In this guide, you will integrate your Liberty application with different Azure services, including security, data persistence & distributed logging. The Liberty application is running on an Azure Red Hat OpenShift (ARO) 4 cluster. You learn how to:
[!div class="checklist"]
- Set up different services
- Prepare your application
- Prepare application image
- Deploy sample application
In previous guides, a Java application, which is running inside Open Liberty/WebSphere Liberty runtime, is deployed to an ARO 4 cluster. If you have not done these guides, walk them through with the following links and return here to continue.
- Deploy a Java application inside Open Liberty/WebSphere Liberty on an Azure Red Hat OpenShift 4 cluster
- Integrate your Liberty application with Elasticsearch stack
- Integrate your Liberty application with Azure managed databases
- Integrate your Liberty application with Azure Active Directory OpenID Connect
When you complete all of previous guides, different services used for this guide have already set up. Let's recap them one by one.
- Set up Azure Red Hat OpenShift cluster.
- Set up Azure Active Directory.
- Create an Azure Database for PostgreSQL server.
- Deploy cluster logging.
The application <path-to-repo>/2-simple
used in the previous basic guide hasn't enabled security, data persistence or distributed logging. To make it integrate with different services, a number of files need to be updated or created:
File Name | Source Path | Destination Path | Operation | Description |
---|---|---|---|---|
server.xml |
<path-to-repo>/2-simple/src/main/liberty/config/server.xml |
<path-to-repo>/4-finish/src/main/liberty/config/server.xml |
Updated | Add socialLogin-1.0 , transportSecurity-1.0 , appSecurity-3.0 , jwt-1.0 , mpJwt-1.1 , mpConfig-1.3 , jpa-2.2 features and their configurations. |
web.xml |
<path-to-repo>/2-simple/src/main/webapp/WEB-INF/web.xml |
<path-to-repo>/4-finish/src/main/webapp/WEB-INF/web.xml |
Updated | Add security-role and security-constraint for accessing web resources of the application. |
CafeJwtUtil.java |
<path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeJwtUtil.java |
New | The utility class for retrieving ID token issued from Azure AD, and providing an API to determine if the logged-on user is in the configured admin group of Azure AD. | |
CafeRequestFilter.java |
<path-to-repo>/4-finish/src/main/java/cafe/web/view/CafeRequestFilter.java |
New | A client request filter for adding JWT token in HTTP Authorization Header for outbound requests. | |
Cafe.java |
<path-to-repo>/2-simple/src/mainjava/cafe/web/view/Cafe.java |
<path-to-repo>/4-finish/src/main/java/cafe/web/view/Cafe.java |
Updated | Register CafeRequestFilter for intercepting internal REST calls, add new APIs to get principal name of logged-on user and flag indicating whether the logged-on user can delete existing coffees or not. |
CafeResource.java |
<path-to-repo>/2-simple/src/main/java/cafe/web/rest/CafeResource.java |
<path-to-repo>/4-finish/src/main/java/cafe/web/rest/CafeResource.java |
Updated | Inject JsonWebToken to verify the groups claim of the token for RBAC. |
Coffee.java |
<path-to-repo>/2-simple/src/main/java/cafe/model/entity/Coffee.java |
<path-to-repo>/4-finish/src/main/java/cafe/model/entity/Coffee.java |
Updated | Annotate POJO Coffee with javax.persistence.Entity annotation to make it a JPA Entity. |
CafeRepository.java |
<path-to-repo>/2-simple/src/main/java/cafe/model/CafeRepository.java |
<path-to-repo>/4-finish/src/main/java/cafe/model/CafeRepository.java |
Updated | Changed to be a Stateless Bean, CafeRepository implements create, read, update, and delete coffees using javax.persistence.EntityManager and javax.persistence.PersistenceContext APIs. |
persistence.xml |
<path-to-repo>/4-finish/src/main/resources/META-INF/persistence.xml |
New | A new configuration file to configure data persistence schema. | |
messages.properties |
<path-to-repo>/2-simple/src/main/resources/cafe/web/messages.properties |
<path-to-repo>/4-finish/src/main/resources/cafe/web/messages.properties |
Updated | Parameterize display name using the name of the logged-on user. |
messages_es.properties |
<path-to-repo>/2-simple/src/main/resources/cafe/web/messages_es.properties |
<path-to-repo>/4-finish/src/main/resources/cafe/web/messages_es.properties |
Updated | Parameterize display name using the name of the logged-on user. |
index.xhtml |
<path-to-repo>/2-simple/src/main/webapp/index.xhtml |
<path-to-repo>/4-finish/src/main/webapp/index.xhtml |
Updated | Display principal name of the logged-on user. Disable coffee delete button if the logged-on user is not authorized. |
pom.xml |
<path-to-repo>/2-simple/pom.xml |
<path-to-repo>/4-finish/pom.xml |
Updated | Add new properties and dependencies for Social Login and database connection, and add new dependency for Eclipse MicroProfile and postgresql JDBC driver. |
For reference, these changes have already been applied in <path-to-repo>/4-finish
of your local clone.
Execute the following commands to build application package:
cd <path-to-repo>/4-finish
mvn clean package
To build the application image, Dockerfile needs to be prepared in advance:
File Name | Source Path | Destination Path | Operation | Description |
---|---|---|---|---|
Dockerfile |
<path-to-repo>/2-simple/Dockerfile |
<path-to-repo>/4-finish/Dockerfile |
Updated | Add JDBC driver into application image, which is based on Open Liberty base image. |
Dockerfile-wlp |
<path-to-repo>/2-simple/Dockerfile-wlp |
<path-to-repo>/4-finish/Dockerfile-wlp |
Updated | Add JDBC driver into application image, which is based on WebSphere Liberty base image. |
Follow steps below to build the application image and push it to the built-in container image registry:
-
Change directory to
<path-to-repo>/4-finish
of your local clone. -
Download postgresql-42.4.1.jar and put it to current working directory.
-
Log in to the OpenShift web console from your browser using the credentials of the Azure AD user.
-
Log in to the OpenShift CLI with the token for the Azure AD user.
-
Run the following commands to build application image and push it to the registry.
# Build and tag application image # Note: # - replace "${Docker_File}" with "Dockerfile" to build application image with Open Liberty base image # - replace "${Docker_File}" with "Dockerfile-wlp" to build application image with WebSphere Liberty base image docker build -t javaee-cafe-all-in-one:1.0.0 --pull --file=${Docker_File} . # Note: replace "<Container_Registry_URL>" with the fully qualified name of the registry Container_Registry_URL=<Container_Registry_URL> # Create a new tag with registry info that refers to source image docker tag javaee-cafe-all-in-one:1.0.0:1.0.0 ${Container_Registry_URL}/open-liberty-demo/javaee-cafe-all-in-one:1.0.0 # Log in to the built-in container image registry docker login -u $(oc whoami) -p $(oc whoami -t) ${Container_Registry_URL} # Push image to the built-in container image registry docker push ${Container_Registry_URL}/open-liberty-demo/javaee-cafe-all-in-one:1.0.0
To integrate the application with Azure AD OpenID Connect and Azure Database for PostgreSQL server on the ARO 4 cluster, a number of Kubernetes resource YAML files need to be updated or created.
File Name | Source Path | Destination Path | Operation | Description |
---|---|---|---|---|
aad-oidc-secret.yaml |
<path-to-repo>/4-finish/aad-oidc-secret.yaml |
New | A Kubernetes Secret resource with user input data, including client.id , client.secret , tenant.id , and admin.group.id . |
|
tls-crt-secret.yaml |
<path-to-repo>/4-finish/tls-crt-secret.yaml |
New | A Kubernetes Secret resource with user input data, including ca.crt , destCA.crt , tls.crt , and tls.key . |
|
db-secret.yaml |
<path-to-repo>/4-finish/db-secret.yaml |
New | A Kubernetes Secret resource with PostgreSQL database connection data, including db.server.name , db.port.number , db.name , db.user , and db.password . |
|
openlibertyapplication.yaml |
<path-to-repo>/2-simple/openlibertyapplication.yaml |
<path-to-repo>/4-finish/openlibertyapplication.yaml |
Updated | Add environment variables whose values are from Secret aad-oidc-secret and db-secret-postgres . Specify existing certificate for Route and Service of OpenLibertyApplication custom resource. |
For reference, these changes have already been applied in <path-to-repo>/4-finish
of your local clone.
Now you can deploy the sample Liberty application to the ARO 4 cluster with the following steps.
-
Log in to the OpenShift web console from your browser using the credentials of the Azure AD user.
-
Log in to the OpenShift CLI with the token for the Azure AD user.
-
Run the following commands to deploy the application.
# Change directory to "<path-to-repo>/4-finish" cd <path-to-repo>/4-finish # Change project to "open-liberty-demo" oc project open-liberty-demo # Create environment variables which will be passed to secret "aad-oidc-secret" # Note: replace "<client ID>", "<client secret>", "<tenant ID>", and "<group ID>" with the ones you noted down before export CLIENT_ID=<client ID> export CLIENT_SECRET=<client secret> export TENANT_ID=<tenant ID> export ADMIN_GROUP_ID=<group ID> # Create secret "aad-oidc-secret" envsubst < aad-oidc-secret.yaml | oc create -f - # Create TLS private key and certificate, which is also used as CA certificate for testing purpose openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt # Create environment variables which will be passed to secret "tls-crt-secret" export CA_CRT=$(cat tls.crt | base64 -w 0) export DEST_CA_CRT=$(cat tls.crt | base64 -w 0) export TLS_CRT=$(cat tls.crt | base64 -w 0) export TLS_KEY=$(cat tls.key | base64 -w 0) # Create secret "tls-crt-secret" envsubst < tls-crt-secret.yaml | oc create -f - # Create environment variables which will be passed to secret "db-secret-postgres" # Note: replace "<Server name>", "<Port number>", "<Admin username>", and "<Password>" with the ones you noted down before export DB_SERVER_NAME=<Server name>.postgres.database.azure.com export DB_PORT_NUMBER=<Port number> export DB_NAME=postgres export DB_USER=<Admin username>@<Server name> export DB_PASSWORD=<Password> # Create Secret "db-secret-postgres" envsubst < db-secret.yaml | oc create -f - # Create OpenLibertyApplication "javaee-cafe-all-in-one" oc create -f openlibertyapplication.yaml # Check if OpenLibertyApplication instance is created oc get openlibertyapplication javaee-cafe-all-in-one # Check if deployment created by Operator is ready oc get deployment javaee-cafe-all-in-one # Get host of the route HOST=$(oc get route javaee-cafe-all-in-one --template='{{ .spec.host }}') echo "Route Host: $HOST"
Once the Liberty Application is up and running, copy the value of Route Host from console output.
-
Open your Azure AD > App registrations > your registered application > Authentication > Click Add URI in Redirect URIs section > Replace <Route_Host> with the value of Route Host for
https://<Route_Host>/ibm/api/social-login/redirect/liberty-aad-oidc-javaeecafe
, and fill it into the text box > Click Save. -
Replace <Route_Host> with the value of Route Host for
https://<Route_Host>
, and open it in the InPrivate window of Microsoft Edge, verify the application is secured by Azure AD OpenID Connect and connected to Azure Database for PostgreSQL server.- Sign in as a user, who doesn't belong to the admin group you created before.
- Update your password if necessary. Accept permission requested if necessary.
- You will see the email address of your AAD account displayed in the application home page, where the coffee Delete button is disabled.
- Create new coffees.
- Close the InPrivate window > open a new InPrivate window > sign in as another user, who does belong to the admin group you created before.
- Update your password if necessary. Accept permission requested if necessary.
- You will see the email address of your AAD account displayed in the application home page, where the coffee Delete button is enabled now.
- Create new coffees. Delete existing coffees.
The application logs are shipped to the Elasticsearch cluster, and can be visualized in the Kibana web console.
- Log in to the OpenShift web console from your browser using the
kubeadmin
credentials. Click Monitoring > Logging. - In the new opened window, click Log in with OpenShift. Log in with
kubeadmin
if required. - Open Management > Index Patterns > Select project.* > Click Refresh field list icon at top-right of the page.
- Click Discover. Select index pattern project.* from the dropdown list.
- Add kubernetes.namespace_name, kubernetes.pod_name, loglevel, and message from Available Fields into Selected Fields. Discover application logs from the work area of the page.
If you want to log in using the Azure AD user to view logs in the Kibana web console, follow the steps above but replace index pattern project.* with project.open-liberty-demo.<random-guid>.*.
In this guide, you learned how to:
[!div class="checklist"]
- Set up different services
- Prepare your application
- Prepare application image
- Deploy sample application
To free OpenShift resources created for these guides:
- Connect to the ARO 4 cluster.
- Run
oc delete project open-liberty-demo
in a console.
To delete the ARO 4 cluster, follow "Tutorial: Delete an Azure Red Hat OpenShift 4 cluster".