Versions Compared

Old Version 7

changes.mady.by.user Wei Siong Siow

Saved on

compared with

New Version 8

changes.mady.by.user Jenni Wallin

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt
namecontainer-images

Container Images

Usage Engine Private Edition consists of the following container images hosted in the Digital Route AWS ECR registry:

Name

Description

462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>

This is the container image used by the platform pod.

462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ec

This is the container image used by EC pods.

462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-operator

This is the container image used by the uepe-operator pod.

462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ui

This is the container image used by the desktop-online pod.

Where <version> is the desired Usage Engine Private Edition version, for example 4.0.0.

info

Note!

Since Usage Engine Private Edition 3.1, the container images have multi-architecture support (AMD and ARM).

Hosting Container Images in Your Own Container Registry

If you have your own container registry, it is recommended that you host the Usage Engine Private Edition container images there rather than in the Digital Route AWS ECR registry.

In order to access the container images in the Digital Route AWS ECR registry, you will need to authenticate yourself first. Here is how you can do this using the docker CLI:

Code Block
languagebash
docker login -u AWS \
-p $(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
462803626708.dkr.ecr.eu-west-1.amazonaws.com

Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).

Once authenticated, you can pull the container images, re-tag them and then finally push them to your own container image repository.

Depending on how your container registry is configured, you probably need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from your container registry in runtime.

Image Pull Secret for Digital Route AWS ECR

On the other hand, if you do not have your own container image registry, then you need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from the Digital Route AWS ECR in runtime.

Such a secret can be created like this:

Code Block
languagebash
kubectl create secret docker-registry ecr-cred \
    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com  \
    --docker-username=AWS \
    --docker-password=$(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
    -n uepe

Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).

Since AWS ECR credentials expire after 12 hours, the image pull secret needs to be refreshed regularly. This can be automated through a cron job. The following yaml spec is an example of such a cron job:

Code Block
languageyaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: uepe
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: uepe
subjects:
- kind: ServiceAccount
  name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: uepe
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: uepe
spec:
  suspend: false
  schedule: 0 */8 * * *
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
          - name: token
            emptyDir:
              medium: Memory
          initContainers:
          - image: amazon/aws-cli
            name: get-token
            imagePullPolicy: IfNotPresent
            env:
            - name: AWS_ACCESS_KEY_ID
              value: <your aws access key>
            - name: AWS_SECRET_ACCESS_KEY
              value: <your aws secret access key>
            - name: REGION
              value: eu-west-1
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - aws ecr get-login-password --region ${REGION} > /token/ecr-token
          containers:
          - image: bitnami/kubectl
            name: create-secret
            imagePullPolicy: IfNotPresent
            env:
            - name: SECRET_NAME
              value: ecr-cred
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - |-
              kubectl create secret docker-registry $SECRET_NAME \
                --dry-run=client \
                --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
                --docker-username=AWS \
                --docker-password="$(cat /token/ecr-token)" \
                -n uepe \
                -o yaml | kubectl apply -f -

Where <your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).

Simply put the above yaml spec into a file called ecr-credentials-sync.yaml, and then use the following command to create it in your Kubernetes cluster:

Code Block
kubectl apply -f ecr-credentials-sync.yaml -n uepe

...

Excerpt
nametls-cert-manager-part-2

Insert excerpt
General Usage Engine Private Edition Preparations (4.3)
General Usage Engine Private Edition Preparations (4.3)
nametls-cert-manager-part-common-1
nopaneltrue

Please note that the ClusterIssuer mentioned above is only recommended for testing purposes and not for production. In the coming section, we will create a ClusterIssuer of ACME type, which is generally used in production environment.

info

Note!

If your

use case

deployment is intended for a production or production-like environment,

please

skip the self-signed ClusterIssuer creation below.

Insert excerpt
General Usage Engine Private Edition Preparations (4.3)
General Usage Engine Private Edition Preparations (4.3)
nametls-cert-manager-part-common-2
nopaneltrue

...

Note that the

Note!

The three options are not mutually exclusive. It is possible to populate some credentials in advance, some through helm values, and let some be automatically generated.

Here follows an explanation of the system credentials used by Usage Engine Private Edition:

Excerpt
namebootstrapping-system-credentials

Bootstrapping System Credentials
Anchor
bootstrapping-system-credentials
bootstrapping-system-credentials

Usage Engine Private Edition uses a number of system credentials in order to function as expected.

These system credentials are kept in a Kubernetes secret called env-secrets located in the same namespace as where Usage Engine Private Edition is being installed.

This secret can be populated in three different ways:

  • Manually creating and populating it prior to installing Usage Engine Private Edition.

  • Providing the credential(s) as helm values at install time. In which case the secret will be automatically created (if it does not already exist) and populated with the corresponding helm value(s). Be aware that storing credentials in a values.yaml file in version control is not secure. If you still need to do this you should consider using tools like https://github.com/mozilla/sops .

  • Letting it be automatically populated at install time. In which case the secret will be automatically created and populated. Passwords will consist of eight randomly generated characters.

Info

Secret Key

Corresponding Helm Value

Description

jdbcUser

platform.db.jdbcUser

The user that Usage Engine Private Edition uses when connecting to the system database.

jdbcPassword

platform.db.jdbcPassword

The password of the user that Usage Engine Private Edition uses when connecting to the system database. See jdbcUser.

If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here.

mzownerPassword

postgres.mzownerPassword or oracle.mzownerPassword

The password of the user owning the system database schema.

If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here.

postgresqlPassword

postgres.adminPassword

The PostgreSQL database administrator password. Only relevant when using PostgreSQL to store the system database.

Required in order to have the system database automatically created when installing Usage Engine Private Edition.

If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

oraclePassword

oracle.adminPassword

The Oracle database administrator password. Only relevant when using Oracle to store the system database.

Required in order to have the system database automatically created when installing Usage Engine Private Edition.

If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

saphanaPassword

saphana.adminPassword

The SAP HANA database administrator password. Only relevant when using SAP HANA to store the system database.

Required in order to have the system database automatically created when installing Usage Engine Private Edition.

If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

operatorPassword

operator.operatorPassword

The password of the mzk8soperator user. This user is used for internal communication between the Operator and the Platform.

tlsKeystorePassword

platform.tls.key.storepassword

Keystore password. Used when installing Usage Engine Private Edition with TLS enabled.

You need to make sure that this password matches how the certificate was set up when preparing for TLS.

tlsKeyPassword

platform.tls.key.password

Key password. Used when installing Usage Engine Private Edition with TLS enabled.

You need to make sure that this password matches how the certificate was set up when preparing for TLS.

This is an example of how to create and populate the secret with some credentials:

Code Block
languagebash
kubectl create secret generic env-secrets -n uepe \
--from-literal=postgresqlPassword=<db_password configured in the terraform.tfvars> \
--from-literal=mzownerPassword=<your chosen mzowner password>

To inspect the content of the secret, simply execute the following command:

Code Block
languagebash
kubectl get secret/env-secrets -n uepe -o yaml

To retrieve a given credential in cleartext, simply execute a command like this (where “jdbcPassword” in the template parameter is the credential you would like to inspect):

Code Block
languagebash
kubectl get secrets/env-secrets -n uepe --template={{.data.jdbcPassword}} | base64 -d

...