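Deploying Camunda 8 Self-Managed with Docker
Following the official guidance, one point needs stating first: although the Docker images Camunda provides are themselves supported for production use, the Docker Compose files are intended for developers running an environment locally and are not designed for production; they are also subject to the open-source license terms. The official recommendation is still to use Kubernetes in production.
In addition, the provided Docker images are supported for production use only on Linux; Windows and macOS are supported for development environments only.
Installing the service images
Camunda distributes its Docker images through Docker Hub. All of these images are publicly accessible, with the exception of Web Modeler. The image information published by Camunda is listed below for reference: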
Component | Docker image | Link to configuration options |
---|---|---|
Zeebe | camunda/zeebe:latest | Environment variables |
Operate | camunda/operate:latest | Operate configuration |
Tasklist | camunda/tasklist:latest | Tasklist configuration |
Identity | camunda/identity:latest | Configuration variables |
Optimize | camunda/optimize:latest | Environment variables |
Connectors | camunda/connectors:latest | Connectors configuration |
Connectors Bundle | camunda/connectors-bundle:latest | Connectors configuration |
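Of these, Zeebe is the only component that is often run on its own as a standalone service. In that case it needs nothing else and can be started directly with docker run:

```bash
docker run --name zeebe -p 26500-26502:26500-26502 camunda/zeebe:latest
```

The command above gives you a broker node with the following ports:
- 8080: Gateway REST API (one of the ports clients need to use)
- 26500: Gateway gRPC API (one of the ports clients need to use)
- 26501: Command API (internal, gateway to broker)
- 26502: Internal API (internal, broker to broker)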
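The following is an added example, not code from the original post or from Camunda: it parses the `-p` mappings of a `docker run` command and compares them with the port roles listed above, reporting internal ports that are published and client ports that are missing or bound to every host interface. `LOCAL_CMD` is a constructed variant, and the parser assumes IPv4 `-p [ip:]host:container` specs.

```python
import shlex

# Port roles as listed on this page for the Zeebe container.
ZEEBE_PORTS = {
    8080: ("Gateway REST API", "client"),
    26500: ("Gateway gRPC API", "client"),
    26501: ("Command API", "internal"),
    26502: ("Internal API", "internal"),
}

def expand(spec):
    """'26500-26502' -> [26500, 26501, 26502]; '8080' -> [8080]."""
    lo, _, hi = spec.partition("-")
    return list(range(int(lo), int(hi or lo) + 1))

def published_ports(command):
    """Map container port -> host IP for every -p/--publish in a docker run command."""
    args = shlex.split(command)
    published = {}
    for flag, spec in zip(args, args[1:]):
        if flag not in ("-p", "--publish"):
            continue
        parts = spec.split("/")[0].split(":")  # drop a trailing /tcp or /udp
        host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"  # no IP given: all interfaces
        for port in expand(parts[-1]):
            published[port] = host_ip
    return published

def audit(command):
    """Return findings for a Zeebe docker run command, based on the port table above."""
    published = published_ports(command)
    findings = []
    for port, (name, role) in ZEEBE_PORTS.items():
        if role == "internal" and port in published:
            findings.append(f"{port} ({name}) is internal but published on {published[port]}")
        elif role == "client" and port not in published:
            findings.append(f"{port} ({name}) is not published to the host")
        elif role == "client" and published[port] == "0.0.0.0":
            findings.append(f"{port} ({name}) is reachable on every host interface")
    return findings

# The command from this page, and a constructed variant that publishes only
# the client-facing ports on the loopback interface.
PAGE_CMD = "docker run --name zeebe -p 26500-26502:26500-26502 camunda/zeebe:latest"
LOCAL_CMD = ("docker run --name zeebe -p 127.0.0.1:8080:8080 "
             "-p 127.0.0.1:26500:26500 camunda/zeebe:latest")

if __name__ == "__main__":
    for cmd in (PAGE_CMD, LOCAL_CMD):
        print(cmd, *audit(cmd), sep="\n  ")
```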
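Multi-platform image support
Since Camunda 8.2.0, all Camunda 8 Docker images are provided as multi-platform images, and your Docker client should automatically pull the image that matches your platform. Note, however, that according to Camunda the linux/amd64 image can be used in production, while the linux/arm64 image is currently recommended only for development environments.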
Web Modeler
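As mentioned in an earlier post, Web Modeler is available only in the commercial edition. Likewise, Web Modeler Self-Managed is available only to commercial-edition users.
The Web Modeler Docker images are not publicly accessible, but commercial-edition users can pull them from Camunda's private Docker registry. The images are listed below for reference; the official site has the latest information.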
Web Modeler Component | Docker image |
---|---|
Backend (restapi) | registry.camunda.cloud/web-modeler-ee/modeler-restapi:latest |
Frontend (webapp) | registry.camunda.cloud/web-modeler-ee/modeler-webapp:latest |
WebSocket server | registry.camunda.cloud/web-modeler-ee/modeler-websockets:latest |
Configuration notes
Zeebe
Volumes
The default data volume is located at /usr/local/zeebe/data; it contains all the data that should be persisted.
Configuration
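The Zeebe configuration is located at /usr/local/zeebe/config/application.yaml.
The logging configuration is located at /usr/local/zeebe/config/log4j2.xml.
We can also change the configuration of the Docker image through environment variables; see the official documentation for details, which are not covered here.
Available environment variables:
- ZEEBE_LOG_LEVEL: sets the log level of the Zeebe logger (default: info).
- ZEEBE_BROKER_NETWORK_HOST: sets the host address to bind to, instead of the container's IP.
- ZEEBE_BROKER_CLUSTER_INITIALCONTACTPOINTS: sets the contact points of the other brokers in a cluster setup.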
Optimize
Some configuration properties are optional and have default values:
Name | Description | Default value |
---|---|---|
SPRING_PROFILES_ACTIVE | Determines the mode Optimize is to be run in. For Self-Managed, set to ccsm. | |
CAMUNDA_OPTIMIZE_DATABASE | Determines the database Optimize will use. Allowed values: elasticsearch or opensearch | elasticsearch |
CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_URL | The URL at which Identity can be accessed by Optimize. | |
CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_BACKEND_URL | The URL at which the Identity auth provider can be accessed by Optimize. This should match the configured provider in Identity and is to be used for container to container communication. | |
CAMUNDA_OPTIMIZE_IDENTITY_CLIENTID | The Client ID used to register Optimize with Identity. | |
CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET | The secret used when registering Optimize with Identity. | |
CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE | The audience used when registering Optimize with Identity. | |
OPTIMIZE_ELASTICSEARCH_HOST* | The address/hostname under which the Elasticsearch node is available. | localhost |
OPTIMIZE_ELASTICSEARCH_HTTP_PORT* | The port number used by Elasticsearch to accept HTTP connections. | 9200 |
CAMUNDA_OPTIMIZE_OPENSEARCH_HOST** | The address/hostname under which the OpenSearch node is available. | localhost |
CAMUNDA_OPTIMIZE_OPENSEARCH_HTTP_PORT** | The port number used by OpenSearch to accept HTTP connections. | 9205 |
CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED | Determines if same-site is enabled for Optimize cookies. This must be set to false. | true |
CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_USERNAME* | The username for authentication in environments where a secured Elasticsearch connection is configured. | |
CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD* | The password for authentication in environments where a secured Elasticsearch connection is configured. | |
CAMUNDA_OPTIMIZE_OPENSEARCH_SECURITY_USERNAME** | The username for authentication in environments where a secured OpenSearch connection is configured. | |
CAMUNDA_OPTIMIZE_OPENSEARCH_SECURITY_PASSWORD** | The password for authentication in environments where a secured OpenSearch connection is configured. | |
CAMUNDA_OPTIMIZE_ENTERPRISE | This should only be set to true if an Enterprise License has been acquired. | true |
CAMUNDA_OPTIMIZE_ZEEBE_ENABLED | Enables import of Zeebe data in Optimize. | false |
CAMUNDA_OPTIMIZE_ZEEBE_NAME | The record prefix for exported Zeebe records. | zeebe-record |
CAMUNDA_OPTIMIZE_ZEEBE_PARTITION_COUNT | The number of partitions configured in Zeebe. | 1 |
CAMUNDA_OPTIMIZE_SHARING_ENABLED | Enable/disable the possibility to share reports and dashboards. | true |
SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI | Authentication for the Public REST API using a resource server to validate the JWT token. Complete URI to get public keys for JWT validation. | null |
OPTIMIZE_API_ACCESS_TOKEN | Authentication for the Public REST API using a static shared token. Will be ignored if SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI is also set. | |
For example, this docker-compose configuration:

```yaml
optimize:
  container_name: optimize
  image: camunda/optimize:latest
  ports:
    - 8090:8090
  environment:
    - SPRING_PROFILES_ACTIVE=ccsm
    - CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_URL=http://localhost:9090
    - CAMUNDA_OPTIMIZE_IDENTITY_ISSUER_BACKEND_URL=http://keycloak:8080/auth/realms/camunda-platform
    - CAMUNDA_OPTIMIZE_IDENTITY_CLIENTID=optimize
    - CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET=secret
    - CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE=optimize-api
    - OPTIMIZE_ELASTICSEARCH_HOST=localhost
    - OPTIMIZE_ELASTICSEARCH_HTTP_PORT=9200
    - CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false
    - CAMUNDA_OPTIMIZE_ENTERPRISE=false
    - CAMUNDA_OPTIMIZE_ZEEBE_ENABLED=true
    - CAMUNDA_OPTIMIZE_ZEEBE_NAME=zeebe-record
    - CAMUNDA_OPTIMIZE_ZEEBE_PARTITION_COUNT=1
    - CAMUNDA_OPTIMIZE_SHARING_ENABLED=true
    - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://weblogin.cloud.company.com/.well-known/jwks.json
    - OPTIMIZE_API_ACCESS_TOKEN=secret
```
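Self-Managed Optimize must be connected to the configured database in order to write and read data. Optimize also needs to connect to Identity for authentication. Both requirements can be configured with the options above.
In addition, according to the official documentation, Optimize must be configured as a client in Identity, and a user is granted access to Optimize only if they hold a role with the write * permission for Optimize.
For Optimize to import Zeebe data, it must know the prefix used when the records are exported to the database; this also needs to be set in the configuration.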
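The following is an added example, not code from the original post or from Camunda: a small check that reads an Optimize compose service and reports the settings the table above calls out (placeholder secrets, a static API token that is ignored once the JWK set URI is configured, the same-site cookie flag) plus an unpinned image tag. The placeholder word list, the `<pinned-version>` tag and the `OPTIMIZE_CLIENT_SECRET` variable name are constructed for illustration.

```python
import re

SECRET_KEY = re.compile(r"(CLIENTSECRET|PASSWORD|ACCESS_TOKEN)$")
PLACEHOLDERS = {"", "secret", "password", "changeme", "demo"}  # constructed list
JWKS = "SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI"
TOKEN = "OPTIMIZE_API_ACCESS_TOKEN"
SAME_SITE = "CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED"

def parse_service(text):
    """Return (image, env) from one compose service written with '- KEY=VALUE' entries."""
    image = re.search(r"^[ \t]*image:[ \t]*(\S+)", text, re.M)
    env = dict(re.findall(r"^[ \t]*-[ \t]*([A-Z][A-Z0-9_]*)=(.*?)[ \t]*$", text, re.M))
    return (image.group(1) if image else None), env

def lint(text):
    """Check the settings the Optimize table on this page calls out."""
    image, env = parse_service(text)
    findings = []
    if image and (image.endswith(":latest") or ":" not in image.split("/")[-1]):
        findings.append(f"image {image} is not pinned to a version")
    for key, value in env.items():
        if SECRET_KEY.search(key) and value.lower() in PLACEHOLDERS:
            findings.append(f"{key} holds a placeholder value")
    if env.get(JWKS) and TOKEN in env:
        findings.append(f"{TOKEN} is ignored because {JWKS} is set")
    if env.get(SAME_SITE, "true").lower() != "false":
        findings.append(f"{SAME_SITE} must be false (default: true)")
    return findings

# Excerpt of the compose service shown on this page.
PAGE_SERVICE = """
optimize:
  image: camunda/optimize:latest
  ports:
    - 8090:8090
  environment:
    - CAMUNDA_OPTIMIZE_IDENTITY_CLIENTSECRET=secret
    - CAMUNDA_OPTIMIZE_SECURITY_AUTH_COOKIE_SAME_SITE_ENABLED=false
    - SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=https://weblogin.cloud.company.com/.well-known/jwks.json
    - OPTIMIZE_API_ACCESS_TOKEN=secret
"""
# Constructed variant: placeholder tag, secret supplied via Compose variable substitution.
FIXED_SERVICE = PAGE_SERVICE.replace(":latest", ":<pinned-version>") \
    .replace("CLIENTSECRET=secret", "CLIENTSECRET=${OPTIMIZE_CLIENT_SECRET}") \
    .replace("    - OPTIMIZE_API_ACCESS_TOKEN=secret\n", "")

if __name__ == "__main__":
    print("\n".join(lint(PAGE_SERVICE)))
```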
Connectors
For Connectors, we can use the official Docker Compose file to conveniently deploy and use the various Connectors; the deployment uses the Connectors Bundle Docker image.
Note that licensing applies to Connectors as well: Camunda provides official connectors, and other open-source connectors can also be used. An overview can be found in the Connectors Bundle project.
Running a single connector container instance

```bash
docker run --rm --name=MyConnectorsInstance \
  --network=camunda-platform_camunda-platform \
  -e ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS=zeebe:26500 \
  -e ZEEBE_CLIENT_SECURITY_PLAINTEXT=true \
  -e CAMUNDA_CONNECTOR_POLLING_ENABLED=false \
  -e CAMUNDA_CONNECTOR_WEBHOOK_ENABLED=false \
  -e OPERATE_CLIENT_ENABLED=false \
  camunda/connectors-bundle:latest
```