Versions Compared

Old Version 18

changes.mady.by.user Shashikanth VH

Saved on

compared with

New Version Current

changes.mady.by.user Arvind Patel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The prerequisites and pre-installation software and hardware should be ready before executing the installation steps.

In BP first release Two types of installation mechanisms are provided in this release , as below 

  1. Ansible-Playbook single command
  2. Command Line Interface (CLI)

...

  • One-Click Deployment Node
  • MECM Node
  • MEC Hosts .Node

Note: For Development environment two nodes  is sufficient, where one node plays a dual role of One-Click Deployment Node and MECM Node with other as MEC Host.

...

                                                 Figure: EALTEdge Deployment Architecture

Note: EALTEdge Blueprint Deployment has been tested on Cloud VM and is not tested on Bare-Metal Environment. Though, theoretically deployment should work  in bare metal,  provided hardware and software prerequisites are met. Kindly refer R3 - Test Documentation of Enterprise Applications on Lightweight 5G Telco Edge (EALTEdge) to get details on the tested deployment.

...

The number of Hardware requirements depends mainly on the Use Case Scenario and the enterprise scale. A use case can have one MECM Cluster  with single one or multiple MEC Host clusterHost clusters.

The minimum number of nodes required for a complete EALTEdge Topology is three. (Bare-Metal or Virtual Machines) 

...

Installation High-Level Overview

The blueprint provides single command one click deployment and command-line interface for installing the EALTEdge blueprint components.

...

NoUsage
1

Jump Host (One Click Deployment Node)

MECM (Controller)

3MEC Host (Edge Node)


All the nodes should have internet connectivity , network interface and network connectivity between the  VM's. 

...

Login to the Jump Host and perform the below configuration steps (Steps : as below-

1. Generate public key : #ssh-keygen

...

** Install in unsecured mode - Dev mode

root@akraino-mec-0002:~# ansible-playbook ealt-all.yml -i ealt-inventory.ini --tags "mecm" --extra-vars "operation=install mode=dev" 

...

root@akraino-mec-0002:~#cd ~/ealt-edge/ocd/infra/playbooks

Note: The CLI Commands to setup the environment should be executed only from above path.

3.  Edit the Configuration File : ealt-inventory.ini with the details of MECM and MEC Hosts. 

...

4. Execute the below command to install EALTEdge Environment 

In non secure mode

root@akraino-mec-0002:~#ealt init all 

or 

root@akraino-mec-0002:~#ealt init all --mode dev

In Secure Mode (TLS Enabled)

root@akraino-mec-0002:~#ealt init all --mode prod

Above command will install the various component. Above command will install the various component. Refer the below table for detail information. 

Other CLI Commands:

Command to Install only MECM Node.

root@akraino-mec-0002:~#ealt init mecmmanager

To Install MECM node in Secure Mode

root@akraino-mec-0002:~#ealt init mepmanager -m prod

Command to Install only MEC Host (MEP Node)

root@akraino-mec-0002:~#ealt init edge

or 

root@akraino-mec-0002:~#ealt init edge -m dev

MEC Host in Secure (TLS/HTTPS) Mode

root@akraino-mec-0002:~#ealt init edge -m prod

Following packages will be Following packages will be installed in the cluster in the respective nodes:-

MECM MECM  pkgs Docker, Kubernetes , Helm, Grafana, Calico, PostgresSQL and AppLCM.

MEC Host pkgs: Docker, K3S, Helm, RabbitMQ, Prometheus, CAdvisor, Kong, Vault, Cert-Manager , PostgresSQL, MEP Server and MEP Agent.

Deploying Application Packages : Using CLI

Precondition Prerequisite : The EALTEdge Environment should be installed.  One MECM and one MEC Host atleastat least.

Pre-configuration : Need to set the below parameters as environment variables on VM the Virtual Machine / Host  where EALTEdge CLI Command Line Interface tool  is being installed.

export ONBOARDPACKAGEPATH= <Path where Application CSAR Package is kept in the Node where CLI is running>
export MECMClusterIP=<IP of MECM Node> #IP of Node where MECM is installed.
export MECMClusterPort=30001 #(Node Port of applcm service running on MECM)

Command Supported:-
Application Package Management CLI Commands:

To enable HTTPS Mode while using CLI, additional configurations have to be done. The configurations are as follows:

export CertificateKeyFile=<Path of CA Cert>
export EALTSSLMode=1 #If need to disable https mode modify the flag to 0

export MECMClusterIP='edgegallery.org' #Map the DNS Name to the MECM IP in /etc/hosts file.


Command Supported:-

Application Package Management CLI Commands:
  1. Package On Boarding
  2. Package On Boarding : root@akraino-mec-0002:~#ealt app create -f "sample_app.csar "
  3. Package Info Query : root@akraino-mec-0002:~#ealt app info create -i "<package id number>f "sample_app.csar "
  4. Package DeleteInfo Query: root@akraino-mec-0002:~#ealt app info -i "<package id number>"
  5. Package Delete: root@akraino-mec-0002:~#ealt app delete -i "<package id number>"

...

root@akraino-mec-0002:~#ealt clean all 
root@akraino-mec-0002:~#ealt clean mecm
root@akraino-mec-0002:~#ealt clean mep


Vault documentation

**This document explains how to generate certificate by using vault and cert manager**
##Cluster Architecture
![](Vault_Cert_Arch)
##Make a cluster
##The Image try to put with reference to our environment, with reference to EALT Edge. Can make a picture where Vault will be running in MEC Host (as Root CA) , ##Cert Manager and Applications (App1, App2)
##1. Add helm repo
```
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault
```
##2. Generate root token and Unseal Key
```
kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=""
```
##Note: Root token we will use when we will login vault pod, Unseal Key and Root token will looks like below ex- 
##Unseal Key 1: QcTX47IacKidIjFWSrkGLiQG1fwaqoInEz0SqAZ7rMs=
##Initial Root Token: s.A0SXgscZxbCeJRd1AjsVzvUU

##Generated Unseal key need to put in below command then vault will start running as a pod
```
kubectl exec -ti vault-0 -- vault operator unseal <Unseal Key>
```
##Vault is initialised as a pod
##By using below command can login in vault pod
```
kubectl exec -it vault-0 -- /bin/sh
```
##Vault Initialisation and Configuration Steps
####Once we initialize the vault pod we get unseal key and root token, need to put the root token
```
vault login <root token>
```
##Enable the PKI secrets engine
##By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a ##different path, use the -path argument.
```
vault secrets enable pki
```
##Keep the value in sync with the comment. 30 days, Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short
```
vault secrets tune -default-lease-ttl=2160h -max-lease-ttl=87600h pki
```
##Configure a CA certificate and private key. It can generate ##its own self-signed root
## ealtedge.com is a your common_name or base url
```
vault write pki/root/generate/internal common_name=ealtedge.com ttl=8760h
```
##Update the CRL location and issuing certificates. These values can be updated in the future.
```
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
```
##It will allow your domain and subdomain
```
vault write pki/roles/my-role allowed_domains=ealtedge.com allow_subdomains=true max_ttl=8760h
```
##Generate a new credential by writing to the /issue endpoint with the name of the role
##The output will include a dynamically generated private key and certificate which corresponds to the ##given role
##The issuing CA and trust chain is also returned for automation simplicity
```
vault write pki/issue/my-role common_name=www.ealtedge.com
```

####Enabling AppRole in Vault
```
vault auth enable approle
```

##Writing vault policy
```
vault policy write pki-policy -<<EOF
path "pki*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
EOF
```
##Write Auth role
```
vault write auth/approle/role/my-role secret_id_ttl=8760h token_num_uses=0 token_ttl=2160h token_max_ttl=8760h secret_id_num_uses=0 policies=pki-policy
```
##Note:-
##my-role - is the role name
##secret_id_ttl - (Optional) The number of seconds after which any SecretID expires
##token_num_uses - (Optional) The period, if any, in number of seconds to set on the token
##token_ttl - (Optional) The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##token_max_ttl - (Optional) The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##secret_id_num_uses - (Optional) The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. ##A value of zero will allow unlimited uses.

##Read Auth role
##Here it will give you role id which you need to use in vault-approle-issuer.yml
```
vault read auth/approle/role/my-role/role-id
```
##Generate secret id
```
vault write -f auth/approle/role/my-role/secret-id
```
##By using above 2 command role id and secret id you need to pass in below command
```
vault write auth/approle/login role_id=<role-id> secret_id=<secret-id>
```
###########################
##If the command successful then vault configuration and authentication via approle is completed
###########################

##YAML files to be modified
##First execute below yaml file
```
kubectl apply -f cert-manager.yaml
```
##Need to replace with the latest secret id in base64 format by using below command
##Secret id already generate when we are executing vault command, need to use same secret id here
```
echo secret-id | base64
```
##The output of above command has to be replaced in the vault-apply-secret.yml file data.secretId
```
kubectl apply -f vault-apply-secret.yml
```
##No you will get one ip where your vault is running so that ip you can get by using below command
##Copy vault ip from below command
```
kubectl get svc
```
##Now vault ip and role id need to replace in vault-approle-issuer.yml file
##Role id already generated when we are executing vault commands
```
kubectl apply -f vault-approle-issuer.yml
```
##NOTE: spec.vault.server: IP here you need to change vault ip which you will get when u ren 'kubectl get svc'
##spec.vault.auth.roleId this is you need to replace and need to put latest role id which you get in 'vault read auth/approle/role/my-role/role-id'

##Then final we need to execute below yaml file
```
kubectl apply -f vault-cert-certificate.yml
```
#######################################
Certificate generate process completed
#######################################

##Now get ca certificate use below command
```
curl http://10.43.130.35:8200/v1/pki/ca/pem
```
##10.43.130.35 is your vault ip, need to replace with latest vault ip

Image Added


Kong documentation


**This document explains how to configure mep and kong**
##set up the EALT Environment. Refer the Installation Guide[Specify the installation guide wiki url]
##Mep will install as a pod

##First create setup by using below command server running in https
```
ansible-playbook ealt-all.yml -i ealt-inventory.ini --extra-vars "operation=install mode=prod"
```
##For http use below command
```
ansible-playbook ealt-all.yml -i ealt-inventory.ini --extra-vars "operation=install mode=dev"
```
##Mep will install as a pod
##MEP services will be running in the MEC Host (MEP)
##Check the mep running or not use below command
```
kubectl get po -n mep
```
##Output -
![](mep1)
```
kubectl get svc -n mep
```
##Output -
![](mep2)
##Configure Kong
##HTTPS Env - Rest API request Adding Services and Adding Route in Kong API Gateway
```
https://www.ealtedge.org:30012/services
https://www.ealtedge.org:30012/routes
```
##DNS mapping should be done correctly

##HTTPS Env - Rest API request deleting route and services
```
https://www.ealtedge.org:30012/services/http-mp1
https://www.ealtedge.org:30012/routes/mp1
```
##HTTP Env - Rest API request Adding Services and Adding Route in Kong API Gateway
```
http://www.ealtedge.org:30011/services
http://www.ealtedge.org:30011/routes
```
##DNS mapping should be done correctly

##HTTP Env - Rest API request deleting route and services
```
http://www.ealtedge.org:30011/services/http-mp1
http://www.ealtedge.org:30011/routes/mp1
```

##To verify the configurations done in Kong.
##Trigger the below Rest API

##In HTTP mode.
```
http://www.ealtedge.org:30010/mp1/mep/mec_service_mgmt/v1/applications/id123456/services
```
##In HTTPS Mode
```
https://www.ealtedge.org:30011/mp1/mep/mec_service_mgmt/v1/applications/id123456/services
```

##Get certificate from MEP server
##Login MEP server
```
cd /tmp/mepserver/deploy/
```
##Given path you will get all required certificates
```
ca.crt
tls.key
tls.crt
```
##ca.crt client certificate
##tls.key is a server key
##tls.crt server certificate

Image AddedImage Added

Troubleshooting

Error Message Guide

N/A

Maintenance

...