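---
# OpenShift Template: non-HA, persistent authoring environment for
# Red Hat Process Automation Manager 7.0.
#
# Objects created: a ServiceAccount and RoleBinding for the KIE server, two
# Services, four Routes (http and https passthrough for Business Central and
# for the KIE server), two DeploymentConfigs and two PersistentVolumeClaims.
#
# Security-relevant points for reviewers:
#   * All credentials are template parameters that end up as literal env
#     values in the DeploymentConfigs (see the env lists below).
#   * Both components are also published through plain-http Routes.
#   * The keystore password parameters ship with a fixed default value.
kind: Template
apiVersion: v1
metadata:
  annotations:
    description: Application template for a non-HA persistent authoring environment, for Red Hat Process Automation Manager 7.0
    iconClass: icon-jboss
    tags: rhpam,jboss,authoring
    version: "1.2"
    openshift.io/display-name: Red Hat Process Automation Manager 7.0 authoring environment (non-HA, persistent, with https)
    template.openshift.io/bindable: "false"
  name: rhpam70-authoring
labels:
  template: rhpam70-authoring
  rhpam: "1.2"
# Shown to the user once the template has been instantiated. Note that it
# echoes the admin and execution-server passwords in clear text.
message: |-
  A new persistent Process Automation Manager application have been created in your project.

  The username/password for accessing the Business Central interface is

      Username: ${KIE_ADMIN_USER}
      Password: ${KIE_ADMIN_PWD}

  The user name/password for calls to the Execution Server is

      Username: ${KIE_SERVER_USER}
      Password: ${KIE_SERVER_PWD}

  Please be sure to create the secrets named "${BUSINESS_CENTRAL_HTTPS_SECRET}" and "${KIE_SERVER_HTTPS_SECRET}" containing the
  ${BUSINESS_CENTRAL_HTTPS_KEYSTORE} and ${KIE_SERVER_HTTPS_KEYSTORE} files used for serving secure content.
parameters:
  - displayName: Application Name
    description: The name for the application.
    name: APPLICATION_NAME
    value: myapp
    required: true
  - displayName: KIE Admin User
    description: KIE administrator username
    name: KIE_ADMIN_USER
    value: adminUser
    required: false
  # NOTE(review): the generator expression used for this and the other
  # generated passwords yields a fixed shape (six letters, one digit, a
  # literal "!"). Supply a stronger value explicitly for anything beyond
  # evaluation use.
  - displayName: KIE Admin Password
    description: KIE administrator password
    name: KIE_ADMIN_PWD
    from: "[a-zA-Z]{6}[0-9]{1}!"
    generate: expression
    required: false
  - displayName: KIE Server Controller User
    description: KIE server controller username (Sets the org.kie.server.controller.user system property)
    name: KIE_SERVER_CONTROLLER_USER
    value: controllerUser
    required: false
  - displayName: KIE Server Controller Password
    description: KIE server controller password (Sets the org.kie.server.controller.pwd system property)
    name: KIE_SERVER_CONTROLLER_PWD
    from: "[a-zA-Z]{6}[0-9]{1}!"
    generate: expression
    required: false
  - displayName: KIE Server User
    description: KIE execution server username (Sets the org.kie.server.user system property)
    name: KIE_SERVER_USER
    value: executionUser
    required: false
  - displayName: KIE Server Password
    description: KIE execution server password (Sets the org.kie.server.pwd system property)
    name: KIE_SERVER_PWD
    from: "[a-zA-Z]{6}[0-9]{1}!"
    generate: expression
    required: false
  - displayName: KIE Server ID
    description: Business server identifier. Determines the template ID in Business Central or controller. If this parameter is left blank, it is set using the $HOSTNAME environment variable or a random value. (Sets the org.kie.server.id system property).
    name: KIE_SERVER_ID
    required: false
  - displayName: KIE Server Bypass Auth User
    description: KIE execution server bypass auth user (Sets the org.kie.server.bypass.auth.user system property)
    name: KIE_SERVER_BYPASS_AUTH_USER
    value: 'false'
    required: false
  - displayName: KIE Server Persistence DS
    description: KIE execution server persistence datasource (Sets the org.kie.server.persistence.ds system property)
    name: KIE_SERVER_PERSISTENCE_DS
    value: java:/jboss/datasources/rhpam
    required: false
  ## H2 database parameters BEGIN
  - displayName: KIE Server H2 Database User
    description: KIE execution server H2 database username
    name: KIE_SERVER_H2_USER
    value: sa
    required: false
  - displayName: KIE Server H2 Database Password
    description: KIE execution server H2 database password
    name: KIE_SERVER_H2_PWD
    from: "[a-zA-Z]{6}[0-9]{1}!"
    generate: expression
    required: false
  ## H2 database parameters END
  - displayName: KIE MBeans
    description: KIE execution server mbeans enabled/disabled (Sets the kie.mbeans and kie.scanner.mbeans system properties)
    name: KIE_MBEANS
    value: enabled
    required: false
  - displayName: Drools Server Filter Classes
    description: KIE execution server class filtering (Sets the org.drools.server.filter.classes system property)
    name: DROOLS_SERVER_FILTER_CLASSES
    value: 'true'
    required: false
  # NOTE(review): the example hostnames in the four route-hostname
  # descriptions below look truncated (placeholders apparently lost); they
  # are reproduced as found.
  - displayName: Business Central Custom http Route Hostname
    description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: -rhpamcentr-.'
    name: BUSINESS_CENTRAL_HOSTNAME_HTTP
    value: ''
    required: false
  - displayName: Business Central Custom https Route Hostname
    description: 'Custom hostname for https service route. Leave blank for default hostname, e.g.: secure--rhpamcentr-.'
    name: BUSINESS_CENTRAL_HOSTNAME_HTTPS
    value: ''
    required: false
  - displayName: Execution Server Custom http Route Hostname
    description: 'Custom hostname for http service route, if set will also configure the KIE_SERVER_HOST. Leave blank for default hostname, e.g.: -kieserver-.'
    name: EXECUTION_SERVER_HOSTNAME_HTTP
    value: ''
    required: false
  - displayName: Execution Server Custom https Route Hostname
    description: 'Custom hostname for https service route. Leave blank for default hostname, e.g.: secure--kieserver-.'
    name: EXECUTION_SERVER_HOSTNAME_HTTPS
    value: ''
    required: false
  - displayName: Use the secure route name to set KIE_SERVER_HOST.
    description: Use https for the KIE_SERVER_HOST when it is not explicit configured to a custom value.
    name: EXECUTION_SERVER_USE_SECURE_ROUTE_NAME
    value: 'false'
    required: false
  - displayName: Business Central Server Keystore Secret Name
    description: The name of the secret containing the keystore file
    name: BUSINESS_CENTRAL_HTTPS_SECRET
    example: businesscentral-app-secret
    required: true
  - displayName: Business Central Server Keystore Filename
    description: The name of the keystore file within the secret
    name: BUSINESS_CENTRAL_HTTPS_KEYSTORE
    value: keystore.jks
    required: false
  - displayName: Business Central Server Certificate Name
    description: The name associated with the server certificate
    name: BUSINESS_CENTRAL_HTTPS_NAME
    value: jboss
    required: false
  # NOTE(review): fixed default keystore password, identical for every
  # instantiation that does not override it (KIE_SERVER_HTTPS_PASSWORD below
  # uses the same default). Pass the real keystore password instead.
  - displayName: Business Central Server Keystore Password
    description: The password for the keystore and certificate
    name: BUSINESS_CENTRAL_HTTPS_PASSWORD
    value: mykeystorepass
    required: false
  - displayName: KIE Server Keystore Secret Name
    description: The name of the secret containing the keystore file
    name: KIE_SERVER_HTTPS_SECRET
    example: kieserver-app-secret
    required: true
  - displayName: KIE Server Keystore Filename
    description: The name of the keystore file within the secret
    name: KIE_SERVER_HTTPS_KEYSTORE
    value: keystore.jks
    required: false
  - displayName: KIE Server Certificate Name
    description: The name associated with the server certificate
    name: KIE_SERVER_HTTPS_NAME
    value: jboss
    required: false
  - displayName: KIE Server Keystore Password
    description: The password for the keystore and certificate
    name: KIE_SERVER_HTTPS_PASSWORD
    value: mykeystorepass
    required: false
  - displayName: Database Volume Capacity
    description: Size of persistent storage for database volume.
    name: DB_VOLUME_CAPACITY
    value: 1Gi
    required: true
  - displayName: ImageStream Namespace
    description: Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you've installed the ImageStreams in a different namespace/project.
    name: IMAGE_STREAM_NAMESPACE
    value: openshift
    required: true
  - displayName: KIE Server ImageStream Name
    description: The name of the image stream to use for KIE Execution Server. Default is "rhpam70-kieserver-openshift".
    name: KIE_SERVER_IMAGE_STREAM_NAME
    value: "rhpam70-kieserver-openshift"
    required: true
  - displayName: ImageStream Tag
    description: A named pointer to an image in an image stream. Default is "1.2".
    name: IMAGE_STREAM_TAG
    value: "1.2"
    required: true
  - displayName: Maven repository URL
    description: Fully qualified URL to a Maven repository or service.
    name: MAVEN_REPO_URL
    example: http://nexus.nexus-project.svc.cluster.local:8081/nexus/content/groups/public/
    required: false
  - displayName: Maven repository username
    description: Username to access the Maven repository, if required.
    name: MAVEN_REPO_USERNAME
    required: false
  - displayName: Maven repository password
    description: Password to access the Maven repository, if required.
    name: MAVEN_REPO_PASSWORD
    required: false
  - displayName: Username for the Maven service hosted by Business Central
    description: Username to access the Maven service hosted by Business Central inside EAP.
    name: BUSINESS_CENTRAL_MAVEN_USERNAME
    required: true
    value: mavenUser
  - displayName: Password for the Maven service hosted by Business Central
    description: Password to access the Maven service hosted by Business Central inside EAP.
    name: BUSINESS_CENTRAL_MAVEN_PASSWORD
    from: "[a-zA-Z]{6}[0-9]{1}!"
    generate: expression
    required: true
  - displayName: Business Central Volume Capacity
    description: Size of the persistent storage for Business Central's runtime data.
    name: BUSINESS_CENTRAL_VOLUME_CAPACITY
    value: 1Gi
    required: true
  - displayName: Business Central Container Memory Limit
    description: Business Central Container memory limit
    name: BUSINESS_CENTRAL_MEMORY_LIMIT
    value: 2Gi
    required: false
  # NOTE: the misspelling "EXCECUTION" is part of this parameter's public
  # name; renaming it would break callers that already pass it.
  - displayName: Execution Server Container Memory Limit
    description: Execution Server Container memory limit
    name: EXCECUTION_SERVER_MEMORY_LIMIT
    value: 1Gi
    required: false
  - displayName: RH-SSO URL
    description: RH-SSO URL
    name: SSO_URL
    example: https://rh-sso.example.com/auth
    required: false
  - displayName: RH-SSO Realm name
    description: RH-SSO Realm name
    name: SSO_REALM
    required: false
  - displayName: Business Central RH-SSO Client name
    description: Business Central RH-SSO Client name
    name: BUSINESS_CENTRAL_SSO_CLIENT
    required: false
  - displayName: Business Central RH-SSO Client Secret
    description: Business Central RH-SSO Client Secret
    name: BUSINESS_CENTRAL_SSO_SECRET
    example: "252793ed-7118-4ca8-8dab-5622fa97d892"
    required: false
  - displayName: KIE Server RH-SSO Client name
    description: KIE Server RH-SSO Client name
    name: KIE_SERVER_SSO_CLIENT
    required: false
  - displayName: KIE Server RH-SSO Client Secret
    description: KIE Server RH-SSO Client Secret
    name: KIE_SERVER_SSO_SECRET
    example: "252793ed-7118-4ca8-8dab-5622fa97d892"
    required: false
  - displayName: RH-SSO Realm Admin Username
    description: RH-SSO Realm Admin Username used to create the Client if it doesn't exist
    name: SSO_USERNAME
    required: false
  - displayName: RH-SSO Realm Admin Password
    description: RH-SSO Realm Admin Password used to create the Client
    name: SSO_PASSWORD
    required: false
  # NOTE(review): keep this at "false" outside test clusters. Presumably a
  # true value stops the containers from verifying the RH-SSO server
  # certificate; confirm against the image documentation.
  - displayName: RH-SSO Disable SSL Certificate Validation
    description: RH-SSO Disable SSL Certificate Validation
    name: SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
    value: "false"
    required: false
  - displayName: RH-SSO Principal Attribute
    description: RH-SSO Principal Attribute to use as username.
    name: SSO_PRINCIPAL_ATTRIBUTE
    value: preferred_username
    required: false
  # NOTE(review): the example uses the ldap:// scheme. With an unencrypted
  # directory connection the bind credential below crosses the network in
  # clear text; prefer ldaps:// where the directory offers it.
  - displayName: LDAP Endpoint
    description: LDAP Endpoint to connect for authentication
    name: AUTH_LDAP_URL
    example: "ldap://myldap.example.com"
    required: false
  - displayName: LDAP Bind DN
    description: Bind DN used for authentication
    name: AUTH_LDAP_BIND_DN
    example: "uid=admin,ou=users,ou=exmample,ou=com"
    required: false
  - displayName: LDAP Bind Credentials
    description: LDAP Credentials used for authentication
    name: AUTH_LDAP_BIND_CREDENTIAL
    example: "Password"
    required: false
  - displayName: LDAP JAAS Security Domain
    description: The JMX ObjectName of the JaasSecurityDomain used to decrypt the password.
    name: AUTH_LDAP_JAAS_SECURITY_DOMAIN
    required: false
  - displayName: LDAP Base DN
    description: LDAP Base DN of the top-level context to begin the user search.
    name: AUTH_LDAP_BASE_CTX_DN
    example: "ou=users,ou=example,ou=com"
    required: false
  - displayName: LDAP Base Search filter
    description: LDAP search filter used to locate the context of the user to authenticate. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. A common example for the search filter is (uid={0}).
    name: AUTH_LDAP_BASE_FILTER
    example: "(uid={0})"
    required: false
  - displayName: LDAP Search scope
    description: The search scope to use.
    name: AUTH_LDAP_SEARCH_SCOPE
    example: "SUBTREE_SCOPE"
    required: false
  - displayName: LDAP Search time limit
    description: The timeout in milliseconds for user or role searches.
    name: AUTH_LDAP_SEARCH_TIME_LIMIT
    example: "10000"
    required: false
  - displayName: LDAP DN attribute
    description: The name of the attribute in the user entry that contains the DN of the user. This may be necessary if the DN of the user itself contains special characters, backslash for example, that prevent correct user mapping. If the attribute does not exist, the entry’s DN is used.
    name: AUTH_LDAP_DISTINGUISHED_NAME_ATTRIBUTE
    example: "distinguishedName"
    required: false
  - displayName: LDAP Parse username
    description: A flag indicating if the DN is to be parsed for the username. If set to true, the DN is parsed for the username. If set to false the DN is not parsed for the username. This option is used together with usernameBeginString and usernameEndString.
    name: AUTH_LDAP_PARSE_USERNAME
    example: "true"
    required: false
  - displayName: LDAP Username begin string
    description: Defines the String which is to be removed from the start of the DN to reveal the username. This option is used together with usernameEndString and only taken into account if parseUsername is set to true.
    name: AUTH_LDAP_USERNAME_BEGIN_STRING
    required: false
  - displayName: LDAP Username end string
    description: Defines the String which is to be removed from the end of the DN to reveal the username. This option is used together with usernameEndString and only taken into account if parseUsername is set to true.
    name: AUTH_LDAP_USERNAME_END_STRING
    required: false
  - displayName: LDAP Role attributeID
    description: Name of the attribute containing the user roles.
    name: AUTH_LDAP_ROLE_ATTRIBUTE_ID
    example: memberOf
    required: false
  - displayName: LDAP Roles Search DN
    description: The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.
    name: AUTH_LDAP_ROLES_CTX_DN
    example: "ou=groups,ou=example,ou=com"
    required: false
  - displayName: LDAP Role search filter
    description: A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. The authenticated userDN is substituted into the filter anywhere a {1} is used. An example search filter that matches on the input username is (member={0}). An alternative that matches on the authenticated userDN is (member={1}).
    name: AUTH_LDAP_ROLE_FILTER
    example: "(memberOf={1})"
    required: false
  - displayName: LDAP Role recursion
    description: The number of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.
    name: AUTH_LDAP_ROLE_RECURSION
    example: "1"
    required: false
  - displayName: LDAP Default role
    description: A role included for all authenticated users
    name: AUTH_LDAP_DEFAULT_ROLE
    example: "guest"
    required: false
  - displayName: LDAP Role name attribute ID
    description: Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object’s name attribute.
    name: AUTH_LDAP_ROLE_NAME_ATTRIBUTE_ID
    example: "name"
    required: false
  - displayName: LDAP Role DN contains roleNameAttributeID
    description: A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameAttributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.
    name: AUTH_LDAP_PARSE_ROLE_NAME_FROM_DN
    example: "false"
    required: false
  - displayName: LDAP Role Attribute ID is DN
    description: Whether or not the roleAttributeID contains the fully-qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.
    name: AUTH_LDAP_ROLE_ATTRIBUTE_IS_DN
    example: "false"
    required: false
  - displayName: LDAP Referral user attribute ID
    description: If you are not using referrals, this option can be ignored. When using referrals, this option denotes the attribute name which contains users defined for a certain role, for example member, if the role object is inside the referral. Users are checked against the content of this attribute name. If this option is not set, the check will always fail, so role objects cannot be stored in a referral tree.
    name: AUTH_LDAP_REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK
    required: false
objects:
  # Service account the KIE server pod runs as (see serviceAccountName in
  # the kieserver DeploymentConfig).
  - kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: "${APPLICATION_NAME}-kieserver"
      labels:
        application: "${APPLICATION_NAME}"
  # Binds the KIE server service account to the role named "view".
  - kind: RoleBinding
    apiVersion: v1
    metadata:
      name: "${APPLICATION_NAME}-kieserver-view"
    subjects:
      - kind: ServiceAccount
        name: "${APPLICATION_NAME}-kieserver"
    roleRef:
      name: view
  - kind: Service
    apiVersion: v1
    spec:
      ports:
        - name: http
          port: 8080
          targetPort: 8080
        - name: https
          port: 8443
          targetPort: 8443
        - name: git-ssh
          port: 8001
          targetPort: 8001
      selector:
        deploymentConfig: "${APPLICATION_NAME}-rhpamcentr"
    metadata:
      name: "${APPLICATION_NAME}-rhpamcentr"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-rhpamcentr"
      annotations:
        description: All the Business Central web server's ports.
  - kind: Service
    apiVersion: v1
    spec:
      ports:
        - name: http
          port: 8080
          targetPort: 8080
        - name: https
          port: 8443
          targetPort: 8443
      selector:
        deploymentConfig: "${APPLICATION_NAME}-kieserver"
    metadata:
      name: "${APPLICATION_NAME}-kieserver"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-kieserver"
      annotations:
        description: All the KIE server web server's ports.
  ## Place to add database service
  # NOTE(review): this Route has no tls stanza, so Business Central is also
  # reachable over plain http and credentials sent through it are not
  # encrypted. Prefer the secure-* route below; drop this one where
  # cleartext access is not needed.
  - kind: Route
    apiVersion: v1
    id: "${APPLICATION_NAME}-rhpamcentr-http"
    metadata:
      name: "${APPLICATION_NAME}-rhpamcentr"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-rhpamcentr"
      annotations:
        description: Route for Business Central's http service.
        haproxy.router.openshift.io/timeout: 60s
    spec:
      host: "${BUSINESS_CENTRAL_HOSTNAME_HTTP}"
      to:
        name: "${APPLICATION_NAME}-rhpamcentr"
      port:
        targetPort: http
  # Passthrough termination: TLS is handled by the pod using the keystore
  # mounted from the BUSINESS_CENTRAL_HTTPS_SECRET secret.
  - kind: Route
    apiVersion: v1
    id: "${APPLICATION_NAME}-rhpamcentr-https"
    metadata:
      name: "secure-${APPLICATION_NAME}-rhpamcentr"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-rhpamcentr"
      annotations:
        description: Route for Business Central's https service.
        haproxy.router.openshift.io/timeout: 60s
    spec:
      host: "${BUSINESS_CENTRAL_HOSTNAME_HTTPS}"
      to:
        name: "${APPLICATION_NAME}-rhpamcentr"
      port:
        targetPort: https
      tls:
        termination: passthrough
  # NOTE(review): plain-http Route for the KIE server as well (no tls
  # stanza); the same cleartext concern applies to its REST credentials.
  - kind: Route
    apiVersion: v1
    id: "${APPLICATION_NAME}-kieserver-http"
    metadata:
      name: "${APPLICATION_NAME}-kieserver"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-kieserver"
      annotations:
        description: Route for KIE server's http service.
    spec:
      host: "${EXECUTION_SERVER_HOSTNAME_HTTP}"
      to:
        name: "${APPLICATION_NAME}-kieserver"
      port:
        targetPort: http
  - kind: Route
    apiVersion: v1
    id: "${APPLICATION_NAME}-kieserver-https"
    metadata:
      name: "secure-${APPLICATION_NAME}-kieserver"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-kieserver"
      annotations:
        description: Route for KIE server's https service.
    spec:
      host: "${EXECUTION_SERVER_HOSTNAME_HTTPS}"
      to:
        name: "${APPLICATION_NAME}-kieserver"
      port:
        targetPort: https
      tls:
        termination: passthrough
  # Business Central deployment.
  - kind: DeploymentConfig
    apiVersion: v1
    metadata:
      name: "${APPLICATION_NAME}-rhpamcentr"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-rhpamcentr"
    spec:
      strategy:
        type: Recreate
      triggers:
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - "${APPLICATION_NAME}-rhpamcentr"
            from:
              kind: ImageStreamTag
              namespace: "${IMAGE_STREAM_NAMESPACE}"
              name: "rhpam70-businesscentral-openshift:${IMAGE_STREAM_TAG}"
        - type: ConfigChange
      replicas: 1
      selector:
        deploymentConfig: "${APPLICATION_NAME}-rhpamcentr"
      template:
        metadata:
          name: "${APPLICATION_NAME}-rhpamcentr"
          labels:
            deploymentConfig: "${APPLICATION_NAME}-rhpamcentr"
            application: "${APPLICATION_NAME}"
            service: "${APPLICATION_NAME}-rhpamcentr"
        spec:
          terminationGracePeriodSeconds: 60
          containers:
            - name: "${APPLICATION_NAME}-rhpamcentr"
              image: rhpam70-businesscentral-openshift
              imagePullPolicy: Always
              resources:
                limits:
                  memory: "${BUSINESS_CENTRAL_MEMORY_LIMIT}"
              volumeMounts:
                - name: businesscentral-keystore-volume
                  mountPath: "/etc/businesscentral-secret-volume"
                  readOnly: true
                - name: "${APPLICATION_NAME}-rhpamcentr-pvol"
                  mountPath: "/opt/eap/standalone/data/bpmsuite"
              # The probes read the admin credentials from the container's
              # own KIE_ADMIN_USER / KIE_ADMIN_PWD variables (set in env
              # below) through bare $NAME references. Template processing
              # only substitutes the ${NAME} form, so the password is not
              # pasted into the shell command, where a quote character in
              # it would break or alter the command.
              livenessProbe:
                exec:
                  command:
                    - "/bin/bash"
                    - "-c"
                    - 'curl --fail --silent -u "$KIE_ADMIN_USER:$KIE_ADMIN_PWD" http://localhost:8080/kie-wb.jsp'
                initialDelaySeconds: 180
                timeoutSeconds: 2
                periodSeconds: 15
              readinessProbe:
                exec:
                  command:
                    - "/bin/bash"
                    - "-c"
                    - 'curl --fail --silent -u "$KIE_ADMIN_USER:$KIE_ADMIN_PWD" http://localhost:8080/kie-wb.jsp'
                initialDelaySeconds: 60
                timeoutSeconds: 2
                periodSeconds: 30
                failureThreshold: 6
              ports:
                - name: jolokia
                  containerPort: 8778
                  protocol: TCP
                - name: http
                  containerPort: 8080
                  protocol: TCP
                - name: https
                  containerPort: 8443
                  protocol: TCP
                - name: git-ssh
                  containerPort: 8001
                  protocol: TCP
              # NOTE(review): every credential below (admin, controller,
              # server, Maven, keystore, SSO and LDAP bind passwords) is a
              # literal value in this DeploymentConfig, readable by any
              # subject allowed to get DeploymentConfigs in the project.
              # Consider storing them in a Secret and referencing it with
              # valueFrom.secretKeyRef.
              env:
                - name: KIE_ADMIN_USER
                  value: "${KIE_ADMIN_USER}"
                - name: KIE_ADMIN_PWD
                  value: "${KIE_ADMIN_PWD}"
                - name: KIE_MBEANS
                  value: "${KIE_MBEANS}"
                - name: KIE_SERVER_CONTROLLER_USER
                  value: "${KIE_SERVER_CONTROLLER_USER}"
                - name: KIE_SERVER_CONTROLLER_PWD
                  value: "${KIE_SERVER_CONTROLLER_PWD}"
                - name: KIE_SERVER_USER
                  value: "${KIE_SERVER_USER}"
                - name: KIE_SERVER_PWD
                  value: "${KIE_SERVER_PWD}"
                - name: MAVEN_REPO_URL
                  value: "${MAVEN_REPO_URL}"
                - name: MAVEN_REPO_USERNAME
                  value: "${MAVEN_REPO_USERNAME}"
                - name: MAVEN_REPO_PASSWORD
                  value: "${MAVEN_REPO_PASSWORD}"
                - name: KIE_MAVEN_USER
                  value: "${BUSINESS_CENTRAL_MAVEN_USERNAME}"
                - name: KIE_MAVEN_PWD
                  value: "${BUSINESS_CENTRAL_MAVEN_PASSWORD}"
                - name: HTTPS_KEYSTORE_DIR
                  value: "/etc/businesscentral-secret-volume"
                - name: HTTPS_KEYSTORE
                  value: "${BUSINESS_CENTRAL_HTTPS_KEYSTORE}"
                - name: HTTPS_NAME
                  value: "${BUSINESS_CENTRAL_HTTPS_NAME}"
                - name: HTTPS_PASSWORD
                  value: "${BUSINESS_CENTRAL_HTTPS_PASSWORD}"
                - name: PROBE_IMPL
                  value: probe.eap.jolokia.EapProbe
                - name: PROBE_DISABLE_BOOT_ERRORS_CHECK
                  value: 'true'
                - name: SSO_URL
                  value: "${SSO_URL}"
                - name: SSO_OPENIDCONNECT_DEPLOYMENTS
                  value: "ROOT.war"
                - name: SSO_REALM
                  value: "${SSO_REALM}"
                - name: SSO_SECRET
                  value: "${BUSINESS_CENTRAL_SSO_SECRET}"
                - name: SSO_CLIENT
                  value: "${BUSINESS_CENTRAL_SSO_CLIENT}"
                - name: SSO_USERNAME
                  value: "${SSO_USERNAME}"
                - name: SSO_PASSWORD
                  value: "${SSO_PASSWORD}"
                - name: SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
                  value: "${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}"
                - name: SSO_PRINCIPAL_ATTRIBUTE
                  value: "${SSO_PRINCIPAL_ATTRIBUTE}"
                - name: HOSTNAME_HTTP
                  value: "${BUSINESS_CENTRAL_HOSTNAME_HTTP}"
                - name: HOSTNAME_HTTPS
                  value: "${BUSINESS_CENTRAL_HOSTNAME_HTTPS}"
                - name: AUTH_LDAP_URL
                  value: "${AUTH_LDAP_URL}"
                - name: AUTH_LDAP_BIND_DN
                  value: "${AUTH_LDAP_BIND_DN}"
                - name: AUTH_LDAP_BIND_CREDENTIAL
                  value: "${AUTH_LDAP_BIND_CREDENTIAL}"
                - name: AUTH_LDAP_JAAS_SECURITY_DOMAIN
                  value: "${AUTH_LDAP_JAAS_SECURITY_DOMAIN}"
                - name: AUTH_LDAP_BASE_CTX_DN
                  value: "${AUTH_LDAP_BASE_CTX_DN}"
                - name: AUTH_LDAP_BASE_FILTER
                  value: "${AUTH_LDAP_BASE_FILTER}"
                - name: AUTH_LDAP_SEARCH_SCOPE
                  value: "${AUTH_LDAP_SEARCH_SCOPE}"
                - name: AUTH_LDAP_SEARCH_TIME_LIMIT
                  value: "${AUTH_LDAP_SEARCH_TIME_LIMIT}"
                - name: AUTH_LDAP_DISTINGUISHED_NAME_ATTRIBUTE
                  value: "${AUTH_LDAP_DISTINGUISHED_NAME_ATTRIBUTE}"
                - name: AUTH_LDAP_PARSE_USERNAME
                  value: "${AUTH_LDAP_PARSE_USERNAME}"
                - name: AUTH_LDAP_USERNAME_BEGIN_STRING
                  value: "${AUTH_LDAP_USERNAME_BEGIN_STRING}"
                - name: AUTH_LDAP_USERNAME_END_STRING
                  value: "${AUTH_LDAP_USERNAME_END_STRING}"
                - name: AUTH_LDAP_ROLE_ATTRIBUTE_ID
                  value: "${AUTH_LDAP_ROLE_ATTRIBUTE_ID}"
                - name: AUTH_LDAP_ROLES_CTX_DN
                  value: "${AUTH_LDAP_ROLES_CTX_DN}"
                - name: AUTH_LDAP_ROLE_FILTER
                  value: "${AUTH_LDAP_ROLE_FILTER}"
                - name: AUTH_LDAP_ROLE_RECURSION
                  value: "${AUTH_LDAP_ROLE_RECURSION}"
                - name: AUTH_LDAP_DEFAULT_ROLE
                  value: "${AUTH_LDAP_DEFAULT_ROLE}"
                - name: AUTH_LDAP_ROLE_NAME_ATTRIBUTE_ID
                  value: "${AUTH_LDAP_ROLE_NAME_ATTRIBUTE_ID}"
                - name: AUTH_LDAP_PARSE_ROLE_NAME_FROM_DN
                  value: "${AUTH_LDAP_PARSE_ROLE_NAME_FROM_DN}"
                - name: AUTH_LDAP_ROLE_ATTRIBUTE_IS_DN
                  value: "${AUTH_LDAP_ROLE_ATTRIBUTE_IS_DN}"
                - name: AUTH_LDAP_REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK
                  value: "${AUTH_LDAP_REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK}"
          volumes:
            - name: businesscentral-keystore-volume
              secret:
                secretName: "${BUSINESS_CENTRAL_HTTPS_SECRET}"
            - name: "${APPLICATION_NAME}-rhpamcentr-pvol"
              persistentVolumeClaim:
                claimName: "${APPLICATION_NAME}-rhpamcentr-claim"
  # KIE execution server deployment (H2 database stored on a persistent
  # volume).
  - kind: DeploymentConfig
    apiVersion: v1
    metadata:
      name: "${APPLICATION_NAME}-kieserver"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-kieserver"
    spec:
      strategy:
        type: Recreate
      triggers:
        - type: ImageChange
          imageChangeParams:
            automatic: true
            containerNames:
              - "${APPLICATION_NAME}-kieserver"
            from:
              kind: ImageStreamTag
              namespace: "${IMAGE_STREAM_NAMESPACE}"
              name: "${KIE_SERVER_IMAGE_STREAM_NAME}:${IMAGE_STREAM_TAG}"
        - type: ConfigChange
      replicas: 1
      selector:
        deploymentConfig: "${APPLICATION_NAME}-kieserver"
      template:
        metadata:
          name: "${APPLICATION_NAME}-kieserver"
          labels:
            deploymentConfig: "${APPLICATION_NAME}-kieserver"
            application: "${APPLICATION_NAME}"
            service: "${APPLICATION_NAME}-kieserver"
        spec:
          serviceAccountName: "${APPLICATION_NAME}-kieserver"
          terminationGracePeriodSeconds: 60
          containers:
            - name: "${APPLICATION_NAME}-kieserver"
              image: "${KIE_SERVER_IMAGE_STREAM_NAME}"
              imagePullPolicy: Always
              resources:
                limits:
                  memory: "${EXCECUTION_SERVER_MEMORY_LIMIT}"
              volumeMounts:
                - name: kieserver-keystore-volume
                  mountPath: "/etc/kieserver-secret-volume"
                  readOnly: true
                ## H2 volume mount BEGIN
                - name: "${APPLICATION_NAME}-h2-pvol"
                  mountPath: "/opt/eap/standalone/data"
                ## H2 volume mount END
              # The probes read the admin credentials from the container's
              # own KIE_ADMIN_USER / KIE_ADMIN_PWD variables (set in env
              # below) through bare $NAME references. Template processing
              # only substitutes the ${NAME} form, so the password is not
              # pasted into the shell command, where a quote character in
              # it would break or alter the command.
              livenessProbe:
                exec:
                  command:
                    - "/bin/bash"
                    - "-c"
                    - 'curl --fail --silent -u "$KIE_ADMIN_USER:$KIE_ADMIN_PWD" http://localhost:8080/services/rest/server/healthcheck'
                initialDelaySeconds: 180
                timeoutSeconds: 2
                periodSeconds: 15
                failureThreshold: 3
              readinessProbe:
                exec:
                  command:
                    - "/bin/bash"
                    - "-c"
                    - 'curl --fail --silent -u "$KIE_ADMIN_USER:$KIE_ADMIN_PWD" http://localhost:8080/services/rest/server/readycheck'
                initialDelaySeconds: 60
                timeoutSeconds: 2
                periodSeconds: 30
                failureThreshold: 6
              ports:
                - name: jolokia
                  containerPort: 8778
                  protocol: TCP
                - name: http
                  containerPort: 8080
                  protocol: TCP
                - name: https
                  containerPort: 8443
                  protocol: TCP
              # NOTE(review): as in the Business Central container, every
              # credential below is a literal value in the DeploymentConfig.
              # Consider storing them in a Secret and referencing it with
              # valueFrom.secretKeyRef.
              env:
                - name: DATASOURCES
                  value: "RHPAM"
                - name: RHPAM_DATABASE
                  value: "rhpam7"
                - name: RHPAM_JNDI
                  value: "${KIE_SERVER_PERSISTENCE_DS}"
                - name: RHPAM_JTA
                  value: "true"
                ## H2 driver settings BEGIN
                - name: RHPAM_DRIVER
                  value: "h2"
                - name: RHPAM_USERNAME
                  value: "${KIE_SERVER_H2_USER}"
                - name: RHPAM_PASSWORD
                  value: "${KIE_SERVER_H2_PWD}"
                - name: RHPAM_XA_CONNECTION_PROPERTY_URL
                  value: "jdbc:h2:/opt/eap/standalone/data/rhpam"
                - name: RHPAM_SERVICE_HOST
                  value: "dummy_ignored"
                - name: RHPAM_SERVICE_PORT
                  value: "12345"
                - name: KIE_SERVER_PERSISTENCE_DIALECT
                  value: "org.hibernate.dialect.H2Dialect"
                ## H2 driver settings END
                - name: DROOLS_SERVER_FILTER_CLASSES
                  value: "${DROOLS_SERVER_FILTER_CLASSES}"
                - name: KIE_ADMIN_USER
                  value: "${KIE_ADMIN_USER}"
                - name: KIE_ADMIN_PWD
                  value: "${KIE_ADMIN_PWD}"
                - name: KIE_MBEANS
                  value: "${KIE_MBEANS}"
                - name: KIE_SERVER_BYPASS_AUTH_USER
                  value: "${KIE_SERVER_BYPASS_AUTH_USER}"
                - name: KIE_SERVER_CONTROLLER_USER
                  value: "${KIE_SERVER_CONTROLLER_USER}"
                - name: KIE_SERVER_CONTROLLER_PWD
                  value: "${KIE_SERVER_CONTROLLER_PWD}"
                - name: KIE_SERVER_CONTROLLER_SERVICE
                  value: "${APPLICATION_NAME}-rhpamcentr"
                - name: KIE_SERVER_CONTROLLER_PROTOCOL
                  value: "ws"
                - name: KIE_SERVER_ID
                  value: "${KIE_SERVER_ID}"
                - name: KIE_SERVER_HOST
                  value: "${EXECUTION_SERVER_HOSTNAME_HTTP}"
                - name: EXECUTION_SERVER_ROUTE_NAME
                  value: "${APPLICATION_NAME}-kieserver"
                - name: EXECUTION_SERVER_USE_SECURE_ROUTE_NAME
                  value: "${EXECUTION_SERVER_USE_SECURE_ROUTE_NAME}"
                - name: KIE_SERVER_PERSISTENCE_DS
                  value: "${KIE_SERVER_PERSISTENCE_DS}"
                - name: KIE_SERVER_USER
                  value: "${KIE_SERVER_USER}"
                - name: KIE_SERVER_PWD
                  value: "${KIE_SERVER_PWD}"
                - name: MAVEN_REPOS
                  value: "RHPAMCENTR,EXTERNAL"
                - name: RHPAMCENTR_MAVEN_REPO_SERVICE
                  value: "${APPLICATION_NAME}-rhpamcentr"
                - name: RHPAMCENTR_MAVEN_REPO_PATH
                  value: "/maven2/"
                - name: RHPAMCENTR_MAVEN_REPO_USERNAME
                  value: "${BUSINESS_CENTRAL_MAVEN_USERNAME}"
                - name: RHPAMCENTR_MAVEN_REPO_PASSWORD
                  value: "${BUSINESS_CENTRAL_MAVEN_PASSWORD}"
                - name: EXTERNAL_MAVEN_REPO_URL
                  value: "${MAVEN_REPO_URL}"
                - name: EXTERNAL_MAVEN_REPO_USERNAME
                  value: "${MAVEN_REPO_USERNAME}"
                - name: EXTERNAL_MAVEN_REPO_PASSWORD
                  value: "${MAVEN_REPO_PASSWORD}"
                - name: HTTPS_KEYSTORE_DIR
                  value: "/etc/kieserver-secret-volume"
                - name: HTTPS_KEYSTORE
                  value: "${KIE_SERVER_HTTPS_KEYSTORE}"
                - name: HTTPS_NAME
                  value: "${KIE_SERVER_HTTPS_NAME}"
                - name: HTTPS_PASSWORD
                  value: "${KIE_SERVER_HTTPS_PASSWORD}"
                - name: SSO_URL
                  value: "${SSO_URL}"
                - name: SSO_OPENIDCONNECT_DEPLOYMENTS
                  value: "ROOT.war"
                - name: SSO_REALM
                  value: "${SSO_REALM}"
                - name: SSO_SECRET
                  value: "${KIE_SERVER_SSO_SECRET}"
                - name: SSO_CLIENT
                  value: "${KIE_SERVER_SSO_CLIENT}"
                - name: SSO_USERNAME
                  value: "${SSO_USERNAME}"
                - name: SSO_PASSWORD
                  value: "${SSO_PASSWORD}"
                - name: SSO_DISABLE_SSL_CERTIFICATE_VALIDATION
                  value: "${SSO_DISABLE_SSL_CERTIFICATE_VALIDATION}"
                - name: SSO_PRINCIPAL_ATTRIBUTE
                  value: "${SSO_PRINCIPAL_ATTRIBUTE}"
                - name: HOSTNAME_HTTP
                  value: "${EXECUTION_SERVER_HOSTNAME_HTTP}"
                - name: HOSTNAME_HTTPS
                  value: "${EXECUTION_SERVER_HOSTNAME_HTTPS}"
                - name: AUTH_LDAP_URL
                  value: "${AUTH_LDAP_URL}"
                - name: AUTH_LDAP_BIND_DN
                  value: "${AUTH_LDAP_BIND_DN}"
                - name: AUTH_LDAP_BIND_CREDENTIAL
                  value: "${AUTH_LDAP_BIND_CREDENTIAL}"
                - name: AUTH_LDAP_JAAS_SECURITY_DOMAIN
                  value: "${AUTH_LDAP_JAAS_SECURITY_DOMAIN}"
                - name: AUTH_LDAP_BASE_CTX_DN
                  value: "${AUTH_LDAP_BASE_CTX_DN}"
                - name: AUTH_LDAP_BASE_FILTER
                  value: "${AUTH_LDAP_BASE_FILTER}"
                - name: AUTH_LDAP_SEARCH_SCOPE
                  value: "${AUTH_LDAP_SEARCH_SCOPE}"
                - name: AUTH_LDAP_SEARCH_TIME_LIMIT
                  value: "${AUTH_LDAP_SEARCH_TIME_LIMIT}"
                - name: AUTH_LDAP_DISTINGUISHED_NAME_ATTRIBUTE
                  value: "${AUTH_LDAP_DISTINGUISHED_NAME_ATTRIBUTE}"
                - name: AUTH_LDAP_PARSE_USERNAME
                  value: "${AUTH_LDAP_PARSE_USERNAME}"
                - name: AUTH_LDAP_USERNAME_BEGIN_STRING
                  value: "${AUTH_LDAP_USERNAME_BEGIN_STRING}"
                - name: AUTH_LDAP_USERNAME_END_STRING
                  value: "${AUTH_LDAP_USERNAME_END_STRING}"
                - name: AUTH_LDAP_ROLE_ATTRIBUTE_ID
                  value: "${AUTH_LDAP_ROLE_ATTRIBUTE_ID}"
                - name: AUTH_LDAP_ROLES_CTX_DN
                  value: "${AUTH_LDAP_ROLES_CTX_DN}"
                - name: AUTH_LDAP_ROLE_FILTER
                  value: "${AUTH_LDAP_ROLE_FILTER}"
                - name: AUTH_LDAP_ROLE_RECURSION
                  value: "${AUTH_LDAP_ROLE_RECURSION}"
                - name: AUTH_LDAP_DEFAULT_ROLE
                  value: "${AUTH_LDAP_DEFAULT_ROLE}"
                - name: AUTH_LDAP_ROLE_NAME_ATTRIBUTE_ID
                  value: "${AUTH_LDAP_ROLE_NAME_ATTRIBUTE_ID}"
                - name: AUTH_LDAP_PARSE_ROLE_NAME_FROM_DN
                  value: "${AUTH_LDAP_PARSE_ROLE_NAME_FROM_DN}"
                - name: AUTH_LDAP_ROLE_ATTRIBUTE_IS_DN
                  value: "${AUTH_LDAP_ROLE_ATTRIBUTE_IS_DN}"
                - name: AUTH_LDAP_REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK
                  value: "${AUTH_LDAP_REFERRAL_USER_ATTRIBUTE_ID_TO_CHECK}"
          volumes:
            - name: kieserver-keystore-volume
              secret:
                secretName: "${KIE_SERVER_HTTPS_SECRET}"
            ## H2 volume settings BEGIN
            - name: "${APPLICATION_NAME}-h2-pvol"
              persistentVolumeClaim:
                claimName: "${APPLICATION_NAME}-h2-claim"
            ## H2 volume settings END
  ## Place to add database deployment config
  # Persistent storage for Business Central's runtime data.
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "${APPLICATION_NAME}-rhpamcentr-claim"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-rhpamcentr"
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: "${BUSINESS_CENTRAL_VOLUME_CAPACITY}"
  ## H2 persistent volume claim BEGIN
  - apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: "${APPLICATION_NAME}-h2-claim"
      labels:
        application: "${APPLICATION_NAME}"
        service: "${APPLICATION_NAME}-kieserver"
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: "${DB_VOLUME_CAPACITY}"
  ## H2 persistent volume claim END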