diff --git a/helm/README-vault.md b/helm/README-vault.md index 0fab95888fe99817695f93e6126f211d8412d365..948a7a1736b28f5f6d697997ba92c2a7912e2a3d 100644 --- a/helm/README-vault.md +++ b/helm/README-vault.md 
@@ -1,52 +1,81 @@ -# Install vault +# Install Vault + +Add the HashiCorp Helm repository and install Vault in the `mon` namespace: + +```bash +helm repo add hashicorp https://helm.releases.hashicorp.com +helm upgrade --install vault hashicorp/vault -n mon --set server.standalone.enabled=true --create-namespace ``` -$ helm repo add hashicorp https://helm.releases.hashicorp.com -$ helm upgrade --install vault hashicorp/vault -n mon --set server.standalone.enabled=true --create-namespace -# if you are using ingress controller, please use: -$ helm upgrade --install vault hashicorp/vault -n mon --set server.ingress.enabled=true --set server.ingress.hosts[0].host="vault.mon.int" --set server.ingress.ingressClassName=nginx --set server.standalone.enabled=true --create-namespace +## Using an Ingress Controller -# verify pods are running -$ kubectl -n mon get pods +If you are using an ingress controller, install Vault with: +```bash +helm upgrade --install vault hashicorp/vault -n mon \ + --set server.ingress.enabled=true \ + --set server.ingress.hosts[0].host="vault.mon.int" \ + --set server.ingress.ingressClassName=nginx \ + --set server.standalone.enabled=true \ + --create-namespace ``` -NOTA: If using ingressRoute. 
Please, create a file with: +## Verify Vault Pods + +Check that Vault pods are running: + +```bash +kubectl -n mon get pods ``` + --- -apiVersion: traefik.containo.us/v1alpha1 +## Using Traefik IngressRoute + +If you are using **IngressRoute** (Traefik), create a file named `ingress-route.yaml` with the following content: + +```yaml +apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: - name: vault-ingress-route + name: vault-ingress-route namespace: mon spec: - entryPoints: [web] + entryPoints: [web] routes: - kind: Rule match: Host(`vault.mon.int`) services: - kind: Service - name: vault-internal + name: vault-internal port: 8200 scheme: http - -``` ``` -# deploy ingress route +See more information [here](https://doc.traefik.io/traefik/getting-started/quick-start-with-kubernetes/). -$ kubectl apply -f ingress-route.yaml +Apply the ingress route: + +```bash +kubectl apply -f ingress-route.yaml ``` -# Creating vault PKI and certificates - -## Considerations: - - If you change values by default in the `capi/values.yaml`. Please, consider have a look of some topics: - - You will need to create PKI and certificates, therefore. The `VAULT_TOKEN` provided must have sufficient permissions in Vault to create it - - Modify: - - `namespace` in `vault-job/vault-job.yaml`. The namespace should be changed in the entire file. By default is `mon` (same namespace when capif is deployed) - - `export VAULT_ADDR` using the service deployed to vault. By default is `http://vault-internal:8200` - - `export VAULT_TOKEN` using the token created to vault. By default is `dev-only-token` - - `DOMAIN1` - variable used for generate certificate (CSR) to capif `(ex: DOMAIN1=capif.mobile.cloud)`. + +--- + +# Creating Vault PKI and Certificates + +## Considerations + +If you change default values in `capi/values.yaml`, review the following: + +- You must create PKI and certificates. The `VAULT_TOKEN` provided must have sufficient permissions in Vault. 
+- Modify these variables as needed: + - `namespace` in `vault-job/vault-job.yaml` (default: `mon`, should match your deployment namespace) + - `export VAULT_ADDR` (default: `http://vault-internal:8200`) + - `export VAULT_TOKEN` (default: `dev-only-token`) + - `DOMAIN1` for generating CSRs for Capif (example: `DOMAIN1=capif.mobile.cloud`) + +Apply the Vault job manifests: + +```bash +kubectl apply -f vault-job/ ``` -$ kubectl apply -f vault-job/ -``` \ No newline at end of file diff --git a/helm/README.md b/helm/README.md index 3fd0ff3192ae80d745c7e475ed47ca38a6ddd402..c875cfffb5fccc0b623f5448b0fea854acc5f55d 100644 --- a/helm/README.md +++ b/helm/README.md 
@@ -1,47 +1,52 @@ # Install CAPIF in Kubernetes using HELM ## Dependencies -- Helm -- `Ingress` already in cluster (if configured in capif - `values.yaml`) - - ``` + +- [Helm](https://helm.sh/) +- `Ingress` controller already installed in the cluster (if enabled in CAPIF's `values.yaml`) + - **To install NGINX Ingress controller (if not present):** + ```sh # OPTIONAL - if not exists Ingress in cluster, use this command to install it - $ helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort + helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort # OPTIONAL - if you need specify the nodePort in cluster use - $ helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort --set controller.service.nodePorts.http=32080 --set controller.service.nodePorts.https=32443 --namespace ingress-nginx --create-namespace --set controller.extraArgs."enable-ssl-passthrough=true" --kubeconfig ../oneke-new.kubeconfig + helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx --set rbac.create=true --set controller.service.type=NodePort --set controller.service.nodePorts.http=32080 --set controller.service.nodePorts.https=32443 --namespace ingress-nginx --create-namespace --set controller.extraArgs."enable-ssl-passthrough=true" --kubeconfig ../oneke-new.kubeconfig # Check if ssl-passthrough is enabled in nginx controller. 
- $ kubectl -n ingress-nginx get deploy -o yaml | grep passthrough + kubectl -n ingress-nginx get deploy -o yaml | grep passthrough ``` -- `PersistentVolumeClain` already in cluster (if configured in capif) - -## Considerations before to install/deploy: -- **Prometheus**: - - You can install prometheus but you will need permissions to deploy prometheus in the cluster. The helm creates a ClusterRole to access to all resources in the cluster. - - If you don't have permission or there is already provided a Prometheus - in the cluster. in `capif/values.yaml` gives the field `monitoring.prometheus.enable: ""` - - Grafana will need the endpoint to prometheus. Please keep in mind setup the grafana's field in `capif/values.yaml` +- `PersistentVolumeClaim` already created in the cluster (if enabled in CAPIF) + +## Considerations Before Installation + +- **Prometheus**: + - You can install Prometheus, but you will need permissions to deploy it in the cluster. The Helm chart creates a ClusterRole to access all resources. + - If you lack permissions or Prometheus is already provided, set `monitoring.prometheus.enable: ""` in `capif/values.yaml`. + - Grafana will need the Prometheus endpoint. Make sure to configure the relevant field in `capif/values.yaml`. + - **Vault**: - - You will need a instance of vault already deployed. If the cluster doesn't provide the vault instance. You can install it following the next [steps](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md) - - Once the vault is provided in the cluster. You need to create the PKI and certificates. Follow the vault-job [step](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) to create it - - Setup the `parametersVault.env.VaultHostname`: This is the endPoint to vault. 
This endpoint can be a service/ingress of kubernetes - - Setup `parametersVault.env.VaultPort`: This is the port listenting to vault instance - - Setup `parametersVault.env.vaultAccessToken`: This is the token used for capif to create the certificates in vault. If vault owns of you. Use the token created in [Vault readme](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/README-vault.md#creating-vault-pki-and-certificates) . Otherwise, the admin - of the cluster will provide you the token. This token will need sufficient permissions to create PKI and certificates. -- **CAPIF** - - Please, have a look of [`values.yaml`](https://github.com/Telefonica/CAPIF_Future_Network_Lab/blob/main/helm/capif/values.yaml) file and setup according to the conditions - ``` - # download dependencies - $ helm dependency build capif/ - -# check ingress_ip.oneke -kubectl get svc -A | grep nginx - -# install capif -$ helm upgrade --install -n mon monitoring-capif capif/ --set nginx.nginx.env.capifHostname=mon-capif.monitoring.int --set ingress_ip.oneke="10.17.173.127" --atomic --create-namespace - ``` - -NOTA: The deployment can take until 8 minutes to be ready. Please, if it fails, re-install CAPIF + - An instance of Vault must be deployed. If not available, follow the [Vault installation steps](./README-vault.md). + - After Vault is available, create the PKI and certificates as described in the [Vault job step](./README-vault.md#creating-vault-pki-and-certificates). + - Set `parametersVault.env.VaultHostname` to the Vault endpoint (can be a Kubernetes service or ingress). + - Set `parametersVault.env.VaultPort` to the Vault port. + - Set `parametersVault.env.vaultAccessToken` to a token with permissions to create PKI and certificates. Use the token from the [Vault README](./README-vault.md#creating-vault-pki-and-certificates) or obtain one from the cluster admin. 
+ +- **CAPIF**: + - Review and configure the [`values.yaml`](capif/values.yaml) file according to your environment. + + ```sh + # Download dependencies + helm dependency build capif/ + + # Check ingress IP + kubectl get svc -A | grep nginx + + # Install CAPIF + helm upgrade --install -n mon monitoring-capif capif/ --set nginx.nginx.env.capifHostname=mon-capif.monitoring.int --set ingress_ip.oneke="10.17.173.127" --atomic --create-namespace + ``` + +> **Note:** Deployment may take up to 8 minutes to be ready. If it fails, try reinstalling CAPIF. ## Troubleshooting -- [`Mongo stuck`](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=troubleshooting-mongodb-pod-fails-start-container-exit-code-14-100) \ No newline at end of file + +- [MongoDB pod fails to start (Exit code 14 or 100)](https://www.ibm.com/docs/en/cloud-paks/cp-biz-automation/20.0.x?topic=troubleshooting-mongodb-pod-fails-start-container-exit-code-14-100) \ No newline at end of file
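Review bot: In the `helm/README-vault.md` hunk, the Traefik `IngressRoute` routes `Host(`vault.mon.int`)` on `entryPoints: [web]` to `vault-internal` with `scheme: http`, so the Vault API, and every `VAULT_TOKEN` sent to it, is exposed over plaintext HTTP; the same applies to the nginx variant, which sets `server.ingress.hosts[0].host` with no TLS setting. Either switch the route to the `websecure` entrypoint with a TLS section (and enable TLS on the nginx ingress) or add a line saying this exposure is for an isolated lab only. Two smaller points in the same hunk: the chart is installed with `server.standalone.enabled=true`, yet nothing between `helm upgrade --install vault` and `kubectl apply -f vault-job/` initializes or unseals the server, and the documented default `export VAULT_TOKEN` value `dev-only-token` reads like a dev-mode root token, so state where a real token comes from and prefer a token bound to a policy scoped to the PKI mount over a root token; and `apiVersion: traefik.containo.us/v1alpha1` is the legacy Traefik CRD group, so note the `traefik.io/v1alpha1` equivalent for current Traefik releases.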
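Review bot: In the `helm/README.md` hunk, the ingress-nginx install command still carries `--kubeconfig ../oneke-new.kubeconfig`, and the CAPIF install command hard-codes `--set nginx.nginx.env.capifHostname=mon-capif.monitoring.int --set ingress_ip.oneke="10.17.173.127"`; these are values from one specific environment presented as the generic procedure, so drop the `--kubeconfig` flag and mark the hostname and IP as placeholders the reader replaces with the output of `kubectl get svc -A | grep nginx`. On the Vault bullet, `parametersVault.env.vaultAccessToken` is set in `values.yaml`, which means the token lands in the chart values and the Helm release secret; say explicitly that it should be a token with a policy limited to the PKI paths rather than a root token, and that the `values.yaml` carrying it should not be committed. Finally, the Prometheus bullet notes the chart "creates a ClusterRole to access all resources" and that the feature is disabled with `monitoring.prometheus.enable: ""`; an empty string as the off switch is easy to get wrong, so document the accepted values for that field and what the ClusterRole actually grants.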