Deploying Flowable on Openshift

Flowable + Openshift

Introduction

Often time when we are exploring new technologies or trying out a new feature, we require an easy to configure, easy to manage, and reproducible deployment environment. For the past couple of years Openshift Container platform serving that need for me. I use Openshift mainly because —

1. It’s Kubernetes at the core. Hence I can manage multi-container applications easily.
2. Security-focused (backed by RedHat). It configures docker images with strict and recommended security policies like strict security context, file system permissions, and dropping unnecessary capabilities. More about it later.
3. Provides free sandbox for a developer. So no need to install heavy docker daemons, k3s clusters on local systems.
4. Tools like Helm, Operator makes application deployment look like package installation in Linux, (apt install git vs helm install flowable).

Making Images compactible to run on Openshift

As mentioned in point 2 above, Openshift considers security policies as a first-class citizen of their platform. The platform runs the docker images with the following restrictions —

1. Images are started with the random user id. This user is always part of the root group. Hence you cannot build your images as root or any specific user.
2. The mount volumes have fsGroup. So we have to make sure, the images are properly configured to access the data folder.
3. The capabilities like SETGID, SETUID are dropped.

Hence, you cannot assume that your images will run on Openshift as it is. This has been always the first issue I face when trying to deploy new applications on Openshift. But the beauty of Open-source always comes to your rescue. You can always raise issues and the PRs and get them fixed.

Docker image failing on openshift · Issue #2941 · flowable/flowable-engine

Flowable engineers are quick enough to accept the PR, and the latest images are now compatible to run on the Openshift.

Setting Up Environment

Installing Tools

If this is the first time you are working with Openshift, you need the following oc and helm installed. Use package manager like choco if not used already.

> choco install openshift-cli -y --force
> choco install kubernetes-helm -y --force

Getting Helm Chart

To reduce our efforts, the Flowable team has already packaged the engine as Helm Chart. The source can be accessed from —

flowable-engine/k8s/flowable at main · flowable/flowable-engine

## add helm chart.
> helm repo add flowable-oss https://flowable.github.io/helm/
> helm repo update
## check which charts are available.
> helm search repo flowable-oss
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
flowable-oss/flowable   6.7.2           6.7.2           A Flowable Helm chart for Kubernetes

Accessing Openshift Cluster

Create the Openshift sandbox from https://developers.redhat.com/developer-sandbox/get-started. Once done, copy the login command from the dashboard and paste in the terminal.

Copy login command

## login to cluster 
> oc login --token=sha256~xxxx --server=https://api.sandbox.x8i5.p1.openshiftapps.com:6443

As docker added rate-limiting to the image pull request (one IP can at max do ~300 requests), we need to create pull secrets with the docker hub account.

> oc create secret docker-registry docker-key --docker-server=docker.io \
        --docker-username=YOUR_DOCKER_HUB_USERNAME --docker-password=YOUR_DOCKER_HUB_PASSWORD \
        --docker-email=YOUR_DOCKER_HUB_EMAIL
secret/docker-key created
## add secret to default service account, so that it will be used for every image pull request
> oc patch serviceaccount default -p '{\"imagePullSecrets\": [{\"name\": \"docker-key\"}]}'
## verify the changes
> oc get serviceaccount default -o yaml
apiVersion: v1
imagePullSecrets:
- name: docker-key
- name: default-dockercfg-p8qsm
kind: ServiceAccount
metadata:
  creationTimestamp: 2022-03-12T06:40:37Z
  name: default
  namespace: im-pratham-dev
  resourceVersion: "923910545"
  uid: 11e1c9f4-5292-482a-83d2-9c9318c46144
secrets:
- name: default-token-b58n9
- name: default-dockercfg-p8qsm

Installing Flowable

Using In-memory database

First, we will try with an in-memory database. We need to set the following values —

1. database.datasourceDriverClassName: H2 drive name
2. database.datasourceUrl: In memory DB connection string
3. postgres.enabled=false.

> helm upgrade --install flowable-demo flowable-oss/flowable --set database.datasourceDriverClassName=org.h2.Driver --set database.datasourceUrl=jdbc:h2:mem:testdb --set postgres.enabled=false
## check if pod is installed
> oc get po -l "app.kubernetes.io/name=ui"
NAME                  READY     STATUS    RESTARTS   AGE
ui-74c9cf8b94-nq8vm   0/1       Running   0          62s
## Use name of pod returned above. Port forwarding is to access the remote instance from the local system.
> oc port-forward ui-74c9cf8b94-nq8vm 8080
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080

Now visit http://localhost:8080/flowable-ui, and enter default credentials username: admin, password: test to login.

Flowable Open Source UI

Using Persistent Database

The above method is useful when you need a throw-away environment. The contents of the in-memory database will be wiped when a container is restarted. If you want a persistence solution, we can deploy any database we want and provide and connection string URL as we provided above.

The default PostgreSQL template coming with a flowable helm chart is again not compatible with Openshift. Hence we will install our own instance. Openshift has a pre-defined template for the same that we can re-use.

## check openshift pre-defined template
> oc get template -n openshift | grep postgresql
postgresql-ephemeral                                PostgreSQL database service, without persistent storage. For more information...   7 (2 generated)   3
postgresql-persistent                               PostgreSQL database service, with persistent storage. For more information ab...   8 (2 generated)   4
## as pointed above, we can use postgresql-persistence template.
## Now check which parameters are available for customization.
> oc describe template postgresql-persistent -n openshift
## Provide correct parameters, and deploy database.
> oc new-app --name=postgresql --template=postgresql-persistent -p POSTGRESQL_USER=flowable -p POSTGRESQL_PASSWORD=flowable -p POSTGRESQL_DATABASE=flowable-demo
            Username: flowable
            Password: flowable
       Database Name: flowable-demo
      Connection URL: postgresql://postgresql:5432/
## check if deployment is correct
> oc get po
NAME                  READY     STATUS      RESTARTS   AGE
postgresql-1-ch2wg    1/1       Running     0          31m
postgresql-1-deploy   0/1       Completed   0          31m

Now we need to upgrade our existing deployment to use the newly deployed PostgreSQL instance.

## Upgrade helm installation
> helm upgrade --install flowable-demo flowable-oss/flowable --set database.datasourceDriverClassName=org.postgresql.Driver --set database.datasourceUrl=jdbc:postgresql://postgresql:5432/flowable-demo --set postgres.enabled=false
## Above step will only change the connection configuration. This will not affect the running pod. Hence we have to manually delete old pod.
> oc delete po -l "app.kubernetes.io/name=ui"
pod "ui-74c9cf8b94-nq8vm" deleted
## Openshift is smart enough to create new pod with updated configuration
> oc get po
NAME                  READY     STATUS      RESTARTS   AGE
postgresql-1-ch2wg    1/1       Running     0          32m
postgresql-1-deploy   0/1       Completed   0          32m
ui-74c9cf8b94-k7bdn   0/1       Running     0          13s
## Use name of pod returned above. Port forwarding is to access the remote instance from the local system.
> oc port-forward ui-74c9cf8b94-k7bdn 8080
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080

Your final topology will look something like —

Deployment topology

This way you can install the Flowable on Openshift using Helm Chart.

Happy Helming!!

Explore other articles here —

Prathamesh Mane - Medium