
Install ELMA365 to Kubernetes

 

ELMA365 can be deployed to an already working Kubernetes cluster. The ELMA365 deployment package consists of two Helm charts:

 

  • elma365-dbs. This chart includes the databases and data storages that ELMA365 needs to operate. You can also use your own PostgreSQL, MongoDB, Redis, and RabbitMQ databases and S3 object storage; in that case, specify their connection strings in the values of the elma365 chart. You can disable the installation of the corresponding components in the values-dbs.yaml file by setting their values to false (for example, set global.postgresql.enabled to false for PostgreSQL). If all five components of the chart are set to false, the chart does not need to be installed. Learn more about connecting to databases in the Connect to external databases article.
  • elma365. This chart contains the ELMA365 main package.

 

The installation has two steps and uses Helm v.3.

Note that elma365-extension charts are no longer supported. You can switch to elma365-dbs with new versions of databases by creating a dump and restoring it.

Helm chart download links

elma365-dbs: https://dl.elma365.com/onPremise/chart/latest/elma365-dbs.tar.gz

elma365: https://dl.elma365.com/onPremise/chart/latest/elma365.tar.gz

addons: https://dl.elma365.com/onPremise/chart/latest/addons.tar.gz

You can also download a specific ELMA365 version, for example, 2022.7.5:

elma365: https://dl.elma365.com/onPremise/chart/master/elma365-2022.7.5.tar.gz

Install the elma365-dbs chart

  1. Fill out the variables in the values-dbs.yaml file. If you are using custom databases, you can disable the installation of the databases included in the package by default.
  2. If a specific namespace needs to be created, include it in all the installation commands.
  3. Run the following command:

helm upgrade --install elma365-dbs ./elma365-dbs -f values-dbs.yaml [-n namespace]

Install the elma365 chart

  1. Fill out the variables in the values-elma365.yaml file.
  2. If you need to restore an ELMA365 dump, run the elma365db.sh script located in the elma365 chart before the installation:

./elma365db.sh --restore --namespace elma365 --path /backup/path/ [--kubeconfig /path/to/config --context prod]

  3. Run the following command to install the chart:

helm upgrade --install elma365 ./elma365 -f values-elma365.yaml --timeout=30m --wait [-n namespace]

  4. Save the values-elma365.yaml file for future updates.
  5. To create a dump, run the elma365db.sh script with the following command:

./elma365db.sh --dump --namespace elma365 --path /backup/path/ [--kubeconfig /path/to/config --context prod]

Install monitoring tools (optional)

  1. Download the addons helm chart using a link from the Helm chart download links.
  2. In the addons chart, in the values-addons.yaml file, in grafana and kube-prometheus-stack, specify the needed namespace for the monitoring service (for example, namespaceOverride: monitoring) and the address the monitoring service will be available at.
  3. Create a namespace for the monitoring service using the following command:

kubectl create namespace monitoring

  4. Install the chart using the following command:

helm upgrade --install addons ./addons -f values-addons.yaml

  5. In the values-elma365.yaml file of the elma365 chart, enable dashboards:

dashboard:
  enabled: true

  6. Update the ELMA365 application using the following command:

helm upgrade elma365 ./elma365 -f values-elma365.yaml --timeout=30m

Install Linkerd and autoscaling services (optional)

Linkerd is a dedicated infrastructure layer that controls service-to-service communication, automatically encrypts connections, and handles request retries and timeouts. It also provides telemetry (success rates and latencies) and many other features.

  1. Download the addons helm chart using a link from the Helm chart download links.
  2. Generate certificates using openssl by running the commands listed below. Linkerd requires a trust anchor certificate and an issuer certificate with its corresponding key to support mTLS connections between services. All certificates must use the ECDSA P-256 algorithm.

# Generate a CA private key
openssl ecparam -name prime256v1 -genkey -noout -out ca-private.pem

# Generate a CA public key
openssl ec -in ca-private.pem -pubout -out ca-public.pem

# Generate a self-signed CA certificate
openssl req -x509 -new -key ca-private.pem -days 365 -out ca.crt -subj "/CN=root.linkerd.cluster.local"

# Generate an issuer private key
openssl ecparam -name prime256v1 -genkey -noout -out issuer-private.pem

# Generate an issuer public key
openssl ec -in issuer-private.pem -pubout -out issuer-public.pem

# Generate a certificate signing request
openssl req -new -key issuer-private.pem -out issuer.csr -subj "/CN=identity.linkerd.cluster.local" -addext basicConstraints=critical,CA:TRUE

# Generate an issuer certificate by signing the request with the CA
openssl x509 \
    -extfile /etc/ssl/openssl.cnf \
    -extensions v3_ca \
    -req \
    -in issuer.csr \
    -days 180 \
    -CA ca.crt \
    -CAkey ca-private.pem \
    -CAcreateserial \
    -out issuer.crt

# Delete the signing request
rm issuer.csr

  3. In the addons chart, enable the linkerd2 parameter in the values-addons.yaml file:

linkerd2:
  enabled: true

  4. In linkerd2, specify the namespace for the Linkerd service (for example, namespace: linkerd), the contents of the certificates and the key, and the certificate’s expiry date (crtExpiry). The crtExpiry value must match the issuer certificate’s expiry date.

  identityTrustAnchorsPEM: |
    -----BEGIN CERTIFICATE-----
    ca.crt certificate content
    -----END CERTIFICATE-----
  identity:
    issuer:
      crtExpiry: 2023-03-30T05:28:39Z
      tls:
        crtPEM: |
          -----BEGIN CERTIFICATE-----
          issuer.crt certificate content
          -----END CERTIFICATE-----
        keyPEM: |
          -----BEGIN EC PRIVATE KEY-----
          issuer-private.pem key content
          -----END EC PRIVATE KEY-----

  5. Install the chart using the following command:

helm upgrade --install addons ./addons -f values-addons.yaml

  6. Add an annotation to the namespace with the ELMA365 application so that Linkerd proxy containers are automatically injected into ELMA365 services:

kubectl annotate namespace default linkerd.io/inject=enabled

  7. Enable autoscaling of services using the autoscaling parameter in the values-elma365.yaml file from the elma365 chart:

autoscaling:
  enabled: true

  8. Update the ELMA365 application using the following command:

helm upgrade elma365 ./elma365 -f values-elma365.yaml --timeout=30m

  9. Restart all services with the following command:

kubectl rollout restart deploy [-n namespace] && kubectl rollout restart ds [-n namespace]

Install NodeLocal DNS Cache (optional)

Installing NodeLocal DNS Cache reduces the DNS query load in the Kubernetes cluster and makes DNS lookups more consistent. It lets you avoid DNAT rules, connection tracking, and the limits on the number of tracked connections.

To install the add-on:

  1. Download the addons Helm chart using a link from the Helm chart download links.
  2. Get the IP address of the kube-dns service:

kubectl get svc kube-dns -n kube-system -o jsonpath={.spec.clusterIP}

  3. In the addons chart, in the values-addons.yaml file, in node-local-dns, configure the following parameters:
  • pillar_dns_domain is the cluster’s domain.
  • pillar_dns_server is the IP address of the kube-dns service.
  • pillar_local_dns is the local IP address for NodeLocal DNS Cache.
  4. Install the chart by running the following command:

helm upgrade --install addons ./addons -f values-addons.yaml

Update ELMA365 to a new version

In the new chart, replace the values-elma365.yaml file with the one that was saved during the installation. Then run the following command:

helm upgrade --install elma365 ./elma365 -f values-elma365.yaml --timeout=30m --wait [-n namespace]

If database connection strings are changed during the update, restart all services using the following command:

kubectl rollout restart deploy [-n namespace] && kubectl rollout restart ds [-n namespace]

Uninstall

You can delete the charts by running the following commands:

helm uninstall elma365 [-n namespace]

helm uninstall elma365-dbs [-n namespace]

 

Requirements for the Kubernetes configuration

 

The installed version of the Kubernetes cluster must support Kubernetes API v.2 and Kubernetes version 1.19.

The pods must be granted proxy access to the external network.

If you are using microk8s software distribution as a ready-made Kubernetes cluster, make sure that the following components are installed:

 

  • storage (Default storage class)
  • dns (CoreDNS)
  • rbac (RBAC)
  • ingress (Ingress controller)
  • helm3 (Helm3)

 

To enable a component, use the microk8s.enable command. For example, you can enable ingress in the following way:

 

microk8s.enable ingress

 

The ingress controller configuration settings must be as follows:

 

extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP

If Kubernetes in Docker (KinD) is used to set up the cluster, the ingress controller must be enabled for deployment in the cluster configuration file:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
