Install on Kubernetes using Helm
If you don't have a Kubernetes cluster, follow the MicroK8S guide for the easiest deployment scenario.
Prerequisites
- Make sure you read the Identity management section to understand the need for an OpenID provider (IdP). By default, this chart will install Keycloak as an OpenID provider for user authentication.
- Have a functional Kubernetes cluster with:
  - cert-manager with a ClusterIssuer called letsencrypt
  - ingress-nginx controller exposed via a public IP address
  - a default StorageClass
- Configure a domain where Osie will be installed:
  - cloud.<your-domain>.<tld> configured in your DNS, pointing to your ingress IP
  - an auth.<your-domain>.<tld> subdomain for Keycloak, if you don't already have an identity provider (IdP)
- Helm installed on your local machine.
Add the Helm repository
helm repo add osie https://helm.osie.io
helm repo update
Configure the values.yaml file
For the complete list of configurable variables, check the values.yaml file of the Chart.
Example 1: With Keycloak included
This configuration installs Keycloak as well using the Keycloak chart from Bitnami.
global:
  ingress:
    enabled: true
    hostname: "cloud.example.com"
    ingressClassName: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
      # Required by Keycloak when using Nginx ingress
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    tls: true
keycloak:
  ingress:
    hostname: auth.example.com
  smtp:
    password: # smtp password
    user: # smtp user
    starttls: true
    auth: true
    port: 587
    host: # smtp server
    from: # sender address
    fromDisplayName: My Cloud Company
Example 2: Without Keycloak
If you have deployed your own identity provider, you have to specify the OAuth2 / OpenID configuration manually.
global:
  ingress:
    enabled: true
    hostname: "cloud.example.com"
    ingressClassName: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
    tls: true
# OpenID configuration for the Osie client portal
ui:
  oauth2:
    clientId: client-id
    issuerUri: https://auth.example.com/path/to/openid
# (Optional) if you use a different OpenID client for the Administrators;
# otherwise the settings from the client portal will be used
admin:
  oauth2:
    clientId: admin-client-id
    issuerUri: https://auth.example.com/path/to/openid
keycloak:
  enabled: false
  smtp:
    ...
High Availability
If you have a highly available Kubernetes cluster (3+ nodes), you can deploy the databases and the services with replication and high availability. Below is an example of how the replicaCount and architecture values can be adjusted.
ui:
  replicaCount: 3
admin:
  replicaCount: 3
api:
  replicaCount: 3
keycloak:
  replicaCount: 3
postgresql:
  architecture: replication
mongodb:
  architecture: replicaset
  replicaCount: 3
redis:
  architecture: replication
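The two examples above and the high-availability snippet describe several settings that have to agree with each other: a bundled Keycloak needs its own hostname and the proxy-buffer-size annotation, a disabled Keycloak needs the ui.oauth2 settings, and scaling the stateless components only makes sense once the datastores are replicated. The following pre-flight check is an added example, not part of the Osie chart or its documentation; it operates on the dictionary that PyYAML's yaml.safe_load() returns for a values.yaml, and the SAMPLE_VALUES dictionary is constructed from the page's Example 2 plus the HA snippet (with redis deliberately left at its default so the check has something to report). The expectation that keycloak.enabled defaults to true comes from the Prerequisites section.

```python
"""Pre-flight consistency checks for an Osie values.yaml (added example)."""
from typing import Any, Dict, List


def _get(d: Dict[str, Any], *path: str) -> Any:
    """Walk nested dict keys; return None if any level is missing."""
    cur: Any = d
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def check_values(values: Dict[str, Any]) -> List[str]:
    """Return a list of problems found; an empty list means the values are consistent."""
    problems: List[str] = []
    ingress = _get(values, "global", "ingress") or {}
    if not ingress.get("enabled"):
        problems.append("global.ingress.enabled must be true")
    host = ingress.get("hostname")
    if not host or "<" in str(host):
        problems.append("global.ingress.hostname is unset or still a placeholder")
    if ingress.get("tls") is not True:
        problems.append("global.ingress.tls should be true (cert-manager issues the certificate)")
    annotations = ingress.get("annotations") or {}
    if annotations.get("cert-manager.io/cluster-issuer") != "letsencrypt":
        problems.append("missing cert-manager.io/cluster-issuer: letsencrypt annotation")

    enabled = _get(values, "keycloak", "enabled")
    keycloak_enabled = True if enabled is None else bool(enabled)  # chart installs Keycloak by default
    if keycloak_enabled:
        if "nginx.ingress.kubernetes.io/proxy-buffer-size" not in annotations:
            problems.append("bundled Keycloak needs the proxy-buffer-size annotation on the ingress")
        if not _get(values, "keycloak", "ingress", "hostname"):
            problems.append("keycloak.ingress.hostname (auth.<domain>) is required when Keycloak is bundled")
    else:
        # admin falls back to the ui settings, so only ui.oauth2 is mandatory
        for key in ("clientId", "issuerUri"):
            if not _get(values, "ui", "oauth2", key):
                problems.append(f"ui.oauth2.{key} is required when keycloak.enabled is false")
        issuer = _get(values, "ui", "oauth2", "issuerUri")
        if issuer and not str(issuer).startswith("https://"):
            problems.append("ui.oauth2.issuerUri must use https")

    # HA: replicated services in front of single-instance datastores leave a single point of failure
    ha = any((_get(values, c, "replicaCount") or 1) > 1 for c in ("ui", "admin", "api"))
    if ha:
        if _get(values, "postgresql", "architecture") != "replication":
            problems.append("HA: postgresql.architecture should be replication")
        if _get(values, "mongodb", "architecture") != "replicaset":
            problems.append("HA: mongodb.architecture should be replicaset")
        if _get(values, "redis", "architecture") != "replication":
            problems.append("HA: redis.architecture should be replication")
    return problems


# Constructed sample: the page's Example 2 merged with the HA snippet, redis left at default
SAMPLE_VALUES: Dict[str, Any] = {
    "global": {"ingress": {"enabled": True, "hostname": "cloud.example.com",
                           "ingressClassName": "nginx",
                           "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt"},
                           "tls": True}},
    "ui": {"replicaCount": 3, "oauth2": {"clientId": "client-id",
                                         "issuerUri": "https://auth.example.com/path/to/openid"}},
    "admin": {"replicaCount": 3},
    "api": {"replicaCount": 3},
    "keycloak": {"enabled": False},
    "postgresql": {"architecture": "replication"},
    "mongodb": {"architecture": "replicaset", "replicaCount": 3},
}

if __name__ == "__main__":
    import sys
    values = SAMPLE_VALUES
    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed to read a real values.yaml
        with open(sys.argv[1]) as fh:
            values = yaml.safe_load(fh)
    for problem in check_values(values) or ["no problems found"]:
        print("-", problem)
```

Run it with the path to your values.yaml before `helm upgrade --install`; run without arguments to see it flag the missing redis replication in the constructed sample.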
Install using the chart
Using the created values.yaml file, you can proceed with the installation.
helm --namespace osie upgrade --install --create-namespace osie osie/osie -f values.yaml
Check the Kubernetes pods in the namespace.
$ kubectl -n osie get pods
osie-admin-5dc5b4ff59-hbzmz 1/1 Running 0 22h
osie-api-0 1/1 Running 0 22h
osie-keycloak-0 1/1 Running 0 28h
osie-mongodb-5fc58bbc78-mc6xw 1/1 Running 0 28h
osie-postgresql-0 1/1 Running 0 28h
osie-rabbitmq-0 1/1 Running 0 28h
osie-redis-master-0 1/1 Running 0 28h
osie-ui-566c759d8-srskk 1/1 Running 0 22h
Check the ingress hostnames.
$ kubectl -n osie get ingress
osie-admin nginx cloud.example.com 12.34.56.78 80, 443 28h
osie-api nginx cloud.example.com 12.34.56.78 80, 443 28h
osie-keycloak nginx cloud.example.com 12.34.56.78 80, 443 28h
osie-ui nginx cloud.example.com 12.34.56.78 80, 443 28h
Post installation
Now Osie is installed on your Kubernetes cluster and ready to be used. Here are some steps to be performed.
Save the bcrypt password
Osie encrypts some sensitive information that's stored in the database, such as passwords and access keys.
It uses a bcrypt symmetric key that is configured as an environment variable (OSIE_ENCRYPTION_DEFAULT_KEY).
Since the encryption is symmetric, the same key must be used to decrypt the data; it is therefore very important that the key is not lost, otherwise some data in the database can't be decrypted.
The Helm chart generates a random bcrypt password key that is saved inside the <release-name>-bcrypt secret.
It is recommended to save the key somewhere external as well, so that you can reuse it in the event of disaster recovery.
# Retrieve the bcrypt password and save it somewhere externally
kubectl -n osie get secret osie-bcrypt -o json | jq -r '.data."bcrypt-password"' | base64 -d
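A backup is only useful if you know it still matches what the cluster uses. The script below is an added example, not part of Osie or its chart: it takes the JSON that `kubectl -n osie get secret osie-bcrypt -o json` prints (passed in as text, so it can be piped from kubectl or read from a file), decodes the bcrypt-password field, writes it to a file readable only by the current user, and compares the external copy against the cluster value, which is a sensible check to run before every helm upgrade. The SAMPLE_SECRET is constructed with a made-up key; the secret and data key names are the ones given on this page.

```python
"""Back up and verify the Osie encryption key from the <release>-bcrypt secret (added example)."""
import base64
import hmac
import json
import os
import tempfile
from typing import Optional

DATA_KEY = "bcrypt-password"  # data field of the <release-name>-bcrypt secret


def extract_key(secret_json: str) -> str:
    """Decode the bcrypt-password field from a Secret's JSON representation."""
    secret = json.loads(secret_json)
    encoded = secret["data"][DATA_KEY]
    return base64.b64decode(encoded).decode("utf-8")


def save_key(key: str, path: str) -> None:
    """Write the key to a file created with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)


def backup_matches(secret_json: str, path: str) -> bool:
    """Compare the external copy with the key currently in the cluster (constant-time compare)."""
    with open(path) as fh:
        stored = fh.read()
    return hmac.compare_digest(stored.encode("utf-8"), extract_key(secret_json).encode("utf-8"))


def verify_roundtrip(secret_json: str, stored_key: Optional[str] = None) -> bool:
    """Save the key (or a given stale value) to a temporary file and check it against the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "osie-bcrypt.key")
        save_key(stored_key if stored_key is not None else extract_key(secret_json), path)
        return backup_matches(secret_json, path)


# Constructed sample of what kubectl prints for the secret; the key is not a real one
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "osie-bcrypt", "namespace": "osie"},
    "data": {DATA_KEY: base64.b64encode(b"example-key-not-real").decode("ascii")},
})

if __name__ == "__main__":
    import sys
    # Usage: kubectl -n osie get secret osie-bcrypt -o json | python3 this.py /secure/path/osie-bcrypt.key
    secret_json = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRET
    if len(sys.argv) > 1:
        target = sys.argv[1]
        if os.path.exists(target):
            print("backup matches cluster:", backup_matches(secret_json, target))
        else:
            save_key(extract_key(secret_json), target)
            print("key saved to", target)
    else:
        print("sample round trip:", verify_roundtrip(secret_json))
```

Store the resulting file somewhere outside the cluster (a password manager or an offline vault), and rerun the script with the same path before an upgrade: a `False` result means the key in the cluster and your backup have diverged, and that needs resolving before any change that could recreate the secret.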
Log in to Osie Admin panel
The admin panel should be accessible at https://cloud.example.com/osie_admin.
The default admin username is osie_admin.
Retrieve the admin password from Kubernetes secret
If you have jq installed, simply run
kubectl -n osie get secret osie-keycloak -o json | jq -r '.data."admin-password"' | base64 -d
Otherwise retrieve the secret and base64 decode the data.admin-password key.
kubectl -n osie get secret osie-keycloak -o yaml
Upgrading or reconfiguring
You can use the helm upgrade command to upgrade to newer versions of Osie or to restart the components after making changes to the values.yaml.
If you used the chart to install Keycloak as well, it is recommended to prevent the keycloakConfigCli job from running again, since it is only needed during the first installation.
# Disable keycloakConfigCli so it does not run again
keycloak:
  keycloakConfigCli:
    enabled: false
# First update the helm repository to get the latest chart version
helm repo update
# Run the helm upgrade command
helm --namespace osie upgrade osie osie/osie -f values.yaml
Automated Backups
Configure automated backups with Velero
Next steps
- Visit the Administrator's manual for the set-up instructions.