# Alternative 2: Ansible - Step-by-Step

{% hint style="info" %}
**Why do we have a step-by-step deployment alternative?**

While it is possible to automate all the deployment steps listed in this section, one of the core propositions of Rierino is an open architecture, so we provide our clients full transparency over the list of activities that are happening.

This approach also allows customization of each step based on performance and cost optimization decisions.
{% endhint %}

## Set-up the Deployer

The Rierino platform uses a central deployment coordinator, facilitated through Kubernetes jobs and services. As the first step of deployment, this coordinator should be configured.

* [ ] Create a "deployment" namespace on Kubernetes cluster, to be used solely by the central deployment coordinator

{% code overflow="wrap" %}

```shell
kubectl create namespace deployment
```

{% endcode %}

* [ ] Create a "deployer-sa" service account on "deployment" namespace, which will be used as the service account for deployment activities

{% code overflow="wrap" %}

```shell
kubectl create serviceaccount --namespace=deployment deployer-sa
```

{% endcode %}

* [ ] Create a "deployer-admin" cluster role with cluster admin rights

{% code overflow="wrap" %}

```sh
kubectl create clusterrole deployer-admin --verb='*' --resource='*'
```

{% endcode %}

* [ ] Create a cluster role binding, assigning "deployer-admin" role to "deployer-sa" service account on "deployment" namespace

{% code overflow="wrap" %}

```shell
kubectl create clusterrolebinding deployer-admin:deployment:deployer-sa --clusterrole=deployer-admin --serviceaccount=deployment:deployer-sa --namespace=deployment
```

{% endcode %}

* [ ] Install [Global helm chart](/installation/artifacts/helm-charts/initialization-charts/global.md) on "deployment" namespace, which will initialize config maps and secrets for the deployer

{% code overflow="wrap" %}

```shell
helm upgrade --install global-deployment https://rierino-open.github.io/helm-charts/unit/global --namespace=deployment
```

{% endcode %}

* [ ] Set global secrets on "deployment" namespace, which will be used for access to Rierino artifacts during deployments

Add your provided Rierino username and password for the [Maven repository](/installation/artifacts/maven-repository.md):

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/MAVEN_USER", "value" : "[BASE64 ENCODED USERNAME]"}]'
```

{% endcode %}

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/MAVEN_PASSWORD", "value" : "[BASE64 ENCODED PASSWORD]"}]'
```

{% endcode %}

Add your provided Rierino token for the Git repository including [Ansible playbooks](/installation/artifacts/ansible-playbooks.md):

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "replace", "path" : "/data/GIT_TOKEN", "value" : "[BASE64 ENCODED TOKEN]"}]'
```

{% endcode %}

Add your provided Rierino token for Git repository including [deployment assets](/installation/artifacts/deployment-assets.md):

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "replace", "path" : "/data/ASSET_TOKEN", "value" : "[BASE64 ENCODED TOKEN]"}]'
```

{% endcode %}

Add your provided Rierino username and password for the [Docker repository](/installation/artifacts/docker-repository.md):

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/DOCKER_USER", "value" : "[BASE64 ENCODED USERNAME]"}]'
```

{% endcode %}

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/DOCKER_PASSWORD", "value" : "[BASE64 ENCODED PASSWORD]"}]'
```

{% endcode %}

If you are using AWS as the cloud provider, add your AWS credentials:

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/AWS_ACCESS_KEY_ID", "value" : "[BASE64 ENCODED AWS_ACCESS_KEY_ID]"}]'
```

{% endcode %}

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/AWS_SECRET_KEY", "value" : "[BASE64 ENCODED AWS_SECRET_KEY]"}]'
```

{% endcode %}

If you are using GCP as the cloud provider, add your service account file:

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/service_account.json", "value" : "[BASE64 ENCODED SERVICE ACCOUNT FILE]"}]'
```

{% endcode %}

{% hint style="info" %}
Other cloud providers may require additional credentials as well as customization of Ansible inventory files.
{% endhint %}

{% hint style="info" %}
You can also provide all these secrets during the initial installation of the deployment global helm chart, using the sourceEncoded variable.
{% endhint %}
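The secret-patching steps above expect each value to be base64 of the exact credential bytes. The following is an added example, not part of the Rierino documentation or tooling: it builds the same JSON patch bodies from credential files, so the plaintext stays out of shell history and a trailing newline or wrapped base64 output does not corrupt the stored value. The function names and file paths are hypothetical.

```shell
# Added example; function names are hypothetical, keys and secret names are the page's.

# Encode stdin as one unwrapped base64 line (GNU base64 wraps at 76 columns).
b64() {
  base64 | tr -d '\n'
}

# Build a one-operation JSON patch for /data/<key>.
# $1: op (add|replace)  $2: secret key  $3: file holding the plaintext value
secret_patch() {
  case "$1" in
    add|replace) ;;
    *) echo "op must be add or replace" >&2; return 2 ;;
  esac
  # Kubernetes Secret keys may contain only alphanumerics, '-', '_' and '.'.
  case "$2" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: $2" >&2; return 2 ;;
  esac
  [ -r "$3" ] || { echo "cannot read $3" >&2; return 1; }
  # $(cat ...) strips trailing newlines, so an editor-added newline is not
  # stored as part of the credential.
  value=$(printf '%s' "$(cat "$3")" | b64)
  printf '[{"op":"%s","path":"/data/%s","value":"%s"}]' "$1" "$2" "$value"
}

# Apply the patch in the "deployment" namespace.
# $1: secret name  $2: op  $3: key  $4: credential file
patch_secret() {
  patch=$(secret_patch "$2" "$3" "$4") || return 1
  kubectl patch secret "$1" --namespace deployment --type=json -p="$patch"
}

# Usage (credential files are assumed to exist with mode 0600):
#   patch_secret global-secrets-env add MAVEN_USER ./maven_user
#   patch_secret global-secrets-env replace GIT_TOKEN ./git_token
#   patch_secret global-secrets add service_account.json ./service_account.json
```
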

* [ ] Install [Deployer API helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer-api.md) on "deployment" namespace and "infra-pool" node pool, which will deploy a web service utilizing [deployer](/installation/artifacts/helm-charts/initialization-charts/deployer.md) jobs to facilitate all microservice deployments

{% code overflow="wrap" %}

```shell
helm upgrade --install --force global-deployerapi https://rierino-open.github.io/helm-charts/unit/deployerapi --namespace=deployment --set cloud=gcp --set pool=infra-pool
```

{% endcode %}

Now, you can start deploying Rierino workloads and services using the deployer job and deployer api service.

{% hint style="info" %}
Deployer jobs use Ansible playbooks, which in turn install helm charts, for service deployments. While it is possible to use helm charts directly for service deployments instead, this approach allows centralized management of asset credentials, as well as more structured utilization of deployment asset files to set details of chart parameters.
{% endhint %}

## Populate Assets

Rierino deployment requires various configurations on prerequisite systems, which are executed using [initialization playbooks](/installation/artifacts/ansible-playbooks.md#initialization-playbooks).

* [ ] Import MongoDB data including configuration of the core services as well as any business modules that will be later used

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/mongodb-import.yml --set cloud=<a data-footnote-ref href="#user-content-fn-1">gcp</a>
</code></pre>

{% hint style="info" %}
You can add the --set values.mongodb\_uri=\[MONGODB\_URI] parameter if MongoDB servers are not already tagged for discovery by the Ansible inventory plugin.
{% endhint %}

* [ ] Create Kafka topics that will be utilized by runners

{% code overflow="wrap" %}

```shell
helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/kafka-create-topic.yml --set cloud=gcp
```

{% endcode %}

{% hint style="info" %}
You can add the --set values.kafkaServers=\[KAFKA\_SERVERS] parameter if Kafka servers are not already tagged for discovery by the Ansible inventory plugin.
{% endhint %}

* [ ] Create Keycloak realm and clients, if authentication will be used with a Keycloak based authentication service

{% code overflow="wrap" %}

```shell
helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/keycloak-create-realm.yml --set cloud=gcp --set values.keycloak_admin_user=[KEYCLOAK_USER] --set values.keycloak_admin_password=[KEYCLOAK_PASSWORD]
```

{% endcode %}

{% hint style="info" %}
You can add the --set values.kc\_api\_uri=\[KEYCLOAK\_URI] parameter if the Keycloak server is not already tagged for discovery by the Ansible inventory plugin.
{% endhint %}

{% hint style="info" %}
If additional systems will be utilized, you can use related deployment assets (e.g. Elasticsearch, Druid imports) as well.
{% endhint %}

## Deploy Admin Core Runners

The first set of Rierino services provides the admin core runners, which can be utilized afterwards to deploy additional services through the admin UI itself.

### Prepare Namespace

* [ ] Create an "admin-backend" namespace on Kubernetes cluster, to be used by admin core runners

{% code overflow="wrap" %}

```shell
kubectl create namespace admin-backend
```

{% endcode %}

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Global Helm" playbook](/installation/artifacts/ansible-playbooks.md#initialization-playbooks) and admin-backend related values, to set-up required config maps and secrets for admin core runners

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=<a data-footnote-ref href="#user-content-fn-2">gcp</a> --set values.assetSource=<a data-footnote-ref href="#user-content-fn-3">core</a> --set values.namespace=<a data-footnote-ref href="#user-content-fn-4">admin-backend</a>
</code></pre>

{% hint style="info" %}
Depending on your MongoDB, Kafka, Keycloak configurations as well as your cloud service provider, you may need to override parameters in [Global Helm playbook](/installation/artifacts/ansible-playbooks.md#initialization-playbooks).
{% endhint %}

### Deploy Core Runners

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Runner Helm" playbook](/installation/artifacts/ansible-playbooks.md#application-playbooks) and admin-core related values, to install admin core CRUD and RPC runners

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/runner-helm.yml --set cloud=gcp --set values.assetSource=core --set values.source=<a data-footnote-ref href="#user-content-fn-5">file</a> --set values.deploymentId=<a data-footnote-ref href="#user-content-fn-6">admin_core</a>
</code></pre>

* [ ] Check from your cloud service provider to confirm that admin\_core deployment is now up and running in admin-backend namespace.

### Deploy Authentication Runner

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Runner Helm" playbook](/installation/artifacts/ansible-playbooks.md#application-playbooks) and admin-token related values, to install admin authentication runner

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/runner-helm.yml --set cloud=gcp --set values.assetSource=core --set values.source=<a data-footnote-ref href="#user-content-fn-5">file</a> --set values.deploymentId=<a data-footnote-ref href="#user-content-fn-7">admin_token</a>
</code></pre>

* [ ] Check from your cloud service provider to confirm that admin\_token deployment is now up and running in admin-backend namespace.

## Deploy Admin Gateway Services

The next set of Rierino services provides the admin gateway and authentication services, which expose backend runners outside the cluster.

### Prepare Namespace

* [ ] Create an "admin-gateway" namespace on Kubernetes cluster, to be used for API gateway, authentication and session management services

{% code overflow="wrap" %}

```shell
kubectl create namespace admin-gateway
```

{% endcode %}

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Global Helm" playbook](/installation/artifacts/ansible-playbooks.md#initialization-playbooks) and admin-gateway related values, to set-up required config maps and secrets for gateway services

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=<a data-footnote-ref href="#user-content-fn-2">gcp</a> --set values.assetSource=<a data-footnote-ref href="#user-content-fn-3">core</a> --set values.namespace=<a data-footnote-ref href="#user-content-fn-8">admin-gateway</a>
</code></pre>

* [ ] Set global secrets on "admin-gateway" namespace, which will be used for authentication operations on API gateway and authentication server

Add secrets required by admin gateway:

{% code overflow="wrap" %}

```shell
kubectl patch secret global-secrets --namespace admin-gateway --type=json -p='[{"op" : "add", "path" : "/data/properties", "value" : "[BASE64 ENCODED PROPERTIES]"}]'
```

{% endcode %}

Where properties should include:

<pre><code>rierinoKV.shared.gateway.secret=<a data-footnote-ref href="#user-content-fn-9">[BASE64 ENCODED SECRET]</a>
<a data-footnote-ref href="#user-content-fn-10">rierinoKV.shared.kc_gateway_admin_client.secret=[KEYCLOAK ADMIN CLIENT SECRET]</a>
</code></pre>
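The properties payload described above carries a base64 secret inside a file that is itself base64-encoded for the Secret. The following is an added example, not part of the Rierino documentation or tooling: it generates a random gateway secret, composes the properties, and produces the patch body. The function names and the `KC_CLIENT_SECRET` variable are hypothetical, and the 32-byte secret length is an assumption.

```shell
# Added example; function names are hypothetical, property keys are the page's.

# Encode stdin as one unwrapped base64 line.
b64() { base64 | tr -d '\n'; }

# 32 bytes (assumed length) from the kernel CSPRNG, base64-encoded for use
# as the gateway secret.
new_gateway_secret() {
  head -c 32 /dev/urandom | b64
}

# Print the properties payload.
# $1: base64 gateway secret  $2: Keycloak admin client secret (optional,
#     needed only when Keycloak authentication is used)
gateway_properties() {
  printf 'rierinoKV.shared.gateway.secret=%s\n' "$1"
  [ -z "$2" ] || printf 'rierinoKV.shared.kc_gateway_admin_client.secret=%s\n' "$2"
}

# JSON patch whose value is the whole properties payload, base64-encoded once
# more because Secret .data values are always base64.
gateway_patch() {
  printf '[{"op":"add","path":"/data/properties","value":"%s"}]' \
    "$(gateway_properties "$1" "$2" | b64)"
}

# Usage (KC_CLIENT_SECRET is a hypothetical variable holding the client secret):
#   kubectl patch secret global-secrets --namespace admin-gateway --type=json \
#     -p="$(gateway_patch "$(new_gateway_secret)" "$KC_CLIENT_SECRET")"
```
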

### Deploy API Gateway

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Gateway Helm" playbook](/installation/artifacts/ansible-playbooks.md#application-playbooks) and gateway\_admin related values, to install deployment and services related to admin API gateway

{% code overflow="wrap" %}

```shell
helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/gateway-helm.yml  --set cloud=gcp --set values.assetSource=core --set values.controller=gateway_admin
```

{% endcode %}

* [ ] Check from your cloud service provider to confirm that gateway\_admin deployment is now up and running in admin-gateway namespace. You should also be able to send curl requests to the load balancer endpoint for this service.

## Deploy Admin UI

The last component to deploy for initialization of the Rierino core platform is the admin UI, which allows user interaction with backend services.

### Prepare Namespace

* [ ] Create an "admin-ui" namespace on Kubernetes cluster, to be used for admin user interface services

{% code overflow="wrap" %}

```shell
kubectl create namespace admin-ui
```

{% endcode %}

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Global Helm" playbook](/installation/artifacts/ansible-playbooks.md#initialization-playbooks) and admin-ui related values, to set-up required config maps and secrets for admin UI

<pre class="language-shell" data-overflow="wrap"><code class="lang-shell">helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=<a data-footnote-ref href="#user-content-fn-2">gcp</a> --set values.assetSource=<a data-footnote-ref href="#user-content-fn-3">core</a> --set values.namespace=<a data-footnote-ref href="#user-content-fn-11">admin-ui</a>
</code></pre>

### Deploy Front-end

* [ ] Execute [Deployer helm chart](/installation/artifacts/helm-charts/initialization-charts/deployer.md) on "deployment" namespace with ["Admin UI Helm" playbook](/installation/artifacts/ansible-playbooks.md#application-playbooks) to install deployment and services related to admin UI

{% code overflow="wrap" %}

```shell
helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/adminui-helm.yml  --set cloud=gcp --set values.call_values.rierinoPullPolicy=Always
```

{% endcode %}

* [ ] Check from your cloud service provider to confirm that adminui deployment is now up and running in admin-ui namespace. You should also be able to use an internet browser to access the load balancer endpoint for this service and start using Rierino.

[^1]: To be replaced by the cloud service provider used.

[^2]: Set according to the cloud service provider used (e.g. aws for Amazon)

[^3]: Indicates that only core platform assets will be deployed

[^4]: Indicates that playbook will be deployed on "admin-backend" namespace, and will be using "admin-backend" kv domain assets

[^5]: Indicates that this deployment is provided as a file in deployment assets repository and will not be received from API gateway (since it is the initial set of runners)

[^6]: Indicates that details are provided as the admin\_core deployment

[^7]: Indicates that details are provided as the admin\_token deployment

[^8]: Indicates that playbook will be deployed on "admin-gateway" namespace

[^9]: Secret can be anything, and will be used for encryption of gateway web tokens

[^10]: Required only if Keycloak authentication is used

[^11]: Indicates that playbook will be deployed on "admin-ui" namespace


