Install SD Elements

This page contains information about common helm tasks. More information can also be found in the Requirements page.

Confirm the functionality of the Kubernetes cluster

```
sde$ kubectl get nodes
NAME      STATUS   ROLES                  AGE   VERSION
master1   Ready    control-plane,master   23h   v1.21.0
master2   Ready    control-plane,master   23h   v1.21.0
master3   Ready    control-plane,master   23h   v1.21.0
worker1   Ready    <none>                 23h   v1.21.0
worker2   Ready    <none>                 23h   v1.21.0
worker3   Ready    <none>                 23h   v1.21.0
```

All nodes should be 'Ready'.
Enabling OpenShift compatibility
This configuration is only compatible with SD Elements versions 2023.2 or newer.

When enabling OpenShift compatibility, the helm chart disables incompatible configurations (e.g. PodSecurityContext).
Pre-requisites:
Configuration:
To enable OpenShift compatibility, add the following configuration to values.custom.yaml:

```yaml
global:
  openshift:
    enabled: true
web:
  ingressClassName: openshift-default
rabbitmq:
  podSecurityContext:
    enabled: false
  containerSecurityContext:
    enabled: false
postgresql:
  primary:
    containerSecurityContext:
      enabled: false
      runAsUser: null
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - 'ALL'
    podSecurityContext:
      enabled: false
      runAsUser: null
      runAsGroup: null
      fsGroup: null
      seccompProfile:
        type: RuntimeDefault
  volumePermissions:
    enabled: false
  shmVolume:
    enabled: false
```
We recommend using the OpenShift Container Platform Ingress Operator. The default IngressClassName is openshift-default; this value may differ in your environment.
Minio Tenant support in OpenShift
When using Minio Tenant with OpenShift, securityContext, containerSecurityContext, and volumeClaimTemplate for each pool have to be updated as illustrated in the following example:

```yaml
minio-tenant:
  enabled: true
  tenant:
    pools:
      - servers: 1
        name: pool-0
        volumesPerServer: 1
        size: 100Gi
        securityContext:
          runAsUser: null
          runAsGroup: null
          fsGroup: null
        containerSecurityContext:
          runAsUser: null
          runAsGroup: null
        volumeClaimTemplate:
          metadata:
            name: data
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 100Gi
```
Deploy SD Elements
- Verify your installation prerequisites using a checklist like the following:

| Sr No | Prerequisite Item | Verified | Example Variable |
|---|---|---|---|
| 1 | SDE version to install | Yes/No | |
| 2 | The Helm release name for the SDE installation | Yes/No | |
| 3 | | Yes/No | |
| 4 | Shared Object Storage configured (e.g. AWS S3) (See Shared Object Storage) | Yes/No | |
| 5 | DNS service installed and configured | Yes/No | N/A |

Nginx is the ingress controller used to test deployment compatibility among versions of SD Elements and EKS. Your deployment may use a different ingress controller.

See Tested Versions for Kubernetes versions compatible with the SD Elements installation.
- Create a file values.custom.yaml with the following content:

```yaml
global:
  imageRegistryUsername: <SERVICE_USERNAME>
  imageRegistryPassword: <SERVICE_PASSWORD>
  sharedStorage:
    bucketName: <BUCKET_NAME>
    s3Url: https://s3.<S3_REGION>.amazonaws.com
    s3AccessKey: <S3_ACCESS_KEY>
    s3SecretKey: <S3_SECRET_KEY>
sde:
  jwtSecret: your-jwt-secret
  secretKey: your-secret-key
  superuserPassword: your-superuser-password
  systemAdminEmail: your-sysadmin-email@yourdomain
postgresql:
  auth:
    username: sde
    password: your-database-password
sc-datastore:
  clientPassword: your-datastore-password
rabbitmq:
  auth:
    erlangCookie: your-erlang-cookie
    password: your-broker-password
sc-cam:
  databasePassword: your-cam-database-password
  brokerPassword: your-cam-broker-password
```

Replace any remaining passwords and secrets with random strings unique to your installation. Manage these secrets as carefully as any software artifact that requires version control.

Such keys and passwords encrypt or otherwise protect assets within your application. Changing them later can have negative consequences, including SD Elements becoming unable to decrypt data. For a list of the items that should not be changed, please see [Additional Information].
- Add the SD Elements Helm repository:

```
$ helm repo add sdelements https://repository.securitycompass.com/artifactory/sde-helm-prod \
    --username <SERVICE_USERNAME> \
    --password <SERVICE_PASSWORD>
```

- Install the SD Elements chart.

Note: RELEASE_NAME is an example; replace it with an appropriate name for this deployment.

```
$ helm install RELEASE_NAME sdelements/sde --version <SDE_VERSION> --values values.custom.yaml
```

Confirm the helm chart has been installed:

```
$ helm list
NAME           NAMESPACE   REVISION   UPDATED                                  STATUS     CHART           APP VERSION
RELEASE_NAME   default     1          2023-03-22 17:22:18.453487279 -0400 EDT   deployed   sde-2023.1.00   2023.1.00
```

Validate the state of the pods:

```
$ kubectl get pods
```

Pods associated with scheduled jobs such as integration may also show a status of 'Completed'.
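The values.custom.yaml created in the step above asks you to replace every password and secret with a random string unique to the installation. The following script, added here as an example and not part of the SD Elements documentation or chart, generates one fresh 48-character secret per key, writes the file with owner-only permissions before any secret lands on disk, and checks that no two generated values collide; the registry, S3 and `<SYSADMIN_EMAIL>` placeholders are left for the operator to fill in.

```shell
# Added example (not from the SD Elements docs): generate a distinct random
# value for every secret in values.custom.yaml and write it as a 0600 file.
set -eu

# 48 characters from [A-Za-z0-9], sourced from /dev/urandom.
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 48
}

# Write values.custom.yaml to the path in $1. Registry, S3 and e-mail
# placeholders stay for the operator; every password/secret is generated.
render_values() {
  out="$1"
  rm -f "$out"; (umask 077; : >"$out")   # fresh file, mode 0600 before secrets are written
  cat >"$out" <<EOF
global:
  imageRegistryUsername: <SERVICE_USERNAME>
  imageRegistryPassword: <SERVICE_PASSWORD>
  sharedStorage:
    bucketName: <BUCKET_NAME>
    s3Url: https://s3.<S3_REGION>.amazonaws.com
    s3AccessKey: <S3_ACCESS_KEY>
    s3SecretKey: <S3_SECRET_KEY>
sde:
  jwtSecret: $(gen_secret)
  secretKey: $(gen_secret)
  superuserPassword: $(gen_secret)
  systemAdminEmail: <SYSADMIN_EMAIL>
postgresql:
  auth:
    username: sde
    password: $(gen_secret)
sc-datastore:
  clientPassword: $(gen_secret)
rabbitmq:
  auth:
    erlangCookie: $(gen_secret)
    password: $(gen_secret)
sc-cam:
  databasePassword: $(gen_secret)
  brokerPassword: $(gen_secret)
EOF
}

# Returns 0 only if the file holds exactly nine 48-char secrets and no two are equal.
secrets_unique() {
  total=$(grep -Ec '^[[:space:]]*[A-Za-z]+: [A-Za-z0-9]{48}$' "$1")
  distinct=$(grep -Eo '[A-Za-z0-9]{48}$' "$1" | sort -u | wc -l | tr -d ' ')
  [ "$total" -eq 9 ] && [ "$total" -eq "$distinct" ]
}
```

Run it as `render_values values.custom.yaml && secrets_unique values.custom.yaml`, then fill in the remaining placeholders; keep the file out of world-readable locations and shared repositories, since it carries every credential the release uses.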
Access SD Elements
It usually takes around 5-10 minutes to deploy SD Elements, depending on cluster performance and download speeds. During this time, attempts to access SD Elements will return a 503 error.

SD Elements is accessed through its web service; the nginx controller you have selected for use can be configured to provide client access to SD Elements (see Requirements).
Username and password
SD Elements supports password-based authentication by default. The superuser's email and password are configured through the sde.superuserEmail and sde.superuserPassword nodes in the custom values file. See the Chart Values reference page for more information.