Alternative 2: Ansible - Step-by-Step

Step-by-step deployment option uses kubectl and Helm commands to facilitate a more customized deployment plan

Why do we have a step-by-step deployment alternative?

While it is possible to automate all the deployment steps listed in this section, since one of core propositions of Rierino is an open architecture, we provide our clients full transparency over the list of activities that are happening.

This approach also allows customization of each step based on performance and cost optimization decisions.

Set-up the Deployer

Rierino platform uses a central deployment coordinator, facilitated through Kubernetes jobs and services. As the first step for deployment, this coordinator should be configured.

Create a "deployment" namespace on Kubernetes cluster, to be used solely by the central deployment coordinator

kubectl create namespace deployment

Create a "deployer-sa" service account on "deployment" namespace, which will be used as the service account for deployment activities

kubectl create serviceaccount --namespace=deployment deployer-sa

Create a "deployer-admin" cluster role with cluster admin rights

kubectl create clusterrole deployer-admin --verb=* --resource=*

Create a cluster role binding, assigning "deployer-admin" role to "deployer-sa" service account on "deployment" namespace

kubectl create clusterrolebinding deployer-admin:deployment:deployer-sa --clusterrole=deployer-admin --serviceaccount=deployment:deployer-sa --namespace=deployment

Install Global helm chart on "deployment" namespace, which will initialize config maps and secrets for the deployer

helm upgrade --install global-deployment https://rierino-open.github.io/helm-charts/unit/global --namespace=deployment

Set global secrets on "deployment" namespace, which will be used for access to Rierino artifacts during deployments

Add your provided Rierino username and password for the Maven repository:

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/MAVEN_USER", "value" : "[BASE64 ENCODED USERNAME]"}]'

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/MAVEN_PASSWORD", "value" : "[BASE64 ENCODED PASSWORD]"}]'

Add your provided Rierino token for Git repositoryd including Ansible playbooks:

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "replace", "path" : "/data/GIT_TOKEN", "value" : "[BASE64 ENCODED TOKEN]"}]'

Add your provided Rierino token for Git repository including deployment assets:

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "replace", "path" : "/data/ASSET_TOKEN", "value" : "[BASE64 ENCODED TOKEN]"}]'

Add your provided Rierino username and password for the Docker repository:

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/DOCKER_USER", "value" : "[BASE64 ENCODED USERNAME]"}]'

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/DOCKER_PASSWORD", "value" : "[BASE64 ENCODED PASSWORD]"}]'

If you are using AWS as the cloud provider, add your AWS credentials:

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/AWS_ACCESS_KEY_ID", "value" : "[BASE64 ENCODED AWS_ACCESS_KEY_ID]"}]'

kubectl patch secret global-secrets-env --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/AWS_SECRET_KEY", "value" : "[BASE64 ENCODED AWS_SECRET_KEY]"}]'

If you are using GCP as the cloud provider, add your service account file:

kubectl patch secret global-secrets --namespace deployment --type=json -p='[{"op" : "add", "path" : "/data/service_account.json", "value" : "[BASE64 ENCODED SERVICE ACCOUNT FILE]"}]'

Other cloud providers may require additional credentials as well as customization of ansible inventory files.

You can also provide all these secrets during initial installation of the deployment global helm chart using sourceEncoded variable.

Install Deployer API helm chart on "deployment" namespace and "infra-pool" node pool, which will deploy a web service utilizing deployer jobs to facilitate all microservice deployments

helm upgrade --install --force global-deployerapi https://rierino-open.github.io/helm-charts/unit/deployerapi --namespace=deployment --set cloud=gcp --set pool=infra-pool

Now, you can start deploying Rierino workloads and services using the deployer job and deployer api service.

Deployer jobs use Ansible playbooks, which in turn install helm charts, for service deployments. While it is possible to use helm charts directly for service deployments instead, this approach allows centralized management of asset credentials, as well as more structured utilization of deployment asset files to set details of chart parameters.

Populate Assets

Rierino deployment requires various configurations on prerequisite systems, which are executed using initialization playbooks.

Import MongoDB data including configuration of the core services as well as any business modules that will be later used

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/mongodb-import.yml --set cloud=gcp

You can add --set values.mongodb_uri=[MONGODB_URI] parameter if MongoDB servers are not already tagged and can be discovered by Ansible inventory plugin.

Create Kafka topics that will be utilized by runners

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/kafka-create-topic.yml --set cloud=gcp

You can add --set values.kafkaServers=[KAFKA_SERVERS] parameter if Kafka servers are not already tagged and can be discovered by Ansible inventory plugin.

Create Keycloak realm and clients, if authentication will be used with a Keycloak based authentication service

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/keycloak-create-realm.yml --set cloud=gcp--set values.keycloak_admin_user=[KEYCLOAK_USER] --set values.keycloak_admin_password=[KEYCLOAK_PASSWORD]

You can add --set values.kc_api_uri=[KEYCLOAK_URI] parameter if Keycloak server is not already tagged and can be discovered by Ansible inventory plugin.

If additional systems will be utilized, you can use related deployment assets (e.g. Elasticsearch, Druid imports) as well.

Deploy Admin Core Runners

The first set of Rierino services provide the admin core runners, which can be utilized afterwards to deploy additional services through the admin UI itself.

Prepare Namespace

Create a "admin-backend" namespace on Kubernetes cluster, to be used by admin core runners

kubectl create namespace admin-backend

Execute Deployer helm chart on "deployment" namespace with "Global Helm" playbook and admin-backend related values, to set-up required config maps and secrets for admin core runners

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=gcp --set values.assetSource=core --set values.namespace=admin-backend

Depending on your MongoDB, Kafka, Keycloak configurations as well as your cloud service provider, you may need to override parameters in Global Helm playbook.

Deploy Core Runners

Execute Deployer helm chart on "deployment" namespace with "Runner Helm" playbook and admin-core related values, to install admin core CRUD and RPC runners

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/runner-helm.yml --set cloud=gcp --set values.assetSource=core --set values.source=file --set values.deploymentId=admin_core

Check from your cloud service provider to confirm that admin_core deployment is now up and running in admin-backend namespace.

Deploy Authentication Runner

Execute Deployer helm chart on "deployment" namespace with "Runner Helm" playbook and admin-token related values, to install admin authentication runner

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/runner-helm.yml --set cloud=gcp --set values.assetSource=core --set values.source=file --set values.deploymentId=admin_token

Check from your cloud service provider to confirm that admin_token deployment is now up and running in admin-backend namespace.

Deploy Admin Gateway Services

Next set of Rierino services provide the admin gateway and authentication services, which expose backend runners to outside the cluster.

Prepare Namespace

Create a "admin-gateway" namespace on Kubernetes cluster, to be used for API gateway, authentication and session management services

kubectl create namespace admin-gateway

Execute Deployer helm chart on "deployment" namespace with "Global Helm" playbook and admin-gateway related values, to set-up required config maps and secrets for gateway services

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=gcp --set values.assetSource=core --set values.namespace=admin-gateway

Set global secrets on "admin-gateway" namespace, which will be used for authentication operations on API gateway and authentication server

Add secrets required by admin gateway:

kubectl patch secret global-secrets --namespace admin-gateway --type=json -p='[{"op" : "add", "path" : "/data/properties", "value" : "[BASE64 ENCODED PROPERTIES]"}]'

Where properties should include:

rierinoKV.shared.gateway.secret=[BASE64 ENCODED SECRET]
rierinoKV.shared.kc_gateway_admin_client.secret=[KEYCLOAK ADMIN CLIENT SECRET]

Deploy API Gateway

Execute Deployer helm chart on "deployment" namespace with "Gateway Helm" playbook and gateway_admin related values, to install deployment and services related to admin API gateway

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/gateway-helm.yml  --set cloud=gcp --set values.assetSource=core --set values.controller=gateway_admin

Check from your cloud service provider to confirm that gateway_admin deployment is now up and running in admin-gateway namespace. You should be also able to send curl requests to load balancer endpoint for this service.

Deploy Admin UI

Last component to deploy for initialization of Rierino core platform is the admin UI, which allows user interaction with backend services.

Prepare Namespace

Create a "admin-ui" namespace on Kubernetes cluster, to be used for admin user interface services

kubectl create namespace admin-ui

Execute Deployer helm chart on "deployment" namespace with "Global Helm" playbook and admin-ui related values, to set-up required config maps and secrets for admin UI

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/global-helm.yml --set cloud=gcp --set values.assetSource=core --set values.namespace=admin-ui

Deploy Front-end

Execute Deployer helm chart on "deployment" namespace with "Admin UI Helm" playbook to install deployment and services related to admin UI

helm upgrade --install global-deployer-job https://rierino-open.github.io/helm-charts/unit/deployer --namespace=deployment --set playbook=playbooks/_application/adminui-helm.yml  --set cloud=gcp --set values.call_values.rierinoPullPolicy=Always

Check from your cloud service provider to confirm that adminui deployment is now up and running in admin-ui namespace. You should be also able to use and internet browser to access the load balancer endpoint for this service and start using Rierino.

PreviousAlternative 1: Ansible - Fully Automated NextCloud Specific Details

Last updated 1 year ago