Info |
---|
Skip these steps if you already have an Elasticsearch cluster for Aspire to use and go directly to Deploying Aspire 5. |
The current guide is based on ECK quickstart
Install custom resource definitions
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create -f https://download.elastic.co/downloads/eck/1.7.0/crds.yaml kubectl apply -f https://download.elastic.co/downloads/eck/1.7.0/operator.yaml |
Create a file called elasticsearch.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 7.9.2 nodeSets: - name: default count: 1 config: node.store.allow_mmap: false |
Deploy the Elasticsearch cluster
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f elasticsearch.yaml |
The password will be stored in the environment variable called "PASSWORD"
Code Block | ||||
---|---|---|---|---|
| ||||
PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}') |
Create a file called kibana.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: quickstart spec: version: 7.9.2 count: 1 elasticsearchRef: name: quickstart |
Deploy Kibana
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f kibana.yaml |
Expose Kibana's port locally
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward service/quickstart-kb-http 5601 |
Anchor | ||||
---|---|---|---|---|
|
(Optional) Upload Kibana Dashboards
Kibana's port should be forwared into localhost:5601 as of Step #6 on the Elasticsearch deployment instructions
The environment variable $PASSWORD should hold the elastic's user password as of Step #3 on the Elasticsearch deployment instructions.
Code Block | ||||
---|---|---|---|---|
| ||||
curl -u "elastic:$PASSWORD" -k -F 'file=@/path/to/export.ndjson' \ -H 'kbn-xsrf:reporting' \ "https://localhost:5601/api/saved_objects/_import?overwrite=true" |
Replace <EMAIL> and <PASSWORD> with your registered email and password
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret docker-registry regcred \ --docker-server=docker.repository.sca.accenture.com \ --docker-username=<EMAIL> \ --docker-password=<PASSWORD>\ --docker-email=<EMAIL> |
Create file called aspire-config.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1 kind: ConfigMap metadata: name: aspire-config data: aspire_noSql_elastic_server: https://quickstart-es-http:9200 aspire_noSql_elastic_user: elastic aspire_noSql_elastic_authentication_basic: "true" com_accenture_aspire_ssl_trustAll: "true" |
Note |
---|
The com_accenture_aspire_ssl_trustAll is not recommended to be set as true in production environments, the recommended way is to import the untrusted certificate into a Java Key Store (see Configuring a Certificate Store) and then importing using the com_accenture_aspire_ssl_truststore_file property (see SSL Certificates Properties). |
Deploy ConfigMap
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-config.yaml |
Create a secret containing your settings.json and AspireLicense.lic files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-license-settings \ --from-file=/path/to/AspireLicense.lic \ --from-file=/path/to/config/settings.json |
Create a file called aspire-upload-job.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: batch/v1
kind: Job
metadata:
name: aspire-upload
spec:
template:
spec:
containers:
- name: aspire-upload-reg-pod
image: docker.repository.sca.accenture.com/docker/aspire:5.0-rc
command: [ "/bin/bash", "-c", "./opt/aspire/upload-license-settings.sh" ]
env:
- name: ASPIRE_LICENSE_PATH
value: /tmp/AspireLicense.lic
- name: ASPIRE_SETTINGS_PATH
value: /tmp/settings.json
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
envFrom:
- configMapRef:
name: aspire-config
volumeMounts:
- name: license-settings-secret
mountPath: /tmp
volumes:
- name: license-settings-secret
secret:
secretName: aspire-license-settings
restartPolicy: Never
imagePullSecrets:
- name: regcred
backoffLimit: 4 |
Run job
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-upload-job.yaml |
Wait until it has uploaded the files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl logs -f |
Create a random 32 bytes file which will be your key
Code Block | ||||
---|---|---|---|---|
| ||||
head -c 32 /dev/urandom > encryption.key |
Create the secret using the encryption.key file
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key |
Create Kubernetes ConfigMap holding the CA and Java Keystore with the certificate for the Aspire servers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key --from-file myKeystore.jks |
Create file called aspire-managers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
kind: Service
metadata:
name: aspire-managers
labels:
app: aspire-managers
spec:
ports:
- port: 50505
name: aspire-manager
clusterIP: None
selector:
app: aspire-managers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: aspire-manager
spec:
selector:
matchLabels:
app: aspire-managers # has to match .spec.template.metadata.labels
serviceName: "aspire-managers"
replicas: 1 # by default is 1
template:
metadata:
labels:
app: aspire-managers # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: aspire-managers
image: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc
resources:
requests:
memory: "4Gi"
cpu: 2
limits:
memory: "4Gi"
cpu: 2
ports:
- containerPort: 50505
name: aspire-manager
env:
- name: ASPIRE_MANAGER_NODE
value: 'true'
- name: aspire_max_heap_memory
value: '4g'
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
- name: aspire_encryption_key_file
value: '/opt/aspire/encryption/encryption.key'
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: ASPIRE_SSL_KEYSTORE_PASS
# value: '123456'
# - name: ASPIRE_SSL_KEYSTORE
# value: '/opt/aspire/tls/myKeystore.jks'
# - name: ASPIRE_SSL_CA
# value: '/opt/aspire/tls/ca.crt'
# - name: aspire_security_https_only
# value: 'true'
envFrom:
- configMapRef:
name: aspire-config
volumeMounts:
- name: encryption-key
mountPath: /opt/aspire/encryption
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# mountPath: /opt/aspire/tls
# readOnly: true
command: ["/bin/bash"]
args:
- -c
- >-
export com_accenture_aspire_server_hostname=$(hostname -f) &&
./opt/aspire/entrypoint.sh
volumes:
- name: encryption-key
secret:
secretName: aspire-encryption-key
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# secret:
# secretName: aspire-certs
imagePullSecrets:
- name: regcred
|
Deploy managers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-managers.yaml |
Create file called aspire-workers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1
kind: Service
metadata:
name: aspire-workers
labels:
app: aspire-workers
spec:
ports:
- port: 50505
name: aspire-worker
clusterIP: None
selector:
app: aspire-workers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: aspire-worker
spec:
selector:
matchLabels:
app: aspire-workers # has to match .spec.template.metadata.labels
serviceName: "aspire-workers"
replicas: 2 # by default is 1
template:
metadata:
labels:
app: aspire-workers # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: aspire-workers
image: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc
resources:
requests:
memory: "8Gi"
cpu: 2
limits:
memory: "16Gi"
cpu: 4
ports:
- containerPort: 50505
name: aspire-worker
env:
- name: ASPIRE_WORKER_NODE
value: 'true'
- name: aspire_max_heap_memory
value: '16g'
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
- name: aspire_encryption_key_file
value: '/opt/aspire/encryption/encryption.key'
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: ASPIRE_SSL_KEYSTORE_PASS
# value: '123456'
# - name: ASPIRE_SSL_KEYSTORE
# value: '/opt/aspire/tls/myKeystore.jks'
# - name: ASPIRE_SSL_CA
# value: '/opt/aspire/tls/ca.crt'
# - name: aspire_security_https_only
# value: 'true'
envFrom:
- configMapRef:
name: aspire-config
volumeMounts:
- name: encryption-key
mountPath: /opt/aspire/encryption
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# mountPath: /opt/aspire/tls
# readOnly: true
command: ["/bin/bash"]
args:
- -c
- >-
export com_accenture_aspire_server_hostname=$(hostname -f) &&
./opt/aspire/entrypoint.sh
volumes:
- name: encryption-key
secret:
secretName: aspire-encryption-key
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# secret:
# secretName: aspire-certs
imagePullSecrets:
- name: regcred
|
Deploy workers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-workers.yaml |
Expose Manager port
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward pod/aspire-manager-0 50505 |