This is the fourth post of this series focusing on Verrazzano, a hybrid multi cloud Kubernetes-based Enterprise Container Platform for running both cloud-native and traditional applications.
You can check the previous blog posts in the links below:
- How to Install and Create a Verrazzano Cluster – In this blog post we saw how to install Verrazzano locally so you can have your own development environment on your computer.
- Deploying your first application to Verrazzano – In this blog post we saw how to create a Helidon Microservice and deploy it to Verrazzano.
- Lifting a Java EE application to Verrazzano – In this blog post we saw how to take an existing application running on Weblogic and deploy it to Verrazzano.
In this blog post, you will see how to move your cloud-native application composed of a traditional Java EE service running on Weblogic that accesses a microservice made using Helidon, and stores its data in a MySQL database. In the previous posts we saw how to run all of these parts in a local Verrazzano installation. Today, this workload will be moved to a Verrazzano installation on OCI – Oracle Cloud Infrastructure.
Because of the nature of Cloud-Native applications, a single application can be composed of dozens, or even hundreds of microservices. Of course, when running your workload in the Cloud, the developer is allowed to develop and test the complete application without the hardware limit of a single local computer. Furthermore, you can also invite more people to test your application no matter where they are located. These are some reasons why it is important to learn how to move your local workload to the Cloud with OCI.
Creating a Kubernetes Cluster on OKE
If you don’t have access to OCI, don’t worry. You can start NOW with the Oracle Cloud Free Tier.
If you already have access to OCI, just log in to your tenant and go to OKE (Oracle Kubernetes Engine) using the menu path “Developer Services -> Kubernetes Clusters (OKE).
Before creating your cluster, you might want to adjust your preferred compartment. When ready, just click on the “Create Cluster” button, select “Quick Create” and hit the “Launch Workflow” button.
For SHAPE, an OKE cluster with 3 nodes of VM.Standard2.4 OCI compute instance shape has proven sufficient to install Verrazzano and deploy our example application.
After the cluster has been created, hit the “Access Cluster” button and choose a way to access the cluster using the “kubectl” command. Note that you might need to install and setup OCI CLI to complete this step.
Creating a Repository in the OCI Container registry
Another step that is required is the creation of two repositories in the OCI Container registry. The first one will be used to store the Helidon application container image, and the second one will be used to store the Weblogic application container image.
So let’s go to the Container Registry following the menu “Developer Services -> Container Registry”. Hit the “Create Repository” button, choose your comportment and give the name “helidon” for the first one. Repeat the process, and create another repository called “weblogic“. Both repositories will be “Private” as we don’t want other people pulling the images of the application that you’ve created.
Because the repository is private, we need an “Auth Token” so we can access these repositories using this token. To create an “Auth Token” follow these steps:
- In the top-right corner of the Console, open the Profile menu (at the top right corner) and then click User Settings to view the details.
- On the Auth Tokens page, click Generate Token.
- Enter a friendly description for the auth token. Avoid entering confidential information.
- Click Generate Token. The new auth token is displayed.
- Copy the auth token immediately to a secure location from where you can retrieve it later, because you won’t see the auth token again in the Console.
- Close the Generate Token dialog.
Installing Verrazzano on OKE.
Considering that your “kubectl” command is properly configured to access the OKE Cluster that you have created, installing Verrazzano on OKE is as simple as the four steps below:
- Install the Verrazzano Operator:
kubectl apply -f https://github.com/verrazzano/verrazzano/releases/download/v1.1.1/operator.yaml
- Wait for the Verrazzano Operator deployment to complete.
kubectl -n verrazzano-install rollout status deployment/verrazzano-platform-operator
- Install Verrazzano
kubectl apply -f - <<EOF
apiVersion: install.verrazzano.io/v1alpha1
kind: Verrazzano
metadata:
name: example-verrazzano
spec:
profile: ${VZ_PROFILE:-dev}
EOF
- Wait for the deployment
kubectl wait \
--timeout=20m \
--for=condition=InstallComplete verrazzano/example-verrazzano
Now that Verrazzano is installed, let’s move to pushing the weblogic and helidon images to OCI.
Pushing the container images to OCI
In the previous blog posts we created two container images for each part of this application:
- Deploying your first application to Verrazzano – Section: Deploying a Component to Verrazzano – Shows how to create a Container image of a Helidon application.
- Lifting a Java EE application to Verrazzano – Section: Creating a container image – Shows how to create a Container image of an existing Weblogic domain.
If you started from this blog post, I highly recommend that you read these two blog posts above and create the container images and the OAM Verrazzano files to deploy Helidon, Weblogic and MySQL to Verrazzano.
If you already have the images locally, let’s move forward and push those images to OCI. But before doing so, remember that our OCI container registries are private, thus we need to authenticate against the OCI registry using the command below:
docker login https://<region-code>.ocir.io
You can find all “region-codes” here: Availability by Region
When prompted for a username, enter your username in the format <tenancy-namespace>/<username>, where <tenancy-namespace> is the auto-generated Object Storage namespace string of your tenancy (as shown on the Tenancy Information page). For example, ansh81vru1zp/jdoe@acme.com. If your tenancy is federated with Oracle Identity Cloud Service, use the format <tenancy-namespace>/oracleidentitycloudservice/<username>.
When prompted for a password, enter the auth token you copied earlier.
Now, we need to tag both (Helidon and Weblogic) local images that were previously built to use the following format: <region-key>.ocir.io/<tenancy-namespace>/<repo-name>:<tag>
Let’s tag the images and push them to the OCI Container Registry. Remember to replace <region-code> and <tenancy-namespace>
docker tag myrepo/myuser/helidon:1.0 <region-key>.ocir.io/<tenancy-namespace>/helidon:1.0
docker tag myrepo/myuser/weblogic:1.0 <region-key>.ocir.io/<tenancy-namespace>:1.0
docker push <region-key>.ocir.io/<tenancy-namespace>/helidon:1.0
docker push <region-key>.ocir.io/<tenancy-namespace>/weblogic:1.0
Preparing OCI for the Application.
The first thing that we need to do is to create a Kubernetes namespace to receive all of our resources. Let’s do it by executing the following commands:
kubectl create namespace demo-application
kubectl label namespace demo-application verrazzano-managed=true istio-injection=enabled
Now, just like we did previously with “docker login” to allow our local container engine to push images to OCI Container Registry, the second thing that we need to do before deploying the application to OCI is create a Kubernetes Secret that will be used to pull the images from OCI Container Registry. The same secret will be used by the Helidon and Weblogic yaml files.
To create the Kubernetes secret, execute the following command. Remember to replace <region-key>, <your-email>, <tenancy-namespace>, <username>, and <auth-token>.
kubectl create secret docker-registry ocir --namespace demo-application --docker-server=<region-key>.ocir.io --docker-email <your-email> --docker-username=<tenancy-namespace>/<username> --docker-password="<auth-token>"
Preparing the Helidon application
Now we need to do two modifications in the component.yaml file (created in the “Deploying your first application to Verrazzano” blog post) of the Helidon application. Alternatively you can use the file from the Github repository.
The modifications are: (Remember to update <region-key> and <tenancy-namespace>)
- Change the image to <region-key>.ocir.io/<tenancy-namespace>/helidon:1.0
- Add the ImagePullSecret named ocir that we have just created.
The modified component.yaml file should look like this:
apiVersion: core.oam.dev/v1alpha2
kind: Component
metadata:
name: hello-helidon-component
spec:
workload:
apiVersion: oam.verrazzano.io/v1alpha1
kind: VerrazzanoHelidonWorkload
metadata:
name: hello-helidon-workload
labels:
app: hello-helidon
spec:
deploymentTemplate:
metadata:
name: hello-helidon-deployment
podSpec:
containers:
- name: hello-helidon-container
image: "<region-key>.ocir.io/<tenancy-namespace>/helidon:1.0"
ports:
- containerPort: 8080
name: http
imagePullSecrets:
- name: ocir
Let’s now deploy this file, and the existing application-config.yaml to Kubernetes:
kubectl apply -n demo-application -f component.yaml
kubectl apply -n demo-application -f application-config.yaml
Execute the following command to make sure that your pod with the Helidon application is runnnig:
kubectl get pods -n demo-application
Preparing the Weblogic application
Because we don’t need any modifications in the MySQL OAM file, let’s first deploy it. Tip: We can even use the remote mysql-oam.yaml file that is already stored at Github:
kubectl apply -n demo-application -f https://raw.githubusercontent.com/rafabene/verrazzano-demo/main/weblogic-app/mysql-oam.yaml
Now, if you followed the instructions of the “Lifting a Java EE application to Verrazzano” blog post, you should have a folder called verrazzano_files with the following content:
- create_k8s_secrets.sh – A helper script with kubectl commands to apply the Kubernetes secrets needed for this domain like datasource credentials.
- vz-application.yaml – Verrazzano application configuration and component file
- vz_variable.properties – A set of properties extracted from the WDT domain model that contains the datasource information.
- wdt-archive.zip – The WDT archive file containing the application WAR file
- wdt-model.yaml – The WDT model of the WebLogic Server domain
If you don’t have the folder, you can use the example from the Github repository.
Because passwords inside Weblogic are strongly stored and cannot be discovered in any way, we should provide those credentials in the file verrazzano_files/create_k8s_secrets.sh. You can choose your favorite text editor, and look for the lines that run create_paired_k8s_secret, and update the credentials of weblogic and the jdbc-greetingsdb.
Save the file and execute it:
./create_k8s_secrets.sh
Now edit the vz-application.yaml file and make sure that the ImagePullSecrets is “ocir”, and the image is <region-key>.ocir.io/<tenancy-namespace>/helidon:1.0 (Remember to update <region-key> and <tenancy-namespace>).
And now we can deploy it using the command:
kubectl -n demo-application apply -f vz-application.yaml
This will trigger the Weblogic operator to set up our Weblogic image (with our pre-configured “demodomain”) in Kubernetes, and also deploy the MySQL components (Deployment, Service, and ConfigMap) from mysql-oam.yaml file.
Before accessing the application, make sure it’s ready by running the command:
kubectl wait -n demo-application pod \
-l job-name=demodomain-introspector \
--timeout=20m \
--for=delete && \
kubectl -n demo-application wait \
pod/demodomain-adminserver \
--timeout=20m \
--for=condition=Ready
Allowing Weblogic to access the Helidon application
Because Verrazzano provides a high level of security enabled by default, the Weblogic application won’t be able to reach the Helidon application endpoint. If you try to do it, the endpoint will reply with a 403 (forbidden) error and a message “RBAC: Permission denied”.
To allow the Helidon application to receive requests from the Weblogic application, we need to modify Helidon’s Authorization Policy to add the Security Account of Weblogic as a Principal. To modify the Authorization Policy of Helidon’s application, run the following command:
kubectl patch -n demo-application authorizationpolicy hello-helidon-appconf --type=json --patch '[{"op":"add", "path":"/spec/rules/0/from/0/source/principals/-", "value":"cluster.local/ns/demo-application/sa/demodomain-appconf"}]'
Access the application on Verrazzano
With the application deployed. We can use the command below to get the Host where the Weblogic application is running:
kubectl get gateway -n demo-application \
demo-application-demodomain-appconf-gw \
-o jsonpath='{.spec.servers[0].hosts[0]}'
It should reply with something like demodomain-appconf.demo-application.A.B.C.D.nip.io. In this case, open HTTPS://demodomain-appconf.demo-application.A.B.C.D.nip.io/weblogic-app/
Your browser will complain about ERR_CERT_INVALID as described in the Verrazzano FAQ. In this case, just type “thisisunsafe” in the screen and you should be able to access the application.
Try it, and make sure that the application is communicating with MySQL and the Helidon microservice.
Conclusion
In this blog post we saw how to move your application from a local Verrazzano installation to OCI. Moving your application to OCI makes it easy to have an environment that can scale enough to fit your Cloud-Native application no matter the size. You can also have multiple Kubernetes clusters for different environments (dev, test, production, etc), distribute your application easily across different regions and availability domains, store and distribute your container images using the OCI container registry, and many other uncountable advantages that only the Cloud environment can provide.
Check out more details about Verrazzano on its webpage: https://verrazzano.io and https://www.oracle.com/java/verrazzano/ . At the Verrazzano’s Youtube channel, you will see a Verrazzano tour video and much more. News about this project is shared on Verrazzano’s Twitter profile. Verrazzano is a fast paced evolving open source project. You can follow, and also contribute to this awesome project on the Github project page.