Rancher is an open-source multi-cluster orchestration platform that makes it easy for you to deploy and manage an application on a Kubernetes cluster.

Adeptia packages Rancher and security-focused Kubernetes (RKE2), along with the Adeptia Connect application and other components, in an Ansible Playbook. You need to download and run this package, which deploys the following in the order listed:

  • RKE2 – Security focused Kubernetes

  • Rancher UI – UI to centrally manage a multi-cluster Kubernetes environment

  • Longhorn – Cloud native distributed block storage for Kubernetes

  • Prometheus including Grafana – For centralized monitoring

  • Elasticsearch, Fluentd, and Kibana (EFK) – For centralized logging

  • Kubernetes Event Driven Autoscaler (KEDA) – For pods autoscaling

  • Adeptia Connect application (can be deployed in HA mode with each microservice running 2 replicas)

Prerequisites and

Before you run the Ansible Playbook, ensure that you have:

  • At least three Linux VMs, each with the following minimum configuration:

    • RAM – 32 GB

    • Processor cores – 8

    • Hard disk – 250 GB

  • One Jumpbox with internet access and SSH connectivity with the above 3 Linux VM machines

  • Ansible 2.5 (or higher) installed on Jumpbox.
    You can install Ansible on Ubuntu OS by running the following command:

    $ sudo apt install ansible

  • Load Balancer on top of 3 Linux VM nodes

  • Administrative privileges on Jumpbox and each Linux VM node

  • SSH Private key in PEM (Privacy Enhanced Mail) format for communication between the VMs

You can use the PEM file with or without passphrase protection.

  • Inbound ports opened on Load Balancer and 3 Linux VM:

    • 9345 - required for RKE2 nodes clustering

    • 6443 - required for Kubernetes API

  • DNS domain for accessing Rancher UI

  • DNS domain for accessing Adeptia Connect portal

=================================================================================

DNS

We need 2 different DNS domains (pointing to the Load Balancer) for Ingress traffic routing to different components:

1st DNS for:

  • managing the RKE2 cluster

  • routing traffic to the Rancher GUI portal

2nd DNS for routing traffic to:

  • AC Portal

  • AC API Gateway (for REST and SOAP API calls)

  • Kibana dashboard for logging

  • Grafana dashboard for monitoring

==============================================================================================

Once you have met the prerequisites, update the following files containing the details of VMs, Load Balancer, ports, DNS, SSH connectivity, and other configuration details required for running Ansible Playbook. These files are available in Ansible Playbook package that you have downloaded.

  • inventory file – Defines the hosts (or group of hosts) on which the Playbook runs

  • vars/general-config.yaml - Contains the configuration variables to run the Playbook

  • vars/vault-config.yaml - Contains sensitive information, such as passwords, required to validate and run the Playbook

Steps to update inventory file

  1. Open the inventory file.

  2. Add the domain name or IP address of the three VMs under the [servers] group as shown in the example code snippet below.

RKE2 server (or master) will be deployed on these nodes.

# rke2 cluster master/server nodes #
[servers]
xxx.xx.xx.xx
xxx.xx.xx.xx
xxx.xx.xx.xx

# rke2 cluster worker/agent nodes #
[agents]
xxx.xx.xx.xx

[k8s:children]
servers
agents

[servers:vars]
rke2_type="server"

[agents:vars]
rke2_type="agent"

[all:vars]
ansible_user={{ ssh_user }}
ansible_ssh_private_key_file={{ ssh_key_path }}

You can also add the domain name or IP address of an RKE2 agent under the [agents] group if you have one.

RKE2 agent (or worker) will be deployed on these nodes.

Steps to update vars/general-config.yaml

  1. Navigate to /vars in the Ansible Playbook.

  2. Open the general-config.yaml file.

  3. Update the following properties.

Property – Description

  • ssh_key_path – Name of SSH private key (pem) file.

  • rancher_lb_domain – Domain name of Rancher

  • app_lb_domain – Domain name of Adeptia Connect application

  • rke2_token – Secret token for node registration.

  • execute_static_job – AC installation mode. Set the value for this property to true for fresh installation and false in case you are upgrading from a lower AC v4.x environment.

  • ac_ha_mode – Enable/Disable High Availability (HA) mode. Possible values are:

    • true

    • false

  • backend_db_type – Backend database type. Possible values are:

    • MySQL

    • SQL-Server

    • Oracle

  • backend_db_url

    • Value for Azure SQL Database: jdbc:sqlserver://<DB Hostname>:<Port Number>;database=<Backend Database Name>

    • Value for Oracle Database: jdbc:oracle:thin:@<hostName>:<portNumber>:<SID/ServiceName>

    • Value for Azure MySQL Database: jdbc:mysql://<hostName>:<portNumber>/<DBName>?useSSL=true

  • log_db_type – Log database type. Possible values are:

    • MySQL

    • SQL-Server

    • Oracle

  • log_db_url

    • Value for Azure SQL Database: jdbc:sqlserver://<DB Hostname>:<Port Number>;database=<Log Database Name>

    • Value for Oracle Database: jdbc:oracle:thin:@<hostName>:<portNumber>:<SID/ServiceName>

    • Value for Azure MySQL Database: jdbc:mysql://<hostName>:<portNumber>/<DBName>?useSSL=true

  • tlsCrt – TLS signed certificate in base64 encoding (for Ingress)

  • tlsKey – TLS private key of certificate in base64 encoding (for Ingress)

Update vars/vault-config.yaml

  1. Locate the vault-config.yaml file in /vars in the extracted Ansible Playbook folder.

  2. Define the sensitive information (like passwords) in the vault-config.yaml.

vault_ansible_sudo_pass: 
vault_rancher_gui_password: adeptia1243
vault_rke2_token: defaultSecret123456

#envSecret#
vault_backend_db_username: 
vault_backend_db_password: 
vault_log_db_username: 
vault_log_db_password:

  • This file can be encrypted/decrypted using Ansible Vault.

For added security, you can encrypt the sensitive information specified inside the vars/vault-config.yaml file.

Encrypt/Decrypt with Ansible Vault

Encrypting the file

To encrypt with Vault, use the ansible-vault encrypt command.

$ ansible-vault encrypt vault-config.yaml

You will be prompted to provide and confirm a password. Afterward, a message will confirm the encryption.

Viewing Encrypted File

The ansible-vault view command feeds the contents of a file to standard output. By default, this means that the contents are displayed in the terminal.

$ ansible-vault view vault-config.yaml

You will be asked for the file’s password. After entering it successfully, the contents will be displayed.

The password prompt is mixed into the output of the file contents.

Decrypting Encrypted Files

To decrypt a vault-encrypted file, use the ansible-vault decrypt command.

$ ansible-vault decrypt vault-config.yaml

You will be prompted for the encryption password for the file. Once you enter the correct password, the file will be decrypted and you will see a message confirming successful decryption.

Execution

The package contains a shell file (adeptia-connect.sh) that can be run to execute the Ansible playbook with appropriate arguments.

Install

  1. Log in to the Jumpbox.

  2. Download and extract the Ansible Playbook package.

  3. Update the Ansible playbook configurations as per the instructions.

  4. Run the shell file (adeptia-connect.sh) to deploy the Rancher and AC application with the required dependencies.

    # set RW permission to the ssh private file (pem)
    $ chmod 0600 <pem file>
    # set executable permission to the shell file(adeptia-connect.sh)
    $ chmod +x adeptia-connect.sh
    # run the shell file
    $ ./adeptia-connect.sh

You have the flexibility to pass the tag argument during the execution of the shell file to install different components as per requirement.

Tag – Components

  • --tag=install-all – Install all the components including RKE2, Rancher, AC, EFK, Prometheus, etc. This is the default mode (if you don't provide any tag argument during the execution of the shell file).

  • --tag=install-basic – Installs all the components (RKE2, Rancher, AC, EFK, Prometheus, etc.) except the AC application

  • --tag=install-ac – Installs only AC application

  • --tag=install-rke2 – Installs only RKE2 (server/agent)

  • --tag=install-prometheus – Installs only Prometheus (and Grafana)

  • --tag=install-efk – Installs only EFK

# to deploy only AC application
$ ./adeptia-connect.sh --tag=install-ac

# to run multiple tags, provide comma separated values
$ ./adeptia-connect.sh --tag=install-basic,install-ac

Using Ansible Vault encryption

You need to pass the argument --ask-vault-pass with the command to run the shell file (adeptia-connect.sh).

Ansible will prompt you for a password which it will use to decrypt any vault-protected content it finds.

$ ./adeptia-connect.sh --ask-vault-pass
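
The checks below are an added example, not part of the Adeptia package: a pre-flight script for the Jumpbox that confirms vault-config.yaml carries the Ansible Vault header, that a plaintext file no longer holds the sample values shown above, and that the PEM key is not accessible to group or others. The function names and the constructed sample files are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks to run on the Jumpbox before adeptia-connect.sh.
# Function names are illustrative; they are not part of the Adeptia package.

# Succeeds only if the file starts with the Ansible Vault envelope header.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Succeeds if a plaintext file still sets a sample value shown on this page.
uses_sample_secret() {
    grep -Eq '^vault_(rancher_gui_password|rke2_token):[[:space:]]*(adeptia1243|defaultSecret123456)[[:space:]]*$' "$1"
}

# Succeeds only if group and others have no access to the key (0600 or 0400).
has_private_key_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight <vault-config.yaml> <pem file>: exit status = number of failed checks.
preflight() {
    failures=0
    if ! is_vault_encrypted "$1"; then
        echo "FAIL: $1 is plaintext; run: ansible-vault encrypt $1" >&2
        failures=$((failures + 1))
        if uses_sample_secret "$1"; then
            echo "FAIL: $1 still contains sample values from the documentation" >&2
            failures=$((failures + 1))
        fi
    fi
    if ! has_private_key_mode "$2"; then
        echo "FAIL: $2 is accessible to group/others; run: chmod 0600 $2" >&2
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed sample files (no real secrets) so the script runs offline.
demo=$(mktemp -d)
printf 'vault_rke2_token: defaultSecret123456\n' > "$demo/vault-config.yaml"
: > "$demo/key.pem" && chmod 0644 "$demo/key.pem"
preflight "$demo/vault-config.yaml" "$demo/key.pem" || echo "failed checks: $?"
rm -rf "$demo"
```

On the Jumpbox, call preflight with the real vault-config.yaml and PEM file, and continue to ./adeptia-connect.sh --ask-vault-pass only when it returns 0.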

Uninstall

Description – Command

  • Uninstall the complete package:

    • RKE2

    • Rancher

    • Longhorn

    • Prometheus (and Grafana)

    • EFK

    • AC

    $ ./adeptia-connect.sh --tag=uninstall-all

  • Uninstall only AC

    $ ./adeptia-connect.sh --tag=uninstall-ac
