IBM BAMOE v9 - Kubernetes deployment example

By Marco Antonioni posted Fri January 03, 2025 04:26 AM

  
 

# Introduction

In recent months, many of my customers who have subscribed to IBM BAMOE support licenses have been asking me for various types of information on the new BAMOE 9.2 version that will include support for BPMN processes with database persistence.
One of the hot topics that always comes up in the discussion is the new cloud native architecture of Kogito, which uses Quarkus, and in the future also SpringBoot, to create containerized images for process and rule management applications.
 
The question is always the same: "How should we develop BPMN applications with BAMOE v9?".
The answer is really very simple.
 
  • Pay down your technical debt regarding Quarkus or SpringBoot and, obviously, Kubernetes architecture.
  • Follow public cloud native good practices (e.g. https://12factor.net/).
  • Carefully evaluate the QoS required for your business solutions and design an architecture that meets your needs; this is always a crucial phase.
  • Use the old "divide and conquer" approach ... after all I was born in Rome ;-)
  • Always try to keep the contents of each single microservice homogeneous, in terms of both application and technology.
  • Remember that in the world of microservices one of the killers always lurking is the set of multiple dependencies between the various versions of open source frameworks. Have a look at "Monorepos: beyond the Technicalities".
  • Always try to find the right tradeoff between separating the logic into fine-grained components and the number of components to integrate; the greater the number of microservices, the greater the communication delay and the greater the possibility of communication problems and related recovery operations. Remember that this is a stateful operative domain!
Let me recall some difficult management scenarios that I have seen at some customers.
Having a single server and related product database with multiple applications, even if not related to each other (different lines of business), leads to complex situations both when upgrading the executable binaries of the product and when migrating process instances between versions/branches of the same application.
In business and IT governance there can be many hidden costs that grow exponentially when you create dependencies in the shape of "inverted pyramids". 
In containerized environments where a good automation pipeline must always be present, it is good to create autonomous systems for the entire life cycle of each single business solution. 
It is always extremely difficult to define an initial capacity plan that can then scale quickly based on business demands when you have designed an architecture with a single server for all applications.
What does all this have to do with solutions based on IBM BAMOE v9?
It has a lot to do with it because the 'foundations' are the basis for every successful solution.
 
Let's go back to IBM BAMOE now.
 
This post references a GitHub repository (https://github.com/marcoantonioni/bamoe9-k8s) containing an example of a 'complete deployment' in a Kubernetes environment for an application based on a BPMN process in IBM BAMOE runtime version 9.1.1 (technical preview for long running processes supported by a database). The application is based on Quarkus technology.
The contents of the repository are a very simple example of architecture and functional integration in a Kubernetes environment.
The code and configurations in this repository are not suitable for reuse in production environments.
Security enforcement in the code and configurations is minimal and intended for demonstration purposes only.
The Minikube environment was selected as the deployment target to demonstrate the simplicity of setup even on the developer's desktop.
 

# Scenario

The use case involves the use of a simple application based on a BPMN process implemented with two human tasks profiled for two different organizational roles.
BAMOE9-HiringProcess
Users who interact with the application must be authenticated and must present, in each interaction with the application, credentials in the form of a JWT token obtained through a login operation against an OIDC server (Keycloak in this scenario).
Keycloak has been configured with a customized realm for which two user groups have been created, one for Human Resources users, the other for Information Technology users; two roles 'HR' and 'IT' have been created to which the two user groups have been associated. What is defined as 'Realm Role' in Keycloak corresponds to the configuration in the 'Group' section of the human tasks.
With this configuration the human tasks of the process will be visible and usable only by users profiled for the role associated with the human task.
The database server supporting the solution is set up for two databases, one to support the BAMOE process runtime, the other to support the Keycloak server.
To create effective security enforcement, the BPM application was protected with a specific HTTP policy.
A simple application was created that stands between the client and the BPM process application and implements authentication and authorization enforcement based on JWT tokens. This application dynamically extracts the roles associated with the user from the JWT token and readjusts the call to the BPM application, which can only be reached on address 127.0.0.1 within the execution pod. In this way the frontend container protects the backend application by implementing the 'Sidecar' pattern.
The frontend application also implements authorization logic that is not present in the standard BPMN notation such as which roles can start new process instances.
The frontend application is intended as an example from which to take inspiration when creating your own access security policies for BPMN applications built with Kogito technology (current version in the 'incubator' phase, https://github.com/orgs/apache/repositories?q=kogito), in this case on the IBM BAMOE distribution version 9.1.1 (technical preview).
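
The gate the frontend applies before forwarding a call, sketched as an added example; it is not code from the post or its repositories. Assumptions: HS256 with a shared key is substituted for the asymmetric signature a Keycloak realm normally uses, so the sketch runs offline with the standard library; the `START_ROLES` policy, the `/hiring` paths, port 8080 and the `user`/`group` query parameters are hypothetical.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

BACKEND = "http://127.0.0.1:8080"  # assumed: BPM container listens on loopback only
START_ROLES = {"HR"}               # assumed policy: only HR starts new instances
KNOWN_ROLES = {"HR", "IT"}         # realm roles named in the scenario

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_demo_token(claims, key):
    """Constructed HS256 token so the example runs offline."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verified_claims(token, key, now=None):
    """Return the claims only if algorithm, signature and expiry check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head))["alg"] != "HS256":  # rejects "none"/alg swaps
            raise PermissionError("unexpected algorithm")
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64(sig)):
            raise PermissionError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["exp"] <= (time.time() if now is None else now):
            raise PermissionError("token expired")
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError("malformed token") from exc
    return claims

def backend_call(token, key, action, now=None):
    """Build the loopback request; identity comes from the token, never the client."""
    claims = verified_claims(token, key, now)
    roles = set(claims.get("realm_access", {}).get("roles", [])) & KNOWN_ROLES
    user = claims.get("preferred_username")
    if not user or not roles:
        raise PermissionError("no usable identity or HR/IT role")
    if action == "start" and not roles & START_ROLES:
        raise PermissionError("role may not start process instances")
    path = "/hiring" if action == "start" else "/hiring/tasks"  # hypothetical paths
    query = [("user", user)] + [("group", r) for r in sorted(roles)]
    return f"{BACKEND}{path}?{urlencode(query)}"
```

Because the user and group values sent to the backend are rebuilt from the verified token, a client cannot claim a role by editing its own request; that only holds while the backend stays unreachable from outside the pod.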
 
The application used for this demo is in this repo https://github.com/marcoantonioni/bamoe9-oidc-processes
 

# Environment

A 'complete deployment' is a set of components such as:
 
  • PostgreSQL database
  • pgAdmin for database administration
  • Keycloak for SSO security management with JWT token
  • BAMOE in Compact architecture
Ready-to-use containers can be pulled from my quay.io account.
 
As mentioned above, I chose Minikube (https://minikube.sigs.k8s.io/docs/) because it is a solid K8S environment and well known by many.
The CRs that you will find in this repository are generic and can be deployed in any K8S and OpenShift runtime, obviously also OpenShift Local (https://developers.redhat.com/products/openshift-local/overview).
 
The two repositories contain step-by-step instructions for creating applications and deploying them in a K8S environment.

# Conclusions

 
I hope this post can be useful to help you take the first steps towards the realization of process and rule management solutions in a containerized environment based on IBM BAMOE version 9.
 
IBM BAMOE version 9.2, with GA support of database persistence, is planned for the year 2025; at the time of publishing this post there are no fixed dates.
 
