Info |
---|
Skip these steps if you already have an Elasticsearch cluster for Aspire to use and go directly to Deploying Aspire 5. |
The current guide below is based on ECK quickstart. If you need a production deployment or a more detailed process description, please refer to:
Run Elasticsearch on ECK | Elastic Cloud on Kubernetes [master] | Elastic
Node configuration | Elastic Cloud on Kubernetes [master] | Elastic
Install custom resource definitions
```bash
kubectl create -f https://download.elastic.co/downloads/eck/1.7.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/1.7.0/operator.yaml
```
Create a file called elasticsearch.yaml
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 7.9.2
  nodeSets:
  - name: default
    count: 1
    config:
      node.store.allow_mmap: false
```
Deploy the Elasticsearch cluster
```bash
kubectl apply -f elasticsearch.yaml
```
The password will be stored in the environment variable called "PASSWORD"
```bash
PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')
```
Create a file called kibana.yaml
```yaml
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 7.9.2
  count: 1
  elasticsearchRef:
    name: quickstart
```
Deploy Kibana
```bash
kubectl apply -f kibana.yaml
```
Expose Kibana's port locally
```bash
kubectl port-forward service/quickstart-kb-http 5601
```
(Optional) Upload Kibana Dashboards
Kibana's port should be forwarded to localhost:5601 as of Step #6 of the Elasticsearch deployment instructions.
The environment variable $PASSWORD should hold the elastic user's password as of Step #3 of the Elasticsearch deployment instructions.
```bash
# -k skips TLS certificate verification; the quickstart Kibana serves a self-signed certificate
curl -u "elastic:$PASSWORD" -k -F 'file=@/path/to/export.ndjson' \
  -H 'kbn-xsrf:reporting' \
  "https://localhost:5601/api/saved_objects/_import?overwrite=true"
```
Replace <EMAIL> and <PASSWORD> with your registered email and password
```bash
kubectl create secret docker-registry regcred \
  --docker-server=docker.repository.sca.accenture.com \
  --docker-username=<EMAIL> \
  --docker-password=<PASSWORD> \
  --docker-email=<EMAIL>
```
Create a file called aspire-config.yaml
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aspire-config
data:
  aspire_noSql_elastic_server: https://quickstart-es-http:9200
  aspire_noSql_elastic_user: elastic
  aspire_noSql_elastic_authentication_basic: "true"
  com_accenture_aspire_ssl_trustAll: "true"
```
Deploy ConfigMap
```bash
kubectl apply -f aspire-config.yaml
```
Note |
---|
Setting com_accenture_aspire_ssl_trustAll to true is not recommended in production environments. The recommended way is to import the untrusted certificate into a Java Key Store (see Configuring a Certificate Store) and then reference it using the com_accenture_aspire_ssl_truststore_file property (see SSL Certificates Properties). |
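A line-based check that flags trustAll, and any password-like env entry written as a literal value instead of a secretKeyRef, before a manifest is applied. This is an added example, not part of the original guide or of Aspire; the names `lint_aspire_manifest` and `constructed_sample` are hypothetical and the sample manifest is constructed.

```bash
#!/usr/bin/env bash
# Added example: flag settings in an Aspire manifest that should not reach production.
# lint_aspire_manifest and constructed_sample are hypothetical names.
# This is a line-based heuristic, not a YAML parser.

# Print one finding per line; return 1 if anything was flagged.
lint_aspire_manifest() {
  awk '
    /^[ \t]*#/ { next }                                   # ignore commented-out lines
    /com_accenture_aspire_ssl_trustAll:[ \t]*.?true/ {
      printf "line %d: trustAll disables certificate validation\n", NR; bad++
    }
    # Remember an env entry whose name looks like a password ...
    /-[ \t]*name:[ \t]*[A-Za-z_]*(PASS|password)/ { pending = $NF; next }
    # ... and flag it when the next line is a literal value, not valueFrom.
    pending != "" && /^[ \t]*value:/ {
      printf "line %d: %s is a literal value, use secretKeyRef\n", NR, pending; bad++
    }
    { pending = "" }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: the guide's ConfigMap plus the optional keystore
# password uncommented, next to the secretKeyRef pattern the guide uses.
constructed_sample() {
  cat <<'EOF'
data:
  aspire_noSql_elastic_server: https://quickstart-es-http:9200
  com_accenture_aspire_ssl_trustAll: "true"
---
env:
- name: aspire_noSql_elastic_password
  valueFrom:
    secretKeyRef:
      name: quickstart-es-elastic-user
      key: elastic
- name: ASPIRE_SSL_KEYSTORE_PASS
  value: '123456'
# - name: ASPIRE_SSL_CA
EOF
}

# Usage: lint_aspire_manifest aspire-config.yaml && kubectl apply -f aspire-config.yaml
```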
Create a secret containing your settings.json and AspireLicense.lic files
```bash
kubectl create secret generic aspire-license-settings \
  --from-file=/path/to/AspireLicense.lic \
  --from-file=/path/to/config/settings.json
```
Create a file called aspire-upload-job.yaml
Note |
---|
When using a non-local Kubernetes cluster, make sure to change the image URL to where the images are hosted. |
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: aspire-upload
spec:
  template:
    spec:
      containers:
      - name: aspire-upload-reg-pod
        image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
        command: [ "/bin/bash", "-c", "./opt/aspire/upload-license-settings.sh" ]
        env:
        - name: ASPIRE_LICENSE_PATH
          value: /tmp/AspireLicense.lic
        - name: ASPIRE_SETTINGS_PATH
          value: /tmp/settings.json
        - name: aspire_noSql_elastic_password
          valueFrom:
            secretKeyRef:
              name: quickstart-es-elastic-user
              key: elastic
        envFrom:
        - configMapRef:
            name: aspire-config
        volumeMounts:
        - name: license-settings-secret
          mountPath: /tmp
      volumes:
      - name: license-settings-secret
        secret:
          secretName: aspire-license-settings
      restartPolicy: Never
      imagePullSecrets:
      - name: regcred
  backoffLimit: 4
```
Run job
```bash
kubectl apply -f aspire-upload-job.yaml
```
Wait until it has uploaded the files
```bash
kubectl get pods | grep aspire-upload | awk '{print $1}' | xargs kubectl logs -f
```
Create a random 32-byte file, which will be your key
```bash
head -c 32 /dev/urandom > encryption.key
```
Create the secret using the encryption.key file
```bash
kubectl create secret generic aspire-encryption-key --from-file=encryption.key
```
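A pre-flight check for the key file before it is loaded into the secret, as an added example that is not part of the original guide: it creates the key with owner-only permissions, refuses to replace an existing key, and verifies the file is exactly 32 bytes. The function names `gen_key` and `check_key` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: create and sanity-check the Aspire encryption key file.
# gen_key and check_key are hypothetical helper names, not Aspire tooling.

# Write 32 random bytes to $1 with owner-only permissions.
# Refuses to run if $1 exists, so an existing key is never silently replaced.
gen_key() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite existing key: $1" >&2
    return 1
  fi
  ( umask 077 && head -c 32 /dev/urandom > "$1" )
}

# Return 0 only if $1 is a regular file of exactly 32 bytes that is
# not accessible to group or others.
check_key() {
  key_file=$1
  [ -f "$key_file" ] || { echo "missing: $key_file" >&2; return 1; }
  key_size=$(wc -c < "$key_file" | tr -d ' ')
  [ "$key_size" -eq 32 ] || { echo "bad size: $key_size bytes" >&2; return 1; }
  key_perms=$(ls -ld "$key_file" | cut -c5-10)   # group and other permission bits
  [ "$key_perms" = "------" ] || { echo "too permissive: $key_perms" >&2; return 1; }
}

# Usage:
#   gen_key encryption.key && check_key encryption.key &&
#     kubectl create secret generic aspire-encryption-key --from-file=encryption.key
```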
Create Kubernetes ConfigMap holding the CA and Java Keystore with the certificate for the Aspire servers
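```bash
# Optional: only needed if HTTPS is enabled for the Aspire UI and REST endpoints.
# The manifests below mount a secret named aspire-certs at /opt/aspire/tls and
# reference ca.crt and myKeystore.jks there, so the secret carries both files.
kubectl create secret generic aspire-certs --from-file=ca.crt --from-file=myKeystore.jks
```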
Create a file called aspire-managers.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: aspire-managers
  labels:
    app: aspire-managers
spec:
  ports:
  - port: 50505
    name: aspire-manager
  clusterIP: None
  selector:
    app: aspire-managers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: aspire-manager
spec:
  selector:
    matchLabels:
      app: aspire-managers # has to match .spec.template.metadata.labels
  serviceName: "aspire-managers"
  replicas: 1 # by default is 1
  template:
    metadata:
      labels:
        app: aspire-managers # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: aspire-managers
        image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
        resources:
          requests:
            memory: "4Gi"
            cpu: 2
          limits:
            memory: "4Gi"
            cpu: 2
        ports:
        - containerPort: 50505
          name: aspire-manager
        env:
        - name: ASPIRE_MANAGER_NODE
          value: 'true'
        - name: aspire_max_heap_memory
          value: '4g'
        - name: aspire_noSql_elastic_password
          valueFrom:
            secretKeyRef:
              name: quickstart-es-elastic-user
              key: elastic
        - name: aspire_encryption_key_file
          value: '/opt/aspire/encryption/encryption.key'
        # Optional if HTTPS is required for the Aspire UI and REST endpoints
        # - name: ASPIRE_SSL_KEYSTORE_PASS
        #   value: '123456'
        # - name: ASPIRE_SSL_KEYSTORE
        #   value: '/opt/aspire/tls/myKeystore.jks'
        # - name: ASPIRE_SSL_CA
        #   value: '/opt/aspire/tls/ca.crt'
        # - name: aspire_security_https_only
        #   value: 'true'
        envFrom:
        - configMapRef:
            name: aspire-config
        volumeMounts:
        - name: encryption-key
          mountPath: /opt/aspire/encryption
        # Optional if HTTPS is required for the Aspire UI and REST endpoints
        # - name: tls-certs
        #   mountPath: /opt/aspire/tls
        #   readOnly: true
        command: ["/bin/bash"]
        args:
        - -c
        - >-
          export com_accenture_aspire_server_hostname=$(hostname -f) &&
          ./opt/aspire/entrypoint.sh
      volumes:
      - name: encryption-key
        secret:
          secretName: aspire-encryption-key
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      # - name: tls-certs
      #   secret:
      #     secretName: aspire-certs
      imagePullSecrets:
      - name: regcred
```
Deploy managers
```bash
kubectl apply -f aspire-managers.yaml
```
Create a file called aspire-workers.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: aspire-workers
  labels:
    app: aspire-workers
spec:
  ports:
  - port: 50505
    name: aspire-worker
  clusterIP: None
  selector:
    app: aspire-workers
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: aspire-worker
spec:
  selector:
    matchLabels:
      app: aspire-workers # has to match .spec.template.metadata.labels
  serviceName: "aspire-workers"
  replicas: 2 # by default is 1
  template:
    metadata:
      labels:
        app: aspire-workers # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: aspire-workers
        image: docker.repository.sca.accenture.com/docker/aspire:5.2.2
        resources:
          requests:
            memory: "8Gi"
            cpu: 2
          limits:
            memory: "16Gi"
            cpu: 4
        ports:
        - containerPort: 50505
          name: aspire-worker
        env:
        - name: ASPIRE_WORKER_NODE
          value: 'true'
        - name: aspire_max_heap_memory
          value: '16g'
        - name: aspire_noSql_elastic_password
          valueFrom:
            secretKeyRef:
              name: quickstart-es-elastic-user
              key: elastic
        - name: aspire_encryption_key_file
          value: '/opt/aspire/encryption/encryption.key'
        # Optional if HTTPS is required for the Aspire UI and REST endpoints
        # - name: ASPIRE_SSL_KEYSTORE_PASS
        #   value: '123456'
        # - name: ASPIRE_SSL_KEYSTORE
        #   value: '/opt/aspire/tls/myKeystore.jks'
        # - name: ASPIRE_SSL_CA
        #   value: '/opt/aspire/tls/ca.crt'
        # - name: aspire_security_https_only
        #   value: 'true'
        envFrom:
        - configMapRef:
            name: aspire-config
        volumeMounts:
        - name: encryption-key
          mountPath: /opt/aspire/encryption
        # Optional if HTTPS is required for the Aspire UI and REST endpoints
        # - name: tls-certs
        #   mountPath: /opt/aspire/tls
        #   readOnly: true
        command: ["/bin/bash"]
        args:
        - -c
        - >-
          export com_accenture_aspire_server_hostname=$(hostname -f) &&
          ./opt/aspire/entrypoint.sh
      volumes:
      - name: encryption-key
        secret:
          secretName: aspire-encryption-key
      # Optional if HTTPS is required for the Aspire UI and REST endpoints
      # - name: tls-certs
      #   secret:
      #     secretName: aspire-certs
      imagePullSecrets:
      - name: regcred
```
Deploy workers
```bash
kubectl apply -f aspire-workers.yaml
```
Expose Manager port
```bash
kubectl port-forward pod/aspire-manager-0 50505
```