Chapter 2. Preparing to deploy Red Hat Decision Manager in your OpenShift environment
Before deploying Red Hat Decision Manager in your OpenShift environment, you need to complete several preparatory tasks. You do not need to repeat these tasks if you want to deploy additional images, for example, for new versions of decision services or for other decision services
2.1. Ensuring the availability of image streams and the image registry
To deploy Red Hat Decision Manager components on Red Hat OpenShift Container Platform, you must ensure that OpenShift can download the correct images from the Red Hat registry. To download the images, OpenShift requires the information about their location (known as image streams). OpenShift also must be configured to authenticate with the Red Hat registry using your service account user name and password.
Some versions of the OpenShift environment include the required image streams. You must check if they are available. If image streams are available in OpenShift by default, you can use them if the OpenShift infrastructure is configured for registry authentication server. The administrator must complete the registry authentication configuration when installing the OpenShift environment.
Otherwise, you can configure registry authentication in your own project and install the image streams in the same project.
Procedure
- Determine whether Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access. For details about the required configuration, see Configuring a Registry Location. If you are using an OpenShift Online subscription, it is configured for Red Hat registry access.
If Red Hat OpenShift Container Platform is configured with the user name and password for Red Hat registry access, run the following commands:
$ oc get imagestreamtag -n openshift | grep rhdm73-decisioncentral-openshift $ oc get imagestreamtag -n openshift | grep rhdm73-kieserver-openshift
If the outputs of both commands are not empty, the required image streams are available in the
openshift
namespace and no further action is required.If the output of one or both of the commands is empty or if OpenShift is not configured with the user name and password for Red Hat registry access, complete the following steps:
-
Ensure you are logged in to OpenShift with the
oc
command and that your project is active. - Complete the steps documented in Registry Service Accounts for Shared Environments. You must log in to Red Hat Customer Portal to access the document and to complete the steps to create a registry service account.
- Select the OpenShift Secret tab and click the link under Download secret to download the YAML secret file.
-
View the downloaded file and note the name that is listed in the
name:
entry. Run the following commands:
oc create -f <file_name>.yaml oc secrets link default <secret_name> --for=pull oc secrets link builder <secret_name> --for=pull
Where
<file_name>
is the name of the downloaded file and <secret_name> is the name that is listed in thename:
entry of the file.-
Download the
rhdm-7.3.0-openshift-templates.zip
product deliverable file from the Software Downloads page and extract therhdm73-image-streams.yaml
file. Complete one of the following actions:
Run the following command:
$ oc create -f rhdm73-image-streams.yaml
-
Using the OpenShift Web UI, select Add to Project
Import YAML / JSON and then choose the file or paste its contents.
-
Ensure you are logged in to OpenShift with the
If you want to deploy a high-availability Business Central (this functionality is a technology preview), complete the following additional steps:
Verify if the AMQ scaledown controller image stream is present. Enter the following command:
$ oc get imagestreamtag -n openshift | grep amq-broker-72-scaledown-controller-openshift
If the output of the command is not empty, the required image stream is available in the
openshift
namespace and no further action is required.If the output of the commands is empty, complete the following steps:
- Download the following file: https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/amq-broker-72/amq-broker-7-scaledown-controller-image-streams.yaml
Complete one of the following actions:
Run the following command:
$ oc create -f amq-broker-7-scaledown-controller-image-streams.yaml
Using the OpenShift Web UI, select Add to Project
Import YAML / JSON and then choose the amq-broker-7-scaledown-controller-image-streams.yaml
file or paste its contents.NoteIf you complete these steps, you install the image streams into the namespace of your project. If you install the image streams using these steps, you must set the
IMAGE_STREAM_NAMESPACE
parameter to the name of this project when deploying templates.
2.2. Creating the secrets for Decision Server
OpenShift uses objects called Secrets
to hold sensitive information, such as passwords or keystores. For more information about OpenShift secrets, see the Secrets chapter in the OpenShift documentation.
You must create an SSL certificate for Decision Server and provide it to your OpenShift environment as a secret.
Procedure
Generate an SSL keystore with a private and public key for SSL encryption for Decision Server. In a production environment, generate a valid signed certificate that matches the expected URL of the Decision Server. Save the keystore in a file named
keystore.jks
. Record the name of the certificate and the password of the keystore file.For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.
Use the
oc
command to generate a secret namedkieserver-app-secret
from the new keystore file:$ oc create secret generic kieserver-app-secret --from-file=keystore.jks
2.3. Creating the secrets for Business Central
If you are planning to deploy Business Central in your OpenShift environment, you must create an SSL certificate for Business Central and provide it to your OpenShift environment as a secret. Do not use the same certificate and keystore for Business Central and for Decision Server.
Procedure
Generate an SSL keystore with a private and public key for SSL encryption for Business Central. In a production environment, generate a valid signed certificate that matches the expected URL of the Business Central. Save the keystore in a file named
keystore.jks
. Record the name of the certificate and the password of the keystore file.For more information on how to create a keystore with self-signed or purchased SSL certificates, see Generate a SSL Encryption Key and Certificate.
Use the
oc
command to generate a secret nameddecisioncentral-app-secret
from the new keystore file:$ oc create secret generic decisioncentral-app-secret --from-file=keystore.jks
2.4. Preparing a Maven mirror repository for offline use
If your Red Hat OpenShift Container Platform environment does not have outgoing access to the public Internet, you must prepare a Maven repository with a mirror of all the necessary artifacts and make this repository available to your environment.
Skip this procedure if your Red Hat OpenShift Container Platform environment is connected to the Internet.
Procedure
- Prepare a Maven release repository to which you can write. The repository must allow read access without authentication. Your OpenShift environment must have access to this repository. You can deploy a Nexus repository manager in the OpenShift environment. For instructions about setting up Nexus on OpenShift, see Setting up Nexus.
Complete the following actions on a computer that has an outgoing connection to the public Internet:
-
Clear the local Maven cache directory (
~/.m2/repository
). -
Build the source of your services using the
mvn clean install
command. -
Upload all artifacts from the local Maven cache directory (
~/.m2/repository
) to the Maven repository that you prepared. You can use the Maven Repository Provisioner utility to upload the artifacts.
-
Clear the local Maven cache directory (
2.5. Changing GlusterFS configuration
Check whether your OpenShift environment uses GlusterFS to provide permanent storage volumes. If it uses GlusterFS, to ensure optimal performance, tune your GlusterFS storage by changing the storage class configuration.
Procedure
To check whether your environment uses GlusterFS, run the following command:
oc get storageclass
In the results, check whether the
(default)
marker is on the storage class that listsglusterfs
. For example, in the following output the default storage class isgluster-container
, which does listglusterfs
:NAME PROVISIONER AGE gluster-block gluster.org/glusterblock 8d gluster-container (default) kubernetes.io/glusterfs 8d
If the result has a default storage class that does not list
glusterfs
or if the result is empty, you do not need to make any changes. In this case, skip the rest of this procedure.To save the configuration of the default storage class into a YAML file, run the following command:
oc get storageclass <class-name> -o yaml >storage_config.yaml
Replace
<class-name>
with the name of the default storage class. For example:oc get storageclass gluster-container -o yaml >storage_config.yaml
Edit the
storage_config.yaml
file:Remove the lines with the following keys:
-
creationTimestamp
-
resourceVersion
-
selfLink
-
uid
-
On the line with the
volumeoptions
key, add the following two options:features.cache-invalidation on, performance.nl-cache on
. For example:volumeoptions: client.ssl off, server.ssl off, features.cache-invalidation on, performance.nl-cache on
To remove the existing default storage class, run the following command:
oc delete storageclass <class-name>
Replace
<class-name>
with the name of the default storage class. For example:oc delete storageclass gluster-container
To re-create the storage class using the new configuration, run the following command:
oc create -f storage_config.yaml