
Common Helm chart for deploying images into Kubernetes.

Prerequisites


1. Clone the repo
git clone https://gitlab.prozorro.sale/prozorro-sale/prozorro-deployment
2. Create k8s namespace

Compatible k8s versions are:

  • v1.21.14
  • v1.22.17
  • v1.23.15
  • v1.24.9
NS=prozorro-sale
kubectl create namespace $NS
3. Add rg-stable repo to helm
helm repo add rg-stable https://helm.prozorro.sale
4. Update dependency
helm dependency update ./helm/prozorro-deployment
5. Set up credentials of private registry to your namespace

The Helm chart automatically provides the secret for registries. If you do not use the gitlab.prozorro.sale CI/CD, or you need to connect other registries, you can define these variables in values:

registry_credentials:
  - registry: registry.other.com
    username: "user.other.com"
    password: "password.other.com"


6. Set up ingress controller if you need it.

It is possible to install the same ingress controller as used in Denovo (clause 6.1), or a suitable alternative (clause 6.2).

6.1 Ingress controller used in Denovo

For installation, please read denovo ingress-nginx version

Clone to another directory

git clone -b nginx-0.28.0 git@github.com:kubernetes/ingress-nginx.git
cd ingress-nginx/deploy/static/
kubectl apply -f mandatory.yaml
kubectl apply -f provider/baremetal/service-nodeport.yaml

Ingress controller version:

sudo kubectl exec -it -n ingress-nginx  pod/nginx-ingress-controller-5f4b8fc989-6xpqn  -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.28.0
  Build:         git-1f93cb8f3
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.17.7
-------------------------------------------------------------------------------
namespace/ingress-nginx configured
configmap/nginx-configuration created
configmap/tcp-services created
configmap/udp-services created
serviceaccount/nginx-ingress-serviceaccount created
clusterrole.rbac.authorization.k8s.io/nginx-ingress-clusterrole created
role.rbac.authorization.k8s.io/nginx-ingress-role created
rolebinding.rbac.authorization.k8s.io/nginx-ingress-role-nisa-binding created
clusterrolebinding.rbac.authorization.k8s.io/nginx-ingress-clusterrole-nisa-binding created
deployment.apps/nginx-ingress-controller created
limitrange/ingress-nginx created

kubectl -n ingress-nginx get all
NAME                                           READY   STATUS    RESTARTS   AGE
pod/nginx-ingress-controller-cff87d767-4mbrl   1/1     Running   0          23s
pod/nginx-ingress-controller-cff87d767-8rlwc   1/1     Running   0          3m53s
pod/nginx-ingress-controller-cff87d767-dkvnc   1/1     Running   0          23s
pod/nginx-ingress-controller-cff87d767-jd6v5   1/1     Running   0          23s
NAME                                       READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/nginx-ingress-controller   4/4     4            4           3m53s
NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/nginx-ingress-controller-cff87d767   4         4         4       3m53s

Additional info:

6.2 Alternative Ingress controller

Clone to another directory

Kube version 1.22-1.25

helm install ingress-nginx ingress-nginx/ingress-nginx --version 4.3.0 --set controller.kind=DaemonSet -n ingress-nginx-testing
git clone -b v1.5.0 https://github.com/nginxinc/kubernetes-ingress/
cd kubernetes-ingress/deployments/helm-chart
helm install --name rg-gw . --set rbac.create=true --set controller.hostNetwork=true --set controller.kind=daemonset --namespace ingress-nginx

Additional info:

7. Create bucket secrets for document-service (necessary for S3 storage type)

bucket-secret - s3 bucket env variables

BUCKET_ACCESS_KEY=
BUCKET_SECRET_KEY=
BUCKET_HOST=
BUCKET_NAME=
STORAGE_NAME=
kubectl -n $NS create secret generic bucket-secret --from-env-file=<path to env file>

Additional info: Document service

For local development, use the memory storage type.

8. Create secrets with api keys for services

Create a private and public key pair for RS256 signatures:

Filenames should be api-key and api-key.pub

openssl genpkey -out api-key -algorithm rsa
openssl rsa -in api-key -outform PEM -pubout -out api-key.pub

Create such secrets:

  • procedure-api-keys (procedure)
  • registry-api-keys (registry)
  • jobber-api-keys (jobber)
  • marketplace-api-keys (marketplace)
  • auth-api-keys (auth)
kubectl -n $NS create secret generic <secret name> --from-file=<path to private key [api-key]> --from-file=<path to public key [api-key.pub]>

Create a private and public key pair for RS256 signatures for the document service:

Filenames should be ds-key and ds-key.pub

openssl genpkey -out ds-key -algorithm rsa
openssl rsa -in ds-key -outform PEM -pubout -out ds-key.pub
kubectl -n $NS create secret generic document-service-keys --from-file=<path to private key [ds-key]> --from-file=<path to public key [ds-key.pub]>
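Added example (not from the prozorro-deployment repo): a shell wrapper around the commands of this step that sets the RSA key size explicitly instead of relying on the OpenSSL default, keeps the key files readable by the owner only, and refuses to create the secret when the public file is not the public half of the private key. The function names and the 3072-bit default are assumptions; the page does not say whether services share one key pair, so the functions handle one pair at a time.

```shell
#!/bin/sh
# Added example; not part of the prozorro-deployment repo.

# gen_keypair DIR NAME [BITS]: writes DIR/NAME and DIR/NAME.pub
# (NAME is api-key or ds-key). BITS is passed explicitly so the key size does
# not depend on the installed OpenSSL's default; 3072 is an assumed default.
gen_keypair() {
    (
        umask 077    # key files and directory accessible by the owner only
        mkdir -p "$1" &&
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:${3:-3072}" \
            -out "$1/$2" 2>/dev/null &&
        openssl pkey -in "$1/$2" -pubout -out "$1/$2.pub"
    )
}

# pair_matches PRIV PUB: succeeds only if PUB is the public half of PRIV.
# Both sides are re-encoded by openssl, so PEM formatting differences are ignored.
pair_matches() {
    from_priv=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_pub=$(openssl pkey -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ "$from_priv" = "$from_pub" ]
}

# create_key_secret NAMESPACE SECRET DIR NAME: uploads DIR/NAME and
# DIR/NAME.pub as SECRET, but only after checking that the two files match.
create_key_secret() {
    pair_matches "$3/$4" "$3/$4.pub" || {
        echo "key pair $3/$4 does not match $3/$4.pub" >&2
        return 1
    }
    kubectl -n "$1" create secret generic "$2" \
        --from-file="$3/$4" --from-file="$3/$4.pub"
}

# Example calls (paths are placeholders):
#   gen_keypair ./keys/procedure api-key
#   create_key_secret "$NS" procedure-api-keys ./keys/procedure api-key
#   gen_keypair ./keys/ds ds-key
#   create_key_secret "$NS" document-service-keys ./keys/ds ds-key
```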
9. Date config with holidays and working days
kubectl -n $NS create configmap date-config --from-file values/date-config.yml
10. Auth files

For more information about the auth file structure, see the auth README.

Example of auth file:

brokers:
  broker_name:
    token: <hash>
    broker_info:
      legal_name:
        uk_UA: broker_legal_name
        en_US: broker_legal_name
    permissions:
      procedures:
        renewables:
          - procedure
          - bids
        timber: [ ]
        subsoil:
          - procedure
          - bids
        railwayCargo:
          - procedure
          - bids
        dgf: [ ]
      registry:
        object:
          - "*"

Create such secrets:

  • auth-file (procedure)
  • registry-auth-file (registry)
  • jobber-auth-file (jobber)
  • marketplace-auth-file (marketplace)
  • relocation-auth-file (relocation)
  • survey-auth-file (survey)
  • billing-auth-file (billing)
kubectl -n $NS create secret generic <secret name> --from-file=<path to auth.yml file>
11. Service auth token for mirror clients

Create a token for the mirror client. The token must be defined in the auth file (see point 10). To create the token, use the auth CLI.

Create such secrets:

  • service-auth-token (procedure)
  • registry-service-auth-token (registry)
  • announcement-service-auth-token (jobber)
kubectl -n $NS create secret generic <secret name> --from-literal=TOKEN=<token>
12. Credentials file for registry service importer

Generate a credentials file for Google Drive and Google Spreadsheets by creating a project in https://console.cloud.google.com.

To create cred file:

kubectl -n $NS create secret generic gapi-creds-file --from-file=<path to creds.json file>
13. Complete the prerequisite steps for survey deployment
14. For installing local or latest images
helm package --app-version=<app_version> --version=<version> ./helm/prozorro-deployment
helm upgrade -i --namespace=<namespace> <release_name> prozorro-helm-*.tgz -f specs/base-procedure-spec.yaml -f specs/custom-procedure-spec.yaml -f values/local-values.yaml

You can find more examples in the Makefile.
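Added example (not from the prozorro-deployment repo): a pre-flight check that compares the secrets present in the namespace with the names listed in steps 7-12, plus the date-config configmap from step 9, so a missing secret is caught before helm upgrade instead of showing up as a failing pod. The function names are assumptions; names given as extra arguments are skipped (for example bucket-secret when the memory storage type is used).

```shell
#!/bin/sh
# Added example; not part of the prozorro-deployment repo.
# Secret names are the ones listed in steps 7-12 of this page.
REQUIRED_SECRETS="bucket-secret procedure-api-keys registry-api-keys
jobber-api-keys marketplace-api-keys auth-api-keys document-service-keys
auth-file registry-auth-file jobber-auth-file marketplace-auth-file
relocation-auth-file survey-auth-file billing-auth-file service-auth-token
registry-service-auth-token announcement-service-auth-token gapi-creds-file"

# missing_secrets [SKIP...]: reads `kubectl get secrets -o name` output on
# stdin (lines such as "secret/auth-file") and prints each required name that
# is absent. Whole-line matching matters: auth-file must not be satisfied by
# registry-auth-file.
missing_secrets() {
    present=$(sed 's|^secret/||')
    for name in $REQUIRED_SECRETS; do
        case " $* " in *" $name "*) continue ;; esac
        printf '%s\n' "$present" | grep -qxF -e "$name" || printf '%s\n' "$name"
    done
}

# preflight NAMESPACE [SKIP...]: returns 1 and lists what is missing.
preflight() {
    ns=$1; shift
    missing=$(
        kubectl -n "$ns" get secrets -o name | missing_secrets "$@"
        kubectl -n "$ns" get configmap date-config >/dev/null 2>&1 ||
            echo "configmap/date-config"
    )
    [ -z "$missing" ] && return 0
    printf 'missing in namespace %s:\n%s\n' "$ns" "$missing" >&2
    return 1
}

# Run as: sh preflight.sh "$NS" [names to skip...]
if [ -n "${1:-}" ]; then preflight "$@"; fi
```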

Swift storage

If you need to deploy the document service with Swift file storage, you need to create the Kubernetes services swift-auth and swift-storage, with the auth and storage IPs defined.
