...
The preparations described below are required to install
...
Usage Engine using Helm charts and Docker images. Read through the steps below and follow each step before installing.
Fetching and Configuring Helm Charts
You will download the Helm chart with the instructions below:
When you are required to enter the <chart version>, refer
...
to Release Information for the Helm Chart version required
Info
The Helm chart configuration installs a large portion of the product, apart from the ECD instance.
...
...
Access Control for Kubernetes Resources
...
...
Note
All information about available properties and values that you may want to update is contained within the Helm chart itself.
...
Note!
Ensure that there is no firewall rule that restricts access to the exposed ports to the cluster. See Installation - Private Cloud (3.0) for more information concerning ports.
In case a downgrade is needed later, you must define Persistent Storage.
For information about Persistent Storage, see Persistent Storage (2.2).
Create Kubernetes Docker pull secret
All the usage-engine-private-edition container images are kept in a private repository (AWS ECR).
In order to pull the container images in the Kubernetes cluster you will need to create a secret for use with Digitalroute AWS ECR. You will need to have the access keys provided by Digitalroute in order to create the secret.
Export AWS keys
```bash
$ export AWS_ACCESS_KEY_ID=<access key provided by Digitalroute>
$ export AWS_SECRET_ACCESS_KEY=<secret access key provided by Digitalroute>
$ export AWS_REGION=eu-west-1
```
Create Secret
```bash
$ kubectl create secret docker-registry <name of the secret> \
    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
    --docker-username=AWS \
    --docker-password="$(aws ecr get-login-password --region eu-west-1)" \
    -n <namespace>
```
Example
Create a secret named ecr-cred in the default namespace.

```bash
$ kubectl create secret docker-registry ecr-cred \
    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
    --docker-username=AWS \
    --docker-password="$(aws ecr get-login-password --region eu-west-1)" \
    -n default

# Verify that the secret is created.
$ kubectl get secret ecr-cred -n default
NAME       TYPE                             DATA   AGE
ecr-cred   kubernetes.io/dockerconfigjson   1      25s
```
When installing usage-engine-private-edition you will need to use the ecr-cred secret in set values.
Info
The created pull secret is only valid for 12 hours! You can re-create the pull secret at any time by deleting it and creating it again.
Using CronJob to sync ECR credentials as a Kubernetes secret
This is the recommended procedure to make sure the secret is always valid.
Copy the content below into a YAML file and make sure to update the namespaces and access keys.
The YAML below updates the secret ecr-cred every 8 hours in the given namespace.
```yaml
# Role: lets the sync job read, create and patch secrets in the namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - patch
---
# RoleBinding: grants the Role to the job's ServiceAccount.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
subjects:
- kind: ServiceAccount
  name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
spec:
  suspend: false
  # Every 8 hours, well inside the 12-hour lifetime of the ECR token.
  schedule: 0 */8 * * *
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
          # In-memory volume used to hand the token from the init container to the main container.
          - name: token
            emptyDir:
              medium: Memory
          initContainers:
          # Step 1: fetch a fresh ECR login password with the AWS CLI.
          - image: amazon/aws-cli
            name: get-token
            imagePullPolicy: IfNotPresent
            env:
            - name: AWS_ACCESS_KEY_ID
              value: <access key provided by Digitalroute>
            - name: AWS_SECRET_ACCESS_KEY
              value: <secret access key provided by Digitalroute>
            - name: REGION
              value: eu-west-1
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - aws ecr get-login-password --region ${REGION} > /token/ecr-token
          containers:
          # Step 2: render the pull secret and apply it (creates or updates ecr-cred).
          - image: bitnami/kubectl
            name: create-secret
            imagePullPolicy: IfNotPresent
            env:
            - name: SECRET_NAME
              value: ecr-cred
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - |-
              kubectl create secret docker-registry $SECRET_NAME \
                --dry-run=client \
                --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
                --docker-username=AWS \
                --docker-password="$(cat /token/ecr-token)" \
                -o yaml | kubectl apply -f -
```
```bash
$ touch cronjob-k8s-ecr-secret.yaml
# Paste the above code in the file.
$ kubectl apply -f cronjob-k8s-ecr-secret.yaml -n <namespace>

# Example
$ kubectl apply -f cronjob-k8s-ecr-secret.yaml -n default
role.rbac.authorization.k8s.io/ecr-credentials-sync created
rolebinding.rbac.authorization.k8s.io/ecr-credentials-sync created
serviceaccount/ecr-credentials-sync created
cronjob.batch/ecr-credentials-sync created
```
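The CronJob above carries the AWS access keys as plain `value:` entries, so anyone who can read the CronJob or its pods in the namespace can read the keys, and its Role allows get and patch on every secret in the namespace. The variant below is an added example, not part of the original page or the vendor's chart: it reads the keys from a Kubernetes Secret and narrows the Role to the one pull secret. The Secret name `ecr-sync-aws-keys` and its key names are assumptions made for this illustration.

```yaml
# Added example. "ecr-sync-aws-keys" is a hypothetical Secret name; create it once, e.g.:
#   kubectl create secret generic ecr-sync-aws-keys -n <your namespace> \
#     --from-literal=AWS_ACCESS_KEY_ID=<access key provided by Digitalroute> \
#     --from-literal=AWS_SECRET_ACCESS_KEY=<secret access key provided by Digitalroute>
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
# "create" cannot be restricted by resourceNames, so it stays namespace-wide.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
# Reading and patching is limited to the pull secret the job maintains.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["ecr-cred"]
  verbs: ["get", "patch"]
---
# Fragment of the CronJob above (spec.jobTemplate.spec.template.spec):
# only the env entries of the get-token initContainer change.
initContainers:
- image: amazon/aws-cli
  name: get-token
  imagePullPolicy: IfNotPresent
  env:
  - name: AWS_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: ecr-sync-aws-keys   # hypothetical
        key: AWS_ACCESS_KEY_ID
  - name: AWS_SECRET_ACCESS_KEY
    valueFrom:
      secretKeyRef:
        name: ecr-sync-aws-keys   # hypothetical
        key: AWS_SECRET_ACCESS_KEY
  - name: REGION
    value: eu-west-1
  volumeMounts:
  - mountPath: /token
    name: token
  command:
  - /bin/sh
  - -ce
  - aws ecr get-login-password --region ${REGION} > /token/ecr-token
```

The kubelet injects the `secretKeyRef` values when it starts the container, so the job's ServiceAccount needs no RBAC access to `ecr-sync-aws-keys`, and with the narrowed Role it cannot read that Secret through the API.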