...
See ECK quickstart on how to deploy Elasticsearch / Kibana on Kubernetes.
If using HTTPS on elasticsearch, make sure the certificate is signed by a Trusted CA, otherwise you would need to have access to its CA certificate, and import it into a JKS for Aspire to trust. See Enable HTTPS for instructions on how to import a certificate authority.
...
...
...
...
Info |
---|
Skip these steps if you already have an Elasticsearch cluster for Aspire to use |
...
and go directly to Deploying Aspire 5. |
The guide below is based on ECK quickstart
...
Install custom resource definitions
. If you need a production deployment or a more detailed process description, please refer to:
Run Elasticsearch on ECK | Elastic Cloud on Kubernetes [master] | Elastic
Node configuration | Elastic Cloud on Kubernetes [master] | Elastic
Install custom resource definitions
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create -f https://download.elastic.co/downloads/eck/1.7.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/1.7.0/operator.yaml |
Create a file called elasticsearch.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: quickstart
spec:
version: 7.9.2
nodeSets:
- name: default
count: 1
config:
node.store.allow_mmap: false |
Deploy the Elasticsearch cluster
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f elasticsearch.yaml |
The password will be stored in the environment variable called "PASSWORD"
Code Block | ||||
---|---|---|---|---|
| ||||
PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}') |
Create a file called kibana.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
name: quickstart
spec:
version: 7.9.2
count: 1
elasticsearchRef:
name: quickstart |
Deploy Kibana
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f kibana.yaml |
Expose Kibana's port locally
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward service/quickstart-kb-http 5601 |
...
...
Anchor | ||||
---|---|---|---|---|
|
(Optional) Upload Kibana Dashboards
Kibana's port should be
...
forwarded into localhost:5601 as of Step #6 on the Elasticsearch deployment instructions
The environment variable $PASSWORD should hold the elastic's user password as of Step #3 on the Elasticsearch deployment instructions.
Code Block | ||||
---|---|---|---|---|
| ||||
curl -u "elastic:$PASSWORD" -k -F 'file=@/path/to/export.ndjson' \ -H 'kbn-xsrf:reporting' \ "https://localhost:5601/api/saved_objects/_import?overwrite=true" |
...
Replace <EMAIL> and <PASSWORD> with your registered email and password
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret docker-registry regcred \
--docker-server=docker.repository.sca.accenture.com \
--docker-username=<EMAIL> \
--docker-password=<PASSWORD>\
--docker-email=<EMAIL> |
Create a file called aspire-config.yaml
Code Block | ||||
---|---|---|---|---|
|
...
| ||||||
apiVersion: v1
kind: ConfigMap
metadata:
name: aspire-config
data:
aspire_noSql_elastic_server: https://quickstart-es-http:9200
aspire_noSql_elastic_user: elastic
aspire_noSql_elastic_authentication_basic: "true"
com_accenture_aspire_ssl_trustAll: "true" |
...
Deploy ConfigMap
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-config.yaml |
Note |
---|
The com_accenture_aspire_ssl_trustAll is not recommended to be set as true in production environments, the recommended way is to import the untrusted certificate into a Java Key Store (see Configuring a Certificate Store) and then importing using the com_accenture_aspire_ssl_truststore_file property (see SSL Certificates Properties). |
Deploy ConfigMap
...
Code Block | |
---|---|
|
...
|
...
kubectl apply -f aspire-config.yaml |
Create a secret containing your settings.json and AspireLicense.lic files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-license-settings \
--from-file=/path/to/AspireLicense.lic \
--from-file=/path/to/config/settings.json |
Create a file called aspire-upload-job.yaml
Note |
---|
When using a non local kubernetes cluster, make sure to change the image url to where the images are hosted. |
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: batch/v1
kind: Job
metadata:
name: aspire-upload
spec:
template:
spec:
containers:
- name: aspire-upload-reg-pod
image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
command: [ "/bin/bash", "-c", "./opt/aspire/upload-license-settings.sh" ]
env:
- name: ASPIRE_LICENSE_PATH
value: /tmp/AspireLicense.lic
- name: ASPIRE_SETTINGS_PATH
value: /tmp/settings.json
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
envFrom:
- configMapRef:
name: aspire-config
volumeMounts:
- name: license-settings-secret
mountPath: /tmp
volumes:
- name: license-settings-secret
secret:
secretName: aspire-license-settings
restartPolicy: Never
imagePullSecrets:
- name: regcred
backoffLimit: 4 |
Run job
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-upload-job.yaml |
Wait until it has uploaded the files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl logs -f |
Create a random 32 bytes file which will be your key
Code Block | ||||
---|---|---|---|---|
| ||||
head -c 32 /dev/urandom > encryption.key |
Create the secret using the encryption.key file
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key |
Create Kubernetes ConfigMap holding the CA and Java Keystore with the certificate for the Aspire servers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl create secret generic aspire-encryption-key --from-file=encryption.key --from-file myKeystore.jks |
Create a file called aspire-managers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1
kind: Service
metadata:
name: aspire-managers
labels:
app: aspire-managers
spec:
ports:
- port: 50505
name: aspire-manager
clusterIP: None
selector:
app: aspire-managers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: aspire-manager
spec:
selector:
matchLabels:
app: aspire-managers # has to match .spec.template.metadata.labels
serviceName: "aspire-managers"
replicas: 1 # by default is 1
template:
metadata:
labels:
app: aspire-managers # has to match .spec.selector.matchLabels
spec:
terminationGracePeriodSeconds: 10
containers:
- name: aspire-managers
image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
resources:
requests:
memory: "4Gi"
cpu: 2
limits:
memory: "4Gi"
cpu: 2
ports:
- containerPort: 50505
name: aspire-manager
env:
- name: ASPIRE_MANAGER_NODE
value: 'true'
- name: aspire_max_heap_memory
value: '4g'
- name: aspire_noSql_elastic_password
valueFrom:
secretKeyRef:
name: quickstart-es-elastic-user
key: elastic
- name: aspire_encryption_key_file
value: '/opt/aspire/encryption/encryption.key'
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: ASPIRE_SSL_KEYSTORE_PASS
# value: '123456'
# - name: ASPIRE_SSL_KEYSTORE
# |
...
|
...
value: |
...
'/opt/aspire/tls/myKeystore.jks' # |
...
|
...
|
...
|
...
- |
...
name: ASPIRE_SSL_CA # |
...
value: '/opt/aspire/tls/ca.crt' # - name: |
...
aspire_security_ |
...
https_ |
...
only # value: |
...
'true' |
...
envFrom: - configMapRef: |
...
|
...
|
...
name: aspire |
...
-config |
...
volumeMounts: - |
...
name: encryption-key |
...
mountPath: /opt/aspire/encryption # Optional if HTTPS is required for the Aspire UI and REST endpoints # - |
...
name: tls-certs # |
...
...
mountPath: /opt/aspire/tls # |
...
readOnly: |
...
true |
...
|
...
|
...
command: ["/bin/bash"] |
...
|
...
args: |
...
|
...
Run job
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-upload-job.yaml |
...
Immediately after running the job, you will have 2 minutes to copy the AspireLicense.lic and settings.json into the /tmp folder on the aspire-upload pod.
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk -v OFS='' '{print $1,":/tmp/"}' | xargs kubectl cp /path/to/config/AspireLicense.lic
kubectl get pods | grep aspire-upload | awk -v OFS='' '{print $1,":/tmp/"}' | xargs kubectl cp /path/to/config/settings.json |
...
Wait until it has uploaded the files
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl -f log |
- -c
- >-
export com_accenture_aspire_server_hostname=$(hostname -f) &&
./opt/aspire/entrypoint.sh
volumes:
- name: encryption-key
secret:
secretName: aspire-encryption-key
# Optional if HTTPS is required for the Aspire UI and REST endpoints
# - name: tls-certs
# secret:
# secretName: aspire-certs
imagePullSecrets:
- name: regcred
|
Deploy managers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-managers.yaml |
Create a file called aspire-workers.yaml
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
apiVersion: v1
kind: Service
metadata:
name: aspire-workers
labels:
app: aspire-workers
spec:
ports:
- port: 50505
name: aspire-worker
clusterIP: None
selector:
app: aspire-workers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: aspire-worker
spec:
selector:
matchLabels:
app: aspire-workers # has to match .spec.template.metadata.labels
serviceName: "aspire-workers"
replicas: 2 # by default is 1
template:
metadata:
labels:
|
...
Create file called aspire-managers.yaml
...
language | yml |
---|---|
theme | RDark |
linenumbers | true |
collapse | true |
...
|
...
app: |
...
aspire-workers # has to match .spec.selector.matchLabels |
...
spec: |
...
|
...
|
...
terminationGracePeriodSeconds: |
...
10 containers: - name: aspire- |
...
workers |
...
image: docker.repository.sca.accenture.com/docker/aspire:5.2.2 |
...
resources: |
...
requests: |
...
|
...
|
...
memory: |
...
"8Gi" |
...
cpu: 2 |
...
limits: |
...
memory: "16Gi" |
...
cpu: |
...
4 |
...
ports: - |
...
containerPort: 50505 |
...
|
...
name: aspire- |
...
worker |
...
env: - |
...
name: ASPIRE_WORKER_NODE |
...
|
...
value: 'true' - name: |
...
aspire_ |
...
max_ |
...
heap_memory |
...
value: '16g' |
...
- name: |
...
Deploy managers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-managers.yaml |
...
Create file called aspire-workers.yaml
...
language | yml |
---|---|
theme | RDark |
linenumbers | true |
collapse | true |
...
aspire_noSql_elastic_password valueFrom: secretKeyRef: |
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
name: |
...
quickstart-es-elastic-user |
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
|
...
key: elastic |
...
- name: aspire_encryption_key_file value: '/opt/aspire/encryption/encryption.key' # Optional if HTTPS is required for the Aspire UI and REST endpoints # |
...
|
...
- |
...
name: ASPIRE_SSL_KEYSTORE_PASS # |
...
|
...
|
...
|
...
|
...
|
...
value: |
...
'123456' |
...
# |
...
|
...
- name: |
...
ASPIRE_SSL_KEYSTORE # |
...
value: |
...
'/opt/aspire/tls/myKeystore.jks' # |
...
- name: ASPIRE_SSL_CA # |
...
value: '/opt/aspire/tls/ca.crt' # - |
...
name: |
...
aspire_security_https_only # |
...
value: |
...
'true' |
...
envFrom: |
...
- |
...
configMapRef: |
...
...
name: |
...
aspire-config |
...
volumeMounts: - |
...
name: |
...
encryption-key |
...
mountPath: |
...
/opt/aspire/encryption # Optional if HTTPS is required for the Aspire UI and REST endpoints # - name: |
...
tls-certs # |
...
mountPath: |
...
/opt/aspire/tls # |
...
...
readOnly: |
...
true |
...
command: ["/bin/bash"] args: |
...
- -c |
...
|
...
- |
...
>- |
...
export |
...
com_accenture_aspire_server_hostname=$(hostname -f) && |
...
./opt/aspire/entrypoint.sh |
...
volumes: |
...
- name: |
...
encryption- |
...
key |
...
secret: |
...
|
...
secretName: aspire-encryption-key # Optional if HTTPS is required for the Aspire UI and REST endpoints # - name: tls-certs # |
...
|
...
|
...
secret: # |
...
secretName: aspire-certs imagePullSecrets: - name: regcred |
Deploy workers
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl apply -f aspire-workers.yaml |
Expose Manager port
Code Block | ||||
---|---|---|---|---|
| ||||
kubectl port-forward pod/aspire-manager-0 |
...