Webapp deployment

A Java Web Application (webapp) is a collection of servlets, other Java classes, static resources (such as HTML pages), other resources, and meta information that describes the webapp bundled together.

The Java webapp in Magnolia PaaS has a typical structure.

Webapp structure example
custom
├── .gitignore
├── .gitlab-ci.yml (1)
├── .m2
│   └── settings.xml
├── README.md
├── custom-webapp
│   ├── Dockerfile
│   ├── pom.xml
│   ├── src
│   └── target
├── pom.xml
└── values.yml (2)
1 The .gitlab-ci.yml file ensures your development changes are automatically picked up.
2 The values.yml file ensures your Magnolia PaaS application is deployed to the your cluster.

The pipeline

When Magnolia PaaS is set up with GitLab, changes in your project automatically trigger your pipeline via what is configured in your .gitlab-ci.yml file.

This way, changes are picked up automatically and you don’t have to worry about it. However, the final deployment step is sometimes manual and you’ll need to make a deploy action to finish the process. This is typically done by clicking a button manually in GitLab.

gitlab manual deploy action

The .gitlab-ci.yml file

It’s important that you configure the .gitlab-ci.yml file correctly so that your development changes are picked up and deployed. If you are using a different CI/CD pipeline, you can use this file as a blueprint.

Magnolia automatically picks up the changes when using this approach.
.gitlab-ci.yml
# Use the latest Maven version

stages:
  - build
  - push
  - deploy

variables:
  MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
  MAVEN_CLI_OPTS: "-s .m2/settings.xml --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"

# Build the Maven project.
build-magnolia: (1)
  image: maven:3.6-jdk-11-slim
  stage: build
  cache:
    key: "$CI_JOB_NAME"
    paths:
      - $CI_PROJECT_DIR/.m2/repository
  before_script:
    - mkdir -p $CI_PROJECT_DIR/.m2
  script:
    - mvn $MAVEN_CLI_OPTS package
    - ls -Fahl base-webapp/target
  artifacts:
    expire_in: 30 days
    paths:
      - base-webapp/target/*.war

# Build docker images based on artifacts from the build stage.
push-docker-image: (2)
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  stage: push
  dependencies:
    - build-magnolia
  before_script:
    - export WEBAPP_IMAGE=${CI_REGISTRY_IMAGE}/magnolia-webapp
    - export GIT_TAG=$CI_COMMIT_SHORT_SHA (3)
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json (4)
  script:
    - cd base-webapp
    - /kaniko/executor --context . --dockerfile ./Dockerfile --destination "$WEBAPP_IMAGE:$GIT_TAG"

.deploy: (5)
  image: registry.gitlab.com/mironet/helm-kubectl-gomplate:v0.0.5
  stage: deploy
  before_script:
    - export GIT_TAG=$CI_COMMIT_SHORT_SHA
    - helm repo add mironet https://charts.mirohost.ch/
    - export HELM_CHART_VERSION={helm-chart-version}
    - export KUBECONFIG=$KUBE_CONFIG (6)

deploy-dev: (7)
  extends: .deploy
  script:
    - export DEPLOYMENT=dev
    - export LE_ENVIRONMENT=letsencrypt-prod
    - cat values.yml | gomplate > ${DEPLOYMENT}.yml
    - cat ${DEPLOYMENT}.yml
    - helm upgrade -i ${DEPLOYMENT} mironet/magnolia-helm --version ${HELM_CHART_VERSION} -f ${DEPLOYMENT}.yml --create-namespace -n ${DEPLOYMENT}
    - kubectl annotate --overwrite namespace ${DEPLOYMENT} field.cattle.io/projectId=\`kubectl get namespace default --output="jsonpath={.metadata.annotations.field\.cattle\.io/projectId}"` (8)
    - kubectl -n default get secret activation-key -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
    - kubectl -n default get secret gitlab -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
    - kubectl -n default get secret s3-backup-key -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
  environment:
    name: dev (10)
  when: manual (11)

deploy-uat: (7)
  extends: .deploy
  script:
    - export DEPLOYMENT=uat
    - export LE_ENVIRONMENT=letsencrypt-prod
    - cat values.yml | gomplate > ${DEPLOYMENT}.yml
    - cat ${DEPLOYMENT}.yml
    - helm upgrade -i ${DEPLOYMENT} mironet/magnolia-helm --version ${HELM_CHART_VERSION} -f ${DEPLOYMENT}.yml --create-namespace -n ${DEPLOYMENT}
    - kubectl annotate --overwrite namespace ${DEPLOYMENT} field.cattle.io/projectId=\`kubectl get namespace default --output="jsonpath={.metadata.annotations.field\.cattle\.io/projectId}"` (8)
    - kubectl -n default get secret activation-key -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
    - kubectl -n default get secret gitlab -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
    - kubectl -n default get secret s3-backup-key -o json | jq 'del(.metadata.annotations,.metadata.labels,.metadata.namespace,.metadata.resourceVersion,.metadata.uid,.metadata.namespace,.metadata.creationTimestamp)' | kubectl apply -n ${DEPLOYMENT}  -f - (9)
  environment:
    name: dev (10)
  when: manual (11)
1 In the build-magnolia stage, the web app is built using maven, as with any Magnolia project.
2 In the push-docker-image stage, the Docker image is built and pushed to the Docker registry (in this case the GitLab registry), using the Dockerfile located in the webapp folder.
3 The GIT_TAG is used to set the tag for the created Docker image.
4 The environment variables are set automatically by GitLab if the GitLab registry is used for the project.

We recommend that you use GitLab.

env variables
  • $CI_REGISTRY_USER

  • $CI_REGISTRY_PASSWORD

  • $CI_REGISTRY

5 The general deployment stage defines the helm chart repo and the version of the Helm chart to be used in the actual deployments.
6 The KUBE_CONFIG CI/CD variable should be defined as type File and hold KubeConfig of the cluster the deployment should go to. The same variable can be defined in different environment scopes (see 10)
7 The actual deployment stages define the namespace and prefix for the deployment. These stages can be duplicated for different namespaces (so that deployments can run in parallel on the cluster) and for different clusters (see 10).
8 The newly created namespace is added to the Rancher default project.
9 The needed secrets are copied over from the default namespace to the newly created namespace.
10 The environment name corresponds to the environment scope (dev or prod) defined in the Deployments section. In different environments the same variable names can be used.
11 The deployment must be triggered manually.

The values.yml file

The values.yml file will hold the configuration used by the Magnolia Helm Chart in the process of deploying the application to the cluster. Properties like DEPLOYMENT must be the same as in the .gitlab-ci.yml file.

Here, we provide you with a template values.yml file to get you started.

For more details on values, see our Magnolia PaaS Helm Values reference page.
Prod vs non-prod

Typically, you will have a values.yml file for both prod and non-prod as the values will be different depending on if the deployment is intended for testing or production. We encourage you to have separate files for this purpose.

Example:

  • test = values.yml

  • prod = values-prod.yml

Cert-manager
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: 512m
    cert-manager.io/cluster-issuer: "letsencrypt-prod" (1)
1 The cert-manager is automatically created by us. However, you can use your own. If you choose to do this, please contact the Magnolia PaaS Helpdesk.

Sample file

values.yml
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-body-size: 512m
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
  #
  # run author and public in different contexts and use the same domain name
  # only one of these hosts/tls sections may be active
  #
  hosts:
    - host: {{ .Env.DEPLOYMENT }}.<realm>.magnolia-platform.com (1) (2)
      paths:
        - path: /
          instance: public
        - path: /author
          instance: author
  tls:
  - hosts:
    - {{ .Env.DEPLOYMENT }}.<realm>.magnolia-platform.com (1) (2)
    secretName: {{ .Env.DEPLOYMENT }}-<realm>-magnolia-platform-com (1) (2)
  #
  # run author and public in ROOT context and use different domain names
  # only one of these hosts/tls sections may be active
  #
#  hosts:
#  - host: {{ .Env.DEPLOYMENT }}.author.<realm>.magnolia-platform.com
#    paths:
#    - path: /
#      instance: author
#  - host: {{ .Env.DEPLOYMENT }}.frontend-author.<realm>.magnolia-platform.com
#    paths:
#    - path: /
#      instance: frontend-author
#  - host: {{ .Env.DEPLOYMENT }}.public.<realm>.magnolia-platform.com
#    paths:
#    - path: /
#      instance: public
#  - host: {{ .Env.DEPLOYMENT }}.frontend-public.<realm>.magnolia-platform.com
#    paths:
#    - path: /
#      instance: frontend-public
#  tls:
#  - hosts:
#    - {{ .Env.DEPLOYMENT }}.author.<realm>.magnolia-platform.com
#    - {{ .Env.DEPLOYMENT }}.public.<realm>.magnolia-platform.com
#    - {{ .Env.DEPLOYMENT }}.frontend-author.<realm>.magnolia-platform.com
#    - {{ .Env.DEPLOYMENT }}.frontend-public.<realm>.magnolia-platform.com
#    secretName: {{ .Env.DEPLOYMENT }}-<realm>-magnolia-platform-com
image:
  pullSecrets: (3)
    - name: gitlab
  pullPolicy: Always
magnoliaAuthor:
  enabled: true
  restartPolicy: Always
  redeploy: true (4)
  bootstrap:
    password: "<password>" (5)
  #
  # run author and public in different contexts and use the same domain name
  # only one of these contextPath values may be active
  #
  contextPath: /author
  #
  # run author and public in ROOT context and use different domain names
  # only one of these contextPath values may be active
  #
#  contextPath: /
  sameSiteCookies: strict
  webarchive:
    repository: {{ .Env.CI_REGISTRY_IMAGE }}/magnolia-webapp
    tag: {{ .Env.GIT_TAG | quote }}
  activation:
    useExistingSecret: True (6)
    secret:
      name: activation-key
      key: activation-secret
  env:
    - name: instance
      value: "author"
    - name: deployment
      value: {{ .Env.DEPLOYMENT }}
    - name: magnolia.superuser.enabled
      value: "true"
    - name: magnolia.superuser.password
      value: "<password>" (5)
    - name: magnolia.bootstrap.license.owner
      value: "[replace with email]" (7)
    - name: magnolia.bootstrap.license.key
      value: "[replace with key]" (7)
  setenv:
    memory:
      maxPercentage: 60 (8)
  resources:
    requests:
      memory: 4Gi (9)
    limits:
      memory: 4Gi (9)
  livenessProbe:
    enabled: true
    path: "/.rest/status"

  db:
    persistence:
      size: "10Gi" (10)
    contentsync:
      enabled: true
    restore:
      enabled: False
    backup:
      enabled: True (11)
      env:
        - name: MGNLBACKUP_USE_PG_WAL
          value: "true"
        - name: MGNLBACKUP_SYNC_DIR
          value: "/archive"
        - name: MGNLBACKUP_NO_STDOUT
          value: "true"
        - name: MGNLBACKUP_LOGLEVEL
          value: "debug"
        - name: MGNLBACKUP_BUCKET
          value: "<realm>-backup-bucket" (2)
        - name: MGNLBACKUP_PREFIX
          value: "{{ .Env.DEPLOYMENT }}/author"
        - name: MGNLBACKUP_CRON
          value: "0 3 * * *" (12)
        - name: MGNLBACKUP_KEEPDAYS
          value: "30"
        #
        # Choose backup location based on cloud provider of the cluster
        #
        # Backup to S3
        - name: MGNLBACKUP_S3_ENDPOINT (13)
          value: "s3.eu-central-1.amazonaws.com"
        - name: MGNLBACKUP_S3_REGION
          value: "eu-central-1"
        - name: MGNLBACKUP_S3_ACCESSKEY
          valueFrom:
            secretKeyRef:
              name: s3-backup-key
              key: accesskey
        - name: MGNLBACKUP_S3_SECRETKEY
          valueFrom:
            secretKeyRef:
              name: s3-backup-key
              key: secretkey
        - name: MGNLBACKUP_TAGS_RELEASE
          value: {{ .Env.DEPLOYMENT }}
        # Backup to Azure storage
#        - name: MGNLBACKUP_AZ_ACCOUNT_NAME
#          valueFrom:
#            secretKeyRef:
#              name: az-backup-key
#              key: AccountName
#        - name: MGNLBACKUP_AZ_ACCOUNT_KEY
#          valueFrom:
#            secretKeyRef:
#              name: az-backup-key
#              key: AccountKey

magnoliaPublic:
  enabled: true
  replicas: 1 (14)
  restartPolicy: Always
  bootstrap:
    password: <password>" (5)
  contextPath: /
  sameSiteCookies: strict
  webarchive:
    repository: {{ .Env.CI_REGISTRY_IMAGE }}/magnolia-webapp
    tag: {{ .Env.GIT_TAG | quote }}
  activation:
    useExistingSecret: True (6)
    secret:
      name: activation-key
      key: activation-secret
  env:
    - name: instance
      value: "public"
    - name: deployment
      value: {{ .Env.DEPLOYMENT }}
    - name: magnolia.superuser.enabled
      value: "true"
    - name: magnolia.superuser.password
      value: "<password>" (5)
    - name: magnolia.bootstrap.license.owner
      value: "[replace with email]" (7)
    - name: magnolia.bootstrap.license.key
      value: "[replace with key]" (7)
  setenv:
    memory:
      maxPercentage: 80 (8)
  resources:
    requests:
      memory: 4Gi (9)
    limits:
      memory: 4Gi (9)
  livenessProbe:
    enabled: true
    path: "/.rest/status"
  db:
    persistence:
      size: "10Gi" (10)
    contentsync:
      enabled: true
    restore:
      enabled: False
    backup:
      enabled: True (11)
      env:
        - name: MGNLBACKUP_USE_PG_WAL
          value: "true"
        - name: MGNLBACKUP_SYNC_DIR
          value: "/archive"
        - name: MGNLBACKUP_NO_STDOUT
          value: "true"
        - name: MGNLBACKUP_LOGLEVEL
          value: "debug"
        - name: MGNLBACKUP_HERITAGE
          value: "magnolia-backup"
        - name: MGNLBACKUP_BUCKET
          value: "<realm>-backup-bucket" (2)
        - name: MGNLBACKUP_PREFIX
          value: "{{ .Env.DEPLOYMENT }}/public"
        - name: MGNLBACKUP_CRON
          value: "0 3 * * *" (12)
        - name: MGNLBACKUP_KEEPDAYS
          value: "30"
        #
        # Choose backup location based on cloud provider of the cluster
        #
        # Backup to S3
        - name: MGNLBACKUP_S3_ENDPOINT (13)
          value: "s3.eu-central-1.amazonaws.com"
        - name: MGNLBACKUP_S3_REGION
          value: "eu-central-1"
        - name: MGNLBACKUP_S3_ACCESSKEY
          valueFrom:
            secretKeyRef:
              name: s3-backup-key
              key: accesskey
        - name: MGNLBACKUP_S3_SECRETKEY
          valueFrom:
            secretKeyRef:
              name: s3-backup-key
              key: secretkey
        - name: MGNLBACKUP_TAGS_RELEASE
          value: {{ .Env.DEPLOYMENT }}
        # Backup to Azure storage
#        - name: MGNLBACKUP_AZ_ACCOUNT_NAME
#          valueFrom:
#            secretKeyRef:
#              name: az-backup-key
#              key: AccountName
#        - name: MGNLBACKUP_AZ_ACCOUNT_KEY
#          valueFrom:
#            secretKeyRef:
#              name: az-backup-key
#              key: AccountKey


# Additional jars which should be loaded into tomcat can be specified here.
jars:
  - name: jmx-exporter
    repository: registry.gitlab.com/mironet/magnolia-jar
    tag: jmx_prometheus_javaagent-0.13.0
    env:
      - name: INIT_DEST
        value: /extraLibs/
    initScript: /init.sh
1 The {{ .Env.DEPLOYMENT }} value should be set by the build pipeline and should be the same as used in the RELEASE value in the Helm call.
A wildcard DNS entry for <realm>.magnolia-platform.com `would support any valid value for `{{ .Env.DEPLOYMENT }} and create a corresponding SSL certificate.
2 The <realm> name is generated by Magnolia when we create your cluster. You can set this value as shortname while creating the Magnolia project using the Cloud Archetype
This is typically your company name.
3 Specify the pullSecrets.
if the webarchive image is located in a private registry, see [Use Docker secret].
4 Boolean specifying if there is an automatic redeployment triggered by changes.
defaults
  • magnoliaAuthor = false

  • magnoliaPublic = true

If set to true the instance is restarted even if the tag of the webarchive was not changed between deployments.

5 Specify the environment password.
This must be the same in all places for the bootstrapping container to work correctly.
6 The activation key is handled by the bootstrapper container. This keeps magnoliaAuthor and magnoliaPublic in sync.
7 These 2 values must be replaced with the license info for this project, provided by Magnolia.
8 Specify the maximum percentage memory that is reserved for the tomcat container.

Default = 60

9 Sets your memory for requests and limits.
4GB is typically sufficient for Magnolia CMS.
10 Sets the volume size of the database.
10Gi is typically sufficient for a dev environment, 100Gi for production.
11 Defines that backups of the database are taken and stored to an S3 bucket or Azure storage (depending on your cloud provider) provisioned by Magnolia. The value of the MGNLBACKUP_BUCKET will be provided to you by Magnolia
Every transaction is written, which allows point-in-time recovery, see PostGres Continuous Archiving for more details.
12 Defines the time when the full backup of the database takes place, in CRON syntax.
The example shows every day at 3am.
13 The values for the endpoints and credential secrets will be provided by Magnolia, comment either the _S3_ or _AZ_ values, depending on your cloud provider
14 The replicas parameter used on magnoliaPublic defines how many public instances are created. If not defined, 1 public instance is created.

Clone Secrets with Rancher 2.6

Before Rancher 2.6, you could create a ("project-unbound") secret in the All namespace. Rancher made those secrets available to all projects and namespaces.

This feature was deprecated deprecated with Rancher 2.6 for a good reason, as it breaks recommended namespace isolation.

To achieve this same goal:

  1. Copy the secrets using the Rancher UI:

  2. Then clone the desired secret and into the target namespace (ie. namespace uat).

    clonesecret 1blur

    clonesecret 2blur

values.yml

This is good to know when needed in the values.yml file under the useExistingSecret field as it will provide the activation key secret for the target environment.

...
magnoliaAuthor:
  replicas: 1
  restartPolicy: Always
  redeploy: true
  contextPath: /author
  webarchive:
    repository: {{ .Env.CI_REGISTRY_IMAGE }}/magnolia-webapp
    tag: "{{ .Env.GIT_TAG | quote }}"
  bootstrap:
    password: "<password>"
  activation:
    useExistingSecret: True (1)
    secret:
      name: activation-key
      key: activation-secret
...
magnoliaPublic:
  replicas: 2
  restartPolicy: Always
  contextPath: /
  webarchive:
    repository: {{ .Env.CI_REGISTRY_IMAGE }}/magnolia-webapp
    tag: "{{ .Env.GIT_TAG | quote }}"
  bootstrap:
    password: "<password>"
  activation:
    useExistingSecret: True (1)
    secret:
      name: activation-key
      key: activation-secret
...
1 The activation key is handled by the bootstrapper container. This keeps magnoliaAuthor and magnoliaPublic in sync.
Feedback

PaaS

×

Location

This widget lets you know where you are on the docs site.

You are currently perusing through the Magnolia PaaS docs.

Main doc sections

DX Core Headless PaaS Legacy Cloud Incubator modules