Contribute in GitHub:

Defining and deploying a DBB server container

See Installing the DBB Operator (CASE) bundle to install the DBB Operator and DBB Custom Resource Definition (CRD) into a Red Hat® OpenShift Container Platform (OCP) cluster. This document also shows how to install a DBB server for a trial or POC. For production environments, it is recommended that you configure the container to run with IBM Db2®.

This document goes through the CRD to customize a DBB server setup in OCP.

Configuring DBB server

For running a POC or trial, the basic configuration provides all that you need for a quick setup and start. For running a production server, you need to configure both the User Registry and an instance of Db2. The following Custom Resource (CR) defines a default configuration for a POC or trial.

apiVersion: dbb.ibm.com/v1
kind: DBBServer
metadata:
  name: <name>
  namespace: <namespace>
spec:
  license:
    accept: true
  useLocalDerby: true
  derbyPVClaimSpec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 20Gi
    storageClassName: dbb-derby
  logsPVClaimSpec:
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: 10Gi
    storageClassName: dbb-logs

This CR sets the required license acceptance to true (license is found in the CASE bundle). It also indicates that it is using a Derby database and defines persistent volume claims for the Derby database and log files. These claims use a default storage class. So, the OCP administrators must have defined a default storage class.

If you are installing for the first time, continue with the configuration steps below. If you are upgrading from a previous release, review and follow the instructions in Migrating a Dependency Based Build container.

Custom resource fields

This section describes how to use each element in the DBB server CR.

Kind and Version

As with most definitions, the DBB CR starts with ApiVersion (currently dbb.ibm.com/v1) and Kind (DBBServer).

kind (required)
Represents the resource type of this object. Always DBBServer.
apiVersion (required)
Defines the version of the schema used for processing this resource. Always dbb.ibm.com/v1.

Metadata

The resource metadata includes the name and namespace fields. Other metadata fields might be used or added by OCP but are not required when a DBB server instance is created. See metav1.ObjectMeta.

name (required)
Name of this instance of the DBB server. The name is used as a prefix as the operator creates other resources within the OCP cluster.
namespace (required)
Namespace where the artifacts will be created. If the name and namespace are identical to a previously submitted DBBServer, the existing objects will be updated with the configuration rather than creating a new instance.

Spec

The spec section of the CR is where most of the configuration can be customized for your DBB server.

license (required)
As mentioned before, the license/accept are required for the operator to process the CR. The license is found in the CASE bundle.
```
license:
  accept: true
```
useLocalDerby (required)
Indicates that this deployment of the DBB server will use Derby for its database.
```
useLocalDerby: true
```

dbbProperties (optional)
A multi-line string that will overlay the default dbb.properties file in the server configuration.

dbbProperties: |
  #com.ibm.dbb.web.admin defines the user with administrator-role privileges used to obtain LDAP group information via SCIM
  com.ibm.dbb.web.admin=ADMIN
  #com.ibm.dbb.web.admin.password defines the admin password used to obtain LDAP group information via SCIM. Use the Liberty securityUtility to obfuscate the password.
  com.ibm.dbb.web.admin.password={xor}HhsSFhE=

bootstrapProperties (optional)
A multi-line string that will overlay the default bootstrap.properties file in the server configuration.

boostrapProperties: |
  com.ibm.ws.logging.trace.file.name=dbb.log
  com.ibm.ws.logging.trace.specification=*.info:com.ibm.dbb.*=debug

jvmOptions (optional)
A multi-line string that will overlay the default jvm.options file in the server configuration.
keystoreConfig (optional)
A multi-line string that will override the default keystore information in the server configuration. It can be customized to setup a signed certificate for the server. This information is stored in /config/configDropins/overrides/keystore.xml when the container starts.
```
keystoreConfig: |
  <server>
    <keyStore id="defaultKeyStore" location="/dbb/dbbdev.p12" password="{xor}Oz09azkqMQ==" type="PKCS12"/>
  </server>
```

databaseConfig (optional)
A multi-line string that will override the default Derby database configuration. It is recommended for a production environment. This information is stored in /config/configDropins/overrides/databaseConfig.xml when the container starts.

databaseConfig: |
  <server>
    <featureManager>
      <feature>jdbc-4.1</feature>
    </featureManager>

    <jdbcDriver id="db2JDBCdriver">
      <library name="DB2Lib">
        <fileset dir="${shared.resource.dir}/db2" includes="*.jar"/>
      </library>
    </jdbcDriver>
    <dataSource id="dbbConnection" jdbcDriverRef="db2JDBCdriver" jndiName="jdbc/dbbConnection" transactional="false">
      <properties.db2.jcc databaseName="DBB" password="{xor}OzovHT4sOjsdKjYzO2sZKjFx" portNumber="50000" serverName="dbbdev.rtp.raleigh.ibm.com" user="db2inst1"/>
    </dataSource>
  </server>

userRegistryConfig (optional)
A multi-line string that will override the default basic user registry. It is recommended for a production environment. This information is stored in /config/configDropins/overrides/userRegistryConfig.xml when the container starts.

userRegistryConfig: |
  <server>
    <featureManager>
      <feature>appSecurity-2.0</feature>
      <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <ldapRegistry
      id="ldap" realm="DBB" ignoreCase="true"
      host="dbbdev.rtp.raleigh.ibm.com" port="389"
      baseDN="o=ibm"
      ldapType="Custom">  
      <customFilters
        userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
        groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
        userIdMap="*:uid"
        groupIdMap="*:cn"
        groupMemberIdMap="groupOfNames:member">
      </customFilters>
      <attributeConfiguration>
		      <attribute name="userIdMap" propertyName="name" syntax="String" entityType="PersonAccount"></attribute>
		         <externalIdAttribute name="userIdMap" entityType="PersonAccount" autoGenerate="false"></externalIdAttribute>
	        </attributeConfiguration>
    </ldapRegistry>
  </server>

replicas (optional)
The number of servers to run with this configuration (default: 1). It will allow loaded balancing among multiple servers.
```
replicas: 1
```
env (optional)
Allows you to add additional DBBEnvVar variables to the server configuration. Such variables can be used, for example, as environment variables, or reference configMap fields as environment variables or files, for use in the server configuration. For more detail, see DBBEnvVar.
```
env:
- name: name1
  value: abc
- name: name2
  value: value2
  path: value.txt
```
derbyPVClaimSpec (optional)
The files that are written or modified while running a container are not retained when the container is stopped and restarted. Persistent storage is required to retain database updates. This property overrides the default persistent volume claim for a Derby database. See corev1.PersistentVolumeClaimSpec for more detail about this property.
```
derbyPVClaimSpec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 20Gi
  storageClassName: dbb-derby
```
logsPVClaimSpec (optional)
The files that are written or modified while running a container are not retained when the container is stopped and restarted. Persistent storage is required to retain database updates. This property overrides the default persistent volume claim for log files. See corev1.PersistentVolumeClaimSpec for more detail about this property.
```
logsPVClaimSpec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: dbb-logs
```
volumes (optional)
Define a list of additional volumes that you might want to be mounted to the DBB server container. For instance, you might need to mount an additional volume that contains the keystore and truststore for the SSL configuration. See corev1.Volume for more detail about how to define a Volume.
The following example defines a volume from an OCP secret.
```
volumes:
- name: secret-volume
  secret:
    secretName: mydbb-dbb-secrets
```
volumeMounts (optional)
Define a list of additional volume mounts that you might want to be mounted to the DBB server container. For instance, you might need to mount an additional volume that contains the keystore and truststore for the SSL configuration. See corev1.VolumeMount for more detail about how to define a VolumeMount. The following example defines a mount for the previous volume example. Each entry in the secret becomes a separate file in /etc/secret-volume.
```
volumeMounts:
- name: secret-volume
  readOnly: true
  mountPath: /etc/secret-volume
```
resources (optional)
Override the default resources defined for the DBB server container environment. Busier servers might require more available resources. jvmOptions might also need to be provided to increase the JVM resources available. See corev1.ResourceRequirements for more detail on specifying resources.
```
resources:
  limits:
    cpu: "2"
    memory: 8Gi
  requests:
    cpu: "1"
    memory: 3Gi
```
autoscaler (optional)
Allows you to add dynamic scaling to your DBB server setup. Unlike the replicas configuration that sets a static number of DBB servers to run, this option can define a minimum and a maximum number of replicas to run and allow OCP to start and stop replicas based on the metrics defined. See DBBAutoscalerSpec for more information.
```
autoscaler:
minReplicas: 1
maxReplicas: 5
metrics:
- type: Resource
  resource:
    name: cpu
    targetAverageUtilization: 20
```

DBBEnvVar

This structure defines properties necessary to add additional environment variables or files in a DBB server environment.

name
Name of environment variable
value (optional)
A string value assigned to the environment variable
valueFrom (optional)
Value is assigned from an entry in a configMap or a secret. See corev1.EnvVarSource for more detail.
path (optional)
A path to store the value of the environment variable as a file.

Examples:

Environment variable directly defined in deployment and accessible as environment variable in running DBB server environment.
```
- name: name1
    value: abc
```
Environment variable added to deployment ConfigMap and stored in the DBB server environment as a file.
```
- name: name2
  value: value2
  path: value.txt
```

Value and map key defined and stored in deployment ConfigMap and referenced as an environment variable in deployment.

- name: envvarname
  value: mappedvalue
  valueFrom:
    configMapKeyRef:
      name: <cr_name>-dbb-configmap
      key: mapkeyname

Environment variable defined from an entry in an existing ConfigMap and referenced as an environment variable in deployment.
```
- name: envvar2
  valueFrom:
   configMapKeyRef:
     name: another-configmap
     key: anotherkey
```
Environment variable defined from an entry in an existing Secret and referenced as an environment variable in deployment.
```
- name: secretenvvar
  valueFrom:
   secretKeyRef:
     name: my-secrets
     key: hostname
```

DBBAutoscalerSpec

minReplicas (optional)
A number that specifies the minimum number of DBB servers to start for this deployment.
```
minReplicas: 2
```
maxReplicas
A number that specifies the maximum number of DBB servers to start for this deployment.
```
maxReplicas: 10
```
metrics
Defines load metrics that OCP will use to determine whether to start more servers or to terminate servers. See autoscaling.MetricSpec for more detail.
```
metrics:
- type: Resource
  resource:
    name: cpu
    targetAverageUtilization: 20
```

Deploying the DBB server Custom Resource

After the configuration is set in the CR, the CR can be applied to your cluster. The DBB operator will use the CR to create the necessary artifacts (such as ConfigMaps, Deployments, Route, and Service) for an operating DBB server. After the configuration is complete, the server starts automatically and can be monitored in the OCP console under Workloads > Pods and selecting the namespace used for the CR.

Use the oc client to log in to your cluster.

oc login https://<your_cluster_hostname> -u <username> -p <password>

Create a namespace and set the project for your DBB OCP resources or use the --namespace <namespace> option in step 3.
```
oc create namespace <namespace>
```
Note: While a unique namespace is not required for multiple DBB server deployments, it is recommended.
Deploy the CR
```
oc apply -f dbbserver_cr.yaml
```

Custom Resource Status

As the Customer Resource (CR) is reconciled by the operator, the state on the CR will change from initial to available. If the initial deployment attempt fails, the state will go to initialFail. After deployment, if the server fails to run, the state will go to notAvailable.

For each state, the following table shows the statuses that are displayed as part of the CR.

State	Statuses
initial	DBBServer is intializing DBBServer is not Ready DBBServer is healthy DBBServer not yet available
initialFail	DBBServer is not intializing DBBServer is not Ready DBBServer failed DBBServer is not available
available	DBBServer has Started DBBServer is Ready DBBServer is healthy DBBServer is available
notAvailable	DBBServer has Started DBBServer is running DBBServer is not healthy DBBServer is not available

Additional Steps

By default, the DBB operator configures a NetworkPolicy and an EgressNetworkPolicy in the namespace, which completely shuts down ingress and egress, respectively. Ingress and egress must be opened in order for the DBB server container to work.

Update NetworkPolicy
- Log in to the cluster console as administrator and navigate to Networking > NetworkPolicies.
- Select the Project/Namespace used for the DBBServer CR.
- Select the NetworkPolicy named <DBBServer CR name>-dbb-np.
- Click the YAML tab to view the YAML code.
- Add the following lines to the end of the YAML code and save. This opens ingress to all traffic. More strict rules may be added as needed.
```
ingress:
  - {}
```
Update EgressNetworkPolicy
- Log in to the cluster console as administrator and navigate to Administration > CustomResourceDefinitions.
- Select EgressNetworkPolicy custom resource definition.
- Select Instances.
- Select the <DBBServer CR name>-dbb-enp instance with the namespace that is used to apply the DBBServer CR.
- Click the YAML tab to view the YAML code.
- At a minimum, you must add an egress to the cluster's API node in front of the Deny egress and save. Other egress rules may be applied as needed for the database and LDAP.
```
egress:
  - to:
      cidrSelector: 9.30.235.162/32
    type: Allow
  - to:
      cidrSelector: 0.0.0.0/0
    type: Deny
```
Restart the DBB server pod. Once the NetworkPolicy and EgressNetworkPolicy are updated, you may need to restart the DBB server pod for the updated policies to take effect.
- Log in to the cluster console as administrator and navigate to Workloads > Pods.
- Select the Project/Namespace used for the DBBServer CR.
- Find the DBB server pod named <DBBServer CR name>-dbb-deployment-<deployment id>-<unique id>.
- Click the three dots next to the DBB server pod and select Delete Pod. A new pod automatically spins up to replace the deleted pod.

Validating DBB server setup

Log into your OpenShift Cluster console.
Expand the Workloads tab on the left-hand side menu and click Pods.
On the Pods page, select the project from the drop-down list.
The Pod, <cr_name>-dbb-deployment-1-<id> should have the Running status. Click the pod and inspect the YAML or logs if errors occur.
Click the Networking tab on the left-hand side menu and click Routes.
Note the location URL for the dbb-server route. Use the hostname in this url for later steps.
Navigate to https://<hostname>/dbb/rest/collection.
Log in with any DBBAdmins credentials you have configured.
You should see a heading of "DBB Collections" with no collections listed.
Create sample collections.
- Navigate to https://<hostname>/dbb/rest/collection/setup. Expected result is "OK - Setup completed."
- Navigate to https://<hostname>/dbb/rest/collection. Expect to see a list of collections ("Collection1", "Collection2", and "Collection3").
- Navigate to each collection to see the logical files and logical dependencies.

Troubleshooting

Review the YAML or Logs tab in the pod. If the server is running, open a terminal for the pod and review the log files that are generated at /logs to identify issues with the server.