Kubernetes (K8s)
This tutorial demonstrates how to deploy the Open AMT Cloud Toolkit on a local Kubernetes single-node cluster. Alternatively, you can also deploy using a managed service through a Cloud Service Provider such as Azure Kubernetes Service (AKS). See AKS.
Kubernetes, also known as K8s, is an open-source system for automating deployment, scaling, and management of containerized applications. Learn more about Kubernetes here.
Prerequisites¶
Important - For Linux
If deploying on a Linux machine, Docker Desktop is not available. You must use Docker Engine alongside a local Kubernetes cluster tool such as minikube or kubeadm.
Create Kubernetes Secrets¶
1. Private Docker Registry Credentials¶
If you are using a private docker registry, you'll need to provide your credentials to K8S.
kubectl create secret docker-registry registrycredentials --docker-server=<your-registry-server> --docker-username=<your-username> --docker-password=<your-password>
Where:
- <your-registry-server> is your Private Docker Registry FQDN.
- <your-username> is your Docker username.
- <your-password> is your Docker password.
2. MPS/KONG JWT¶
This is the secret used for generating and verifying JWTs.
kubectl create secret generic open-amt-admin-jwt --from-literal=kongCredType=jwt --from-literal=key="admin-issuer" --from-literal=algorithm=HS256 --from-literal=secret="<your-secret>"
Where:
- <your-secret> is your chosen strong secret.
3. KONG ACL for JWT¶
This configures KONG with an Access Control List (ACL) to allow an admin user open-amt-admin
to access endpoints using the JWT retrieved when logging in.
kubectl create secret generic open-amt-admin-acl --from-literal=kongCredType=acl --from-literal=group=open-amt-admin
4. MPS Web Username and Password¶
This is the username and password that is used for requesting a JWT. These credentials are also used for logging into the Sample Web UI.
kubectl create secret generic mpsweb --from-literal=user=<your-username> --from-literal=password=<your-password>
Where:
- <your-username> is a username of your choice.
-
<your-password> is a strong password of your choice.
Important - Using Strong Passwords
The password must meet standard, strong password requirements:
- 8 to 32 characters
- One uppercase, one lowercase, one numerical digit, one special character
5. Database connection strings¶
-
Configure the database connection strings used by MPS, RPS, and MPS Router.
Where:
- <USERNAME> is the username for the Postgres database.
- <PASSWORD> is the password for the Postgres database.
- <SERVERURL> is the loction for the Postgres database.
-
Create RPS connection string secret.
kubectl create secret generic rps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/rpsdb?sslmode=no-verify
-
Create MPS Router connection string secret.
kubectl create secret generic mpsrouter --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=no-verify
-
Create MPS connection string secret.
kubectl create secret generic mps --from-literal=connectionString=postgresql://<USERNAME>:<PASSWORD>@<SERVERURL>:5432/mpsdb?sslmode=disable
Update Configuration¶
Edit values.yaml¶
-
Clone the Open AMT Cloud Toolkit.
git clone --recursive https://github.com/open-amt-cloud-toolkit/open-amt-cloud-toolkit --branch v2.0.0
-
Open the
values.yaml
file in./open-amt-cloud-toolkit/kubernetes/charts/
. -
Update the mps, rps, webui, and mpsrouter keys to point to your own container registries.
images: mps: "vprodemo.azurecr.io/mps:latest" rps: "vprodemo.azurecr.io/rps:latest" webui: "vprodemo.azurecr.io/webui:latest" mpsrouter: "vprodemo.azurecr.io/mpsrouter:latest"
-
Update the
commonName
key in the mps section with the IP Address of your development device.mps: commonName: "<your-ip-address>" # storageClassName: "" storageAccessMode: "ReadWriteOnce" replicaCount: 1 logLevel: "silly" jwtExpiration: 1440
-
Save and close the file.
Apply Volumes¶
-
Provide a
PersistentVolume
that can match thePersisentVolumeClaim
for MPS. For a local, single-node cluster, you can use the following example YAML. It is provided in./kubernetes/charts/volumes/local.yaml
.Provided local.yaml Example
apiVersion: v1 kind: PersistentVolume metadata: name: mps-certs labels: type: local spec: accessModes: - ReadWriteOnce capacity: storage: 1Gi hostPath: path: "/mnt/data/mpscerts"
-
Apply it to your cluster.
kubectl apply -f ./kubernetes/charts/volumes/local.yaml
Create Databases and Schema¶
-
Use the database schema files to initialize the hosted Postgres DB in the following steps.
Where:
- <HOST> is the location of the Postgres database.
- <USERNAME> is the username for the Postgres database.
-
Create the RPS database.
psql -h <HOST> -p 5432 -d postgres -U <USERNAME> -W -c "CREATE DATABASE rpsdb"
-
Create tables for the new 'rpsdb'.
psql -h <HOST> -p 5432 -d rpsdb -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/init.sql
-
Create the MPS database.
psql -h <HOST> -p 5432 -d postgres -U <USERNAME> -W -f ./open-amt-cloud-toolkit/data/initMPS.sql
Deploy Open AMT Cloud Toolkit Using Helm¶
-
Deploy using Helm.
helm install openamtstack ./kubernetes/charts
Success
NAME: openamtstack LAST DEPLOYED: Wed Jul 14 12:59:29 2021 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None
-
View the pods. You might notice
openamtstack-vault-0
is not ready. This will change after we initialize and unseal Vault. All others should be Ready and Running.kubectl get pods
Success
NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 5m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 5m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 5m openamtstack-vault-0 0/1 Running 0 5m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 5m rps-79877bf5c5-hnv8t 1/1 Running 0 5m webui-784cd49976-bj7z5 1/1 Running 0 5m
Initialize and Unseal Vault¶
Danger - Download and Save Vault Keys
Make sure to download your Vault credentials and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.
Tip - Finding the Vault UI External IP Address
The external IP of your Vault UI service can be found by running:
kubectl get services openamtstack-vault-ui
-
Please refer to HashiCorp documentation on how to Initialize and unseal Vault. Stop and return here after signing in to Vault with the
root_token
. -
After initializing and unsealing the vault, you need to enable the Key Value engine.
-
Click Enable New Engine +.
-
Choose KV.
-
Click Next.
-
Leave the default path and choose version 2 from the drop down.
-
Click Enable Engine.
Vault Token Secret¶
-
Add the root token as a secret to the k8s cluster so that the services can access Vault.
kubectl create secret generic vault --from-literal=vaultKey=<your-root-token>
Where:
- <your-root-token> is your
root_token
generated by Vault.
- <your-root-token> is your
-
View the pods. All pods should now be Ready and Running.
kubectl get pods
Success
NAME READY STATUS RESTARTS AGE mps-6984b7c69d-8d5gf 1/1 Running 0 7m mpsrouter-9b9bc499b-pwn9j 1/1 Running 0 7m openamtstack-kong-55b65d558c-gzv4d 2/2 Running 0 7m openamtstack-vault-0 1/1 Running 0 7m openamtstack-vault-agent-injector-7fb7dcfcbd-dlqqg 1/1 Running 0 7m rps-79877bf5c5-hnv8t 1/1 Running 0 7m webui-784cd49976-bj7z5 1/1 Running 0 7m