When you have completed the preparations you can proceed to install Usage Engine Private Edition.

Main Installation Example

In this main installation example, it is assumed that the following optional resources have been added while preparing for the installation (see Kubernetes Cluster Add-ons - OCI (4.2)):

ingress-nginx-controller
cert-manager

Example Certificate

Since cert-manager is being used to provide TLS to the Usage Engine Private Edition installation in this example, you need to create an issuer to generate the required certificate.

In this example, we are going to use an ACME issuer type that is configured to match the Kubernetes cluster that was set up previously in the Preparations - OCI (4.2) chapter:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-issuer
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <your valid email address>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: example-issuer-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.d-n.be
            solverName: oci
            config:
              ociProfileSecretName: oci-profile

A few things that should be noted:

Set email to your email address of choice.
The oci-profile is the credential to access Oracle Cloud Infrastructure API. If you choose another name for the secret than oci-profile, ensure you modify the value of ociProfileSecretName in the ClusterIssuer.

Create a yaml file named oci-profile.yaml. The secret oci-profile should look like this:

apiVersion: v1
kind: Secret
metadata:
  name: oci-profile
type: Opaque
stringData:
  tenancy: <tenancy_ocid from terraform output>
  user: <user_ocid configured in terraform.tfvars>
  region: <region from terraform output>
  fingerprint: <fingerprint configured in terraform.tfvars>
  privateKey: |
    -----BEGIN RSA PRIVATE KEY-----
    ...KEY DATA HERE...
    -----END RSA PRIVATE KEY-----
  privateKeyPassphrase: "private keys passphrase or empty string if none"

Create the secret prior to ClusterIssuer creation. To install secret oci-profile to cert-manager namespace run the following command:

kubectl apply -f oci-profile.yaml -n cert-manager

Assuming that the issuer spec above has been saved into a file called example-issuer.yaml, you can create it by running the following command:

Load Balancer TLS Certificate

With ClusterIssuer setup properly, we can proceed to generate TLS Certificate and import into OCI Certificates Service.

To generate certificate, create a yaml file named certificate.yaml with the following contents:

Execute the yaml file by running the following command:

Wait for a while and confirm that the certificate has been generated successfully by running the following command:

The output will show that the certificate named lbcert’s status is ready

Extract the server certificate and CA certificate from secret lbcert by running the following command:

Separate server certificate and CA certificate into two files by running the following command:

Rename first generated file as server certificate file by running the following command:

Rename second generated file as CA certificate file by running the following command:

Extract the private key from secret lbcert by running the following command:

The server certificate, CA certificate and private key are now stored in tls.crt, ca.crt and tls.key respectively. The next step is to import them into the OCI Certificates Service.

Note!

You do not need to import the server certificate, CA certificate and private key into the OCI Certificate Service anymore if OCI Native Ingress controller version 1.3.8 and above is installed. The load balancer TLS certificate can be obtained from Ingress secret internally.

This helm chart property oci.certificates.enabled must then be set to false when following the Install Helm Chart section. The helm chart property oci.certificates.id can be omitted.

Skip the next section and proceed to TLS Backendset Secret section.

Import into OCI Certificates Service

Go to the OCI console management and search for Certificates service. On the Certificates service page, click Create Certificate and follow these steps:

Select Certificate Type Imported and key in a unique name.
Click Next to go to Certificate Configuration page.
Upload the tls.crt, ca.crt and tls.key files according to table below:

OCI Certificates Configuration	file to upload

OCI Certificates Configuration	file to upload
Certificate	`tls.crt`
Certificate Chain	`ca.crt`
Private Key	`tls.key`

Click Next and proceed to Create Certificate.
Wait for the certificate to be created.
Copy and save the certificate’s ocid. This ocid will be set to the oci.certificates.id property in the helm chart value file in the next section.

TLS Backendset Secret

The SSL configuration between the load balancer and the backend servers (worker nodes) in the backend set is known as backend SSL. In this case, the backend set is referring to the Platform Pod on the worker nodes. To implement backend SSL, store the SSL certificates and private key in the form of a Kubernetes secret.

The CA certificate and private key generated from the previous section can be reused to generate the Kubernetes secret needed by the backend set.

To store the certificate and the private key as a secret in Kubernetes, run the following command:

The backend set secret named ca-ser-secret has now been created in the namespace uepe.

Note!

These secret names ca-ser-secret and lb-cert are default secret names used internally in the Usage Engine Private Edition helm chart. If you intend to use a different secret name, these helm chart properties MUST be set in uepe-values.yaml:

oci.loadbalancer.secret=lb-cert-<cluster-name>

oci.loadbalancer.backendsetSecret=ca-ser-secret-<cluster-name>

Install Helm Chart

Although the number of helm value combinations to set is virtually endless, there are some values should practically always be set.

Start by creating a file called uepe-values.yaml, and in that file, specify a minimal set of values that will serve as a good starting point:

In the example below, it is assumed that you have configured the Postgres admin password through a secret. If you have not done so, see Usage Engine Private Edition Preparations - OCI (4.2) | Bootstrapping System Credentials [inlineExtension] for guidance.

Below you can find information on how you can determine the values to set in your particular installation:

Value	Comment

Value	Comment
`oci.certificates.enabled`	This value indicates if you to use OCI SSL certificate or Kubernetes secret for Load Balancer SSL termination. The default value is `false` if it is not set, which means that the SSL certificate is obtained from the Kubernetes secret internally. Set it to `true` if you want to use OCI SSL certificate.
`oci.certificates.id`	This value should be set to match the ocid of certificate created in previous section, Import-into-OCI-Certificates-Service. This value is not in used if `oci.certificates.enabled` is false.
`oci.backendNSG`	This value is taken from the `backend_nsg` listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI \| Create-Basic-Cluster-and-additional-infrastructure section.
`oci.healthcheck.desktoponline.port`	This is the desktop-online backend set health check port, 9001.
`oci.healthcheck.ingressnginx.port`	This is the ingress nginx backend set health check port, 443.
`global.ingressController.serviceName`	This is the name of the Kubernetes `Service` that was created adding the Kubernetes Add-ons \| ingress-nginx-controller.
`global.domain`	This value is taken from the `cluster_dns_zone_name` listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI \| Create-Basic-Cluster-and-additional-infrastructure section.
`global.imagePullSecrets`	This is referencing an image pull secret containing the credentials required in order to pull container images from the DigitalRoute AWS ECR registry. If you are hosting the container images in your own container registry, another image pull secret might be needed, depending on how it is configured. See General Usage Engine Private Edition Preparations (4.2) for additional information.
`licenseKey`	This is the license key that can be found in the `licenseKey` file that you have previously received, see section.
`log.format`	If you need to use dedicated log collection and monitoring tools like Fluent-bit, Elasticsearch, Kibana or AWS CloudWatch for Usage Engine Private Edition, ensure that the log format is configured to `json`. See Configure Log Collection, Target, and Visualization - OCI for additional information.
`platform.tls.*`	These values are set to use the example issuer created at the beginning of this page. This should only be seen as an example and the values should be adjusted according to the real world scenario.
`postgres.adminUsername`	This value is taken from the `db_admin_user` listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI \| Create-Basic-Cluster-and-additional-infrastructure section.
`postgres.host`	This value is taken from the `db_endpoint` listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI \| Create-Basic-Cluster-and-additional-infrastructure section.
`postgres.port`	This value is taken from the `db_port` listed in the terraform output produced in the Set Up Kubernetes Cluster - OCI \| Create-Basic-Cluster-and-additional-infrastructure section.
`persistence.existingClaim`	The persistent volume claim name created in previous section OCI-Add-ons \| oci-file-service-storage \| Static Provisioning. Ignore if `persistence.enabled` is false

You can use the following command to install Usage Engine Private Edition:

Where <version> is the version of Usage Engine Private Edition to install, for example 4.0.0.

Check that all pods are running and that all pod containers become ready by running the following command:

This may take a little while

To get the Desktop Online web user interface hostname run the following command:

The output shows the FQDN hostname, IP address and port to access the desktop online user interface.

You should now be able to access the Desktop Online user interface at:
https://desktop-online.example-cluster.stratus.oci.digitalroute.net/
It may take a little while before the DNS record gets registered.

The Usage Engine Private Edition installation is now complete.

Other Common Installation Configurations

Bellow are a few common installation configurations for the Usage Engine Private Edition helm chart.

They should be seen as variations to the main installation example outlined above.

Persistent File Storage

If you have selected to prepare for persistent file storage, there are two different ways of configuring your Usage Engine Private Edition installation to use it.

Use Bundled OCI Specific PVC

Specifically for OCI, the Usage Engine Private Edition helm chart contains a bundled persistent volume claim. This persistent volume claim is using the fss-dyn-storage storage class. To enable it, set the following helm values:

Where the persistence.bundledClaim.storageRequest value is used to control the size of the requested storage (default is 1Gi).

You can use the following command to inspect the persistent volume claim that gets created as a result of setting the above helm values:

Reference Arbitrary PVC

Usage Engine Private Edition can be configured to reference an arbitrary persistent volume claim by setting the following helm values:

In this example, my-pvc is an arbitrary persistent volume claim that you have created before hand.

Usage Engine Private Edition 4 Documentation

Usage Engine Private Edition Installation - OCI (4.2)