Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

The preparations described below are required to install Usage Engine using Helm charts and Docker images. Read through the steps below and follow each step before installing.

Fetching and Configuring Helm Charts

You will download the Helm chart with the instructions below:

  • Helm chart: usage-engine-private-edition

When you are required to enter the <chart version>, refer to Release Information for the Helm Chart version required

The Helm chart configuration installs a large portion of the product, apart from the ECD instance. 

  1. Add the helm repository

    $ helm repo add usage-engine-private-edition 'https://digitalroute-public.github.io/usage-engine-private-edition'
$ helm repo update

  2. Check if the charts are available:

    $ helm search repo -l usage-engine-private-edition/usage-engine-private-edition --version <chart version>
 
Example:
$ helm search repo -l usage-engine-private-edition/usage-engine-private-edition --version 2.0.0

#The output:
		NAME                        						CHART VERSION             	APP VERSION DESCRIPTION                    
 
usage-engine-private-edition/usage-engine-private-edition    	2.0.0    			The Usage Engine Private Edition helm chart                  

  3. Create a directory dedicated for the installation and download the platform Helm chart.

    $ mkdir <your directory>
$ cd <your directory>
$ helm fetch usage-engine-private-edition/usage-engine-private-edition --version <chart version> --untar

  4. Make sure the Helm chart is defined for on-premise (Private cloud) by viewing the file: usage-engine-private-edition / values.yaml

    $ cat usage-engine-private-edition/values.yaml | grep environment:
# Only on-premise and aws supported for now
environment: on-premise

  5. If required, modify the Helm chart for the needed level of Access Control for Kubernetes Resources

    Usage Engine relies on Role Based Access Control (RBAC) when specifying the level of access needed for the kubernetes resources involved in any given Usage Engine installation. 

    Essentially, to make sure that the service account used has the right level of access in order for Usage Engine to function properly.
    Some features do require cluster wide access to certain resources (typically resources that are not namespaced). This is realized by the use of ClusterRoles. If ClusterRoles are not permitted in the given kubernetes cluster for one reason or another, those features will have to be switched off.

    The following helm values can be used to switch off features relying on ClusterRoles, see the Helm chart for further details:

    - mzonline.ecd.nodeHostSelectionEnabled
    - mzOperator.rbacAuthProxy.enabled

Ensure that there is no firewall rule that restricts access to the exposed ports to the cluster. See Installation - Private Cloud(3.0)for more information concerning ports.

In the case a Downgrade is needed later, you must define Persistent Storage.

For information about Persistent Storage, see Persistent Storage (2.2).

Create kubernetes docker pull secret

All the usage-engine-private-edition container images are kept in a private repository (AWS ECR).

In order to pull the container images in the Kubernetes cluster you will need to create a secret for use with Digitalroute AWS ECR. You will need to have the access keys provided by Digitalroute in order to create the secret.

  1. Export AWS keys

    $ export AWS_ACCESS_KEY_ID=<access key provided by Digitalroute>
$ export AWS_SECRET_ACCESS_KEY=<secret access key provided by Digitalroute>
$ export AWS_REGION=eu-west-1

  2. Create Secret

    $ kubectl create secret docker-registry <name of the secret> \
    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com  \
    --docker-username=AWS \
    --docker-password=$(aws ecr get-login-password --region eu-west-1) \
    -n <namespace>

    Example
    Create secret named ecr-cred in default namespace.

    $ kubectl create secret docker-registry ecr-cred \
    --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com  \
    --docker-username=AWS \
    --docker-password=$(aws ecr get-login-password --region eu-west-1) \
    -n default

//Verify that the secret is created.
$ kubectl get secret ecr-cred -n default
NAME       TYPE                             DATA   AGE
ecr-cred   kubernetes.io/dockerconfigjson   1      25s

When installing usage-engine-private-edition you will need to use the ecr-cred secret in set values.

Example

$ helm install uepe usage-engine-private-edition --set "global.imagePullSecrets[0].name=ecr-cred"

The created pull secret will only be valid for 12 hours! 

You can at any time re-create the pull secret by deleting and creating again.

//Example
$ kubectl delete secret ecr-cred -n default
$ kubectl create secret docker-registry ecr-cred \
--docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
--docker-username=AWS \
--docker-password=$(aws ecr get-login-password --region eu-west-1) \
-n default

Using CronJob to sync ECR credentials as a Kubernetes secret

This is the recommended procedure to make sure the secret is always valid.

Copy the below content in a yaml file and make sure to update the namespaces and access keys.

The yaml code below updates the secret ecr-cred every 8 hours in the given namespace.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
rules:
- apiGroups: [""]
  resources:
  - secrets
  verbs:
  - get
  - create
  - patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
subjects:
- kind: ServiceAccount
  name: ecr-credentials-sync
roleRef:
  kind: Role
  name: ecr-credentials-sync
  apiGroup: ""
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: ecr-credentials-sync
  namespace: <your namespace>
spec:
  suspend: false
  schedule: 0 */8 * * *
  failedJobsHistoryLimit: 1
  successfulJobsHistoryLimit: 1
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: ecr-credentials-sync
          restartPolicy: Never
          volumes:
          - name: token
            emptyDir:
              medium: Memory
          initContainers:
          - image: amazon/aws-cli
            name: get-token
            imagePullPolicy: IfNotPresent
            env:
 			- name: AWS_ACCESS_KEY_ID
			  value: <access key provided by Digitalroute>
			- name: AWS_SECRET_ACCESS_KEY
			  value: <secret access key provided by Digitalroute>
            - name: REGION
              value: eu-west-1
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - aws ecr get-login-password --region ${REGION} > /token/ecr-token
          containers:
          - image: bitnami/kubectl
            name: create-secret
            imagePullPolicy: IfNotPresent
            env:
            - name: SECRET_NAME
              value: ecr-cred
            volumeMounts:
            - mountPath: /token
              name: token
            command:
            - /bin/sh
            - -ce
            - |-
              kubectl create secret docker-registry $SECRET_NAME \
                --dry-run=client \
                --docker-server=https://462803626708.dkr.ecr.eu-west-1.amazonaws.com \
                --docker-username=AWS \
                --docker-password="$(cat /token/ecr-token)" \
                -o yaml | kubectl apply -f -              

$ touch cronjob-k8s-ecr-secret.yaml
// paste the above code in the file.
$ kubectl apply -f cronjob-k8s-ecr-secret.yaml -n <namespace>


//Example
$ kubectl apply -f cronjob-k8s-ecr-secret.yaml -n default
role.rbac.authorization.k8s.io/ecr-credentials-sync created
rolebinding.rbac.authorization.k8s.io/ecr-credentials-sync created
serviceaccount/ecr-credentials-sync created
cronjob.batch/ecr-credentials-sync created
  • No labels

0 Comments

You are not logged in. Any changes you make will be marked as anonymous. You may want to Log In if you already have an account.