ICOS Core Suite
TODO: order content in a proper way
Step 1 ALT

First install the `step` CLI, then initialise the CA:
export RELEASE_NAME=core1
export RELEASE_NAMESPACE=icos-system
export CA_PUBLIC_URL=ca.core.icos-staging.10-160-3-151.sslip.io
step ca init --deployment-type=standalone --name=my-icos-continuum-ca --dns "$CA_PUBLIC_URL" --dns "$RELEASE_NAME-step-certificates.$RELEASE_NAMESPACE.svc.cluster.local" --dns 127.0.0.1 --address=0.0.0.0:9000 --provisioner admin --helm
The command will prompt for a password that will be used to encrypt the CA secrets. Enter a password or press Enter to let the script generate one. Take note of the password (CA_PASSWORD) and of the Helm values printed at the end of the output (CA_HELM_VALUES).

Encode the CA_PASSWORD in base64. Use `printf` rather than `echo`: `echo` appends a newline, and the encoded newline would become part of the password stored in the Secret.

ENCODED_PWD=$(printf '%s' "CA_PASSWORD" | base64)
Now generate a values file (here `my-values.yaml`) for the ICOS Core Suite:

global:
  external:
    # the DNS name of this node. It is used to generate the DNS names for the IAM and Lighthouse services
    host: core.icos-staging.10-160-3-151.sslip.io
icos-ca:
  step-certificates:
    #
    # Copy here the entire output of the `step ca init --helm` command. Pay attention to keep it indented under the `icos-ca.step-certificates` section.
    #
    inject:
      enabled: true
      # Config contains the configuration files ca.json and defaults.json
      config:
        files:
          ca.json:
            root: /home/step/certs/root_ca.crt
            federateRoots: []
            [...]
      secrets:
        ca_password: <BASE64_ENCODED_PWD>
        provisioner_password: <BASE64_ENCODED_PWD>
        [...]

Then install the chart with the values file:

helm install --namespace icos-system core1 /data/ICOS/code/suites/icos-core/ --values my-values.yaml --set icos-ingress-controller.step-issuer.icos-issuer.enabled=false
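As an added example (not from the ICOS documentation or chart), a POSIX shell script that assembles `my-values.yaml` from a saved `step ca init --helm` snippet: it base64-encodes the CA password without the trailing newline that `echo | base64` would add, fills the `<BASE64_ENCODED_PWD>` placeholders and indents the snippet under `icos-ca.step-certificates`. The function names, the host and the stand-in snippet are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ICOS Core Suite documentation or chart.
# Assembles the Helm values file for the ICOS Core Suite from the YAML that
# `step ca init --helm` prints (CA_HELM_VALUES) and the CA password.

# Base64-encode a password with no trailing newline. `echo "$pw" | base64`
# encodes "pw\n", so the Secret would hold a password ending in a newline
# instead of the one that was typed.
encode_pwd() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Indent stdin by four spaces (two YAML levels) so the snippet ends up under
# icos-ca: / step-certificates:, as the chart expects.
nest_under_step_certificates() {
    sed 's/^/    /'
}

# Write the complete values file to stdout.
# usage: <snippet on stdin> | write_values HOST ENCODED_PWD
write_values() {
    host="$1"
    encoded="$2"
    printf 'global:\n  external:\n    host: %s\n' "$host"
    printf 'icos-ca:\n  step-certificates:\n'
    # '|' as the sed delimiter: '/' is a legal base64 character.
    sed "s|<BASE64_ENCODED_PWD>|$encoded|g" | nest_under_step_certificates
}

# Constructed stand-in for the `step ca init --helm` output, reduced to the
# placeholders shown in the documentation.
sample_snippet() {
    cat <<'EOF'
inject:
  enabled: true
  secrets:
    ca_password: <BASE64_ENCODED_PWD>
    provisioner_password: <BASE64_ENCODED_PWD>
EOF
}

# Demo with a constructed host and password. Real use:
# step_helm_output | write_values "$HOST" "$(encode_pwd "$CA_PASSWORD")" > my-values.yaml
sample_snippet | write_values core.example.invalid "$(encode_pwd 'constructed-password')"
```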
Persistence

To disable persistence (the IAM PostgreSQL volume and the CA database), add the following to the values file. With persistence disabled, the CA database lives only in the pod and is lost when the pod is recreated.

icos-iam:
  keycloak:
    postgresql:
      primary:
        persistence:
          enabled: false
icos-ca:
  step-certificates:
    ca:
      db:
        persistent: false
Backup / Restore

To back up the CA material of a release, export the password secrets and the step-certificates configmaps. Set the release name on its own line: in the one-line `VAR=value command` form the `$RELEASE_NAME` references in the arguments are expanded before the assignment takes effect, so they would be empty. The resulting file contains the CA and provisioner passwords; store it as you would the CA keys.

RELEASE_NAME=testcore
kubectl get secret/$RELEASE_NAME-step-certificates-ca-password \
  secret/$RELEASE_NAME-step-certificates-provisioner-password \
  configmap/$RELEASE_NAME-step-certificates-secrets \
  configmap/$RELEASE_NAME-step-certificates-config \
  configmap/$RELEASE_NAME-step-certificates-certs \
  -o yaml > ca_backup.yaml

To restore, recreate the exported objects in the target namespace (the export carries cluster-specific `metadata.uid` and `metadata.resourceVersion` fields that have to be removed before the objects can be created again), then install the chart with the bootstrap step disabled so that it does not generate a fresh CA over them:

helm upgrade --install --namespace gabriele-core testcore /data/ICOS/code/suites/icos-core/ \
  --values values-2.yaml --values persistence.yaml \
  --set icos-ca.step-certificates.bootstrap.enabled=false \
  --set icos-ca.step-certificates.bootstrap.configmaps=false \
  --set icos-ca.step-certificates.bootstrap.secrets=false
Exposure

TODO: move to the icos-ingress-controller chart documentation

The ingress controller (`icos-ingress-controller`) is disabled by default.

Load Balancer

By default, the Nginx Ingress Controller is used to expose the Suite services, and it is itself exposed as a LoadBalancer service. Alternatively it can be run as a DaemonSet bound to the nodes' host ports (80 and 443 by default) with the following configuration. Note that this opens ports 80 and 443 on every node that runs the DaemonSet, while the ClusterIP service type means no cloud load balancer is created.

icos-ingress-controller:
  enabled: true
  nginx-ingress-controller:
    enabled: true
    kind: DaemonSet
    daemonset:
      useHostPort: true
    service:
      type: ClusterIP
Second method:
Troubleshooting

In the StepIssuer log:

"The requested resource could not be found. Please see the certificate authority logs for more info."

In the cert-manager-controller log:

failed calling webhook \"webhook.cert-manager.io\": failed to call webhook: Post \"https://cert-manager-webhook.cert-manager.svc:443/validate?timeout=30s\": service \"cert-manager-webhook\" not found" logger="cert-manager.controller" key="gabriele-core/testcore-keycloak"

The second message means a webhook configuration left over from a previous cert-manager installation still points at a webhook service that no longer exists. To fix it:

kubectl get MutatingWebhookConfiguration and delete the old ones
kubectl get validatingwebhookconfigurations and delete the old ones
reinstall with Helm
Error "spec.caBundle: Required value" is shown when performing a Helm install/upgrade

If you see this error:
* StepClusterIssuer.certmanager.step.sm "icos-step-ca-issuer" is invalid: [spec.provisioner.kid: Required value, spec.caBundle: Required value]
this is