
Add Helm Repository

Add the helm repository where the Usage Engine Private Edition helm chart is located like this:

Code Block
helm repo add digitalroute https://digitalroute-public.github.io/usage-engine-private-edition

Although not a strict requirement, the install commands used throughout this installation guide assume that the repository has been added under this name.

System Database

The Usage Engine Private Edition helm chart is capable of automatically creating the system database at install time. However, that assumes that you are able to supply database administrator credentials (see Bootstrapping System Credentials).

If, for one reason or another, you are unable to supply that, the system database must be created manually prior to installing the Usage Engine Private Edition helm chart.

A tool called uepe-sys-db-tool.jar is provided to facilitate this. ← This tool does not exist yet

To use it, simply go to Release Information, download it for the relevant version, and then execute it like this:

Code Block
java -jar uepe-sys-db-tool.jar

The instructions on screen will guide you through the process of configuring the database, and once done, a set of database scripts will be generated. These database scripts can then be used to create the system database.

TLS

If you plan on installing Usage Engine Private Edition with TLS enabled, there are three different ways of providing the required certificate:

  • Cert-manager

  • Secret

  • Disk-based keystore (deprecated)

Here follows an explanation of the preparations required for each of the three.

Cert-manager

The most automated and secure way to provide the certificate is to use cert-manager.

If it is not already installed in your Kubernetes cluster, follow these instructions on how to install cert-manager.

Cert-manager must be backed by a certificate authority (CA) to sign the certificates. Once configured with a CA, cert-manager will automatically sign and renew certificates for the system as needed. Configuring cert-manager with a CA is done by creating an Issuer or ClusterIssuer resource (this resource will be referenced later when installing Usage Engine Private Edition).

Refer to Configuring Issuers for all the details.

This is an example of a ClusterIssuer specification that uses the ACME issuer provided by the Let’s Encrypt CA:

Code Block
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: admin@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: example-issuer
    solvers:
    # example: cross-account zone management for example.com
    # this solver uses ambient credentials (i.e. inferred from the environment or EC2 Metadata Service)
    # to assume a role in a different account
    - selector:
        dnsZones:
          - "uepe.example.com"
      dns01:
        route53:
          hostedZoneID: XXXXXXXXXXXX
          region: eu-west-1

It’s also possible to use an issuer specification that will issue a self-signed certificate:

Code Block
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  selfSigned: {}

Note that this is strictly for testing purposes and should never be used in production.

Regardless of the chosen issuer specification, to create the issuer, simply put the specification in a yaml file (here we call it example-issuer.yaml), and then execute a command like this:

Code Block
kubectl apply -f example-issuer.yaml

Based on the example above the created ClusterIssuer can be inspected like this:

Code Block
kubectl get clusterissuers example-issuer -o yaml

Secret

If you do not want to automate the certificate provisioning with cert-manager, you can instead manually install a public certificate in a Kubernetes Secret and then refer to that when installing Usage Engine Private Edition.

The Secret must include a keystore file (keystore.jks) in JKS format as well as separate files for key (tls.key) and certificate (tls.crt).

This is an example script that can generate a Secret like that (make sure to set the parameters at the beginning of the script before executing it):

Code Block
#!/bin/sh
set -eu
KEY_PASSWORD=<your chosen key password>
STORE_PASSWORD=<your chosen keystore password>
DNAME="CN=exampledomain.com,O=Example"
NAMESPACE=<namespace>
# Generate a 2048-bit RSA key pair with a self-signed certificate in a JKS keystore.
# keytool's default validity is 90 days, so set it explicitly to what you need.
keytool -genkeypair -keystore keystore.jks -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -alias certificate -keyalg RSA -keysize 2048 -validity 365 -dname "$DNAME"
# Convert to PKCS12 so that openssl can read it. PKCS12 keystores use a single password
# (keytool ignores a differing key password), so the key ends up protected by STORE_PASSWORD.
keytool -importkeystore -srckeystore keystore.jks -srcstorepass "$STORE_PASSWORD" -srckeypass "$KEY_PASSWORD" -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias certificate -deststorepass "$STORE_PASSWORD"
# Extract the certificate and the unencrypted (-nodes) private key. The PKCS12 file is
# opened with the store password, not the original key password.
openssl pkcs12 -in keystore.p12 -nokeys -out tls.crt -password pass:"$STORE_PASSWORD"
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out tls.key -password pass:"$STORE_PASSWORD"
# Store the keystore, the plaintext key and the certificate under the names the chart expects.
kubectl create secret generic uepe-cert -n "$NAMESPACE" --from-file=keystore.jks --from-file=tls.key --from-file=tls.crt

Note that this will generate a self-signed certificate, which is not suitable for use in publicly exposed interfaces.

Once the Secret has been generated, its content can be inspected like this:

Code Block
kubectl -n <namespace> get secrets uepe-cert -o yaml

Disk-based keystore

Certificates and keys can also be stored in keystore files on persistent disk. This option is the least secure and is deprecated. It is kept solely for backward compatibility reasons.

<the existing doc for this option is very limited but from what I can tell the only prep needed is to setup persistent storage>

Bootstrapping System Credentials

Usage Engine Private Edition uses a number of system credentials in order to function as expected.

These system credentials are kept in a Kubernetes secret called env-secrets located in the same namespace as where Usage Engine Private Edition is being installed.

This secret can be populated in three different ways:

  • Manually creating and populating it prior to installing Usage Engine Private Edition.

  • Providing the credential(s) as helm values at install time, in which case the secret will be automatically created (if it does not already exist) and populated with the corresponding helm value(s). Be aware that storing credentials in a values.yaml file in version control is not secure. If you still need to do this, you should consider using a tool like https://github.com/mozilla/sops.

  • Letting it be automatically populated at install time, in which case the secret will be automatically created and populated. Passwords will consist of eight randomly generated characters.

Note that the three options are not mutually exclusive. It is possible to populate some credentials in advance, some through helm values, and let some be automatically generated.

Here follows an explanation of the system credentials used by Usage Engine Private Edition. Each entry gives the secret key, the corresponding helm value, and a description:

jdbcUser
  Helm value: platform.db.jdbcUser
  The user that Usage Engine Private Edition uses when connecting to the system database.

jdbcPassword
  Helm value: platform.db.jdbcPassword
  The password of the user that Usage Engine Private Edition uses when connecting to the system database. See jdbcUser.
  If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here.

mzownerPassword
  Helm value: platform.db.mzownerPassword
  The password of the user owning the system database schema.
  If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here.

postgresqlPassword
  Helm value: postgres.adminPassword
  The PostgreSQL database administrator password. Only relevant when using PostgreSQL to store the system database.
  Required in order to have the system database automatically created when installing Usage Engine Private Edition.
  If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

oraclePassword
  Helm value: oracle.adminPassword
  The Oracle database administrator password. Only relevant when using Oracle to store the system database.
  Required in order to have the system database automatically created when installing Usage Engine Private Edition.
  If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

saphanaPassword
  Helm value: saphana.adminPassword
  The SAP HANA database administrator password. Only relevant when using SAP HANA to store the system database.
  Required in order to have the system database automatically created when installing Usage Engine Private Edition.
  If you created the system database manually (see the preparations for System Database), then you do not need to set this at all.

operatorPassword
  Helm value: operator.operatorPassword
  The password of the mzk8soperator user. This user is used for internal communication between the Operator and the Platform.

tlsKeystorePassword
  Helm value: platform.tls.key.storepassword
  Keystore password. Used when installing Usage Engine Private Edition with TLS enabled.
  You need to make sure that this password matches how the certificate was set up when preparing for TLS.

tlsKeyPassword
  Helm value: platform.tls.key.password
  Key password. Used when installing Usage Engine Private Edition with TLS enabled.
  You need to make sure that this password matches how the certificate was set up when preparing for TLS.

This is an example of how to create and populate the secret with some credentials:

Code Block
kubectl create secret generic env-secrets -n <namespace> \
--from-literal=jdbcPassword=<your chosen jdbc password> \
--from-literal=mzownerPassword=<your chosen mzowner password>

To inspect the content of the secret, simply execute the following command:

Code Block
kubectl get secret/env-secrets -n <namespace> -o yaml

To retrieve a given credential in cleartext, simply execute a command like this:
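The following script is an added example, not part of the original page or of the Usage Engine Private Edition chart. It performs the checks this page asks for offline, against the YAML that `kubectl get secret ... -o yaml` prints: it reports which keys of env-secrets are already populated (and so which will be generated at install time or have to come from helm values), decodes a given credential to cleartext, and confirms that the uepe-cert Secret from the TLS preparations carries the three required entries (keystore.jks, tls.key and tls.crt). The two manifests embedded in the script are constructed samples rather than real kubectl output; the secret and key names are the ones this page uses, and check_keystore_password is a hypothetical helper (it needs keytool on the PATH and is not run on the samples) for confirming that the tlsKeystorePassword you store in env-secrets actually opens the keystore kept in uepe-cert.

```shell
#!/bin/sh
# Added example, not from the original page: offline checks on Secret manifests
# in the form printed by `kubectl get secret <name> -n <namespace> -o yaml`.

# Constructed sample manifest standing in for real `kubectl get secret env-secrets -o yaml` output.
SAMPLE_ENV_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: env-secrets
  namespace: uepe
type: Opaque
data:
  jdbcPassword: Y2hhbmdlbWU=
  mzownerPassword: c2VjcmV0MTIz
'

# Constructed sample for the TLS Secret. Values are base64 of "x"; a real uepe-cert
# Secret carries the keystore, key and certificate bytes instead.
SAMPLE_TLS_SECRET='apiVersion: v1
kind: Secret
metadata:
  name: uepe-cert
  namespace: uepe
type: Opaque
data:
  keystore.jks: eA==
  tls.crt: eA==
  tls.key: eA==
'

# secret_value MANIFEST KEY
# Prints the base64-decoded value of .data.KEY; fails (exit 1) when the key is absent.
secret_value() {
  enc=$(printf '%s\n' "$1" | awk -v k="$2" '
    /^data:/                 { in_data = 1; next }   # enter the data: map
    in_data && /^[^ ]/       { in_data = 0 }         # any other top-level key ends it
    in_data && $1 == (k ":") { print $2; exit }')
  [ -n "$enc" ] || return 1
  printf '%s' "$enc" | base64 -d
}

# missing_keys MANIFEST KEY...
# Prints, one per line, the keys from KEY... that are not present under .data.
missing_keys() {
  manifest=$1
  shift
  for k in "$@"; do
    secret_value "$manifest" "$k" >/dev/null 2>&1 || echo "$k"
  done
}

# check_keystore_password JKS_FILE PASSWORD
# Hypothetical helper: succeeds only if PASSWORD opens the keystore (needs keytool on
# the PATH, so it is not exercised on the samples above). Use it to confirm that
# tlsKeystorePassword in env-secrets matches the keystore.jks stored in uepe-cert.
check_keystore_password() {
  keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Demo run on the constructed samples.
not_set=$(missing_keys "$SAMPLE_ENV_SECRET" jdbcPassword mzownerPassword operatorPassword tlsKeystorePassword)
if [ -n "$not_set" ]; then
  echo "env-secrets keys not pre-populated (will be generated or taken from helm values):"
  echo "$not_set"
fi
echo "jdbcPassword decodes to: $(secret_value "$SAMPLE_ENV_SECRET" jdbcPassword)"
tls_missing=$(missing_keys "$SAMPLE_TLS_SECRET" keystore.jks tls.key tls.crt)
if [ -z "$tls_missing" ]; then
  echo "uepe-cert: all required entries present"
else
  echo "uepe-cert is missing: $tls_missing"
fi
```

Against a live cluster, feed the functions real output instead of the samples, for example `missing_keys "$(kubectl -n <namespace> get secret env-secrets -o yaml)" jdbcPassword mzownerPassword`. Decoded credentials are printed to the terminal in cleartext, so treat the output (and your shell history) accordingly.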


Before installing Usage Engine Private Edition, you need to set up a Kubernetes cluster on your private cloud. This can be done in several ways (from scratch, with the kubeadm tool, or with an automated tool such as kubespray or RKE) and is not documented here. Check the Compatibility Matrix to find out which versions of Kubernetes are compatible with Usage Engine Private Edition.

This section contains the following subsections:
