microservices-api
diff --git a/‎README.md
Lines changed: 134 additions & 34 deletions b/‎README.md
Lines changed: 134 additions & 34 deletions
diff --git a/‎lab-artifacts/operator/application/application-cr.yaml
Lines changed: 40 additions & 0 deletions b/‎lab-artifacts/operator/application/application-cr.yaml
Lines changed: 40 additions & 0 deletions
diff --git a/‎lab-artifacts/operator/open-liberty-operator/deploy/ibm-open-liberty-scc.yaml
Lines changed: 41 additions & 0 deletions b/‎lab-artifacts/operator/open-liberty-operator/deploy/ibm-open-liberty-scc.yaml
Lines changed: 41 additions & 0 deletions
diff --git a/‎lab-artifacts/operator/open-liberty-operator/deploy/operator.yaml
Lines changed: 47 additions & 0 deletions b/‎lab-artifacts/operator/open-liberty-operator/deploy/operator.yaml
Lines changed: 47 additions & 0 deletions
@@ -1,66 +1,68 @@
 
 ![Overview](images/diagram_general.png)
 
-# MicroProfile Lab with Open Liberty and Minikube
+# MicroProfile Lab with Open Liberty and OKD
 
-This lab illustrates steps to deploy a MicroProfile application, running in a Open Liberty Docker container into [Minikube](https://kubernetes.io/docs/setup/minikube/)
+This lab illustrates steps to deploy a MicroProfile application, running in a Open Liberty Docker container into [OKD](https://www.okd.io) using Open Liberty Operator.
 
 If you find an issue with the lab instruction you can [report it](https://github.com/microservices-api/kubernetes-microprofile-lab/issues) or better yet, [submit a PR](https://github.com/microservices-api/kubernetes-microprofile-lab/pulls).
 
-For questions/comments about Liberty's Docker container or Helm charts please email [Arthur De Magalhaes](mailto:arthurdm@ca.ibm.com).
+For questions/comments about Open Liberty Docker container or Open Liberty Operator please email [Arthur De Magalhaes](mailto:arthurdm@ca.ibm.com).
 
 # Before you begin
 
 You'll need a few different artifacts to this lab.  Check if you have these installed by running:
 
-```
+```bash
 git --help
 mvn --help
 java -help
 docker --help
 kubectl --help
-helm --help
-minikube --help
+oc --help
 ```
 
-If any of these is not installed:
+If any of these are not installed:
 
 * Install [Git client](https://git-scm.com/download/mac)
 * Install [Maven](https://maven.apache.org/download.cgi)
 * Install [Docker engine](https://docs.docker.com/engine/installation/)
 * Install [Java 8](https://java.com/en/download/)
-* Install [kubectl](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.0/manage_cluster/cfc_cli.html)
-* Install [helm](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.0/app_center/create_helm_cli.html)
-* Install [minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/)
+* Install [kubectl](https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz)
+* Install [oc](https://github.com/openshift/origin/releases/download/v3.11.0/openshift-origin-client-tools-v3.11.0-0cbc58b-linux-64bit.tar.gz)
+
+## What is OKD?
+
+From [okd.io](https://www.okd.io):
+>OKD is a distribution of Kubernetes optimized for continuous application development and multi-tenant deployment. OKD adds developer and operations-centric tools on top of Kubernetes to enable rapid application development, easy deployment and scaling, and long-term lifecycle maintenance for small and large teams. OKD is the upstream Kubernetes distribution embedded in Red Hat OpenShift. OKD embeds Kubernetes and extends it with security and other integrated concepts. OKD is also referred to as Origin in github and in the documentation. An OKD release corresponds to the Kubernetes distribution - for example, OKD 1.10 includes Kubernetes 1.10. If you are looking for enterprise-level support, or information on partner certification, Red Hat also offers Red Hat OpenShift Container Platform.
+
+## What are Operators?
 
+From [Red Hat](https://www.redhat.com/en/blog/introducing-operator-framework-building-apps-kubernetes):
+> An Operator is a method of packaging, deploying and managing a Kubernetes application. A Kubernetes application is an application that is both deployed on Kubernetes and managed using the Kubernetes APIs and kubectl tooling. To be able to make the most of Kubernetes, you need a set of cohesive APIs to extend in order to service and manage your applications that run on Kubernetes. You can think of Operators as the runtime that manages this type of application on Kubernetes.
 
-# Deploying a MicroProfile application in a Minikube cluster
+# Deploying a MicroProfile application in an OKD cluster
 
-This lab will walk you through the deployment of our sample MicroProfile Application into a Minikube cluster, which is built on the open source Kubernetes framework. You'll build a MicroProfile application and package it inside a Open Liberty Docker container. You will then utilize a Helm chart that deploys the Liberty container to Minikube, with the appropriate service setup, while also deploying and configuring a CouchDB Helm chart that stands up the database that holds the data for this microservice.
+This lab will walk you through the deployment of our sample MicroProfile Application into an OKD cluster. You'll build a MicroProfile application and package it inside a Open Liberty Docker container. You will then utilize an operator that deploys an Open Liberty container to OKD, with the appropriate service setup, while also deploying and configuring a CouchDB operator that stands up the a database that holds data for this microservice.
 
 ## Setting up the cluster
 
-1. Download and setup minikube
-1. Start minikube by running `minikube start`
-1. Enable ingress with the command `minikube addons enable ingress`.  
-1. Set the Docker CLI to target the minikube Docker engine by running `eval $(minikube docker-env)`
-1. Set up helm and tiller by running `helm init`
-1. Wait until the following command indicates that the tiller-deploy deployment is available: `kubectl get deployment tiller-deploy --namespace kube-system`   (Note: This could take a few minutes)
+To install OKD on RHEL or CentOS, follow instructions describe [here](https://github.com/gshipley/installcentos#installation). Ensure SELinux is set to _permissive_.
 
 ## Part 1A: Build the application and Docker container
 
 ### Vote Microservice
 
-The vote microservice stores feedback from the sessions and displays how well all sessions were liked in a pie chart.  If the vote service is configured (via server.xml) to connect to a CouchDB database, the votes will be persisted. Otherwise, the vote data will simply be stored in-memory. This sample application is one of the MicroProfile [showcase](https://github.com/eclipse/microprofile-conference/tree/master/microservice-vote) applications.
+The vote microservice stores feedback from the sessions and displays how well all sessions were liked in a pie chart.  If the vote service is configured (via `server.xml`) to connect to a CouchDB database, the votes will be persisted. Otherwise, the vote data will simply be stored in-memory. This sample application is one of the MicroProfile [showcase](https://github.com/eclipse/microprofile-conference/tree/master/microservice-vote) applications.
 
 You can clone the lab artifacts and explore the application:
 
-1. Clone the project into your machine. This is already done on the laptop provided for you in this workshop, so you can skip this step. The cloned folder is under the Home directory (shortcut is on the desktop).
-    ```bash
+1. Clone the project into your machine.
+    ```console
     git clone https://github.com/microservices-api/kubernetes-microprofile-lab.git
     ```
 1. Navigate into the sample application directory:
-    ```bash
+    ```console
     cd kubernetes-microprofile-lab/lab-artifacts/application
     ```
 1. See if you can find where technologies described below are used in the application.
@@ -91,7 +93,7 @@ You can clone the lab artifacts and explore the application:
 
 ### Dockerizing Vote Microservice
 
-By now you should have a general understanding about the application. Now you will see how you can package the sample application into a Docker container by using a Dockerfile that contains instructions on how the image is built.
+By now you should have a general understanding about the application. Now, you will see how you can package the sample application into a Docker container by using a Dockerfile that contains instructions on how the image is built.
 
 In this lab we demonstrate a best-practice pattern which separates the concerns between the enterprise architect and the developer.  We first build a Docker image that will act as our `enterprise base image`, which in a company would be the shared curated image that all developers must start from - this allows for consistent and compliance across the enterprise.  We then build the developer's Docker image, which starts from the enterprise base image and adds only the application and related configuration.
 
@@ -105,6 +107,10 @@ The following steps will build the sample application and create a Docker image
     ```bash
     mvn clean package
     ```
+1. Navigate into the `lab-artifacts` directory
+    ```bash
+    cd ..
+    ```
 1. Build and tag the Enterprise Docker image:
     ```bash
     cd ..
@@ -114,13 +120,38 @@ The following steps will build the sample application and create a Docker image
     ```bash
     docker build -t microservice-vote:1.0.0  -f ApplicationDockerfile .
     ```
-1. You can use the Docker CLI to verify that your image is built.  Remember that this is querying Minikube's internal Docker registry.
+1. You can use the Docker CLI to verify that your image is built.
     ```bash
     docker images
     ```
 
+## Part 1B: Upload the Docker image to OKD's internal registry
 
-## Part 2: Deploy Liberty and CouchDB Helm charts
+We will use OKD's internal Docker registry to host our image.
+
+1. Ensure your `oc` client is logged into OKD. Replace `<USERNAME>`, `<PASSWORD>` and `<CLUSTER_IP>` with appropriate values:
+    ```bash
+    oc login --username=<USERNAME> --password=<PASSWORD> https://console.<CLUSTER_IP>.nip.io:8443
+    ```
+1. Create a new project in OKD which will host our application:
+    ```bash
+    oc new-project myproject
+    ```
+1. Log into the Docker registry:
+    ```bash
+    docker login -u $(oc whoami) -p $(oc whoami -t) docker-registry-default.apps.<CLUSTER_IP>.nip.io
+    ```
+1. Tag the Docker image:
+    ```bash
+    docker tag microservice-vote:1.0.0 docker-registry-default.apps.<CLUSTER_IP>.nip.io/microservice-vote:1.0.0
+    ```
+1. Now that you're logged in the registry, you can `docker push` your tagged image (`microservice-vote`) into the ICP Docker registry:
+    ```bash
+    docker push docker-registry-default.apps.<CLUSTER_IP>.nip.io/microservice-vote:1.0.0
+    ```
+1. Your image is now available in the Docker registry in OKD. You can verify this through the OKD's Registry Dashboard at `https://registry-console-default.apps.<CLUSTER_IP>.nip.io/registry`.
+
+## Part 2: Deploy Liberty and CouchDB Operators
 
 In this part of the lab you will use the Helm command line tool to install a Helm chart.
 
@@ -129,26 +160,95 @@ First, let's see what are **Helm charts**. Helm is a package manager for Kuberne
 Now let's deploy our workload using Helm charts.
 
 ### Deploy CouchDB
+
+In this section we will deploy CouchDB Helm chart. OKD does not come with tiller. So we need to install tiller first.
+
+1. Create a project for Tiller
+    ```bash
+    oc new-project tiller
+    ```
+    If you already have `tiller` project, switch to the project:
+    ```bash
+    oc project tiller
+    ```
+1. Download Helm CLI and install the Helm client locally:
+
+    Linux:
+    ```bash
+    curl -s https://storage.googleapis.com/kubernetes-helm/helm-v2.14.1-linux-amd64.tar.gz | tar xz
+    cd linux-amd64
+    ```
+    OSX:
+    ```bash
+    curl -s https://storage.googleapis.com/kubernetes-helm/ lm-v2.14.1-darwin-amd64.tar.gz | tar xz
+    cd darwin-amd64
+    ```
+
+    Now configure the Helm client locally:
+    ```bash
+    sudo mv helm /usr/local/bin
+    sudo chmod a+x /usr/local/bin/helm
+    ./helm init --client-only
+    ```
+1. Install the Tiller server:
+    ```bash
+    oc process -f https://github.com/openshift/origin/raw/master/examples/helm/tiller-template.yaml -p TILLER_NAMESPACE="tiller" -p HELM_VERSION=v2.14.1 | oc create -f -
+    oc rollout status deployment tiller
+    ```
+1. If things go well, the following commands should run successfully:
+    ```bash
+    helm version
+    ```
+
+Now that the Helm is configured locally and on OKD, you can deploy CouchDB Helm chart.
+1. Navigate to `lab-artifacts/helm/database`:
+    ```bash
+    cd lab-artifacts/helm/database
+    ```
 1. Deploy the CouchDB Helm chart:
     ```bash
-    cd helm/database
     helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/
     helm install incubator/couchdb -f db_values.yaml --name couchdb 
     ```
     Ensure the CouchDB pod is up and running by executing `kubectl get pods` command. Your output will look similar to the following:
      ```bash
-    NAME                                        READY   STATUS    RESTARTS   AGE
-    couchdb-couchdb-0                           2/2     Running   0          3m
+    NAME                            READY   STATUS    RESTARTS   AGE
+    couchdb-couchdb-0               2/2     Running   0          3m
     ```
-    
+
     You need to wait until the value under `READY` column becomes `2/2`. Re-run the `kubectl get pods` command if necessary.
 
-### Deploy Liberty    
-1. Deploy the microservice using the Open Liberty Helm chart:
+### Deploy Liberty
+
+#### Install Open Liberty artifacts
+
+1. Navigate to Open Liberty Operator artifact directory:
+    ```bash
+    cd lab-artifacts/operator/open-liberty-operator
+    ```
+1. Install Open Liberty Operator artifacts:
+    ```bash
+    kubectl apply -f olm/open-liberty-crd.yaml
+    kubectl apply -f deploy/service_account.yaml
+    kubectl apply -f deploy/role.yaml
+    kubectl apply -f deploy/role_binding.yaml
+    kubectl apply -f deploy/operator.yaml
+    ```
+1. Creating a custom Security Context Constraints (SCC). SCC controls the actions that a pod can perform and what it has the ability to access.
+    ```bash
+    kubectl apply -f deploy/ibm-open-liberty-scc.yaml --validate=false
+    ```
+1. Grant the default namespace's service account access to the newly created SCC, `ibm-open-liberty-scc`. Update `<namespace>` with the appropriate namespace:
+    ```bash
+    oc adm policy add-scc-to-group ibm-open-liberty-scc system:serviceaccounts:<namespace>
+    ```
+
+#### Deploy application
+
+1. Deploy the microservice application using the provided CR:
     ```bash
     cd ../application
-    helm repo add ibm-charts https://raw.githubusercontent.com/IBM/charts/master/repo/stable/
-    helm install ibm-charts/ibm-open-liberty -f app_overrides.yaml -f enterprise_overrides.yaml
+    kubectl apply -f application-cr.yaml
     ```
 1. You can view the status of your deployment by running `kubectl get deployments`.  If the deployment is not coming up after a few minutes one way to debug what happened is to query the pods with `kubectl get pods` and then fetch the logs of the Liberty pod with `kubectl logs <pod>`.
 1. Use `kubectl get ing | awk 'FNR == 2 {print $3;}'` to determine the address of the application. Note: If the previous command is printing out a port, such as `80`, please wait a few more minutes for the `URL` to be available.  
@@ -222,7 +322,7 @@ The steps below would guide you how to enable persistence for your database:
     You need to wait until the couchdb and Liberty pods become ready. The old pods may be terminating while the new ones start up.
 
     For Liberty, you will now see 2 pods, since we increased the number of replicas.
-1. Refresh the page. You may need to add the security exception again. If you get `Failed to load API defintion` message then try refreshing again. 
+1. Refresh the page. You may need to add the security exception again. If you get `Failed to load API definition` message then try refreshing again.
 1. Now add a new attendee through the OpenAPI UI as before.
 1. Now repeat Steps 1-5 in this section to see that even though you delete the couchdb database container, data still gets recovered from the PersistentVolume.
 
 
@@ -0,0 +1,40 @@
+apiVersion: openliberty.io/v1alpha1
+kind: OpenLiberty
+metadata:
+  name: operator-demo-openliberty
+spec:
+  image:
+    # repository: quay.io/arthurdm/microservice-vote
+    repository: microservice-vote
+    tag: 1.0.0
+    pullPolicy: IfNotPresent
+    license: ""
+    extraEnvs:
+    - name: "dbUrl"
+      value: "http://couchdb-svc-couchdb:5984"
+    - name: dbUsername
+      valueFrom:
+        secretKeyRef:
+          name: couchdb-couchdb
+          key: adminUsername
+    - name: dbPassword
+      valueFrom:
+        secretKeyRef:
+          name: couchdb-couchdb
+          key: adminPassword
+  ingress:
+    enabled: true
+    rewriteTarget: "/"
+    path: "/"
+  microprofile:
+    health:
+      enabled: true
+  pod:
+    labels:
+      application: conference
+  monitoring:
+    enabled: true
+  arch:
+    amd64: "3 - Most preferred"
+    ppc64le: "0 - Do not use"
+    s390x: "0 - Do not use"
@@ -0,0 +1,41 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+  name: ibm-open-liberty-scc
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities: []
+allowedFlexVolumes: []
+defaultAddCapabilities: []
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - max: 65535
+    min: 1
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsNonRoot
+seccompProfiles:
+- docker/default
+seLinuxContext:
+  type: RunAsAny
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - max: 65535
+    min: 1
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+priority: 0
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: open-liberty-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: open-liberty-operator
+  template:
+    metadata:
+      labels:
+        name: open-liberty-operator
+    spec:
+      serviceAccountName: open-liberty-operator
+      containers:
+        - name: open-liberty-operator
+          image: openliberty/operator:0.0.1
+          imagePullPolicy: Always
+          env:
+            - name: WATCH_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: "open-liberty-operator"
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 3
+            preference:
+              matchExpressions:
+              - key: beta.kubernetes.io/arch
+                operator: In
+                values:
+                - amd64