Chapter 7. Preparation for deploying Red Hat Process Automation Manager in your OpenShift environment

Before deploying Red Hat Process Automation Manager in your OpenShift environment, you must complete several procedures. You do not need to repeat these procedures if you want to deploy additional images, for example, for new versions of processes or for other processes.

Note

If you are deploying a trial environment, complete the procedure described in Section 7.1, “Ensuring the availability of image streams and the image registry” and do not complete any other preparation procedures.

7.1. Ensuring the availability of image streams and the image registry

To deploy Red Hat Process Automation Manager components on Red Hat OpenShift Container Platform, you must ensure that OpenShift can download the correct images from the Red Hat registry. To download the images, OpenShift requires image streams, which contain the information about the location of images. OpenShift also must be configured to authenticate with the Red Hat registry using your service account user name and password.

Some versions of the OpenShift environment include the required image streams. You must check if they are available. If image streams are available in OpenShift by default, you can use them if the OpenShift infrastructure is configured for registry authentication server. The administrator must complete the registry authentication configuration when installing the OpenShift environment.

Otherwise, you can configure registry authentication in your own project and install the image streams in that project.

Procedure

  1. Determine whether Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access. For details about the required configuration, see Configuring a Registry Location. If you are using an OpenShift Online subscription, it is configured for Red Hat registry access.
  2. If Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access, enter the following commands:

    $ oc get imagestreamtag -n openshift | grep -F rhpam-businesscentral | grep -F 7.11
    $ oc get imagestreamtag -n openshift | grep -F rhpam-kieserver | grep -F 7.11

    If the outputs of both commands are not empty, the required image streams are available in the openshift namespace and no further action is required.

  3. If the output of one or both of the commands is empty or if OpenShift is not configured with the user name and password for Red Hat registry access, complete the following steps:

    1. Ensure you are logged in to OpenShift with the oc command and that your project is active.
    2. Complete the steps documented in Registry Service Accounts for Shared Environments. You must log in to the Red Hat Customer Portal to access the document and to complete the steps to create a registry service account.
    3. Select the OpenShift Secret tab and click the link under Download secret to download the YAML secret file.
    4. View the downloaded file and note the name that is listed in the name: entry.
    5. Enter the following commands:

      oc create -f <file_name>.yaml
      oc secrets link default <secret_name> --for=pull
      oc secrets link builder <secret_name> --for=pull

      Replace <file_name> with the name of the downloaded file and <secret_name> with the name that is listed in the name: entry of the file.

    6. Download the rhpam-7.11.0-openshift-templates.zip product deliverable file from the Software Downloads page and extract the rhpam711-image-streams.yaml file.
    7. Enter the following command:

      $ oc apply -f rhpam711-image-streams.yaml
      Note

      If you complete these steps, you install the image streams into the namespace of your project. In this case, when you deploy the templates, you must set the IMAGE_STREAM_NAMESPACE parameter to the name of this project.

7.2. Creating the secrets for KIE Server

OpenShift uses objects called secrets to hold sensitive information such as passwords or keystores. For more information about OpenShift secrets, see the Secrets chapter in the Red Hat OpenShift Container Platform documentation.

You must create an SSL certificate for HTTP access to KIE Server and provide it to your OpenShift environment as a secret.

Procedure

  1. Generate an SSL keystore named keystore.jks with a private and public key for SSL encryption for KIE Server. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for KIE Server.

  2. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  3. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.
  4. Use the oc command to generate a secret named kieserver-app-secret from the new keystore file:

    $ oc create secret generic kieserver-app-secret --from-file=keystore.jks

7.3. Creating the secrets for Business Central

If your environment includes Business Central or Business Central Monitoring, you must create an SSL certificate for HTTP access to Business Central and provide it to your OpenShift environment as a secret.

Do not use the same certificate and keystore for Business Central and KIE Server.

Procedure

  1. Generate an SSL keystore named keystore.jks with a private and public key for SSL encryption for Business Central. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for Business Central.

  2. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  3. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.
  4. Use the oc command to generate a secret named businesscentral-app-secret from the new keystore file:

    $ oc create secret generic businesscentral-app-secret --from-file=keystore.jks

7.4. Creating the secrets for Smart Router

If your environment includes Smart Router, you must create an SSL certificate for HTTP access to Smart Router and provide it to your OpenShift environment as a secret.

Do not use the same certificate and keystore for Smart Router as the ones used for KIE Server or Business Central.

Procedure

  1. Generate an SSL keystore named keystore.jks with a private and public key for SSL encryption for Smart Router. For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.

    Note

    In a production environment, generate a valid signed certificate that matches the expected URL for Smart Router.

  2. Record the name of the certificate. The default value for this name in Red Hat Process Automation Manager configuration is jboss.
  3. Record the password of the keystore file. The default value for this name in Red Hat Process Automation Manager configuration is mykeystorepass.
  4. Use the oc command to generate a secret named smartrouter-app-secret from the new keystore file:

    $ oc create secret generic smartrouter-app-secret --from-file=keystore.jks

7.5. Creating the secret for the administrative user

You must create a generic secret that contains the user name and password for a Red Hat Process Automation Manager administrative user account. This secret is required for deploying Red Hat Process Automation Manager using any template except the trial template.

The secret must contain the user name and password as literals. The key name for the user name is KIE_ADMIN_USER. The key name for the password is KIE_ADMIN_PWD.

If you are using multiple templates to deploy components of Red Hat Process Automation Manager, use the same secret for all these deployments. The components utilize this user account to communicate with each other.

If your environment includes Business Central or Business Central Monitoring, you can also use this user account to log in to Business Central or Business Central Monitoring.

Important

If you use RH-SSO or LDAP authentication, the same user with the same password must be configured in your authentication system with the kie-server,rest-all,admin roles for Red Hat Process Automation Manager.

Procedure

Use the oc command to generate a generic secret named kie-admin-user-secret from the user name and password:

$ oc create secret generic rhpam-credentials --from-literal=KIE_ADMIN_USER=adminUser --from-literal=KIE_ADMIN_PWD=adminPassword

In this command, replace adminPassword with the password for the administrative user. Optionally, you can replace adminUser with another user name for the administrative user.

7.6. Changing GlusterFS configuration

If you are deploying an authoring environment, you must check whether your OpenShift environment uses GlusterFS to provide permanent storage volumes. If it uses GlusterFS, to ensure optimal performance of Business Central, you must tune your GlusterFS storage by changing the storage class configuration.

Procedure

  1. To check whether your environment uses GlusterFS, enter the following command:

    oc get storageclass

    In the results, check whether the (default) marker is on the storage class that lists glusterfs. For example, in the following output the default storage class is gluster-container, which does list glusterfs:

    NAME              PROVISIONER                       AGE
    gluster-block     gluster.org/glusterblock          8d
    gluster-container (default) kubernetes.io/glusterfs 8d

    If the result has a default storage class that does not list glusterfs or if the result is empty, you do not need to make any changes. In this case, skip the rest of this procedure.

  2. To save the configuration of the default storage class into a YAML file, enter the following command:

    oc get storageclass <class-name> -o yaml >storage_config.yaml

    Replace <class-name> with the name of the default storage class. Example:

    oc get storageclass gluster-container -o yaml >storage_config.yaml
  3. Edit the storage_config.yaml file:

    1. Remove the lines with the following keys:

      • creationTimestamp
      • resourceVersion
      • selfLink
      • uid
    2. If you are planning to use Business Central only as a single pod, without high-availability configuration, on the line with the volumeoptions key, add the following options:

      features.cache-invalidation on
      performance.nl-cache on

      For example:

      volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, performance.nl-cache on

    3. If you are planning to use Business Central in a high-availability configuration, on the line with the volumeoptions key, add the following options:

      features.cache-invalidation on
      nfs.trusted-write on
      nfs.trusted-sync on
      performance.nl-cache on
      performance.stat-prefetch off
      performance.read-ahead off
      performance.write-behind off
      performance.readdir-ahead off
      performance.io-cache off
      performance.quick-read off
      performance.open-behind off
      locks.mandatory-locking off
      performance.strict-o-direct on

      For example:

      volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, nfs.trusted-write on, nfs.trusted-sync on, performance.nl-cache on, performance.stat-prefetch off, performance.read-ahead off, performance.write-behind off, performance.readdir-ahead off, performance.io-cache off, performance.quick-read off, performance.open-behind off, locks.mandatory-locking off, performance.strict-o-direct on

  4. To remove the existing default storage class, enter the following command:

    oc delete storageclass <class-name>

    Replace <class-name> with the name of the default storage class. Example:

    oc delete storageclass gluster-container
  5. To re-create the storage class using the new configuration, enter the following command:

    oc create -f storage_config.yaml

7.7. Provisioning persistent volumes with ReadWriteMany access mode using NFS

If you want to deploy Business Central Monitoring or high-availability Business Central, your environment must provision persistent volumes with ReadWriteMany access mode.

Note

If you want to deploy a high-availability authoring environment, for optimal performance and reliability, provision persistent volumes using GlusterFS. Configure the GlusterFS storage class as described in Section 7.6, “Changing GlusterFS configuration”.

If your configuration requires provisioning persistent volumes with ReadWriteMany access mode but your environment does not support such provisioning, use NFS to provision the volumes. Otherwise, skip this procedure.

Procedure

Deploy an NFS server and provision the persistent volumes using NFS. For information about provisioning persistent volumes using NFS, see the "Persistent storage using NFS" section of the Configuring Clusters guide in the Red Hat OpenShift Container Platform 3.11 documentation.

7.8. Extracting the source code from Business Central for use in an S2I build

If you are planning to create immutable KIE servers using the source-to-image (S2I) process, you must provide the source code for your services in a Git repository. If you are using Business Central for authoring services, you can extract the source code for your service and place it into a separate Git repository, such as GitHub or an on-premise installation of GitLab, for use in the S2I build.

Skip this procedure if you are not planning to use the S2I process or if you are not using Business Central for authoring services.

Procedure

  1. Use the following command to extract the source code:

    git clone https://<business-central-host>:443/git/<MySpace>/<MyProject>

    In this command, replace the following variables:

    • <business-central-host> with the host on which Business Central is running
    • <MySpace> with the name of the Business Central space in which the project is located
    • <MyProject> with the name of the project
    Note

    To view the full Git URL for a project in Business Central, click MenuDesign<MyProject>Settings.

    Note

    If you are using self-signed certificates for HTTPS communication, the command might fail with an SSL certificate problem error message. In this case, disable SSL certificate verification in git, for example, using the GIT_SSL_NO_VERIFY environment variable:

    env GIT_SSL_NO_VERIFY=true git clone https://<business-central-host>:443/git/<MySpace>/<MyProject>
  2. Upload the source code to another Git repository, such as GitHub or GitLab, for the S2I build.

7.9. Preparing a Maven mirror repository for offline use

If your Red Hat OpenShift Container Platform environment does not have outgoing access to the public Internet, you must prepare a Maven repository with a mirror of all the necessary artifacts and make this repository available to your environment.

Note

You do not need to complete this procedure if your Red Hat OpenShift Container Platform environment is connected to the Internet.

Prerequisites

  • A computer that has outgoing access to the public Internet is available.

Procedure

  1. Configure a Maven release repository to which you have write access. The repository must allow read access without authentication and your OpenShift environment must have network access to this repository.

    You can deploy a Nexus repository manager in the OpenShift environment. For instructions about setting up Nexus on OpenShift, see Setting up Nexus in the Red Hat OpenShift Container Platform 3.11 documentation.

    Use this repository as a mirror to host the publicly available Maven artifacts. You can also provide your own services in this repository in order to deploy these services on immutable servers or to deploy them on managed servers using Business Central monitoring.

  2. On the computer that has an outgoing connection to the public Internet, complete the following steps:
  3. Navigate to the Software Downloads page in the Red Hat Customer Portal (login required), and select the product and version from the drop-down options:

    • Product: Red Hat Process Automation Manager
    • Version: 7.11

      1. Download and extract the Red Hat Process Automation Manager 7.11.0 Offliner Content List (rhpam-7.11.0-offliner.zip) product deliverable file.
      2. Extract the contents of the rhpam-7.11.0-offliner.zip file into any directory.
      3. Change to the directory and enter the following command:

        ./offline-repo-builder.sh offliner.txt

        This command creates the repository subdirectory and downloads the necessary artifacts into this subdirectory. This is the mirror repository.

        If a message reports that some downloads have failed, run the same command again. If downloads fail again, contact Red Hat support.

      4. Upload all artifacts from the repository subdirectory to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility, available from the Maven repository tools Git repository, to upload the artifacts.
  4. If you developed services outside of Business Central and they have additional dependencies, add the dependencies to the mirror repository. If you developed the services as Maven projects, you can use the following steps to prepare these dependencies automatically. Complete the steps on the computer that has an outgoing connection to the public Internet.

    1. Create a backup of the local Maven cache directory (~/.m2/repository) and then clear the directory.
    2. Build the source of your projects using the mvn clean install command.
    3. For every project, enter the following command to ensure that Maven downloads all runtime dependencies for all the artifacts generated by the project:

      mvn -e -DskipTests dependency:go-offline -f /path/to/project/pom.xml --batch-mode -Djava.net.preferIPv4Stack=true

      Replace /path/to/project/pom.xml with the path of the pom.xml file of the project.

    4. Upload all artifacts from the local Maven cache directory (~/.m2/repository) to the Maven mirror repository that you prepared. You can use the Maven Repository Provisioner utility, available from the Maven repository tools Git repository, to upload the artifacts.

7.10. Building a custom KIE Server extension image for an external database

If you want to use an external database server for a KIE Server and the database server is not a MySQL or PostgreSQL server, you must build a custom KIE Server extension image with drivers for this server before deploying your environment.

Complete the steps in this build procedure to provide drivers for any of the following database servers:

  • Microsoft SQL Server
  • IBM DB2
  • Oracle Database
  • Sybase

Optionally, you can use this procedure to build a new version of drivers for any of the following database servers:

  • MySQL
  • MariaDB
  • PostgreSQL

For the supported versions of the database servers, see Red Hat Process Automation Manager 7 Supported Configurations.

The build procedure creates a custom extension image that extends the existing KIE Server image. You must import this custom extension image into your OpenShift environment and then reference it in the EXTENSIONS_IMAGE parameter.

Prerequisites

  • You are logged in to your OpenShift environment using the oc command. Your OpenShift user must have the registry-editor role.
  • For Oracle Database, IBM DB2, or Sybase, you downloaded the JDBC driver from the database server vendor.
  • You have installed the following required software:

    • Docker: For installation instructions, see Get Docker.
    • CEKit version 3.8.0: For installation instructions, see Installation.
    • The following libraries and extensions for CEKit. For more information, see Dependencies.

      • docker, provided by the python3-docker package or similar package
      • docker-squash, provided by the python3-docker-squash package or similar package
      • behave, provided by the python3-behave package or similar package

Procedure

  1. For IBM DB2, Oracle Database, or Sybase, provide the JDBC driver JAR file in a local directory.
  2. Download the rhpam-7.11.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat Customer Portal.
  3. Unzip the file and, using the command line, change to the templates/contrib/jdbc/cekit directory of the unzipped file. This directory contains the source code for the custom build.
  4. Enter one of the following commands, depending on the database server type:

    • For Microsoft SQL Server:

      make mssql
    • For MySQL:

      make mysql
    • For PostgreSQL:

      make postgresql
    • For MariaDB:

      make mariadb
    • For IBM DB2:

      make db2 artifact=/tmp/db2jcc4.jar version=10.2

      In this command, replace /tmp/db2jcc4.jar with the path name of the IBM DB2 driver and 10.2 with the version of the driver.

    • For Oracle Database:

      make oracle artifact=/tmp/ojdbc7.jar version=7.0

      In this command, replace /tmp/ojdbc7.jar with the path name of the Oracle Database driver and 7.0 with the version of the driver.

    • For Sybase:

      make build sybase artifact=/tmp/jconn4-16.0_PL05.jar version=16.0_PL05

      In this command, replace /tmp/jconn4-16.0_PL05.jar with the path name of the downloaded Sybase driver and 16.0_PL05 with the version of the driver.

      Alternatively, if you need to update the driver class or driver XA class for the Sybase driver, you can set the DRIVER_CLASS or DRIVER_XA_CLASS variable for this command, for example:

      export DRIVER_CLASS=another.class.Sybase && make sybase artifact=/tmp/jconn4-16.0_PL05.jar version=16.0_PL05
  5. Enter the following command to list the Docker images that are available locally:

    docker images

    Note the name of the image that was built, for example, jboss-kie-db2-extension-openshift-image, and the version tag of the image, for example, 11.1.4.4 (not the latest tag).

  6. Access the registry of your OpenShift environment directly and push the image to the registry. Depending on your user permissions, you can push the image into the openshift namespace or into a project namespace. For instructions about accessing the registry and pushing the images, see Accessing the Registry Directly in the Red Hat OpenShift Container Platform product documentation.
  7. When configuring your KIE Server deployment with a template that supports an external database server, set the following parameters:

    • Drivers Extension Image (EXTENSIONS_IMAGE): The ImageStreamTag definition of the extension image, for example, jboss-kie-db2-extension-openshift-image:11.1.4.4
    • Drivers ImageStream Namespace (EXTENSIONS_IMAGE_NAMESPACE): The namespace to which you uploaded the extension image, for example, openshift or your project namespace.