The next meeting of the German speaking OpenShift community will take place on September 30, 2019 in Frankfurt. So block your calendar! Looking forward to see you there!
More information on Call for Papers & registrations options can be found here
Registration os now open for the next edition of OpenShift Users meeting at the Accenture Campus Kronberg on 17th October!
This time we have something special for you: it will be the first meeting with users from Germany, Austria and Switzerland for up to 200 participants. And we’re happy to host Reza Shafii (former VP of products at CoreOS) as one of our keynote speakers.
More information & registration can be found here: https://www.openshift-anwender.de/2018/09/04/jetzt-anmelden-zum-7-openshift-anwendertreffen-am-17-oktober/
At this year’s Red Hat Summit there have been some great sessions on containers and OpenShift. All session materials and source have already been published on GitHub: https://github.com/RedHatOfficial/rhsummitlabs-2018.
Here are the best sessions for OpenShift users:
Have fun!
Sebastian
This quick tip describes how to use your custom built docker images on OpenShift Online (Red Hat’s SaaS based container platform).
Login to OpenShift Online at https://manage.openshift.com/ and create a new project (for the sake of this demo I use “my-external-project” as the name for it).
Click of the question mark (upper right corner) and select “Command Line Tools”.
Then copy your access token into your clipboard according to the instructions shown.
Now login to the OpenShift Online Docker registry using the following command:
docker login -u YOUR_OPENSHIFT_ONLINE_USER -p YOUR_ACCESS_TOKEN https://registry.CLUSTER_ID.openshift.com:443
e.g.
docker login -u sfaulhab@redhat.com -p SECRET_TOKEN https://registry.rh-us-east-1.openshift.com:443
If the connection can be established you should receive a “Login succeeded” message.
In this demo I will be using a the basic “hello-world” image provided by Docker. Firstly you will need to find out the image id:
docker images
Now we tag the image with a new repository id:
docker tag IMAGE_ID registry.CLUSTER_ID.openshift.com:443/PROJECT_NAME/hello-world
e.g.
docker tag f2a91732366c registry.rh-us-east-1.openshift.com:443/my-external-project/hello-world
Now you should see the newly tagged image in your local registry:
Now we can directly push the image to the OpenShift Online registry (since we’ve authenticated before):
docker push registry.rh-us-east-1.openshift.com:443/my-external-project/hello-world
In the background OpenShift Online will import the image into its internal registry and will furthermore create an according image stream for it.
The resulting image stream can then be used to create a new deployment from that image. Click “Add to Project” and then “Deploy image”:
Have fun bringing your own Docker based applications onto OpenShift Online!
Cheers,
Sebastian
Start your CDK environment with registration (important as yum get’s used during addon installation)
export MINISHIFT_ENABLE_EXPERIMENTAL=y minishift start --service-catalog
Clone the addon repository and install Ansible Service Broker addon:
git clone https://github.com/minishift/minishift-addons.git cd minishift-addons/add-ons/ minishift addon install ansible-service-broker minishift addon apply ansible-service-broker
When logging in to your CDK console you should already see the preinstalled APB’s:
Configure your shell to use the minishift Docker daemon
eval $(minishift docker-env)
Fetch the APB command line script and make it available in your PATH
wget https://raw.githubusercontent.com/ansibleplaybookbundle/ansible-playbook-bundle/master/scripts/apb-docker-run.sh && mv apb-docker-run.sh apb && chmod +x apb
Verify that your installation works
apb --help
If everything went well you should see something like this:
You will need special permissions to work with the broker on your CDK installation. Therefore we need to execute the following:
oc login -u system:admin oc adm policy add-cluster-role-to-user cluster-admin developer oc login -u developer
Now let’s see if we can list the preinstalled APB’s:
apb list
In the default config of our Ansible Service Broker the APB’s are pulled from “https://registry.hub.docker.com/”. We need to change this to our local registry running within CDK.
registry:
- type: local_openshift
name: lo
namespaces:
- openshift
white_list:
- ".*-apb$"
The Ansible Service Broker pod now needs to be restarted in order to pull in the new configuration.
Firstly we use the CLI to scaffold our new service:
apb init sample-service-apb cd sample-service-apb
Now we locally build our APB. After the process has completed, the newly build APB docker image should appear in your local docker registry:
apb build
Finally we need to push the Docker image to our Service Broker inside CDK:
apb push
Now you should be able to see your first APB in your CDK’s service catalog.
Ansible Playbook Documentation
Getting started with APB development
I am an active long time user of Eclipse and Red Hat’s distribution called JBoss Developer Studio (https://developers.redhat.com/products/devstudio/overview/). The tool suite has a very nice feature called Eclipse Secure Storage, which allows me to save development related passwords (Github, OpenShift, etc.) in a secure manner on my local system. However, in the last couple of months I regularly had problems with Eclipse Secure Storage feature not allowing me to use/save any passwords. Even reinstalling and deleting user specific preferences in my home folder did not work. If you google for this type of problem you’ll find a number of users reporting similar issues, but neither a resolution nor a proper workaround.
Today I managed to fix my problem on Mac OS as follows:
A lot of customers would like to give the brave new container world (based on Docker technology) a try with real life workload. The WordPress content management system (yes, it has become more than a simple blog) seems to be an application that many customers know and use (and that I’ve been asked for numerous times). From a technical point of view the WordPress use case is rather simple, since we only need a PHP runtime and a database such as MySQL. Therefore it is a perfect candidate to pilot container aspects on OpenShift Container Platform.
I highly recommend to install the freely available Red Hat Container Development Kit (shortly CDK). It will give you a ready to use installation of OpenShift Container Platform based on a Vagrant image. So you’re up to speed in absolutely no time:
Please follow the installation instructions here: https://developers.redhat.com/products/cdk/get-started/
Spin up your CDK environment and ssh into the system:
vagrant up vagrant ssh
Create a new project and import the template for an ephemeral MySQL (since this is not included in the CDK V2.3 distribution by default). If you prefer to use another database or even one with persistent storage, then you can find additional templates here.
oc new-project wordpress oc create -f https://raw.githubusercontent.com/openshift/openshift-ansible/master/roles/openshift_examples/files/examples/v1.3/db-templates/mysql-ephemeral-template.json
Now we create one pod for our MySQL database and create our WordPress application based on the source code. OpenShift will automatically determine that it is based on PHP and will therefore choose the PHP builder image to create a Docker image from our WordPress source code.
oc new-app mysql-ephemeral oc new-app https://github.com/wordpress/wordpress oc expose service wordpress
Now let’s login to the OpenShift management console and see what has happened:
We now have a pod that runs our WordPress application (web server, PHP, source code) and one pod running our ready to use ephemeral (= non-persistent) MySQL database.
Before we need to note down the connection settings for our MySQL database. Firstly we look up the cluster IP of our mysql service; secondly we look up the database name, username & password. Have a look at the following screenshots:
Now it is time to setup and configure wordpress. Simply click on the route that has been created for your wordpress pod (in my case the hostname is “http://wordpress-wordpress.rhel-cdk.10.1.2.2.xip.io/wp-admin/setup-config.php”).
Congratulations for installing WordPress on OpenShift!
For now we’ve created all the resources manually in a not yet reusable fashion. Therefore one of the next steps could be to create a template from our resources, import it into the OpenShift namespace and make it available for our users as a service catalog item. So our users could provision a fully installed WordPress with the click of a button.
Many business processes in Germany involve paper (or better TONS OF PAPER!) and surely many manual steps: think of opening a bank account or registering a car at your local “Zulassungsstelle”. In my opinion one of the main reasons for that is that the identity of a user cannot be properly verified online. You could now argue that things like video identification or Deutsche Post PostIdent came up to address this problem. However this only solves part of the problem, since the signature still needs to be done manually.
In Germany the so called nPA (neuer Personalausweis) is able to solve this problem by providing a qualified signature. So you will be able to digitally sign contracts online. Therein lays the potential to completely transform tons of paper-based processes. And huge amounts of time and money could be saved as well!
The nPA has two main functions “Identification with Online-Ausweisfunktion” and “Electronic Signature”, which allow to implement many exciting use cases. These range from simple verifications (like age check, address validation) to login mechanisms for websites (the nPA can be considered as a single-sign-on system in this context). Moreover the nPA also allows to apply a qualified digital signature to documents, which is equal to a genuine signature (according to German law).
Since its launch in 2010 a couple of federal institutes and enterprises have made their services ready for the nPA:
A complete list of applications can be found here: http://www.personalausweisportal.de/DE/Buergerinnen-und-Buerger/Anwendungen/Anwendungen_node.html. However, from my perception the adoption still leaves a lot of room for improvement.
There is extensive documentation available which describes the technical architecture behind the eID system (personally I recommend the information from BSI found here: https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03130/tr-03130.html). That it why I do not want to go into the nitty gritty details.
However, to give you a rough understanding have a look at the following illustration, which looks similar to what is available in token based authentication systems (think of SAML and/or OpenID Connect concepts). There is something like a service provider (“WebServer”) who wants to protect a service; then an authority that is able to validate the identity (“eID-Server”); and a login component (“AusweisApp”) that allows the end user to enter login information like a PIN. Last but not least the user must have a card reader connected to his local system, which talks to the login component (“AusweisApp”).
It is important to understand that the login component (“AusweisApp”) is implemented as a standalone application, which must run on the user’s computer (and of course be installed beforehand). For 2017 it is planned to release mobile versions of the app (see Google Play Store) in order to use a mobile device as a card reader. In my opinion this will help to reduce the overall complexity from an end user’s perspective.
When looking at the system from a service provider’s point of view (e.g. I am an online shop provider who wants to enable users to login with their nPA), you have to consider a lot of things. Since their is neither a public instance of the “eID-Server” nor source code available, you have two options: create your own implementation based on the BSI spec or buy the service from a provider. Additionally you will have to think of how to integrate the token into your application: since there is no “reference implementation” of the “eID-Server” spec there is little to no documentation available. Overall the process feels rather complex and intransparent to me.
A detailed description of the application process can be found here: “Become Service Provider”.
The opportunity behind the German eID system is really huge and could speed up lots of processes and make all of our lives easier. But in my opinion there are a lot of things hindering the adoption and success of the system:
My final thoughts: the adoption cannot be forced by laws. Instead, I think that the eID system should be developed in a more transparent and community based manner. Moreover the integration by service providers should be as easy as putting a social login on my personal website.
„Man sollte auf Standards setzen und nicht für jede Applikation ein Silo aufbauen“
Looking forward to kick-off a discussion with you! 🙂
Cheers,
Sebastian
A lot has happened in the area of mobile since Apple kicked off the revolution by announcing the first iPhone. However, the overall mobile market still has to be considered as young and especially unstandardized. This really puts a lot of organizations in front of huge challenges concerning the efficient development of mobile applications and the secure integration into backend IT systems.
But there is no way around mobile in the next years! The smart combination of mobile techniques (MBaaS, micro services, etc.) and business process management approaches will definitely drive process efficiency and speed to a whole new level.
This showcase addresses a scenario that almost all enterprises in the insurance industry are facing: nowadays users expect to be able to contact their insurance 24/7 on an ad-hoc basis (e.g. for opening a claim or just for asking a question concerning their policy). Additionally they want to see on demand what the status of a certain request is. From an enterprise point of view insurances are looking at new ways on reacting to this new speed of communication and transparency. They’re also thinking of new concepts to efficiently integrate agencies and remote workers in their existing processes. They key consequence to address these requirements is to enhance existing input & output management infrastructure by a newly established mobile channel.
In this showcase we used Red Hat Mobile Application Platform (https://www.redhat.com/en/technologies/mobile/application-platform) as a key building block to efficiently and securely connect the outside world with existing enterprise systems.
Through the platform approach we do not need to reinvent the wheel for each mobile app on the horizon. Instead we put in place a centralized platform for developing and running mobile application in a standardized manner.
The use of Red Hat Mobile Application Platform (RHMAP) comes with the following benefits:
From a technical point of view the showcase is comprised of three main building blocks:
Since we have two different user groups (external end customer and employees) we’ve decided to develop two separate applications:
Employee App: This app targets remote workers (such as insurance agencies e.g.) who shall work on our processes from remote. We’ve decided to go for the same hybrid app approach in order to share code and speed up development. However, for such an end user group where we might influence the use of certain device types (such as Apple iPhone) we could have also thought about a native app (RHMAP provides an SDK for all popular mobile OS; so we could also reuse existing backend functionality in our cloud layer).
The source code of both applications is hosted on RHMAP which allows us to make use of the built-in build farm (allowing us to create push button builds for iOS, Android et al), configure and also preview the application.
The cloud part of an application built with RHMAP is comprised of a so called “Cloud Code App” providing the core functionality for our clients and a set of reusable MBaaS services that enable the connectivity to 3rd party (backend) systems. The following illustration shows an overview of all components created for our showcase:
For our showcase we’ve implemented a single Node.js based app called Cloud App which accepts all incoming requests from our client layer. RHMAP provides a feature rich development framework (including custom Node.js convenience modules) making the creation of cloud code apps easy and efficient. Through the use of Node.js as our programming language we get all the benefits of its evented and asynchronous model, that works extremely well with our use case of a data intense realtime application (DIRT paradigm).
An MBaaS (Mobile Backend-as-a-Service) is the primary point of contact for end user applications – both mobile and web. The MBaaS hosts Node.js applications – as REST API servers and/or Express.js based web apps. The primary purpose of the MBaaS is to allow users (developers) of RHMAP to deploy Node.js server-side for their mobile apps. The MBaaS also provides functionality such as caching, persistence, data synchronization and a range of other mobile-centric functionality. Multiple MBaaS may be utilized for customer segregation and/or lifecycle management (environments).
For this showcase we’ve developed a new MBaaS connector called fh-connector-jbpm-cloud, which is meant to be reused across multiple applications hosted on RHMAP. For the use in our project we’ve instantiated it and configured the environment variables to connect to our specific JBoss BPM Suite in the backend layer.
Function wise the MBaaS connector currently provides the following functionality:
We make use of the RHMAP built-in mobile push API which provides a generic way to interface with multiple push networks (Google Cloud Messaging, Apple Push Notification Service and Microsoft Push Notification Service) via REST or Node.js. This makes it very convenient to send out push notifications from 3rd party application (such as JBoss BPM Suite as demonstrated in our showcase).
More information on the push API can be found here http://docs.feedhenry.com/v3/product_features/push_notifications.html
This layer is comprised of a large set of different backend systems that typically run inside the datacenter of an organization; such as application servers, databases, messaging systems or ESB-like services. For the sake of this showcase we’ve chosen JBoss BPM Suite ((https://www.redhat.com/en/technologies/jboss-middleware/bpm)) as the only system in here. The BPM Suite provides a full blown authoring and runtime environment for business process applications focused on the use of open standards (such as BPMN 2.0). The included BPM engine also exposes a rich REST API that is used extensively by our MBaaS connector fh-connector-jbpm-cloud to start new process instances, control the process flow etc.
The core business process for our scenario is implemented as a simple BPMN 2.0 workflow that is being deployed in form of our Java based Request Processing Application.
After being instantiated the process firstly sends out a push notification to the requesting customer by simply calling the RHMAP push API. Secondly a human task called Process request is used to create a new work item in the work basket of our employees. Through our Employee App mobile application we empower remote employees to directly work on the request.
In addition to that the work items can be claimed via a traditional web-based application named Business Central, that is provided as part of JBoss BPM Suite.
Based on the decision the process completes with an according push notification to inform the customer.
More information on how to develop process applications can be found in the JBoss BPM Suite Development Guide.
TBD
The source code can be found here:
Special thanks to Sebastian Dehn (sdehn@redhat.com) for implementing large parts of the client layer.