Deploying Server
Deploying Quantotto Server onto Kubernetes is done in two main steps (partially leveraging the Quantotto K8s CLI):
- Configure server (qtok8s server config): the preparation step for the deployment
- Deploy product with helmfile: the actual deployment step
Configure
- This step requires access credentials to private DockerHub repositories (at this time, Quantotto images are not yet public). Make sure you took a note of the username and password for the images repo before proceeding.
- Run qtok8s server config
- Provide answers to multiple prompts (or accept the defaults where relevant)
- Here are the settings that will need your attention:
$ qtok8s server config --help
Usage: qtok8s server config [OPTIONS]

  Configures product settings prior to deployment

Options:
  --quantotto-version TEXT        Quantotto version to deploy  [default: 3.1.0; required]
  --portal-fqdn TEXT              Fully qualified domain name of Quantotto portal  [required]
  --cluster-domain TEXT           Fully qualified domain name of target Kubernetes cluster  [required]
  --server-namespace TEXT         Kubernetes server namespace  [default: quantotto; required]
  --customer-namespace-prefix TEXT
                                  Kubernetes customer namespace prefix  [default: quantotto-; required]
  --repo TEXT                     Docker image repository  [default: quantotto; required]
  --repo-user TEXT                Docker image repository user  [default: quantotto; required]
  --repo-password TEXT            Docker image repository password  [required]
  --storage-class TEXT            Storage class for Kubernetes volumes  [default: my-local-storage; required]
  --retention-days INTEGER        Days to retain captured data  [default: 3; required]
  --qdb-password TEXT             Quantotto DB password  [required]
  --mongodb-password TEXT         Mongo DB password  [required]
  --ldap-admin-password TEXT      LDAP administrator password  [required]
  --encrypt-secrets TEXT          Provide PGP key (pgp:<key>) or path to sops.yaml (sops:<sops path>) to encrypt secrets
  --help                          Show this message and exit.
NOTES:
- You can provide some or all of the above options on the command line or omit them; if omitted, you will be prompted for the missing options.
- In most cases, the provided defaults will work fine.
ENCRYPTION NOTES:
Secrets will be encrypted during generation of the helmfile templates. You have to provide the --encrypt-secrets command line option as explained below. Supported encryption options:
- PGP key:
  - provide the key fingerprint as the --encrypt-secrets value in the form pgp:12345678ABCDEF, replacing 12345678ABCDEF with your key
  - you can list all keys available locally with gpg --list-keys
  - use gpg --full-generate-key to create a new key if needed
- Custom SOPS: supply your own SOPS configuration file as the --encrypt-secrets value in the form sops:path/to/sops.yaml
Example: qtok8s server config --encrypt-secrets pgp:C8737843287239328934
Once complete, the command will render a few deployment templates and display the specific helmfile command to use for the actual deployment.
Deploy
- CD to the helmfile folder
- Run:
helmfile -f $QUANTOTTO_HOME/install/helmfile/server_helmfile.yaml sync
Deployment might take a minute to complete. Once the helmfile command has completed successfully, watch the quantotto namespace (assuming you didn't specify a different namespace) and wait until all pods are in the Ready and Running state:
watch kubectl -n quantotto get pods
When all pods are ready, the output will look similar to the listing below:
NAME                                   READY   STATUS    RESTARTS   AGE
auth-api-c845dbbd8-7v9jb               1/1     Running   0          2m21s
config-api-687db6dd8c-sp4xt            1/1     Running   0          3m4s
data-api-6bf658cf87-bvjsd              1/1     Running   0          2m22s
faces-archive-api-7fbf5b77ff-rq66z     1/1     Running   0          2m21s
ftp-7fbb6d5c8f-964rq                   1/1     Running   0          2m21s
h5serv-56b5b54df4-xj5sm                1/1     Running   0          2m21s
hydra-79954484d-hfplr                  1/1     Running   0          3m6s
hydra-hydra-maester-6c66b94c4b-t9m89   1/1     Running   0          3m6s
influxdb-0                             1/1     Running   0          2m21s
mgmt-api-6bd5f69dd5-mttw8              1/1     Running   0          2m21s
mongodb-b4cb5c97b-gnp8z                1/1     Running   0          2m20s
neo4j-neo4j-core-0                     1/1     Running   0          2m20s
nginx-55cdf446cd-vsdd5                 1/1     Running   0          2m21s
openldap-0                             1/1     Running   1          3m12s
qdb-76446cb477-shckg                   1/1     Running   0          3m12s
redis-master-0                         1/1     Running   0          2m20s
Portal FQDN (assume we chose portal.example.com as our FQDN):
- Make sure that the Portal FQDN you configured is either DNS resolvable or listed in /etc/hosts
- To retrieve the portal's external IP, run kubectl get svc nginx -n quantotto; it will be listed under the EXTERNAL-IP column:
NAME    TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                         AGE
nginx   LoadBalancer   10.97.54.25   192.168.0.212   15000:30123/TCP,443:32058/TCP   6m29s
In the case of this example, the External IP is 192.168.0.212.
- If not configured in DNS, /etc/hosts should have the following line:
192.168.0.212 portal.example.com
Management Console:
- Make sure the Management Console is up by navigating to https://portal.example.com (the Portal FQDN should be the same one you used when configuring the server deployment).
- You should see a “Certificate not trusted” page
- Make sure to save the certificate from the browser to a file and import it as Trusted. On Windows, as an example, place it under the “Trusted People” store of Local Machine
- After that, refresh the page, accept the warning and you should see a login page.
We still haven't created any Customer, so you won't be able to actually log in, but it is a good extra validation that the server was deployed successfully.
Super-admin secret:
- The super-admin secret is required for further configuration steps; retrieve it from Kubernetes by running the following (this will save it in super.txt):
echo $(kubectl get secrets/config-super-admin -n quantotto --template='{{.data.HYDRA_SUPER_ADMIN_SECRET}}' | base64 --decode) > super.txt
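The pod readiness wait, the EXTERNAL-IP lookup and the super-admin secret retrieval above can be scripted as a single post-deployment check. The script below is an added example, not part of qtok8s or helmfile; it parses the kubectl output formats shown on this page, assumes getent is available for name resolution, and embeds constructed sample output so the parsing functions run without a cluster.

```shell
#!/bin/sh
# Post-deployment checks for the Quantotto server namespace (added example,
# not part of the Quantotto tooling). Sample kubectl output below is
# constructed from the listings on this page so the parsers run offline.
NS="${QUANTOTTO_NS:-quantotto}"
SAMPLE_PODS_OK='NAME READY STATUS RESTARTS AGE
auth-api-c845dbbd8-7v9jb 1/1 Running 0 2m21s
openldap-0 1/1 Running 1 3m12s'
SAMPLE_PODS_WAIT='NAME READY STATUS RESTARTS AGE
auth-api-c845dbbd8-7v9jb 1/1 Running 0 2m21s
qdb-76446cb477-shckg 0/1 ContainerCreating 0 5s'
SAMPLE_SVC='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx LoadBalancer 10.97.54.25 192.168.0.212 15000:30123/TCP,443:32058/TCP 6m29s'

# Succeed only when every pod reports READY n/n and STATUS Running.
# Reads `kubectl get pods` output (header included) on stdin.
pods_ready() {
  awk 'NR == 1 { next }
       { split($2, r, "/"); if (r[1] != r[2] || $3 != "Running") bad++ }
       END { exit (bad > 0) }'
}

# Print the EXTERNAL-IP of the nginx service from `kubectl get svc nginx`
# output on stdin; fail while the LoadBalancer address is still <pending>.
nginx_external_ip() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") c = i; next }
       $1 == "nginx" { ip = $c }
       END { if (ip == "" || ip ~ /pending|none/) exit 1; print ip }'
}

# Check that the portal FQDN resolves (DNS or /etc/hosts) to the service IP.
portal_resolves_to() {
  getent hosts "$1" | awk -v want="$2" '$1 == want { ok = 1 } END { exit !ok }'
}

# Same kubectl call as on the page, but the file is created under umask 077
# so the secret is readable by the owner only.
save_super_admin_secret() {
  ( umask 077
    kubectl get secrets/config-super-admin -n "$NS" \
      --template='{{.data.HYDRA_SUPER_ADMIN_SECRET}}' | base64 --decode > "${1:-super.txt}" )
}

# Run against a live cluster only when asked: ./check.sh --live portal.example.com
if [ "${1:-}" = "--live" ]; then
  until kubectl -n "$NS" get pods | pods_ready; do sleep 5; done
  ip=$(kubectl -n "$NS" get svc nginx | nginx_external_ip) || { echo "LB IP pending"; exit 1; }
  portal_resolves_to "$2" "$ip" || { echo "$2 does not resolve to $ip"; exit 1; }
  save_super_admin_secret super.txt && echo "server ready at https://$2"
fi
```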