When deploying Aspire in a Kubernetes cluster.

Prerequisites

The current guide assumes you have a working Kubernetes cluster, and access to it via kubectl and a bash terminal.

If using AWS Elasticsearch service, skip the Elasticsearch/Kibana section and modify the Aspire ConfigMap section according to Elasticsearch NoSQL Provider Properties.

Step-by-step guide

Deploy Elasticsearch and Kibana.

Info

Skip these steps if you already have an Elasticsearch cluster for Aspire to use and go directly to Deploying Aspire 5.

This guide is based on the ECK quickstart.

  1. Install custom resource definitions

    kubectl create -f https://download.elastic.co/downloads/eck/1.7.0/crds.yaml
    kubectl apply -f https://download.elastic.co/downloads/eck/1.7.0/operator.yaml
  2. Deploy Elasticsearch cluster (single node)
    1. Create a file called elasticsearch.yaml

      apiVersion: elasticsearch.k8s.elastic.co/v1
      kind: Elasticsearch
      metadata:
        name: quickstart
      spec:
        version: 7.9.2
        nodeSets:
        - name: default
          count: 1
          config:
            node.store.allow_mmap: false
    2. Deploy the Elasticsearch cluster

      kubectl apply -f elasticsearch.yaml
  3. Obtain Basic Authentication password
    1. The password will be stored in the environment variable called "PASSWORD"

      PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
  4. Deploy Kibana cluster
    1. Create a file called kibana.yaml

      apiVersion: kibana.k8s.elastic.co/v1
      kind: Kibana
      metadata:
        name: quickstart
      spec:
        version: 7.9.2
        count: 1
        elasticsearchRef:
          name: quickstart
    2. Deploy Kibana

      kubectl apply -f kibana.yaml
  5. Expose Kibana's port locally

    kubectl port-forward service/quickstart-kb-http 5601
  6. Browse to Kibana at https://localhost:5601/ (HTTPS warnings will appear in the browser because of the self-signed certificates that Elasticsearch and Kibana generate)
    1. Log in using username "elastic" and the password obtained at step #3.

Deploy Aspire 5

  1. (Optional) Upload Kibana Dashboards

    1. Download export.ndjson
    2. Kibana's port should be forwarded to localhost:5601, as in Step #6 of the Elasticsearch deployment instructions

    3. The environment variable $PASSWORD should hold the elastic user's password, as in Step #3 of the Elasticsearch deployment instructions.

      curl -u "elastic:$PASSWORD" -k -F 'file=@/path/to/export.ndjson' \
       -H 'kbn-xsrf:reporting' \
       "https://localhost:5601/api/saved_objects/_import?overwrite=true"
  2. Create a Kubernetes secret for connecting to the SCA Docker registry
    1. Replace <EMAIL> and <PASSWORD> with your registered email and password

      kubectl create secret docker-registry regcred \
      --docker-server=docker.repository.sca.accenture.com \
      --docker-username=<EMAIL> \
      --docker-password=<PASSWORD> \
      --docker-email=<EMAIL>
  3. Create Aspire ConfigMap
    1. Holds common configuration options for your Aspire 5 deployment.
    2. Create file called aspire-config.yaml

      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: aspire-config
      data:
        aspire_noSql_elastic_server: https://quickstart-es-http:9200
        aspire_noSql_elastic_user: elastic
        aspire_noSql_elastic_authentication_basic: "true"
        com_accenture_aspire_ssl_trustAll: "true"
      Note

      Setting com_accenture_aspire_ssl_trustAll to true is not recommended in production environments. The recommended approach is to import the untrusted certificate into a Java Key Store (see Configuring a Certificate Store) and then reference that store with the com_accenture_aspire_ssl_truststore_file property (see SSL Certificates Properties).

    3. Deploy ConfigMap

      kubectl apply -f aspire-config.yaml
  4. Upload License and Settings to Elasticsearch

    1. Create a secret containing your settings.json and AspireLicense.lic files

      kubectl create secret generic aspire-license-settings \
      --from-file=/path/to/AspireLicense.lic \
      --from-file=/path/to/config/settings.json
    2. Create a file called aspire-upload-job.yaml

      apiVersion: batch/v1
      kind: Job
      metadata:
        name: aspire-upload
      spec:
        template:
          spec:
            containers:
             - name: aspire-upload-reg-pod
               image: docker.repository.sca.accenture.com/docker/aspire:5.0-rc
               command: [ "/bin/bash", "-c", "./opt/aspire/upload-license-settings.sh" ]
               env:
                - name: ASPIRE_LICENSE_PATH
                  value: /tmp/AspireLicense.lic
                - name: ASPIRE_SETTINGS_PATH
                  value: /tmp/settings.json
                - name: aspire_noSql_elastic_password
                  valueFrom:
                    secretKeyRef:
                      name: quickstart-es-elastic-user
                      key: elastic
               envFrom:
                 - configMapRef:
                     name: aspire-config
               volumeMounts:
                 - name: license-settings-secret
                   mountPath: /tmp
            volumes:
              - name: license-settings-secret
                secret:
                  secretName: aspire-license-settings
      
            restartPolicy: Never
            imagePullSecrets:
              - name: regcred
        backoffLimit: 4
    3. Run job

      kubectl apply -f aspire-upload-job.yaml
    4. Wait until it has uploaded the files

      kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl logs -f
  5. Create a Kubernetes secret for the Aspire cluster-wide encryption key
    1. Create a random 32-byte file, which will be your key

      head -c 32 /dev/urandom > encryption.key
    2. Create the secret using the encryption.key file

      kubectl create secret generic aspire-encryption-key --from-file=encryption.key
  6. (Optional) Generate Certificates
    1. Generate self-signed certificates by following the steps at Configuring Certificates. Also make sure to generate a Java Keystore.
      1. Create 2 certificates, one for the FQDN of each subdomain:
        1. *.aspire-managers.default.svc.cluster.local → import it into managers.jks
        2. *.aspire-workers.default.svc.cluster.local → import it into workers.jks
      2. If you have custom certificates, just import them into a Java keystore. If the certificates are trusted, the CA's certificates are not needed.
    2. Create a Kubernetes secret holding the CA and the Java Keystore with the certificate for the Aspire servers

      kubectl create secret generic aspire-certs --from-file=ca.crt --from-file=myKeystore.jks
  7. Deploy Managers
    1. Create file called aspire-managers.yaml

      apiVersion: v1
      kind: Service
      metadata:
        name: aspire-managers
        labels:
          app: aspire-managers
      spec:
        ports:
        - port: 50505
          name: aspire-manager
        clusterIP: None
        selector:
          app: aspire-managers
      ---
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: aspire-manager
      spec:
        selector:
          matchLabels:
            app: aspire-managers # has to match .spec.template.metadata.labels
        serviceName: "aspire-managers"
        replicas: 1 # by default is 1
        template:
          metadata:
            labels:
              app: aspire-managers # has to match .spec.selector.matchLabels
          spec:
            terminationGracePeriodSeconds: 10
            containers:
              - name: aspire-managers
                image: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc
                resources:
                  requests:
                    memory: "2048Mi"
                    cpu: 1
                  limits:
                    memory: "4096Mi"
                    cpu: 2
                ports:
                  - containerPort: 50505
                    name: aspire-manager
                env:
                  - name: ASPIRE_MANAGER_NODE
                    value: 'true'
                  - name: aspire_noSql_elastic_password
                    valueFrom:
                      secretKeyRef:
                        name: quickstart-es-elastic-user
                        key: elastic
                  - name: aspire_encryption_key_file
                    value: '/opt/aspire/encryption/encryption.key'
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #            - name: ASPIRE_SSL_KEYSTORE_PASS
      #              value: '123456'
      #            - name: ASPIRE_SSL_KEYSTORE
      #              value: '/opt/aspire/tls/myKeystore.jks'
      #            - name: ASPIRE_SSL_CA
      #              value: '/opt/aspire/tls/ca.crt'
      #            - name: aspire_security_https_only
      #              value: 'true'
                envFrom:
                  - configMapRef:
                      name: aspire-config
                volumeMounts:
                  - name: encryption-key
                    mountPath: /opt/aspire/encryption
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #            - name: tls-certs
      #              mountPath: /opt/aspire/tls
      #              readOnly: true
                command: ["/bin/bash"]
                args:
                  - -c
                  - >-
                      export com_accenture_aspire_server_hostname=$(hostname -f) &&
                      ./opt/aspire/entrypoint.sh
            volumes:
              - name: encryption-key
                secret:
                  secretName: aspire-encryption-key
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #        - name: tls-certs
      #          secret:
      #            secretName: aspire-certs
            imagePullSecrets:
              - name: regcred
    2. Deploy managers

      kubectl apply -f aspire-managers.yaml
  8. Deploy Workers
    1. Create file called aspire-workers.yaml

      apiVersion: v1
      kind: Service
      metadata:
        name: aspire-workers
        labels:
          app: aspire-workers
      spec:
        ports:
        - port: 50505
          name: aspire-worker
        clusterIP: None
        selector:
          app: aspire-workers
      ---
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: aspire-worker
      spec:
        selector:
          matchLabels:
            app: aspire-workers # has to match .spec.template.metadata.labels
        serviceName: "aspire-workers"
        replicas: 2 # by default is 1
        template:
          metadata:
            labels:
              app: aspire-workers # has to match .spec.selector.matchLabels
          spec:
            terminationGracePeriodSeconds: 10
            containers:
              - name: aspire-workers
                image: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc
                resources:
                  requests:
                    memory: "4096Mi"
                    cpu: 2
                  limits:
                    memory: "8096Mi"
                    cpu: 4
                ports:
                  - containerPort: 50505
                    name: aspire-worker
                env:
                  - name: ASPIRE_WORKER_NODE
                    value: 'true'
                  - name: aspire_noSql_elastic_password
                    valueFrom:
                      secretKeyRef:
                        name: quickstart-es-elastic-user
                        key: elastic
                  - name: aspire_encryption_key_file
                    value: '/opt/aspire/encryption/encryption.key'
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #            - name: ASPIRE_SSL_KEYSTORE_PASS
      #              value: '123456'
      #            - name: ASPIRE_SSL_KEYSTORE
      #              value: '/opt/aspire/tls/myKeystore.jks'
      #            - name: ASPIRE_SSL_CA
      #              value: '/opt/aspire/tls/ca.crt'
      #            - name: aspire_security_https_only
      #              value: 'true'
                envFrom:
                  - configMapRef:
                      name: aspire-config
                volumeMounts:
                  - name: encryption-key
                    mountPath: /opt/aspire/encryption
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #            - name: tls-certs
      #              mountPath: /opt/aspire/tls
      #              readOnly: true
                command: ["/bin/bash"]
                args:
                  - -c
                  - >-
                      export com_accenture_aspire_server_hostname=$(hostname -f) &&
                      ./opt/aspire/entrypoint.sh
            volumes:
              - name: encryption-key
                secret:
                  secretName: aspire-encryption-key
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      #        - name: tls-certs
      #          secret:
      #            secretName: aspire-certs
            imagePullSecrets:
              - name: regcred
    2. Deploy workers

      kubectl apply -f aspire-workers.yaml
  9. Expose Manager port

    kubectl port-forward pod/aspire-manager-0 50505
  10. Browse to Aspire Admin UI at http://localhost:50505
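
The following pre-deploy check is an added example, not part of the Aspire documentation. It scans a manifest for com_accenture_aspire_ssl_trustAll set to "true" and for a literal value in a password variable such as ASPIRE_SSL_KEYSTORE_PASS (instead of the secretKeyRef pattern used for aspire_noSql_elastic_password), and checks that the encryption.key file from step 5 is 32 bytes and accessible only to its owner. The function names and the sample manifest are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-deploy checks for the files created in this guide.
# Function names and the sample manifest are illustrative, not Aspire tooling.

# Flag risky settings in a manifest. Prints one finding per line; returns 1 if any.
check_manifest() {
  awk '
    /^[ \t]*#/ { next }                     # commented-out settings are inactive
    /com_accenture_aspire_ssl_trustAll:[ \t]*"?true/ {
      printf "line %d: trustAll enabled\n", NR; bad = 1
    }
    /^[ \t]*-[ \t]*name:/ {                 # remember the current env var name
      name = $0; sub(/^.*name:[ \t]*/, "", name); next
    }
    /^[ \t]*value:/ {                       # literal value; valueFrom: does not match
      if (tolower(name) ~ /pass/) {
        printf "line %d: literal secret in %s\n", NR, name; bad = 1
      }
      name = ""
    }
    END { exit bad }
  ' "$1"
}

# Check the cluster-wide key from step 5: exactly 32 bytes, owner-only access.
check_key_file() {
  size=$(wc -c < "$1" | tr -d ' ')
  mode=$(ls -ld "$1" | cut -c5-10)          # group and other permission bits
  [ "$size" -eq 32 ] || { echo "key is $size bytes, expected 32"; return 1; }
  [ "$mode" = "------" ] || { echo "key accessible beyond owner"; return 1; }
}

# Constructed sample: the guide's ConfigMap data plus the optional HTTPS
# variable as it looks once uncommented.
sample_manifest() {
  cat <<'EOF'
data:
  aspire_noSql_elastic_user: elastic
  com_accenture_aspire_ssl_trustAll: "true"
---
env:
  - name: aspire_noSql_elastic_password
    valueFrom:
      secretKeyRef:
        name: quickstart-es-elastic-user
        key: elastic
  - name: ASPIRE_SSL_KEYSTORE_PASS
    value: '123456'
  - name: aspire_encryption_key_file
    value: '/opt/aspire/encryption/encryption.key'
EOF
}

# When given a manifest path, check it (for example before kubectl apply).
if [ "$#" -gt 0 ]; then check_manifest "$1"; fi
```

Creating encryption.key under `umask 077` makes the key check pass; with a typical default umask the file is also readable by group and others.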