K8s/Openshift - VeridiumID Server Install Procedure 3.8.3
1. Prerequisites
Required tools: Helm 3, oc CLI 4.11.
Cluster requirements:
Ensure that cert-manager is installed and functioning correctly.
Ensure that a StorageClass with reclaimPolicy: Retain is available for database storage.
2. Prepare artifacts
2.1. Download values files and helm charts
Please download veridiumid-saas-3.8.3.zip then unpack it by executing:
wget --user <NEXUS_USER> --password <NEXUS_PWD> https://veridium-repo.veridium-dev.com/repository/helm-releases/veridiumid-containers/3.8.3/veridiumid-saas-3.8.3.zip
unzip -o veridiumid-saas-3.8.3.zip -d 3.8.3
cd 3.8.3
Next, customize the namespace and Cassandra datacenter name in the configuration files:
sed -i 's|<NAMESPACE>|YOUR_NAMESPACE|g' values/*.yaml values/*/*.yaml
# example: sed -i 's|<NAMESPACE>|dev1|g' values/*.yaml
sed -i 's|<DATACENTER_NAME>|YOUR_DATACENTER_NAME|g' values/*.yaml values/*/*.yaml
# example: sed -i 's|<DATACENTER_NAME>|dc1|g' values/*.yaml
sed -i 's|<ENV_NO>|YOUR_ENV_NUMBER|g' values/*.yaml
# example: sed -i 's|<ENV_NO>|1|g' values/*.yaml
sed -i 's|<STORAGECLASS_PERSISTENCE>|YOUR_STORAGE_CLASS_FOR_DATABASES|g' values/*.yaml
# example: sed -i 's|<STORAGECLASS_PERSISTENCE>|storage-encrypted|g' values/*.yaml
sed -i 's|<STORAGECLASS_BACKUPS>|YOUR_STORAGE_CLASS_FOR_BACKUPS|g' values/*.yaml
# example: sed -i 's|<STORAGECLASS_BACKUPS>|efs-sc|g' values/*.yaml
sed -i 's|018397616607.dkr.ecr.eu-central-1.amazonaws.com|YOUR_REGISTRY_URL|g' values/*.yaml
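A pre-flight check to run after the sed substitutions above, added here as an example and not part of the VeridiumID package (the function names are mine): it reports any placeholder the substitutions missed, since a leftover <NAMESPACE> or <ENV_NO> would otherwise be rendered literally into the Helm releases installed in the later steps.

```shell
#!/bin/sh
# Added pre-flight check (not part of the VeridiumID package): after the sed
# substitutions, make sure no placeholder survived in the values files.

# Scan $dir (recursively, *.yaml and *.yml) for a regex; print
# file:line:match for every hit and return 1 if anything was found.
scan_leftovers() {
    pattern="$1"
    dir="${2:-values}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if hits=$(grep -rnoE --include='*.yaml' --include='*.yml' "$pattern" "$dir"); then
        printf 'Unreplaced values under %s:\n%s\n' "$dir" "$hits" >&2
        return 1
    fi
    return 0
}

# The placeholders used on this page are UPPER_CASE tokens in angle brackets.
check_placeholders() {
    scan_leftovers '<[A-Z][A-Z0-9_]*>' "${1:-values}"
}

# Only when a custom registry is used (step 2.2): the vendor ECR host that
# the last sed command replaces must be gone as well.
check_registry() {
    scan_leftovers '018397616607\.dkr\.ecr\.eu-central-1\.amazonaws\.com' "${1:-values}"
}

# Usage: check_placeholders values && check_registry values && echo "values files are clean"
```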
2.2. Docker images (only if using custom Docker registry)
Please download and unpack the following archive, then upload its contents to your Docker registry. Verify the archive against the checksums below before pushing the images.
SHA256: 9ca8502431e08c7b46dd740e2c511e2f1c267e748351432fdd70d42ba30658ef
MD5: 4039598412f318487bfa748cd960c64e
3. Cluster Setup
3.1. Install Custom Resource Definitions
oc create -f values/veridiumid-crds/eck-operator-crds.yaml
oc create -f values/veridiumid-crds/zookeeper.yaml
# When deploying to an Oracle database, skip the next step
oc create -f values/veridiumid-crds/k8ssandra-operator.yaml
3.2. Create the target namespace (only if it isn’t already present)
oc apply -f values/namespace.yaml
3.3. Create a Secret named vid-credentials-ecr containing your Docker registry username and password so the application can pull images from the Docker registry
oc create secret docker-registry vid-credentials-ecr --docker-server=<DOCKER_REGISTRY_SERVER> --docker-username=<DOCKER_USER> --docker-password=<DOCKER_PASSWORD> --docker-email=<DOCKER_EMAIL> -n <NAMESPACE>
3.4. Create a PersistentVolumeClaim that will be used for backing up Zookeeper/ElasticSearch
oc -n <NAMESPACE> apply -f values/pvc-backups.yaml
4. Generate CA and (optionally) Cassandra keystore
The installation can be configured by editing the values/vid-installer-values.yaml file and setting values according to your environment and specific requirements.
A full description of all available parameters is provided in the Configuration Reference (Appendix A).
When deploying to an Oracle database, configure the following parameters in values/vid-installer-values.yaml:
activeProfile: "rdbms"
oracle.host
oracle.service
oracle.username
oracle.password
Next, execute the following:
helm install -n <NAMESPACE> -f values/vid-installer-values.yaml vid-installer helm/vid-installer-0.8.2.tgz
oc -n <NAMESPACE> exec job/vid-installer -- bash -c 'bash -xe 00-generate-ca.sh'
# When deploying to an Oracle database, skip the next step
oc -n <NAMESPACE> exec job/vid-installer -- bash -c 'cd /tmp && bash -xe /vid-installer/01-generate-cassandra-keystore.sh'
5. Deploy persistence charts
5.1. Cassandra - When deploying to an Oracle database, skip this step
Edit the values/k8ssandra-values.yaml file to change any values.
A full description of all available parameters is provided in the Configuration Reference (Appendix A).
# install the operator
helm upgrade --install --no-hooks -n <NAMESPACE> -f values/k8ssandra-operator-values.yaml k8ssandra-operator-<ENV_NO> helm/k8ssandra-operator-1.20.2-r3.tgz
# confirm operator is running: wait until status is "Running" and Ready is "1/1"
oc -n <NAMESPACE> get pod | grep k8ssandra-operator
# create the actual cluster
helm upgrade --install -n <NAMESPACE> -f values/k8ssandra-values.yaml k8ssandra-<ENV_NO> helm/vid-k8ssandra-0.8.2.tgz
5.2. Elasticsearch
Edit the values/elasticsearch-values.yaml file to change any values.
A full description of all available parameters is provided in the Configuration Reference (Appendix A).
Next, execute the following:
# install the operator
helm upgrade --install -n <NAMESPACE> -f values/eck-operator-values.yaml eck-operator-<ENV_NO> helm/eck-operator-2.1.0.tgz
# confirm operator is running: wait until status is "Running" and Ready is "1/1"
oc -n <NAMESPACE> get pod | grep eck-operator
# create the cluster
helm upgrade --install -n <NAMESPACE> -f values/elasticsearch-values.yaml elasticsearch-<ENV_NO> helm/elasticsearch-0.3.1.tgz
# check elasticsearch
oc -n <NAMESPACE> get pod | grep elasticsearch
5.3. Zookeeper
Edit the values/zookeeper-values.yaml file to change any values.
A full description of all available parameters is provided in the Configuration Reference (Appendix A).
# install the operator
helm upgrade --install -n <NAMESPACE> -f values/zookeeper-operator-values.yaml zookeeper-operator-<ENV_NO> helm/zookeeper-operator-0.2.15.tgz
# create the actual cluster
helm upgrade --install -n <NAMESPACE> --timeout 30m -f values/zookeeper-values.yaml zookeeper-<ENV_NO> helm/zookeeper-0.2.15.tgz
6. Start the installer
oc -n <NAMESPACE> exec job/vid-installer -- bash -c 'bash install.sh'
This starts the installation process; allow up to 60 minutes for it to complete.
7. Deploy webapps
Edit the values/veridiumid-values.yaml file to change any values.
A full description of all available parameters is provided in the Configuration Reference (Appendix A).
When deploying to an Oracle database, configure the following parameters in values/veridiumid-values.yaml:
global.activeProfile: "rdbms"
helm upgrade --install -n <NAMESPACE> -f values/veridiumid-values.yaml veridiumid helm/veridiumid-0.7.7.tgz
8. Post-Installation
8.1. Update HAProxy certificate
The installation uses a self-signed certificate for HAProxy; we recommend a trusted certificate for production.
Use a single PEM file that contains the private key, the server certificate and the full CA chain.
To update the certificate, execute the following commands (note that base64 -w 0 is GNU coreutils syntax; on other platforms use the equivalent single-line encoding):
# updates the secret that contains the certificate
oc get secret -n <NAMESPACE> vid-haproxy-certs -o yaml | sed "s,$(oc get secret -n <NAMESPACE> vid-haproxy-certs -ojsonpath='{.data.server\.pem}'),$(base64 -w 0 <FULL_PATH_TO_PEM_CERTIFICATE>),g" | oc apply -f -
# restarts HAProxy in order to load the new certificate from the secret
oc rollout restart -n <NAMESPACE> daemonset/vid-haproxy
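Before writing a new bundle into the vid-haproxy-certs secret, it is worth validating the PEM file locally, because a bundle missing the key or the chain is only noticed when the daemonset restarts and refuses to load it. The following checks are an added example, not part of the VeridiumID package; the function names are mine and the second check assumes openssl is installed.

```shell
#!/bin/sh
# Added pre-check (not part of the VeridiumID package): validate the PEM
# bundle before it is written into the vid-haproxy-certs secret. HAProxy
# expects ONE file holding the unencrypted private key, the server
# certificate and the full CA chain.

# Structural check: no encrypted key, exactly one private key, at least two
# certificates (server certificate plus one or more CA certificates).
check_haproxy_pem_layout() {
    pem="$1"
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    if grep -q 'ENCRYPTED' "$pem"; then
        echo "private key is encrypted; HAProxy cannot load it without a passphrase" >&2; return 1
    fi
    keys=$(grep -cE 'BEGIN (RSA |EC )?PRIVATE KEY' "$pem" || true)
    certs=$(grep -cE 'BEGIN CERTIFICATE' "$pem" || true)
    if [ "$keys" -ne 1 ]; then
        echo "expected exactly 1 private key block, found $keys" >&2; return 1
    fi
    if [ "$certs" -lt 2 ]; then
        echo "expected server certificate plus CA chain, found $certs certificate(s)" >&2; return 1
    fi
}

# Cryptographic check (needs openssl): the private key must belong to the
# first certificate in the file, which HAProxy uses as the server certificate.
check_haproxy_pem_keypair() {
    pem="$1"
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) \
        || { echo "cannot read the private key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null) \
        || { echo "cannot read the first certificate" >&2; return 1; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match the first certificate" >&2; return 1
    fi
}

# Run both checks; use this before the 'oc get secret ... | oc apply' step.
check_haproxy_pem() {
    check_haproxy_pem_layout "$1" && check_haproxy_pem_keypair "$1"
}
```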
8.2. Copy the certificate to WebsecAdmin (OPTIONAL)
If WebsecAdmin needs to use the same certificate as HAProxy (for instance when exposing WebsecAdmin directly rather than proxying through HAProxy), connect to the vid-maintenance pod and execute the following:
bash /scripts/update-websecadmin-certificate-secret.sh
8.3. Configure websecadmin
Please follow the configuration wizard that is presented when first launching WebsecAdmin. Additional instructions can be found at this link.
Once the configuration is complete, please go to Settings - Certificates - Truststores, click on Add Truststore and upload the <FULL_PATH_TO_PEM_CERTIFICATE> file.
To configure Veridium as identity provider, please go to Settings - Services - SSP, click on Configure Veridium as IDP in the right-side panel.
Known issues
Occasionally an error similar to the following may be encountered:
"Internal error occurred: failed calling webhook "http://vcassandradatacenter.kb.io ": Post "https://k8ssandra-operator-<ENV_NO>-cass-operator-webhook-service.<NAMESPACE>.svc:443/validate-cassandra-datastax-com-v1beta1-cassandradatacenter?timeout=10s": Address is not allowed"
To fix it, run the following command, then retry:
oc delete ValidatingWebhookConfiguration k8ssandra-operator-<ENV_NO>-cass-operator-validating-webhook-configuration k8ssandra-operator-<ENV_NO>-validating-webhook-configuration
Elasticsearch crashes with the following error: "Unable to access 'path.repo' (/mnt/backups/elasticsearch-backup)"
Make sure the folder exists and is accessible for read/write.