
Ansible playbook

The playbook installs the following components:

  • RKE2

  • Rancher

  • Longhorn

  • Prometheus (includes Grafana for centralized monitoring)

  • EFK (for centralized logging)

  • KEDA CRD

  • AC application (can be deployed in HA mode with each microservice running 2 replicas)

Prerequisites

Instances/Components

  • 3 Linux VMs (the minimum required for an HA configuration)

  • 1 Jumpbox with internet access and SSH connectivity to the above 3 Linux VMs

  • A load balancer in front of the 3 Linux VM nodes

Here are the configurations of the 3 Linux VMs that we used in the development environment:

name      public IP        private IP      memory   core   disk (SSD)   os
rancher1  3.134.212.46     172.31.33.225   32 GB    8      100 GB       Ubuntu
rancher2  3.131.224.248    172.31.47.85    32 GB    8      100 GB       Ubuntu
rancher3  18.216.242.13    172.31.44.236   32 GB    8      100 GB       Ubuntu

By default, the AC helm chart requires 250 GB for its PV configuration.

When we used Linux VMs with 100 GB SSDs, we couldn't deploy the AC helm chart correctly until we reduced the PV configuration to 60 GB.

So, the QA team may need to test the Ansible script on Linux VMs that have a larger disk storage configuration.

Connectivity

SSH connectivity with administrative (sudo) privileges is required between the Jumpbox and each Linux VM node.

For SSH connectivity, you need a private key file in PEM (Privacy Enhanced Mail) format.

  • The private key can be used with or without passphrase protection.

  • If the private key is passphrase-protected, you will be prompted for the passphrase.

Software

Instance   OS                      Software(s)
Jumpbox    Linux (Ubuntu/CentOS)   Python 2.7 (or higher); PIP (Python Package Manager); Ansible 2.5 (or higher)

Python and PIP come preinstalled on most Linux distributions!

Install Ansible with the distribution's package manager:

# on Ubuntu
$ sudo apt install ansible

# on CentOS
$ sudo yum install ansible

# on Fedora
$ sudo dnf install ansible

Ports

The following inbound ports must be open on the load balancer and on the 3 Linux VMs:

  • 9345 - required for RKE2 node clustering (server registration)

  • 6443 - required for the Kubernetes API

DNS

We need 2 different DNS names (both pointing to the load balancer) so that Ingress can route traffic to the different components:

1st DNS for:

  • managing the RKE2 cluster

  • routing traffic to the Rancher GUI portal

2nd DNS for routing traffic to:

  • AC Portal

  • AC API Gateway (for REST and SOAP API calls)

  • Kibana dashboard for logging

  • Grafana dashboard for monitoring

Ideally, we would have used 1 DNS name for routing traffic to all components.

But Rancher has a limitation in that it only supports Ingress routing based on hostname, not on context path. Therefore, we have to use a separate DNS name (hostname) for routing traffic to Rancher.

Configuration

Before you begin the installation, you need to update the following files in the downloaded package:

  1. inventory file - defines the hosts (or groups of hosts) on which the playbook will run

  2. vars/general-config.yaml - contains the configuration variables used to run the playbook

  3. vars/vault-config.yaml - contains the sensitive configuration variables (like passwords) used to run the playbook; this file can be encrypted/decrypted with Ansible Vault

Update inventory file

Steps to update the inventory file:

  1. Find the inventory file in the Ansible package.

  2. Edit the file:

    1. Add the server nodes' domain names or IP addresses under the "servers" group; the RKE2 server (master) will be deployed on these nodes.

    2. Add the agent nodes' domain names or IP addresses under the "agents" group; the RKE2 agent (worker) will be deployed on these nodes.

# rke2 cluster master/server nodes #
[servers]
#172.31.27.98

# rke2 cluster worker/agent nodes #
[agents]
#172.31.29.19

[k8s:children]
servers
agents

[servers:vars]
rke2_type="server"

[agents:vars]
rke2_type="agent"

[all:vars]
ansible_user={{ ssh_user }}
ansible_ssh_private_key_file={{ ssh_key_path }}

Update vars/general-config.yaml

  1. Find the general-config.yaml file in the /vars folder of the Ansible package.

  2. Define the following properties in general-config.yaml:

## SSH configuration to Linux VM ##
# SSH user
ssh_user: 
# SSH private key file (pem)
ssh_key_path: 
# Sudo password
ansible_sudo_pass: "{{ vault_ansible_sudo_pass }}"

# Rancher domain (domain name mapped with load balancer configured on top of Linux VM)
rancher_lb_domain:
# Application domain (domain name mapped with load balancer configured on top of Linux VM)
app_lb_domain:

## RKE2 configuration ## 
# Pre-shared secret token for node registration
rke2_token: "{{ vault_rke2_token }}"

## Rancher configuration ## 
# rancher bootstrap password
rancher_gui_password: "{{ vault_rancher_gui_password }}"

## AC configuration ##
# Global values YAML file path
ac_global_values_yaml: "../vars/values-adeptia-connect.yaml"

# AC installation mode - set "true" for new AC installation, Or "false" to upgrade the existing environment
execute_static_job: true

## AC HA configuration ##
# Enable/Disable HA mode - true, false
ac_ha_mode: false

# backend database configuration
# backend database type, possible values are: MySQL, SQL-Server, Oracle
backend_db_type: 
backend_db_url: 
backend_db_username: "{{vault_backend_db_username}}"
backend_db_password: "{{vault_backend_db_password}}"

# log database configuration
# log database type, possible values are: MySQL, SQL-Server, Oracle
log_db_type: 
log_db_url: 
log_db_username: "{{vault_log_db_username}}"
log_db_password: "{{vault_log_db_password}}"

## Ingress SSL configuration ##
# TLS signed certificate in base64 encoding
tlsCrt: 
# TLS private key of certificate in base64 encoding
tlsKey: 

Update vars/vault-config.yaml

  1. Find the vault-config.yaml file in the /vars folder of the extracted Ansible package.

  2. Define the sensitive information (like passwords) in vault-config.yaml:

vault_ansible_sudo_pass: 
vault_rancher_gui_password: adeptia1243
vault_rke2_token: defaultSecret123456

#envSecret#
vault_backend_db_username: 
vault_backend_db_password: 
vault_log_db_username: 
vault_log_db_password:

For added security, you can encrypt the sensitive information specified in the vars/vault-config.yaml file so that it is not stored in plaintext on the Jumpbox.

Encrypt/Decrypt with Ansible Vault

Encrypting the file

To encrypt with Vault, use the ansible-vault encrypt command.

$ ansible-vault encrypt vault-config.yaml

You will be prompted to provide and confirm a vault password. Afterward, a message will confirm the encryption.

Viewing Encrypted File

The ansible-vault view command writes the decrypted contents of a file to standard output. By default, this means the contents are displayed in the terminal.

$ ansible-vault view vault-config.yaml

You will be asked for the file's vault password. After entering it successfully, the contents will be displayed.

Note that the password prompt is mixed into the output of the file contents.

Decrypting Encrypted Files

To decrypt a vault-encrypted file, use the ansible-vault decrypt command.

$ ansible-vault decrypt vault-config.yaml

You will be prompted for the vault password of the file. Once you enter the correct password, the file is decrypted in place and you will see a "Decryption successful" message.

Execution

The package contains a shell script (adeptia-connect.sh) that runs the Ansible playbook with the appropriate arguments.

Install

  1. Log in to the Jumpbox.

  2. Download and extract the Ansible playbook package.

  3. Update the Ansible playbook configuration files as described above.

  4. Run the shell script (adeptia-connect.sh) to deploy Rancher and the AC application with the required dependencies.

    # restrict the SSH private key file (pem) to owner read/write
    $ chmod 0600 <pem file>
    # set executable permission on the shell script (adeptia-connect.sh)
    $ chmod +x adeptia-connect.sh
    # run the shell script
    $ ./adeptia-connect.sh

You can pass a tag argument when running the shell script to install only the components you need.

Tag                       Components
--tag=install-all         Installs all the components including RKE2, Rancher, AC, EFK, Prometheus, etc.
                          This is the default mode (if you don't provide any tag argument when running the shell script).
--tag=install-basic       Installs all the components (RKE2, Rancher, AC, EFK, Prometheus, etc.) except the AC application
--tag=install-ac          Installs only the AC application
--tag=install-rke2        Installs only RKE2 (server/agent)
--tag=install-prometheus  Installs only Prometheus (and Grafana)
--tag=install-efk         Installs only EFK

# to deploy only AC application
$ ./adeptia-connect.sh --tag=install-ac

# to run multiple tags, provide comma separated values
$ ./adeptia-connect.sh --tag=install-basic,install-ac

Using Ansible Vault encryption

If vault-config.yaml is encrypted, you need to pass the argument --ask-vault-pass when running the shell script (adeptia-connect.sh).

Ansible will then prompt you for the vault password, which it uses to decrypt any vault-protected content it finds.

$ ./adeptia-connect.sh --ask-vault-pass
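The install steps, the chmod 0600 on the PEM key, and the Ansible Vault section above each leave something to verify before the playbook runs. The pre-flight script below is an added example, not part of the vendor's adeptia-connect.sh; the file paths it takes, and the sample values it scans for (adeptia1243 and defaultSecret123456, copied from the vault-config.yaml sample above), are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the package layout this page describes; it is not part
# of the vendor's adeptia-connect.sh. The file paths, and the sample secrets it looks
# for (adeptia1243 and defaultSecret123456, copied from the vault-config.yaml sample
# above), are assumptions. Needs GNU coreutils (stat -c, base64 -d).

# 0 if FILE starts with the header ansible-vault writes, i.e. secrets are encrypted at rest
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# 0 if FILE is readable by its owner only (0600 or 0400), as the chmod step above sets
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# 0 if FILE still holds one of the sample secrets from the documentation
has_default_secret() {
    grep -Eq 'adeptia1243|defaultSecret123456' "$1"
}

# 0 if the base64 value of KEY (tlsCrt or tlsKey) in FILE decodes to a PEM block
tls_value_is_pem() {
    val=$(sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -d "\"' ")
    [ -n "$val" ] || return 1
    printf '%s' "$val" | base64 -d 2>/dev/null | grep -q '^-----BEGIN '
}

# Runs all checks on VAULT_FILE GENERAL_FILE KEY_FILE; prints findings, returns the failure count
preflight() {
    fails=0
    if is_vault_encrypted "$1"; then
        echo "ok: $1 is vault-encrypted"
    else
        echo "FAIL: $1 is stored in plaintext"; fails=$((fails + 1))
        # only a plaintext vault file can be scanned for leftover sample values
        has_default_secret "$1" && { echo "FAIL: $1 still has a sample secret"; fails=$((fails + 1)); }
    fi
    key_perms_ok "$3" || { echo "FAIL: $3 must be mode 0600"; fails=$((fails + 1)); }
    for k in tlsCrt tlsKey; do
        tls_value_is_pem "$2" "$k" || { echo "FAIL: $k in $2 is not base64 PEM"; fails=$((fails + 1)); }
    done
    return "$fails"
}
```

Run it from the package directory as `preflight vars/vault-config.yaml vars/general-config.yaml <pem file>` before ./adeptia-connect.sh; a non-zero exit is the number of findings to fix first.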

Uninstall

Description / Command

Uninstall the complete package (RKE2, Rancher, Longhorn, Prometheus and Grafana, EFK, AC):

$ ./adeptia-connect.sh --tag=uninstall-all

Uninstall only AC:

$ ./adeptia-connect.sh --tag=uninstall-ac
