Skip to content

Latest commit

 

History

History
198 lines (145 loc) · 18.3 KB

howto-integrate-all.md

File metadata and controls

198 lines (145 loc) · 18.3 KB
Raw

Integrate your Liberty application with different Azure services

In this guide, you will integrate your Liberty application with different Azure services, including security, data persistence & distributed logging. The Liberty application is running on an Azure Red Hat OpenShift (ARO) 4 cluster. You learn how to:

[!div class="checklist"]

  • Set up different services
  • Prepare your application
  • Prepare application image
  • Deploy sample application

Before you begin

In previous guides, a Java application, which is running inside Open Liberty/WebSphere Liberty runtime, is deployed to an ARO 4 cluster. If you have not done these guides, walk them through with the following links and return here to continue.

Set up different services

When you complete all of previous guides, different services used for this guide have already set up. Let's recap them one by one.

  1. Set up Azure Red Hat OpenShift cluster.
  2. Create an Azure Database for PostgreSQL Flexible server.
  3. Set up an OpenID Connect provider with Microsoft Entra ID.
  4. Deploy cluster logging.

Prepare your application

The application <path-to-repo>/2-simple used in the previous basic guide hasn't enabled security, data persistence or distributed logging. To make it integrate with different services, a number of files need to be updated or created:

File Name Source Path Destination Path Operation Description
server.xml <path-to-repo>/2-simple/src/main/liberty/config/server.xml <path-to-repo>/4-finish/src/main/liberty/config/server.xml Updated Add socialLogin-1.0, transportSecurity-1.0, appSecurity-5.0, jwt-1.0, mpJwt-2.1, mpConfig-3.1, persistence-3.1 features and their configurations.
web.xml <path-to-repo>/2-simple/src/main/webapp/WEB-INF/web.xml <path-to-repo>/4-finish/src/main/webapp/WEB-INF/web.xml Updated Add security-role and security-constraint for accessing web resources of the application.
CafeJwtUtil.java <path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java New The utility class for retrieving ID token issued from Microsoft Entra ID, and providing an API to determine if the logged-on user is in the configured admin group of Microsoft Entra ID.
CafeRequestFilter.java <path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeRequestFilter.java New A client request filter for adding JWT token in HTTP Authorization Header for outbound requests.
Cafe.java <path-to-repo>/2-simple/src/mainjava/cafe/web/view/Cafe.java <path-to-repo>/4-finish/src/main/java/cafe/web/view/Cafe.java Updated Register CafeRequestFilter for intercepting internal REST calls, add new APIs to get principal name of logged-on user and flag indicating whether the logged-on user can delete existing coffees or not.
CafeResource.java <path-to-repo>/2-simple/src/main/java/cafe/web/rest/CafeResource.java <path-to-repo>/4-finish/src/main/java/cafe/web/rest/CafeResource.java Updated Inject JsonWebToken to verify the groups claim of the token for RBAC.
Coffee.java <path-to-repo>/2-simple/src/main/java/cafe/model/entity/Coffee.java <path-to-repo>/4-finish/src/main/java/cafe/model/entity/Coffee.java Updated Annotate POJO Coffee with jakarta.persistence.Entity annotation to make it a JPA Entity.
CafeRepository.java <path-to-repo>/2-simple/src/main/java/cafe/model/CafeRepository.java <path-to-repo>/4-finish/src/main/java/cafe/model/CafeRepository.java Updated Changed to be a Stateless Bean, CafeRepository implements create, read, update, and delete coffees using jakarta.persistence.EntityManager and jakarta.persistence.PersistenceContext APIs.
persistence.xml <path-to-repo>/4-finish/src/main/resources/META-INF/persistence.xml New A new configuration file to configure data persistence schema.
messages.properties <path-to-repo>/2-simple/src/main/resources/cafe/web/messages.properties <path-to-repo>/4-finish/src/main/resources/cafe/web/messages.properties Updated Parameterize display name using the name of the logged-on user.
messages_es.properties <path-to-repo>/2-simple/src/main/resources/cafe/web/messages_es.properties <path-to-repo>/4-finish/src/main/resources/cafe/web/messages_es.properties Updated Parameterize display name using the name of the logged-on user.
index.xhtml <path-to-repo>/2-simple/src/main/webapp/index.xhtml <path-to-repo>/4-finish/src/main/webapp/index.xhtml Updated Display principal name of the logged-on user. Disable coffee delete button if the logged-on user is not authorized.
pom.xml <path-to-repo>/2-simple/pom.xml <path-to-repo>/4-finish/pom.xml Updated Add new properties and dependencies for Social Login and database connection, and add new dependency for Eclipse MicroProfile and postgresql JDBC driver.

For reference, these changes have already been applied in <path-to-repo>/4-finish of your local clone.

Execute the following commands to build application package:

cd <path-to-repo>/4-finish
mvn clean package

Prepare application image

To build the application image, Dockerfile needs to be prepared in advance:

File Name Source Path Destination Path Operation Description
Dockerfile <path-to-repo>/2-simple/Dockerfile <path-to-repo>/4-finish/Dockerfile Updated Add JDBC driver into application image, which is based on Open Liberty base image.
Dockerfile-wlp <path-to-repo>/2-simple/Dockerfile-wlp <path-to-repo>/4-finish/Dockerfile-wlp Updated Add JDBC driver into application image, which is based on WebSphere Liberty base image.

Follow steps below to build the application image and push it to the built-in container image registry.

  1. Make sure you have already signed in to the OpenShift CLI using the kubeadmin credentials. If not, follow Connect using the OpenShift CLI to sign using oc login command.

  2. Run the following commands to build and push the image to the container registry of your Azure Red Hat OpenShift 4 cluster:

    # Change directory to "<path-to-repo>/4-finish"
cd <path-to-repo>/4-finish

# If you are building with the Open Liberty base image, the existing Dockerfile is ready for you

# If you are building with the WebSphere Liberty base image, uncomment and execute the following two commands to rename Dockerfile-wlp to Dockerfile
# mv Dockerfile Dockerfile.backup
# mv Dockerfile-wlp Dockerfile

# Change project to open-liberty-demo you created before
oc project open-liberty-demo

# Create an image stream
oc create imagestream javaee-cafe-all-in-one

# Create a build configuration that specifies the image stream tag of the build output
oc new-build --name javaee-cafe-all-in-one-config --binary --strategy docker --to javaee-cafe-all-in-one:1.0.0

# Start the build to upload local contents, containerize, and output to the image stream tag specified before
oc start-build javaee-cafe-all-in-one-config --from-dir . --follow

Deploy sample application

To integrate the application with Microsoft Entra ID OpenID Connect and Azure Database for PostgreSQL flexible server on the ARO 4 cluster, a number of Kubernetes resource YAML files need to be updated or created.

File Name Source Path Destination Path Operation Description
aad-oidc-secret.yaml <path-to-repo>/4-finish/aad-oidc-secret.yaml New A Kubernetes Secret resource with user input data, including client.id, client.secret, tenant.id, and admin.group.id.
tls-crt-secret.yaml <path-to-repo>/4-finish/tls-crt-secret.yaml New A Kubernetes Secret resource with user input data, including ca.crt, destCA.crt, tls.crt, and tls.key.
db-secret.yaml <path-to-repo>/4-finish/db-secret.yaml New A Kubernetes Secret resource with PostgreSQL database connection data, including db.server.name, db.port.number, db.name, db.user, and db.password.
openlibertyapplication.yaml <path-to-repo>/2-simple/openlibertyapplication.yaml <path-to-repo>/4-finish/openlibertyapplication.yaml Updated Add environment variables whose values are from Secret aad-oidc-secret and db-secret-postgres. Specify existing certificate for Route and Service of OpenLibertyApplication custom resource.

For reference, these changes have already been applied in <path-to-repo>/4-finish of your local clone.

Now you can deploy the sample Liberty application to the ARO 4 cluster with the following steps.

  1. Make sure you have already signed in to the OpenShift CLI using the kubeadmin credentials. If not, follow Connect using the OpenShift CLI to sign using oc login command.

  2. Run the following commands to deploy the application.

    # Change directory to "<path-to-repo>/4-finish"
cd <path-to-repo>/4-finish

# Change project to "open-liberty-demo"
oc project open-liberty-demo

# Create environment variables which will be passed to secret "aad-oidc-secret"
# Note: replace "<client ID>", "<client secret>", "<tenant ID>", and "<group ID>" with the ones you noted down before
export CLIENT_ID=<client ID>
export CLIENT_SECRET=<client secret>
export TENANT_ID=<tenant ID>
export ADMIN_GROUP_ID=<group ID>

# Create secret "aad-oidc-secret"
envsubst < aad-oidc-secret.yaml | oc apply -f -

# Create TLS private key and certificate, which is also used as CA certificate for testing purpose
openssl req -x509 -subj "/C=US/ST=majguo/L=OpenLiberty/O=demo/CN=www.example.com" -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

# Create environment variables which will be passed to secret "tls-crt-secret"
export CA_CRT=$(cat tls.crt | base64 -w 0)
export DEST_CA_CRT=$(cat tls.crt | base64 -w 0)
export TLS_CRT=$(cat tls.crt | base64 -w 0)
export TLS_KEY=$(cat tls.key | base64 -w 0)

# Create secret "tls-crt-secret"
envsubst < tls-crt-secret.yaml | oc apply -f -

# Create environment variables which will be passed to secret "db-secret-postgres"
# Note: replace "<PostgreSQL server name>", "<DB name>", "<DB admin>", and "<DB admin password>" with the ones you noted down before
export DB_SERVER_NAME=<PostgreSQL server name>.postgres.database.azure.com
export DB_PORT_NUMBER=5432
export DB_NAME=<DB name>
export DB_USER=<DB admin>
export DB_PASSWORD=<DB admin password>

# Create Secret "db-secret-postgres"
envsubst < db-secret.yaml | oc apply -f -

# Create OpenLibertyApplication "javaee-cafe-all-in-one"
oc create -f openlibertyapplication.yaml

# Check if OpenLibertyApplication instance is created
oc get openlibertyapplication javaee-cafe-all-in-one

# Check if deployment created by Operator is ready
oc get deployment javaee-cafe-all-in-one

# Get host of the route
HOST=$(oc get route javaee-cafe-all-in-one --template='{{ .spec.host }}')
echo "Route Host: https://$HOST"

Once the Liberty Application is up and running, copy the value of Route Host from console output.

  1. Open your Microsoft Entra ID > App registrations > your registered application > Authentication > Select Add URI in Redirect URIs section > Replace <Route_Host> with the value of Route Host for <Route_Host>/ibm/api/social-login/redirect/liberty-aad-oidc-javaeecafe, and fill it into the text box > Select Save.

  2. Open Route Host in the InPrivate window of Microsoft Edge, verify the application is secured by Microsoft Entra ID OpenID Connect and connected to Azure Database for PostgreSQL flexible server.

    1. Sign in as a user, who doesn't belong to the admin group you created before.
    2. Update your password if necessary. Accept permission requested if necessary.
    3. You will see the email address of your AAD account displayed in the application home page, where the coffee Delete button is disabled.
    4. Create new coffees.
    5. Close the InPrivate window > open a new InPrivate window > sign in as another user, who does belong to the admin group you created before.
    6. Update your password if necessary. Accept permission requested if necessary.
    7. You will see the email address of your AAD account displayed in the application home page, where the coffee Delete button is enabled now.
    8. Create new coffees. Delete existing coffees.

The application logs are shipped to the Elasticsearch cluster, and can be visualized in the Kibana web console. Follow steps in Visualize your application logs in Kibana (EFK) to access the Kibana web console to visualize the application logs.

Next steps

In this guide, you learned how to:

[!div class="checklist"]

  • Set up different services
  • Prepare your application
  • Prepare application image
  • Deploy sample application

To free OpenShift resources created for these guides:

To delete the ARO 4 cluster, follow "Tutorial: Delete an Azure Red Hat OpenShift 4 cluster".