openssl genrsa -out rootCA.key 4096openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crtopenssl genrsa -out star.platform.local.key 2048openssl req -new -sha256 \
-key star.platform.local.key \
-subj "/C=IT/ST=TN/O=FBK/CN=*.platform.local" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:*.platform.local,DNS:www.platform.local")) \
-out star.platform.local.csropenssl x509 -req -in star.platform.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out star.platform.local.crt -days 500 -sha256openssl genrsa -out api-gw.platform.local.key 2048openssl req -new -sha256 \
-key api-gw.platform.local.key \
-subj "/C=IT/ST=TN/O=FBK/CN=api.platform.local" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:api.platform.local,DNS:gw.platform.local,DNS:api-manager,DNS:api-manager.global.svc.cluster.local")) \
-out api-gw.platform.local.csropenssl x509 -req -in api-gw.platform.local.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out api-gw.platform.local.crt -days 500 -sha256openssl pkcs12 -export -in api-gw.platform.local.crt -inkey api-gw.platform.local.key -name "apigwself" -certfile rootCA.crt -out apigwself.pfxkeytool -importkeystore -srckeystore apigwself.pfx -srcstoretype pkcs12 -destkeystore apigwself.jks -deststoretype JKSGet a copy of the client-truststore.jks file from the <PRODUCT_HOME>/repository/resources/security/ directory.
keytool -export -alias apigwself -keystore apigwself.jks -file apigwself.pemkeytool -import -alias apigwself -file apigwself.pem -keystore client-truststore.jks -storepass wso2carbonkeytool -import -trustcacerts -keystore client-truststore.jks -alias rootCA.platform.local -file rootCA.crtkeytool -storepasswd -keystore client-truststore.jksopenssl genrsa -out am-analytics.key 2048openssl req -new -sha256 \
-key am-analytics.key \
-subj "/C=IT/ST=TN/O=FBK/CN=am-analytics" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:am-analytics,DNS:api-manager-analytics,DNS:api-manager-analytics.global.svc.cluster.local")) \
-out am-analytics.csropenssl x509 -req -in am-analytics.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out am-analytics.crt -days 500 -sha256openssl pkcs12 -export -in am-analytics.crt -inkey am-analytics.key -name "am-analytics" -certfile rootCA.crt -out am-analytics.pfxkeytool -importkeystore -srckeystore am-analytics.pfx -srcstoretype pkcs12 -destkeystore am-analytics.jks -deststoretype JKSGet a copy of the client-truststore.jks file from the <PRODUCT_HOME>/repository/resources/security/ directory.
keytool -export -alias am-analytics -keystore am-analytics.jks -file am-analytics.pemkeytool -import -alias am-analytics -file am-analytics.pem -keystore client-truststore.jks -storepass wso2carbonkeytool -import -trustcacerts -keystore client-truststore.jks -alias rootCA.platform.local -file rootCA.crtkeytool -storepasswd -keystore client-truststore.jksopenssl genrsa -out dss.key 2048openssl req -new -sha256 \
-key dss.key \
-subj "/C=IT/ST=TN/O=FBK/CN=dss.platform.local" \
-reqexts SAN \
-config <(cat /etc/ssl/openssl.cnf \
<(printf "\n[SAN]\nsubjectAltName=DNS:dss.platform.local,DNS:dss,DNS:dss-wso2,DNS:dss.global.svc.cluster.local")) \
-out dss.csropenssl x509 -req -in dss.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out dss.crt -days 500 -sha256openssl pkcs12 -export -in dss.crt -inkey dss.key -name "dss" -certfile rootCA.crt -out dss.pfxkeytool -importkeystore -srckeystore dss.pfx -srcstoretype pkcs12 -destkeystore dss.jks -deststoretype JKSGet a copy of the client-truststore.jks file from the <PRODUCT_HOME>/repository/resources/security/ directory.
keytool -export -alias dss -keystore dss.jks -file dss.pemkeytool -import -alias dss -file dss.pem -keystore client-truststore.jks -storepass wso2carbonkeytool -import -trustcacerts -keystore client-truststore.jks -alias rootCA.platform.local -file rootCA.crtkeytool -import -trustcacerts -keystore client-truststore.jks -alias lets-encrypt -file lets-encrypt-x3-cross-signed.pemkeytool -storepasswd -keystore client-truststore.jksDownload Nifi-Toolkit Link
Generate Server certs
nifi-toolkit-1.11.4/bin/tls-toolkit.sh standalone -n 'nifi.platform.local' \
--subjectAlternativeNames 'nifi,nifi.platform.local,nifi.global.svc.cluster.local' \
--additionalCACertificate ca/rootCA.crt -S 'platform' -P 'platform' -C 'CN=admin,OU=NIFI'Convert Client certs and key to PEM format
openssl pkcs12 -clcerts -nokeys -out admin-cert.pem -in CN\=admin_OU\=NIFI.p12
openssl pkcs12 -clcerts -nocerts -nodes -out admin-private-key.pem -in CN\=admin_OU\=NIFI.p12keytool -import -trustcacerts -keystore truststore.jks -alias rootCA.platform.local -file rootCA.crtBefore beginning with the installation, ensure that you have a 3 nodes Kubernetes cluster with at least 4 CPUs and 8 GB RAM each.
az aks create -g kube-test -n platform-test --kubernetes-version 1.17.7 \
--location westeurope --network-plugin azure --network-policy calico --node-count 3 \
--node-vm-size Standard_D8s_v3 --ssh-key-value kube-test.pub --nodepool-name d8sv3 \
--max-pods 250az aks install-cliaz aks get-credentials -g kube-test -n platform-testcurl https://helm.baltorepo.com/organization/signing.asc | sudo apt-key add -
sudo apt-get install apt-transport-https --yes
echo "deb https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
sudo apt-get update
sudo apt-get install helm
helm repo add stable https://kubernetes-charts.storage.googleapis.com/Official Documentation Link
Create Azure Public IP and grant access to Kubernetes cluster
az network public-ip create --name kube-test-istio-public-ip --resource-group kube-test --allocation-method Static --location westeurope --sku Standard
az ad app list --filter "displayname eq 'kube-test'" --query '[].appId' --output tsv
az role assignment create --assignee <AppID> --role "Network Contributor" --scope /subscriptions/<subscription id>/resourceGroups/<resource group name>Get public-IP and add it on helm/istio/istio-config.yaml file.
az network public-ip show --resource-group kube-test --name kube-test-istio-public-ip --query ipAddress --output tsv
curl -L https://istio.io/downloadIstio | sh -
cd istio-1.7.3
export PATH=$PWD/bin:$PATH
istioctl install -f /home/ffais/project/platform/helm/istio/istio-config.yamlOfficial Documentation Link
Generate wildcard certificate and create a secret with it.
kubectl -n istio-system create secret tls wild-card-cert --key=privkey.pem --cert=fullchain.pemkubectl create ns global
kubectl label namespaces global istio-injection=enabled
kubectl apply -f helm/istio/global-gateway.ymlkubectl create namespace monitoring
helm repo add loki https://grafana.github.io/loki/charts
helm repo update
helm upgrade --install loki loki/loki-stack --namespace monitoring --version 0.40.1 --values ./helm/monitoring/loki-stack/values-azure-v0.40.1.yamlhelm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm upgrade --install prometheus-operator prometheus-community/kube-prometheus-stack --namespace monitoring --version 9.4.3 --values ./helm/monitoring/prometheus-operator/values-azure-v9.4.3.yamlkubectl apply -f helm/istio/monitoring-virtual-service.ymlkubectl -n monitoring get podsExample output:
NAME READY STATUS RESTARTS AGE
alertmanager-prometheus-operator-alertmanager-0 2/2 Running 0 36m
loki-0 1/1 Running 0 48m
loki-promtail-hpp77 1/1 Running 0 48m
loki-promtail-wgqnn 1/1 Running 0 48m
prometheus-operator-grafana-68b69d65cd-24zz4 2/2 Running 0 36m
prometheus-operator-kube-state-metrics-66b4c95cd9-9729n 1/1 Running 0 36m
prometheus-operator-operator-86d4f4ccf5-h2mt2 2/2 Running 0 36m
prometheus-operator-prometheus-node-exporter-hs72t 1/1 Running 0 36m
prometheus-operator-prometheus-node-exporter-q6zk8 1/1 Running 0 36m
prometheus-prometheus-operator-prometheus-0 3/3 Running 1 36m
kubectl create ns databasesEdit credentials using SQL init script under initializationFiles: option in values file (helm/databases/mysql-values-azure-v1.6.6.yaml).
helm upgrade --install mysql stable/mysql --namespace databases --version 1.6.6 --values helm/databases/mysql-values-azure-v1.6.6.yaml Edit credentials using init script under initializationFiles: option in values file (helm/databases/mongo-values-azure-v8.1.5.yaml).
helm upgrade --install mongo bitnami/mongodb --version 8.1.5 --namespace databases --values helm/databases/mongo-values-v8.1.5.yamlCreate kuberentes secrets:
kubectl -n global create secret generic aac-db-creds --from-literal=username=ac --from-literal=password=ac
kubectl -n global create secret generic aac-admin-creds --from-literal=username=admin --from-literal=password=adminTo generate new key please follow the instructions available Here.
kubectl -n global create secret generic aac-keystore --from-file=helm/aac/config/keystore.jwksInstall AAC
helm upgrade --install aac ./charts/aac/ --namespace global --values ./helm/aac/aac-values.yamlkubectl apply -f helm/istio/aac-virtual-service.ymlInstall AAC-Org
kubectl -n global create secret generic aac-org-aac-creds \
--from-literal=username=dCX9UNzK-q47c-t4d9-F6yf-4YDO-wCvj6Z4CR7Os \
--from-literal=password=PZAN48kL-ak62-u8PK-mT5q-8U2L-qpcfWFj2VCRthelm upgrade --install aac-org ./charts/aac-org --namespace global --values ./helm/aac-org/aac-org-values.yamlkubectl apply -f helm/istio/aac-org-virtual-service.ymlTO DOCreate kuberentes secrets:
kubectl -n global create secret generic api-manager-db-creds --from-literal=username=wso2carbon \
--from-literal=password=wso2carbon
kubectl -n global create secret generic api-manager-aac-creds \
--from-literal=username=uom9BViJ-c3pQ-Jb0E-xm1K-cV9U-rdpIOui4wQGn \
--from-literal=password=Jc1jc7yt-2HiH-05X3-53LO-5yDm-tK8WG1lDIU2t
kubectl -n global create secret generic api-manager-admin-creds --from-literal=username=admin \
--from-literal=password=admin
kubectl -n global create secret generic api-manager-keystore --from-file=apigwself.jks --from-file=client-truststore.jks
kubectl -n global create secret generic api-manager-keystore-pass \
--from-literal=keystore=platform --from-literal=truststore=platform
kubectl -n global create secret generic api-manager-keystore-analytics \
--from-file=am-analytics.jks \
--from-file=client-truststore.jks
kubectl -n global create secret generic api-manager-analytics-keystore-pass --from-literal=keystore=platform \
--from-literal=truststore=platformInstall Api-Manager
helm upgrade --install api-manager ./charts/api-manager/ --namespace global --values ./helm/api-manager/api-manager-values.yamlkubectl apply -f helm/istio/api-manager-destination-rule.yamlkubectl apply -f helm/istio/api-manager-virtualservice.ymlCreate kuberentes secrets:
kubectl -n global create secret generic dss-keystore --from-file=dss.jks --from-file=client-truststore.jks
kubectl -n global create secret generic dss-creds --from-literal=username=admin --from-literal=password=admin
kubectl -n global create secret generic dss-db-creds --from-literal=username=wso2carbon --from-literal=password=wso2carbon
kubectl -n global create secret generic dss-keystore-creds --from-literal=keystore=platform --from-literal=truststore=platform
kubectl -n global create secret generic dss-aac-creds --from-literal=username=BBoAt563-1pNF-5OvS-2caE-W4rK-zG8Vbro5n2Km --from-literal=password=f0rjMnK5-NeF3-OV8d-g7jA-QiB0-Elm8AO0UzDXX
Install DSS
helm upgrade --install dss ./charts/dss/ --namespace global --values ./helm/dss/dss-values.yamlkubectl apply -f helm/istio/dss-destination-rule.yamlkubectl apply -f helm/istio/dss-virtualservice.ymlkubectl -n global create secret generic minio-creds --from-literal=accesskey=admin --from-literal=secretkey=admin12345Configure applications clientid in minio-values.yaml
helm upgrade --install minio stable/minio --namespace global --version 5.0.31 --values helm/minio/minio-values-v5.0.31.yamlkubectl apply -f helm/istio/minio-virtualservice.ymlkubectl -n global create secret generic grafana-creds --from-literal=admin-user=grafana --from-literal=admin-password=grafanaConfigure applications clientid in grafana-values.yaml
Install grafana
helm upgrade --install grafana stable/grafana --version 5.4.1 --namespace global --values ./helm/grafana/grafana-values.v5.4.1.yamlkubectl apply -f helm/istio/grafana-virtual-service.ymlTO DOkubectl create ns syskubectl label namespaces sys istio-injection=enabledCreate azure container registry:
az acr create --resource-group kube-test --name sclconfigtest --sku BasicTake note of loginServer in the output, which is the fully qualified registry name (all lowercase).
az acr update -n sclconfigtest --admin-enabled true
az acr credential show -n sclconfigtestConfigure applications clientid in nuclio-sys-values.yaml
Create kuberentes secrets using azure container registy credentials:
kubectl -n sys create secret docker-registry registry-credentials --docker-username <username> --docker-password <password1> --docker-server <server> --docker-email <your-email>kubectl -n sys create secret generic nifi-user-cert-pem --from-file=nifi-cert.pem \
--from-file=admin-private-key.pem \
--from-file=admin-cert.pemInstall Nuclio Sys
helm upgrade --install -n sys nuclio-sys charts/nuclio/ --values ./helm/nuclio/nuclio-sys-values.yamlkubectl apply -f helm/istio/nuclio-internal-virtualservice.ymlTO DOGenatare random string for Encryption key
openssl rand -base64 32kubectl -n global create secret generic gatekeeper-client-creds \
--from-literal=clientid=VwD2mWIY-dk7u-h7WA-5map-ZTB8-1hSX3UVwItMp \
--from-literal=clientsecret=63xurmJL-4KhJ-5SwF-0PtH-Ze3a-5YpKeQ1b3gLa \
--from-literal=encryptionkey=63d9311968fc9a184dbe6b255d1556c0Install Gatekeeper
helm upgrade --install gatekeeper ./charts/gatekeeper/ --namespace global --values ./helm/gatekeeper/gatekeeper-values.yamlkubectl apply -f ./helm/istio/gatekeeper-virtualservice.ymlTO DOkubectl -n global create secret generic nifi-keystore --from-file=keystore.jks --from-file=truststore.jks
kubectl -n global create secret generic nifi-keystore-creds --from-literal=keystore=platform --from-literal=truststore=platform
kubectl -n global create secret generic nifi-aac-creds \
--from-literal=username=6wLlM5LH-mg3R-Pr6E-mG4W-8YDM-64203Hf007dY \
--from-literal=password=T6lpdUIK-w2Ke-Z4X8-9tAz-Pk81-zMMpd0HZFKCeInstall Nifi
helm upgrade --install nifi ./charts/nifi/ --namespace global --values ./helm/nifi/nifi-values.yamlkubectl apply -f ./helm/istio/nifi-destination-rule.yml
kubectl apply -f ./helm/istio/nifi-virtualservice.ymlTO DOkubectl create ns jhubConfigure applications clientid in jupyterhub-values.yaml
Install JupyterHub
helm upgrade --install jhub jupyterhub/jupyterhub --namespace jhub --version=0.9.1 --values helm/jupyterhub/jupyterhub-values-v0.9.1.ymlkubectl apply -f ./helm/istio/jhub-virtualservice.ymlTO DOInstall Cyclotron
Configure applications clientid in jupyterhub-values.yaml
helm upgrade --install cyclotron charts/cyclotron/ --values helm/cyclotron/cyclotron-values.yaml --namespace globalkubectl apply -f ./helm/istio/cyclotron-virtualservice.ymlTO DOInstall databases
Clone Zalando Postgres-Operator:
git clone https://github.com/zalando/postgres-operator.git
cd postgres-operatorInstall Zalando Postgres-Operator:
helm install postgres-operator ./charts/postgres-operator --namespace global
kubectl apply -f helm/resource-manager/minimal-postgres-manifest.yamlInstall Mysql:
helm upgrade --install mysql stable/mysql --namespace global --version 1.6.6 --values helm/resource-manager/mysql-values-azure-v1.6.6.yaml To get your root password run:
kubectl get secret --namespace global mysql -o jsonpath="{.data.mysql-root-password}" | base64 --decode; echoCreate new secret with root username and password:
kubectl -n global create secret generic mysql-creds --from-literal=username=root --from-literal=password=VI9PvSJGbg
kubectl -n global create secret generic minio-creds --from-literal=accesskey=admin --from-literal=secretkey=admin12345
kubectl -n global create secret generic rs-db-creds --from-literal=username=rm --from-literal=password=rm
kubectl -n global create secret generic rs-oauth-creds --from-literal=username=4gefZIzy-wto8-n7nI-Cl9A-6abl-pEUMrnBGx3fv --from-literal=password=2uEieKZ8-Y5yo-h7mz-6HgF-tj5P-OBBV6TlihCK0Install resource-manager
helm upgrade --install rm charts/resource-manager/ --values helm/resource-manager/resource-manager-values.yaml --namespace globalkubectl apply -f ./helm/istio/resource-manager-virtualservice.ymlTO DOThe DigitalHub Platform may also be installed with Docker-Compose.
Run these shell commands to create a network and start each component. Nginx should be started after all enabled components have been launched.
docker network create platform-net
docker-compose -p platform.local -f database.yml up -d
docker-compose -p platform.local -f aac.yml up -d
docker-compose -p platform.local -f apim-analytics.yml up -d
docker-compose -p platform.local -f apim.yml up -d
docker-compose -p platform.local -f dss.yml up -d
docker-compose -p platform.local -f nifi.yml up -d
docker-compose -p platform.local -f cyclotron.yml up -d
docker-compose -p platform.local -f nginx.yml up -dFor API Manager, keep in mind that, if you need to restart the container, you should remove it via docker rm -f container_name_or_id and then run its corresponding command above again. Stopping and restarting it without removing it will result in an error.
The same is true for DSS.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent