GONRG-5542 fix update readme for ref arch

Merged Tejinder Dhingra requested to merge GONRG-5542-fix-update-readme-for-ref-arch into master
@@ -33,67 +33,141 @@ This chart bootstraps OSDU services and all the required infrastructure applicat
* Well-Delivery
* Workflow
Helm chart can be installed in **two modes**:
### 1. **Development mode**
Helm chart installs OSDU to the namespace **not labeled with Istio**: [^3]
* it requires fewer hardware resources.
* it reduces security: Istio security policy will not be applied for partition and entitlements OSDU services, which means that authentication will not work for requests because authentication is configured on the Istio side
* Istio is required and used for traffic routing
This mode is recommended for development purposes only.
### 2. **Secure mode**
Helm chart is installed to the namespace **labeled with Istio**[^3].
* In this case, each pod works with an Istio sidecar injected with a security policy and authentication.
* it requires more hardware resources than development mode [^4]
**We strongly recommend the approach for any publicly available endpoints.**
## Prerequisites
### Kubernetes cluster
Before starting installation, please ensure that all the required tools and resources are ready and configured.
The steps to install the helm charts in one of the two, Development or Secure, modes follow the instructions as below, respectively:
The code was tested on **Kubernetes cluster**(v1.21.11)[^1] with **Istio**[^2] (1.12.6) [^1]
* **To install the helm charts in Development mode perform steps 1 to 4 and verify the requirements as in step 6.**
* **To install the helm charts in Secure mode perform the steps 1 to 5 and verify the requirements as in step 6.**
The default storage class should be specified,
to check use the command:
### 1. Operating system
```sh
kubectl get sc
```
The code works on Debian-based Linux (Debian 10+ and Ubuntu 20.04+) and Windows WSL 2. All other operating systems, including macOS and Google Cloud Shell, are not verified and supported.
### 2. Packages
Packages needed for installation from a local computer.
* **Kubectl** (version: v1.21.0 or higher) [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)[^1]
* **HELM** (version: v3.7.1 or higher) [helm](https://helm.sh/docs/intro/install/)[^1]
### 3. Kubernetes cluster
Create a kubernetes cluster with the following requirements:
* **Hardware resources**
The minimum hardware requirements differ for two modes of Helm installation *(described below)*:
* For Development mode minimum 8 vCPUs and 16 GB of RAM should be available cumulatively in all nodes.
* For Secure mode minimum 11 vCPUs and 27 GB of RAM should be available cumulatively in all nodes.
* **Storage Class**
Specify the stoarge class with the command below:
```sh
kubectl annotate sc <STORAGE_CLASS_NAME> "storageclass.kubernetes.io/is-default-class"="true"
```
### 4. Install ISTIO in cluster
if not scpecified use command:
Install ISTIO, version 1.12.6 or above. Visit [this site](https://istio.io/latest/docs/setup/getting-started/) for detailed information about how to install ISTIO in your cluster.
### 5. Add namespace label (for secure mode)
***This step is required to install the helm charts in secure mode.***
Add a namespace label, to application &lt;namespace&gt; to instruct Istio to automatically inject Envoy sidecar proxies when you deploy your application later.
To add the namespace run the following command, replace &lt;namespace&gt; with the namespace in which your application would be installed
```sh
kubectl annotate sc <STORAGE_CLASS_NAME> "storageclass.kubernetes.io/is-default-class"="true"
kubectl label namespace <namespace> istio-injection=enabled
```
The installation requires at least 2 cluster nodes. It is partially compatible with [minikube](https://github.com/kubernetes/minikube) (see more details in the [examples](../../examples/osdu_onprem_minikube/README.md)).
### 6. Verification
Helm chart could be installed in **two modes**:
To verify that all the resources and tools are ready for installation, perform the following steps:
1. #### **Development mode**
* To check kubectl version run:
Helm chart installs OSDU to the namespace **not labeled with Istio**: [^3]
```sh
kubectl version --short | grep 'Client Version'
```
* it requires fewer hardware resources: 2 worker nodes (not used by other processes) with 4 vCPU and 11 GB RAM per each[^4]
* it reduces security: Istio security policy will not be applied for partition and entitlements OSDU services, which means that authentication will not work for requests because authentication is configured on the Istio side
* Istio is required and used for traffic routing
* To check Helm version run:
This mode is recommended for development purposes only.
```sh
helm version | awk -F '[{,]' '{print $1 $2}'
```
2. #### **Secure mode**
* To check if you are connected to correct cluster run:
Helm chart is installed to the namespace **labeled with Istio**[^3].
```sh
kubectl config current-context
```
* In this case, each pod works with an Istio sidecar injected with a security policy and authentication.
* it requires the following free hardware resources: 11 vCPU, 27 GB RAM[^4]
* To check the nodes in kubernetes cluster run:
**We strongly recommend the approach for any publicly available endpoints.**
```sh
kubectl get nodes
```
[^1]: It is possible to use other versions, but it hasn't been tested
* To verify ISTIO installation run:
[^2]: Istio is installed with Istio Ingress Gateway
```sh
kubectl get svc -A | grep 'istio-'
```
[^3]: You can find more information about labeling [here](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection) (Istio) or [here](https://cloud.google.com/service-mesh/docs/managed/select-a-release-channel#default-injection-labels) (Anthos Service Mesh)
The output list should include following services:
* istio-citadel
* istio-galley
* istio-ingressgateway
* istio-pilot
* istio-policy
* istio-sidecar-injector
* istio-telemetry
[^4]: Hardware requirements were specified during a test installation
* To get ISTIO Ingress Gateway IP address run:
### Operating system
```sh
kubectl get svc istio-ingressgateway -A
```
The code works in Debian-based Linux (Debian 10 and Ubuntu 20.04) and Windows WSL 2. All other operating systems, including macOS and Google Cloud Shell, are not verified and supported.
* For secure mode ensure if application &lt;namespace&gt; is labeled.
Run the following command to check if the &lt;namespace&gt; is enabled for istio-injection:
### Packages
```sh
kubectl label namespace <namespace> istio-injection=enabled
```
Packages are only needed for installation from a local computer.
The output should include the lines:
| NAME | STATUS | AGE | ISTIO-INJECTION |
| -- | -- | -- | -- |
| &lt;namespace&gt; | ACTIVE | 35m | enabled |
* **HELM** (version: v3.7.1 or higher) [helm](https://helm.sh/docs/intro/install/)[^1]
[^1]: It is possible to use other versions, but it hasn't been tested
* **Kubectl** (version: v1.21.0 or higher) [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)[^1]
[^3]: You can find more information about labeling [here](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection) (Istio) or [here](https://cloud.google.com/service-mesh/docs/managed/select-a-release-channel#default-injection-labels) (Anthos Service Mesh)
[^4]: Hardware requirements were specified during a test installation
## Installation
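Review bot: In "6. Verification", the secure-mode check repeats the step 5 command `kubectl label namespace <namespace> istio-injection=enabled`, which sets the label instead of reading it and cannot print the NAME / STATUS / AGE / ISTIO-INJECTION table given as the expected output. A read-only command such as `kubectl get namespace <namespace> -L istio-injection` produces that table and lets the reader confirm that sidecar injection, which authentication in secure mode depends on, is really enabled. Two smaller points in the same step: `kubectl get svc istio-ingressgateway -A` combines a resource name with all-namespaces, which kubectl rejects, so it needs `-n` with the namespace where the gateway is installed; and the expected service list (istio-citadel, istio-galley, istio-pilot, istio-policy, istio-telemetry and so on) describes the older split control plane, while step 4 asks for Istio 1.12.6 or above, where the control plane runs as istiod.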
@@ -419,22 +493,17 @@ helm install osdu-onprem
It takes about 10-20 minutes to install infrastructure applications and OSDU services. It is an expected behavior pods restart several times until they are ready.
### Uninstall OSDU on-prem helm chart
To uninstall OSDU on-prem helm chart use commands:
```sh
helm uninstall osdu-onprem
```
After the helm install process is completed, it provides the list of OSDU Services endpoints, which you can use for verification of the status of your applications. Before verification please wait for around 20 mins till all the pods are in running state.
Delete secrets and pvc:
To check the status of pods do run the following command from terminal
```sh
kubectl delete secret --all; kubectl delete pvc --all
kubectl get pods
```
### OSDU services endpoints
The list of OSDU services endpoints would look like as below, wherein "domain_name" would be replaced with the domain you have provided earlier in values.yaml.
<pre>
CRS-Catalog: "http://osdu.domain_name/api/crs/catalog/v2/info"
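Review bot: The pod status check placed before "OSDU services endpoints", `kubectl get pods`, has no namespace, so it lists pods in the current context's default namespace, and a reader who installed into the application namespace labeled in step 5 may see an empty or unrelated list. Suggest `kubectl get pods -n <namespace>` and stating what to look for (all pods Running and ready), since the text already says pods restart several times and the only other guidance is to wait about 20 minutes.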
@@ -559,6 +628,20 @@ Example of output message after the previous command if you use default variable
</details>
### Uninstall OSDU on-prem helm chart
To uninstall OSDU on-prem helm chart use commands:
```sh
helm uninstall osdu-onprem
```
Delete secrets and pvc:
```sh
kubectl delete secret --all; kubectl delete pvc --all
```
## Install logging and monitoring helm chart
Helm chart with logging and monitoring tools could be installed as described [here](../logging-and-monitoring).
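Review bot: In the relocated "Uninstall OSDU on-prem helm chart" section, `kubectl delete secret --all; kubectl delete pvc --all` removes every secret and persistent volume claim in whatever namespace the current context points at, not only the ones created by osdu-onprem. Please scope both commands with `-n <namespace>` (and `helm uninstall osdu-onprem` likewise) and say explicitly that this wipes all secrets and PVCs in that namespace, so a reader sharing the namespace with other workloads, or connected to the wrong context, does not lose unrelated credentials and data.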