Commit cdb43f1c authored by Jorge Moratinos

Merge branch 'upgrading_helm_documentation' into 'staging'

Fixed README.md broken links, updated README-vault.md

See merge request !138
parents 819bd25f 1c3b241b
+57 −28
# Install vault
# Install Vault

Add the HashiCorp Helm repository and install Vault in the `mon` namespace:

```bash
helm repo add hashicorp https://helm.releases.hashicorp.com
helm upgrade --install vault hashicorp/vault -n mon --set server.standalone.enabled=true --create-namespace
```
```
$ helm repo add hashicorp https://helm.releases.hashicorp.com
$ helm upgrade --install vault hashicorp/vault -n mon --set server.standalone.enabled=true --create-namespace


# if you are using ingress controller, please use:
## Using an Ingress Controller
$ helm upgrade --install vault hashicorp/vault -n mon --set server.ingress.enabled=true --set server.ingress.hosts[0].host="vault.mon.int" --set server.ingress.ingressClassName=nginx --set server.standalone.enabled=true --create-namespace


# verify pods are running
If you are using an ingress controller, install Vault with:
$ kubectl -n mon get pods


```bash
helm upgrade --install vault hashicorp/vault -n mon \
  --set server.ingress.enabled=true \
  --set server.ingress.hosts[0].host="vault.mon.int" \
  --set server.ingress.ingressClassName=nginx \
  --set server.standalone.enabled=true \
  --create-namespace
```
```
NOTA: If using ingressRoute. Please, create a file with:


## Verify Vault Pods

Check that Vault pods are running:

```bash
kubectl -n mon get pods
```
```

---
---


## Using Traefik IngressRoute

If you are using **IngressRoute** (Traefik), create a file named `ingress-route.yaml` with the following content:

```yaml
apiVersion: traefik.containo.us/v1alpha1
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
kind: IngressRoute
metadata:
metadata:
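Review bot: The new "Using an Ingress Controller" command publishes Vault at `vault.mon.int` through the nginx class without any TLS setting and without saying how traffic to that host is protected; please add a sentence (or the corresponding values) covering TLS for the ingress host, since Vault tokens and issued certificates will cross this endpoint. In the same command, `--set server.ingress.hosts[0].host="vault.mon.int"` leaves the brackets unquoted, which some shells treat as a glob pattern and reject; quoting the whole argument, e.g. `--set 'server.ingress.hosts[0].host=vault.mon.int'`, makes the reformatted multi-line block safe to copy and paste.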
@@ -30,23 +50,32 @@ spec:
          name: vault-internal
          name: vault-internal
          port: 8200
          port: 8200
          scheme: http
          scheme: http

```
```
```
See more information [here](https://doc.traefik.io/traefik/getting-started/quick-start-with-kubernetes/).
# deploy ingress route


$ kubectl apply -f ingress-route.yaml
Apply the ingress route:
```

# Creating vault PKI and certificates
```bash

kubectl apply -f ingress-route.yaml
## Considerations:
  - If you change values by default in the `capi/values.yaml`. Please, consider have a look of some topics:
    - You will need to create PKI and certificates, therefore. The `VAULT_TOKEN` provided must have sufficient permissions in Vault to create it
    - Modify:
      - `namespace` in `vault-job/vault-job.yaml`. The namespace should be changed in the entire file. By default is `mon` (same namespace when capif is deployed)
      - `export VAULT_ADDR` using the service deployed to vault. By default is `http://vault-internal:8200`
      - `export VAULT_TOKEN` using the token created to vault. By default is `dev-only-token`
      - `DOMAIN1` - variable used for generate certificate (CSR) to capif `(ex: DOMAIN1=capif.mobile.cloud)`.
```
```
$ kubectl apply -f vault-job/

---

# Creating Vault PKI and Certificates

## Considerations

If you change default values in `capi/values.yaml`, review the following:

- You must create PKI and certificates. The `VAULT_TOKEN` provided must have sufficient permissions in Vault.
- Modify these variables as needed:
  - `namespace` in `vault-job/vault-job.yaml` (default: `mon`, should match your deployment namespace)
  - `export VAULT_ADDR` (default: `http://vault-internal:8200`)
  - `export VAULT_TOKEN` (default: `dev-only-token`)
  - `DOMAIN1` for generating CSRs for Capif (example: `DOMAIN1=capif.mobile.cloud`)

Apply the Vault job manifests:

```bash
kubectl apply -f vault-job/
```
```
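Review bot: The rewritten "Considerations" list still presents `dev-only-token` as the default `VAULT_TOKEN` and only says the token "must have sufficient permissions in Vault"; suggest stating that the default is for development only and must be replaced, and naming what the job actually needs (creating the PKI and issuing certificates) so readers can scope a token instead of reusing a root one. The condensed `namespace` bullet also drops the earlier instruction that the namespace has to be changed throughout `vault-job/vault-job.yaml`; "should match your deployment namespace" does not tell the reader that several occurrences need editing, so it is worth keeping that detail.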
+40 −35
# Install CAPIF in Kubernetes using HELM
# Install CAPIF in Kubernetes using HELM


## Dependencies
## Dependencies
- Helm

-  `Ingress` already in cluster (if configured in capif - `values.yaml`)
- [Helm](https://helm.sh/)
  - ```
- `Ingress` controller already installed in the cluster (if enabled in CAPIF's `values.yaml`)
  - **To install NGINX Ingress controller (if not present):**
    ```sh
    # OPTIONAL - if not exists Ingress in cluster, use this command to install it
    # OPTIONAL - if not exists Ingress in cluster, use this command to install it
    $ helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort
    helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort


    # OPTIONAL - if you need specify the nodePort in cluster use
    # OPTIONAL - if you need specify the nodePort in cluster use
    $ helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort --set controller.service.nodePorts.http=32080 --set controller.service.nodePorts.https=32443 --namespace ingress-nginx --create-namespace --set controller.extraArgs."enable-ssl-passthrough=true" --kubeconfig ../oneke-new.kubeconfig 
    helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort --set controller.service.nodePorts.http=32080 --set controller.service.nodePorts.https=32443 --namespace ingress-nginx --create-namespace --set controller.extraArgs."enable-ssl-passthrough=true" --kubeconfig ../oneke-new.kubeconfig 


    # Check if ssl-passthrough is enabled in nginx controller.
    # Check if ssl-passthrough is enabled in nginx controller.
    $ kubectl -n ingress-nginx get deploy -o yaml | grep passthrough
    kubectl -n ingress-nginx get deploy -o yaml | grep passthrough
    ```
    ```
-  `PersistentVolumeClain` already in cluster (if configured in capif)
- `PersistentVolumeClaim` already created in the cluster (if enabled in CAPIF)

## Considerations Before Installation


## Considerations before to install/deploy:
- **Prometheus**:
- **Prometheus**:
    - You can install prometheus but you will need permissions to deploy prometheus in the cluster. The helm creates a ClusterRole to access to all resources in the cluster. 
    - You can install Prometheus, but you will need permissions to deploy it in the cluster. The Helm chart creates a ClusterRole to access all resources.
    - If you don't have permission or there is already provided a Prometheus
    - If you lack permissions or Prometheus is already provided, set `monitoring.prometheus.enable: ""` in `capif/values.yaml`.
      in the cluster. in `capif/values.yaml` gives the field `monitoring.prometheus.enable: ""`
    - Grafana will need the Prometheus endpoint. Make sure to configure the relevant field in `capif/values.yaml`.
        - Grafana will need the endpoint to prometheus. Please keep in mind setup the grafana's field in `capif/values.yaml`

- **Vault**:
- **Vault**:
    - You will need a instance of vault already deployed. If the cluster doesn't provide the vault instance. You can install it following the next [steps](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md)
  - An instance of Vault must be deployed. If not available, follow the [Vault installation steps](./README-vault.md).
    - Once the vault is provided in the cluster. You need to create the PKI and certificates. Follow the vault-job [step](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) to create it
  - After Vault is available, create the PKI and certificates as described in the [Vault job step](./README-vault.md#creating-vault-pki-and-certificates).
        - Setup the `parametersVault.env.VaultHostname`: This is the endPoint to vault. This endpoint can be a service/ingress of kubernetes
    - Set `parametersVault.env.VaultHostname` to the Vault endpoint (can be a Kubernetes service or ingress).
        - Setup `parametersVault.env.VaultPort`: This is the port listenting to vault instance
    - Set `parametersVault.env.VaultPort` to the Vault port.
        - Setup `parametersVault.env.vaultAccessToken`: This is the token used for capif to create the certificates in vault. If vault owns of you. Use the token created in [Vault readme](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) . Otherwise, the admin
    - Set `parametersVault.env.vaultAccessToken` to a token with permissions to create PKI and certificates. Use the token from the [Vault README](./README-vault.md#creating-vault-pki-and-certificates) or obtain one from the cluster admin.
        of the cluster will provide you the token. This token will need sufficient permissions to create PKI and certificates.
- **CAPIF**
    - Please, have a look of [`values.yaml`](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/capif/values.yaml) file and setup according to the conditions
 ```
 # download dependencies 
 $ helm dependency build capif/


# check ingress_ip.oneke
- **CAPIF**:
    - Review and configure the [`values.yaml`](capif/values.yaml) file according to your environment.

      ```sh
      # Download dependencies 
      helm dependency build capif/

      # Check ingress IP
      kubectl get svc -A | grep nginx
      kubectl get svc -A | grep nginx


# install capif
      # Install CAPIF
$ helm upgrade --install -n mon monitoring-capif capif/ --set nginx.nginx.env.capifHostname=mon-capif.monitoring.int --set ingress_ip.oneke="10.17.173.127" --atomic --create-namespace
      helm upgrade --install -n mon monitoring-capif capif/ --set nginx.nginx.env.capifHostname=mon-capif.monitoring.int --set ingress_ip.oneke="10.17.173.127" --atomic --create-namespace
      ```
      ```


NOTA: The deployment can take until 8 minutes to be ready. Please, if it fails, re-install CAPIF
> **Note:** Deployment may take up to 8 minutes to be ready. If it fails, try reinstalling CAPIF.


## Troubleshooting
## Troubleshooting
- [`Mongo stuck`](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=troubleshooting-mongodb-pod-fails-start-container-exit-code-14-100)

 No newline at end of file
- [MongoDB pod fails to start (Exit code 14 or 100)](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=troubleshooting-mongodb-pod-fails-start-container-exit-code-14-100)
 No newline at end of file
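Review bot: The `parametersVault.env.vaultAccessToken` bullet in the Vault considerations tells readers to set a token with PKI and certificate creation rights but gives no guidance on keeping it out of a committed `capif/values.yaml`; suggest recommending that it be supplied at install time (for example with `--set`) or from a secret, not stored in the values file. Separately, the reformatted examples keep environment-specific values (`--kubeconfig ../oneke-new.kubeconfig` and `ingress_ip.oneke="10.17.173.127"`), and the comment change from "check ingress_ip.oneke" to "Check ingress IP" removes the hint that the address found with `kubectl get svc -A | grep nginx` is the value to pass to `ingress_ip.oneke`; marking those values as placeholders and restoring that link would make the install step clearer.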