Chapter 3. Environment with immutable servers

You can deploy an environment that includes one or more pods running immutable KIE Server with preloaded services. Each KIE Server pod can be separately scaled as necessary.

On an immutable KIE Server, any services must be loaded onto the server at the time the image is created. You cannot deploy or undeploy services on a running immutable KIE Server. The advantage of this approach is that the KIE Server with the services in it runs like any other containerized service and does not require specialized management. The KIE Server runs like any other pod on the OpenShift environment; you can use any container-based integration workflows as necessary.

When you create a KIE Server image, you can build your services using S2I (Source to Image). Provide a Git repository with the source of your services and other business assets; if you develop the services or assets in Business Central, copy the source into a separate repository for the S2I build. OpenShift automatically builds the source, installs the services into the KIE Server image, and starts the containers with the services.

If you are using Business Central for authoring services, you can extract the source for your process and place it into a separate Git repository (such as GitHub or an on-premise installation of GitLab) for use in the S2I build.

Alternatively, you can create a similar KIE Server deployment using services that are already built as KJAR files. In this case, you must provide the services in a Maven repository. You can use the built-in repository of the Business Central or your own repository (for example, a Nexus deployment). When the server pod starts, it retrieves the KJAR services from the Maven repository. Services on the pod are never updated or changed. At every restart or scaling of the pod, the server retrieves the files from the repository, so you must ensure they do not change on the Maven repository to keep the deployment immutable.

With both methods of creating immutable images, no further management of the image is required. If you want to use a new version of a service, you can build a new image.

3.1. Deploying an immutable KIE Server using an S2I build

You can deploy an immutable KIE Server using an S2I build. When you deploy the server, the deployment procedure retrieves the source code for any services that must run on this server, builds the services, and includes them in the server image.

You cannot deploy or undeploy services on a running immutable KIE Server. You can use Business Central to view monitoring information. The KIE Server runs like any other pod on the OpenShift environment; you can use any container-based integration workflows as necessary.

You can enable JMS capabilities of the immutable KIE Server. With JMS capabilities you can interact with the server through JMS API using an external AMQ message broker.

If a Business Central is deployed in the same namespace, it discovers the immutable KIE Server automatically. You can use Business Central to start and stop (but not deploy) services on the immutable KIE Server.

3.1.1. Starting configuration of the template for an immutable KIE Server using S2I

To deploy an immutable KIE Server using an S2I build, use the rhdm78-prod-immutable-kieserver-amq.yaml template file if you want to enable JMS capabilities. Otherwise, use the rhdm78-prod-immutable-kieserver.yaml template file.

Procedure

  1. Download the rhdm-7.8.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the required template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the <template-file-name>.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/<template-file-name>.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Replace <template-file-name> with the name of the template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.1.2, “Setting required parameters for an immutable KIE Server using S2I” to set common parameters. You can view the template file to see descriptions for all parameters.

3.1.2. Setting required parameters for an immutable KIE Server using S2I

When configuring the template to deploy an immutable KIE Server using an S2I build, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • Credentials secret (CREDENTIALS_SECRET): The name of the secret containing the administrative user credentials, as created in Section 2.3, “Creating the secret for the administrative user”.
    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for KIE Server, as created in Section 2.2, “Creating the secrets for KIE Server”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for KIE Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.2, “Creating the secrets for KIE Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and KIE Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the KIE Server joins on Business Central. If you are deploying several KIE Servers, you must ensure each of the servers has a different application name.

    • KIE Server Container Deployment (KIE_SERVER_CONTAINER_DEPLOYMENT): The identifying information of the decision service (KJAR file) that the deployment must pull from the local or external repository after building your source. The format is <containerId>=<groupId>:<artifactId>:<version> or, if you want to specify an alias name for the container, <containerId>(<aliasId>)=<groupId>:<artifactId>:<version>. You can provide two or more KJAR files using the | separator, as illustrated in the following example: 

      containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

      To avoid duplicate container IDs, the artifact ID must be unique for each artifact built or used in your project.

    • Git Repository URL (SOURCE_REPOSITORY_URL): The URL for the Git repository that contains the source for your services.
    • Git Reference (SOURCE_REPOSITORY_REF): The branch in the Git repository.
    • Context Directory (CONTEXT_DIR): The path to the source within the project downloaded from the Git repository.
    • Artifact Directory (ARTIFACT_DIR): The path within the project that contains the required binary files (KJAR files and any other necessary files) after a successful Maven build. Normally this directory is the target directory of the build. However, you can provide prebuilt binaries in this directory in the Git repository.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.3. Configuring the image stream namespace for an immutable KIE Server using S2I

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

3.1.4. Configuring information about a Business Central instance for an immutable KIE Server using S2I

If you want to enable a connection from a Business Central instance in the same namespace to the KIE Server, you must configure information about the Business Central instance.

The Business Central instance must be configured with the same credentials secret (CREDENTIALS_SECRET) as the KIE Server.

Prerequisites

Procedure

  1. Set the following parameters:

    • Name of the Business Central service (DECISION_CENTRAL_SERVICE): The OpenShift service name for the Business Central.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.5. Setting an optional Maven repository for an immutable KIE Server using S2I

When configuring the template to deploy an immutable KIE Server using an S2I build, if your source build includes dependencies that are not available on the public Maven tree and require a separate custom Maven repository, you must set parameters to access the repository.

Prerequisites

Procedure

To configure access to a custom Maven repository, set the following parameters:

  • Maven repository URL (MAVEN_REPO_URL): The URL for the Maven repository.
  • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
  • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
  • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.6. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an immutable KIE Server using S2I

When configuring the template to deploy an immutable KIE Server using an S2I build, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.

  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (DECISION_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhdmcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhdmcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.7. Configuring communication with an AMQ server for an immutable KIE Server using S2I

If you use the rhdm78-prod-immutable-kieserver-amq.yaml template file, JMS capabilities of the KIE Server are enabled. You can interact with the server through JMS API, using an external AMQ message broker.

If necessary for your environment, you can modify the JMS configuration.

Prerequisites

Procedure

Set any of the following parameters as required for your environment:

  • AMQ Username (AMQ_USERNAME) and AMQ Password (AMQ_PASSWORD): The user name and password of a standard broker user, if user authentication in the broker is required in your environment.
  • AMQ Role (AMQ_ROLE): The user role for the standard broker user. The default role is admin.
  • AMQ Queues (AMQ_QUEUES): AMQ queue names, separated by commas. These queues are automatically created when the broker starts and are accessible as JNDI resources in the JBoss EAP server. If you use custom queue names, you must also set the same queue names in the KIE_SERVER_JMS_QUEUE_RESPONSE, KIE_SERVER_JMS_QUEUE_REQUEST, KIE_SERVER_JMS_QUEUE_SIGNAL, KIE_SERVER_JMS_QUEUE_AUDIT, and KIE_SERVER_JMS_QUEUE_EXECUTOR parameters.
  • AMQ Global Max Size (AMQ_GLOBAL_MAX_SIZE): The maximum amount of memory that message data can consume. If no value is specified, half of the memory available in the pod is allocated.
  • AMQ Protocols (AMQ_PROTOCOL): Broker protocols that the KIE Server can use to communicate with the AMQ server, separated by commas. Allowed values are openwire, amqp, stomp, and mqtt. Only openwire is supported by JBoss EAP. The default value is openwire.
  • AMQ Broker Image (AMQ_BROKER_IMAGESTREAM_NAME): The image stream name for the AMQ broker image.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.8. Setting parameters for RH-SSO authentication for an immutable KIE Server using S2I

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an immutable KIE Server using an S2I build.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

  • A realm for Red Hat Decision Manager is created in the RH-SSO authentication system.

  • User names and passwords for Red Hat Decision Manager are created in the RH-SSO authentication system. For a list of the available roles, see Chapter 4, Red Hat Decision Manager roles and users.

    You must create a user with the username and password configured in the secret for the administrative user, as described in Section 2.3, “Creating the secret for the administrative user”. This user must have the kie-server,rest-all,admin roles.

  • Clients are created in the RH-SSO authentication system for all components of the Red Hat Decision Manager environment that you are deploying. The client setup contains the URLs for the components. You can review and edit the URLs after deploying the environment. Alternatively, the Red Hat Decision Manager deployment can create the clients. However, this option provides less detailed control over the environment.
  • You started the configuration of the template, as described in Section 3.1.1, “Starting configuration of the template for an immutable KIE Server using S2I”.

Procedure

  1. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  2. Complete one of the following procedures:

    1. If you created the client for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for KIE Server.

    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for KIE Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

3.1.9. Setting parameters for LDAP authentication for an immutable KIE Server using S2I

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an immutable KIE Server using an S2I build.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

3.1.10. Enabling Prometheus metric collection for an immutable KIE Server using S2I

If you want to configure your KIE Server deployment to use Prometheus to collect and store metrics, enable support for this feature in KIE Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.1.11, “Completing deployment of the template for an immutable KIE Server using S2I”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring KIE Server.

3.1.11. Completing deployment of the template for an immutable KIE Server using S2I

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.2. Deploying an immutable KIE Server from KJAR services

You can deploy an immutable KIE Server using services that are already built as KJAR files.

You must provide the services in a Maven repository. You can use the built-in repository of the Business Central or your own repository (for example, a Nexus deployment). When the server pod starts, it retrieves the KJAR services from the Maven repository. Services on the pod are never updated or changed. At every restart or scaling of the pod, the server retrieves the files from the repository, so you must ensure they do not change on the Maven repository to keep the deployment immutable.

You cannot deploy or undeploy services on a running immutable KIE Server. You can use Business Central to view monitoring information. The KIE Server runs like any other pod on the OpenShift environment; you can use any container-based integration workflows as necessary.

If a Business Central is deployed in the same namespace, it discovers the immutable KIE Server automatically. You can use Business Central to start and stop (but not deploy) services on the immutable KIE Server and to view monitoring data.

3.2.1. Starting configuration of the template for an immutable KIE Server from KJAR services

To deploy an immutable KIE Server from KJAR services, use the rhdm78-kieserver.yaml template file.

Procedure

  1. Download the rhdm-7.8.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  2. Extract the rhdm78-kieserver.yaml template file.

  3. Use one of the following methods to start deploying the template:

    • To use the OpenShift Web UI, in the OpenShift application console select Add to Project → Import YAML / JSON and then select or paste the rhdm78-kieserver.yaml file. In the Add Template window, ensure Process the template is selected and click Continue.

    • To use the OpenShift command line console, prepare the following command line: 

      oc new-app -f <template-path>/rhdm78-kieserver.yaml -p KIE_SERVER_HTTPS_SECRET=kieserver-app-secret -p PARAMETER=value

      In this command line, make the following changes:

      • Replace <template-path> with the path to the downloaded template file.
      • Use as many -p PARAMETER=value pairs as needed to set the required parameters.

Next steps

Set the parameters for the template. Follow the steps in Section 3.2.2, “Setting required parameters for an immutable KIE Server from KJAR services” to set common parameters. You can view the template file to see descriptions for all parameters.

3.2.2. Setting required parameters for an immutable KIE Server from KJAR services

When configuring the template to deploy an immutable KIE Server from KJAR services, you must set the following parameters in all cases.

Prerequisites

Procedure

  1. Set the following parameters:

    • Credentials secret (CREDENTIALS_SECRET): The name of the secret containing the administrative user credentials, as created in Section 2.3, “Creating the secret for the administrative user”.
    • KIE Server Keystore Secret Name (KIE_SERVER_HTTPS_SECRET): The name of the secret for KIE Server, as created in Section 2.2, “Creating the secrets for KIE Server”.
    • KIE Server Certificate Name (KIE_SERVER_HTTPS_NAME): The name of the certificate in the keystore that you created in Section 2.2, “Creating the secrets for KIE Server”.
    • KIE Server Keystore Password (KIE_SERVER_HTTPS_PASSWORD): The password for the keystore that you created in Section 2.2, “Creating the secrets for KIE Server”.
    • Application Name (APPLICATION_NAME): The name of the OpenShift application. It is used in the default URLs for Business Central Monitoring and KIE Server. OpenShift uses the application name to create a separate set of deployment configurations, services, routes, labels, and artifacts. You can deploy several applications using the same template into the same project, as long as you use different application names. Also, the application name determines the name of the server configuration (server template) that the KIE Server joins on Business Central. If you are deploying several KIE Servers, you must ensure each of the servers has a different application name.
    • Maven repository URL (MAVEN_REPO_URL): A URL for a Maven repository. You must upload all the processes (KJAR files) that are to be deployed on the KIE Server into this repository.
    • Maven repository ID (MAVEN_REPO_ID): An identifier for the Maven repository. The default value is repo-custom.
    • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
    • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

    • KIE Server Container Deployment (KIE_SERVER_CONTAINER_DEPLOYMENT): The identifying information of the decision services (KJAR files) that the deployment must pull from the Maven repository. The format is <containerId>=<groupId>:<artifactId>:<version> or, if you want to specify an alias name for the container, <containerId>(<aliasId>)=<groupId>:<artifactId>:<version>. You can provide two or more KJAR files using the | separator, as illustrated in the following example: 

      containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2
    • KIE Server Mode (KIE_SERVER_MODE): In the rhdm78-kieserver-*.yaml templates the default value is PRODUCTION. In PRODUCTION mode, you cannot deploy SNAPSHOT versions of KJAR artifacts on the KIE Server and cannot change versions of an artifact in an existing container. To deploy a new version with PRODUCTION mode, create a new container on the same KIE Server. To deploy SNAPSHOT versions or to change versions of an artifact in an existing container, set this parameter to DEVELOPMENT.
    • ImageStream Namespace (IMAGE_STREAM_NAMESPACE): The namespace where the image streams are available. If the image streams were already available in your OpenShift environment (see Section 2.1, “Ensuring the availability of image streams and the image registry”), the namespace is openshift. If you have installed the image streams file, the namespace is the name of the OpenShift project.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

3.2.3. Configuring the image stream namespace for an immutable KIE Server from KJAR services

If you created image streams in a namespace that is not openshift, you must configure the namespace in the template.

If all image streams were already available in your Red Hat OpenShift Container Platform environment, you can skip this procedure.

Prerequisites

Procedure

If you installed an image streams file according to instructions in Section 2.1, “Ensuring the availability of image streams and the image registry”, set the ImageStream Namespace (IMAGE_STREAM_NAMESPACE) parameter to the name of your OpenShift project.

3.2.4. Configuring information about a Business Central instance for an immutable KIE Server from KJAR services

If you want to enable a connection from a Business Central instance in the same namespace to the KIE Server, you must configure information about the Business Central instance.

The Business Central instance must be configured with the same credentials secret (CREDENTIALS_SECRET) as the KIE Server.

Prerequisites

Procedure

  1. Set the following parameters:

    • Name of the Business Central service (DECISION_CENTRAL_SERVICE): The OpenShift service name for the Business Central.

  2. Ensure that the following settings are set to the same value as the same settings for the Business Central:

    • Maven repository URL (MAVEN_REPO_URL): A URL for the external Maven repository from which services must be deployed.
    • Maven repository username (MAVEN_REPO_USERNAME): The user name for the Maven repository.
    • Maven repository password (MAVEN_REPO_PASSWORD): The password for the Maven repository.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

3.2.5. Configuring access to a Maven mirror in an environment without a connection to the public Internet for an immutable KIE Server from KJAR services

When configuring the template to deploy an immutable KIE Server from KJAR services, if your OpenShift environment does not have a connection to the public Internet, you must configure access to a Maven mirror that you set up according to Section 2.5, “Preparing a Maven mirror repository for offline use”.

Prerequisites

Procedure

To configure access to the Maven mirror, set the following parameters:

  • Maven mirror URL (MAVEN_MIRROR_URL): The URL for the Maven mirror repository that you set up in Section 2.5, “Preparing a Maven mirror repository for offline use”. This URL must be accessible from a pod in your OpenShift environment.

  • Maven mirror of (MAVEN_MIRROR_OF): The value that determines which artifacts are to be retrieved from the mirror. For instructions about setting the mirrorOf value, see Mirror Settings in the Apache Maven documentation. The default value is external:*. With this value, Maven retrieves every required artifact from the mirror and does not query any other repositories.

    • If you configure an external Maven repository (MAVEN_REPO_URL), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror, for example, external:*,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.
    • If you configure a built-in Business Central Maven repository (DECISION_CENTRAL_MAVEN_SERVICE), change MAVEN_MIRROR_OF to exclude the artifacts in this repository from the mirror: external:*,!repo-rhdmcentr.
    • If you configure both repositories, change MAVEN_MIRROR_OF to exclude the artifacts in both repositories from the mirror: external:*,!repo-rhdmcentr,!repo-custom. Replace repo-custom with the ID that you configured in MAVEN_REPO_ID.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

3.2.6. Setting parameters for RH-SSO authentication for an immutable KIE Server from KJAR services

If you want to use RH-SSO authentication, complete the following additional configuration when configuring the template to deploy an immutable KIE Server from KJAR services.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. Set the following parameters:

    • RH-SSO URL (SSO_URL): The URL for RH-SSO.
    • RH-SSO Realm name (SSO_REALM): The RH-SSO realm for Red Hat Decision Manager.
    • RH-SSO Disable SSL Certificate Validation (SSO_DISABLE_SSL_CERTIFICATE_VALIDATION): Set to true if your RH-SSO installation does not use a valid HTTPS certificate.

  2. Complete one of the following procedures:

    1. If you created the client for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • Business Central RH-SSO Client name (DECISION_CENTRAL_SSO_CLIENT): The RH-SSO client name for Business Central.
      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The RH-SSO client name for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string that is set in RH-SSO for the client for KIE Server.

    2. To create the clients for Red Hat Decision Manager within RH-SSO, set the following parameters in the template:

      • KIE Server RH-SSO Client name (KIE_SERVER_SSO_CLIENT): The name of the client to create in RH-SSO for KIE Server.
      • KIE Server RH-SSO Client Secret (KIE_SERVER_SSO_SECRET): The secret string to set in RH-SSO for the client for KIE Server.
      • RH-SSO Realm Admin Username (SSO_USERNAME) and RH-SSO Realm Admin Password (SSO_PASSWORD): The user name and password for the realm administrator user for the RH-SSO realm for Red Hat Decision Manager. You must provide this user name and password in order to create the required clients.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

After completing the deployment, review the URLs for components of Red Hat Decision Manager in the RH-SSO authentication system to ensure they are correct.

3.2.7. Setting parameters for LDAP authentication for an immutable KIE Server from KJAR services

If you want to use LDAP authentication, complete the following additional configuration when configuring the template to deploy an immutable KIE Server from KJAR services.

Important

Do not configure LDAP authentication and RH-SSO authentication in the same deployment.

Prerequisites

Procedure

  1. Set the AUTH_LDAP* parameters of the template. These parameters correspond to the settings of the LdapExtended Login module of Red Hat JBoss EAP. For instructions about using these settings, see LdapExtended login module.

    If the LDAP server does not define all the roles required for your deployment, you can map LDAP groups to Red Hat Decision Manager roles. To enable LDAP role mapping, set the following parameters:

    • RoleMapping rolesProperties file path (AUTH_ROLE_MAPPER_ROLES_PROPERTIES): The fully qualified path name of a file that defines role mapping, for example, /opt/eap/standalone/configuration/rolemapping/rolemapping.properties. You must provide this file and mount it at this path in all applicable deployment configurations; for instructions, see Section 3.4, “(Optional) Providing the LDAP role mapping file”.
    • RoleMapping replaceRole property (AUTH_ROLE_MAPPER_REPLACE_ROLE): If set to true, mapped roles replace the roles defined on the LDAP server; if set to false, both mapped roles and roles defined on the LDAP server are set as user application roles. The default setting is false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

3.2.8. Enabling Prometheus metric collection for an immutable KIE Server from KJAR services

If you want to configure your KIE Server deployment to use Prometheus to collect and store metrics, enable support for this feature in KIE Server at deployment time.

Prerequisites

Procedure

To enable support for Prometheus metric collection, set the Prometheus Server Extension Disabled (PROMETHEUS_SERVER_EXT_DISABLED) parameter to false.

Next steps

If necessary, set additional parameters.

To complete the deployment, follow the procedure in Section 3.2.9, “Completing deployment of the template for an immutable KIE Server from KJAR services”.

For instructions about configuring Prometheus metrics collection, see Managing and monitoring KIE Server.

3.2.9. Completing deployment of the template for an immutable KIE Server from KJAR services

After setting all the required parameters in the OpenShift Web UI or in the command line, complete deployment of the template.

Procedure

Depending on the method that you are using, complete the following steps:

  • In the OpenShift Web UI, click Create.

    • If the This will create resources that may have security or project behavior implications message appears, click Create Anyway.
  • Complete the command line and press Enter.

3.3. (Optional) Providing a truststore for accessing HTTPS servers with self-signed certificates

Components of your Red Hat Decision Manager infrastructure might need to use HTTPS access to servers that have a self-signed HTTPS certificate. For example, KIE Server might need to interact with an internal Nexus repository that uses a self-signed HTTPS server certificate.

In this case, to ensure that HTTPS connections complete successfully, you must provide client certificates for these services using a truststore.

Skip this procedure if you do not need Red Hat Decision Manager components to communicate with servers that use self-signed HTTPS server certificates.

Note

In Red Hat Decision Manager 7.8, this procedure is not effective for an immutable deployment that uses an S2I build.

Procedure

  1. Prepare a truststore with the certificates. Use the following command to create a truststore or to add a certificate to an existing truststore. Add all the necessary certificates to one truststore. 

    keytool -importcert -file certificate-file -alias alias -keyalg algorithm -keysize size -trustcacerts -noprompt -storetype JKS -keypass truststore-password -storepass truststore-password -keystore keystore-file

    Replace the following values:

    • certificate-file: The pathname of the certificate that you want to add to the truststore.
    • alias: The alias for the certificate in the truststore. If you are adding more than one certificate to the truststore, every certificate must have a unique alias.
    • algorithm: The encryption algorithm used for the certificate, typically RSA.
    • size: The size of the certificate key in bytes, for example, 2048.
    • truststore-password: The password for the truststore.

    • keystore-file: The pathname of the truststore file. If the file does not exist, the command creates a new truststore.

      The following example command adds a certificate from the /var/certs/nexus.cer file to a truststore in the /var/keystores/custom-trustore.jks file. The truststore password is mykeystorepass. 

      keytool -importcert -file /var/certs/nexus.cer -alias nexus-cert -keyalg RSA -keysize 2048 -trustcacerts -noprompt -storetype JKS -keypass mykeystorepass -storepass mykeystorepass -keystore /var/keystores/custom-trustore.jks

  2. Create a secret with the truststore file using the oc command, for example: 

    oc create secret generic truststore-secret --from-file=/var/keystores/custom-trustore.jks

  3. In the deployment for the necessary components of your infrastructure, mount the secret and then set the JAVA_OPTS_APPEND option to enable the Java application infrastructure to use the trast store, for example: 

    oc set volume dc/myapp-kieserver --add --overwrite --name=custom-trustore-volume --mount-path /etc/custom-secret-volume --secret-name=custom-secret

oc set env dc/myapp-kieserver JAVA_OPTS_APPEND='-Djavax.net.ssl.trustStore=/etc/custom-secret-volume/custom-trustore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=mykeystorepass'

    Replace myapp with the application name that you set when configuring the template.

3.4. (Optional) Providing the LDAP role mapping file

If you configure the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, you must provide a file that defines the role mapping. Mount this file on all affected deployment configurations.

Procedure

  1. Create the role mapping properties file, for example, my-role-map. The file must contain entries in the following format: 

    ldap_role = product_role1, product_role2...

    For example: 

    admins = kie-server,rest-all,admin

  2. Create an OpenShift configuration map from the file by entering the following command: 

    oc create configmap ldap-role-mapping --from-file=<new_name>=<existing_name>

    Replace <new_name> with the name that the file is to have on the pods (it must be the same as the name specified in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES file) and <existing_name> with the name of the file that you created. Example: 

    oc create configmap ldap-role-mapping --from-file=rolemapping.properties=my-role-map

  3. Mount the configuration map on every deployment configuration that is configured for role mapping.

    The following deployment configurations can be affected in this environment:

    • myapp-kieserver: KIE Server

    Replace myapp with the application name. Sometimes, several KIE Server deployments can be present under different application names.

    For every deployment configuration, run the command: 

     oc set volume dc/<deployment_config_name> --add --type configmap --configmap-name ldap-role-mapping --mount-path=<mapping_dir> --name=ldap-role-mapping

    Replace <mapping_dir> with the directory name (without file name) set in the AUTH_ROLE_MAPPER_ROLES_PROPERTIES parameter, for example, /opt/eap/standalone/configuration/rolemapping .