
Installation is based on information found in https://github.com/nortal/GovStack-IM-BB-SandBox-Deployment. The procedure is defined as a GitLab CI pipeline, so some adaptation was needed.

Because of the existing playground deployment, the custom images were already in ECR. The deployment uses a slightly modified X-Road, so without access to those images X-Road has to be built first.

Deployment

# Fetch the deployment repository; the helm commands below install charts from
# this checkout, so check out a commit you have reviewed before deploying.
git clone -- "https://github.com/nortal/GovStack-IM-BB-SandBox-Deployment"

Set up ENV variables:

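# Deployment parameters expanded by the helm commands that follow.
# Set them in the same shell session that runs those commands.
K8S_NAMESPACE="im-xroad"
X_ROAD_IMAGE_TAG="7.2.2-IAM"
K8S_CS_SS_DB_STORAGE_CLASS_NAME="gp3"
K8S_TLD_NAME="im-xroad.playground.sandbox-playground.com"
# Passed to the charts as serviceExt.enabled.
K8S_EXPOSE_SERVICES="false"
# Placeholder: replace with the AWS account id that owns the ECR registry.
AWS_ACCOUNT="<account id>"
AWS_DEFAULT_REGION="eu-central-1"
# "latest" is a mutable tag: what gets deployed depends on whatever was pushed
# last. Pin a specific tag or digest when the deployment must be repeatable.
X_ROAD_METRICS_IMAGE_TAG="latest"
# All PubSub images are deployed from the same build tag.
PUBSUB_TAG="0.0.1-develop-c5e275ed"
PUBSUB_MESSAGING_API_IMAGE_TAG="${PUBSUB_TAG}"
PUBSUB_MANAGEMENT_API_IMAGE_TAG="${PUBSUB_TAG}"
PUBSUB_MANAGEMENT_UI_IMAGE_TAG="${PUBSUB_TAG}"
PUBSUB_SUBSCRIBER_MOCK_IMAGE_TAG="${PUBSUB_TAG}"
PUBSUB_DB_SCHEMA_IMAGE_TAG="${PUBSUB_TAG}"
# In-cluster address of security server ss3. The value is a plain URL; the
# angle brackets the wiki rendered around it are not part of it.
MANAGEMENT_API_XROAD_SECURITY_SERVER_BASE_URL="https://sandbox-xroad-ss3.${K8S_NAMESPACE}.svc.cluster.local:4000/api/v1/"
MANAGEMENT_API_XROAD_PUBSUB_SUBSYSTEM_IDENTIFIER="SANDBOX:GOV:PROVIDER:TEST"
# NOTE(review): the allow list is empty; check how the charts treat an empty
# value before switching K8S_EXPOSE_SERVICES to true.
K8S_SUBNET_ALLOW_LIST=""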

Core X-Road Deployment

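echo "--- xroad_deploy ---"
# Install or upgrade the core X-Road release (central server plus security
# servers ss1-ss3) from the local chart, pulling images from the ECR registry.
#
# Token PIN: 1234 is this page's sandbox value and is kept as the default.
# Set X_ROAD_TOKEN_PIN beforehand to use a different PIN. A well-known PIN
# should not be carried over to an environment that holds real keys.
# helm --debug can print the supplied values, so the PIN may end up in the
# terminal or CI log.
# NOTE(review): the tokenPin keys use the xroad-ss / xroad-cs prefixes while the
# other values use sandbox-im-x-road-ss / sandbox-im-xroad-cs; confirm the key
# names against the chart's values.yaml.
# The IAM URLs are plain https URLs (no surrounding angle brackets).
helm upgrade --install --atomic --debug \
  --wait --timeout 60m \
  --namespace "${K8S_NAMESPACE}" \
  --set apiService.create=true \
  --set "global.serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
  --set-string "global.storageClassName=${K8S_CS_SS_DB_STORAGE_CLASS_NAME}" \
  --set-string "xroad-ss.tokenPin=${X_ROAD_TOKEN_PIN:-1234}" \
  --set-string "xroad-cs.tokenPin=${X_ROAD_TOKEN_PIN:-1234}" \
  --set-string "sandbox-im-xroad-cs.serverTag=${X_ROAD_IMAGE_TAG}-cs" \
  --set-string "sandbox-im-x-road-ss.servers.ss1=${X_ROAD_IMAGE_TAG}-ss1" \
  --set-string "sandbox-im-x-road-ss.servers.ss2=${X_ROAD_IMAGE_TAG}-ss2" \
  --set-string "sandbox-im-x-road-ss.servers.ss3=${X_ROAD_IMAGE_TAG}-ss3" \
  --set-string "sandbox-im-x-road-ss.iamIssuerUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm" \
  --set-string "sandbox-im-x-road-ss.iamAuthorizationUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm/protocol/openid-connect/auth" \
  --set-string "sandbox-im-x-road-ss.iamTokenUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm/protocol/openid-connect/token" \
  --set-string "sandbox-im-x-road-ss.iamUserInfoUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm/protocol/openid-connect/userinfo" \
  --set-string "global.registry=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com" \
  sandbox-im-xroad ./x-road/sandbox-im-x-road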

Keycloak is part of PubSub, but it is shared with X-Road to provide authentication. For the Keycloak deployment, create a new pubsub/keycloak/config/pubsub-realm-sandbox.json file based on the existing template and change the URLs to be consistent with the selected external domain (K8S_TLD_NAME).

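echo "--- keycloak_deploy ---"
# Install or upgrade Keycloak from the local chart, importing the realm file
# prepared for this domain (config/pubsub-realm-sandbox.json, relative to the
# chart). Expansions are quoted so an empty or unusual value cannot split into
# extra helm arguments.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set "serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
  --set-string "config.realmConfigFile=config/pubsub-realm-sandbox.json" \
  keycloak-chart ./pubsub/keycloak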
# Remove any existing xroad-metrics release before it is installed again below.
# helm reports an error here when no such release exists (e.g. on a first run).
printf '%s\n' "--- x_road_metrics_uninstall ---"
helm uninstall xroad-metrics \
  --namespace "${K8S_NAMESPACE}" \
  --debug --wait --timeout 60m

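echo "--- x_road_metrics_deploy ---"
# Install or upgrade X-Road metrics (init-db, collector, corrector) from the
# local chart, with all three images taken from the ECR registry.
# The image tag comes from X_ROAD_METRICS_IMAGE_TAG; with a mutable tag such as
# "latest" the deployed image can change between runs without any change here.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set-string "database.initDb.image=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/xroad-metrics/init-db" \
  --set-string "database.initDb.image_tag=${X_ROAD_METRICS_IMAGE_TAG}" \
  --set-string "collector.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/xroad-metrics/collector" \
  --set-string "collector.image.tag=${X_ROAD_METRICS_IMAGE_TAG}" \
  --set-string "corrector.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/xroad-metrics/corrector" \
  --set-string "corrector.image.tag=${X_ROAD_METRICS_IMAGE_TAG}" \
  xroad-metrics ./x-road/x-road-metrics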

PubSub

  • Set up access to X-Road Admin UIs

  • Create MANAGEMENT_API_XROAD_ADMIN_API_KEY on SS3

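# Placeholder: replace with the API key created on SS3. The key is a credential
# for the security server admin API, so keep it out of shell history, shared
# notes and version control (for example, read it with `read -rs` instead of
# typing it on the command line).
MANAGEMENT_API_XROAD_ADMIN_API_KEY='<API KEY>'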

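echo "--- x_road_artemis_deploy ---"
# Install or upgrade the Artemis release from the local chart.
# Expansions are quoted so an empty or unusual value cannot split into extra
# helm arguments.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set "serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
  --set-string "artemis.topLevelDomainName=${K8S_TLD_NAME}" \
  --set-string "artemis.subnetAllowList=${K8S_SUBNET_ALLOW_LIST}" \
  artemis ./pubsub/artemis/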

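echo "--- x_road_im-msg-db_deploy ---"
# Install or upgrade the PubSub message database from the Bitnami PostgreSQL
# chart, configured by ./pubsub/im-msg-db/values.yaml.
# NOTE(review): the chart is pulled from a public registry with no version
# given, so each run takes whatever chart version is current there. Pass
# --version with a chart version you have tested to make the deployment
# repeatable.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set-string "topLevelDomainName=${K8S_TLD_NAME}" \
  --set-string "subnetAllowList=${K8S_SUBNET_ALLOW_LIST}" \
  im-msg-db oci://registry-1.docker.io/bitnamicharts/postgresql \
  -f ./pubsub/im-msg-db/values.yaml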

# Remove any existing im-msg-db-schema release before it is installed again
# below. helm reports an error here when no such release exists (e.g. on a
# first run).
printf '%s\n' "--- im-msg-db-schema_uninstall ---"
helm uninstall im-msg-db-schema \
  --namespace "${K8S_NAMESPACE}" \
  --debug --wait --timeout 60m

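echo "--- x_road_im-msg-db-schema_deploy ---"
# Install or upgrade the database schema release from the local chart, using
# the schema image from the ECR registry.
# Expansions are quoted so an empty or unusual value cannot split into extra
# helm arguments.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set-string "imMsgBbSchema.image.tag=${PUBSUB_DB_SCHEMA_IMAGE_TAG}" \
  --set-string "imMsgBbSchema.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/pubsub/schema" \
  im-msg-db-schema ./pubsub/im-msg-db-schema/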

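echo "--- x_road_messaging-api_deploy ---"
# Install or upgrade the PubSub messaging API from the local chart, using the
# messaging-api image from the ECR registry.
# Expansions are quoted so an empty or unusual value cannot split into extra
# helm arguments.
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set "serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
  --set-string "ingress.topLevelDomainName=${K8S_TLD_NAME}" \
  --set-string "ingress.subnetAllowList=${K8S_SUBNET_ALLOW_LIST}" \
  --set-string "messagingApi.image.tag=${PUBSUB_MESSAGING_API_IMAGE_TAG}" \
  --set-string "messagingApi.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/pubsub/messaging-api" \
  messaging-api ./pubsub/messaging-api/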

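echo "--- x_road_management-api_deploy ---"
# Install or upgrade the PubSub management API from the local chart.
#
# The release is given the security server admin API key, so the deploy is
# skipped when the key is not set rather than installing with an empty key.
# The key is passed as a helm argument: it is visible in the process list while
# helm runs, and helm --debug can print the supplied values, so treat the
# terminal or CI log of this step as sensitive.
# The issuer and CORS origin are plain https URLs (no surrounding angle
# brackets).
if [ -z "${MANAGEMENT_API_XROAD_ADMIN_API_KEY:-}" ]; then
  echo "MANAGEMENT_API_XROAD_ADMIN_API_KEY is not set; create the API key on SS3 first" >&2
else
  helm upgrade --install --atomic --debug \
    --wait --timeout 15m \
    --namespace "${K8S_NAMESPACE}" \
    --set "serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
    --set-string "serviceExt.topLevelDomainName=${K8S_TLD_NAME}" \
    --set-string "serviceExt.subnetAllowList=${K8S_SUBNET_ALLOW_LIST}" \
    --set-string "managementApi.image.tag=${PUBSUB_MANAGEMENT_API_IMAGE_TAG}" \
    --set-string "managementApi.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/pubsub/management-api" \
    --set-string "managementApi.xroadAdminClient.securityServerBaseUrl=${MANAGEMENT_API_XROAD_SECURITY_SERVER_BASE_URL}" \
    --set-string "managementApi.xroadAdminClient.apiKey=${MANAGEMENT_API_XROAD_ADMIN_API_KEY}" \
    --set-string "managementApi.xroadAdminClient.pubsubSubsystemIdentifier=${MANAGEMENT_API_XROAD_PUBSUB_SUBSYSTEM_IDENTIFIER}" \
    --set-string "managementApi.oauth2.issuerUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm" \
    --set-string "managementApi.cors.allowedOrigins=https://management-ui-${K8S_TLD_NAME}" \
    management-api ./pubsub/management-api/
fi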

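echo "--- x_road_management-ui_deploy ---"
# Install or upgrade the PubSub management UI from the local chart, using the
# management-ui image from the ECR registry.
# The IAM issuer and management API URIs are plain https URLs (no surrounding
# angle brackets).
# NOTE(review): managementApiUri points at the management-ui host rather than a
# management-api host; confirm this is intended (for example, the API being
# served behind the UI's ingress).
helm upgrade --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set "serviceExt.enabled=${K8S_EXPOSE_SERVICES}" \
  --set-string "ingress.topLevelDomainName=${K8S_TLD_NAME}" \
  --set-string "ingress.subnetAllowList=${K8S_SUBNET_ALLOW_LIST}" \
  --set-string "managementUi.image.tag=${PUBSUB_MANAGEMENT_UI_IMAGE_TAG}" \
  --set-string "managementUi.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/pubsub/management-ui" \
  --set-string "managementUi.iamIssuerUri=https://iam-${K8S_TLD_NAME}/realms/pubsub-realm" \
  --set-string "managementUi.managementApiUri=https://management-ui-${K8S_TLD_NAME}" \
  management-ui ./pubsub/management-ui/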

# Install or upgrade the subscriber mock from the local chart, using the
# subscriber-mock image from the ECR registry.
printf '%s\n' "--- x_road_subscriber-mock_deploy ---"
helm upgrade subscriber-mock ./pubsub/subscriber-mock/ \
  --install --atomic --debug \
  --wait --timeout 15m \
  --namespace "${K8S_NAMESPACE}" \
  --set-string "subscriberMock.image.tag=${PUBSUB_SUBSCRIBER_MOCK_IMAGE_TAG}" \
  --set-string "subscriberMock.image.repository=${AWS_ACCOUNT}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/im/pubsub/subscriber-mock"