Versions Compared

Old Version 36

changes.mady.by.user Wei Siong Siow

Saved on

compared with

New Version 37

changes.mady.by.user Jenni Wallin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Having completed the preparations, it is now time to install Usage Engine Private Edition.

Main Installation Example

In this main installation example, it is assumed that the following optional resources have been added while preparing for the installation (see Kubernetes Cluster Add-ons - OCI):

  • ingress-nginx-controller

  • cert-manager

Example Certificate

Since cert-manager is being used to provide TLS to the Usage Engine Private Edition installation in this example, you need to create an issuer in order to generate the required certificate.

Here we are going to use an ACME issuer type that is configured to match the Kubernetes cluster that was set up previously in the Preparations - OCI (4.2) chapter:

Code Block
languageyaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your email address of choice>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.d-n.be
            solverName: oci
            config:
              ociProfileSecretName: oci-profile

...

Code Block
languagebash
kubectl apply -f example-issuer.yaml

Load Balancer TLS Certificate

With ClusterIssuer setup properly, we can proceed to generate TLS Certificate and import into OCI Certificates Service.

...

Info

Note: User need not to import server certificate, CA certificate and private key into OCI Certificate Service anymore if OCI Native Ingress controller version 1.3.8 and above is installed. Load balancer TLS certificate can be obtained from Ingress secret internally.

This helm chart property oci.certificates.enabled must be set to false in Install Helm Chart section. Helm chart property oci.certificates.id can be omitted.

Skip the next section and proceed to TLS Backendset Secret section.

Import into OCI Certificates Service

Go to OCI console management, search for Certificates service. On the Certificates service page, click Create Certificate and follow these steps

...

  1. Click Next and proceed to Create Certificate

  2. Wait for the certificate to be created.

  3. Copy and save the certificate’s ocid. This ocid will be set to the oci.certificates.id property in the helm chart value file in the next section.

TLS Backendset Secret

The SSL configuration between the load balancer and the backend servers (worker nodes) in the backend set is known as backend SSL. In this case, the backend set is referring to Platform Pod on worker nodes. To implement backend SSL, you store the SSL certificates and private key in the form of Kubernetes secret.

...

Info

These secret names ca-ser-secret and lb-cert are default secret name used internally in PE helm chart. If user intended to use different secret name, these helm chart properties MUST be set in uepe-values.yaml. For example,

oci.loadbalancer.secret=lb-cert-<cluster-name>

oci.loadbalancer.backendsetSecret=ca-ser-secret-<cluster-name>

Install Helm Chart

Although the number of helm value combinations to set is virtually endless, some values should more or less always be set.

...

Value

Comment

oci.certificates.enabled

This value determine to use OCI SSL certificate or Kubernetes secret for Load Balancer SSL termination. Default value is true for certificate if it is not set. Set it to false to switch to Kubernetes secret.

oci.certificates.id

This value should be set to match the ocid of certificate created in previous section, Import-into-OCI-Certificates-Service. Not in used if oci.certificates.enabled is false.

oci.backendNSG

Value is taken from the backend_nsg listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI | Create-Basic-Cluster-and-additional-infrastructure section.

oci.healthcheck.desktoponline.port

desktop-online backend set health check port, i.e., 9001

oci.healthcheck.ingressnginx.port

ingress nginx backend set health check port, i.e., 443

global.ingressController.serviceName

This is the name of the Kubernetes Service that was created adding the Kubernetes Add-ons | ingress-nginx-controller.

global.domain

Value is taken from the cluster_dns_zone_name listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI | Create-Basic-Cluster-and-additional-infrastructure section.

global.imagePullSecrets

This is referencing an image pull secret containing the credentials required in order to pull container images from the Digital Route AWS ECR registry. If you are hosting the container images in your own container registry, depending on how that is configured, another image pull secret is probably needed. See https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481567/Common+Usage+Engine+Private+Edition+Preparations#Container-Images for additional information.

licenseKey

The license key that can be found in the licenseKey file that you have previously received (see the https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/General+Pre-requisites#License section). 

log.format

If you need to use dedicated log collection and monitoring tools like Fluent-bit, Elasticsearch, Kibana or AWS CloudWatch for Usage Engine Private Edition, make sure the log format is configured to json. See Configure Log Collection, Target, and Visualization - OCI for additional information.

platform.tls.*

These values are set to use the example issuer created at the beginning of this chapter. This should only be seen as an example and the values should be adjusted according to the real world situation.

postgres.adminUsername

Value is taken from the db_admin_user listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI | Create-Basic-Cluster-and-additional-infrastructure section.

postgres.host

Value is taken from the db_endpoint listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI | Create-Basic-Cluster-and-additional-infrastructure section.

postgres.port

Value is taken from the db_port listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI | Create-Basic-Cluster-and-additional-infrastructure section.

persistence.existingClaim

The persistent volume claim name created in previous section OCI-Add-ons | oci-file-service-storage | Static Provisioning.

Ignore if persistence.enabled is false

...

The Usage Engine Private Edition installation is now complete.

Other Common Installation Configurations

Here follows a few common installation configurations for the Usage Engine Private Edition helm chart.

They should be seen as variations to the main installation example outlined above.

Persistent File Storage

If you have chosen to prepare for persistent file storage, there are two different ways of configuring your Usage Engine Private Edition installation to use it.

Use Bundled OCI Specific PVC

Specifically for OCI, the Usage Engine Private Edition helm chart contains a bundled persistent volume claim. This persistent volume claim is using the fss-dyn-storage storage class. To enable it, simply set the following helm values:

...

Code Block
languagebash
kubectl get persistentvolumeclaims mz-bundled-pvc -o yaml

Reference Arbitrary PVC

Usage Engine Private Edition can be configured to reference an arbitrary persistent volume claim by setting the following helm values:

...

Insert excerpt
General Installation Configurations (4.1)
General Installation Configurations (4.1)
namecommon-installation-configurations
nopaneltrue