Chapter 4. Authoring or managed server environment

You can deploy an environment for creating and modifying services using Business Central and for running them in KIE Servers managed by Business Central. This environment consists of Business Central and one or more KIE Servers.

You can use Business Central both to develop services and to deploy them to KIE Servers. You can connect several KIE Servers to one Business Central to manage deployment of services to each of the servers.

If necessary, you can create separate environments, so that you can use one deployment of Business Central to author services (authoring environment) and another deployment of Business Central to manage deployment of staging or production services on several KIE Servers (managed server environment). Usually, one KIE Server is sufficient for a dedicated authoring environment. You can use an external Maven repository to store services from an authoring environment and deploy them to a separate managed server environment.

For Red Hat Decision Manager, the procedures to deploy an authoring environment and a managed server environment are the same. You must first deploy an authoring environment template, consisting of Business Central and one KIE Server.

If necessary, you can deploy additional KIE Server templates in the same namespace to create an environment with multiple KIE Servers. This environment can be a managed server environment for staging and production deployment of services.

Depending on your needs, you can deploy either a single authoring environment template or a high-availability (HA) authoring environment template.

A single authoring environment contains two pods. One of the pods runs Business Central, the other runs KIE Server. This environment is most suitable for single-user authoring or when your OpenShift infrastructure has limited resources. It does not require persistent volumes that support the ReadWriteMany access mode.

In a single authoring environment, you cannot scale Business Central. You can scale KIE Server.

In an HA authoring environment, both Business Central and KIE Server are provided in scalable pods. When pods are scaled, persistent storage is shared between the copies.

To enable high-availability functionality in Business Central, additional pods with AMQ and Data Grid are required. These pods are configured and deployed by the high-availability authoring template. Use a high-availability authoring environment to provide maximum reliability and responsiveness, especially if several users are involved in authoring at the same time.

In the current version of Red Hat Decision Manager, an HA authoring environment is supported with certain limitations:

  • If a Business Central pod crashes while a user works with it, the user can get an error message and then is redirected to another pod. Logging on again is not required.
  • If a Business Central pod crashes during a user operation, data that was not committed (saved) might be lost.
  • If a Business Central pod crashes during creation of a project, an unusable project might be created.
  • If a Business Central pod crashes during creation of an asset, the asset might be created but not indexed, so it cannot be used. The user can open the asset in Business Central and save it again to make it indexed.
  • When a user deploys a service to the KIE Server, the KIE Server deployment is rolled out again. Users can not deploy another service to the same KIE Server until the roll-out completes.

In a high-availability authoring environment you can also deploy additional managed or immutable KIE Servers, if required. Business Central can automatically discover any KIE Servers in the same namespace, including immutable KIE Servers and managed KIE Servers.

If you want to deploy additional managed or immutable KIE Servers in a single authoring environment, you must complete an additional manual step to enable the OpenShiftStartupStrategy setting in the environment, as described in Section 4.5, “Enabling the OpenShiftStartupStrategy setting to connect additional KIE Servers to Business Central”. This setting enables the discovery of other KIE Servers.

For instructions about deploying managed KIE Servers, see Section 4.6, “Deploying an additional managed KIE Server for an authoring or managed environment”. For instructions about deploying immutable KIE Servers, see Deploying a Red Hat Decision Manager immutable server environment on Red Hat OpenShift Container Platform.

4.1. Deploying an authoring environment

You can use OpenShift templates to deploy a single or high-availability authoring environment. This environment consists of Business Central and a single KIE Server.

4.1.1. Starting configuration of the template for an authoring environment

If you want to deploy a single authoring environment, use the rhdm78-authoring.yaml template file.

If you want to deploy a high-availability authoring environment, use the rhdm78-authoring-ha.yaml template file.

Procedure

  1. Download the rhdm-7.8.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the required template file.
  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the <template-file-name>.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.
    • To use the OpenShift command line console, prepare the following command line:

      oc new-app -f <template-path>/<template-file-name>.yaml -p DECISION_CENTRAL_HTTPS_SECRET=decisioncentral-app-secret -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Replace <template-file-name> with the name of the template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 4.1.2, “Setting required parameters for an authoring environment” to set common parameters. You can view the template file to see descriptions for all parameters.

4.1.2. Setting required parameters for an authoring environment

When configuring the template to deploy an authoring environment, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

4.1.3. Configuring the image stream namespace for an authoring environment

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 3.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

4.1.4. Setting an optional Maven repository for an authoring environment

When configuring the template to deploy an authoring environment, if you want to place the built KJAR files into an external Maven repository, you must set parameters to access the repository.

Prerequisites

Procedure

To configure access to a custom Maven repository, set the following parameters:

  • Maven repository URL (MAVEN_REPO_URL): The URL for the Maven repository.
  • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
  • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
  • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

Important

To export or push Business Central projects as KJAR artifacts to the external Maven repository, you must also add the repository information in the pom.xml file for every project. For information about exporting Business Central projects to an external repository, see Packaging and deploying a Red Hat Decision Manager project.

4.1.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an authoring environment

When configuring the template to deploy an authoring environment, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 3.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 3.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.
  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*,!repo-rhdmcentr; with this value, Maven retrieves artifacts from the built-in Maven repository of Business Central directly and retrieves any other required artifacts from the mirror. If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

4.1.6. Configuring Business Central and KIE Server replicas for a high-availability authoring environment

If you are deploying a high-availability authoring environment, by default two replicas of Business Central and two replicas of the KIE Server are initially created.

Optionally, you can modify the number of replicas.

Skip this procedure for a single authoring environment.

Prerequisites

Procedure

To modify the numbers of initial replicas, set the following parameters:

  • Business Central Container Replicas (DECISION_CENTRAL_CONTAINER_REPLICAS): The number of replicas that the deployment initially creates for Business Central.
  • KIE Server Container Replicas (KIE_SERVER_CONTAINER_REPLICAS): The number of replicas that the deployment initially creates for the KIE Server.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

4.1.7. Specifying the Git hooks directory for an authoring environment

You can use Git hooks to facilitate interaction between the internal Git repository of Business Central and an external Git repository.

If you want to use Git hooks, you must configure a Git hooks directory.

Prerequisites

Procedure

To configure a Git hooks directory, set the following parameter:

  • Git hooks directory (GIT_HOOKS_DIR): The fully qualified path to a Git hooks directory, for example, /opt/kie/data/git/hooks. You must provide the content of this directory and mount it at the specified path. For instructions about providing and mounting the Git hooks directory using a configuration map or a persistent volume, see Section 4.2, “(Optional) Providing the Git hooks directory”.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

4.1.8. Configuring resource usage for a high-availability deployment

If you are deploying the high-availability template (rhdm78-authoring-ha.yaml), you can optionally configure resource usage to optimize performance for your requirements.

If you are deploying the single authoring environment template (rhdm78-authoring.yaml), skip this procedure.

For more information about sizing resources, see the following sections in the Red Hat OpenShift Container Platform 3.11 product documentation:

Prerequisites

Procedure

Set the following parameters of the template as applicable:

  • Business Central Container Memory Limit (DECISION_CENTRAL_MEMORY_LIMIT): The amount of memory requested in the OpenShift environment for the Business Central container. The default value is 8Gi.
  • Business Central JVM Max Memory Ratio (DECISION_CENTRAL_JAVA_MAX_MEM_RATIO): The percentage of container memory that is used for the Java Virtual Machine for Business Central. The remaining memory is used for the operating system. The default value is 80, for a limit of 80%.
  • Business Central Container CPU Limit (DECISION_CENTRAL_CPU_LIMIT): The maximum CPU usage for Business Central. The default value is 2000m.
  • KIE Server Container Memory Limit (KIE_SERVER_MEMORY_LIMIT): The amount of memory requested in the OpenShift environment for the KIE Server container. The default value is 1Gi.
  • KIE Server Container CPU Limit (KIE_SERVER_CPU_LIMIT): The maximum CPU usage for KIE Server. The default value is 1000m.
  • DataGrid Container Memory Limit (DATAGRID_MEMORY_LIMIT): The amount of memory requested in the OpenShift environment for the Red Hat Data Grid container. The default value is 2Gi.
  • DataGrid Container CPU Limit (DATAGRID_CPU_LIMIT): The maximum CPU usage for Red Hat Data Grid. The default value is 1000m.

4.1.9. Setting parameters for RH-SSO authentication for an authoring environment

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an authoring environment.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Decision Manager is created in the RH-SSO authentication system.
  • User names and passwords for Red Hat Decision Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 5, Red Hat Decision Manager roles and users.

    You must create a user with the username and password configured in the secret for the administrative user, as described in Section 3.4, “Creating the secret for the administrative user”. This user must have the kie-server,rest-all,admin roles.

  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Decision Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Decision Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 4.1.1, “Starting configuration of the template for an authoring environment”.

Procedure

  1. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.
  2. Complete one of the following procedures:

    1. If you created the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • Business Central RH-SSO Client Secret (DECISION_CENTRAL_SSO_SECRET): The secret string that is set in RH-SSO for the client for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for KIE Server.
    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The name of the client to create in RH-SSO for Business Central.
      • Business Central RH-SSO Client Secret (DECISION_CENTRAL_SSO_SECRET): The secret string to set in RH-SSO for the client for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for KIE Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

4.1.10. Setting parameters for LDAP authentication for an authoring environment

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an authoring environment.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 4.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

4.1.11. Enabling Prometheus metric collection for an authoring environment

If you want to configure your KIE Server deployment to use Prometheus to collect and store metrics, enable support for this feature in KIE Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.1.12, “Completing deployment of the template for an authoring environment”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring KIE Server.

4.1.12. Completing deployment of the template for an authoring environment

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

4.2. (Optional) Providing the Git hooks directory

If you configure the GIT_HOOKS_DIR parameter, you must provide a directory of Git hooks and must mount this directory on the Business Central deployment.

The typical use of Git hooks is interaction with an upstream repository. To enable Git hooks to push commits into an upstream repository, you must also provide a secret key that corresponds to a public key configured on the upstream repository.

Procedure

  1. If interaction with an upstream repository using SSH authentication is required, complete the following steps to prepare and mount a secret with the necessary files:

    1. Prepare the id_rsa file with a private key that matches a public key stored in the repository.
    2. Prepare the known_hosts file with the correct name, address, and public key for the repository.
    3. Create a secret with the two files using the oc command, for example:

      oc create secret git-hooks-secret --from-file=id_rsa=id_rsa --from-file=known_hosts=known_hosts
    4. Mount the secret in the SSH key path of the Business Central deployment, for example:

      oc set volume dc/<myapp>-rhdmcentr --add --type secret --secret-name git-hooks-secret --mount-path=/home/jboss/.ssh --name=ssh-key

      Replace <myapp> with the application name that you set when configuring the template.

  2. Create the Git hooks directory. For instructions, see the Git hooks reference documentation.

    For example, a simple Git hooks directory can provide a post-commit hook that pushes the changes upstream. If the project was imported into Business Central from a repository, this repository remains configured as the upstream repository. Create a file named post-commit with permission values 755 and the following content:

    git push
    Note

    A pre-commit script is not supported in Business Central. Use a post-commit script.

  3. Supply the Git hooks directory to the Business Central deployment. You can use a configuration map or a persistent volume.

    1. If the Git hooks consist of one or several fixed script files, use a configuration map. Complete the following steps:

      1. Change into the Git hooks directory that you have created.
      2. Create an OpenShift configuration map from the files in the directory. Run the following command:

        oc create configmap git-hooks --from-file=<file_1>=<file_1> --from-file=<file_2>=<file_2> ...

        Replace file_1, file_2, and so on with Git hook script file names. Example:

        oc create configmap git-hooks --from-file=post-commit=post-commit
      3. Mount the configuration map on the Business Central deployment in the path that you have configured:

        oc set volume dc/<myapp>-rhdmcentr --add --type configmap --configmap-name git-hooks  --mount-path=<git_hooks_dir> --name=git-hooks

        Replace <myapp> with the application name that was set when configuring the template and <git_hooks_dir> is the value of GIT_HOOKS_DIR that was set when configuring the template.

    2. If the Git hooks consist of long files or depend on binaries, such as executable or KJAR files, use a persistence volume. You must create a persistent volume, create a persistent volume claim and associate the volume with the claim, transfer files to the volume, and mount the volume in the myapp-rhdmcentr deployment configuration (replace myapp with the application name). For instructions about creating and mounting persistence volumes, see Using persistent volumes. For instructions about copying files onto a persistent volume, see Transferring files in and out of containers.
  4. Wait a few minutes, then review the list and status of pods in your project. Because Business Central does not start until you provide the Git hooks directory, the KIE Server might not start at all. To see if it has started, check the output of the following command:

    oc get pods

    If a working KIE Server pod is not present, start it:

    oc rollout latest dc/<myapp>-kieserver

    Replace <myapp> with the application name that was set when configuring the template.

4.3. (Optional) Providing a truststore for accessing HTTPS servers with self-signed certificates

Components of your Red Hat Decision Manager infrastructure might need to use HTTPS access to servers that have a self-signed HTTPS certificate. For example, Business Central and KIE Server might need to interact with an internal Nexus repository that uses a self-signed HTTPS server certificate.

In this case, to ensure that HTTPS connections complete successfully, you must provide client certificates for these services using a truststore.

Skip this procedure if you do not need Red Hat Decision Manager components to communicate with servers that use self-signed HTTPS server certificates.

Procedure

  1. Prepare a truststore with the certificates. Use the following command to create a truststore or to add a certificate to an existing truststore. Add all the necessary certificates to one truststore.

    keytool -importcert -file certificate-file -alias alias -keyalg algorithm -keysize size -trustcacerts -noprompt -storetype JKS -keypass truststore-password -storepass truststore-password -keystore keystore-file

    Replace the following values:

    • certificate-file: The pathname of the certificate that you want to add to the truststore.
    • alias: The alias for the certificate in the truststore. If you are adding more than one certificate to the truststore, every certificate must have a unique alias.
    • algorithm: The encryption algorithm used for the certificate, typically RSA.
    • size: The size of the certificate key in bytes, for example, 2048.
    • truststore-password: The password for the truststore.
    • keystore-file: The pathname of the truststore file. If the file does not exist, the command creates a new truststore.

      The following example command adds a certificate from the /var/certs/nexus.cer file to a truststore in the /var/keystores/custom-trustore.jks file. The truststore password is mykeystorepass.

      keytool -importcert -file /var/certs/nexus.cer -alias nexus-cert -keyalg RSA -keysize 2048 -trustcacerts -noprompt -storetype JKS -keypass mykeystorepass -storepass mykeystorepass -keystore /var/keystores/custom-trustore.jks
  2. Create a secret with the truststore file using the oc command, for example:

    oc create secret generic truststore-secret --from-file=/var/keystores/custom-trustore.jks
  3. In the deployment for the necessary components of your infrastructure, mount the secret and then set the JAVA_OPTS_APPEND option to enable the Java application infrastructure to use the trast store, for example:

    oc set volume dc/myapp-rhdmcentr --add --overwrite --name=custom-trustore-volume --mount-path /etc/custom-secret-volume --secret-name=custom-secret
    
    oc set env dc/myapp-rhdmcentr JAVA_OPTS_APPEND='-Djavax.net.ssl.trustStore=/etc/custom-secret-volume/custom-trustore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=mykeystorepass'
    oc set volume dc/myapp-kieserver --add --overwrite --name=custom-trustore-volume --mount-path /etc/custom-secret-volume --secret-name=custom-secret
    
    oc set env dc/myapp-kieserver JAVA_OPTS_APPEND='-Djavax.net.ssl.trustStore=/etc/custom-secret-volume/custom-trustore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=mykeystorepass'

    Replace myapp with the application name that you set when configuring the template.

4.4. (Optional) Providing the LDAP role mapping file

If you configure the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, you must provide a file that defines the role mapping. Mount this file on all affected deployment configurations.

Procedure

  1. Create the role mapping properties file, for example, my-role-map. The file must contain entries in the following format:

    ldap_role = product_role1, product_role2...

    For example:

    admins = kie-server,rest-all,admin
  2. Create an OpenShift configuration map from the file by entering the following command:

    oc create configmap ldap-role-mapping --from-file=<new_name>=<existing_name>

    Replace <new_name> with the name that the file is to have on the pods (it must be the same as the name specified in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES file) and <existing_name> with the name of the file that you created. Example:

    oc create configmap ldap-role-mapping --from-file=rolemapping.properties=my-role-map
  3. Mount the configuration map on every deployment configuration that is configured for role mapping.

    The following deployment configurations can be affected in this environment:

    • myapp-rhdmcentr: Business Central
    • myapp-kieserver: KIE Server

    Replace myapp with the application name. Sometimes, several KIE Server deployments can be present under different application names.

    For every deployment configuration, run the command:

     oc set volume dc/<deployment_config_name> --add --type configmap --configmap-name ldap-role-mapping --mount-path=<mapping_dir> --name=ldap-role-mapping

    Replace <mapping_dir> with the directory name (without file name) set in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, for example, /opt/eap/standalone/configuration/rolemapping .

4.5. Enabling the OpenShiftStartupStrategy setting to connect additional KIE Servers to Business Central

In an environment deployed using Red Hat Decision Manager authoring templates, Business Central manages one KIE Server. You can scale the KIE Server pod, but all the copies execute the same services.

You can connect additional KIE Servers to Business Central. However, if you deployed a single authoring environment using the rhdm78-authoring.yaml, you must enable the OpenShiftStartupStrategy setting in the environment. When OpenShiftStartupStrategy is enabled, Business Central automatically discovers KIE Servers in the same namespace and these KIE Servers can be configured to connect to the Business Central.

With the OpenShiftStartupStrategy setting, when a user deploys a service to the KIE Server, the KIE Server deployment is rolled out again. Users can not deploy another service to the same KIE Server until the roll-out completes. Because the roll-out might take noticeable time, the OpenShiftStartupStrategy setting might not be suitable for some authoring environments.

Do not complete this procedure if you deployed a high-availability authoring environment using the rhdm78-authoring-ha.yaml template. In this environment, the OpenShiftStartupStrategy setting is enabled by default.

Do not complete this procedure unless you want to connect additional KIE Servers to Business Central.

Prerequisites

  • You deployed an authoring environment using the rhdm78-authoring.yaml template.
  • You are logged in to the OpenShift project where the environment is deployed using the oc tool.

Procedure

  1. Enter the following command to view the deployment configurations that are deployed in the project:

    $ oc get dc
  2. In the output of the command, find the deployment configuration names for the Business Central and KIE Server pods:

    • The name of the deployment configuration for Business Central is myapp-rhdmcentr. Replace myapp with the application name of the environment, which is set in the APPLICATION_NAME parameter of the template.
    • The name of the deployment configuration for KIE Server is myapp-kieserver. Replace myapp with the application name.
  3. Enter the following commands to enable the OpenShiftStartupStrategy setting on the pods:

    $ oc env myapp-rhdmcentr KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED=true
    $ oc env myapp-kieserver KIE_SERVER_STARTUP_STRATEGY=OpenShiftStartupStrategy

    In these commands, replace myapp-rhdmcentr with the Business Central deployment configuration name and myapp-kieserver with the KIE Server deployment configuration name.

  4. When you enable the OpenShiftStartupStrategy setting, by default Business Central discovers only KIE Servers that are deployed with the same value of the APPLICATION_NAME parameter as the authoring template. If you want to connect KIE Servers with any other application names to the Business Central, enter the following command:

    $ oc env myapp-rhdmcentr KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED=true

    In this command, replace myapp-rhdmcentr with the Business Central deployment configuration name.

4.6. Deploying an additional managed KIE Server for an authoring or managed environment

You can deploy an additional managed KIE Server to an authoring or managed environment. Deploy the server in the same project as the Business Central deployment.

If you deployed a single authoring environment using the rhdm78-authoring.yaml template, you must enable the OpenShiftStartupStrategy setting for your environment for the Business Central to connect to the KIE Server. For instructions about enabling the OpenShiftStartupStrategy setting, see Section 4.5, “Enabling the OpenShiftStartupStrategy setting to connect additional KIE Servers to Business Central”. You do not need to complete this procedure for a high-availability authoring environment.

The KIE Server loads services from a Maven repository. You must configure the server to use either the Business Central built-in repository or an external repository.

The server starts with no loaded services. Use Business Central or the REST API of the KIE Server to deploy and undeploy services on the server.

4.6.1. Starting configuration of the template for an additional managed KIE Server

To deploy an additional managed KIE Server, use the rhdm78-kieserver.yaml template file.

Procedure

  1. Download the rhdm-7.8.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the rhdm78-kieserver.yaml template file.
  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the rhdm78-kieserver.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.
    • To use the OpenShift command line console, prepare the following command line:

      oc new-app -f <template-path>/rhdm78-kieserver.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 4.6.2, “Setting required parameters for an additional managed KIE Server” to set common parameters. You can view the template file to see descriptions for all parameters.

4.6.2. Setting required parameters for an additional managed KIE Server

When configuring the template to deploy an additional managed KIE Server, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • Credentials secret (CREDENTIALS_SECRET): The name of the secret containing the administrative user credentials, as created in Section 3.4, “Creating the secret for the administrative user”.
    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for KIE Server, as created in Section 3.2, “Creating the secrets for KIE Server”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 3.2, “Creating the secrets for KIE Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 3.2, “Creating the secrets for KIE Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and KIE Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the KIE Server joins on Business Central. If you are deploying several KIE Servers, you must ensure each of the servers has a different application name.
    • KIE Server Mode (KIE_SERVER_MODE): In the rhdm78-kieserver.yaml template the default value is PRODUCTION. In PRODUCTION mode, you cannot deploy SNAPSHOT versions of KJAR artifacts on the KIE Server and cannot change versions of an artifact in an existing container. To deploy a new version with PRODUCTION mode, create a new container on the same KIE Server. To deploy SNAPSHOT versions or to change versions of an artifact in an existing container, set this parameter to DEVELOPMENT.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 3.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

4.6.3. Configuring the image stream namespace for an additional managed KIE Server

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 3.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

4.6.4. Configuring information about a Business Central instance for an additional managed KIE Server

If you want to enable a connection from a Business Central instance in the same namespace to the KIE Server, you must configure information about the Business Central instance.

The Business Central instance must be configured with the same credentials secret (CREDENTIALS_SECRET) as the KIE Server.

Prerequisites

Procedure

  1. Set the following parameters:

    • Name of the Business Central service (DECISION_CENTRAL_SERVICE): The OpenShift service name for the Business Central.
  2. Configure access to the Maven repository from which the server must load services. You must configure the same repository that the Business Central uses.

    • If the Business Central uses its own built-in repository, set the following parameter:

      • Name of the Maven service hosted by Business Central (DECISION_CENTRAL_MAVEN_SERVICE): The OpenShift service name for the Business Central.
    • If you configured the Business Central to use an external Maven repository, set the following parameters:

      • Maven repository URL (MAVEN_REPO_URL): A URL for the external Maven repository that Business Central uses.
      • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
      • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
      • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

4.6.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an additional managed KIE Server

When configuring the template to deploy an additional managed KIE Server, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 3.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 3.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.
  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (DECISION_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhdmcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhdmcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

4.6.6. Setting parameters for RH-SSO authentication for an additional managed KIE Server

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an additional managed KIE Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Decision Manager is created in the RH-SSO authentication system.
  • User names and passwords for Red Hat Decision Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 5, Red Hat Decision Manager roles and users.

    You must create a user with the username and password configured in the secret for the administrative user, as described in Section 3.4, “Creating the secret for the administrative user”. This user must have the kie-server,rest-all,admin roles.

  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Decision Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Decision Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 4.6.1, “Starting configuration of the template for an additional managed KIE Server”.

Procedure

  1. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.
  2. Complete one of the following procedures:

    1. If you created the client for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for KIE Server.
    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for KIE Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

4.6.7. Setting parameters for LDAP authentication for an additional managed KIE Server

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an additional managed KIE Server.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 4.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

4.6.8. Enabling Prometheus metric collection for an additional managed KIE Server

If you want to configure your KIE Server deployment to use Prometheus to collect and store metrics, enable support for this feature in KIE Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 4.6.9, “Completing deployment of the template for an additional managed KIE Server”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring KIE Server.

4.6.9. Completing deployment of the template for an additional managed KIE Server

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.