Chapter 6. Preparation for deploying Red Hat Decision Manager in your OpenShift environment
Before deploying Red Hat Decision Manager in your OpenShift environment, you must complete several procedures. You do not need to repeat these procedures if you want to deploy additional images, for example, for new versions of decision services or for other decision services
If you are deploying a trial environment, complete the procedure described in Section 6.1, “Ensuring the availability of image streams and the image registry” and do not complete any other preparation procedures.
6.1. Ensuring the availability of image streams and the image registry
To deploy Red Hat Decision Manager components on Red Hat OpenShift Container Platform, you must ensure that OpenShift can download the correct images from the Red Hat registry. To download the images, OpenShift requires image streams, which contain the information about the location of images. OpenShift also must be configured to authenticate with the Red Hat registry using your service account user name and password.
Some versions of the OpenShift environment include the required image streams. You must check if they are available. If image streams are available in OpenShift by default, you can use them if the OpenShift infrastructure is configured for registry authentication server. The administrator must complete the registry authentication configuration when installing the OpenShift environment.
Otherwise, you can configure registry authentication in your own project and install the image streams in that project.
Procedure
- Determine whether Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access. For details about the required configuration, see Configuring a Registry Location. If you are using an OpenShift Online subscription, it is configured for Red Hat registry access.
If Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access, enter the following commands:
$ oc get imagestreamtag -n openshift | grep -F rhdm79-decisioncentral-openshift $ oc get imagestreamtag -n openshift | grep -F rhdm79-kieserver-openshift
If the outputs of both commands are not empty, the required image streams are available in the
openshift
namespace and no further action is required.If the output of one or both of the commands is empty or if OpenShift is not configured with the user name and password for Red Hat registry access, complete the following steps:
-
Ensure you are logged in to OpenShift with the
oc
command and that your project is active. - Complete the steps documented in Registry Service Accounts for Shared Environments. You must log in to the Red Hat Customer Portal to access the document and to complete the steps to create a registry service account.
- Select the OpenShift Secret tab and click the link under Download secret to download the YAML secret file.
-
View the downloaded file and note the name that is listed in the
name:
entry. Enter the following commands:
oc create -f <file_name>.yaml oc secrets link default <secret_name> --for=pull oc secrets link builder <secret_name> --for=pull
Replace
<file_name>
with the name of the downloaded file and<secret_name>
with the name that is listed in thename:
entry of the file.-
Download the
rhdm-7.9.1-openshift-templates.zip
product deliverable file from the Software Downloads page and extract therhdm79-image-streams.yaml
file. Enter the following command:
$ oc apply -f rhdm79-image-streams.yaml
NoteIf you complete these steps, you install the image streams into the namespace of your project. In this case, when you deploy the templates, you must set the
IMAGE_STREAM_NAMESPACE
parameter to the name of this project.
-
Ensure you are logged in to OpenShift with the
6.2. Creating the secrets for KIE Server
OpenShift uses objects called secrets to hold sensitive information such as passwords or keystores. For more information about OpenShift secrets, see the Secrets chapter in the Red Hat OpenShift Container Platform documentation.
You must create an SSL certificate for HTTP access to KIE Server and provide it to your OpenShift environment as a secret.
Procedure
Generate an SSL keystore named
keystore.jks
with a private and public key for SSL encryption for KIE Server. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.NoteIn a production environment, generate a valid signed certificate that matches the expected URL for KIE Server.
-
Record the name of the certificate. The default value for this name in Red Hat Decision Manager configuration is
jboss
. -
Record the password of the keystore file. The default value for this name in Red Hat Decision Manager configuration is
mykeystorepass
. Use the
oc
command to generate a secret namedkieserver-app-secret
from the new keystore file:$ oc create secret generic kieserver-app-secret --from-file=keystore.jks
6.3. Creating the secrets for Business Central
If your environment includes Business Central, you must create an SSL certificate for HTTP access to Business Central and provide it to your OpenShift environment as a secret.
Do not use the same certificate and keystore for Business Central and KIE Server.
Procedure
Generate an SSL keystore named
keystore.jks
with a private and public key for SSL encryption for KIE Server. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.NoteIn a production environment, generate a valid signed certificate that matches the expected URL for Business Central.
-
Record the name of the certificate. The default value for this name in Red Hat Decision Manager configuration is
jboss
. -
Record the password of the keystore file. The default value for this name in Red Hat Decision Manager configuration is
mykeystorepass
. Use the
oc
command to generate a secret nameddecisioncentral-app-secret
from the new keystore file:$ oc create secret generic decisioncentral-app-secret --from-file=keystore.jks
6.4. Creating the secrets for Smart Router
If your environment includes Smart Router, you must create an SSL certificate for HTTP access to Smart Router and provide it to your OpenShift environment as a secret.
Do not use the same certificate and keystore for Smart Router as the ones used for KIE Server or Business Central.
Procedure
Generate an SSL keystore named
keystore.jks
with a private and public key for SSL encryption for KIE Server. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.NoteIn a production environment, generate a valid signed certificate that matches the expected URL for Smart Router.
-
Record the name of the certificate. The default value for this name in Red Hat Decision Manager configuration is
jboss
. -
Record the password of the keystore file. The default value for this name in Red Hat Decision Manager configuration is
mykeystorepass
. Use the
oc
command to generate a secret namedsmartrouter-app-secret
from the new keystore file:$ oc create secret generic smartrouter-app-secret --from-file=keystore.jks
6.5. Creating the secret for the administrative user
You must create a generic secret that contains the user name and password for a Red Hat Decision Manager administrative user account. This secret is required for deploying Red Hat Decision Manager using any template except the trial template.
The secret must contain the user name and password as literals. The key name for the user name is KIE_ADMIN_USER
. The key name for the password is KIE_ADMIN_PWD
.
If you are using multiple templates to deploy components of Red Hat Decision Manager, use the same secret for all these deployments. The components utilize this user account to communicate with each other.
If your environment includes Business Central, you can also use this user account to log in to Business Central.
If you use RH-SSO or LDAP authentication, the same user with the same password must be configured in your authentication system with the kie-server,rest-all,admin
roles for Red Hat Decision Manager.
Procedure
Use the oc
command to generate a generic secret named kie-admin-user-secret
from the user name and password:
$ oc create secret generic rhpam-credentials --from-literal=KIE_ADMIN_USER=adminUser --from-literal=KIE_ADMIN_PWD=adminPassword
In this command, replace adminPassword with the password for the administrative user. Optionally, you can replace adminUser with another user name for the administrative user.
6.6. Changing GlusterFS configuration
If you are deploying an authoring environment, you must check whether your OpenShift environment uses GlusterFS to provide permanent storage volumes. If it uses GlusterFS, to ensure optimal performance of Business Central, you must tune your GlusterFS storage by changing the storage class configuration.
Procedure
To check whether your environment uses GlusterFS, enter the following command:
oc get storageclass
In the results, check whether the
(default)
marker is on the storage class that listsglusterfs
. For example, in the following output the default storage class isgluster-container
, which does listglusterfs
:NAME PROVISIONER AGE gluster-block gluster.org/glusterblock 8d gluster-container (default) kubernetes.io/glusterfs 8d
If the result has a default storage class that does not list
glusterfs
or if the result is empty, you do not need to make any changes. In this case, skip the rest of this procedure.To save the configuration of the default storage class into a YAML file, enter the following command:
oc get storageclass <class-name> -o yaml >storage_config.yaml
Replace
<class-name>
with the name of the default storage class. Example:oc get storageclass gluster-container -o yaml >storage_config.yaml
Edit the
storage_config.yaml
file:Remove the lines with the following keys:
-
creationTimestamp
-
resourceVersion
-
selfLink
-
uid
-
If you are planning to use Business Central only as a single pod, without high-availability configuration, on the line with the
volumeoptions
key, add the following options:features.cache-invalidation on performance.nl-cache on
For example:
volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, performance.nl-cache on
If you are planning to use Business Central in a high-availability configuration, on the line with the
volumeoptions
key, add the following options:features.cache-invalidation on nfs.trusted-write on nfs.trusted-sync on performance.nl-cache on performance.stat-prefetch off performance.read-ahead off performance.write-behind off performance.readdir-ahead off performance.io-cache off performance.quick-read off performance.open-behind off locks.mandatory-locking off performance.strict-o-direct on
For example:
volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, nfs.trusted-write on, nfs.trusted-sync on, performance.nl-cache on, performance.stat-prefetch off, performance.read-ahead off, performance.write-behind off, performance.readdir-ahead off, performance.io-cache off, performance.quick-read off, performance.open-behind off, locks.mandatory-locking off, performance.strict-o-direct on
To remove the existing default storage class, enter the following command:
oc delete storageclass <class-name>
Replace
<class-name>
with the name of the default storage class. Example:oc delete storageclass gluster-container
To re-create the storage class using the new configuration, enter the following command:
oc create -f storage_config.yaml
6.7. Provisioning persistent volumes with ReadWriteMany
access mode using NFS
If you want to deploy high-availability Business Central, your environment must provision persistent volumes with ReadWriteMany
access mode. If you want to deploy high-availability Business Central, your environment must provision persistent volumes with ReadWriteMany
access mode.
If you want to deploy a high-availability authoring environment, for optimal performance and reliability, provision persistent volumes using GlusterFS. Configure the GlusterFS storage class as described in Section 6.6, “Changing GlusterFS configuration”.
If your configuration requires provisioning persistent volumes with ReadWriteMany
access mode but your environment does not support such provisioning, use NFS to provision the volumes. Otherwise, skip this procedure.
Procedure
Deploy an NFS server and provision the persistent volumes using NFS. For information about provisioning persistent volumes using NFS, see the "Persistent storage using NFS" section of the Configuring Clusters guide in the Red Hat OpenShift Container Platform 3.11 documentation.
6.8. Extracting the source code from Business Central for use in an S2I build
If you are planning to create immutable KIE servers using the source-to-image (S2I) process, you must provide the source code for your services in a Git repository. If you are using Business Central for authoring services, you can extract the source code for your service and place it into a separate Git repository, such as GitHub or an on-premise installation of GitLab, for use in the S2I build.
Skip this procedure if you are not planning to use the S2I process or if you are not using Business Central for authoring services.
Procedure
Use the following command to extract the source code:
git clone https://<decision-central-host>:443/git/<MySpace>/<MyProject>
In this command, replace the following variables:
-
<decision-central-host>
with the host on which Business Central is running -
<MySpace>
with the name of the Business Central space in which the project is located -
<MyProject>
with the name of the project
NoteTo view the full Git URL for a project in Business Central, click Menu → Design → <MyProject> → Settings.
NoteIf you are using self-signed certificates for HTTPS communication, the command might fail with an
SSL certificate problem
error message. In this case, disable SSL certificate verification ingit
, for example, using theGIT_SSL_NO_VERIFY
environment variable:env GIT_SSL_NO_VERIFY=true git clone https://<decision-central-host>:443/git/<MySpace>/<MyProject>
-
- Upload the source code to another Git repository, such as GitHub or GitLab, for the S2I build.
6.9. Preparing a Maven mirror repository for offline use
If your Red Hat OpenShift Container Platform environment does not have outgoing access to the public Internet, you must prepare a Maven repository with a mirror of all the necessary artifacts and make this repository available to your environment.
You do not need to complete this procedure if your Red Hat OpenShift Container Platform environment is connected to the Internet.
Prerequisites
- A computer that has outgoing access to the public Internet is available.
Procedure
Configure a Maven release repository to which you have write access. The repository must allow read access without authentication and your OpenShift environment must have network access to this repository.
You can deploy a Nexus repository manager in the OpenShift environment. For instructions about setting up Nexus on OpenShift, see Setting up Nexus in the Red Hat OpenShift Container Platform 3.11 documentation.
Use this repository as a mirror to host the publicly available Maven artifacts. You can also provide your own services in this repository in order to deploy these services on immutable servers.
On the computer that has an outgoing connection to the public Internet, complete the following steps:
-
Click Red Hat Process Automation Manager 7.9.1 Offliner Content List to download the
rhdm-7.9.1-offliner.zip
product deliverable file from the Software Downloads page of the Red Hat Customer Portal. -
Extract the contents of the
rhdm-7.9.1-offliner.zip
file into any directory. Change to the directory and enter the following command:
./offline-repo-builder.sh offliner.txt
This command creates a
repository
subdirectory and downloads the necessary artifacts into this subdirectory.If a message reports that some downloads have failed, run the same command again. If downloads fail again, contact Red Hat support.
-
Upload all artifacts from the
repository
subdirectory to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility, available from the Maven repository tools Git repository, to upload the artifacts.
-
Click Red Hat Process Automation Manager 7.9.1 Offliner Content List to download the
If you developed services outside Business Central and they have additional dependencies, add the dependencies to the mirror repository. If you developed the services as Maven projects, you can use the following steps to prepare these dependencies automatically. Complete the steps on the computer that has an outgoing connection to the public Internet.
-
Create a backup of the local Maven cache directory (
~/.m2/repository
) and then clear the directory. -
Build the source of your projects using the
mvn clean install
command. For every project, enter the following command to ensure that Maven downloads all runtime dependencies for all the artifacts generated by the project:
mvn -e -DskipTests dependency:go-offline -f /path/to/project/pom.xml --batch-mode -Djava.net.preferIPv4Stack=true
Replace
/path/to/project/pom.xml
with the correct path to thepom.xml
file of the project.-
Upload all artifacts from the local Maven cache directory (
~/.m2/repository
) to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility, available from the Maven repository tools Git repository, to upload the artifacts.
-
Create a backup of the local Maven cache directory (