OpenShift Liberty Modernization

Modernizing enterprise Java workloads from IBM WebSphere Application Server to containerized Open Liberty on a bare metal OKD 4.x cluster — with full CI/CD automation, GitOps delivery, session clustering, and observability.

Type: Enterprise Modernization
Platform: OKD 4.x (OpenShift)
Hardware: 3x Beelink SER5 Max
Status: All 5 Phases Complete

OpenShift / OKD 4.x, Open Liberty, Jakarta EE 10, Tekton Pipelines, Argo CD, Ansible, Hazelcast, Prometheus, Grafana, GitHub Actions, Vagrant

Project Overview

This project demonstrates the complete modernization lifecycle that enterprises face when moving off legacy IBM WebSphere Application Server Network Deployment. It covers automating the existing environment with Ansible, migrating to Open Liberty, containerizing workloads, deploying to OpenShift via the WebSphere Liberty Operator, and running production-grade operations with monitoring, HA, and horizontal pod autoscaling.

Why This Matters:

  • Enterprise Java modernization is one of the most common migration patterns in DevOps
  • Demonstrates real OpenShift/OKD operations on bare metal infrastructure
  • Covers the full journey from legacy automation to cloud-native GitOps delivery
  • Uses Operator-managed workloads, not just raw Deployments
  • Three-tier CI/CD pipeline mirrors enterprise production patterns

Infrastructure

OKD Node 1

  • Beelink SER5 Max
  • AMD Ryzen 7 6800U (8C/16T)
  • 32GB LPDDR5
  • 1TB NVMe
  • Control plane + worker (converged)

OKD Node 2

  • Beelink SER5 Max
  • AMD Ryzen 7 6800U (8C/16T)
  • 32GB LPDDR5
  • 1TB NVMe
  • Control plane + worker (converged)

OKD Node 3

  • Beelink SER5 Max
  • AMD Ryzen 7 6800U (8C/16T)
  • 32GB LPDDR5
  • 1TB NVMe
  • Control plane + worker (converged)

The 3-node cluster runs the full OKD platform with converged control plane and worker roles, supporting the Liberty Operator, Argo CD, Prometheus monitoring, and all workloads. Installed via the OKD Assisted Installer.

Project Phases

All five phases are complete. Each phase builds on the previous one, covering the full modernization lifecycle.

Phase 1 — OKD Cluster Setup

3-node bare metal OKD 4.x cluster installed via Assisted Installer. WebSphere Liberty Operator deployed and validated with a sample application end-to-end.

Phase 2 — Liberty Containerization

Multi-stage Dockerfile builds a Jakarta EE 10 application on Open Liberty. Image pushed to GHCR, deployed via the Liberty Operator CR, and exposed through an OpenShift Route.

Phase 3 — Ansible WAS Automation

Vagrant provisions a 4-node WAS ND simulation (DMGR, two managed nodes, IHS). Ansible playbooks handle installation, cluster creation, application deployment, and IHS reverse proxy configuration.

Phase 4 — CI/CD Pipeline

GitHub Actions provides pre-merge quality gates. Tekton pipelines handle on-cluster builds with buildah. Argo CD watches the repository and auto-syncs deployments to OKD with self-heal enabled.

Phase 5 — HA and Operations

Hazelcast JCache provides session replication across Liberty instances. IHS load balances traffic. Prometheus scrapes Liberty metrics via mpMetrics, Grafana visualizes JVM and request data, and PrometheusRules fire alerts on pod failures, high latency, and error rates.

CI/CD Pipeline Architecture

The pipeline is split across three systems, each handling what it does best:

Stage | System | Responsibility
Quality Gates | GitHub Actions | Maven build, unit tests, Hadolint, Trivy scan. Blocks merge on failure. No cluster resources consumed.
Image Build | Tekton (OpenShift Pipelines) | On-cluster buildah image builds after merge to main. Pushes to GHCR, commits new image tag back to repo.
Deployment | Argo CD (OpenShift GitOps) | Watches manifests for changes. Auto-syncs the OpenLibertyApplication CR with self-heal and auto-prune.

This separation means GitHub Actions never needs direct cluster access for builds, Tekton leverages the cluster's own container runtime, and Argo CD provides a single source of truth for what's deployed.
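
Because Argo CD auto-syncs whatever the manifests say, the image reference that Tekton commits back to the repository is the control point worth gating. The check below is an added example, not code from the project: it reads the Operator's applicationImage field and rejects references outside GHCR or on a floating tag. The organisation name, the sample tags and the ghcr.io-only allowlist are assumptions.

```python
import re

ALLOWED_REGISTRIES = {"ghcr.io"}   # assumption: the only registry the pipeline pushes to
FLOATING_TAGS = {"", "latest"}     # an omitted tag resolves to "latest"

# Constructed sample manifests; organisation name and tag are illustrative.
PINNED = """\
apiVersion: apps.openliberty.io/v1
kind: OpenLibertyApplication
metadata:
  name: nexusliberty-app
spec:
  applicationImage: ghcr.io/example-org/nexusliberty-app:3f9c2ab
"""
FLOATING = PINNED.replace(":3f9c2ab", ":latest")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    tag = ""
    # A colon in the last path component is a tag; elsewhere it is a registry port.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    first, _, rest = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first, rest, tag, digest
    return "docker.io", name, tag, digest


def check_manifest(text):
    """Return policy violations for every applicationImage found in text."""
    problems = []
    pattern = r"^\s*applicationImage:\s*[\"']?([^\s\"'#]+)"
    for ref in re.findall(pattern, text, re.M):
        registry, _, tag, digest = parse_image_ref(ref)
        if registry not in ALLOWED_REGISTRIES:
            problems.append(f"{ref}: registry {registry} is not allowed")
        # A digest pins the content, so the tag no longer matters.
        if not digest and tag in FLOATING_TAGS:
            problems.append(f"{ref}: floating tag, pin a commit tag or digest")
    return problems
```

Run as a pre-merge step, a non-empty result from check_manifest would fail the job before Argo CD ever sees the change.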

Core Components

WebSphere Liberty Operator

Manages the application lifecycle via OpenLibertyApplication CRDs, handling probe injection, service creation, and route exposure.

Hazelcast Session Clustering

Embedded Hazelcast with Kubernetes-native discovery provides session replication across Liberty instances without an external cache tier.

Tekton Pipelines

On-cluster CI with buildah. No Docker-in-Docker required. Triggered by a self-hosted GitHub Actions runner pod inside the cluster.

Argo CD GitOps

Watches the repository for manifest changes and auto-syncs deployments to OKD. Self-heal ensures drift is corrected automatically.

Prometheus Observability

ServiceMonitors scrape Liberty mpMetrics. Grafana dashboards visualize JVM and request data. PrometheusRules fire alerts on failures.

Ansible WAS Automation

Playbooks and wsadmin Jython scripts automate the legacy WAS ND environment, demonstrating the "before" state that motivates modernization.

Technical Implementation

Application Stack:

  • Jakarta EE 10 / MicroProfile 6.1 application on Open Liberty 24.x
  • JAX-RS REST endpoints with MicroProfile Health liveness and readiness probes
  • Multi-stage Docker build (Maven build stage + Liberty runtime stage)
  • Edge-terminated TLS via OpenShift Routes

Quick Start:

    # Build Liberty image locally
    docker build -t nexusliberty-app:latest ./docker/liberty-app/

    # Test locally
    docker run -p 9080:9080 -p 9443:9443 nexusliberty-app:latest
    # App available at http://localhost:9080/nexusapp/

    # Deploy to OKD (Argo CD auto-syncs, or manually):
    oc apply -f openshift/liberty-deployment/WebSphereLibertyApplication.yaml

Repository Structure:

    nexusliberty/
    ├── app/                      # Jakarta EE application (Maven)
    ├── docker/
    │   ├── liberty-app/          # Liberty container image + server.xml
    │   └── ihs/                  # IHS (Apache HTTPD) load balancer
    ├── openshift/
    │   ├── liberty-deployment/   # Liberty Operator CR + RBAC
    │   ├── ihs-deployment/       # IHS load balancer manifests
    │   ├── monitoring/           # Prometheus + Grafana configs
    │   └── pipelines/            # Tekton CI pipeline
    ├── cluster/                  # OKD cluster-level config + GitOps
    ├── ansible/                  # WAS ND automation playbooks + roles
    ├── scripts/wsadmin/          # wsadmin Jython admin scripts
    ├── vagrant/                  # WAS ND on-prem simulation (4-node)
    └── docs/                     # Phase walkthroughs and runbooks

Engineering Decisions

  • Open Liberty over IBM WAS Liberty — Open-source upstream runtime with no license fees. Same enterprise features, and the Liberty Operator supports it natively.
  • Hazelcast JCache for sessions — Embedded with Kubernetes-native discovery via the K8s API. No external cache tier needed, keeps the architecture simple while demonstrating real HA.
  • Three-tier CI/CD split — GitHub Actions for cloud-hosted quality gates, Tekton for on-cluster builds with buildah, Argo CD for GitOps delivery. Each system does what it's best at.
  • Liberty Operator over raw Deployments — CRD-based lifecycle management mirrors how enterprises deploy Liberty on OpenShift in production.
  • Vagrant simulation for WAS ND — Demonstrates automation skill and the legacy "before" state without requiring an IBM license.

Skills Demonstrated

  • 5 Project Phases
  • 3 CI/CD Systems
  • 3 Bare Metal Nodes
  • 11+ Technologies

DevOps Skills:

  • OpenShift Operations: OKD cluster installation, Operator management, Routes, RBAC
  • GitOps: Argo CD application syncing with self-heal and auto-prune
  • CI/CD Pipelines: GitHub Actions, Tekton Pipelines, multi-stage delivery
  • Containerization: Multi-stage Docker builds, Liberty server configuration, GHCR registry
  • Configuration Management: Ansible playbooks, roles, inventory management, wsadmin scripting
  • Monitoring: Prometheus ServiceMonitors, Grafana dashboards, PrometheusRule alerts
  • High Availability: Hazelcast session clustering, IHS load balancing, HPA scaling
  • Enterprise Java: Jakarta EE 10, MicroProfile 6.1, Liberty Operator CRDs