Skip to content

Latest commit

 

History

History
129 lines (97 loc) · 5.6 KB

requirements.md

File metadata and controls

129 lines (97 loc) · 5.6 KB

Requirements

You can find the general requirements in the openDesk documentation. Please study them before beginning. This howto only touches on requirements concerning the rollout on an SCS cluster.

Preparation of your local environment

Command line tools

You will need the following command line tools on your machine:

If you run into any problems, please check the openDesk requirements for the required software versions of these tools.

KUBECONFIG

Store the cluster access information for your SCS cluster in ~/.kube/config. Test the access to the cluster on your command line with a kubectl command, e.g. kubectl get nodes.

Preparation of the nameserver

openDesk consists of a number of resources with different virtual host names and subdomains. The proposed procedure deploys openDesk on a subdomain that matches the name of the namespace you choose. You will thus get URLs like portal.dev.example.org or wiki.prod.example.org.

Therefore it is recommended to create a wildcard A record for the domain in your nameserver (e.g. *.example.org) and point it to your cluster's public IP address.

It is of course possible to create individual A records for all resources.

The choice of your nameserver has an impact: It is recommended to use a nameserver that gives you API access: In this howto, TLS certificates are fetched from the certification authority Letsencrypt. Because of the number of different services, a wildcard certificate comes in handy. Note that you can only request wildcard certificates from Letsencrypt via the dns-01 challenge. To do so you need a nameserver with API access. If your nameserver does not support this, you can delegate the zone to a different nameserver and fetch an API access token from there.

Preparation of the Kubernetes cluster

Install cert-manager

Install cert-manager in your cluster. It is required to include the custom resource definitions (--set installCRDs=true).

helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
helm upgrade -i cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

Deploy a certificate issuer

The openDesk helmfiles are based on the assumption that you - as the cluster admin - take care of a certificate issuer that can just be used then. For Letsencrypt's ACME dns-01 challenge add a cluster issuer by defining it in a file, e.g. clusterIssuer.yaml and applying it to the cluster. Check the documentation for your respective DNS provider to put together the relevant configuration details.

---
apiVersion: v1
kind: Secret
metadata:
  name: my-dns-provider
data:
  secret-access-key: my-generated-access-token
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    privateKeySecretRef:
      name: example-account-key
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          my-dns-provider:
            region: eu-west-1
            accessKeyID: my-key-id
            secretAccessKeySecretRef:
              name: my-dns-provider
              key: secret-access-key
        selector:
          dnsNames:
            - '*.example.org'
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    privateKeySecretRef:
      name: example-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - dns01:
          my-dns-provider:
            region: eu-west-1
            accessKeyID: my-key-id
            secretAccessKeySecretRef:
              name: my-dns-provider
              key: secret-access-key
        selector:
          dnsNames:
            - '*.example.org'

Ingress Controller

Ingress-nginx is the only tested ingress controller. The installation must support snippet annotations (allowSnippetAnnotations=true). You can install and update it as shown below. Note that for production environments it is recommended to reconsider the HSTS setting given here.

helm upgrade --install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx  --namespace ingress-nginx --create-namespace --set controller.allowSnippetAnnotations=true --set controller.config.hsts=false

Prometheus

Prometheus is a requirement:

helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm upgrade -i prometheus prometheus-community/kube-prometheus-stack --namespace prometheus --create-namespace

Storage

Clarify with your SCS cluster operator what kind of storage your K8s cluster provides. Your configuration will need the according information. You can query the available storage classes like so:

kubectl get storageclasses.storage.k8s.io

You can hand over the storage class in your values.yaml.gotmpl (see Getting Started).

Optional: Credentials for a mail relay

If you want your openDesk deployment to be able to send outgoing emails, have the hostname and credentials of an SMTP relay at hand.