NOTA: If using ingressRoute. Please, create a file with:
## Verify Vault Pods
Check that Vault pods are running:
```bash
kubectl -n mon get pods
```
---
## Using Traefik IngressRoute
If you are using **IngressRoute** (Traefik), create a file named `ingress-route.yaml` with the following content:
```yaml
apiVersion:traefik.containo.us/v1alpha1
kind:IngressRoute
metadata:
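Review bot: The example manifest opens with `apiVersion:traefik.containo.us/v1alpha1`, which is the legacy Traefik CRD group. Traefik 2.10 deprecated it in favour of `traefik.io/v1alpha1` and Traefik v3 no longer serves it, so the README should either state which Traefik version this IngressRoute targets or switch to the newer group. The new "Verify Vault Pods" step also hard-codes `kubectl -n mon get pods`; say that `mon` is the default namespace so readers who changed it know to substitute their own.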
@@ -30,23 +50,32 @@ spec:
name:vault-internal
port:8200
scheme:http
```
```
# deploy ingress route
See more information [here](https://doc.traefik.io/traefik/getting-started/quick-start-with-kubernetes/).
$ kubectl apply -f ingress-route.yaml
```
# Creating vault PKI and certificates
## Considerations:
- If you change values by default in the `capi/values.yaml`. Please, consider have a look of some topics:
- You will need to create PKI and certificates, therefore. The `VAULT_TOKEN` provided must have sufficient permissions in Vault to create it
- Modify:
-`namespace` in `vault-job/vault-job.yaml`. The namespace should be changed in the entire file. By default is `mon` (same namespace when capif is deployed)
-`export VAULT_ADDR` using the service deployed to vault. By default is `http://vault-internal:8200`
-`export VAULT_TOKEN` using the token created to vault. By default is `dev-only-token`
-`DOMAIN1` - variable used for generate certificate (CSR) to capif `(ex: DOMAIN1=capif.mobile.cloud)`.
Apply the ingress route:
```bash
kubectl apply -f ingress-route.yaml
```
$ kubectl apply -f vault-job/
---
# Creating Vault PKI and Certificates
## Considerations
If you change default values in `capi/values.yaml`, review the following:
- You must create PKI and certificates. The `VAULT_TOKEN` provided must have sufficient permissions in Vault.
- Modify these variables as needed:
-`namespace` in `vault-job/vault-job.yaml` (default: `mon`, should match your deployment namespace)
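Review bot: In the rewritten Considerations list, "The `VAULT_TOKEN` provided must have sufficient permissions in Vault." is too loose to sit next to a documented default of `dev-only-token`. Spell out that the job only needs to create the PKI and issue certificates, and that `dev-only-token` belongs to a development Vault and must be replaced with a scoped token anywhere else, so readers are not steered toward reusing a root-level token. The defaults shown here are also plaintext end to end (`VAULT_ADDR` is `http://vault-internal:8200` and the IngressRoute backend uses `scheme:http`), which means the token crosses the cluster network and the Traefik-to-Vault hop unencrypted. A sentence telling readers to enable TLS on Vault outside a lab setup would close that gap.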
kubectl -n ingress-nginx get deploy -o yaml | grep passthrough
```
-`PersistentVolumeClain` already in cluster (if configured in capif)
-`PersistentVolumeClaim` already created in the cluster (if enabled in CAPIF)
## Considerations Before Installation
## Considerations before to install/deploy:
-**Prometheus**:
- You can install prometheus but you will need permissions to deploy prometheus in the cluster. The helm creates a ClusterRole to access to all resources in the cluster.
- If you don't have permission or there is already provided a Prometheus
in the cluster. in `capif/values.yaml` gives the field `monitoring.prometheus.enable: ""`
- Grafana will need the endpoint to prometheus. Please keep in mind setup the grafana's field in `capif/values.yaml`
- You can install Prometheus, but you will need permissions to deploy it in the cluster. The Helm chart creates a ClusterRole to access all resources.
- If you lack permissions or Prometheus is already provided, set `monitoring.prometheus.enable: ""` in `capif/values.yaml`.
- Grafana will need the Prometheus endpoint. Make sure to configure the relevant field in `capif/values.yaml`.
-**Vault**:
- You will need a instance of vault already deployed. If the cluster doesn't provide the vault instance. You can install it following the next [steps](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md)
- Once the vault is provided in the cluster. You need to create the PKI and certificates. Follow the vault-job [step](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) to create it
- Setup the `parametersVault.env.VaultHostname`: This is the endPoint to vault. This endpoint can be a service/ingress of kubernetes
- Setup `parametersVault.env.VaultPort`: This is the port listenting to vault instance
- Setup `parametersVault.env.vaultAccessToken`: This is the token used for capif to create the certificates in vault. If vault owns of you. Use the token created in [Vault readme](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) . Otherwise, the admin
of the cluster will provide you the token. This token will need sufficient permissions to create PKI and certificates.
-**CAPIF**
- Please, have a look of [`values.yaml`](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/capif/values.yaml) file and setup according to the conditions
```
# download dependencies
$ helm dependency build capif/
- An instance of Vault must be deployed. If not available, follow the [Vault installation steps](./README-vault.md).
- After Vault is available, create the PKI and certificates as described in the [Vault job step](./README-vault.md#creating-vault-pki-and-certificates).
- Set `parametersVault.env.VaultHostname` to the Vault endpoint (can be a Kubernetes service or ingress).
- Set `parametersVault.env.VaultPort` to the Vault port.
- Set `parametersVault.env.vaultAccessToken` to a token with permissions to create PKI and certificates. Use the token from the [Vault README](./README-vault.md#creating-vault-pki-and-certificates) or obtain one from the cluster admin.
# check ingress_ip.oneke
-**CAPIF**:
- Review and configure the [`values.yaml`](capif/values.yaml) file according to your environment.
-[MongoDB pod fails to start (Exit code 14 or 100)](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=troubleshooting-mongodb-pod-fails-start-container-exit-code-14-100)
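Review bot: The Vault bullets under "Considerations Before Installation" tell the reader to put `parametersVault.env.vaultAccessToken` in `capif/values.yaml`, and the new wording points them at the token from the Vault README, which that README documents as `dev-only-token`. A token that can create PKI and certificates should not live in a values file that tends to get committed. Recommend supplying it at install time instead of editing the file, and note that the README default is for development only. On the Prometheus bullet, the text says the Helm chart "creates a ClusterRole to access all resources" without saying why that matters; add a short remark that this is cluster-wide read access and that setting `monitoring.prometheus.enable: ""` is the way to avoid it on shared clusters.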