This bundle deploys Hazelcast using Helm Charts with Prometheus metrics enabled. It also includes the PadoGrid container for ingesting mock data into the Hazelcast cluster.
For Prometheus instructions, please see the following link: Configuring Prometheus Metrics.
install_bundle -download bundle-hazelcast-3n4n5-k8s-oc_helm
This bundle installs PadoGrid and Hazelcast Kubernetes containers to run on OpenShift Local (CRC) or OpenShift Container Platform (OCP). It demonstrates how to start Hazelcast using Helm Charts and use the PadoGrid pod to ingest mock data into Hazelcast.
- OpenShift Client, oc
- Helm, helm
oc_helm/
├── bin_sh
│  ├── build_app
│  ├── cleanup
│  ├── login_padogrid_pod
│  ├── setenv.sh
│  ├── start_hazelcast
│  ├── start_padogrid
│  ├── stop_hazelcast
│  └── stop_padogrid
├── etc
│  └── hazelcast-enterprise
│  ├── hz-secret.yaml
│  └── mc-secret.yaml
├── hazelcast
│  └── values.yaml
├── padogrid
│  ├── padogrid-no-pvc.yaml
│  └── padogrid.yaml
└── prometheus
└── service-monitor.yaml
Run build_app, which initializes your local environment. This script sets the license key in the hazelcast/secret.yaml file.
cd_k8s oc_helm/bin_sh
./build_app
The container image versions can be changed as needed in the files shown below.
# Change dir to the k8s installation directory
cd_k8s oc_helm
| Container | File |
|---|---|
| PadoGrid | padogrid/padogrid.yaml |
| Hazelcast | hazelcast/values.yaml |
Let's create the oc-helm project. You can create a project with a different name, but make sure to replace oc-helm with your project name throughout this article.
oc new-project oc-helm
PadoGrid runs as a non-root user (padogrid/1001) that requires read/write permissions to the persistent volume. Let's add your project's default user to the nonroot SCC.
You can use one of the following methods to add the user to the nonroot SCC.
oc edit scc nonroot
nonroot SCC:
Add your project under the users: section. For our example, since our project name is oc-helm, we would enter the following.
users:
- system:serviceaccount:oc-helm:default
# See if user can use nonroot
oc adm policy who-can use scc nonroot
# Add user
oc adm policy add-scc-to-user nonroot system:serviceaccount:oc-helm:default
❗️ Note that depending on the oc version, e.g., v4.5.9, oc get scc nonroot -o yaml may not show the user you added using CLI. This is also true for the user added using the editor, which may not show in the output of oc adm policy who-can use scc nonroot.
By default, the start_hazelcast script launches Hazelcast Enterprise. To run OSS, specify the -oss option as shown in the subsequent section.
cd_k8s oc_helm/bin_sh
./start_hazelcast -oss
Hazelcast has been configured with securityContext enabled. It might fail to start due to the security constraint set by fsGroup. Check the StatefulSet events using the describe command as follows.
oc describe statefulset oc-helm-hazelcast
Output:
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 22s (x14 over 63s) statefulset-controller create Pod oc-helm-hazelcast-0 in StatefulSet oc-helm-hazelcast failed error: pods "oc-helm-hazelcast-0" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1000690000}: 1000690000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000690000: must be in the ranges: [1000570000, 1000579999]]
If you see a warning event similar to the one above, enter a valid value in the hazelcast/values.yaml file as follows.
cd_k8s oc_helm
vi hazelcast/values.yaml
For our example, we would enter a valid value in the values.yaml file as follows.
# Security Context properties
securityContext:
  # enabled is a flag to enable Security Context
  enabled: true
  # runAsUser is the user ID used to run the container
  runAsUser: 1000570000
  # runAsGroup is the primary group ID used to run all processes within any container of the pod
  runAsGroup: 1000570000
  # fsGroup is the group ID associated with the container
  fsGroup: 1000570000
...
After making the changes, restart (stop and start) the Hazelcast cluster as follows.
cd_k8s oc_helm; cd bin_sh
./stop_hazelcast -oss
./start_hazelcast -oss
Watch pods.
oc get pods -w
View the Hazelcast services.
oc get svc
Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
oc-helm-hazelcast ClusterIP None <none> 5701/TCP 8s
oc-helm-hazelcast-mancenter LoadBalancer 172.30.239.38 <pending> 8080:30974/TCP,443:30853/TCP 8s
We can open Management Center via HTTP or HTTPS. Follow the instructions in one of the subsequent sections.
Run oc expose svc to expose services.
oc expose -l app=hazelcast svc oc-helm-hazelcast-mancenter
Run oc get route to get the Management Center URL.
oc get route
Output:
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
oc-helm-hazelcast-mancenter oc-helm-hazelcast-mancenter-oc-helm.apps-crc.testing oc-helm-hazelcast-mancenter http None
Launch Hazelcast Enterprise Operator and Hazelcast.
cd_k8s oc_helm; cd bin_sh
./start_hazelcast
Hazelcast has been configured with securityContext enabled. It might fail to start due to the security constraint set by fsGroup. Check the StatefulSet events using the describe command as follows.
oc describe statefulset oc-helm-hazelcast
Output:
...
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 22s (x14 over 63s) statefulset-controller create Pod oc-helm-hazelcast-enterprise-0 in StatefulSet oc-helm-hazelcast-enterprise failed error: pods "oc-helm-hazelcast-enterprise-0" is forbidden: unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1000690000}: 1000690000 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1000690000: must be in the ranges: [1000570000, 1000579999]]
If you see a warning event similar to the one above, enter a valid value in the hazelcast/values.yaml file as follows.
cd_k8s oc_helm
vi hazelcast/values.yaml
For our example, we would enter a valid value in the values.yaml file as follows.
# Security Context properties
securityContext:
  # enabled is a flag to enable Security Context
  enabled: true
  # runAsUser is the user ID used to run the container
  runAsUser: 1000570000
  # runAsGroup is the primary group ID used to run all processes within any container of the pod
  runAsGroup: 1000570000
  # fsGroup is the group ID associated with the container
  fsGroup: 1000570000
...
After making the changes, restart (stop and start) the Hazelcast cluster as follows.
cd_k8s oc_helm; cd bin_sh
./stop_hazelcast
./start_hazelcast
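The FailedCreate event shown in both the OSS and Enterprise sections can be caught before deployment by comparing the IDs in hazelcast/values.yaml with the project's allowed range. The following is an added example, not part of the bundle: the function names are hypothetical, and it assumes the project's fsGroup range is the same block as the UID range published in the openshift.io/sa.scc.uid-range annotation.

```bash
#!/usr/bin/env bash
# Added example (not part of the bundle). On a live cluster, read the range with:
#   oc get namespace oc-helm \
#     -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
# The annotation value has the form "<first-id>/<count>".

# Print "<first> <last>" for a "<first>/<count>" annotation value.
uid_range_bounds() {
  local first count
  case "$1" in */*) ;; *) return 2 ;; esac
  first="${1%%/*}"; count="${1##*/}"
  case "$first" in ''|*[!0-9]*) return 2 ;; esac
  case "$count" in ''|*[!0-9]*) return 2 ;; esac
  echo "$first $((first + count - 1))"
}

# Read values.yaml text on stdin; report IDs outside the range given as $1.
# Returns 0 if all IDs fit, 1 if any is out of range, 2 on a malformed range.
check_security_context() {
  local bounds first last key val rest rc=0
  bounds="$(uid_range_bounds "$1")" || return 2
  first="${bounds% *}"; last="${bounds#* }"
  while read -r key val rest; do
    case "$key" in
      runAsUser:|runAsGroup:|fsGroup:)
        case "$val" in ''|*[!0-9]*) continue ;; esac   # skip non-numeric values
        if [ "$val" -lt "$first" ] || [ "$val" -gt "$last" ]; then
          echo "${key%:} $val is outside [$first, $last]"
          rc=1
        fi ;;
    esac
  done
  return "$rc"
}

# Constructed sample: the rejected ID from the event above, checked against a
# constructed annotation value that yields the range the event reports.
printf 'securityContext:\n  runAsUser: 1000690000\n  fsGroup: 1000690000\n' |
  check_security_context "1000570000/10000" ||
  echo "edit hazelcast/values.yaml before running start_hazelcast"
```

On a cluster, pipe the real file in: `check_security_context "<annotation value>" < hazelcast/values.yaml`.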
Watch pods.
oc get pods -w
View the Hazelcast services.
oc get svc
Output:
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
oc-helm-hazelcast-enterprise ClusterIP None <none> 5701/TCP 7m8s
oc-helm-hazelcast-enterprise-mancenter LoadBalancer 172.30.178.54 <pending> 8080:30179/TCP,443:32291/TCP 7m8s
We can open Management Center via HTTP or HTTPS. Follow the instructions in one of the subsequent sections.
Run oc expose svc to expose the Management Center service.
oc expose -l app=hazelcast svc oc-helm-hazelcast-enterprise-mancenter
Run oc get route to get the Management Center URL.
oc get route
Output:
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
oc-helm-hazelcast-enterprise-mancenter oc-helm-hazelcast-enterprise-mancenter-oc-helm.apps-crc.testing oc-helm-hazelcast-enterprise-mancenter http None
We can use edge termination to access Management Center via HTTPS. The Red Hat OpenShift documentation states, "With an edge route, the Ingress Controller terminates TLS encryption before forwarding traffic to the destination pod." In other words, traffic beyond the termination point, between the Ingress Controller and the pod, is not encrypted, which is why we can run the Management Center pod without HTTPS enabled.
First, we need to create a self-signed certificate. The following creates an RSA key and certificate in the etc/tls directory. Note that it sets CN (Common Name) to *.demo.com so that we can use it as a domain name for assigning any hosts.
cd_k8s oc_helm
mkdir etc/tls
openssl req -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
-out etc/tls/tls.crt -keyout etc/tls/tls.key -subj "/CN=*.demo.com"
Now, expose the Management Center service with edge termination. Let's assign the hostname to mancenter.demo.com as follows.
- Hazelcast OSS
oc create route edge tls-mancenter --service=oc-helm-hazelcast-mancenter \
--hostname=mancenter.demo.com --port 8080 --cert etc/tls/tls.crt --key etc/tls/tls.key
- Hazelcast Enterprise
oc create route edge tls-mancenter --service=oc-helm-hazelcast-enterprise-mancenter \
--hostname=mancenter.demo.com --port 8080 --cert etc/tls/tls.crt --key etc/tls/tls.key
Assuming you are using OpenShift Local, open /etc/hosts and look for the IP address that has crc host names assigned. We need to append mancenter.demo.com to that IP address.
sudo vi /etc/hosts
Append mancenter.demo.com to the IP address that has crc host names assigned in /etc/hosts:
<ip-address> ... api.crc.testing ... mancenter.demo.com
Run oc get route to get the Management Center URL:
oc get route
- Hazelcast OSS
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
tls-mancenter mancenter.demo.com oc-helm-hazelcast-mancenter 8080 edge None
- Hazelcast Enterprise
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
tls-mancenter mancenter.demo.com oc-helm-hazelcast-enterprise-mancenter http edge None
- HTTPS URL: https://mancenter.demo.com
cd_k8s oc_helm; cd bin_sh
# If you have not created local-storage
./start_padogrid
cd_k8s oc_helm; cd bin_sh
./start_padogrid
You can use the PadoGrid pod as a client to the Hazelcast cluster. There are three (3) ways to log in to the PadoGrid pod. Please follow the instructions in one of the subsequent sections.
The PadoGrid container is equipped with JupyterLab. The start_padogrid script has already exposed the padogrid-service so that we can immediately log in to PadoGrid from the browser.
oc get route padogrid-service
Output:
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
padogrid-service padogrid-service-oc-helm.apps-crc.testing padogrid-service http None
- URL: http://padogrid-service-oc-helm.apps-crc.testing
- Password: padogrid
If you want to access PadoGrid via HTTPS, then we need to terminate TLS as we did for the Management Center earlier.
cd_k8s oc_helm
oc create route edge tls-padogrid --service=padogrid-service \
--hostname=padogrid.demo.com --port 8888 --cert etc/tls/tls.crt --key etc/tls/tls.key
Assuming you are using OpenShift Local, open /etc/hosts and look for the IP address that has crc host names assigned. We need to append padogrid.demo.com to that IP address.
sudo vi /etc/hosts
Append padogrid.demo.com to the IP address that has crc host names assigned in /etc/hosts:
<ip-address> ... api.crc.testing ... mancenter.demo.com padogrid.demo.com
Run oc get route to get the PadoGrid URL:
oc get route tls-padogrid
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD
tls-padogrid padogrid.demo.com padogrid-service http edge None
- HTTPS URL: https://padogrid.demo.com
- Password: padogrid
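An edge route does not replace an existing plain-HTTP route for the same service, such as the padogrid-service route that start_padogrid creates, so the password-protected JupyterLab login stays reachable over HTTP. The following added example (not part of the bundle; audit_routes is a hypothetical name) lists the routes in a project that still serve plain HTTP.

```bash
#!/usr/bin/env bash
# Added example (not part of the bundle). Live input, one row per route:
#   oc get route -n oc-helm --no-headers -o custom-columns=NAME:.metadata.name,HOST:.spec.host,TLS:.spec.tls.termination,INSECURE:.spec.tls.insecureEdgeTerminationPolicy
# custom-columns prints <none> for a field the route does not set.

# Read rows on stdin; print each route that serves plain HTTP.
# Returns 1 if any such route exists, 0 otherwise.
audit_routes() {
  awk '
    NF < 4 || $1 == "NAME" { next }      # skip blank lines and a header row
    $3 == "<none>" {                      # no spec.tls section: HTTP only
      print $1 ": no TLS termination, served at http://" $2
      bad = 1; next
    }
    $4 == "Allow" {                       # TLS route that also answers over HTTP
      print $1 ": " $3 " termination, but plain HTTP is still allowed"
      bad = 1
    }
    END { exit (bad ? 1 : 0) }
  '
}

# Constructed sample rows modelled on the routes created in this article.
audit_routes <<'EOF' || echo "plain-HTTP routes found"
oc-helm-hazelcast-mancenter oc-helm-hazelcast-mancenter-oc-helm.apps-crc.testing <none> <none>
tls-mancenter mancenter.demo.com edge <none>
padogrid-service padogrid-service-oc-helm.apps-crc.testing <none> <none>
tls-padogrid padogrid.demo.com edge <none>
EOF
```

A flagged route can be removed with `oc delete route <name>`, which leaves only the edge route for that service.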
From your shell, run the login_padogrid_pod script as follows.
cd_k8s oc_helm/bin_sh
./login_padogrid_pod
Log in to the PadoGrid pod using one of the options described in Section 6.
The start_padogrid script automatically sets the Hazelcast service and the namespace for constructing the DNS address needed by the perf_test app to connect to the Hazelcast cluster. This allows us to simply log in to the PadoGrid pod and run the perf_test app.
If perf_test fails to connect to the Hazelcast cluster, then you may need to manually configure the Hazelcast client as described in the next section.
Create and run the perf_test app.
# First, change cluster context to the default cluster, 'myhz' so
# that we can create and run Hazelcast apps.
switch_cluster myhz
# Create 'perf_test' app
create_app
cd_app perf_test; cd bin_sh
# Ingest blob data into Hazelcast.
./test_ingestion -run
Read ingested data.
cd_app perf_test; cd bin_sh
./read_cache eligibility
./read_cache profile
The eligibility and profile maps contain blobs. They are meant for carrying out performance tests with different payload sizes. If you want to ingest non-blobs, then you can ingest the Northwind (nw) data generated by PadoGrid. To do so, you must first build the perf_test app and run the test_group script as shown below.
cd_app perf_test; cd bin_sh
./build_app
# After the build, run test_group
./test_group -run -prop ../etc/group-factory.properties
Read the nw data:
./read_cache nw/customers
./read_cache nw/orders
Exit from the PadoGrid pod.
exit
The test_ingestion script may fail to connect to the Hazelcast cluster if you started the PadoGrid pod before the Hazelcast cluster was started. In that case, you can simply restart PadoGrid. If it still fails even after the Hazelcast cluster has been started first, then you can manually enter the DNS address in the etc/hazelcast-client-k8s.xml file as described below.
cd_app perf_test
vi etc/hazelcast-client-k8s.xml
Enter the following in the etc/hazelcast-client-k8s.xml file. oc-helm-hazelcast is the service and oc-helm is the project name.
<kubernetes enabled="true">
<service-dns>oc-helm-hazelcast.oc-helm.svc.cluster.local</service-dns>
</kubernetes>
Enter the following in the etc/hazelcast-client-k8s.xml file. oc-helm-hazelcast-enterprise is the service and oc-helm is the project name.
<kubernetes enabled="true">
<service-dns>oc-helm-hazelcast-enterprise.oc-helm.svc.cluster.local</service-dns>
</kubernetes>
cd_k8s oc_helm; cd bin_sh
./cleanup -all -oss
cd_k8s oc_helm/bin_sh
./cleanup -all
oc delete project oc-helm
- Hazelcast Charts, https://github.com/hazelcast/charts
- Configuring Prometheus Metrics, README-PROM.md.