Info |
---|
Skip these steps if you already have an Elasticsearch cluster for Aspire to use and go directly to Deploying Aspire 5. |
The current guide below is based on ECK quickstart. If you need a production deployment or a more detailed process description, please refer to:
Run Elasticsearch on ECK | Elastic Cloud on Kubernetes [master] | Elastic
Node configuration | Elastic Cloud on Kubernetes [master] | Elastic
Install custom resource definitions
Code Block | |
---|---|
|
Install custom resource definitions
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create -f https://download.elastic.co/downloads/eck/1.7.0/crds.yaml kubectl apply -f https://download.elastic.co/downloads/eck/1.7.0/operator.yaml |
Create a file called elasticsearch.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: elasticsearch.k8s.elastic.co/v1 kind: Elasticsearch metadata: name: quickstart spec: version: 7.9.2 nodeSets: - name: default count: 1 config: node.store.allow_mmap: false |
Deploy the Elasticsearch cluster
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f elasticsearch.yaml |
The password will be stored in the environment variable called "PASSWORD"
Code Block | ||||
---|---|---|---|---|
| ||||
PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}') |
Create a file called kibana.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: kibana.k8s.elastic.co/v1 kind: Kibana metadata: name: quickstart spec: version: 7.9.2 count: 1 elasticsearchRef: name: quickstart |
Deploy Kibana
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f kibana.yaml |
Expose Kibana's port locally
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward service/quickstart-kb-http 5601 |
Anchor | ||||
---|---|---|---|---|
|
(Optional) Upload Kibana Dashboards
Kibana's port should be forwared forwarded into localhost:5601 as of Step #6 on the Elasticsearch deployment instructions
The environment variable $PASSWORD should hold the elastic's user password as of Step #3 on the Elasticsearch deployment instructions.
Code Block | ||||
---|---|---|---|---|
| ||||
curl -u "elastic:$PASSWORD" -k -F 'file=@/path/to/export.ndjson' \ -H 'kbn-xsrf:reporting' \ "https://localhost:5601/api/saved_objects/_import?overwrite=true" |
Replace <EMAIL> and <PASSWORD> with your registered email and password
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret docker-registry regcred \ --docker-server=docker.repository.sca.accenture.com \ --docker-username=<EMAIL> \ --docker-password=<PASSWORD>\ --docker-email=<EMAIL> |
Create a file called aspire-config.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1 kind: ConfigMap metadata: name: aspire-config data: aspire_noSql_elastic_server: https://quickstart-es-http:9200 aspire_noSql_elastic_user: elastic aspire_noSql_elastic_authentication_basic: "true" com_accenture_aspire_ssl_trustAll: "true" |
Note |
---|
The com_accenture_aspire_ssl_trustAll is not recommended to be set as true in production environments, the recommended way is to import the untrusted certificate into a Java Key Store (see Configuring a Certificate Store) and then importing using the com_accenture_aspire_ssl_truststore_file property (see SSL Certificates Properties). |
Deploy ConfigMap
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-config.yaml |
Create a
secret containing your settings.json and AspireLicense.lic files
Code Block | |
---|---|
|
|
kubectl create secret generic aspire- |
license-settings \
--from-file=/path/to/AspireLicense.lic \
--from-file=/path/to/config/settings.json |
Create a file called aspire-upload-job.yaml
Note |
---|
When using a non local kubernetes cluster, make sure to change the image url to where the images are hosted. |
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: batch/v1
kind: Job
metadata:
name: aspire-upload
spec:
template:
|
spec: containers: - name: aspire-upload-reg-pod image: docker.repository.sca.accenture.com/docker/aspire:5.2. |
2 command: [ "/bin/bash", "-c", " |
./opt/aspire/upload-license-settings.sh" ]
env:
- name: ASPIRE_LICENSE_PATH
value: /tmp/AspireLicense.lic
- name: ASPIRE_SETTINGS_PATH
value: /tmp/settings.json
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
envFrom:
- configMapRef:
name: aspire-config
|
|
|
volumeMounts: |
- name: |
license-settings-secret |
|
Run job
language | bash |
---|---|
theme | RDark |
|
|
|
Immediately after running the job, you will have 2 minutes to copy the AspireLicense.lic and settings.json into the /tmp folder on the aspire-upload pod.
language | bash |
---|---|
theme | RDark |
|
|
|
|
|
|
mountPath: /tmp volumes: - name: license-settings-secret secret: secretName: aspire-license-settings restartPolicy: Never imagePullSecrets: - name: regcred backoffLimit: 4 |
Run job
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-upload-job.yaml |
Wait until it has uploaded the files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl logs -f |
Create a random 32 bytes file which will be your key
Code Block | ||||
---|---|---|---|---|
| ||||
head -c 32 /dev/urandom > encryption.key |
Create the secret using the encryption.key file
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key |
Create Kubernetes ConfigMap holding the CA and Java Keystore with the certificate for the Aspire servers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key --from-file myKeystore.jks |
Create a file called aspire-managers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1
kind: Service
metadata:
name: aspire-managers
labels:
app: aspire-managers
spec:
ports:
- port: 50505
name: aspire-manager
clusterIP: None
selector:
app: aspire-managers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: aspire-manager
spec:
selector:
matchLabels:
app: aspire-managers # has to match .spec.template.metadata.labels
serviceName: "aspire-managers"
replicas: 1 # by default is 1
template:
metadata:
labels:
app: aspire-managers # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: aspire-managers
image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
resources:
requests:
memory: "4Gi"
cpu: 2
limits:
memory: "4Gi"
cpu: 2
ports:
- containerPort: 50505
name: aspire-manager
env:
- name: ASPIRE_MANAGER_NODE
value: 'true'
- name: aspire_max_heap_memory
value: '4g'
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
- name: aspire_encryption_key_file
value: '/opt/aspire/encryption/encryption.key'
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: ASPIRE_SSL_KEYSTORE_PASS
# value: '123456'
# - name: ASPIRE_SSL_KEYSTORE
# value: '/opt/aspire/tls/myKeystore.jks'
# - name: ASPIRE_SSL_CA
# value: '/opt/aspire/tls/ca.crt'
# - name: aspire_security_https_only
# value: 'true'
envFrom:
- configMapRef:
name: aspire-config
volumeMounts:
- name: encryption-key
mountPath: /opt/aspire/encryption
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# mountPath: /opt/aspire/tls
# readOnly: true
command: ["/bin/bash"]
args:
- -c
- >-
export com_accenture_aspire_server_hostname=$(hostname -f) &&
./opt/aspire/entrypoint.sh
volumes:
- name: encryption-key
secret:
secretName: aspire-encryption-key
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# secret:
# secretName: aspire-certs
imagePullSecrets |
Wait until it has uploaded the files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl -f log |
Create file called aspire-managers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
kind: Service metadata: name: aspire-managers labels: app: aspire-managers spec: ports: - port: 50505 name: aspire-manager clusterIP: None selector: app: aspire-managers --- apiVersion: apps/v1 kind: StatefulSet metadata: name: aspire-manager spec: selector: matchLabels: app: aspire-managers # has to match .spec.template.metadata.labels serviceName: "aspire-managers" replicas: 1 # by default is 1 template: metadata: labels: app: aspire-managers # has to match .spec.selector.matchLabels spec: terminationGracePeriodSeconds: 10 containers: - name: aspire-managersregcred |
Deploy managers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-managers.yaml |
Create a file called aspire-workers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1 kind: Service metadata: name: aspire-workers labels:image: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc resources: requests: memory: "2048Mi" app: aspire-workers spec: ports: - port: 50505 cpuname: 1aspire-worker clusterIP: None selector: app: aspire-workers --- apiVersion: limitsapps/v1 kind: StatefulSet metadata: name: aspire-worker spec: selector: memory: "4096Mi"matchLabels: app: aspire-workers # has to match .spec.template.metadata.labels cpuserviceName: 2"aspire-workers" replicas: 2 # by default is 1 portstemplate: metadata: - containerPort: 50505 labels: nameapp: aspire-manager workers # has to match .spec.selector.matchLabels envspec: terminationGracePeriodSeconds: 10 - name: ASPIRE_MANAGER_NODEcontainers: value: 'true'- name: aspire-workers - nameimage: aspire_noSql_elastic_passworddocker.repository.sca.accenture.com/docker/aspire:5.2.2 valueFromresources: requests: secretKeyRef: memory: "8Gi" name: quickstart-es-elastic-user cpu: 2 keylimits: elastic envFrom: memory: "16Gi" - configMapRef: cpu: 4 nameports: aspire-config command - containerPort: ["/bin/bash"] 50505 args: name: aspire-worker - -cenv: - >- name: ASPIRE_WORKER_NODE export com_accenture_aspire_server_hostname=$(hostname -f) &&value: 'true' - ./opt/aspire/entrypoint.shname: aspire_max_heap_memory imagePullSecrets: - name: regcred |
Deploy managers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-managers.yaml |
Create file called aspire-workers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1 kind: Service metadata: name: aspire-workers labels: app: aspire-workers spec: ports: - port: 50505 name: aspire-worker clusterIP: None selector: app: aspire-workers --- apiVersion: apps/v1 kind: StatefulSet metadata: name: aspire-worker spec: selector: matchLabels: app: aspire-workers # has to match .spec.template.metadata.labels serviceName: "aspire-workers" replicas: 2 # by default is 1 template: metadata: labels: app: aspire-workers # has to match .spec.selector.matchLabels spec: terminationGracePeriodSeconds: 10 containers: value: '16g' - name: aspire_noSql_elastic_password valueFrom: secretKeyRef: name: quickstart-es-elastic-user key: elastic - name: aspire_encryption_key_file value: '/opt/aspire/encryption/encryption.key' # Optional if HTTPS is required for the Aspire UI and REST endpoints # - name: ASPIRE_SSL_KEYSTORE_PASS # value: '123456' # - name: aspire-workers ASPIRE_SSL_KEYSTORE # image value: docker.repository.sca.accenture.com/docker/aspire-basic:5.0-rc resources: '/opt/aspire/tls/myKeystore.jks' # requests: - name: ASPIRE_SSL_CA # memoryvalue: "4096Mi" '/opt/aspire/tls/ca.crt' # - cpuname: 2 aspire_security_https_only # limits: value: 'true' envFrom: memory: "8096Mi" - configMapRef: cpu: 4 ports: name: aspire-config - containerPortvolumeMounts: 50505 - name: aspireencryption-workerkey env: - name: ASPIRE_WORKER_NODE mountPath: /opt/aspire/encryption # Optional if HTTPS is required for the Aspire UI and REST endpoints # - valuename: 'true' tls-certs # - namemountPath: aspire_noSql_elastic_password /opt/aspire/tls # valueFromreadOnly: true command: ["/bin/bash"] secretKeyRef: args: name:- quickstart-es-elastic-userc key: elastic - >- envFrom: export com_accenture_aspire_server_hostname=$(hostname -f) configMapRef:&& name: aspire-config./opt/aspire/entrypoint.sh volumes: command: ["/bin/bash"] - name: encryption-key argssecret: secretName: aspire- encryption-ckey # Optional if HTTPS is required for the Aspire UI and -REST >-endpoints # - name: tls-certs # export com_accenture_aspire_server_hostname=$(hostname -f) && secret: # ./opt/aspire/entrypoint.sh secretName: aspire-certs imagePullSecrets: - name: regcred |
Deploy workers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-workers.yaml |
Expose Manager port
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward pod/aspire-manager-0 505050505 |