App Connect Enterprise v11 for IBM Cloud Private on Red Hat OpenShift or natively on OpenShift

Docker, Kubernetes, and Helm work together to provide a platform for managing, packaging, and orchestrating containerized workloads. For IBM App Connect Enterprise this enables the packaging of an integration server into a standardized unit for deployment that can be promoted through a development pipeline then deployed, managed, and scaled. This blog will discuss how to run IBM App Connect Enterprise (ACE) on OpenShift with IBM Cloud Private (ICP) as well as running ACE natively on OpenShift.

Background

IBM App Connect Enterprise v11 (and its previous release, named IBM Integration Bus v10) software can be used to create your own Docker images. We’ve been helping our customers build such Docker images for several years now. We began this journey in June 2015 with our first Dockerfile contribution to GitHub. Latterly, in 2017, we have also provided pre-built Docker images, both on Docker Registry Hub (containing developer-licensed IIB/ACE software, which are free to download and try out), and for download from IBM Passport Advantage by entitled paying customers (for production usage). There are of course several Linux container technologies competing for attention in the industry right now, but Docker has rapidly become ubiquitous. This has brought simplicity in packaging and portability to developers.

However, container images by themselves do not address key enterprise needs for production workloads. Container orchestration frameworks have also rapidly gathered widespread usage with the Kubernetes technology (a portable, extensible, open-source platform for managing your containers), now the clear leader of the pack. In line with this trend, we have also seen phenomenal interest and growth in IBM Cloud Private. IBM Cloud Private is an application platform for developing and managing on-premises, containerized applications. It is an integrated environment for managing containers that includes the container orchestrator Kubernetes, but provides additional value with a private image registry, a management console, and monitoring frameworks.

In November of this year we released a new and improved set of ACE Docker images and Helm Charts that are certified for use on IBM Cloud Private v3.1. Utilizing ACE on IBM Cloud Private provides customers with certified capabilities for production deployment alongside management and lifecycle operations as part of the ICP platform. Features such as pre-configured deployments based on product expertise, rolling upgrades, rollbacks, security/vulnerability testing, and integration with management services for logging, monitoring, metering, and security provide control and management of production workloads.

While IBM Cloud Private brings tangible benefits with a common support model and technology layer across IBM software offerings, other IBM customers may be interested in building their own custom ACE containers, built using Red Hat Enterprise Linux (rather than Ubuntu) directly on OpenShift without IBM Cloud Private. Those customers can also follow the instructions below that mimic the IBM process for building such containers.

First, find or create everything you need:

• A Red Hat OpenShift cluster with IBM Cloud Private installed
• The App Connect Enterprise (ACE) v11 binary that you download from Passport Advantage
• Helm Charts from ot4i/ace-helm
• A Red Hat Enterprise Linux (RHEL) machine with a valid subscription

Procedure

These instructions will take you step by step through running an ACE container on IBM Cloud Private on Red Hat OpenShift, and running ACE natively on Red Hat OpenShift. Both methods will require a RHEL-based image that’s built by using the instructions here: github.com/ot4i/ace-docker.

Alternative methods:

• Running App Connect Enterprise on IBM Cloud Private on Red Hat OpenShift
• Running App Connect Enterprise with IBM MQ on IBM Cloud Private on Red Hat OpenShift
• Running App Connect Enterprise on Red Hat OpenShift

Running App Connect Enterprise on IBM Cloud Private on Red Hat OpenShift

1. Push your Docker image to a container registry so that the cluster can access it. You may need to create a Kubernetes secret so that the image can be pulled by the cluster; this process is documented in this guide in the Kubernetes documentation.
2. In the IBM Cloud Private web interface, click the burger menu in the top-left corner and select Manage then Namespaces, and create a namespace for your ACE deployment. For this tutorial, the namespace is called ‘ace’.
3. Apply a Security Context Constraint (SCC) to the cluster; these are similar to Pod Security Policies and give ACE the access it needs to the environment. Download the SCC for ACE here: github.com/ot4i/ace-helm and apply it to the cluster by using the command oc create -f scc.yaml. Validate that it was created correctly by running oc get scc ibm-ace-scc and the SCC will be displayed.
4. Create a service account on Red Hat OpenShift to bind the SCC to the ACE deployment: oc create serviceaccount ibm-ace-sa
5. Add the SCC to the service account: oc adm policy add-scc-to-user ibm-ace-scc -z ibm-ace-sa
6. In the directory containing the Helm Charts from ot4i/ace-helm, install the Helm Chart to the cluster:
   helm upgrade --install ace-dev ibm-ace --tls --recreate-pods --namespace ace
7. Patch the deployment with the service account created above by using:
   oc patch deploy/ace-dev-ibm-ace --patch '{"spec":{"template":{"spec":{"serviceAccountName": "ibm-ace-sa"}}}}' -n ace

Running App Connect Enterprise with IBM MQ on IBM Cloud Private on Red Hat OpenShift

1. Push your Docker image to a container registry so that the cluster can access it. You may need to create a Kubernetes secret so that the image can be pulled by the cluster; this process is documented in this guide in the Kubernetes documentation.
2. In the IBM Cloud Private web interface, click the burger menu in the top-left corner and select Manage, then Namespaces, and create a namespace for your ACE deployment. For this tutorial, the namespace is called ‘ace’.
3. In the directory containing the Helm Charts from ot4i/ace-helm, install the Helm Chart to the cluster:
   helm install --name ace-mq ibm-ace --set license=accept --set image.repository.acemq={IMAGE_LOCATION} --set image.tag={IMAGE_TAG} --set queueManagerEnabled=true --namespace ace

Running App Connect Enterprise on Red Hat OpenShift

1. The chart used requires a Security Context Constraint (SCC) to be bound to the target namespace before you install the chart.

   Some predefined SCC names are available at https://github.com/ot4i/ace-helm.

   For example, using the SCC name, ibm-anyuid-scc:

   1. Apply a Security Context Constraint (SCC) to the cluster to give ACE the access it needs to the environment. Download ibm-anyuid-scc.yaml from here: github.com/ot4i/ace-helm and apply it to the cluster by using the command oc create -f ibm-anyuid-scc.yaml. Validate that it was created correctly by running oc get scc ibm-anyuid-scc and the SCC will be displayed.
   2. Create a service account on Red Hat OpenShift to bind the SCC to the ACE deployment: oc create serviceaccount ibm-ace-sa
   3. Add the SCC to the service account: oc adm policy add-scc-to-user ibm-anyuid-scc -z ibm-ace-sa
   4. In the directory containing the Helm Charts from ot4i/ace-helm, install the Helm Chart to the cluster:
      helm upgrade --install ace-dev ibm-ace --tls --recreate-pods --namespace ace
   5. Patch the deployment with the service account created above by using:
      oc patch deploy/ace-dev-ibm-ace --patch '{"spec":{"template":{"spec":{"serviceAccountName": "ibm-ace-sa"}}}}' -n ace
2. Push your Docker image to a container registry so that the cluster can access it. You may need to create a Kubernetes secret so that the image can be pulled by the cluster; this process is documented in this guide from Red Hat.
3. Run the application: oc new-app DOCKER_REGISTRY/IMAGE_NAME:IMAGE_TAG --env LICENSE=accept where DOCKER_REGISTRY, IMAGE_NAME, and IMAGE_TAG are set to the values that are configured for your registry.
   NOTE: By running this command you are accepting the license conditions of App Connect Enterprise. Review this license before running the command.
4. Expose the service so you can access it: oc expose svc/ibm-ace-server-prod.
   You will be able to see the pods and services running in the OpenShift UI as shown below: