-
Notifications
You must be signed in to change notification settings - Fork 46
/
Copy pathrhpam714-kieserver-mysql.yaml
820 lines (819 loc) · 35.7 KB
/
rhpam714-kieserver-mysql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
kind: Template
apiVersion: v1
metadata:
annotations:
iconClass: icon-jboss
tags: rhpam,processserver,jboss,kieserver
version: "7.14"
openshift.io/display-name: Red Hat Process Automation Manager 7.14 managed KIE Server with a MySQL database
openshift.io/provider-display-name: Red Hat, Inc.
description: Application template for a managed KIE Server with a MySQL database, for Red Hat Process Automation Manager 7.14 - Deprecated
template.openshift.io/long-description: This template defines resources needed to execute Rules and Processes on Red Hat Process Automation Manager KIE Server 7.14, including application deployment configuration, secure and insecure http communication, using a MySQL database. Template for Red Hat OpenShift Container Platform version 3.11. Deprecated since Red Hat Process Automation Manager version 7.5; consider using the Red Hat Business Automation Operator.
template.openshift.io/documentation-url: https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.14/html/deploying_a_red_hat_process_automation_manager_7.14_managed_server_environment_on_red_hat_openshift_container_platform/
template.openshift.io/support-url: https://access.redhat.com
template.openshift.io/bindable: "false"
name: rhpam714-kieserver-mysql
labels:
template: rhpam714-kieserver-mysql
rhpam: "7.14"
message: |-
A new Process Automation Manager KIE Server application have been created in your project.
The username/password needed for accessing the application are stored in "${CREDENTIALS_SECRET}" secret as
KIE_ADMIN_USER and KIE_ADMIN_PWD
You must create the secret named "${CREDENTIALS_SECRET}" containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values and the secret named "${KIE_SERVER_HTTPS_SECRET}" containing the ${KIE_SERVER_HTTPS_KEYSTORE} file used for serving secure content.
parameters:
- displayName: Application Name
description: The name for the application.
name: APPLICATION_NAME
value: myapp
required: true
- displayName: Maven mirror URL
description: Maven mirror that the KIE Server must use. If you configure a mirror, this mirror must contain all artifacts that are required for deploying your services.
name: MAVEN_MIRROR_URL
required: false
- displayName: Maven mirror of
description: Maven mirror configuration for KIE Server.
name: MAVEN_MIRROR_OF
value: "external:*"
required: false
- displayName: Maven repository ID
description: "The id to use for the maven repository. If set, it can be excluded from the optionally configured mirror by adding it to MAVEN_MIRROR_OF. For example: external:*,!repo-rhpamcentr,!repo-custom. If MAVEN_MIRROR_URL is set but MAVEN_MIRROR_ID is not set, an id will be generated randomly, but won't be usable in MAVEN_MIRROR_OF."
name: MAVEN_REPO_ID
value: repo-custom
required: false
- displayName: Maven repository URL
description: Fully qualified URL to a Maven repository or service.
name: MAVEN_REPO_URL
example: http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/
required: false
- displayName: Maven repository user name
description: User name for accessing the Maven repository, if required.
name: MAVEN_REPO_USERNAME
required: false
- displayName: Maven repository password
description: Password to access the Maven repository, if required.
name: MAVEN_REPO_PASSWORD
required: false
- displayName: Name of the Business Central service
description: The Service name for the optional Business Central, where it can be reached, to allow service lookups (for example, maven repo usage), if required.
name: BUSINESS_CENTRAL_SERVICE
example: "myapp-rhpamcentr"
required: false
- displayName: Credentials secret
description: Secret containing the KIE_ADMIN_USER and KIE_ADMIN_PWD values
name: CREDENTIALS_SECRET
example: rhpam-credentials
required: true
- displayName: ImageStream Namespace
description: Namespace in which the ImageStreams for Red Hat Process Automation Manager images are installed. These ImageStreams are normally installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".
name: IMAGE_STREAM_NAMESPACE
value: openshift
required: true
- displayName: KIE Server ImageStream Name
description: The name of the image stream to use for KIE Server. Default is "rhpam-kieserver-rhel8".
name: KIE_SERVER_IMAGE_STREAM_NAME
value: "rhpam-kieserver-rhel8"
required: true
- displayName: ImageStream Tag
description: A named pointer to an image in an image stream. Default is "7.14.0".
name: IMAGE_STREAM_TAG
value: "7.14.0"
required: true
- displayName: KIE Server Persistence DS
description: KIE Server persistence datasource. (Sets the org.kie.server.persistence.ds system property)
name: KIE_SERVER_PERSISTENCE_DS
value: java:/jboss/datasources/rhpam
required: false
## MySQL database parameters BEGIN
- displayName: MySQL ImageStream Namespace
description: Namespace in which the ImageStream for the MySQL image is installed. The ImageStream is already installed in the openshift namespace. You need to modify this parameter only if you installed the ImageStream in a different namespace/project. Default is "openshift".
name: MYSQL_IMAGE_STREAM_NAMESPACE
value: "openshift"
required: false
- displayName: MySQL ImageStream Tag
description: The MySQL image version, which is intended to correspond to the MySQL version. Default is "8.0".
name: MYSQL_IMAGE_STREAM_TAG
value: "8.0"
required: false
- displayName: KIE Server MySQL Database User
description: KIE Server MySQL database user name.
name: KIE_SERVER_MYSQL_USER
value: rhpam
required: false
- displayName: KIE Server MySQL Database Password
description: KIE Server MySQL database password.
name: KIE_SERVER_MYSQL_PWD
from: "[a-zA-Z]{6}[0-9]{1}!"
generate: expression
required: false
- displayName: KIE Server MySQL Database Name
description: KIE Server MySQL database name.
name: KIE_SERVER_MYSQL_DB
value: rhpam7
required: false
- displayName: Database Volume Capacity
description: Size of persistent storage for the database volume.
name: DB_VOLUME_CAPACITY
value: 1Gi
required: true
- displayName: KIE Server MySQL Dialect
description: KIE Server MySQL Hibernate dialect.
name: KIE_SERVER_MYSQL_DIALECT
value: org.hibernate.dialect.MySQL8Dialect
required: true
## MySQL database parameters END
- displayName: KIE Server Mode
description: "The KIE Server mode. Valid values are 'DEVELOPMENT' or 'PRODUCTION'. In production mode, you can not deploy SNAPSHOT versions of artifacts on the KIE Server and can not change the version of an artifact in an existing container. (Sets the org.kie.server.mode system property)."
name: KIE_SERVER_MODE
value: "PRODUCTION"
required: false
- displayName: KIE MBeans
description: KIE Server mbeans enabled/disabled. (Sets the kie.mbeans and kie.scanner.mbeans system properties)
name: KIE_MBEANS
value: enabled
required: false
- displayName: Drools Server Filter Classes
description: KIE Server class filtering. (Sets the org.drools.server.filter.classes system property)
name: DROOLS_SERVER_FILTER_CLASSES
value: 'true'
required: false
- displayName: Prometheus Server Extension Disabled
description: If set to false, the prometheus server extension will be enabled. (Sets the org.kie.prometheus.server.ext.disabled system property)
name: PROMETHEUS_SERVER_EXT_DISABLED
example: 'false'
required: false
- displayName: KIE Server Custom http Route Hostname
description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: insecure-<application-name>-kieserver-<project>.<default-domain-suffix>'
name: KIE_SERVER_HOSTNAME_HTTP
value: ''
required: false
- displayName: KIE Server Custom https Route Hostname
description: 'Custom hostname for https service route. Leave blank for default hostname, e.g.: <application-name>-kieserver-<project>.<default-domain-suffix>'
name: KIE_SERVER_HOSTNAME_HTTPS
value: ''
required: false
- displayName: KIE Server Keystore Secret Name
description: The name of the secret containing the keystore file.
name: KIE_SERVER_HTTPS_SECRET
example: kieserver-app-secret
required: true
- displayName: KIE Server Keystore Filename
description: The name of the keystore file within the secret.
name: KIE_SERVER_HTTPS_KEYSTORE
value: keystore.jks
required: false
- displayName: KIE Server Certificate Name
description: The name associated with the server certificate.
name: KIE_SERVER_HTTPS_NAME
value: jboss
required: false
- displayName: KIE Server Keystore Password
description: The password for the keystore and certificate.
name: KIE_SERVER_HTTPS_PASSWORD
value: mykeystorepass
required: false
- displayName: KIE Server Bypass Auth User
description: Allows the KIE Server to bypass the authenticated user for task-related operations, for example, queries. (Sets the org.kie.server.bypass.auth.user system property)
name: KIE_SERVER_BYPASS_AUTH_USER
value: 'false'
required: false
- displayName: "Timer service data store refresh interval (in milliseconds)"
description: "Sets refresh-interval for the EJB timer database data-store service."
name: TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL
value: '30000'
required: false
- displayName: KIE Server Container Memory Limit
description: KIE Server Container memory limit.
name: KIE_SERVER_MEMORY_LIMIT
value: 2Gi
required: true
- displayName: KIE Server Container Memory Request
description: KIE Server Container memory request.
name: KIE_SERVER_MEMORY_REQUEST
value: 1536Mi
required: true
- displayName: KIE Server Container CPU Limit
description: KIE Server Container CPU limit.
name: KIE_SERVER_CPU_LIMIT
value: '1'
required: true
- displayName: KIE Server Container CPU Request
description: KIE Server Container CPU request.
name: KIE_SERVER_CPU_REQUEST
value: '750m'
required: true
- displayName: KIE Server Container Deployment
description: 'KIE Server Container deployment configuration with optional alias. Format: containerId=groupId:artifactId:version|c2(alias2)=g2:a2:v2'
name: KIE_SERVER_CONTAINER_DEPLOYMENT
example: rhpam-kieserver-library=org.openshift.quickstarts:rhpam-kieserver-library:1.6.0-SNAPSHOT
required: false
- displayName: Disable KIE Server Management
description: "Disable management api and don't allow KIE containers to be deployed/undeployed or started/stopped sets the property org.kie.server.mgmt.api.disabled to true and org.kie.server.startup.strategy to LocalContainersStartupStrategy."
name: KIE_SERVER_MGMT_DISABLED
example: "true"
required: false
- displayName: RH-SSO URL
description: RH-SSO URL.
name: SSO_URL
example: https://rh-sso.example.com/auth
required: false
- displayName: RH-SSO Realm name
description: RH-SSO Realm name.
name: SSO_REALM
required: false
- displayName: KIE Server RH-SSO Client name
description: KIE Server RH-SSO Client name.
name: KIE_SERVER_SSO_CLIENT
required: false
- displayName: KIE Server RH-SSO Client Secret
description: KIE Server RH-SSO Client Secret.
name: KIE_SERVER_SSO_SECRET
example: "252793ed-7118-4ca8-8dab-5622fa97d892"
required: false
- displayName: RH-SSO Realm admin user name
description: RH-SSO Realm admin user name for creating the Client if it doesn't exist.
name: SSO_USERNAME
required: false
- displayName: RH-SSO Realm Admin Password
description: RH-SSO Realm Admin Password used to create the Client.
name: SSO_PASSWORD
required: false
- displayName: RH-SSO Disable SSL Certificate Validation
description: RH-SSO Disable SSL Certificate Validation.
name: SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
value: "false"
required: false
- displayName: RH-SSO Principal Attribute
description: RH-SSO Principal Attribute to use as user name.
name: SSO_PRINCIPAL_ATTRIBUTE
value: preferred_username
required: false
- displayName: LDAP Endpoint
description: LDAP endpoint to connect for authentication. For failover, set two or more LDAP endpoints separated by space.
name: AUTH_LDAP_URL
example: "ldap://myldap.example.com:389"
required: false
- displayName: LDAP Flag Login Module
name: AUTH_LDAP_LOGIN_MODULE
description: "LDAP login module flag, adds backward compatibility with the legacy security subsystem on Elytron. 'optional' is the only supported value, if set, it will create a distributed realm on Elytron configuration with LDAP and FileSystem realms with the user added using the KIE_ADMIN_USER."
example: "optional"
required: false
- displayName: LDAP login failover
name: AUTH_LDAP_LOGIN_FAILOVER
description: "Enable failover, if LDAP Url is unreachable, it will fail over to the KieFsRealm."
example: "true"
required: false
- displayName: LDAP Bind DN
description: Bind DN used for authentication.
name: AUTH_LDAP_BIND_DN
example: "uid=admin,ou=users,ou=example,ou=com"
required: false
- displayName: LDAP Bind Credentials
description: LDAP Credentials used for authentication.
name: AUTH_LDAP_BIND_CREDENTIAL
example: "Password"
required: false
- displayName: Allow Empty Passwords
description: Does this realm support blank password direct verification? Blank password attempt will be rejected otherwise. Boolean flag, defaults to false.
name: AUTH_LDAP_ALLOW_EMPTY_PASSWORDS
example: "true"
required: false
- displayName: LDAP Base DN
description: LDAP Base DN of the top-level context to begin the user search.
name: AUTH_LDAP_BASE_CTX_DN
example: "ou=users,ou=example,ou=com"
required: false
- displayName: LDAP Base Search filter
description: |-
Legacy LDAP search filter used to locate the context of the user to authenticate. The input username or userDN
obtained from the login module callback is substituted into the filter anywhere a {0} expression is used.
A common example for the search filter is (uid={0}).
For Elytron based subsystem this property should be configured only with the search filter parameter, without
any search expression. Example (uid={0}) became just uid.
name: AUTH_LDAP_BASE_FILTER
example: "(uid={0})"
required: false
- displayName: LDAP User resursive search
description: Indicates if the user queries are recursive.
name: AUTH_LDAP_RECURSIVE_SEARCH
example: "true"
required: false
- displayName: LDAP Search time limit
description: The timeout in milliseconds for user or role searches.
name: AUTH_LDAP_SEARCH_TIME_LIMIT
example: "10000"
required: false
- displayName: LDAP Role attributeID
description: Name of the attribute containing the user roles.
name: AUTH_LDAP_ROLE_ATTRIBUTE_ID
example: memberOf
required: false
- displayName: LDAP Roles Search DN
description: The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
name: AUTH_LDAP_ROLES_CTX_DN
example: "ou=groups,ou=example,ou=com"
required: false
- displayName: LDAP Role search filter
description: A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
name: AUTH_LDAP_ROLE_FILTER
example: "(memberOf={1})"
required: false
- displayName: LDAP Role recursion
description: The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.
name: AUTH_LDAP_ROLE_RECURSION
example: "1"
required: false
- displayName: LDAP Default role
description: A role included for all authenticated users.
name: AUTH_LDAP_DEFAULT_ROLE
example: "user"
required: false
- displayName: LDAP new identity attributes
description: "Provide new identities for LDAP identity mapping, the pattern to be used with this env is 'attribute_name=attribute_value;another_attribute_name=value'"
name: AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES
example: sn=BlankSurname;cn=BlankCommonName
required: false
- displayName: LDAP follow referrals
description: "If LDAP referrals should be followed. Corresponds to REFERRAL ('java.naming.referral') environment property. Allowed values: 'ignore', 'follow', 'throw'"
name: AUTH_LDAP_REFERRAL_MODE
required: false
- displayName: Role Mapping roles properties file path or one lined roles
description: When present, the RoleMapping will be configured to use the provided properties file or roles. This parameter defines the fully-qualified file path and name of a properties file or a set of roles with the following pattern 'role=role1;another-role=role2'. The format of every entry in the file is original_role=role1,role2,role3
example: role=role1,role3,role4;role7=role,admin
name: AUTH_ROLE_MAPPER_ROLES_PROPERTIES
required: false
- displayName: Role Mapper Keep Mapped
description: When set to 'true' the mapped roles will retain all roles, that have defined mappings.
name: AUTH_LDAP_MAPPER_KEEP_MAPPED
required: false
- displayName: Role Mapper Keep Non Mapped
description: When set to 'true' the mapped roles will retain all roles, that have no defined mappings.
name: AUTH_LDAP_MAPPER_KEEP_NON_MAPPED
required: false
objects:
- kind: ServiceAccount
apiVersion: v1
metadata:
name: "${APPLICATION_NAME}-kieserver"
labels:
application: "${APPLICATION_NAME}"
- kind: RoleBinding
apiVersion: v1
metadata:
name: "${APPLICATION_NAME}-kieserver-edit"
labels:
application: "${APPLICATION_NAME}"
subjects:
- kind: ServiceAccount
name: "${APPLICATION_NAME}-kieserver"
roleRef:
name: edit
- kind: Service
apiVersion: v1
spec:
ports:
- name: http
port: 8080
targetPort: 8080
- name: https
port: 8443
targetPort: 8443
selector:
deploymentConfig: "${APPLICATION_NAME}-kieserver"
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 3600
metadata:
name: "${APPLICATION_NAME}-kieserver"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-kieserver"
annotations:
description: All the KIE Server web server's ports.
## MySQL service BEGIN
- apiVersion: v1
kind: Service
metadata:
annotations:
description: The database server's port.
labels:
application: ${APPLICATION_NAME}
service: "${APPLICATION_NAME}-mysql"
name: ${APPLICATION_NAME}-mysql
spec:
ports:
- port: 3306
targetPort: 3306
selector:
deploymentConfig: ${APPLICATION_NAME}-mysql
## MySQL service END
- kind: Route
apiVersion: v1
id: "insecure-${APPLICATION_NAME}-kieserver-http"
metadata:
name: "insecure-${APPLICATION_NAME}-kieserver"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-kieserver"
annotations:
description: Route for KIE Server's http service.
haproxy.router.openshift.io/balance: source
spec:
host: "${KIE_SERVER_HOSTNAME_HTTP}"
to:
name: "${APPLICATION_NAME}-kieserver"
port:
targetPort: http
- kind: Route
apiVersion: v1
id: "${APPLICATION_NAME}-kieserver-https"
metadata:
name: "${APPLICATION_NAME}-kieserver"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-kieserver"
annotations:
description: Route for KIE Server's https service.
spec:
host: "${KIE_SERVER_HOSTNAME_HTTPS}"
to:
name: "${APPLICATION_NAME}-kieserver"
port:
targetPort: https
tls:
termination: passthrough
- kind: DeploymentConfig
apiVersion: v1
metadata:
name: "${APPLICATION_NAME}-kieserver"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-kieserver"
services.server.kie.org/kie-server-id: "${APPLICATION_NAME}-kieserver"
annotations:
template.alpha.openshift.io/wait-for-ready: "true"
spec:
revisionHistoryLimit: 10
strategy:
rollingParams:
maxSurge: 100%
maxUnavailable: 0
type: Rolling
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- "${APPLICATION_NAME}-kieserver"
from:
kind: ImageStreamTag
namespace: "${IMAGE_STREAM_NAMESPACE}"
name: "${KIE_SERVER_IMAGE_STREAM_NAME}:${IMAGE_STREAM_TAG}"
- type: ConfigChange
replicas: 1
selector:
deploymentConfig: "${APPLICATION_NAME}-kieserver"
template:
metadata:
name: "${APPLICATION_NAME}-kieserver"
labels:
deploymentConfig: "${APPLICATION_NAME}-kieserver"
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-kieserver"
services.server.kie.org/kie-server-id: "${APPLICATION_NAME}-kieserver"
cluster: "jgrp.k8s.${APPLICATION_NAME}.kieserver"
spec:
serviceAccountName: "${APPLICATION_NAME}-kieserver"
terminationGracePeriodSeconds: 90
containers:
- name: "${APPLICATION_NAME}-kieserver"
image: "${KIE_SERVER_IMAGE_STREAM_NAME}"
imagePullPolicy: Always
lifecycle:
postStart:
exec:
command:
- /bin/sh
- /opt/eap/bin/launch/jboss-kie-kieserver-hooks.sh
preStop:
exec:
command:
- /bin/sh
- /opt/eap/bin/launch/jboss-kie-kieserver-hooks.sh
resources:
limits:
memory: "${KIE_SERVER_MEMORY_LIMIT}"
cpu: "${KIE_SERVER_CPU_LIMIT}"
requests:
memory: "${KIE_SERVER_MEMORY_REQUEST}"
cpu: "${KIE_SERVER_CPU_REQUEST}"
volumeMounts:
- name: kieserver-keystore-volume
mountPath: "/etc/kieserver-secret-volume"
readOnly: true
livenessProbe:
httpGet:
path: /services/rest/server/healthcheck
port: 8080
scheme: HTTP
initialDelaySeconds: 180
timeoutSeconds: 2
periodSeconds: 15
failureThreshold: 3
readinessProbe:
httpGet:
path: /services/rest/server/readycheck
port: 8080
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 2
periodSeconds: 5
failureThreshold: 36
ports:
- name: jolokia
containerPort: 8778
protocol: TCP
- name: http
containerPort: 8080
protocol: TCP
- name: https
containerPort: 8443
protocol: TCP
env:
- name: WORKBENCH_SERVICE_NAME
value: "${BUSINESS_CENTRAL_SERVICE}"
- name: KIE_ADMIN_USER
valueFrom:
secretKeyRef:
name: "${CREDENTIALS_SECRET}"
key: KIE_ADMIN_USER
- name: KIE_ADMIN_PWD
valueFrom:
secretKeyRef:
name: "${CREDENTIALS_SECRET}"
key: KIE_ADMIN_PWD
- name: KIE_SERVER_MODE
value: "${KIE_SERVER_MODE}"
- name: KIE_MBEANS
value: "${KIE_MBEANS}"
- name: DROOLS_SERVER_FILTER_CLASSES
value: "${DROOLS_SERVER_FILTER_CLASSES}"
- name: PROMETHEUS_SERVER_EXT_DISABLED
value: "${PROMETHEUS_SERVER_EXT_DISABLED}"
- name: KIE_SERVER_BYPASS_AUTH_USER
value: "${KIE_SERVER_BYPASS_AUTH_USER}"
- name: KIE_SERVER_ID
valueFrom:
fieldRef:
fieldPath: metadata.labels['services.server.kie.org/kie-server-id']
- name: KIE_SERVER_ROUTE_NAME
value: "${APPLICATION_NAME}-kieserver"
- name: KIE_SERVER_CONTAINER_DEPLOYMENT
value: "${KIE_SERVER_CONTAINER_DEPLOYMENT}"
- name: MAVEN_MIRROR_URL
value: "${MAVEN_MIRROR_URL}"
- name: MAVEN_MIRROR_OF
value: "${MAVEN_MIRROR_OF}"
- name: MAVEN_REPOS
value: "RHPAMCENTR,EXTERNAL"
- name: RHPAMCENTR_MAVEN_REPO_ID
value: "repo-rhpamcentr"
- name: RHPAMCENTR_MAVEN_REPO_SERVICE
value: "${BUSINESS_CENTRAL_SERVICE}"
- name: RHPAMCENTR_MAVEN_REPO_PATH
value: "/maven2/"
- name: RHPAMCENTR_MAVEN_REPO_USERNAME
valueFrom:
secretKeyRef:
name: "${CREDENTIALS_SECRET}"
key: KIE_ADMIN_USER
- name: RHPAMCENTR_MAVEN_REPO_PASSWORD
valueFrom:
secretKeyRef:
name: "${CREDENTIALS_SECRET}"
key: KIE_ADMIN_PWD
- name: EXTERNAL_MAVEN_REPO_ID
value: "${MAVEN_REPO_ID}"
- name: EXTERNAL_MAVEN_REPO_URL
value: "${MAVEN_REPO_URL}"
- name: EXTERNAL_MAVEN_REPO_USERNAME
value: "${MAVEN_REPO_USERNAME}"
- name: EXTERNAL_MAVEN_REPO_PASSWORD
value: "${MAVEN_REPO_PASSWORD}"
- name: KIE_SERVER_MGMT_DISABLED
value: "${KIE_SERVER_MGMT_DISABLED}"
- name: KIE_SERVER_STARTUP_STRATEGY
value: "OpenShiftStartupStrategy"
- name: KIE_SERVER_PERSISTENCE_DS
value: "${KIE_SERVER_PERSISTENCE_DS}"
- name: DATASOURCES
value: "RHPAM"
- name: RHPAM_JNDI
value: "${KIE_SERVER_PERSISTENCE_DS}"
## MySQL driver settings BEGIN
- name: RHPAM_CONNECTION_CHECKER
value: "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLValidConnectionChecker"
- name: RHPAM_EXCEPTION_SORTER
value: "org.jboss.jca.adapters.jdbc.extensions.mysql.MySQLExceptionSorter"
- name: RHPAM_DATABASE
value: "${KIE_SERVER_MYSQL_DB}"
- name: RHPAM_DRIVER
value: "mariadb"
- name: KIE_SERVER_PERSISTENCE_DIALECT
value: "${KIE_SERVER_MYSQL_DIALECT}"
- name: RHPAM_USERNAME
value: "${KIE_SERVER_MYSQL_USER}"
- name: RHPAM_PASSWORD
value: "${KIE_SERVER_MYSQL_PWD}"
- name: RHPAM_SERVICE_HOST
value: "${APPLICATION_NAME}-mysql"
- name: RHPAM_SERVICE_PORT
value: "3306"
## MySQL driver settings END
- name: RHPAM_JTA
value: "true"
- name: TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL
value: "${TIMER_SERVICE_DATA_STORE_REFRESH_INTERVAL}"
- name: HTTPS_KEYSTORE_DIR
value: "/etc/kieserver-secret-volume"
- name: HTTPS_KEYSTORE
value: "${KIE_SERVER_HTTPS_KEYSTORE}"
- name: HTTPS_NAME
value: "${KIE_SERVER_HTTPS_NAME}"
- name: HTTPS_PASSWORD
value: "${KIE_SERVER_HTTPS_PASSWORD}"
- name: JGROUPS_PING_PROTOCOL
value: "kubernetes.KUBE_PING"
- name: KUBERNETES_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUBERNETES_LABELS
value: "cluster=jgrp.k8s.${APPLICATION_NAME}.kieserver"
- name: SSO_URL
value: "${SSO_URL}"
- name: SSO_OPENIDCONNECT_DEPLOYMENTS
value: "ROOT.war"
- name: SSO_REALM
value: "${SSO_REALM}"
- name: SSO_SECRET
value: "${KIE_SERVER_SSO_SECRET}"
- name: SSO_CLIENT
value: "${KIE_SERVER_SSO_CLIENT}"
- name: SSO_USERNAME
value: "${SSO_USERNAME}"
- name: SSO_PASSWORD
value: "${SSO_PASSWORD}"
- name: SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
value: "${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}"
- name: SSO_PRINCIPAL_ATTRIBUTE
value: "${SSO_PRINCIPAL_ATTRIBUTE}"
- name: HOSTNAME_HTTP
value: "${KIE_SERVER_HOSTNAME_HTTP}"
- name: HOSTNAME_HTTPS
value: "${KIE_SERVER_HOSTNAME_HTTPS}"
- name: AUTH_LDAP_URL
value: "${AUTH_LDAP_URL}"
- name: AUTH_LDAP_LOGIN_MODULE
value: "${AUTH_LDAP_LOGIN_MODULE}"
- name: AUTH_LDAP_LOGIN_FAILOVER
value: "${AUTH_LDAP_LOGIN_FAILOVER}"
- name: AUTH_LDAP_BIND_DN
value: "${AUTH_LDAP_BIND_DN}"
- name: AUTH_LDAP_BIND_CREDENTIAL
value: "${AUTH_LDAP_BIND_CREDENTIAL}"
- name: AUTH_LDAP_ALLOW_EMPTY_PASSWORDS
value: "${AUTH_LDAP_ALLOW_EMPTY_PASSWORDS}"
- name: AUTH_LDAP_BASE_CTX_DN
value: "${AUTH_LDAP_BASE_CTX_DN}"
- name: AUTH_LDAP_BASE_FILTER
value: "${AUTH_LDAP_BASE_FILTER}"
- name: AUTH_LDAP_RECURSIVE_SEARCH
value: "${AUTH_LDAP_RECURSIVE_SEARCH}"
- name: AUTH_LDAP_SEARCH_TIME_LIMIT
value: "${AUTH_LDAP_SEARCH_TIME_LIMIT}"
- name: AUTH_LDAP_ROLE_ATTRIBUTE_ID
value: "${AUTH_LDAP_ROLE_ATTRIBUTE_ID}"
- name: AUTH_LDAP_ROLES_CTX_DN
value: "${AUTH_LDAP_ROLES_CTX_DN}"
- name: AUTH_LDAP_ROLE_FILTER
value: "${AUTH_LDAP_ROLE_FILTER}"
- name: AUTH_LDAP_ROLE_RECURSION
value: "${AUTH_LDAP_ROLE_RECURSION}"
- name: AUTH_LDAP_DEFAULT_ROLE
value: "${AUTH_LDAP_DEFAULT_ROLE}"
- name: AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES
value: "${AUTH_LDAP_NEW_IDENTITY_ATTRIBUTES}"
- name: AUTH_LDAP_REFERRAL_MODE
value: "${AUTH_LDAP_REFERRAL_MODE}"
- name: AUTH_ROLE_MAPPER_ROLES_PROPERTIES
value: "${AUTH_ROLE_MAPPER_ROLES_PROPERTIES}"
- name: AUTH_LDAP_MAPPER_KEEP_MAPPED
value: "${AUTH_LDAP_MAPPER_KEEP_MAPPED}"
- name: AUTH_LDAP_MAPPER_KEEP_NON_MAPPED
value: "${AUTH_LDAP_MAPPER_KEEP_NON_MAPPED}"
volumes:
- name: kieserver-keystore-volume
secret:
secretName: "${KIE_SERVER_HTTPS_SECRET}"
initContainers:
- command:
- /bin/bash
- '-c'
- >-
replicas=$(oc get dc ${APPLICATION_NAME}-mysql -o=jsonpath='{.status.availableReplicas}'); until "[" $replicas -gt 0 "]"; do echo waiting for ${APPLICATION_NAME}-mysql; replicas=$(oc get dc ${APPLICATION_NAME}-mysql -o=jsonpath='{.status.availableReplicas}'); sleep 2; done;
image: registry.redhat.io/openshift3/ose-cli
imagePullPolicy: IfNotPresent
name: ${APPLICATION_NAME}-mysql-init
terminationMessagePolicy: FallbackToLogsOnError
## MySQL deployment config BEGIN
- kind: DeploymentConfig
apiVersion: v1
metadata:
name: "${APPLICATION_NAME}-mysql"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-mysql"
annotations:
template.alpha.openshift.io/wait-for-ready: "true"
spec:
strategy:
type: Recreate
triggers:
- type: ImageChange
imageChangeParams:
automatic: true
containerNames:
- "${APPLICATION_NAME}-mysql"
from:
kind: ImageStreamTag
namespace: "${MYSQL_IMAGE_STREAM_NAMESPACE}"
name: "mysql:${MYSQL_IMAGE_STREAM_TAG}"
- type: ConfigChange
replicas: 1
selector:
deploymentConfig: "${APPLICATION_NAME}-mysql"
template:
metadata:
name: "${APPLICATION_NAME}-mysql"
labels:
deploymentConfig: "${APPLICATION_NAME}-mysql"
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-mysql"
spec:
terminationGracePeriodSeconds: 60
containers:
- name: "${APPLICATION_NAME}-mysql"
image: mysql
imagePullPolicy: Always
livenessProbe:
tcpSocket:
port: 3306
initialDelaySeconds: 30
timeoutSeconds: 1
readinessProbe:
exec:
command:
- "/bin/sh"
- "-i"
- "-c"
- "MYSQL_PWD=\"$MYSQL_PASSWORD\" mysql -h 127.0.0.1 -u $MYSQL_USER -D $MYSQL_DATABASE -e 'SELECT 1'"
port: 3306
initialDelaySeconds: 5
timeoutSeconds: 1
ports:
- containerPort: 3306
protocol: TCP
volumeMounts:
- mountPath: "/var/lib/mysql/data"
name: "${APPLICATION_NAME}-mysql-pvol"
env:
- name: MYSQL_USER
value: "${KIE_SERVER_MYSQL_USER}"
- name: MYSQL_PASSWORD
value: "${KIE_SERVER_MYSQL_PWD}"
- name: MYSQL_DATABASE
value: "${KIE_SERVER_MYSQL_DB}"
- name: MYSQL_DEFAULT_AUTHENTICATION_PLUGIN
value: "mysql_native_password"
volumes:
- name: "${APPLICATION_NAME}-mysql-pvol"
persistentVolumeClaim:
claimName: "${APPLICATION_NAME}-mysql-claim"
## MySQL deployment config END
## MySQL persistent volume claim BEGIN
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "${APPLICATION_NAME}-mysql-claim"
labels:
application: "${APPLICATION_NAME}"
service: "${APPLICATION_NAME}-mysql"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "${DB_VOLUME_CAPACITY}"
## MySQL persistent volume claim END