Add the helm repository where the Usage Engine Private Edition helm chart is located by running the following command: Although not a strict requirement, the install commands used throughout this installation guide assume that the repository has been added like this. Add Helm Repository
helm repo add digitalroute https://digitalroute-public.github.io/usage-engine-private-edition
Usage Engine Private Edition consists of the following container images hosted in the Digital Route AWS ECR registry: Name Description This is the container image used by the platform pod. This is the container image used by EC pods. This is the container image used by the uepe-operator pod. This is the container image used by the desktop-online pod. Where Note! Since Usage Engine Private Edition 3.1, the container images have multi-architecture support (AMD and ARM). If you have your own container registry, it is recommended that you host the Usage Engine Private Edition container images there rather than in the Digital Route AWS ECR registry. In order to access the container images in the Digital Route AWS ECR registry, you will need to authenticate yourself first. Here is how you can do this using the Where Once authenticated, you can pull the container images, re-tag them and then finally push them to your own container image repository. Depending on how your container registry is configured, you probably need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from your container registry in runtime. On the other hand, if you do not have your own container image registry, then you need to set up an image pull secret that allows the Kubernetes cluster to pull the container images from the Digital Route AWS ECR in runtime. Such a secret can be created like this: Where Since AWS ECR credentials expire after 12 hours, the image pull secret needs to be refreshed regularly. This can be automated through a cron job. The following yaml spec is an example of such a cron job: Where Simply put the above yaml spec into a file called Container Images
462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ec462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-operator462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition:<version>-ui<version> is the desired Usage Engine Private Edition version, for example 4.0.0.Hosting Container Images in Your Own Container Registry
docker CLI:docker login -u AWS \
-p $(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
462803626708.dkr.ecr.eu-west-1.amazonaws.com
<your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).Image Pull Secret for Digital Route AWS ECR
kubectl create secret docker-registry ecr-cred \
--docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
--docker-username=AWS \
--docker-password=$(AWS_ACCESS_KEY_ID=<your aws access key> AWS_SECRET_ACCESS_KEY=<your aws secret access key> aws ecr get-login-password --region eu-west-1) \
-n uepe
<your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: uepe
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- create
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ecr-credentials-sync
namespace: uepe
subjects:
- kind: ServiceAccount
name: ecr-credentials-sync
roleRef:
kind: Role
name: ecr-credentials-sync
apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ecr-credentials-sync
namespace: uepe
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: ecr-credentials-sync
namespace: uepe
spec:
suspend: false
schedule: 0 */8 * * *
failedJobsHistoryLimit: 1
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
serviceAccountName: ecr-credentials-sync
restartPolicy: Never
volumes:
- name: token
emptyDir:
medium: Memory
initContainers:
- image: amazon/aws-cli
name: get-token
imagePullPolicy: IfNotPresent
env:
- name: AWS_ACCESS_KEY_ID
value: <your aws access key>
- name: AWS_SECRET_ACCESS_KEY
value: <your aws secret access key>
- name: REGION
value: eu-west-1
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/sh
- -ce
- aws ecr get-login-password --region ${REGION} > /token/ecr-token
containers:
- image: bitnami/kubectl
name: create-secret
imagePullPolicy: IfNotPresent
env:
- name: SECRET_NAME
value: ecr-cred
volumeMounts:
- mountPath: /token
name: token
command:
- /bin/sh
- -ce
- |-
kubectl create secret docker-registry $SECRET_NAME \
--dry-run=client \
--docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
--docker-username=AWS \
--docker-password="$(cat /token/ecr-token)" \
-n uepe \
-o yaml | kubectl apply -f -
<your aws access key> and <your aws secret access key> are the access keys provided by Digital Route (see https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/161481605/Common+Pre-requisites#ECR-Access-Keys in case you have not received any access keys yet).ecr-credentials-sync.yaml, and then use the following command to create it in your Kubernetes cluster:kubectl apply -f ecr-credentials-sync.yaml -n uepe
The Usage Engine Private Edition helm chart is capable of automatically creating the system database at install time. However, that assumes that you are able to supply database administrator credentials (see Bootstrapping System Credentials). If, for one reason or another, you are unable to supply that, the system database must be created manually prior to installing the Usage Engine Private Edition helm chart. A tool called To use it, simply go to Release Information, download it for the relevant version, and then execute it like this: The instructions on screen will guide you through the process of configuring the database, and once done, a set of database scripts will be generated. These database scripts can then be used to create the system database and database users. Following the instructions on the screen, you are also required to supply the JDBC user and JDBC password that Usage Engine Private Edition will use to connect to its system database. The main entry point script mentioned at the end of the instruction, is the ONLY file that should be executed by the user. The rest of the files are referenced by the main entry point script to complete the database creation. Example - SAP Hana The SAP Hana instruction would look like this. The main entry point script Example - PostgreSQL The PostgreSQL instruction would look like this. The main entry point script Note! If the postgreSQL administrator user argument is not passed in, the script will assume the Example - Oracle The Oracle instruction would look like this. The main entry point script For AWS RDS Oracle, The main entry point script is aws_rds_oracle_create_ts_user.sql and should be executed in sqlplus terminal like this: At the end of the execution, you may connect to the database instance via database client tool. Once connected to the database instance, verify that system database and database users have been created successfully. However, you won’t see any database table being created in the system database. This was designed deliberately as the database tables will only be created during the installation of the Usage Engine Private Edition.System Database
uepe-sys-db-tool.jar is provided to facilitate this.java -jar uepe-sys-db-tool.jar
Script generation successfully completed!
Please find your system database creation scripts inside the uepe-sys-db-scripts.tar file.
The saphana_create_instance.sh script is the main entry point.
saphana_create_instance.sh should be executed by the user like this:./saphana_create_instance.sh <SAP HANA administrator user> <SAP HANA administrator password>
Script generation successfully completed!
Please find your system database creation scripts inside the uepe-sys-db-scripts.tar file.
The postgre_create_instance.sh script is the main entry point.
postgre_create_instance.sh should be executed like this, passing the <postgreSQL administrator user> as the argument../postgre_create_instance.sh <postgreSQL administrator user>
postgres user as the default administrator user.Script generation successfully completed!
Please find your system database creation scripts inside the uepe-sys-db-scripts.tar file.
The oracle_create_instance.sh script is the main entry point.
For AWS environment, please execute aws_rds_oracle_create_ts_user.sql with sql client as the main entry point.
oracle_create_instance.sh should be executed like this:./oracle_create_instance.sh
SQL>@aws_rds_oracle_create_ts_user.sql
It is strongly recommended to install Usage Engine Private Edition with TLS enabled, and there are two different ways of providing the required certificate: cert-manager Secret Here follows an explanation of the preparations required for each of the two.TLS
The most automated and secure way to provide the certificate is to use https://cert-manager.io/ . If it is not already installed in your Kubernetes cluster, follow these instructions on how to install the cert-manager https://cert-manager.io/docs/installation/helm/ chart. Make sure to install a version that is listed in the Compatibility Matrix (4.2).cert-manager
To use cert-manager with Oracle Cloud Infrastructure as a DNS provider, you need to install ACME Webhook for OCI.
Add cert-manager-webhook-oci repository to helm:
helm repo add cert-manager-webhook-oci https://dn13.gitlab.io/cert-manager-webhook-oci
Example installation command:
helm install --namespace cert-manager cert-manager-webhook-oci cert-manager-webhook-oci/cert-manager-webhook-oci
The solver for OCI is introduced in the next section - Usage Engine Private Edition Installation. To know more about cert-maanger webhook project for OCI, please click here.
Cert-manager must be backed by a certificate authority (CA) to sign the certificates. Once configured with a CA, cert-manager will automatically sign and renew certificates for the system as needed. Configuring cert-manager with a CA is done by creating an Refer to https://cert-manager.io/docs/configuration/ for a all the details. It’s also possible to use an issuer specifiction that will issue a self-signed certificate: Please note that the Note! If your deployment is intended for a production or production-like environment, skip the self-signed Regardless of the chosen issuer specification, to create the issuer, simply put the specification in a yaml file (here we call it Based on the example above the created Issuer or ClusterIssuer resource (this resource will be referenced later when installing Usage Engine Private Edition). apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: example-issuer
spec:
selfSigned: {}
ClusterIssuer mentioned above is only recommended for testing purposes and not for production. In the coming section, we will create a ClusterIssuer of ACME type, which is generally used in production environment.ClusterIssuer creation below.example-issuer.yaml), and then execute a command like this:kubectl apply -f example-issuer.yaml
ClusterIssuer can be inspected like this:kubectl get clusterissuers example-issuer -o yaml
If you do not want to automate the certificate provisioning with cert-manager, you can instead manually install a public certificate in a Kubernetes The This is an example script that can generate a Note that this will generate a self-signed certificate, which is not suitable for use in publicly exposed interfaces. Once the Secret
Secret and then refer to that when installing Usage Engine Private Edition.Secret must include a keystore file (keystore.jks) in JKS format as well as separate files for key (tls.key) and certificate (tls.crt). Secret like that (make sure to set the parameters at the beginning of the script before executing it):#!/bin/sh
KEY_PASSWORD=<your chosen key password>
STORE_PASSWORD=<your chosen keystore password>
DNAME=CN=exampledomain.com,O=Example
NAMESPACE=uepe
keytool -genkey -keystore keystore.jks -storepass $STORE_PASSWORD -keypass $KEY_PASSWORD -alias certificate -keyalg RSA -keysize 4096 -dname $DNAME
keytool -importkeystore -srckeystore keystore.jks -srcstorepass $STORE_PASSWORD -srckeypass $KEY_PASSWORD -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias certificate -deststorepass $STORE_PASSWORD -destkeypass $KEY_PASSWORD
openssl pkcs12 -in keystore.p12 -nokeys -out tls.crt -password pass:$KEY_PASSWORD
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out tls.key -password pass:$KEY_PASSWORD
kubectl create secret generic uepe-cert -n $NAMESPACE --from-file=keystore.jks --from-file=tls.key --from-file=tls.crt
Secret has been generated, its content can be inspected like this:kubectl -n uepe get secrets uepe-cert -o yaml
Usage Engine Private Edition uses a number of system credentials in order to function as expected. These system credentials are kept in a Kubernetes secret called This secret can be populated in three different ways: Manually creating and populating it prior to installing Usage Engine Private Edition. Providing the credential(s) as helm values at install time. In which case the secret will be automatically created (if it does not already exist) and populated with the corresponding helm value(s). Be aware that storing credentials in a values.yaml file in version control is not secure. If you still need to do this you should consider using tools like https://github.com/mozilla/sops . Letting it be automatically populated at install time. In which case the secret will be automatically created and populated. Passwords will consist of eight randomly generated characters. Note that the three options are not mutually exclusive. It is possible to populate some credentials in advance, some through helm values, and let some be automatically generated. Here follows an explanation of the system credentials used by Usage Engine Private Edition: Secret Key Corresponding Helm Value Description The user that Usage Engine Private Edition uses when connecting to the system database. The password of the user that Usage Engine Private Edition uses when connecting to the system database. See If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here. The password of the user owning the system database schema. If you created the system database manually (see the preparations for System Database), then you need to make sure to use the same password here. The PostgreSQL database administrator password. Only relevant when using PostgreSQL to store the system database. Required in order to have the system database automatically created when installing Usage Engine Private Edition. If you created the system database manually (see the preparations for System Database), then you do not need to set this at all. The Oracle database administrator password. Only relevant when using Oracle to store the system database. Required in order to have the system database automatically created when installing Usage Engine Private Edition. If you created the system database manually (see the preparations for System Database), then you do not need to set this at all. The SAP HANA database administrator password. Only relevant when using SAP HANA to store the system database. Required in order to have the system database automatically created when installing Usage Engine Private Edition. If you created the system database manually (see the preparations for System Database), then you do not need to set this at all. The password of the Keystore password. Used when installing Usage Engine Private Edition with TLS enabled. You need to make sure that this password matches how the certificate was set up when preparing for TLS. Key password. Used when installing Usage Engine Private Edition with TLS enabled. You need to make sure that this password matches how the certificate was set up when preparing for TLS. This is an example of how to create and populate the secret with some credentials: To inspect the content of the secret, simply execute the following command: To retrieve a given credential in cleartext, simply execute a command like this (where “jdbcPassword” in the template parameter is the credential you would like to inspect):Bootstrapping System Credentials
env-secrets located in the same namespace as where Usage Engine Private Edition is being installed.jdbcUserplatform.db.jdbcUserjdbcPasswordplatform.db.jdbcPasswordjdbcUser.mzownerPasswordpostgres.mzownerPassword or oracle.mzownerPasswordpostgresqlPasswordpostgres.adminPasswordoraclePasswordoracle.adminPasswordsaphanaPasswordsaphana.adminPasswordoperatorPasswordoperator.operatorPasswordmzk8soperator user. This user is used for internal communication between the Operator and the Platform. tlsKeystorePasswordplatform.tls.key.storepasswordtlsKeyPasswordplatform.tls.key.passwordkubectl create secret generic env-secrets -n uepe \
--from-literal=postgresqlPassword=<db_password configured in the terraform.tfvars> \
--from-literal=mzownerPassword=<your chosen mzowner password>
kubectl get secret/env-secrets -n uepe -o yaml
kubectl get secrets/env-secrets -n uepe --template={{.data.jdbcPassword}} | base64 -d