Serverless is a cloud-native deployment model which helps manage servers based on demand. When running a serverless application, the app pod is automatically scaled up when the app is in use and scaled down to zero (no running server) when the application is idle. The rapid server startup time with Liberty InstantOn is essential in serverless applications when scaling up pods. In my previous blog, I created a Liberty InstantOn application container image using the guide-security-intro sample application. Now I will deploy it to Red Hat OpenShift Container Platform (OCP) with OpenShift Serverless.
Prerequisites:
- An OCP cluster 4.14 or later
- The sample InstantOn application container image (see my previous blog)
- oc - OpenShift Command Line Interface (CLI)
Steps
Install Red Hat OpenShift Serverless operator and create Knative Serving instance in OCP
1. Install the Red Hat OpenShift Serverless operator using the OCP console. Navigate to Operators > OperatorHub, search for Red Hat OpenShift Serverless, and install it with the default values. At the time of writing, the latest OpenShift Serverless version is 1.33.2.
2. Create a Knative Serving instance to control the behavior of serverless workloads on the OCP cluster. To deploy a Liberty InstantOn application, the Knative Serving features kubernetes.containerspec-addcapabilities and kubernetes.podspec-securitycontext must be enabled so that Linux capabilities and a security context can be added to the container. In the OCP console, navigate to Operators > Installed Operators > Red Hat OpenShift Serverless operator > Knative Serving tab. Click the Create KnativeServing button and paste in the following content, or apply it with "oc apply -f <the-following-kserving>.yaml".
kind: KnativeServing
apiVersion: operator.knative.dev/v1beta1
metadata:
  name: knative-serving
  namespace: knative-serving
spec:
  config:
    features:
      kubernetes.containerspec-addcapabilities: enabled
      kubernetes.podspec-securitycontext: enabled
3. Verify that the created KnativeServing is ready to serve
oc get KnativeServing -n knative-serving
NAME              VERSION   READY   REASON
knative-serving   1.12      True
Deploy the sample InstantOn application container image as a serverless application in OCP with OpenShift serverless
Use Open Liberty Operator (OLO) to deploy the application container image to OCP with OpenShift Serverless, since it helps manage applications in Kubernetes. If Open Liberty Operator is not installed on your OCP cluster, you can install it from the OCP console by navigating to Operators > OperatorHub, searching for Open Liberty, and installing OLO with the default values. By default, OLO is installed on all namespaces, but it can also be installed in a specific project in OCP. You also need to create security context constraints (SCCs) and a service account to add the additional capabilities and permissions that pods need for the Liberty InstantOn restore process. I will deploy the application to the serverless-sample-security project, so all configuration steps below are run inside this project.
1. Create a new project to deploy the serverless application
2. If the InstantOn application container image is in a secured registry, you must create an image pull secret in the same namespace as the application. The command below is for creating a pull secret when you do not have a Docker credentials file for the secured registry.
3. Follow steps 4 and 5 in the Deploy the InstantOn application container image to Red Hat OpenShift Container Platform using Open Liberty Operator section in my previous blog to create security context constraints (SCCs) and add them to a service account, which provides the additional capabilities and permissions that pods need for the Liberty InstantOn restore process.
4. Deploy the serverless application with the Open Liberty Operator using the following YAML file by running the command "oc apply -f <the-following-olapp.yaml>". Setting .spec.createKnativeService: true deploys the app as a serverless application, .spec.pullSecret provides the registry credential for pulling the app image from a secured registry, and .spec.securityContext grants the container the permissions needed for the InstantOn application restore process.
5. View the Knative service to see its status and application URL
6. Once the serverless application is deployed, you can monitor the app pod status and see the app pod scaling down when it is not being used. The following shows that the app pod is terminating (scaling down) when the application is not used.
7. Run the application with the Knative service URL and monitor the pod status to see that the pod is scaling up
8. View the pod logs. In this case, the server started in 0.268 seconds.
% oc logs guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl
Defaulted container "user-container" out of: user-container, queue-proxy
[9/20/24, 22:01:51:836 UTC] 00000037 com.ibm.ws.kernel.launch.internal.FrameworkManager A Launching defaultServer (Open Liberty 24.0.0.9/wlp-1.0.93.cl241020240827-1743) on Eclipse OpenJ9 VM, version 17.0.12+7 (en_US)
[9/20/24, 22:01:51:854 UTC] 00000037 com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://guide-security-kn-00001-deployment-6b4b4fb88d-4tbgl:9080/
[9/20/24, 22:01:51:869 UTC] 00000037 io.openliberty.checkpoint.internal.CheckpointImpl A CWWKC0452I: The Liberty server process resumed operation from a checkpoint in 0.245 seconds.
[9/20/24, 22:01:51:871 UTC] 00000037 com.ibm.ws.app.manager.AppMessageHelper A CWWKZ0001I: Application guide-security-intro.war started in 0.247 seconds.
[9/20/24, 22:01:51:891 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0012I: The server installed the following features: [appSecurity-5.0, cdi-4.0, distributedMap-1.0, expressionLanguage-5.0, faces-4.0, jndi-1.0, jsonp-2.1, servlet-6.0, ssl-1.0, transportSecurity-1.0].
[9/20/24, 22:01:51:892 UTC] 00000037 com.ibm.ws.kernel.feature.internal.FeatureManager A CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 0.268 seconds.
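A manifest of the kind step 4 describes, as an added example rather than the author's own file. The application name is inferred from the pod name in the logs above, the values in angle brackets are placeholders, and the capability set follows Open Liberty's InstantOn documentation rather than anything stated in this post, so check it against the SCC created in step 3.

```yaml
# Added example, not the author's manifest. <...> values are placeholders.
apiVersion: apps.openliberty.io/v1
kind: OpenLibertyApplication
metadata:
  name: guide-security-kn                # assumed; inferred from the pod name in the logs
  namespace: serverless-sample-security
spec:
  applicationImage: <registry>/<repository>/<instanton-image>:<tag>
  createKnativeService: true             # deploy as a Knative Service so the pod can scale to zero
  pullSecret: <pull-secret-name>         # image pull secret from step 2
  serviceAccount:
    name: <service-account-name>         # service account bound to the SCC from step 3
  securityContext:
    runAsNonRoot: true                   # the restore process does not need root
    privileged: false                    # no privileged container
    allowPrivilegeEscalation: true       # required for the InstantOn restore (Open Liberty docs)
    capabilities:
      add:
        - CHECKPOINT_RESTORE             # lets CRIU restore the checkpointed process
        - SETPCAP                        # lets the restore adjust its own capability set
      drop:
        - ALL                            # everything else stays dropped
```

The two KnativeServing feature flags enabled earlier apply to every Knative service on the cluster, so the SCC bound to this service account is what limits which workloads can actually obtain these capabilities. Keeping drop: ALL alongside the two added capabilities holds the container to the minimum the restore needs.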
Conclusion
In conclusion, we deployed an existing Liberty InstantOn application container image to OCP with Red Hat OpenShift Serverless and saw that the rapid server startup time with Liberty InstantOn benefits serverless applications when responding to demand.