Chapter 15. OpenShift template reference information

Red Hat Process Automation Manager provides the following OpenShift templates. To access the templates, download and extract the rhpam-7.12.0-openshift-templates.zip product deliverable file from the Software Downloads page of the Red Hat customer portal.

  • rhpam712-trial-ephemeral.yaml provides a Business Central instance and a KIE Server instance connected to the Business Central instance. This environment uses an ephemeral configuration without any persistent storage. For details about this template, see Section 15.1, “rhpam712-trial-ephemeral.yaml template”.
  • rhpam712-authoring.yaml provides a Business Central instance and a KIE Server instance connected to the Business Central instance. the KIE Server instance uses an H2 database with persistent storage. You can use this environment to author processes, services, and other business assets. For details about this template, see Section 15.2, “rhpam712-authoring.yaml template”.
  • rhpam712-authoring-ha.yaml provides a high-availability Business Central, a KIE Server instance connected to the Business Central instance, and a MySQL instance that the KIE Server instance uses. You can use this environment to author processes, services, and other business assets. For details about this template, see Section 15.3, “rhpam712-authoring-ha.yaml template”.
  • rhpam712-prod-immutable-monitor.yaml provides a Business Central Monitoring instance and a Smart Router that you can use with immutable KIE Servers. When you deploy this template, OpenShift displays the settings that you must then use for deploying the rhpam712-prod-immutable-kieserver.yaml template. For details about this template, see Section 15.4, “rhpam712-prod-immutable-monitor.yaml template”.
  • rhpam712-prod-immutable-kieserver.yaml provides an immutable KIE Server instance. When you deploy this template, a source-to-image (S2I) build is triggered for one or several services that are to run on the KIE Server instance. the KIE Server instance can optionally be configured to connect to the Business Central Monitoring instance and Smart Router provided by rhpam712-prod-immutable-monitor.yaml. For details about this template, see Section 15.5, “rhpam712-prod-immutable-kieserver.yaml template”.
  • rhpam712-prod-immutable-kieserver-amq.yaml provides an immutable KIE Server instance. When you deploy this template, a source-to-image (S2I) build is triggered for one or several services that are to run on the KIE Server instance. the KIE Server instance can optionally be configured to connect to the Business Central Monitoring instance and Smart Router provided by rhpam712-prod-immutable-monitor.yaml. This version of the template includes JMS integration. For details about this template, see Section 15.6, “rhpam712-prod-immutable-kieserver-amq.yaml template”.
  • rhpam712-kieserver-externaldb.yaml provides a KIE Server instance that uses an external database. You can configure the KIE Server instance to connect to a Business Central instance. Also, you can copy sections from this template into another template to configure a KIE Server instance in the other template to use an external database. For details about this template, see Section 15.7, “rhpam712-kieserver-externaldb.yaml template”.
  • rhpam712-kieserver-mysql.yaml provides a KIE Server instance and a MySQL instance that the KIE Server instance uses. You can configure the KIE Server instance to connect to a Business Central instance. Also, you can copy sections from this template into another template to configure a KIE Server instance in the other template to use MySQL and to provide the MySQL instance. For details about this template, see Section 15.8, “rhpam712-kieserver-mysql.yaml template”.
  • rhpam712-kieserver-postgresql.yaml provides a KIE Server instance and a PostgreSQL instance that the KIE Server instance uses. You can configure the KIE Server instance to connect to a Business Central instance. Also, you can copy sections from this template into another template to configure a KIE Server instance in the other template to use PostgreSQL and to provide the PostgreSQL instance. For details about this template, see Section 15.9, “rhpam712-kieserver-postgresql.yaml template”.
  • rhpam712-managed.yaml provides a high-availability Business Central Monitoring instance, a KIE Server instance, and a PostgreSQL instance that the KIE Server instance uses. OpenShiftStartupStrategy is enabled, ensuring that the Business Central Monitoring instance can connect to other KIE Server instances in the same project automatically, as long as these instances have OpenShiftStartupStrategy enabled as well. For details about this template, see Section 15.10, “rhpam712-managed.yaml template”.
  • rhpam712-prod.yaml provides a high-availability Business Central Monitoring instance, a Smart Router, two distinct KIE Servers connected to the Business Central instance and to the Smart Router, and two PostgreSQL instances. Each KIE Server uses its own PostgreSQL instance. You can use this environment to execute business assets in a production or staging environment. You can configure the number of replicas for each component. For details about this template, see Section 15.11, “rhpam712-prod.yaml template”.

15.1. rhpam712-trial-ephemeral.yaml template

Application template for an ephemeral authoring and testing environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.1.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

DEFAULT_PASSWORD

KIE_ADMIN_PWD

Default password used for multiple components for user convenience in this trial environment.

RedHat

True

KIE_ADMIN_USER

KIE_ADMIN_USER

KIE administrator user name.

adminUser

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations e.g. queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

DEVELOPMENT

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_ACCESS_CONTROL_ALLOW_ORIGIN

AC_ALLOW_ORIGIN_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Origin response header value in the KIE Server (useful for CORS support).

*

False

KIE_SERVER_ACCESS_CONTROL_ALLOW_METHODS

AC_ALLOW_METHODS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Methods response header value in the KIE Server (useful for CORS support).

GET, POST, OPTIONS, PUT

False

KIE_SERVER_ACCESS_CONTROL_ALLOW_HEADERS

AC_ALLOW_HEADERS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Headers response header value in the KIE Server (useful for CORS support).

Accept, Authorization, Content-Type, X-Requested-With

False

KIE_SERVER_ACCESS_CONTROL_ALLOW_CREDENTIALS

AC_ALLOW_CREDENTIALS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Credentials response header value in the KIE Server (useful for CORS support).

true

False

KIE_SERVER_ACCESS_CONTROL_MAX_AGE

AC_MAX_AGE_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Max-Age response header value in the KIE Server (useful for CORS support).

1

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

false

False

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

true

False

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

5000

False

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

 — 

False

MAVEN_REPO_ID

MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

repo-custom

False

MAVEN_REPO_URL

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

GIT_HOOKS_DIR

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

/opt/kie/data/git/hooks

False

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Container memory limit.

2Gi

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

1Gi

False

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.1.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.1.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentr

8080

http

All the Business Central web server’s ports.

${APPLICATION_NAME}-kieserver

8080

 — 

All the KIE Server web server’s ports.

15.1.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-rhpamcentr-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

15.1.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.1.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentr

ImageChange

${APPLICATION_NAME}-kieserver

ImageChange

15.1.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentr

1

${APPLICATION_NAME}-kieserver

1

15.1.2.3.3. Pod Template
15.1.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-rhpamcentr

${APPLICATION_NAME}-rhpamsvc

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-rhpamsvc

15.1.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentr

rhpam-businesscentral-rhel8

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

15.1.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/ready

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

15.1.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/healthy

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

15.1.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentr

jolokia

8778

TCP

http

8080

TCP

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

15.1.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentr

WORKBENCH_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-rhpamcentr

KIE_ADMIN_USER

KIE administrator user name.

${KIE_ADMIN_USER}

KIE_ADMIN_PWD

Default password used for multiple components for user convenience in this trial environment.

${DEFAULT_PASSWORD}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED

 — 

true

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED}

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE}

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

${KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL}

MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

${MAVEN_REPO_ID}

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

${GIT_HOOKS_DIR}

KUBERNETES_NAMESPACE

 — 

 — 

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

 — 

${APPLICATION_NAME}-rhpamcentr

KIE_ADMIN_USER

KIE administrator user name.

${KIE_ADMIN_USER}

KIE_ADMIN_PWD

Default password used for multiple components for user convenience in this trial environment.

${DEFAULT_PASSWORD}

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations e.g. queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-kieserver

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentr

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

KIE administrator user name.

${KIE_ADMIN_USER}

RHPAMCENTR_MAVEN_REPO_PASSWORD

Default password used for multiple components for user convenience in this trial environment.

${DEFAULT_PASSWORD}

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KUBERNETES_NAMESPACE

 — 

 — 

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

FILTERS

 — 

AC_ALLOW_ORIGIN,AC_ALLOW_METHODS,AC_ALLOW_HEADERS,AC_ALLOW_CREDENTIALS,AC_MAX_AGE

AC_ALLOW_ORIGIN_FILTER_RESPONSE_HEADER_NAME

 — 

Access-Control-Allow-Origin

AC_ALLOW_ORIGIN_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Origin response header value in the KIE Server (useful for CORS support).

${KIE_SERVER_ACCESS_CONTROL_ALLOW_ORIGIN}

AC_ALLOW_METHODS_FILTER_RESPONSE_HEADER_NAME

 — 

Access-Control-Allow-Methods

AC_ALLOW_METHODS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Methods response header value in the KIE Server (useful for CORS support).

${KIE_SERVER_ACCESS_CONTROL_ALLOW_METHODS}

AC_ALLOW_HEADERS_FILTER_RESPONSE_HEADER_NAME

 — 

Access-Control-Allow-Headers

AC_ALLOW_HEADERS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Headers response header value in the KIE Server (useful for CORS support).

${KIE_SERVER_ACCESS_CONTROL_ALLOW_HEADERS}

AC_ALLOW_CREDENTIALS_FILTER_RESPONSE_HEADER_NAME

 — 

Access-Control-Allow-Credentials

AC_ALLOW_CREDENTIALS_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Allow-Credentials response header value in the KIE Server (useful for CORS support).

${KIE_SERVER_ACCESS_CONTROL_ALLOW_CREDENTIALS}

AC_MAX_AGE_FILTER_RESPONSE_HEADER_NAME

 — 

Access-Control-Max-Age

AC_MAX_AGE_FILTER_RESPONSE_HEADER_VALUE

Sets the Access-Control-Max-Age response header value in the KIE Server (useful for CORS support).

${KIE_SERVER_ACCESS_CONTROL_MAX_AGE}

15.1.2.4. External Dependencies

15.1.2.4.1. Secrets

This template requires the following secrets to be installed for the application to run.

15.2. rhpam712-authoring.yaml template

Application template for a non-HA persistent authoring environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.2.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values.

rhpam-credentials

True

KIE_SERVER_CONTROLLER_TOKEN

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

 — 

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

KIE_SERVER_PERSISTENCE_DS

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

KIE_SERVER_H2_USER

RHPAM_USERNAME

KIE Server H2 database user name.

sa

False

KIE_SERVER_H2_PWD

RHPAM_PASSWORD

KIE Server H2 database password.

 — 

False

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property)

DEVELOPMENT

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for the http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for the https service route for Business Central. Leave blank for default hostname, e.g.: <application-name>-rhpamcentr-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for the http service route for KIE Server. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for the https service route for KIE Server. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for Business Central.

businesscentral-app-secret

True

BUSINESS_CENTRAL_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

BUSINESS_CENTRAL_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

BUSINESS_CENTRAL_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for KIE Server.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

false

False

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

true

False

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

5000

False

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*,!repo-rhpamcentr

False

MAVEN_REPO_ID

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

GIT_HOOKS_DIR

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

/opt/kie/data/git/hooks

False

BUSINESS_CENTRAL_VOLUME_CAPACITY

 — 

Size of the persistent storage for Business Central runtime data.

1Gi

True

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Container memory limit.

4Gi

True

BUSINESS_CENTRAL_CPU_LIMIT

 — 

Business Central Container CPU limit.

2

True

BUSINESS_CENTRAL_CPU_REQUEST

 — 

Business Central Container CPU Request.

1500m

True

BUSINESS_CENTRAL_MEMORY_REQUEST

 — 

Business Central Container Memory Request.

3Gi

True

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory Request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU Request.

750m

True

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.2.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.2.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentr

8080

http

All the Business Central web server’s ports.

8443

https

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

15.2.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-rhpamcentr-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

${APPLICATION_NAME}-rhpamcentr-https

TLS passthrough

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.2.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.2.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentr

ImageChange

${APPLICATION_NAME}-kieserver

ImageChange

15.2.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentr

1

${APPLICATION_NAME}-kieserver

1

15.2.2.3.3. Pod Template
15.2.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-rhpamcentr

${APPLICATION_NAME}-rhpamsvc

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-rhpamsvc

15.2.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentr

rhpam-businesscentral-rhel8

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

15.2.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/ready

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

15.2.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/healthy

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

15.2.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentr

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

15.2.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentr

APPLICATION_USERS_PROPERTIES

 — 

/opt/kie/data/configuration/application-users.properties

APPLICATION_ROLES_PROPERTIES

 — 

/opt/kie/data/configuration/application-roles.properties

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED

 — 

false

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED}

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE}

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

${KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

${GIT_HOOKS_DIR}

HTTPS_KEYSTORE_DIR

 — 

/etc/businesscentral-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${BUSINESS_CENTRAL_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${BUSINESS_CENTRAL_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${BUSINESS_CENTRAL_HTTPS_PASSWORD}

WORKBENCH_ROUTE_NAME

 — 

${APPLICATION_NAME}-rhpamcentr

KUBERNETES_NAMESPACE

 — 

 — 

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for the http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for the https service route for Business Central. Leave blank for default hostname, e.g.: <application-name>-rhpamcentr-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

 — 

${APPLICATION_NAME}-rhpamcentr

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

 — 

rhpam7

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DRIVER

 — 

h2

RHPAM_USERNAME

KIE Server H2 database user name.

${KIE_SERVER_H2_USER}

RHPAM_PASSWORD

KIE Server H2 database password.

${KIE_SERVER_H2_PWD}

RHPAM_NONXA

 — 

false

RHPAM_XA_CONNECTION_PROPERTY_URL

 — 

jdbc:h2:/opt/kie/data/h2/rhpam;AUTO_SERVER=TRUE

KIE_SERVER_PERSISTENCE_DIALECT

 — 

org.hibernate.dialect.H2Dialect

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property)

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentr

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

ws

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-kieserver

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

KIE_SERVER_STARTUP_STRATEGY

 — 

ControllerBasedStartupStrategy

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentr

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

KUBERNETES_NAMESPACE

 — 

 — 

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for the http service route for KIE Server. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for the https service route for KIE Server. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

15.2.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-rhpamcentr

businesscentral-keystore-volume

/etc/businesscentral-secret-volume

ssl certs

True

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

15.2.2.4. External Dependencies

15.2.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-rhpamcentr-claim

ReadWriteOnce

${APPLICATION_NAME}-kie-claim

ReadWriteOnce

15.2.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • businesscentral-app-secret
  • kieserver-app-secret

15.3. rhpam712-authoring-ha.yaml template

Application template for a HA persistent authoring environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.3.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values.

rhpam-credentials

True

KIE_SERVER_CONTROLLER_TOKEN

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

 — 

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

MYSQL_USER

RHPAM_USERNAME

MySQL database user name.

rhpam

False

MYSQL_PWD

RHPAM_PASSWORD

MySQL database password.

 — 

False

MYSQL_DB

RHPAM_DATABASE

MySQL database name.

rhpam7

False

MYSQL_DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the KIE Server database volume.

1Gi

True

MYSQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the MySQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

MYSQL_IMAGE_STREAM_TAG

 — 

The MySQL image version, which is intended to correspond to the MySQL version. Default is "8.0".

8.0

False

KIE_SERVER_MYSQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server MySQL Hibernate dialect.

org.hibernate.dialect.MySQL8Dialect

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

DEVELOPMENT

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route for Business Central. Leave blank for default hostname, e.g.: <application-name>-rhpamcentr-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route for KIE Server. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route for KIE Server. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for Business Central.

businesscentral-app-secret

True

BUSINESS_CENTRAL_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret for Business Central.

keystore.jks

False

BUSINESS_CENTRAL_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate for Business Central.

jboss

False

BUSINESS_CENTRAL_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate for Business Central.

mykeystorepass

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for KIE Server.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret for KIE Server.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate for KIE Server.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate for KIE Server.

mykeystorepass

False

APPFORMER_JMS_BROKER_USER

APPFORMER_JMS_BROKER_USER

The user name for connecting to the JMS broker.

jmsBrokerUser

True

APPFORMER_JMS_BROKER_PASSWORD

APPFORMER_JMS_BROKER_PASSWORD

The password to connect to the JMS broker.

 — 

True

DATAGRID_IMAGE

 — 

DataGrid image.

registry.redhat.io/datagrid/datagrid-8-rhel8:1.2

True

DATAGRID_CPU_LIMIT

 — 

DataGrid Container CPU limit.

1000m

True

DATAGRID_MEMORY_LIMIT

 — 

DataGrid Container memory limit.

2Gi

True

DATAGRID_VOLUME_CAPACITY

 — 

Size of the persistent storage for DataGrid’s runtime data.

1Gi

True

AMQ_BROKER_IMAGE

 — 

AMQ Broker Image.

registry.redhat.io/amq7/amq-broker:7.8

True

AMQ_ROLE

 — 

User role for standard broker user.

admin

True

AMQ_NAME

 — 

The name of the broker.

broker

True

AMQ_GLOBAL_MAX_SIZE

 — 

Specifies the maximum amount of memory that message data can consume. If no value is specified, half of the system’s memory is allocated.

10 gb

False

AMQ_VOLUME_CAPACITY

 — 

Size of persistent storage for AMQ broker volume.

1Gi

True

AMQ_REPLICAS

 — 

Number of broker replicas for a cluster.

2

True

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

false

False

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

Enables connection to KIE Server via OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

true

False

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

5000

False

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStreams in a different namespace/project.

openshift

True

BUSINESS_CENTRAL_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for Business Central. Default is "rhpam-businesscentral-rhel8".

rhpam-businesscentral-rhel8

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*,!repo-rhpamcentr

False

MAVEN_REPO_ID

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

GIT_HOOKS_DIR

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

/opt/kie/data/git/hooks

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

60000

True

BUSINESS_CENTRAL_VOLUME_CAPACITY

 — 

Size of the persistent storage for Business Central runtime data.

1Gi

True

BUSINESS_CENTRAL_JAVA_MAX_MEM_RATIO

JAVA_MAX_MEM_RATIO

Business Central Container JVM max memory ratio. -Xmx is set to a ratio of the memory available on the container. The default is 80, which means the upper boundary is 80% of the available memory. To skip adding the -Xmx option, set this value to 0.

80

True

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Container memory limit.

4Gi

True

BUSINESS_CENTRAL_CPU_LIMIT

 — 

Business Central Container CPU limit.

2

True

BUSINESS_CENTRAL_CPU_REQUEST

 — 

Business Central Container CPU Request.

1500m

True

BUSINESS_CENTRAL_MEMORY_REQUEST

 — 

Business Central Container Memory Request.

3Gi

True

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory Request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU Request.

750m

True

BUSINESS_CENTRAL_CONTAINER_REPLICAS

 — 

Business Central Container Replicas, defines how many Business Central containers will be started.

2

True

KIE_SERVER_CONTAINER_REPLICAS

 — 

KIE Server Container Replicas, defines how many KIE Server containers will be started.

2

True

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

APPFORMER_INFINISPAN_USERNAME

APPFORMER_INFINISPAN_USERNAME

Username used for the Datagrid.

user

True

APPFORMER_INFINISPAN_PASSWORD

APPFORMER_INFINISPAN_PASSWORD

Password used for the Datagrid.

pass

True

15.3.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.3.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentr

8080

http

All the Business Central web server’s ports.

8443

https

${APPLICATION_NAME}-datagrid-ping

8888

ping

The JGroups ping port for clustering.

${APPLICATION_NAME}-datagrid

11222

hotrod

Provides a service for accessing the application over Hot Rod protocol.

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

${APPLICATION_NAME}-amq-tcp

61616

 — 

The broker’s OpenWire port.

ping

8888

 — 

The JGroups ping port for amq clustering.

${APPLICATION_NAME}-mysql

3306

 — 

The MySQL server’s port.

15.3.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-rhpamcentr-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

${APPLICATION_NAME}-rhpamcentr-https

TLS passthrough

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.3.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.3.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentr

ImageChange

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-mysql

ImageChange

15.3.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentr

2

${APPLICATION_NAME}-kieserver

2

${APPLICATION_NAME}-mysql

1

15.3.2.3.3. Pod Template
15.3.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-rhpamcentr

${APPLICATION_NAME}-rhpamsvc

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-rhpamsvc

15.3.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentr

${BUSINESS_CENTRAL_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-mysql

mysql

15.3.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/ready

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-mysql

/bin/sh -i -c MYSQL_PWD="$MYSQL_PASSWORD" mysql -h 127.0.0.1 -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'

15.3.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentr

Http Get on http://localhost:8080/rest/healthy

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-mysql

tcpSocket on port 3306

15.3.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentr

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-mysql

 — 

3306

TCP

15.3.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentr

APPLICATION_USERS_PROPERTIES

 — 

/opt/kie/data/configuration/application-users.properties

APPLICATION_ROLES_PROPERTIES

 — 

/opt/kie/data/configuration/application-roles.properties

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED

 — 

true

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED}

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

Enables connection to KIE Server via OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE}

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

${KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

WORKBENCH_ROUTE_NAME

 — 

${APPLICATION_NAME}-rhpamcentr

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

GIT_HOOKS_DIR

The directory to use for git hooks, if required.

${GIT_HOOKS_DIR}

HTTPS_KEYSTORE_DIR

 — 

/etc/businesscentral-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret for Business Central.

${BUSINESS_CENTRAL_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate for Business Central.

${BUSINESS_CENTRAL_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate for Business Central.

${BUSINESS_CENTRAL_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.rhpamcentr

APPFORMER_INFINISPAN_SERVICE_NAME

 — 

${APPLICATION_NAME}-datagrid

APPFORMER_INFINISPAN_PORT

 — 

11222

APPFORMER_INFINISPAN_USERNAME

Username used for the Datagrid.

${APPFORMER_INFINISPAN_USERNAME}

APPFORMER_INFINISPAN_PASSWORD

Password used for the Datagrid.

${APPFORMER_INFINISPAN_PASSWORD}

APPFORMER_INFINISPAN_SASL_QOP

 — 

auth

APPFORMER_INFINISPAN_SERVER_NAME

 — 

infinispan

APPFORMER_INFINISPAN_REALM

 — 

default

APPFORMER_JMS_BROKER_ADDRESS

 — 

${APPLICATION_NAME}-amq-tcp

APPFORMER_JMS_BROKER_PORT

 — 

61616

APPFORMER_JMS_BROKER_USER

The user name for connecting to the JMS broker.

${APPFORMER_JMS_BROKER_USER}

APPFORMER_JMS_BROKER_PASSWORD

The password to connect to the JMS broker.

${APPFORMER_JMS_BROKER_PASSWORD}

JAVA_MAX_MEM_RATIO

Business Central Container JVM max memory ratio. -Xmx is set to a ratio of the memory available on the container. The default is 80, which means the upper boundary is 80% of the available memory. To skip adding the -Xmx option, set this value to 0.

${BUSINESS_CENTRAL_JAVA_MAX_MEM_RATIO}

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route for Business Central. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentr-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route for Business Central. Leave blank for default hostname, e.g.: <application-name>-rhpamcentr-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

 — 

${APPLICATION_NAME}-rhpamcentr

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

MySQL database name.

${MYSQL_DB}

RHPAM_DRIVER

 — 

mariadb

RHPAM_USERNAME

MySQL database user name.

${MYSQL_USER}

RHPAM_PASSWORD

MySQL database password.

${MYSQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-mysql

RHPAM_SERVICE_PORT

 — 

3306

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server MySQL Hibernate dialect.

${KIE_SERVER_MYSQL_DIALECT}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentr

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

ws

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-kieserver

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

MAVEN_MIRROR_URL

Maven mirror that Business Central and KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for building and deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentr

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret for KIE Server.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate for KIE Server.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate for KIE Server.

${KIE_SERVER_HTTPS_PASSWORD}

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route for KIE Server. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route for KIE Server. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-mysql

MYSQL_USER

MySQL database user name.

${MYSQL_USER}

MYSQL_PASSWORD

MySQL database password.

${MYSQL_PWD}

MYSQL_DATABASE

MySQL database name.

${MYSQL_DB}

MYSQL_DEFAULT_AUTHENTICATION_PLUGIN

 — 

mysql_native_password

15.3.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-rhpamcentr

businesscentral-keystore-volume

/etc/businesscentral-secret-volume

ssl certs

True

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-mysql

${APPLICATION_NAME}-mysql-pvol

/var/lib/mysql/data

mysql

false

15.3.2.4. External Dependencies

15.3.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-rhpamcentr-claim

ReadWriteMany

${APPLICATION_NAME}-mysql-claim

ReadWriteOnce

15.3.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • businesscentral-app-secret
  • kieserver-app-secret
15.3.2.4.3. Clustering

Clustering in OpenShift EAP is achieved through Kubernetes discovery mechanism. This is done by configuring the JGroups protocol stack in standalone-openshift.xml with the <kubernetes.KUBE_PING/> element. The templates are configured to use kubernetes.KUBE_PING.

The discovery mechanism used is specified by the JGROUPS_PING_PROTOCOL environment variable which can be set to kubernetes.KUBE_PING. kubernetes.KUBE_PING is the default used by the image if no value is specified for JGROUPS_PING_PROTOCOL.

For kubernetes.KUBE_PING to work, the following steps must be taken:

  1. The KUBERNETES_NAMESPACE environment variable must be set using the kubernetes metadata.namespace assigned to the pod. If not set, the server will act as if it is a single-node cluster (a "cluster of one").
  2. The KUBERNETES_LABELS environment variables should be set (see table above). If not set, pods outside of your application (albeit in your namespace) will try to join.
  3. The value used as a KUBERNETES_LABELS must be added as a label in the respective deployment config. By convention the value is cluster=kubernetes.ping.<name>-cluster ,name used are console-cluster, consolemon-cluster, kieserver-cluster.
  4. Authorization must be granted to the service account the pod is running under to be allowed to access Kubernetes' REST api. This is done on the command line.

Example 15.1. Policy commands

Using the default service account in the myproject namespace:

oc policy add-role-to-user view system:serviceaccount:myproject:default -n myproject

Using the eap-service-account in the myproject namespace:

oc policy add-role-to-user view system:serviceaccount:myproject:eap-service-account -n myproject

15.4. rhpam712-prod-immutable-monitor.yaml template

Application template for a router and monitoring console in a production environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.4.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

repo-custom

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

false

False

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

true

False

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds (Sets the org.kie.server.controller.template.cache.ttl system property)

5000

False

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

False

SMART_ROUTER_HOSTNAME_HTTP

 — 

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-smartrouter-<project>.<default-domain-suffix>

 — 

False

SMART_ROUTER_HOSTNAME_HTTPS

 — 

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-smartrouter-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_ROUTER_ID

KIE_SERVER_ROUTER_ID

Router ID used in API communication. (Router property org.kie.server.router.id)

kie-server-router

True

KIE_SERVER_ROUTER_PROTOCOL

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

http

False

KIE_SERVER_ROUTER_URL_EXTERNAL

KIE_SERVER_ROUTER_URL_EXTERNAL

Public URL where the router can be found. Format http://<host>:<port> (Router property org.kie.server.router.url.external)

 — 

False

KIE_SERVER_ROUTER_NAME

KIE_SERVER_ROUTER_NAME

Router name used in the Business Central user interface. (Router property org.kie.server.router.name)

KIE Server Router

True

KIE_SERVER_ROUTER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

smartrouter-app-secret

True

KIE_SERVER_ROUTER_HTTPS_KEYSTORE

 — 

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_ROUTER_HTTPS_NAME

KIE_SERVER_ROUTER_TLS_KEYSTORE_KEYALIAS

The name associated with the server certificate.

jboss

False

KIE_SERVER_ROUTER_HTTPS_PASSWORD

KIE_SERVER_ROUTER_TLS_KEYSTORE_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_MONITOR_TOKEN

KIE_SERVER_CONTROLLER_TOKEN

KIE Server monitor token for bearer authentication. (Sets the org.kie.server.controller.token system property)

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

businesscentral-app-secret

True

BUSINESS_CENTRAL_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

BUSINESS_CENTRAL_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

BUSINESS_CENTRAL_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Container memory limit.

2Gi

True

BUSINESS_CENTRAL_MEMORY_REQUEST

 — 

Business Central Container memory request.

1536Mi

True

BUSINESS_CENTRAL_CPU_LIMIT

 — 

Business Central Container CPU limit.

1

True

BUSINESS_CENTRAL_CPU_REQUEST

 — 

Business Central Container CPU request.

750m

True

SMART_ROUTER_MEMORY_LIMIT

 — 

Smart Router Container memory limit.

512Mi

False

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.4.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.4.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentrmon

8080

http

All the Business Central Monitoring web server’s ports.

8443

https

${APPLICATION_NAME}-smartrouter

9000

http

The smart router server http and https ports.

9443

https

15.4.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-rhpamcentrmon-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

${APPLICATION_NAME}-rhpamcentrmon-https

TLS passthrough

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

insecure-${APPLICATION_NAME}-smartrouter-http

none

${SMART_ROUTER_HOSTNAME_HTTP}

${APPLICATION_NAME}-smartrouter-https

TLS passthrough

${SMART_ROUTER_HOSTNAME_HTTPS}

15.4.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.4.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentrmon

ImageChange

${APPLICATION_NAME}-smartrouter

ImageChange

15.4.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentrmon

1

${APPLICATION_NAME}-smartrouter

2

15.4.2.3.3. Pod Template
15.4.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-rhpamcentrmon

${APPLICATION_NAME}-rhpamsvc

${APPLICATION_NAME}-smartrouter

${APPLICATION_NAME}-smartrouter

15.4.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentrmon

rhpam-businesscentral-monitoring-rhel8

${APPLICATION_NAME}-smartrouter

rhpam-smartrouter-rhel8

15.4.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/ready

15.4.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/healthy

15.4.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentrmon

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-smartrouter

http

9000

TCP

15.4.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentrmon

APPLICATION_USERS_PROPERTIES

 — 

/opt/kie/data/configuration/application-users.properties

APPLICATION_ROLES_PROPERTIES

 — 

/opt/kie/data/configuration/application-roles.properties

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED

 — 

true

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED}

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE}

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds (Sets the org.kie.server.controller.template.cache.ttl system property)

${KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server monitor token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_MONITOR_TOKEN}

HTTPS_KEYSTORE_DIR

 — 

/etc/businesscentral-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${BUSINESS_CENTRAL_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${BUSINESS_CENTRAL_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${BUSINESS_CENTRAL_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.rhpamcentrmon

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_HOST

 — 

 — 

KIE_SERVER_ROUTER_PORT

 — 

9000

KIE_SERVER_ROUTER_PORT_TLS

 — 

9443

KIE_SERVER_ROUTER_URL_EXTERNAL

Public URL where the router can be found. Format http://<host>:<port> (Router property org.kie.server.router.url.external)

${KIE_SERVER_ROUTER_URL_EXTERNAL}

KIE_SERVER_ROUTER_ID

Router ID used in API communication. (Router property org.kie.server.router.id)

${KIE_SERVER_ROUTER_ID}

KIE_SERVER_ROUTER_NAME

Router name used in the Business Central user interface. (Router property org.kie.server.router.name)

${KIE_SERVER_ROUTER_NAME}

KIE_SERVER_ROUTER_ROUTE_NAME

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

${KIE_SERVER_ROUTER_PROTOCOL}

KIE_SERVER_ROUTER_TLS_KEYSTORE_KEYALIAS

The name associated with the server certificate.

${KIE_SERVER_ROUTER_HTTPS_NAME}

KIE_SERVER_ROUTER_TLS_KEYSTORE_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_ROUTER_HTTPS_PASSWORD}

KIE_SERVER_ROUTER_TLS_KEYSTORE

 — 

/etc/smartrouter-secret-volume/${KIE_SERVER_ROUTER_HTTPS_KEYSTORE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_CONTROLLER_TOKEN

KIE Server monitor token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_MONITOR_TOKEN}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentrmon

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

http

KIE_SERVER_ROUTER_REPO

 — 

/opt/rhpam-smartrouter/data

KIE_SERVER_ROUTER_CONFIG_WATCHER_ENABLED

 — 

true

15.4.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-rhpamcentrmon

businesscentral-keystore-volume

/etc/businesscentral-secret-volume

ssl certs

True

${APPLICATION_NAME}-smartrouter

${APPLICATION_NAME}-smartrouter

/opt/rhpam-smartrouter/data

 — 

false

15.4.2.4. External Dependencies

15.4.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-smartrouter-claim

ReadWriteMany

${APPLICATION_NAME}-rhpamcentr-claim

ReadWriteMany

15.4.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • smartrouter-app-secret
  • businesscentral-app-secret

15.5. rhpam712-prod-immutable-kieserver.yaml template

Application template for an immutable KIE Server in a production environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.5.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

POSTGRESQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the PostgreSQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

POSTGRESQL_IMAGE_STREAM_TAG

 — 

The PostgreSQL image version, which is intended to correspond to the PostgreSQL version. Default is "10".

10

False

KIE_SERVER_POSTGRESQL_USER

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

rhpam

False

KIE_SERVER_POSTGRESQL_PWD

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

 — 

False

KIE_SERVER_POSTGRESQL_DB

RHPAM_DATABASE

KIE Server PostgreSQL database name.

rhpam7

False

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

100

True

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_POSTGRESQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

org.hibernate.dialect.PostgreSQLDialect

True

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT

True

SOURCE_REPOSITORY_URL

 — 

Git source URI for application.

https://github.com/jboss-container-images/rhpam-7-openshift-image.git

True

SOURCE_REPOSITORY_REF

 — 

Git branch/tag reference.

main

False

CONTEXT_DIR

 — 

Path within Git project to build; empty for root project directory.

quickstarts/library-process/library

False

GITHUB_WEBHOOK_SECRET

 — 

GitHub trigger secret.

 — 

True

GENERIC_WEBHOOK_SECRET

 — 

Generic build trigger secret.

 — 

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror to use for S2I builds. If enabled, the mirror must contain all the artifacts necessary for building and running the required services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository.

 — 

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

ARTIFACT_DIR

 — 

List of directories from which archives will be copied into the deployment folder. If unspecified, all archives in /target will be copied.

 — 

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

30000

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

KIE_SERVER_MGMT_DISABLED

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. (Sets the property org.kie.server.mgmt.api.disabled to true)

true

True

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.5.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.5.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

${APPLICATION_NAME}-postgresql

5432

 — 

The database server’s port.

15.5.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.5.2.3. Build Configurations

A buildConfig describes a single build definition and a set of triggers for when a new build should be created. A buildConfig is a REST object, which can be used in a POST to the API server to create a new instance. Refer to the Openshift documentation for more information.

S2I imagelinkBuild outputBuildTriggers and Settings

rhpam-kieserver-rhel8:7.12.0

rhpam-7/rhpam-kieserver-rhel8

${APPLICATION_NAME}-kieserver:latest

GitHub, Generic, ImageChange, ConfigChange

15.5.2.4. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.5.2.4.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-postgresql

ImageChange

15.5.2.4.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-kieserver

2

${APPLICATION_NAME}-postgresql

1

15.5.2.4.3. Pod Template
15.5.2.4.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

15.5.2.4.3.2. Image
DeploymentImage

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-postgresql

postgresql

15.5.2.4.3.3. Readiness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container

15.5.2.4.3.4. Liveness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container --live

15.5.2.4.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql

 — 

5432

TCP

15.5.2.4.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

 — 

DEVELOPMENT

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-kieserver

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_MIRROR_URL

Maven mirror to use for S2I builds. If enabled, the mirror must contain all the artifacts necessary for building and running the required services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DRIVER

 — 

postgresql

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

${KIE_SERVER_POSTGRESQL_DIALECT}

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql

RHPAM_SERVICE_PORT

 — 

5432

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. (Sets the property org.kie.server.mgmt.api.disabled to true)

${KIE_SERVER_MGMT_DISABLED}

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql

POSTGRESQL_USER

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

15.5.2.4.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

15.5.2.5. External Dependencies

15.5.2.5.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-postgresql-claim

ReadWriteOnce

15.5.2.5.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • kieserver-app-secret

15.6. rhpam712-prod-immutable-kieserver-amq.yaml template

Application template for an immutable KIE Server in a production environment integrated with ActiveMQ, for Red Hat Process Automation Manager 7.12 - Deprecated

15.6.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

POSTGRESQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the PostgreSQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

POSTGRESQL_IMAGE_STREAM_TAG

 — 

The PostgreSQL image version, which is intended to correspond to the PostgreSQL version. Default is "10".

10

False

KIE_SERVER_POSTGRESQL_USER

RHPAM_USERNAME

KIE Server PostgreSQL database user name

rhpam

False

KIE_SERVER_POSTGRESQL_PWD

RHPAM_PASSWORD

KIE Server PostgreSQL database password

 — 

False

KIE_SERVER_POSTGRESQL_DB

RHPAM_DATABASE

KIE Server PostgreSQL database name

rhpam7

False

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

100

True

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT

True

SOURCE_REPOSITORY_URL

 — 

Git source URI for application

https://github.com/jboss-container-images/rhpam-7-openshift-image.git

True

SOURCE_REPOSITORY_REF

 — 

Git branch/tag reference

main

False

CONTEXT_DIR

 — 

Path within Git project to build; empty for root project directory.

quickstarts/library-process/library

False

GITHUB_WEBHOOK_SECRET

 — 

GitHub trigger secret

 — 

True

GENERIC_WEBHOOK_SECRET

 — 

Generic build trigger secret

 — 

True

MAVEN_MIRROR_URL

 — 

Maven mirror to use for S2I builds

 — 

False

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

my-repo-id

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository.

 — 

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

ARTIFACT_DIR

 — 

List of directories from which archives will be copied into the deployment folder. If unspecified, all archives in /target will be copied.

 — 

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

30000

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

KIE_SERVER_MGMT_DISABLED

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. (Sets the property org.kie.server.mgmt.api.disabled to true)

true

True

KIE_SERVER_EXECUTOR_JMS

KIE_SERVER_EXECUTOR_JMS

Enables the JMS executor, set false to disable it.

true

False

KIE_SERVER_EXECUTOR_JMS_TRANSACTED

KIE_SERVER_EXECUTOR_JMS_TRANSACTED

Enable transactions for JMS executor, disabled by default

false

False

KIE_SERVER_JMS_QUEUE_REQUEST

KIE_SERVER_JMS_QUEUE_REQUEST

JNDI name of request queue for JMS. The default value is queue/KIE.SERVER.REQUEST

queue/KIE.SERVER.REQUEST

False

KIE_SERVER_JMS_QUEUE_RESPONSE

KIE_SERVER_JMS_QUEUE_RESPONSE

JNDI name of response queue for JMS. The default value is queue/KIE.SERVER.RESPONSE

queue/KIE.SERVER.RESPONSE

False

KIE_SERVER_JMS_QUEUE_EXECUTOR

KIE_SERVER_JMS_QUEUE_EXECUTOR

JNDI name of response queue for JMS. The default value is queue/KIE.SERVER.RESPONSE

queue/KIE.SERVER.EXECUTOR

False

KIE_SERVER_JMS_ENABLE_SIGNAL

KIE_SERVER_JMS_ENABLE_SIGNAL

Enable the Signal configuration through JMS

true

False

KIE_SERVER_JMS_QUEUE_SIGNAL

KIE_SERVER_JMS_QUEUE_SIGNAL

JMS queue for signals

queue/KIE.SERVER.SIGNAL

False

KIE_SERVER_JMS_ENABLE_AUDIT

KIE_SERVER_JMS_ENABLE_AUDIT

Enable the Audit logging through JMS

true

False

KIE_SERVER_JMS_QUEUE_AUDIT

KIE_SERVER_JMS_QUEUE_AUDIT

JMS queue for audit logging

queue/KIE.SERVER.AUDIT

False

KIE_SERVER_JMS_AUDIT_TRANSACTED

KIE_SERVER_JMS_AUDIT_TRANSACTED

determines if JMS session is transacted or not - default true.

false

False

AMQ_USERNAME

AMQ_USERNAME

User name for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

 — 

False

AMQ_PASSWORD

AMQ_PASSWORD

Password for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

 — 

False

AMQ_ROLE

AMQ_ROLE

User role for standard broker user.

admin

True

AMQ_QUEUES

AMQ_QUEUES

Queue names, separated by commas. These queues will be automatically created when the broker starts. Also, they will be made accessible as JNDI resources in EAP. These are the default queues needed by KIE Server. If using custom Queues, use the same values here as in the KIE_SERVER_JMS_QUEUE_RESPONSE, KIE_SERVER_JMS_QUEUE_REQUEST, KIE_SERVER_JMS_QUEUE_SIGNAL, KIE_SERVER_JMS_QUEUE_AUDIT and KIE_SERVER_JMS_QUEUE_EXECUTOR parameters.

queue/KIE.SERVER.REQUEST,queue/KIE.SERVER.RESPONSE,queue/KIE.SERVER.EXECUTOR,queue/KIE.SERVER.SIGNAL,queue/KIE.SERVER.AUDIT

False

AMQ_GLOBAL_MAX_SIZE

AMQ_GLOBAL_MAX_SIZE

Specifies the maximum amount of memory that message data can consume. If no value is specified, half of the system’s memory is allocated.

10 gb

False

AMQ_SECRET

 — 

The name of a secret containing AMQ SSL related files.

broker-app-secret

True

AMQ_TRUSTSTORE

AMQ_TRUSTSTORE

The name of the AMQ SSL Trust Store file.

broker.ts

False

AMQ_TRUSTSTORE_PASSWORD

AMQ_TRUSTSTORE_PASSWORD

The password for the AMQ Trust Store.

changeit

False

AMQ_KEYSTORE

AMQ_KEYSTORE

The name of the AMQ keystore file.

broker.ks

False

AMQ_KEYSTORE_PASSWORD

AMQ_KEYSTORE_PASSWORD

The password for the AMQ keystore and certificate.

changeit

False

AMQ_PROTOCOL

AMQ_PROTOCOL

Broker protocols to configure, separated by commas. Allowed values are: openwire, amqp, stomp and mqtt. Only openwire is supported by EAP.

openwire

False

AMQ_BROKER_IMAGESTREAM_NAME

 — 

AMQ Broker Image

amq-broker:7.8

True

AMQ_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat AMQ images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

SSO_URL

SSO_URL

RH-SSO URL

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name

 — 

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.6.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.6.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

${APPLICATION_NAME}-amq-jolokia

8161

amq-jolokia

The broker’s console and Jolokia port.

${APPLICATION_NAME}-amq-amqp

5672

amq-amqp

The broker’s AMQP port.

${APPLICATION_NAME}-amq-amqp-ssl

5671

amq-amqp-ssl

The broker’s AMQP SSL port.

${APPLICATION_NAME}-amq-mqtt

1883

amq-mqtt

The broker’s MQTT port.

${APPLICATION_NAME}-amq-mqtt-ssl

8883

amq-mqtt-ssl

The broker’s MQTT SSL port.

${APPLICATION_NAME}-amq-stomp

61613

amq-stomp

The broker’s STOMP port.

${APPLICATION_NAME}-amq-stomp-ssl

61612

amq-stomp-ssl

The broker’s STOMP SSL port.

${APPLICATION_NAME}-amq-tcp

61616

amq-tcp

The broker’s OpenWire port.

${APPLICATION_NAME}-amq-tcp-ssl

61617

amq-tcp-ssl

The broker’s OpenWire (SSL) port.

${APPLICATION_NAME}-postgresql

5432

 — 

The database server’s port.

15.6.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

${APPLICATION_NAME}-amq-jolokia-console

TLS passthrough

<default>

${APPLICATION_NAME}-amq-tcp-ssl

TLS passthrough

<default>

15.6.2.3. Build Configurations

A buildConfig describes a single build definition and a set of triggers for when a new build should be created. A buildConfig is a REST object, which can be used in a POST to the API server to create a new instance. Refer to the Openshift documentation for more information.

S2I imagelinkBuild outputBuildTriggers and Settings

rhpam-kieserver-rhel8:7.12.0

rhpam-7/rhpam-kieserver-rhel8

${APPLICATION_NAME}-kieserver:latest

GitHub, Generic, ImageChange, ConfigChange

15.6.2.4. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.6.2.4.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-postgresql

ImageChange

${APPLICATION_NAME}-amq

ImageChange

15.6.2.4.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-kieserver

2

${APPLICATION_NAME}-postgresql

1

${APPLICATION_NAME}-amq

1

15.6.2.4.3. Pod Template
15.6.2.4.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

15.6.2.4.3.2. Image
DeploymentImage

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-postgresql

postgresql

${APPLICATION_NAME}-amq

${AMQ_BROKER_IMAGESTREAM_NAME}

15.6.2.4.3.3. Readiness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container

${APPLICATION_NAME}-amq

/bin/bash -c /opt/amq/bin/readinessProbe.sh

15.6.2.4.3.4. Liveness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container --live

15.6.2.4.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql

 — 

5432

TCP

${APPLICATION_NAME}-amq

console-jolokia

8161

TCP

amqp

5672

TCP

amqp-ssl

5671

TCP

mqtt

1883

TCP

mqtt-ssl

8883

TCP

stomp

61613

TCP

stomp-ssl

61612

TCP

artemis

61616

TCP

amq-tcp-ssl

61617

TCP

15.6.2.4.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

 — 

DEVELOPMENT

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

insecure-${APPLICATION_NAME}-kieserver

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository, if set. Default is generated randomly.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

KIE Server PostgreSQL database name

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_JNDI

KIE Server persistence datasource (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DRIVER

 — 

postgresql

KIE_SERVER_PERSISTENCE_DIALECT

 — 

org.hibernate.dialect.PostgreSQLDialect

RHPAM_USERNAME

KIE Server PostgreSQL database user name

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql

RHPAM_SERVICE_PORT

 — 

5432

TIMER_SERVICE_DATA_STORE

 — 

${APPLICATION_NAME}-postgresql

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

KIE_SERVER_EXECUTOR_JMS

Enables the JMS executor, set false to disable it.

${KIE_SERVER_EXECUTOR_JMS}

KIE_SERVER_EXECUTOR_JMS_TRANSACTED

Enable transactions for JMS executor, disabled by default

${KIE_SERVER_EXECUTOR_JMS_TRANSACTED}

KIE_SERVER_JMS_QUEUE_REQUEST

JNDI name of request queue for JMS. The default value is queue/KIE.SERVER.REQUEST

${KIE_SERVER_JMS_QUEUE_REQUEST}

KIE_SERVER_JMS_QUEUE_RESPONSE

JNDI name of response queue for JMS. The default value is queue/KIE.SERVER.RESPONSE

${KIE_SERVER_JMS_QUEUE_RESPONSE}

KIE_SERVER_JMS_QUEUE_EXECUTOR

JNDI name of response queue for JMS. The default value is queue/KIE.SERVER.RESPONSE

${KIE_SERVER_JMS_QUEUE_EXECUTOR}

KIE_SERVER_JMS_ENABLE_SIGNAL

Enable the Signal configuration through JMS

${KIE_SERVER_JMS_ENABLE_SIGNAL}

KIE_SERVER_JMS_QUEUE_SIGNAL

JMS queue for signals

${KIE_SERVER_JMS_QUEUE_SIGNAL}

KIE_SERVER_JMS_ENABLE_AUDIT

Enable the Audit logging through JMS

${KIE_SERVER_JMS_ENABLE_AUDIT}

KIE_SERVER_JMS_QUEUE_AUDIT

JMS queue for audit logging

${KIE_SERVER_JMS_QUEUE_AUDIT}

KIE_SERVER_JMS_AUDIT_TRANSACTED

determines if JMS session is transacted or not - default true.

${KIE_SERVER_JMS_AUDIT_TRANSACTED}

MQ_SERVICE_PREFIX_MAPPING

 — 

${APPLICATION_NAME}-amq7=AMQ

AMQ_USERNAME

User name for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

${AMQ_USERNAME}

AMQ_PASSWORD

Password for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

${AMQ_PASSWORD}

AMQ_PROTOCOL

Broker protocols to configure, separated by commas. Allowed values are: openwire, amqp, stomp and mqtt. Only openwire is supported by EAP.

tcp

AMQ_QUEUES

Queue names, separated by commas. These queues will be automatically created when the broker starts. Also, they will be made accessible as JNDI resources in EAP. These are the default queues needed by KIE Server. If using custom Queues, use the same values here as in the KIE_SERVER_JMS_QUEUE_RESPONSE, KIE_SERVER_JMS_QUEUE_REQUEST, KIE_SERVER_JMS_QUEUE_SIGNAL, KIE_SERVER_JMS_QUEUE_AUDIT and KIE_SERVER_JMS_QUEUE_EXECUTOR parameters.

${AMQ_QUEUES}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate

${KIE_SERVER_HTTPS_PASSWORD}

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. (Sets the property org.kie.server.mgmt.api.disabled to true)

${KIE_SERVER_MGMT_DISABLED}

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql

POSTGRESQL_USER

KIE Server PostgreSQL database user name

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

${APPLICATION_NAME}-amq

AMQ_USER

User name for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

${AMQ_USERNAME}

AMQ_PASSWORD

Password for standard broker user. It is required for connecting to the broker. If left empty, it will be generated.

${AMQ_PASSWORD}

AMQ_ROLE

User role for standard broker user.

${AMQ_ROLE}

AMQ_NAME

 — 

${APPLICATION_NAME}-broker

AMQ_TRANSPORTS

Broker protocols to configure, separated by commas. Allowed values are: openwire, amqp, stomp and mqtt. Only openwire is supported by EAP.

${AMQ_PROTOCOL}

AMQ_QUEUES

Queue names, separated by commas. These queues will be automatically created when the broker starts. Also, they will be made accessible as JNDI resources in EAP. These are the default queues needed by KIE Server. If using custom Queues, use the same values here as in the KIE_SERVER_JMS_QUEUE_RESPONSE, KIE_SERVER_JMS_QUEUE_REQUEST, KIE_SERVER_JMS_QUEUE_SIGNAL, KIE_SERVER_JMS_QUEUE_AUDIT and KIE_SERVER_JMS_QUEUE_EXECUTOR parameters.

${AMQ_QUEUES}

AMQ_GLOBAL_MAX_SIZE

Specifies the maximum amount of memory that message data can consume. If no value is specified, half of the system’s memory is allocated.

${AMQ_GLOBAL_MAX_SIZE}

AMQ_REQUIRE_LOGIN

 — 

true

AMQ_ANYCAST_PREFIX

 — 

 — 

AMQ_MULTICAST_PREFIX

 — 

 — 

AMQ_KEYSTORE_TRUSTSTORE_DIR

 — 

/etc/amq-secret-volume

AMQ_TRUSTSTORE

The name of the AMQ SSL Trust Store file.

${AMQ_TRUSTSTORE}

AMQ_TRUSTSTORE_PASSWORD

The password for the AMQ Trust Store.

${AMQ_TRUSTSTORE_PASSWORD}

AMQ_KEYSTORE

The name of the AMQ keystore file.

${AMQ_KEYSTORE}

AMQ_KEYSTORE_PASSWORD

The password for the AMQ keystore and certificate.

${AMQ_KEYSTORE_PASSWORD}

15.6.2.4.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

${APPLICATION_NAME}-amq

broker-secret-volume

/etc/amq-secret-volume

ssl certs

True

15.6.2.5. External Dependencies

15.6.2.5.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-postgresql-claim

ReadWriteOnce

15.6.2.5.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • kieserver-app-secret
  • broker-app-secret

15.7. rhpam712-kieserver-externaldb.yaml template

Application template for a managed KIE Server with an external database, for Red Hat Process Automation Manager 7.12 - Deprecated

15.7.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_PERSISTENCE_SCHEMA

KIE_SERVER_PERSISTENCE_SCHEMA

Hibernate persistence schema.

bd.schema

False

KIE_SERVER_EXTERNALDB_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server external database Hibernate dialect.

org.hibernate.dialect.MySQL57Dialect

True

KIE_SERVER_EXTERNALDB_SERVICE_HOST

RHPAM_SERVICE_HOST

Sets the datasource service host. Use this if you want to use the predefined mysql or postgresql datasource properties. Leave blank if the KIE_SERVER_EXTERNALDB_URL parameter is set.

10.10.10.1

False

KIE_SERVER_EXTERNALDB_SERVICE_PORT

RHPAM_SERVICE_PORT

Sets the datasource service port. Use this if you want to use the predefined mysql or postgresql datasource properties. Leave blank if the KIE_SERVER_EXTERNALDB_URL parameter is set.

4321

False

KIE_SERVER_EXTERNALDB_NONXA

RHPAM_NONXA

Sets the datasources type. It can be XA or NONXA. For non XA set it to true. Default value is true.

True

False

KIE_SERVER_EXTERNALDB_URL

RHPAM_URL

Sets the datasource jdbc connection url. Note that, if you are using PostgreSQL do not use this field, use the SERVICE_HOST and PORT. If using SERVICE_PORT and HOST there is no need to fill this parameter.

jdbc:mysql://127.0.0.1:3306/rhpam

False

KIE_SERVER_EXTERNALDB_DRIVER

RHPAM_DRIVER

The predefined driver name, available values are mysql, postgresql or the preferred name for the external driver.

mariadb

True

KIE_SERVER_EXTERNALDB_JNDI

KIE_SERVER_PERSISTENCE_DS

Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/ExampleDS.

java:jboss/datasources/jbpmDS

True

KIE_SERVER_EXTERNALDB_DB

RHPAM_DATABASE

KIE Server external database name. Leave blank if the KIE_SERVER_EXTERNALDB_URL is set.

rhpam

False

KIE_SERVER_EXTERNALDB_USER

RHPAM_USERNAME

KIE Server external database user name.

rhpam

True

KIE_SERVER_EXTERNALDB_PWD

RHPAM_PASSWORD

KIE Server external database password.

 — 

True

KIE_SERVER_EXTERNALDB_MIN_POOL_SIZE

RHPAM_MIN_POOL_SIZE

Sets xa-pool/min-pool-size for the configured datasource.

 — 

False

KIE_SERVER_EXTERNALDB_MAX_POOL_SIZE

RHPAM_MAX_POOL_SIZE

Sets xa-pool/max-pool-size for the configured datasource.

 — 

False

KIE_SERVER_EXTERNALDB_CONNECTION_CHECKER

RHPAM_CONNECTION_CHECKER

An org.jboss.jca.adapters.jdbc.ValidConnectionChecker that provides a SQLException isValidConnection(Connection e) method to validate if a connection is valid.

org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker

False

KIE_SERVER_EXTERNALDB_EXCEPTION_SORTER

RHPAM_EXCEPTION_SORTER

An org.jboss.jca.adapters.jdbc.ExceptionSorter that provides a boolean isExceptionFatal(SQLException e) method to validate if an exception should be broadcast to all javax.resource.spi.ConnectionEventListener as a connectionErrorOccurred.

org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter

False

KIE_SERVER_EXTERNALDB_BACKGROUND_VALIDATION

RHPAM_BACKGROUND_VALIDATION

Sets the sql validation method to background-validation, if set to false the validate-on-match method will be used.

true

False

KIE_SERVER_EXTERNALDB_BACKGROUND_VALIDATION_MILLIS

RHPAM_VALIDATION_MILLIS

Defines the interval for the background-validation check for the jdbc connections.

10000

False

KIE_SERVER_EXTERNALDB_DRIVER_TYPE

RHPAM_DRIVER_TYPE

KIE Server external database driver type, applicable only for DB2, possible values are 4 (default) or 2.

4

False

EXTENSIONS_IMAGE

 — 

ImageStreamTag definition for the image containing the drivers and configuration. For example, custom-driver-image:7.12.0.

custom-driver-extension:7.12.0

True

EXTENSIONS_IMAGE_NAMESPACE

 — 

Namespace within which the ImageStream definition for the image containing the drivers and configuration is located.

openshift

True

EXTENSIONS_INSTALL_DIR

 — 

Full path to the directory within the extensions image where the extensions are located (e.g. install.sh, modules/, etc.).

/extensions

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

PRODUCTION

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties).

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering (Sets the org.drools.server.filter.classes system property).

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

30000

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT

False

KIE_SERVER_MGMT_DISABLED

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. Sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

true

False

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.7.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.7.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

15.7.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.7.2.3. Build Configurations

A buildConfig describes a single build definition and a set of triggers for when a new build should be created. A buildConfig is a REST object, which can be used in a POST to the API server to create a new instance. Refer to the Openshift documentation for more information.

S2I imagelinkBuild outputBuildTriggers and Settings

rhpam-kieserver-rhel8:7.12.0

rhpam-7/rhpam-kieserver-rhel8

${APPLICATION_NAME}-kieserver:latest

ImageChange, ImageChange, ConfigChange

15.7.2.4. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.7.2.4.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-kieserver

ImageChange

15.7.2.4.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-kieserver

1

15.7.2.4.3. Pod Template
15.7.2.4.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

15.7.2.4.3.2. Image
DeploymentImage

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

15.7.2.4.3.3. Readiness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

15.7.2.4.3.4. Liveness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

15.7.2.4.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

15.7.2.4.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties).

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering (Sets the org.drools.server.filter.classes system property).

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped. Sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

${KIE_SERVER_MGMT_DISABLED}

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

KIE_SERVER_PERSISTENCE_DS

Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/ExampleDS.

${KIE_SERVER_EXTERNALDB_JNDI}

KIE_SERVER_PERSISTENCE_SCHEMA

Hibernate persistence schema.

${KIE_SERVER_PERSISTENCE_SCHEMA}

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server external database Hibernate dialect.

${KIE_SERVER_EXTERNALDB_DIALECT}

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

KIE Server external database name. Leave blank if the KIE_SERVER_EXTERNALDB_URL is set.

${KIE_SERVER_EXTERNALDB_DB}

RHPAM_SERVICE_HOST

Sets the datasource service host. Use this if you want to use the predefined mysql or postgresql datasource properties. Leave blank if the KIE_SERVER_EXTERNALDB_URL parameter is set.

${KIE_SERVER_EXTERNALDB_SERVICE_HOST}

RHPAM_SERVICE_PORT

Sets the datasource service port. Use this if you want to use the predefined mysql or postgresql datasource properties. Leave blank if the KIE_SERVER_EXTERNALDB_URL parameter is set.

${KIE_SERVER_EXTERNALDB_SERVICE_PORT}

RHPAM_JNDI

Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/ExampleDS.

${KIE_SERVER_EXTERNALDB_JNDI}

RHPAM_DRIVER

The predefined driver name, available values are mysql, postgresql or the preferred name for the external driver.

${KIE_SERVER_EXTERNALDB_DRIVER}

RHPAM_USERNAME

KIE Server external database user name.

${KIE_SERVER_EXTERNALDB_USER}

RHPAM_PASSWORD

KIE Server external database password.

${KIE_SERVER_EXTERNALDB_PWD}

RHPAM_NONXA

Sets the datasources type. It can be XA or NONXA. For non XA set it to true. Default value is true.

${KIE_SERVER_EXTERNALDB_NONXA}

RHPAM_URL

Sets the datasource jdbc connection url. Note that, if you are using PostgreSQL do not use this field, use the SERVICE_HOST and PORT. If using SERVICE_PORT and HOST there is no need to fill this parameter.

${KIE_SERVER_EXTERNALDB_URL}

RHPAM_XA_CONNECTION_PROPERTY_URL

Sets the datasource jdbc connection url. Note that, if you are using PostgreSQL do not use this field, use the SERVICE_HOST and PORT. If using SERVICE_PORT and HOST there is no need to fill this parameter.

${KIE_SERVER_EXTERNALDB_URL}

RHPAM_MIN_POOL_SIZE

Sets xa-pool/min-pool-size for the configured datasource.

${KIE_SERVER_EXTERNALDB_MIN_POOL_SIZE}

RHPAM_MAX_POOL_SIZE

Sets xa-pool/max-pool-size for the configured datasource.

${KIE_SERVER_EXTERNALDB_MAX_POOL_SIZE}

RHPAM_CONNECTION_CHECKER

An org.jboss.jca.adapters.jdbc.ValidConnectionChecker that provides a SQLException isValidConnection(Connection e) method to validate if a connection is valid.

${KIE_SERVER_EXTERNALDB_CONNECTION_CHECKER}

RHPAM_EXCEPTION_SORTER

An org.jboss.jca.adapters.jdbc.ExceptionSorter that provides a boolean isExceptionFatal(SQLException e) method to validate if an exception should be broadcast to all javax.resource.spi.ConnectionEventListener as a connectionErrorOccurred.

${KIE_SERVER_EXTERNALDB_EXCEPTION_SORTER}

RHPAM_BACKGROUND_VALIDATION

Sets the sql validation method to background-validation, if set to false the validate-on-match method will be used.

${KIE_SERVER_EXTERNALDB_BACKGROUND_VALIDATION}

RHPAM_VALIDATION_MILLIS

Defines the interval for the background-validation check for the jdbc connections.

${KIE_SERVER_EXTERNALDB_BACKGROUND_VALIDATION_MILLIS}

RHPAM_DRIVER_TYPE

KIE Server external database driver type, applicable only for DB2, possible values are 4 (default) or 2.

${KIE_SERVER_EXTERNALDB_DRIVER_TYPE}

RHPAM_JTA

 — 

true

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

15.7.2.4.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

15.7.2.5. External Dependencies

15.7.2.5.1. Secrets

This template requires the following secrets to be installed for the application to run.

  • kieserver-app-secret

15.8. rhpam712-kieserver-mysql.yaml template

Application template for a managed KIE Server with a MySQL database, for Red Hat Process Automation Manager 7.12 - Deprecated

15.8.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

MYSQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the MySQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

MYSQL_IMAGE_STREAM_TAG

 — 

The MySQL image version, which is intended to correspond to the MySQL version. Default is "8.0".

8.0

False

KIE_SERVER_MYSQL_USER

RHPAM_USERNAME

KIE Server MySQL database user name.

rhpam

False

KIE_SERVER_MYSQL_PWD

RHPAM_PASSWORD

KIE Server MySQL database password.

 — 

False

KIE_SERVER_MYSQL_DB

RHPAM_DATABASE

KIE Server MySQL database name.

rhpam7

False

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_MYSQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server MySQL Hibernate dialect.

org.hibernate.dialect.MySQL8Dialect

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

PRODUCTION

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

30000

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT

False

KIE_SERVER_MGMT_DISABLED

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

true

False

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.8.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.8.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

${APPLICATION_NAME}-mysql

3306

 — 

The database server’s port.

15.8.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.8.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.8.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-mysql

ImageChange

15.8.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-kieserver

1

${APPLICATION_NAME}-mysql

1

15.8.2.3.3. Pod Template
15.8.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

15.8.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-mysql

mysql

15.8.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-mysql

/bin/sh -i -c MYSQL_PWD="$MYSQL_PASSWORD" mysql -h 127.0.0.1 -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'

15.8.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-mysql

tcpSocket on port 3306

15.8.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-mysql

 — 

3306

TCP

15.8.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

${KIE_SERVER_MGMT_DISABLED}

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_CONNECTION_CHECKER

 — 

org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker

RHPAM_EXCEPTION_SORTER

 — 

org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter

RHPAM_DATABASE

KIE Server MySQL database name.

${KIE_SERVER_MYSQL_DB}

RHPAM_DRIVER

 — 

mariadb

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server MySQL Hibernate dialect.

${KIE_SERVER_MYSQL_DIALECT}

RHPAM_USERNAME

KIE Server MySQL database user name.

${KIE_SERVER_MYSQL_USER}

RHPAM_PASSWORD

KIE Server MySQL database password.

${KIE_SERVER_MYSQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-mysql

RHPAM_SERVICE_PORT

 — 

3306

RHPAM_JTA

 — 

true

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-mysql

MYSQL_USER

KIE Server MySQL database user name.

${KIE_SERVER_MYSQL_USER}

MYSQL_PASSWORD

KIE Server MySQL database password.

${KIE_SERVER_MYSQL_PWD}

MYSQL_DATABASE

KIE Server MySQL database name.

${KIE_SERVER_MYSQL_DB}

MYSQL_DEFAULT_AUTHENTICATION_PLUGIN

 — 

mysql_native_password

15.8.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-mysql

${APPLICATION_NAME}-mysql-pvol

/var/lib/mysql/data

mysql

false

15.8.2.4. External Dependencies

15.8.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-mysql-claim

ReadWriteOnce

15.8.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • kieserver-app-secret

15.9. rhpam712-kieserver-postgresql.yaml template

Application template for a managed KIE Server with a PostgreSQL database, for Red Hat Process Automation Manager 7.12 - Deprecated

15.9.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

False

MAVEN_REPO_USERNAME

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentr

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

KIE_SERVER_POSTGRESQL_USER

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

rhpam

False

KIE_SERVER_POSTGRESQL_PWD

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

 — 

False

KIE_SERVER_POSTGRESQL_DB

RHPAM_DATABASE

KIE Server PostgreSQL database name.

rhpam7

False

POSTGRESQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the PostgreSQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

POSTGRESQL_IMAGE_STREAM_TAG

 — 

The PostgreSQL image version, which is intended to correspond to the PostgreSQL version. Default is "10".

10

False

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

100

True

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_POSTGRESQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

org.hibernate.dialect.PostgreSQLDialect

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

PRODUCTION

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

30000

False

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT

False

KIE_SERVER_MGMT_DISABLED

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

true

False

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.9.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.9.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports.

8443

https

${APPLICATION_NAME}-postgresql

5432

 — 

The database server’s port.

15.9.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.9.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.9.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-postgresql

ImageChange

15.9.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-kieserver

1

${APPLICATION_NAME}-postgresql

1

15.9.2.3.3. Pod Template
15.9.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver

15.9.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-postgresql

postgresql

15.9.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container

15.9.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container --live

15.9.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql

 — 

5432

TCP

15.9.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver

KIE_SERVER_CONTAINER_DEPLOYMENT

KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2

${KIE_SERVER_CONTAINER_DEPLOYMENT}

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_MGMT_DISABLED

Disable management api and don’t allow KIE containers to be deployed/undeployed or started/stopped sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy.

${KIE_SERVER_MGMT_DISABLED}

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_DRIVER

 — 

postgresql

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql

RHPAM_SERVICE_PORT

 — 

5432

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

${KIE_SERVER_POSTGRESQL_DIALECT}

RHPAM_JTA

 — 

true

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_CONNECTION_CHECKER

 — 

org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker

RHPAM_EXCEPTION_SORTER

 — 

org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer database data-store service.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql

POSTGRESQL_USER

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

15.9.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

15.9.2.4. External Dependencies

15.9.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-postgresql-claim

ReadWriteOnce

15.9.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • kieserver-app-secret

15.10. rhpam712-managed.yaml template

Application template for a managed HA production runtime environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.10.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

True

MAVEN_REPO_USERNAME

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_SERVICE

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

myapp-rhpamcentrmon

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

false

False

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

true

False

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

5000

False

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

KIE_SERVER_CONTROLLER_TOKEN

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

 — 

False

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

POSTGRESQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the PostgreSQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

POSTGRESQL_IMAGE_STREAM_TAG

 — 

The PostgreSQL image version, which is intended to correspond to the PostgreSQL version. Default is "10".

10

False

KIE_SERVER_POSTGRESQL_USER

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

rhpam

False

KIE_SERVER_POSTGRESQL_PWD

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

 — 

False

KIE_SERVER_POSTGRESQL_DB

RHPAM_DATABASE

KIE Server PostgreSQL database name.

rhpam7

False

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

100

True

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_POSTGRESQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

org.hibernate.dialect.PostgreSQLDialect

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

PRODUCTION

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for Business Central.

businesscentral-app-secret

True

BUSINESS_CENTRAL_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

BUSINESS_CENTRAL_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

BUSINESS_CENTRAL_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for KIE Server.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

30000

False

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Monitoring Container memory limit.

2Gi

True

BUSINESS_CENTRAL_MEMORY_REQUEST

 — 

Business Central Monitoring Container memory request.

1536Mi

True

BUSINESS_CENTRAL_CPU_LIMIT

 — 

Business Central Monitoring Container CPU limit.

1

True

BUSINESS_CENTRAL_CPU_REQUEST

 — 

Business Central Monitoring Container CPU request.

750m

True

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

BUSINESS_CENTRAL_MONITORING_CONTAINER_REPLICAS

 — 

Business Central Monitoring Container Replicas, will define how much Business Central Monitoring containers will be started.

3

True

KIE_SERVER_CONTAINER_REPLICAS

 — 

KIE Server Container Replicas, will define how much KIE Server containers will be started.

3

True

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER_SSO_CLIENT

SSO_CLIENT

KIE Server RH-SSO Client name.

 — 

False

KIE_SERVER_SSO_SECRET

SSO_SECRET

KIE Server RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.10.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.10.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentrmon

8080

http

All the Business Central Monitoring web server’s ports.

8443

https

${APPLICATION_NAME}-kieserver

8080

http

All the KIE Server web server’s ports. (First KIE Server)

8443

https

${APPLICATION_NAME}-postgresql

5432

 — 

The first database server’s port.

15.10.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

insecure-${APPLICATION_NAME}-rhpamcentrmon-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

${APPLICATION_NAME}-rhpamcentrmon-https

TLS passthrough

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

insecure-${APPLICATION_NAME}-kieserver-http

none

${KIE_SERVER_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-https

TLS passthrough

${KIE_SERVER_HOSTNAME_HTTPS}

15.10.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.10.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentrmon

ImageChange

${APPLICATION_NAME}-kieserver

ImageChange

${APPLICATION_NAME}-postgresql

ImageChange

15.10.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentrmon

3

${APPLICATION_NAME}-kieserver

3

${APPLICATION_NAME}-postgresql

1

15.10.2.3.3. Pod Template
15.10.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-rhpamcentrmon

${APPLICATION_NAME}-rhpamsvc

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-rhpamsvc

15.10.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentrmon

rhpam-businesscentral-monitoring-rhel8

${APPLICATION_NAME}-kieserver

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-postgresql

postgresql

15.10.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/ready

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container

15.10.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/healthy

${APPLICATION_NAME}-kieserver

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql

/usr/libexec/check-container --live

15.10.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentrmon

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-kieserver

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql

 — 

5432

TCP

15.10.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentrmon

APPLICATION_USERS_PROPERTIES

 — 

/opt/kie/data/configuration/application-users.properties

APPLICATION_ROLES_PROPERTIES

 — 

/opt/kie/data/configuration/application-roles.properties

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_CONTROLLER_OPENSHIFT_ENABLED

 — 

true

KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED

If set to true, turns on KIE Server global discovery feature (Sets the org.kie.server.controller.openshift.global.discovery.enabled system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_GLOBAL_DISCOVERY_ENABLED}

KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE

If OpenShift integration of Business Central is turned on, setting this parameter to true enables connection to KIE Server via an OpenShift internal Service endpoint. (Sets the org.kie.server.controller.openshift.prefer.kieserver.service system property)

${KIE_SERVER_CONTROLLER_OPENSHIFT_PREFER_KIESERVER_SERVICE}

KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL

KIE ServerTemplate Cache TTL in milliseconds. (Sets the org.kie.server.controller.template.cache.ttl system property)

${KIE_SERVER_CONTROLLER_TEMPLATE_CACHE_TTL}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

HTTPS_KEYSTORE_DIR

 — 

/etc/businesscentral-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${BUSINESS_CENTRAL_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${BUSINESS_CENTRAL_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${BUSINESS_CENTRAL_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.rhpamcentrmon

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-kieserver

WORKBENCH_SERVICE_NAME

 — 

${APPLICATION_NAME}-rhpamcentrmon

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_ID

 — 

 — 

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver

KIE_SERVER_STARTUP_STRATEGY

 — 

OpenShiftStartupStrategy

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.

${BUSINESS_CENTRAL_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

RHPAMCENTR_MAVEN_REPO_USERNAME

 — 

Set according to the credentials secret

RHPAMCENTR_MAVEN_REPO_PASSWORD

 — 

Set according to the credentials secret

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_DRIVER

 — 

postgresql

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

${KIE_SERVER_POSTGRESQL_DIALECT}

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql

RHPAM_SERVICE_PORT

 — 

5432

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server RH-SSO Client Secret.

${KIE_SERVER_SSO_SECRET}

SSO_CLIENT

KIE Server RH-SSO Client name.

${KIE_SERVER_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql

POSTGRESQL_USER

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

15.10.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-rhpamcentrmon

businesscentral-keystore-volume

/etc/businesscentral-secret-volume

ssl certs

True

${APPLICATION_NAME}-kieserver

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

15.10.2.4. External Dependencies

15.10.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-postgresql-claim

ReadWriteOnce

${APPLICATION_NAME}-rhpamcentr-claim

ReadWriteMany

15.10.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • businesscentral-app-secret
  • kieserver-app-secret

15.11. rhpam712-prod.yaml template

Application template for a managed HA production runtime environment, for Red Hat Process Automation Manager 7.12 - Deprecated

15.11.1. Parameters

Templates allow you to define parameters that take on a value. That value is then substituted wherever the parameter is referenced. References can be defined in any text field in the objects list field. See the Openshift documentation for more information.

Variable nameImage Environment VariableDescriptionExample valueRequired

APPLICATION_NAME

 — 

The name for the application.

myapp

True

MAVEN_MIRROR_URL

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

 — 

False

MAVEN_MIRROR_OF

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

external:*

False

MAVEN_REPO_ID

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

repo-custom

False

MAVEN_REPO_URL

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/

True

MAVEN_REPO_USERNAME

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

 — 

False

MAVEN_REPO_PASSWORD

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

 — 

False

BUSINESS_CENTRAL_MAVEN_SERVICE

RHPAMCENTR_MAVEN_REPO_SERVICE

The service name for the optional Business Central, where it can be reached, to allow service lookups (for maven repo usage), if required.

myapp-rhpamcentr

False

CREDENTIALS_SECRET

 — 

Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values

rhpam-credentials

True

IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

True

KIE_SERVER_IMAGE_STREAM_NAME

 — 

The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".

rhpam-kieserver-rhel8

True

IMAGE_STREAM_TAG

 — 

A named pointer to an image in an image stream. Default is "7.12.0".

7.12.0

True

SMART_ROUTER_HOSTNAME_HTTP

 — 

Custom hostname for http service route. Leave blank for default hostname, e.g. <application-name>-smartrouter-<project>.<default-domain-suffix>'

 — 

False

SMART_ROUTER_HOSTNAME_HTTPS

 — 

Custom hostname for https service route. Leave blank for default hostname, e.g. secure-<application-name>-smartrouter-<project>.<default-domain-suffix>'

 — 

False

KIE_SERVER_ROUTER_ID

KIE_SERVER_ROUTER_ID

Router ID used when connecting to the controller. (router property org.kie.server.router.id)

kie-server-router

True

KIE_SERVER_ROUTER_PROTOCOL

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

http

False

KIE_SERVER_ROUTER_URL_EXTERNAL

KIE_SERVER_ROUTER_URL_EXTERNAL

Public URL where the router can be found. Format http://<host>:<port> (router property org.kie.server.router.url.external)

 — 

False

KIE_SERVER_ROUTER_NAME

KIE_SERVER_ROUTER_NAME

Router name used when connecting to the controller. (router property org.kie.server.router.name)

KIE Server Router

True

KIE_SERVER_CONTROLLER_TOKEN

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

 — 

False

KIE_SERVER_PERSISTENCE_DS

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

java:/jboss/datasources/rhpam

False

POSTGRESQL_IMAGE_STREAM_NAMESPACE

 — 

Namespace in which the ImageStream for the PostgreSQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".

openshift

False

POSTGRESQL_IMAGE_STREAM_TAG

 — 

The PostgreSQL image version, which is intended to correspond to the PostgreSQL version. Default is "10".

10

False

KIE_SERVER_POSTGRESQL_USER

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

rhpam

False

KIE_SERVER_POSTGRESQL_PWD

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

 — 

False

KIE_SERVER_POSTGRESQL_DB

RHPAM_DATABASE

KIE Server PostgreSQL database name.

rhpam7

False

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

100

True

DB_VOLUME_CAPACITY

 — 

Size of persistent storage for the database volume.

1Gi

True

KIE_SERVER_POSTGRESQL_DIALECT

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

org.hibernate.dialect.PostgreSQLDialect

True

KIE_SERVER_MODE

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

PRODUCTION

False

KIE_MBEANS

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

enabled

False

DROOLS_SERVER_FILTER_CLASSES

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

true

False

PROMETHEUS_SERVER_EXT_DISABLED

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

false

False

BUSINESS_CENTRAL_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

BUSINESS_CENTRAL_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER1_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER1_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER1_USE_SECURE_ROUTE_NAME

KIE_SERVER_USE_SECURE_ROUTE_NAME

If true, the KIE Server will use secure-<application-name>-kieserver vs. <application-name>-kieserver as the KIE Server route endpoint for Business Central to report. Therefore, Business Central displays the secure link to the user.

false

False

KIE_SERVER2_HOSTNAME_HTTP

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER2_HOSTNAME_HTTPS

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-kieserver-<project>.<default-domain-suffix>

 — 

False

KIE_SERVER2_USE_SECURE_ROUTE_NAME

KIE_SERVER_USE_SECURE_ROUTE_NAME

If true, will use secure-APPLICATION_NAME-kieserver-2 vs. APPLICATION_NAME-kieserver-2 as the route name.

false

False

BUSINESS_CENTRAL_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for Business Central.

businesscentral-app-secret

True

BUSINESS_CENTRAL_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

BUSINESS_CENTRAL_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

BUSINESS_CENTRAL_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_ROUTER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for Smart Router.

smartrouter-app-secret

True

KIE_SERVER_ROUTER_HTTPS_KEYSTORE

 — 

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_ROUTER_HTTPS_NAME

KIE_SERVER_ROUTER_TLS_KEYSTORE_KEYALIAS

The name associated with the server certificate.

jboss

False

KIE_SERVER_ROUTER_HTTPS_PASSWORD

KIE_SERVER_ROUTER_TLS_KEYSTORE_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_HTTPS_SECRET

 — 

The name of the secret containing the keystore file for KIE Server.

kieserver-app-secret

True

KIE_SERVER_HTTPS_KEYSTORE

HTTPS_KEYSTORE

The name of the keystore file within the secret.

keystore.jks

False

KIE_SERVER_HTTPS_NAME

HTTPS_NAME

The name associated with the server certificate.

jboss

False

KIE_SERVER_HTTPS_PASSWORD

HTTPS_PASSWORD

The password for the keystore and certificate.

mykeystorepass

False

KIE_SERVER_BYPASS_AUTH_USER

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

false

False

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

30000

False

BUSINESS_CENTRAL_MEMORY_LIMIT

 — 

Business Central Monitoring Container memory limit.

2Gi

True

BUSINESS_CENTRAL_MEMORY_REQUEST

 — 

Business Central Monitoring Container memory request.

1536Mi

True

BUSINESS_CENTRAL_CPU_LIMIT

 — 

Business Central Monitoring Container CPU limit.

1

True

BUSINESS_CENTRAL_CPU_REQUEST

 — 

Business Central Monitoring Container CPU request.

750m

True

KIE_SERVER_MEMORY_LIMIT

 — 

KIE Server Container memory limit.

2Gi

True

KIE_SERVER_MEMORY_REQUEST

 — 

KIE Server Container memory request.

1536Mi

True

KIE_SERVER_CPU_LIMIT

 — 

KIE Server Container CPU limit.

1

True

KIE_SERVER_CPU_REQUEST

 — 

KIE Server Container CPU request.

750m

True

SMART_ROUTER_MEMORY_LIMIT

 — 

Smart Router Container memory limit

512Mi

False

BUSINESS_CENTRAL_MONITORING_CONTAINER_REPLICAS

 — 

Business Central Monitoring Container Replicas, defines how many Business Central Monitoring containers will be started.

3

True

SMART_ROUTER_CONTAINER_REPLICAS

 — 

Smart Router Container Replicas, defines how many smart router containers will be started.

2

True

KIE_SERVER_CONTAINER_REPLICAS

 — 

KIE Server Container Replicas, defines how many KIE Server containers will be started.

3

True

SSO_URL

SSO_URL

RH-SSO URL.

https://rh-sso.example.com/auth

False

SSO_REALM

SSO_REALM

RH-SSO Realm name.

 — 

False

BUSINESS_CENTRAL_SSO_CLIENT

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

 — 

False

BUSINESS_CENTRAL_SSO_SECRET

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER1_SSO_CLIENT

SSO_CLIENT

KIE Server 1 RH-SSO Client name.

 — 

False

KIE_SERVER1_SSO_SECRET

SSO_SECRET

KIE Server 1 RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

KIE_SERVER2_SSO_CLIENT

SSO_CLIENT

KIE Server 2 RH-SSO Client name.

 — 

False

KIE_SERVER2_SSO_SECRET

SSO_SECRET

KIE Server 2 RH-SSO Client Secret.

252793ed-7118-4ca8-8dab-5622fa97d892

False

SSO_USERNAME

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

 — 

False

SSO_PASSWORD

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

 — 

False

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

false

False

SSO_PRINCIPAL_ATTRIBUTE

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

preferred_username

False

AUTH_LDAP_URL

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

ldap://myldap.example.com:389

False

AUTH_LDAP_LOGIN_MODULE

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

optional

False

AUTH_LDAP_LOGIN_FAILOVER

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

true

False

AUTH_LDAP_BIND_DN

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

uid=admin,ou=users,ou=example,ou=com

False

AUTH_LDAP_BIND_CREDENTIAL

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

Password

False

AUTH_LDAP_BASE_CTX_DN

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

ou=users,ou=example,ou=com

False

AUTH_LDAP_BASE_FILTER

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

(uid={0})

False

AUTH_LDAP_RECURSIVE_SEARCH

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

true

False

AUTH_LDAP_SEARCH_TIME_LIMIT

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

10000

False

AUTH_LDAP_ROLE_ATTRIBUTE_ID

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

memberOf

False

AUTH_LDAP_ROLES_CTX_DN

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

ou=groups,ou=example,ou=com

False

AUTH_LDAP_ROLE_FILTER

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

(memberOf={1})

False

AUTH_LDAP_ROLE_RECURSION

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

1

False

AUTH_LDAP_DEFAULT_ROLE

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

user

False

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

sn=BlankSurname;cn=BlankCommonName

False

AUTH_LDAP_REFERRAL_MODE

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

 — 

False

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

role=role1,role3,role4;role7=role,admin

False

AUTH_LDAP_MAPPER_KEEP_MAPPED

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

 — 

False

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

 — 

False

15.11.2. Objects

The CLI supports various object types. A list of these object types as well as their abbreviations can be found in the Openshift documentation.

15.11.2.1. Services

A service is an abstraction which defines a logical set of pods and a policy by which to access them. See the container-engine documentation for more information.

ServicePortNameDescription

${APPLICATION_NAME}-rhpamcentrmon

8080

http

All the Business Central Monitoring web server’s ports.

8443

https

${APPLICATION_NAME}-smartrouter

9000

http

The smart router server http and https ports.

9443

https

${APPLICATION_NAME}-kieserver-1

8080

http

All the KIE Server web server’s ports. (First KIE Server)

8443

https

${APPLICATION_NAME}-kieserver-2

8080

http

All the KIE Server web server’s ports. (Second KIE Server)

8443

https

${APPLICATION_NAME}-postgresql-1

5432

 — 

The first database server’s port.

${APPLICATION_NAME}-postgresql-2

5432

 — 

The second database server’s port.

15.11.2.2. Routes

A route is a way to expose a service by giving it an externally reachable hostname such as www.example.com. A defined route and the endpoints identified by its service can be consumed by a router to provide named connectivity from external clients to your applications. Each route consists of a route name, service selector, and (optionally) security configuration. See the Openshift documentation for more information.

ServiceSecurityHostname

${APPLICATION_NAME}-rhpamcentrmon-http

none

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

${APPLICATION_NAME}-rhpamcentrmon-https

TLS passthrough

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

${APPLICATION_NAME}-kieserver-1-http

none

${KIE_SERVER1_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-1-https

TLS passthrough

${KIE_SERVER1_HOSTNAME_HTTPS}

${APPLICATION_NAME}-kieserver-2-http

none

${KIE_SERVER2_HOSTNAME_HTTP}

${APPLICATION_NAME}-kieserver-2-https

TLS passthrough

${KIE_SERVER2_HOSTNAME_HTTPS}

${APPLICATION_NAME}-smartrouter-http

none

${SMART_ROUTER_HOSTNAME_HTTP}

${APPLICATION_NAME}-smartrouter-https

TLS passthrough

${SMART_ROUTER_HOSTNAME_HTTPS}

15.11.2.3. Deployment Configurations

A deployment in OpenShift is a replication controller based on a user-defined template called a deployment configuration. Deployments are created manually or in response to triggered events. See the Openshift documentation for more information.

15.11.2.3.1. Triggers

A trigger drives the creation of new deployments in response to events, both inside and outside OpenShift. See the Openshift documentation for more information.

DeploymentTriggers

${APPLICATION_NAME}-rhpamcentrmon

ImageChange

${APPLICATION_NAME}-smartrouter

ImageChange

${APPLICATION_NAME}-kieserver-1

ImageChange

${APPLICATION_NAME}-postgresql-1

ImageChange

${APPLICATION_NAME}-kieserver-2

ImageChange

${APPLICATION_NAME}-postgresql-2

ImageChange

15.11.2.3.2. Replicas

A replication controller ensures that a specified number of pod "replicas" are running at any one time. If there are too many, the replication controller kills some pods. If there are too few, it starts more. See the container-engine documentation for more information.

DeploymentReplicas

${APPLICATION_NAME}-rhpamcentrmon

3

${APPLICATION_NAME}-smartrouter

2

${APPLICATION_NAME}-kieserver-1

3

${APPLICATION_NAME}-postgresql-1

1

${APPLICATION_NAME}-kieserver-2

3

${APPLICATION_NAME}-postgresql-2

1

15.11.2.3.3. Pod Template
15.11.2.3.3.1. Service Accounts

Service accounts are API objects that exist within each project. They can be created or deleted like any other API object. See the Openshift documentation for more information.

DeploymentService Account

${APPLICATION_NAME}-smartrouter

${APPLICATION_NAME}-smartrouter

${APPLICATION_NAME}-kieserver-1

${APPLICATION_NAME}-kieserver

${APPLICATION_NAME}-kieserver-2

${APPLICATION_NAME}-kieserver

15.11.2.3.3.2. Image
DeploymentImage

${APPLICATION_NAME}-rhpamcentrmon

rhpam-businesscentral-monitoring-rhel8

${APPLICATION_NAME}-smartrouter

rhpam-smartrouter-rhel8

${APPLICATION_NAME}-kieserver-1

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-postgresql-1

postgresql

${APPLICATION_NAME}-kieserver-2

${KIE_SERVER_IMAGE_STREAM_NAME}

${APPLICATION_NAME}-postgresql-2

postgresql

15.11.2.3.3.3. Readiness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/ready

${APPLICATION_NAME}-kieserver-1

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql-1

/usr/libexec/check-container

${APPLICATION_NAME}-kieserver-2

Http Get on http://localhost:8080/services/rest/server/readycheck

${APPLICATION_NAME}-postgresql-2

/usr/libexec/check-container

15.11.2.3.3.4. Liveness Probe

${APPLICATION_NAME}-rhpamcentrmon

Http Get on http://localhost:8080/rest/healthy

${APPLICATION_NAME}-kieserver-1

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql-1

/usr/libexec/check-container --live

${APPLICATION_NAME}-kieserver-2

Http Get on http://localhost:8080/services/rest/server/healthcheck

${APPLICATION_NAME}-postgresql-2

/usr/libexec/check-container --live

15.11.2.3.3.5. Exposed Ports
DeploymentsNamePortProtocol

${APPLICATION_NAME}-rhpamcentrmon

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-smartrouter

http

9000

TCP

${APPLICATION_NAME}-kieserver-1

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql-1

 — 

5432

TCP

${APPLICATION_NAME}-kieserver-2

jolokia

8778

TCP

http

8080

TCP

https

8443

TCP

${APPLICATION_NAME}-postgresql-2

 — 

5432

TCP

15.11.2.3.3.6. Image Environment Variables
DeploymentVariable nameDescriptionExample value

${APPLICATION_NAME}-rhpamcentrmon

APPLICATION_USERS_PROPERTIES

 — 

/opt/kie/data/configuration/application-users.properties

APPLICATION_ROLES_PROPERTIES

 — 

/opt/kie/data/configuration/application-roles.properties

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

HTTPS_KEYSTORE_DIR

 — 

/etc/businesscentral-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${BUSINESS_CENTRAL_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${BUSINESS_CENTRAL_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${BUSINESS_CENTRAL_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.rhpamcentrmon

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

Business Central Monitoring RH-SSO Client Secret.

${BUSINESS_CENTRAL_SSO_SECRET}

SSO_CLIENT

Business Central Monitoring RH-SSO Client name.

${BUSINESS_CENTRAL_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-rhpamcentrmon-<project>.<default-domain-suffix>

${BUSINESS_CENTRAL_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-smartrouter

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_ROUTER_HOST

 — 

 — 

KIE_SERVER_ROUTER_PORT

 — 

9000

KIE_SERVER_ROUTER_PORT_TLS

 — 

9443

KIE_SERVER_ROUTER_URL_EXTERNAL

Public URL where the router can be found. Format http://<host>:<port> (router property org.kie.server.router.url.external)

${KIE_SERVER_ROUTER_URL_EXTERNAL}

KIE_SERVER_ROUTER_ID

Router ID used when connecting to the controller. (router property org.kie.server.router.id)

${KIE_SERVER_ROUTER_ID}

KIE_SERVER_ROUTER_NAME

Router name used when connecting to the controller. (router property org.kie.server.router.name)

${KIE_SERVER_ROUTER_NAME}

KIE_SERVER_ROUTER_ROUTE_NAME

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

${KIE_SERVER_ROUTER_PROTOCOL}

KIE_SERVER_ROUTER_TLS_KEYSTORE_KEYALIAS

The name associated with the server certificate.

${KIE_SERVER_ROUTER_HTTPS_NAME}

KIE_SERVER_ROUTER_TLS_KEYSTORE_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_ROUTER_HTTPS_PASSWORD}

KIE_SERVER_ROUTER_TLS_KEYSTORE

 — 

/etc/smartrouter-secret-volume/${KIE_SERVER_ROUTER_HTTPS_KEYSTORE}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentrmon

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

http

KIE_SERVER_ROUTER_REPO

 — 

/opt/rhpam-smartrouter/data

KIE_SERVER_ROUTER_CONFIG_WATCHER_ENABLED

 — 

true

${APPLICATION_NAME}-kieserver-1

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentrmon

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

ws

KIE_SERVER_ID

 — 

${APPLICATION_NAME}-kieserver-1

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver-1

KIE_SERVER_USE_SECURE_ROUTE_NAME

If true, the KIE Server will use secure-<application-name>-kieserver vs. <application-name>-kieserver as the KIE Server route endpoint for Business Central to report. Therefore, Business Central displays the secure link to the user.

${KIE_SERVER1_USE_SECURE_ROUTE_NAME}

KIE_SERVER_CONTAINER_DEPLOYMENT

 — 

 

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The service name for the optional Business Central, where it can be reached, to allow service lookups (for maven repo usage), if required.

${BUSINESS_CENTRAL_MAVEN_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_PORT

 — 

9000

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

${KIE_SERVER_ROUTER_PROTOCOL}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_DRIVER

 — 

postgresql

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

${KIE_SERVER_POSTGRESQL_DIALECT}

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql-1

RHPAM_SERVICE_PORT

 — 

5432

TIMER_SERVICE_DATA_STORE

 — 

${APPLICATION_NAME}-postgresql-1

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server 1 RH-SSO Client Secret.

${KIE_SERVER1_SSO_SECRET}

SSO_CLIENT

KIE Server 1 RH-SSO Client name.

${KIE_SERVER1_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER1_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER1_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql-1

POSTGRESQL_USER

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

${APPLICATION_NAME}-kieserver-2

KIE_ADMIN_USER

Admin user name

Set according to the credentials secret

KIE_ADMIN_PWD

Admin user password

Set according to the credentials secret

KIE_SERVER_MODE

The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property).

${KIE_SERVER_MODE}

KIE_MBEANS

KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)

${KIE_MBEANS}

DROOLS_SERVER_FILTER_CLASSES

KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)

${DROOLS_SERVER_FILTER_CLASSES}

PROMETHEUS_SERVER_EXT_DISABLED

If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)

${PROMETHEUS_SERVER_EXT_DISABLED}

KIE_SERVER_BYPASS_AUTH_USER

Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)

${KIE_SERVER_BYPASS_AUTH_USER}

KIE_SERVER_CONTROLLER_TOKEN

KIE Server controller token for bearer authentication. (Sets the org.kie.server.controller.token system property)

${KIE_SERVER_CONTROLLER_TOKEN}

KIE_SERVER_CONTROLLER_SERVICE

 — 

${APPLICATION_NAME}-rhpamcentrmon

KIE_SERVER_CONTROLLER_PROTOCOL

 — 

ws

KIE_SERVER_ID

 — 

${APPLICATION_NAME}-kieserver-2

KIE_SERVER_ROUTE_NAME

 — 

${APPLICATION_NAME}-kieserver-2

KIE_SERVER_USE_SECURE_ROUTE_NAME

If true, will use secure-APPLICATION_NAME-kieserver-2 vs. APPLICATION_NAME-kieserver-2 as the route name.

${KIE_SERVER2_USE_SECURE_ROUTE_NAME}

KIE_SERVER_CONTAINER_DEPLOYMENT

 — 

 

MAVEN_MIRROR_URL

Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.

${MAVEN_MIRROR_URL}

MAVEN_MIRROR_OF

Maven mirror configuration for KIE Server.

${MAVEN_MIRROR_OF}

MAVEN_REPOS

 — 

RHPAMCENTR,EXTERNAL

RHPAMCENTR_MAVEN_REPO_ID

 — 

repo-rhpamcentr

RHPAMCENTR_MAVEN_REPO_SERVICE

The service name for the optional Business Central, where it can be reached, to allow service lookups (for maven repo usage), if required.

${BUSINESS_CENTRAL_MAVEN_SERVICE}

RHPAMCENTR_MAVEN_REPO_PATH

 — 

/maven2/

EXTERNAL_MAVEN_REPO_ID

The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won’t be usable in MAVEN_MIRROR_OF.

${MAVEN_REPO_ID}

EXTERNAL_MAVEN_REPO_URL

Fully qualified URL to a Maven repository or service.

${MAVEN_REPO_URL}

EXTERNAL_MAVEN_REPO_USERNAME

User name for accessing the Maven repository, if required.

${MAVEN_REPO_USERNAME}

EXTERNAL_MAVEN_REPO_PASSWORD

Password to access the Maven repository, if required.

${MAVEN_REPO_PASSWORD}

KIE_SERVER_ROUTER_SERVICE

 — 

${APPLICATION_NAME}-smartrouter

KIE_SERVER_ROUTER_PORT

 — 

9000

KIE_SERVER_ROUTER_PROTOCOL

KIE Server router protocol. (Used to build the org.kie.server.router.url.external property)

${KIE_SERVER_ROUTER_PROTOCOL}

KIE_SERVER_PERSISTENCE_DS

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

DATASOURCES

 — 

RHPAM

RHPAM_JNDI

KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)

${KIE_SERVER_PERSISTENCE_DS}

RHPAM_JTA

 — 

true

RHPAM_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

RHPAM_DRIVER

 — 

postgresql

KIE_SERVER_PERSISTENCE_DIALECT

KIE Server PostgreSQL Hibernate dialect.

${KIE_SERVER_POSTGRESQL_DIALECT}

RHPAM_USERNAME

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

RHPAM_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

RHPAM_SERVICE_HOST

 — 

${APPLICATION_NAME}-postgresql-2

RHPAM_SERVICE_PORT

 — 

5432

TIMER_SERVICE_DATA_STORE

 — 

${APPLICATION_NAME}-postgresql-2

TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL

Sets refresh-interval for the EJB timer service database-data-store.

${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}

HTTPS_KEYSTORE_DIR

 — 

/etc/kieserver-secret-volume

HTTPS_KEYSTORE

The name of the keystore file within the secret.

${KIE_SERVER_HTTPS_KEYSTORE}

HTTPS_NAME

The name associated with the server certificate.

${KIE_SERVER_HTTPS_NAME}

HTTPS_PASSWORD

The password for the keystore and certificate.

${KIE_SERVER_HTTPS_PASSWORD}

JGROUPS_PING_PROTOCOL

 — 

kubernetes.KUBE_PING

KUBERNETES_NAMESPACE

 — 

 — 

KUBERNETES_LABELS

 — 

cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver

SSO_URL

RH-SSO URL.

${SSO_URL}

SSO_OPENIDCONNECT_DEPLOYMENTS

 — 

ROOT.war

SSO_REALM

RH-SSO Realm name.

${SSO_REALM}

SSO_SECRET

KIE Server 2 RH-SSO Client Secret.

${KIE_SERVER2_SSO_SECRET}

SSO_CLIENT

KIE Server 2 RH-SSO Client name.

${KIE_SERVER2_SSO_CLIENT}

SSO_USERNAME

RH-SSO Realm admin user name for creating the Client if it doesn’t exist.

${SSO_USERNAME}

SSO_PASSWORD

RH-SSO Realm Admin Password used to create the Client.

${SSO_PASSWORD}

SSO_DISABLE_SSL_CERTIFICATE_VALIDATION

RH-SSO Disable SSL Certificate Validation.

${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}

SSO_PRINCIPAL_ATTRIBUTE

RH-SSO Principal Attribute to use as user name.

${SSO_PRINCIPAL_ATTRIBUTE}

HOSTNAME_HTTP

Custom hostname for http service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER2_HOSTNAME_HTTP}

HOSTNAME_HTTPS

Custom hostname for https service route. Leave blank for default hostname, e.g.: secure-<application-name>-kieserver-<project>.<default-domain-suffix>

${KIE_SERVER2_HOSTNAME_HTTPS}

AUTH_LDAP_URL

LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.

${AUTH_LDAP_URL}

AUTH_LDAP_LOGIN_MODULE

LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER.

${AUTH_LDAP_LOGIN_MODULE}

AUTH_LDAP_LOGIN_FAILOVER

Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm.

${AUTH_LDAP_LOGIN_FAILOVER}

AUTH_LDAP_BIND_DN

Bind DN used for authentication.

${AUTH_LDAP_BIND_DN}

AUTH_LDAP_BIND_CREDENTIAL

LDAP Credentials used for authentication.

${AUTH_LDAP_BIND_CREDENTIAL}

AUTH_LDAP_BASE_CTX_DN

LDAP Base DN of the top-level context to begin the user search.

${AUTH_LDAP_BASE_CTX_DN}

AUTH_LDAP_BASE_FILTER

LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).

${AUTH_LDAP_BASE_FILTER}

AUTH_LDAP_RECURSIVE_SEARCH

Indicates if the user queries are recursive.

${AUTH_LDAP_RECURSIVE_SEARCH}

AUTH_LDAP_SEARCH_TIME_LIMIT

The timeout in milliseconds for user or role searches.

${AUTH_LDAP_SEARCH_TIME_LIMIT}

AUTH_LDAP_ROLE_ATTRIBUTE_ID

Name of the attribute containing the user roles.

${AUTH_LDAP_ROLE_ATTRIBUTE_ID}

AUTH_LDAP_ROLES_CTX_DN

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

${AUTH_LDAP_ROLES_CTX_DN}

AUTH_LDAP_ROLE_FILTER

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).

${AUTH_LDAP_ROLE_FILTER}

AUTH_LDAP_ROLE_RECURSION

The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

${AUTH_LDAP_ROLE_RECURSION}

AUTH_LDAP_DEFAULT_ROLE

A role included for all authenticated users.

${AUTH_LDAP_DEFAULT_ROLE}

AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES

Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'

${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}

AUTH_LDAP_REFERRAL_MODE

If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'

${AUTH_LDAP_REFERRAL_MODE}

AUTH_ROLE_MAPPER_ROLES_PROPERTIES

When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3

${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}

AUTH_LDAP_MAPPER_KEEP_MAPPED

When set to 'true' the mapped roles will retain all roles, that have defined mappings.

${AUTH_LDAP_MAPPER_KEEP_MAPPED}

AUTH_LDAP_MAPPER_KEEP_NON_MAPPED

When set to 'true' the mapped roles will retain all roles, that have no defined mappings.

${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}

${APPLICATION_NAME}-postgresql-2

POSTGRESQL_USER

KIE Server PostgreSQL database user name.

${KIE_SERVER_POSTGRESQL_USER}

POSTGRESQL_PASSWORD

KIE Server PostgreSQL database password.

${KIE_SERVER_POSTGRESQL_PWD}

POSTGRESQL_DATABASE

KIE Server PostgreSQL database name.

${KIE_SERVER_POSTGRESQL_DB}

POSTGRESQL_MAX_PREPARED_TRANSACTIONS

Allows the PostgreSQL to handle XA transactions.

${POSTGRESQL_MAX_PREPARED_TRANSACTIONS}

15.11.2.3.3.7. Volumes
DeploymentNamemountPathPurposereadOnly

${APPLICATION_NAME}-rhpamcentrmon

businesscentral-keystore-volume

/etc/businesscentral-secret-volume

ssl certs

True

${APPLICATION_NAME}-smartrouter

${APPLICATION_NAME}-smartrouter

/opt/rhpam-smartrouter/data

 — 

false

${APPLICATION_NAME}-kieserver-1

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql-1

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

${APPLICATION_NAME}-kieserver-2

kieserver-keystore-volume

/etc/kieserver-secret-volume

ssl certs

True

${APPLICATION_NAME}-postgresql-2

${APPLICATION_NAME}-postgresql-pvol

/var/lib/pgsql/data

postgresql

false

15.11.2.4. External Dependencies

15.11.2.4.1. Volume Claims

A PersistentVolume object is a storage resource in an OpenShift cluster. Storage is provisioned by an administrator by creating PersistentVolume objects from sources such as GCE Persistent Disks, AWS Elastic Block Stores (EBS), and NFS mounts. See the Openshift documentation for more information.

NameAccess Mode

${APPLICATION_NAME}-postgresql-claim-1

ReadWriteOnce

${APPLICATION_NAME}-postgresql-claim-2

ReadWriteOnce

${APPLICATION_NAME}-smartrouter-claim

ReadWriteMany

${APPLICATION_NAME}-rhpamcentr-claim

ReadWriteMany

15.11.2.4.2. Secrets

This template requires the following secrets to be installed for the application to run.

  • businesscentral-app-secret
  • smartrouter-app-secret
  • kieserver-app-secret

15.12. OpenShift usage quick reference

To deploy, monitor, manage, and undeploy Red Hat Process Automation Manager templates on Red Hat OpenShift Container Platform, you can use the OpenShift Web console or the oc command.

For instructions about using the Web console, see Create and build an image using the Web console.

For detailed instructions about using the oc command, see CLI Reference. The following commands are likely to be required:

  • To create a project, use the following command:

    $ oc new-project <project-name>

    For more information, see Creating a project using the CLI.

  • To deploy a template (create an application from a template), use the following command:

    $ oc new-app -f <template-name> -p <parameter>=<value> -p <parameter>=<value> ...

    For more information, see Creating an application using the CLI.

  • To view a list of the active pods in the project, use the following command:

    $ oc get pods
  • To view the current status of a pod, including information whether or not the pod deployment has completed and it is now in a running state, use the following command:

    $ oc describe pod <pod-name>

    You can also use the oc describe command to view the current status of other objects. For more information, see Application modification operations.

  • To view the logs for a pod, use the following command:

    $ oc logs <pod-name>
  • To view deployment logs, look up a DeploymentConfig name in the template reference and enter the following command:

    $ oc logs -f dc/<deployment-config-name>

    For more information, see Viewing deployment logs.

  • To view build logs, look up a BuildConfig name in the template reference and enter the command:

    $ oc logs -f bc/<build-config-name>

    For more information, see Accessing build logs.

  • To scale a pod in the application, look up a DeploymentConfig name in the template reference and enter the command:

    $ oc scale dc/<deployment-config-name> --replicas=<number>

    For more information, see Manual scaling.

  • To undeploy the application, you can delete the project by using the command:

    $ oc delete project <project-name>

    Alternatively, you can use the oc delete command to remove any part of the application, such as a pod or replication controller. For details, see Application modification operations.