Background
Containerized deployment of the Pega WebUser node, exposed through a Kubernetes Ingress.
Prerequisites
- Kubernetes is installed 【Kubernetes - Installation】
- Helm is installed 【Helm - Installation】
- Containerd is installed 【Containerd - Installation】
- Ingress is configured 【Kubernetes - Ingress-Traefik configuration】
- Access to the Pega container images has been requested 【Official tutorial】
- The Pega database is installed 【Pega - Containerized deployment】
- Kafka is installed 【Kafka - Installation】
- SRS is installed 【Pega - SRS containerized deployment】
Detailed steps
Additional information:
- Pega's default Ingress controller is traefik
Step 1: Edit the pega.yaml configuration file to enable the WebUser ingress (ingress.enabled: true and ingress.domain under the web tier; the complete file used here follows)
---
global:
  # This values.yaml file is an example. For more information about
  # each configuration option, see the project readme.

  # Enter your Kubernetes provider.
  provider: "k8s"

  # Enter a name for the deployment if using multi-tenant services such as the Search and Reporting Service.
  customerDeploymentId:

  deployment:
    # The name specified will be used to prefix all of the Pega pods (replacing "pega" with something like "app1-dev").
    name: "pega"

  # Deploy Pega nodes
  actions:
    execute: "deploy"

  # Add custom certificates to be mounted to container
  # to support custom certificates as plain text (less secure), pass them directly using the certificates parameter;
  # to support multiple custom certificates as external secrets, specify each of your external secrets
  # as an array of comma-separated strings using the certificatesSecrets parameter.
  certificatesSecrets: []
  certificates: {}

  # Add krb5.conf file content here.
  # Feature is used for Decisioning data flows to fetch data from Kafka or HBase streams
  kerberos: {}

  # If a storage class to be passed to the VolumeClaimTemplates in search and stream pods, it can be specified here:
  storageClassName: ""

  # Provide JDBC connection information to the Pega relational database
  # If you are installing or upgrading on IBM DB2, update the udb.conf file in the /charts/pega/charts/installer/config/udb directory with any additional connection properties.
  jdbc:
    # url Valid values are:
    #
    # Oracle        jdbc:oracle:thin:@//localhost:1521/dbName
    # IBM DB/2 z/OS jdbc:db2://localhost:50000/dbName
    # IBM DB/2      jdbc:db2://localhost:50000/dbName:fullyMaterializeLobData=true;fullyMaterializeInputStreams=true;
    #               progressiveStreaming=2;useJDBC4ColumnNameAndLabelSemantics=2;
    # SQL Server    jdbc:sqlserver://localhost:1433;databaseName=dbName;selectMethod=cursor;sendStringParametersAsUnicode=false
    # PostgreSQL    jdbc:postgresql://localhost:5432/dbName
    url: "jdbc:postgresql://dev-upgrade-db-svc:5432/postgres"
    # driverClass -- jdbc class. Valid values are:
    #
    # Oracle        oracle.jdbc.OracleDriver
    # IBM DB/2      com.ibm.db2.jcc.DB2Driver
    # SQL Server    com.microsoft.sqlserver.jdbc.SQLServerDriver
    # PostgreSQL    org.postgresql.Driver
    driverClass: "org.postgresql.Driver"
    # pega.database.type Valid values are: mssql, oracledate, udb, db2zos, postgres
    dbType: "postgres"
    # For databases that use multiple JDBC driver files (such as DB2), specify comma separated values for 'driverUri'
    driverUri: "https://jdbc.postgresql.org/download/postgresql-42.7.3.jar"
    username: "postgres"
    password: "postgres"
    # To avoid exposing username & password, leave the jdbc.password & jdbc.username parameters empty (no quotes),
    # configure JDBC username & password parameters in the External Secrets Manager, and enter the external secret for the credentials
    # make sure the keys in the secret should be DB_USERNAME and DB_PASSWORD respectively
    external_secret_name: ""
    # CUSTOM CONNECTION PROPERTIES
    # Use the connectionProperties parameter to pass connection settings to your deployment
    # by adding a list of semi-colon-delimited required connection settings. The list string must end with ";".
    # For example, you can set a custom authentication using Azure Managed Identity and avoid using a password.
    # To pass an Authentication method and a managed identity, MSI Client ID,
    # set: connectionProperties: "Authentication=ActiveDirectoryMSI;msiClientId=<your Azure Managed Identity>;"
    connectionProperties: ""
    rulesSchema: "rules"
    dataSchema: "data"
    customerDataSchema: ""

  customArtifactory:
    # If you use a secured custom artifactory to manage your JDBC driver,
    # provide the authentication details below by filling in the appropriate authentication section,
    # either basic or apiKey.
    authentication:
      # Provide the basic authentication credentials or the API key authentication details to satisfy your custom artifactory authentication mechanism.
      basic:
        username: ""
        password: ""
      apiKey:
        headerName: ""
        value: ""
      # To avoid exposing basic.username,basic.password,apiKey.headerName,apiKey.value parameters, configure the
      # basic.username,basic.password,apiKey.headerName,apiKey.value parameters in External Secrets Manager, and enter the external secret for the credentials
      # make sure the keys in the secret should be CUSTOM_ARTIFACTORY_USERNAME , CUSTOM_ARTIFACTORY_PASSWORD , CUSTOM_ARTIFACTORY_APIKEY_HEADER , CUSTOM_ARTIFACTORY_APIKEY
      external_secret_name: ""
    # Leave customArtifactory.enableSSLVerification enabled to ensure secure access to your custom artifactory;
    # when customArtifactory.enableSSLVerification is false, SSL verification is skipped and establishes an insecure connection.
    enableSSLVerification: true
    # Provide a required domain certificate for your custom artifactory; if none is required, leave this field blank.
    certificate:

  docker:
    # If using a custom Docker registry, supply the credentials here to pull Docker images.
    registry:
      url: "pega-docker.downloads.pega.com"
      username: "PEGA_PROVIDE_USERID"
      password: "PEGA_PROVIDE_TOKEN"
    # To avoid exposing Docker registry details, create secrets to manage your Docker registry credentials.
    # Specify secret names as an array of comma-separated strings in double quotation marks using the imagePullSecretNames parameter. For example: ["secret1", "secret2"]
    imagePullSecretNames: []
    # Docker image information for the Pega docker image, containing the application server.
    pega:
      image: "pega-docker.downloads.pega.com/platform/pega:8.23.1"

  utilityImages:
    busybox:
      image: busybox:1.31.0
      imagePullPolicy: IfNotPresent
    k8s_wait_for:
      image: pegasystems/k8s-wait-for
      imagePullPolicy: "IfNotPresent"
      # waitTimeSeconds: 2
      # maxRetries: 1

  # Upgrade specific properties
  upgrade:
    # Configure only for aks/pks
    # Run "kubectl cluster-info" command to get the service host and https service port of kubernetes api server.
    # Example - Kubernetes master is running at https://<service_host>:<https_service_port>
    kube-apiserver:
      serviceHost: "API_SERVICE_ADDRESS"
      httpsServicePort: "SERVICE_PORT_HTTPS"

  # Set the `compressedConfigurations` parameter to `true` when the configuration files under charts/pega/config/deploy are in compressed format.
  # For more information, see the "Pega compressed configuration files" section in the Pega Helm chart documentation.
  compressedConfigurations: false

  pegaDiagnosticUser: ""
  pegaDiagnosticPassword: ""

  # Specify the Pega tiers to deploy
  tier:
    - name: "web"
      # Create an interactive tier for web users. This tier uses
      # the WebUser node type and will be exposed via a service to
      # the load balancer.
      nodeType: "WebUser"

      # Pega requestor specific properties
      requestor:
        # Inactivity time after which requestor is passivated
        passivationTimeSec: 900

      service:
        # For help configuring the service block, see the Helm chart documentation
        # https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/README.md#service
        httpEnabled: true
        port: 80
        targetPort: 8080
        # Use this parameter to deploy a specific type of service using the serviceType parameter and specify the type of service in double quotes.
        # This is an optional value and should be used based on the use case.
        # This should be set only in case of eks, gke and other cloud providers. This option should not be used for k8s and minikube.
        # For example if you want to deploy a service of type LoadBalancer, uncomment the following line and specify serviceType: "LoadBalancer"
        # serviceType: ""
        # Specify the CIDR ranges to restrict the service access to the given CIDR range.
        # Each new CIDR block should be added in a separate line.
        # Should be used only when serviceType is set to LoadBalancer.
        # Uncomment the following lines and replace the CIDR blocks with your configuration requirements.
        # loadBalancerSourceRanges:
        #   - "123.123.123.0/24"
        #   - "128.128.128.64/32"
        # Define custom ports for service here. If you want to use the custom ports for other services, please use the same configuration for those services.
        # customServicePorts:
        #   - name: <name>
        #     port: <port>
        #     targetPort: <port>
        # To configure TLS between the ingress/load balancer and the backend, set the following:
        tls:
          enabled: false
          # To avoid entering the certificate values in plain text, configure the keystore, keystorepassword, cacertificate parameter
          # values in the External Secrets Manager, and enter the external secret name below
          # make sure the keys in the secret should be TOMCAT_KEYSTORE_CONTENT, TOMCAT_KEYSTORE_PASSWORD and ca.crt respectively
          # In case of providing multiple secrets, please provide them in comma separated string format.
          external_secret_names: []
          # If using tools like cert-manager to generate certificates, please provide the keystore name that is autogenerated by the external tool.
          # Default is TOMCAT_KEYSTORE_CONTENT
          external_keystore_name: ""
          # If using external secrets operator and not using standard Password Key, please provide the key for keystore password.
          # Default is TOMCAT_KEYSTORE_PASSWORD
          external_keystore_password: ""
          keystore:
          keystorepassword:
          port: 443
          targetPort: 8443
          # set the value of CA certificate here in case of baremetal/openshift deployments - CA certificate should be in base64 format
          # pass the certificateChainFile file if you are using certificateFile and certificateKeyFile
          cacertificate:
          # provide the SSL certificate and private key as a PEM format
          certificateFile:
          certificateKeyFile:
          # if you will deploy traefik addon chart and enable traefik, set enabled=true; otherwise leave the default setting.
          traefik:
            enabled: false
            # the SAN of the certificate present inside the container
            serverName: ""
            # set insecureSkipVerify=true, if the certificate verification has to be skipped
            insecureSkipVerify: false

      ingress:
        enabled: true
        # For help configuring the ingress block including TLS, see the Helm chart documentation
        # https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/README.md#ingress
        # Enter the domain name to access web nodes via a load balancer.
        # e.g. web.mypega.example.com
        domain: "pega-webuser-ingress"
        # Configure custom path for given host along with pathType. Default pathType is ImplementationSpecific.
        # path:
        # pathType:
        tls:
          # Enable TLS encryption
          enabled: false
          # secretName:
          # useManagedCertificate: false
          # ssl_annotation:
          # For Openshift, Pega deployments enable TLS to secure the connection
          # from the browser to the router by creating the route using reencrypt termination policy.
          # Add your certificate, the corresponding key using the appropriate .pem or .crt format and
          # specify a CA certificate to validate the endpoint certificate.
          certificate:
          key:
          cacertificate:

      replicas: 2
      javaOpts: ""
      deploymentStrategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
        type: RollingUpdate

      livenessProbe:
        port: 8081

      # Optionally override the default or add additional resource specifications.
      # initialHeap: "8192m"
      # maxHeap: "8192m"
      resources:
        requests:
          memory: "8Gi"
          cpu: 2
        limits:
          memory: "12Gi"
          cpu: 4

      # To configure an alternative user for custom image, set value for runAsUser.
      # To configure an alternative group for volume mounts, set value for fsGroup
      # See, https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/README.md#security-context
      # securityContext:
      #   runAsUser: 9001
      #   fsGroup: 0

      hpa:
        enabled: true
        # To configure behavior specifications for hpa, set the required scaleUp & scaleDown values.
        # See, https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#stabilization-window
        # behavior:
        #   scaleDown:
        #     stabilizationWindowSeconds: 600

      # key/value pairs that are attached to the pods (https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
      # podLabels:

      # Topology spread constraints to control the placement of your pods across nodes, zones, regions, or other user-defined topology domains.
      # For more information please refer https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
      # If you want to apply topology spread constraints in other tiers, please use the same configuration as described here.
      # topologySpreadConstraints:
      #   - maxSkew: <integer>
      #     topologyKey: <string>
      #     whenUnsatisfiable: <string>
      #     labelSelector: <object>

      # Tolerations allow the scheduler to schedule pods with matching taints.
      # For more information please refer https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
      # If you want to apply tolerations to other tiers, please use the same configuration as described here.
      # tolerations:
      #   - key: "key1"
      #     operator: "Equal"
      #     value: "value1"
      #     effect: "NoSchedule"

      # Set enabled to true to include a Pod Disruption Budget for this tier.
      # To enable this budget, specify either a pdb.minAvailable or pdb.maxUnavailable
      # value and comment out the other parameter.
      pdb:
        enabled: false
        minAvailable: 1
        # maxUnavailable: "50%"

    - name: "batch"
      # Create a background tier for batch processing. This tier uses
      # a collection of background node types and will not be exposed to
      # the load balancer.
      nodeType: "BackgroundProcessing,Search,Batch,RealTime,Custom1,Custom2,Custom3,Custom4,Custom5,BIX"

      replicas: 2
      javaOpts: ""
      deploymentStrategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 0
        type: RollingUpdate

      livenessProbe:
        port: 8081

      # To configure an alternative user for your custom image, set value for runAsUser
      # To configure an alternative group for volume mounts, set value for fsGroup
      # See, https://github.com/pegasystems/pega-helm-charts/blob/master/charts/pega/README.md#security-context
      # securityContext:
      #   runAsUser: 9001
      #   fsGroup: 0

      hpa:
        enabled: true

      # Set enabled to true to include a Pod Disruption Budget for this tier.
      # To enable this budget, specify either a pdb.minAvailable or pdb.maxUnavailable
      # value and comment out the other parameter.
      pdb:
        enabled: false
        minAvailable: 1
        # maxUnavailable: "50%"

      resources:
        requests:
          memory: "8Gi"
          cpu: 2
        limits:
          memory: "12Gi"
          cpu: 4

# External services

# Cassandra automatic deployment settings.
cassandra:
  enabled: false
  persistence:
    enabled: true
  resources:
    requests:
      memory: "4Gi"
      cpu: 2
    limits:
      memory: "8Gi"
      cpu: 4

# Elasticsearch deployment settings.
# Note: This Elasticsearch deployment is used for Pega search, and is not the same Elasticsearch deployment used by the EFK stack.
# These search nodes will be deployed regardless of the Elasticsearch configuration above.
pegasearch:
  image: "pegasystems/search"
  memLimit: "3Gi"
  replicas: 1
  # Set externalSearchService to true to use the Search and Reporting Service.
  # Refer to the README document to configure SRS as a search functionality provider under this section.
  externalSearchService: true
  externalURL: dev-upgrade-srs
  srsAuth:
    enabled: false
    url: ""
    clientId: ""
    authType: ""
    privateKey: ""
    external_secret_name: ""

# Hazelcast settings (applicable from Pega 8.6)
hazelcast:
  # Hazelcast docker image for platform version 8.6 through 8.7.x
  image: "YOUR_HAZELCAST_IMAGE:TAG"
  # Hazelcast docker image for platform version 8.8 and later
  clusteringServiceImage: "pega-docker.downloads.pega.com/platform/clustering-service:1.3.9"
  # Setting below to true will deploy Pega Platform using a client-server Hazelcast model for version 8.6 through 8.7.x.
  # Note: Make sure to set this value as "false" in case of Pega Platform version before "8.6". If not set this will fail the installation.
  enabled: false
  # Setting below to true will deploy Pega Platform using a client-server Hazelcast model for version 8.8 and later.
  clusteringServiceEnabled: true
  # Setting related to Hazelcast migration.
  migration:
    # Set to `true` to initiate the migration job.
    initiateMigration: false
    # Reference the `platform/clustering-service-kubectl` Docker image to create the migration job.
    migrationJobImage: "YOUR_MIGRATION_JOB_IMAGE:TAG"
    # Set to `true` when migrating from embedded Hazelcast.
    embeddedToCSMigration: false
  # No. of initial members to join
  replicas: 2
  # UserName in the client-server Hazelcast model authentication. This setting is exposed and not secure.
  username: ""
  # Password in the client-server Hazelcast model authentication. This setting is exposed and not secure.
  password: ""
  # To avoid exposing username and password parameters, leave these parameters empty and configure
  # these cluster settings using an External Secrets Manager. Use the following keys in the secret:
  # HZ_CS_AUTH_USERNAME for username and HZ_CS_AUTH_PASSWORD for password.
  # Enter the external secret for these credentials below.
  external_secret_name: ""

# Stream (externalized Kafka service) settings.
stream:
  # Beginning with Pega Platform '23, enabled by default; when disabled, your deployment does not use a "Kafka stream service" configuration.
  enabled: true
  # Provide externalized Kafka service broker urls.
  bootstrapServer: "dev-pega870pe-kafka-svc:9092"
  # Provide Security Protocol used to communicate with kafka brokers. Supported values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL.
  securityProtocol: PLAINTEXT
  # If required, provide trustStore certificate file name
  # When using a trustStore certificate, you must also include a Kubernetes secret name, that contains the trustStore certificate,
  # in the global.certificatesSecrets parameter.
  # Pega deployments only support trustStores using the Java Key Store (.jks) format.
  trustStore: ""
  # If required provide trustStorePassword value in plain text.
  trustStorePassword: ""
  # If required, provide keyStore certificate file name
  # When using a keyStore certificate, you must also include a Kubernetes secret name, that contains the keyStore certificate,
  # in the global.certificatesSecrets parameter.
  # Pega deployments only support keyStores using the Java Key Store (.jks) format.
  keyStore: ""
  # If required, provide keyStore value in plain text.
  keyStorePassword: ""
  # If required, provide jaasConfig value in plain text.
  jaasConfig: ""
  # If required, provide a SASL mechanism. Supported values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512.
  saslMechanism: PLAIN
  # By default, topics originating from Pega Platform have the pega- prefix,
  # so that it is easy to distinguish them from topics created by other applications.
  # Pega supports customizing the name pattern for your Externalized Kafka configuration for each deployment.
  streamNamePattern: "pega-{stream.name}"
  # Your replicationFactor value cannot be more than the number of Kafka brokers. Pega recommended value is 3.
  replicationFactor: "1"
  # To avoid exposing trustStorePassword, keyStorePassword, and jaasConfig parameters, leave the values empty and
  # configure them using an External Secrets Manager, making sure you configure the keys in the secret in the order:
  # STREAM_TRUSTSTORE_PASSWORD, STREAM_KEYSTORE_PASSWORD and STREAM_JAAS_CONFIG.
  # Enter the external secret name below.
  external_secret_name: ""
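Before running the Helm install it is worth checking the values file for the settings the chart comments above keep warning about: credentials written in plain text where an external secret could be used, TLS verification switched off, an ingress exposed without TLS, and a Kafka connection on PLAINTEXT. The linter below is an added example, not part of the Pega Helm chart. It embeds a constructed weak excerpt of pega.yaml next to a hardened counterpart (the secret names pega-db-credentials, pega-registry-secret and pega-web-tls are placeholders), and uses a deliberately small YAML reader that assumes list items are indented under their parent key, which is how the file above is laid out.

```python
"""Lint a Pega Helm values file for settings that weaken the deployment.

Added example, not part of the Pega Helm chart. The YAML reader is deliberately
small (indented mappings, lists of mappings, scalars, comments) and assumes list
items are indented under their parent key, as in pega.yaml; it is not general YAML.
"""
from __future__ import annotations

# Constructed excerpts in the shape of pega.yaml, keeping only the keys the
# linter looks at. Secret names in the hardened variant are placeholders.
WEAK_VALUES = """\
global:
  jdbc:
    password: "postgres"             # plain-text credential
    external_secret_name: ""
  customArtifactory:
    enableSSLVerification: false
  docker:
    registry:
      password: "PEGA_PROVIDE_TOKEN"
    imagePullSecretNames: []
  tier:
    - name: "web"
      service:
        tls:
          traefik:
            insecureSkipVerify: true
      ingress:
        enabled: true
        tls:
          enabled: false
    - name: "batch"
stream:
  securityProtocol: PLAINTEXT
"""

HARDENED_VALUES = """\
global:
  jdbc:
    password:
    external_secret_name: "pega-db-credentials"
  customArtifactory:
    enableSSLVerification: true
  docker:
    imagePullSecretNames: ["pega-registry-secret"]
  tier:
    - name: "web"
      ingress:
        enabled: true
        tls:
          enabled: true
          secretName: "pega-web-tls"
stream:
  securityProtocol: SASL_SSL
"""


def flatten(text: str) -> dict[str, str]:
    """Map dotted key paths (list items as parent[i]) to their scalar values."""
    values: dict[str, str] = {}
    stack: list[tuple[int, str]] = []   # (indent, path) of the mappings still open
    counters: dict[str, int] = {}       # next index for each list path
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.split(" #")[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip(" ")), line.strip()
        while stack and stack[-1][0] >= indent:   # close mappings we have left
            stack.pop()
        prefix = stack[-1][1] if stack else ""
        if body.startswith("- "):                 # new element of the list at `prefix`
            idx = counters.get(prefix, 0)
            counters[prefix] = idx + 1
            prefix = f"{prefix}[{idx}]"
            stack.append((indent, prefix))
            body, indent = body[2:], indent + 2
        key, _, value = body.partition(":")
        path = f"{prefix}.{key.strip()}" if prefix else key.strip()
        if value.strip():
            values[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, path))          # nested mapping (or empty scalar)
    return values


def lint(values: dict[str, str]) -> list[tuple[str, str]]:
    """Return (path, problem) pairs; an empty list means no weak setting was found."""
    out: list[tuple[str, str]] = []
    if values.get("global.jdbc.password") and not values.get("global.jdbc.external_secret_name"):
        out.append(("global.jdbc.password", "database password in plain text; use external_secret_name"))
    if values.get("global.docker.registry.password") and values.get("global.docker.imagePullSecretNames", "[]") == "[]":
        out.append(("global.docker.registry.password", "registry token in plain text; use imagePullSecretNames"))
    if values.get("global.customArtifactory.enableSSLVerification") == "false":
        out.append(("global.customArtifactory.enableSSLVerification", "JDBC driver download without TLS verification"))
    if values.get("stream.securityProtocol", "PLAINTEXT") == "PLAINTEXT":
        out.append(("stream.securityProtocol", "Kafka traffic unencrypted and unauthenticated"))
    i = 0
    while f"global.tier[{i}].name" in values:    # one set of checks per tier
        t, name = f"global.tier[{i}]", values[f"global.tier[{i}].name"]
        if values.get(f"{t}.ingress.enabled") == "true" and values.get(f"{t}.ingress.tls.enabled") != "true":
            out.append((f"{t}.ingress.tls.enabled", f"tier {name}: ingress exposed over plain HTTP"))
        if values.get(f"{t}.service.tls.traefik.insecureSkipVerify") == "true":
            out.append((f"{t}.service.tls.traefik.insecureSkipVerify", f"tier {name}: backend certificate not verified"))
        i += 1
    return out


if __name__ == "__main__":
    for path, problem in lint(flatten(WEAK_VALUES)):
        print(f"{path}: {problem}")
```

Against the real file, run lint(flatten(open("pega.yaml").read())); the pega.yaml above trips the jdbc password, registry token, plain-HTTP ingress and PLAINTEXT Kafka checks, which matches the chart's own advice to move those values into external secrets and enable TLS before exposing the WebUser tier.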
Step 2: Deploy Pega
helm install dev-app-web pega/pega --values pega.yaml -n dev-upgrade
W0303 14:14:19.293363 2678493 warnings.go:70] annotation "kubernetes.io/ingress.class" is deprecated, please use 'spec.ingressClassName' instead
NAME: dev-app-web
LAST DEPLOYED: Mon Mar 3 14:14:16 2025
NAMESPACE: dev-upgrade
STATUS: deployed
REVISION: 1
TEST SUITE: None
Step 3: Check the complete deployment
# kubectl get pod,pv,pvc,svc,storageclass,ingress -n dev-upgrade
NAME READY STATUS RESTARTS AGE
pod/clusteringservice-0 1/1 Running 0 2m3s
pod/clusteringservice-1 1/1 Running 0 82s
pod/dev-pega870pe-kafka-f5b8db5f8-d5fvc 1/1 Running 7 (7d15h ago) 68d
pod/dev-pega870pe-zookeeper-848d59d4b7-gzhkl 1/1 Running 6 (7d15h ago) 68d
pod/dev-upgrade-batch-6bf9fbc7-47rbg 1/1 Running 0 2m3s
pod/dev-upgrade-batch-6bf9fbc7-lbczx 1/1 Running 0 2m3s
pod/dev-upgrade-constellation-767554b58f-q84hk 1/1 Running 6 (7d15h ago) 68d
pod/dev-upgrade-constellation-messaging-5547b9c98b-p7sdz 1/1 Running 1 (7d15h ago) 10d
pod/dev-upgrade-db-65b74bcfdf-dpkgz 1/1 Running 6 (7d15h ago) 68d
pod/dev-upgrade-srs-697cb7db6d-62sx8 1/1 Running 0 137m
pod/dev-upgrade-web-df4f96cf-jkmsc 1/1 Running 0 2m3s
pod/dev-upgrade-web-df4f96cf-z7t6v 1/1 Running 0 2m3s
pod/elasticsearch-master-0 1/1 Running 0 137m
pod/elasticsearch-master-1 1/1 Running 0 137m
pod/pega-hazelcast-0 1/1 Running 0 2m3s
pod/pega-hazelcast-1 1/1 Running 0 82s
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS VOLUMEATTRIBUTESCLASS REASON AGE
persistentvolume/dev-upgrade-constellation-app-pv 1Ti RWO Retain Bound dev-upgrade/dev-upgrade-constellation-app-pvc <unset> 72d
persistentvolume/dev-upgrade-db-pv
persistentvolume/pvc-08a7c3c1-afb1-4d42-9192-91dfe63dafbe 30Gi RWO Retain Bound dev-upgrade/elasticsearch-master-elasticsearch-master-0 nfs-csi-myk8s-pega-dev-es <unset> 137m
persistentvolume/pvc-a3a16839-8c59-4ad4-82d1-c852efaa08e5 30Gi RWO Retain Bound dev-upgrade/elasticsearch-master-elasticsearch-master-1 nfs-csi-myk8s-pega-dev-es <unset> 137m
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTESCLASS AGE
persistentvolumeclaim/dev-upgrade-constellation-app-pvc Bound dev-upgrade-constellation-app-pv 1Ti RWO <unset> 72d
persistentvolumeclaim/dev-upgrade-db-pvc Bound dev-upgrade-db-pv 1Ti RWO <unset> 68d
persistentvolumeclaim/elasticsearch-master-elasticsearch-master-0 Bound pvc-08a7c3c1-afb1-4d42-9192-91dfe63dafbe 30Gi RWO nfs-csi-myk8s-pega-dev-es <unset> 137m
persistentvolumeclaim/elasticsearch-master-elasticsearch-master-1 Bound pvc-a3a16839-8c59-4ad4-82d1-c852efaa08e5 30Gi RWO nfs-csi-myk8s-pega-dev-es <unset> 137m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/clusteringservice-service ClusterIP None <none> 5701/TCP 2m3s
service/dev-pega870pe-kafka-svc NodePort 10.99.115.98 <none> 9092:30006/TCP 68d
service/dev-pega870pe-zookeeper-svc NodePort 10.105.137.205 <none> 2181:30005/TCP 68d
service/dev-upgrade-constellation NodePort 10.102.66.125 <none> 3000:32463/TCP 68d
service/dev-upgrade-constellation-messaging NodePort 10.110.124.13 <none> 3000:30258/TCP 10d
service/dev-upgrade-db-svc NodePort 10.107.76.91 <none> 5432:30033/TCP 68d
service/dev-upgrade-srs ClusterIP 10.99.252.10 <none> 8080/TCP,80/TCP 137m
service/dev-upgrade-web ClusterIP 10.99.132.143 <none> 80/TCP 2m3s
service/elasticsearch-master ClusterIP 10.99.226.229 <none> 9200/TCP,9300/TCP 137m
service/elasticsearch-master-headless ClusterIP None <none> 9200/TCP,9300/TCP 137m
service/pega-hazelcast-service ClusterIP None <none> 5701/TCP 2m3s
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
storageclass.storage.k8s.io/nfs-csi-myk8s-pega-dev-es nfs.csi.k8s.io Retain Immediate true 138m
NAME CLASS HOSTS ADDRESS PORTS AGE
ingress.networking.k8s.io/dev-upgrade-web <none> pega-webuser-ingress 80 2m3s
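Reading the table above by eye works once; for repeated rollouts the same checks can be scripted against `kubectl get pod,ingress -n dev-upgrade -o json`. The script below is an added example, not part of the Pega chart or of kubectl. It embeds a constructed, abridged sample of that JSON (object names follow this deployment; the container name, readiness and restart counts are invented) and flags pods whose containers are not ready, an Ingress that still relies on the deprecated kubernetes.io/ingress.class annotation instead of spec.ingressClassName (the warning helm printed in Step 2, and the `<none>` in the CLASS column above), and an Ingress with no TLS section.

```python
"""Verify a Pega WebUser rollout from `kubectl get pod,ingress -o json` output.

Added example, not part of the Pega Helm chart or of kubectl. In practice read
the JSON from a file or a pipe; a constructed sample is embedded so it runs offline.
"""
from __future__ import annotations

import json
import sys

# Constructed, abridged v1 List in the shape of
# `kubectl get pod,ingress -n dev-upgrade -o json`. Object names follow the
# deployment above; the container name, readiness and restart counts are invented.
SAMPLE_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "Pod", "metadata": {"name": "dev-upgrade-web-df4f96cf-jkmsc"},
         "status": {"phase": "Running", "containerStatuses": [
             {"name": "pega-web-tomcat", "ready": True, "restartCount": 0}]}},
        {"kind": "Pod", "metadata": {"name": "dev-upgrade-web-df4f96cf-z7t6v"},
         "status": {"phase": "Running", "containerStatuses": [
             {"name": "pega-web-tomcat", "ready": False, "restartCount": 3}]}},
        {"kind": "Ingress",
         "metadata": {"name": "dev-upgrade-web",
                      "annotations": {"kubernetes.io/ingress.class": "traefik"}},
         "spec": {"rules": [{"host": "pega-webuser-ingress", "http": {"paths": [
             {"path": "/", "pathType": "ImplementationSpecific",
              "backend": {"service": {"name": "dev-upgrade-web", "port": {"number": 80}}}}]}}]}},
    ],
})


def check_pods(items: list) -> list[tuple[str, str]]:
    """Flag pods that are not Running with every container ready."""
    problems: list[tuple[str, str]] = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        name, status = obj["metadata"]["name"], obj.get("status", {})
        if status.get("phase") != "Running":
            problems.append((name, f"phase={status.get('phase')}"))
            continue
        for c in status.get("containerStatuses", []):
            if not c.get("ready"):
                problems.append((name, f"container {c['name']} not ready (restarts={c.get('restartCount', 0)})"))
    return problems


def check_ingress(items: list) -> list[tuple[str, str]]:
    """Flag ingresses whose class is not set via spec.ingressClassName, or that have no TLS section."""
    problems: list[tuple[str, str]] = []
    for obj in items:
        if obj.get("kind") != "Ingress":
            continue
        name, spec = obj["metadata"]["name"], obj.get("spec", {})
        annotations = obj["metadata"].get("annotations") or {}
        if not spec.get("ingressClassName"):
            # kubernetes.io/ingress.class is the deprecated mechanism helm warned about
            code = "deprecated-class-annotation" if "kubernetes.io/ingress.class" in annotations else "no-ingress-class"
            problems.append((name, code))
        if not spec.get("tls"):
            problems.append((name, "no-tls"))
    return problems


def verify(json_text: str) -> dict[str, list[tuple[str, str]]]:
    """Run both checks over a `kubectl get ... -o json` document."""
    items = json.loads(json_text).get("items", [])
    return {"pods": check_pods(items), "ingress": check_ingress(items)}


if __name__ == "__main__":
    # Default to the embedded sample; pass a file holding real kubectl output as argv[1].
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for kind, problems in verify(text).items():
        for name, problem in problems:
            print(f"{kind}: {name}: {problem}")
```

On the deployment above the Ingress check would report both findings: the chart emitted the class as an annotation (hence the deprecation warning and the empty CLASS column), and ingress.tls.enabled is false in pega.yaml, so the WebUser tier is reachable over plain HTTP only.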
Step 4: Access the application in the browser
That is all for this article. Thank you for reading; if you run into any problems, leave a comment and I will reply by email.