Installing OpenIAM in a Kubernetes environment
The steps below guide you through deploying OpenIAM to a manually pre-installed AKS cluster. In this setup, all infrastructure services are internal.
Set Docker environment variables
Create an account on Dockerhub.
Export the following environment variables.
export DOCKER_REGISTRY=docker.io
export DOCKERHUB_USERNAME=******
export DOCKERHUB_PASSWORD=******
Replace the ****** with the corresponding values.
Install Helm
- Helm version to be installed is v3.3.4
https://github.com/helm/helm/releases/tag/v3.3.4
- For Linux systems, follow the instructions below.
- Download Helm from the following URL.
https://get.helm.sh/helm-v3.3.4-linux-amd64.tar.gz
- Unpack the file downloaded as follows.
tar -zxvf helm-v3.3.4-linux-amd64.tar.gz
- Find the Helm binary in the unpacked directory, and move it to its desired destination by running the following command.
mv linux-amd64/helm /usr/local/bin/helm
Install Terraform
- The version of Terraform should be 0.12.21.
https://releases.hashicorp.com/terraform/0.12.21/
- For Linux systems, run the following commands to install Terraform.
wget https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip
unzip terraform_0.12.21_linux_amd64.zip
sudo mv terraform /usr/local/bin/terraform
Kubernetes Version
We have tested our Terraform and Helm scripts with Kubernetes v1.25. Please use this version; no other versions are supported at this time.
Prerequisites
Vault
We use Vault in order to securely store secrets. Our applications use certificate based authentication in order to securely talk to Vault. Our images will generate a self-signed certificate to be used for Vault. However, if you would like to use your own certificate, you can perform the following steps.
- Get a public/private keypair from a valid CA, and put the files into the following locations:
.vault/vault.key (the private key)
.vault/vault.crt (the public certificate)
- Then, run the following commands.
. env.sh
openssl pkcs12 -export -in .vault/vault.crt -inkey .vault/vault.key -out .vault/vault.jks -password pass:${VAULT_KEYPASS}
If you are using Terraform, make sure that ${VAULT_KEYPASS} above matches vault.vaultKeyPassword in terraform.tfvars.
- Put all of the resulting files into openiam-configmap/.vault/, i.e. run the following.
cp .vault/vault.key openiam-configmap/.vault/
cp .vault/vault.crt openiam-configmap/.vault/
cp .vault/vault.jks openiam-configmap/.vault/
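Before packaging a CA-issued pair for Vault it is worth confirming that the key and certificate actually belong together and that the certificate is not about to expire; a mismatch only shows up later as a failed Vault handshake. The following script is an added example, not part of the OpenIAM documentation or project: it performs those two checks, then runs the same openssl pkcs12 command as above and copies the results into openiam-configmap/.vault/. It assumes OpenSSL is on PATH, that VAULT_KEYPASS is exported (the guide sources it from env.sh), and the .vault/ file layout given above; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not the OpenIAM project's code): validate a key/cert pair
# and build the PKCS12 keystore the guide names vault.jks.
# Assumptions: openssl on PATH; VAULT_KEYPASS exported via env.sh;
# files live at <dir>/vault.key and <dir>/vault.crt as in the guide.
set -euo pipefail

# Return 0 if the private key and the certificate carry the same public key.
vault_keypair_matches() {
    local key="$1" crt="$2"
    local key_pub crt_pub
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Return 0 if the certificate stays valid for at least `days` more days.
vault_cert_valid_for() {
    local crt="$1" days="${2:-30}"
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Build <dir>/vault.jks from <dir>/vault.key and <dir>/vault.crt, refusing to
# proceed on a mismatch or an expiring certificate. Prints the keystore path.
build_vault_keystore() {
    local dir="${1:-.vault}" pass="${2:-${VAULT_KEYPASS:?VAULT_KEYPASS is not set}}"
    local key="$dir/vault.key" crt="$dir/vault.crt" out="$dir/vault.jks"

    vault_keypair_matches "$key" "$crt" || { echo "key/cert mismatch in $dir" >&2; return 1; }
    vault_cert_valid_for "$crt" 30 || { echo "certificate expires within 30 days" >&2; return 1; }

    chmod 600 "$key"          # private key readable by the owner only
    umask 077                 # same for the keystore and any copies below
    openssl pkcs12 -export -in "$crt" -inkey "$key" -out "$out" -password "pass:$pass"
    echo "$out"
}

# Copy the three resulting files to where the configmap expects them.
install_vault_files() {
    local src="${1:-.vault}" dst="${2:-openiam-configmap/.vault}"
    mkdir -p "$dst"
    cp "$src/vault.key" "$src/vault.crt" "$src/vault.jks" "$dst/"
}

# Usage from the project directory (after `. env.sh`):
#   build_vault_keystore .vault && install_vault_files .vault openiam-configmap/.vault
```

The keystore written by openssl pkcs12 is a PKCS12 file despite the .jks name the guide uses; the checks above do not change that format, they only stop a wrong pair from reaching the pod.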
SMTP Server
You will need to set up an SMTP server. If running in AWS, you can use SES, which is very simple to set up. If you do not have a corporate SMTP server, there are numerous SMTP cloud services which you can use. Setting up SMTP is outside the scope of this document.
RabbitMQ TLS
You can optionally run RabbitMQ with TLS enabled.
Adding your own TLS Certificates to RabbitMQ
If you would like to use your own certificates with RabbitMQ, you will need to get a public/private keypair from a valid CA authority, and generate a JKS file. Please follow the instructions in the RabbitMQ TLS document.
Generating a self-signed certificate
You can also generate a self-signed certificate by running
./generate.rabbitmq.certs.sh
HTTPS certificates
When running in Kubernetes, we expose port 80, and 443 if https is enabled. Our Apache HTTPD server listens to these ports. To set up https, see our SSL document for a list of required files.
Set required values in env.sh
Set the APP_NAME variable in env.sh to a unique string. This is a unique identifier and will not be seen by end users. If you're running in AWS, set the OSS variable in env.sh to -oss.
Configure extra VHost and Apache configurations
You can optionally add 'extra' VHost and Apache configurations. To do that, simply modify .apache/extraVHost.conf and .apache/extraApache.conf as needed. These files are placed in /usr/local/apache2/conf/add in the rproxy pod.
Initialize and Setup
Run the setup script
./setup.sh
RabbitMQ
Exposing externally
To expose the RabbitMQ service externally, uncomment the following lines in rabbitmq.values.yaml.
# Uncomment to expose externally
# service:
#   type: LoadBalancer
#   clusterIP: None
Note that you will have to re-run setup.sh after doing this.
Deploying with Terraform
Deploying Kubernetes via Terraform is a recommended approach. The guide to do this can be found here.
Deploying without Terraform
You can deploy without using Terraform, but this method is much more complex, requires much more configuration, and is not recommended. In case deployment without Terraform is required, you can find the respective guide here.
Confirming successful deployment
Confirm that all pods are up and running with the following command.
kubectl get pods
Check the READY and STATUS columns for any pods that are not fully ready or are in a failed state. Example responses are given below.
Example of running pod
test100-esb-0 1/1 Running 0 2m3s
Example of failed pod
test100-esb-0 0/1 CrashLoopBackOff 4 2m3s
Debugging failed pods
If a certain pod fails, gather its logs for analysis as follows.
kubectl logs pods/<name_of_failed_pod>
Accessing your deployed instance
To access your deployed instance of OpenIAM, run the following command.
. env.sh
kubectl get "service/${APP_NAME}-rproxy"
The output of the above command will contain an EXTERNAL-IP column, as shown below.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
test100-rproxy LoadBalancer 172.20.27.78 a0375c89dd2ec11e98bca0648c64953f-439827441.us-west-2.elb.amazonaws.com 80:32468/TCP 3m57s
Curl the above URL.
curl -L "http://${EXTERNAL_IP_FROM_ABOVE}/webconsole"
You may want to add a CNAME
alias for the above URL, to make it more readable.
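The two checks above (every pod ready, rproxy service assigned an external address) are easy to script so they can run after each setup.sh or Terraform apply. The block below is an added example and is not part of the OpenIAM documentation or project: it parses the output of the guide's own kubectl commands, flags pods whose READY count is short or whose STATUS is not Running, and extracts the EXTERNAL-IP of the rproxy service (returning failure while it is still pending). The kubectl invocations are the guide's; the parsing functions, their names and the sample outputs embedded for testing are constructed here and modelled on the examples above.

```bash
#!/usr/bin/env bash
# Added example (not the OpenIAM project's code): post-deployment checks
# built on the guide's `kubectl get pods` and `kubectl get service` output.
set -euo pipefail

# Print "name status" for every pod that is not fully ready or not Running.
# Reads `kubectl get pods` output on stdin. Returns 0 if all pods are
# healthy, 1 otherwise. (Completed job pods would also be flagged.)
unhealthy_pods() {
    awk 'NR == 1 { next }                               # skip the header row
         {
             split($2, r, "/")                          # READY is "ready/total"
             if (r[1] != r[2] || $3 != "Running") { print $1, $3; bad = 1 }
         }
         END { exit bad ? 1 : 0 }'
}

# Print the EXTERNAL-IP value of the first service row on stdin
# (`kubectl get service/<name>` output). Returns 1 while the address is
# still <pending> or absent, so callers can poll until it is assigned.
rproxy_endpoint() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
         col && $col !~ /^<.*>$/ && $col != "" { print $col; found = 1; exit }
         END { exit found ? 0 : 1 }'
}

# Constructed sample output in the shape of the guide's examples; the
# CrashLoopBackOff row is invented for illustration.
SAMPLE_PODS='NAME            READY   STATUS             RESTARTS   AGE
test100-esb-0   1/1     Running            0          2m3s
test100-idm-0   0/1     CrashLoopBackOff   4          2m3s'

SAMPLE_SVC='NAME             TYPE           CLUSTER-IP     EXTERNAL-IP                                                              PORT(S)        AGE
test100-rproxy   LoadBalancer   172.20.27.78   a0375c89dd2ec11e98bca0648c64953f-439827441.us-west-2.elb.amazonaws.com   80:32468/TCP   3m57s'

# Live usage against a cluster (not run here; requires env.sh and kubectl):
#   kubectl get pods | unhealthy_pods || kubectl logs "pods/$(kubectl get pods | unhealthy_pods | head -1 | cut -d' ' -f1)"
#   . env.sh; ep=$(kubectl get "service/${APP_NAME}-rproxy" | rproxy_endpoint) && curl -L "http://$ep/webconsole"
```

Because unhealthy_pods returns non-zero on any bad pod, it slots directly into a wait loop or a CI gate; rproxy_endpoint's pending check avoids curling a literal "<pending>" hostname in the seconds before the cloud load balancer is provisioned.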
Switching Between Environments/Clients
We provide a convenient shell script, which saves off Terraform files to a specific location, or copies Terraform files from that location to this project.
Example on saving files
The following command will save the Terraform files from this project into /tmp/client_name/prod.
./terraform.client.sh save /tmp client_name prod
Example on using files
The following command will use the Terraform files from /tmp/client_name/prod.
./terraform.client.sh use /tmp client_name prod
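Since terraform.tfvars carries vault.vaultKeyPassword, the per-client copies that the save step writes under a shared location such as /tmp should not be world-readable. The block below is an added example and is not the project's terraform.client.sh: it is a hypothetical save/use pair with the same argument order (base directory, client, environment) that creates the copies with owner-only permissions. The page does not say which files the real script handles, so this version assumes terraform.tfvars and the terraform.tfstate files; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (hypothetical; not the project's terraform.client.sh):
# save/use Terraform files per client and environment with 0700/0600 modes.
# Assumption: the files to keep are terraform.tfvars and terraform.tfstate*;
# the guide does not list them.
set -euo pipefail

TF_CLIENT_FILES="terraform.tfvars terraform.tfstate terraform.tfstate.backup"

# tf_client_save <base_dir> <client> <env> [project_dir]
# Copies the project's Terraform files into <base_dir>/<client>/<env>
# and prints that path.
tf_client_save() {
    local base="$1" client="$2" envname="$3" project="${4:-.}"
    local dest="$base/$client/$envname" f
    (umask 077 && mkdir -p "$dest")        # new directories are created 0700
    chmod 700 "$base/$client" "$dest"      # the base itself (e.g. /tmp) is left alone
    for f in $TF_CLIENT_FILES; do
        [ -f "$project/$f" ] || continue
        cp "$project/$f" "$dest/$f"
        chmod 600 "$dest/$f"               # tfvars holds the Vault key password
    done
    echo "$dest"
}

# tf_client_use <base_dir> <client> <env> [project_dir]
# Copies the saved files for <client>/<env> back into the project directory.
# Fails if nothing was saved for that client/environment.
tf_client_use() {
    local base="$1" client="$2" envname="$3" project="${4:-.}"
    local src="$base/$client/$envname" f
    [ -d "$src" ] || { echo "no saved files at $src" >&2; return 1; }
    for f in $TF_CLIENT_FILES; do
        [ -f "$src/$f" ] || continue
        cp "$src/$f" "$project/$f"
        chmod 600 "$project/$f"
    done
}

# Usage mirroring the guide's commands:
#   tf_client_save /tmp client_name prod
#   tf_client_use  /tmp client_name prod
```

Restricting the client directory rather than only the files means a later copy made with a permissive umask is still shielded by the 0700 parent.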