Skip to content

Latest commit

 

History

History
181 lines (124 loc) · 5.07 KB

production-setup-through-helm.md

File metadata and controls

181 lines (124 loc) · 5.07 KB
description
The below scripts will help the adopters to deploy SunbirdRC services in the Kubernetes environment.

Production setup through Helm

System requirements

Please note that the below numbers are only for reference, they will vary based on the business domain and scale.

  1. Kubernetes cluster (any version above v1.26.3)
    • Master Node: 2 vCPU, 4 GB RAM, Disc Size: 50 GB, Nodes: 1
    • Worker Nodes: 4 vCPU, 8 GB RAM, Disc size: 100 GB, Nodes: 3
  2. Bastion server: 2 vCPU, 4 GB RAM, Disc Size: 50GB
  3. Postgres with a read replica: 4 vCPU 8 GB RAM, Disc Size: 100GB
  4. ElasticSearch: 4 vCPU, 8 GB RAM, Disc Size: 100GB
  5. API Gateway
  6. Public domain
  7. Server for Minio: 2 vCPU, 4 GB RAM, Disc Size: 100GB (Optional)
  8. CDN / any other alternative for hosting UI

Prerequisites

  • Kubernetes Cluster with minimum 3 nodes
  • Helm
  • kubectl
  • Ingress (https://kubernetes.github.io/ingress-nginx/deploy/)
  • Postgres DB (create a database for keycloak and registry)
  • ElasticSearch (Optional)
  • Kafka (Optional)
  • Redis (Optional)
  • Minio (Optional)
  • Domain URL (domain url mapped to Kubernetes cluster)

The above optional services are not mandatory for SunbirdRC services. It can be installed based on the requirement of the project. For more details https://docs.sunbirdrc.dev/learn/readme-1/high-level-architecture

Deployment steps

Clone the repo

git clone https://github.com/Sunbird-RC/sunbird-rc-core.git
cd infra

Pre-check

Make sure from the current directory you're able to run the below commands

kubectl cluster-info
kubectl get nodes
kubectl get ns
helm version

Create namespace

kubectl create ns demo-registry

Feel free to use a different name for the namespace. Use the same name in the rest of the commands.

Create secrets

Convert all the passwords/secrets into base64 format and update these values in values.yaml file

Secrets

  • DB_PASSWORD: Postgres database password
  • KEYCLOAK_ADMIN_PASSWORD: Keycloak admin password used to login to admin console
  • KEYCLOAK_DEFAULT_USER_PASSWORD: Default password to be set for new users created by registry
  • MINIO_SECRET_KEY: Minio secret key
  • ELASTIC_SEARCH_PASSWORD: Elastic search connection password
  • KEYCLOAK_ADMIN_CLIENT_SECRET: Client secret of keycloak admin client for registry

DB_PASSWORD, KEYCLOAK_ADMIN_PASSWORD and KEYCLOAK_DEFAULT_USER_PASSWORD are mandotry secrets to be set. Other secrets can be set to empty

Modify configuration values

Configuration values like database address, elastic search address etc should be modified in values.yaml file.

Schemas

All schema files should be placed in the schemas directory located at sunbird-rc-core/infra/helm_charts/charts/registry/schemas.

Configure signing keys

The signing keys should be placed in the below directories

Both public and private keys for signing

sunbird-rc-core/infra/helm_charts/charts/certificate-signer/keys

Only public key for exposure to verifiers

sunbird-rc-core/infra/helm_charts/charts/public-key-service/keys

Please note that by default a sample key is added. It is highly recommended to update this key before going to live.

Deploy helm charts

helm upgrade --install --namespace=demo-registry demo-registry helm_charts --create-namespace

Output

Release "demo-registry" does not exist. Installing it now.
NAME: demo-registry
LAST DEPLOYED: Thu May  4 17:02:08 2023
NAMESPACE: demo-registry
STATUS: deployed
REVISION: 1

Check if all the pods are running

kubectl get pods -n demo-registry

Import keycloak realm

  • Goto keycloak admin console <host>/auth/
  • Login with username admin and use the same password configured in secrets
  • Click on Master and select Add realm
  • Select https://github.com/Sunbird-RC/sunbird-rc-core/blob/main/imports/realm-export.json file
  • And click on Create

Configure keycloak secret

Get the keycloak secret from the keycloak admin console

  • Goto keycloak admin console <host>/auth/
  • Login with username admin and use the same password configured in the secrets
  • Goto clients page and click on admin-api
  • Goto Credentials tab and click on Regenerate Secret
  • Copy the secret

Configure secret in the registry

  • Get all secrets created
kubectl get secret -n demo-registry
  • Encode the secret in base64 format
echo -n "secret copied from keycloak" | base64
  • Open the secret in edit mode
kubectl edit secret rc-secret -n demo-registry

Replace empty string for KEYCLOAK_ADMIN_CLIENT_SECRET with the base64 encoded secret

  • Restart registry
kubectl rollout restart deploy/demo-registry -n demo-registry
  • Check the pods status
kubectl get pods -n demo-registry

Check registry APIs

Open the below url in the browser and check if you're able to get the swagger JSON <host>/registry/api/docs/swagger.json