Versions Compared

Old Version 28

changes.mady.by.user Vidyashree Rama

Saved on

compared with

New Version Current

changes.mady.by.user Arvind Patel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

root@akraino-mec-0002:~#cd ~/ealt-edge/ocd/infra/playbooks

Note: The CLI Commands to setup the environment should be executed only from above path.

3.  Edit the Configuration File : ealt-inventory.ini with the details of MECM and MEC Hosts. 

...

4. Execute the below command to install EALTEdge Environment 

In non secure mode

root@akraino-mec-0002:~#ealt init all 

or 

root@akraino-mec-0002:~#ealt init all --mode dev

In Secure Mode (TLS Enabled)

root@akraino-mec-0002:~#ealt init all --mode prod

Above command will install the various component. Refer the below table for detail information. 

Other CLI Commands:

Command to Install only MECM Node.

root@akraino-mec-0002:~#ealt init mecmmanager

To Install MECM node in Secure Mode

root@akraino-mec-0002:~#ealt init mep

Following packages will be installed in the cluster in the respective nodes:-

MECM  pkgs:  Docker, Kubernetes , Helm, Grafana, Calico, PostgresSQL and AppLCM.

MEC Host pkgs: Docker, K3S, Helm, RabbitMQ, Prometheus, CAdvisor, Kong, Vault, Cert-Manager , PostgresSQL, MEP Server and MEP Agent.

Deploying Application Packages : Using CLI

Prerequisite : The EALTEdge Environment should be installed.  One MECM and one MEC Host atleast.

Pre-configuration : Need to set the below parameters as environment variables on VM where EALTEdge CLI is being installed.

export ONBOARDPACKAGEPATH= <Path where Application CSAR Package is kept in the Node where CLI is running>
export MECMClusterIP=<IP of MECM Node> #IP of Node where MECM is installed.
export MECMClusterPort=30001 #(Node Port of applcm service running on MECM)

To enable HTTPS Mode while using CLI, additional configurations have to be done. The configurations are as follows:

export CertificateKeyFile=<Path of CA Cert>
export EALTSSLMode=1 #If need to disable https mode modify the flag to 0

export MECMClusterIP='edgegallery.org' #Map the DNS Name to the MECM IP in /etc/hosts file.

...

manager -m prod

Command to Install only MEC Host (MEP Node)

root@akraino-mec-0002:~#ealt init edge

or 

root@akraino-mec-0002:~#ealt init edge -m dev

MEC Host in Secure (TLS/HTTPS) Mode

root@akraino-mec-0002:~#ealt init edge -m prod

Following packages will be installed in the cluster in the respective nodes:-

MECM  pkgs:  Docker, Kubernetes , Helm, Grafana, Calico, PostgresSQL and AppLCM.

MEC Host pkgs: Docker, K3S, Helm, RabbitMQ, Prometheus, CAdvisor, Kong, Vault, Cert-Manager , PostgresSQL, MEP Server and MEP Agent.

Deploying Application Packages : Using CLI

Prerequisite : The EALTEdge Environment should be installed.  One MECM and one MEC Host at least.

Pre-configuration : Need to set the below parameters as environment variables on the Virtual Machine / Host  where EALTEdge Command Line Interface tool  is being installed.

export ONBOARDPACKAGEPATH= <Path where Application CSAR Package is kept in the Node where CLI is running>
export MECMClusterIP=<IP of MECM Node> #IP of Node where MECM is installed.
export MECMClusterPort=30001 #(Node Port of applcm service running on MECM)

To enable HTTPS Mode while using CLI, additional configurations have to be done. The configurations are as follows:

export CertificateKeyFile=<Path of CA Cert>
export EALTSSLMode=1 #If need to disable https mode modify the flag to 0

export MECMClusterIP='edgegallery.org' #Map the DNS Name to the MECM IP in /etc/hosts file.


Command Supported:-

Application Package Management CLI Commands:
  1. Package On Boarding

...

Application Package Management CLI Commands:
  1. Package On Boarding : root@akraino-mec-0002:~#ealt app create -f "sample_app.csar "
  2. Package Info Query: root@akraino-mec-0002:~#ealt app info -i "<package id number>"
  3. Package Delete : root@akraino-mec-0002:~#ealt app create -f "sample_app.csar "
  4. Package Info Query: root@akraino-mec-0002:~#ealt app info -i "<package id number>"
  5. Package Delete: root@akraino-mec-0002:~#ealt app delete -i "<package id number>"

...


root@akraino-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --extra-vars "operation=uninstall"
root@akraino-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --tags "infra" --extra-vars "operation=uninstall"
root@akraino-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --tags "mecm" --extra-vars "operation=uninstall"
root@akraino-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --tags "mep" --extra-vars "operation=uninstall"

Using CLI

-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --tags "mecm" --extra-vars "operation=uninstall"
root@akraino-mec-0002:~#ansible-playbook ealt-all-uninstall.yml -i ealt-inventory.ini --tags "mep" --extra-vars "operation=uninstall"

Using CLI

root@akraino-mec-0002:~#ealt clean all 
root@akraino-mec-0002:~#ealt clean mecm
root@akraino-mec-0002:~#ealt clean mep


Vault documentation

**This document explains how to generate certificate by using vault and cert manager**
##Cluster Architecture
![](Vault_Cert_Arch)
##Make a cluster
##The Image try to put with reference to our environment, with reference to EALT Edge. Can make a picture where Vault will be running in MEC Host (as Root CA) , ##Cert Manager and Applications (App1, App2)
##1. Add helm repo
```
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault
```
##2. Generate root token and Unseal Key
```
kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=""
```
##Note: Root token we will use when we will login vault pod, Unseal Key and Root token will looks like below ex- 
##Unseal Key 1: QcTX47IacKidIjFWSrkGLiQG1fwaqoInEz0SqAZ7rMs=
##Initial Root Token: s.A0SXgscZxbCeJRd1AjsVzvUU

##Generated Unseal key need to put in below command then vault will start running as a pod
```
kubectl exec -ti vault-0 -- vault operator unseal <Unseal Key>
```
##Vault is initialised as a pod
##By using below command can login in vault pod
```
kubectl exec -it vault-0 -- /bin/sh
```
##Vault Initialisation and Configuration Steps
####Once we initialize the vault pod we get unseal key and root token, need to put the root token
```
vault login <root token>
```
##Enable the PKI secrets engine
##By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a ##different path, use the -path argument.
```
vault secrets enable pki
```
##Keep the value in sync with the comment. 30 days, Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short
```
vault secrets tune -default-lease-ttl=2160h -max-lease-ttl=87600h pki
```
##Configure a CA certificate and private key. It can generate ##its own self-signed root
## ealtedge.com is a your common_name or base url
```
vault write pki/root/generate/internal common_name=ealtedge.com ttl=8760h
```
##Update the CRL location and issuing certificates. These values can be updated in the future.
```
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
```
##It will allow your domain and subdomain
```
vault write pki/roles/my-role allowed_domains=ealtedge.com allow_subdomains=true max_ttl=8760h
```
##Generate a new credential by writing to the /issue endpoint with the name of the role
##The output will include a dynamically generated private key and certificate which corresponds to the ##given role
##The issuing CA and trust chain is also returned for automation simplicity
```
vault write pki/issue/my-role common_name=www.ealtedge.com
```

####Enabling AppRole in Vault
```
vault auth enable approle
```

##Writing vault policy
```
vault policy write pki-policy -<<EOF
path "pki*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
EOF
```
##Write Auth role
```
vault write auth/approle/role/my-role secret_id_ttl=8760h token_num_uses=0 token_ttl=2160h token_max_ttl=8760h secret_id_num_uses=0 policies=pki-policy
```
##Note:-
##my-role - is the role name
##secret_id_ttl - (Optional) The number of seconds after which any SecretID expires
##token_num_uses - (Optional) The period, if any, in number of seconds to set on the token
##token_ttl - (Optional) The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##token_max_ttl - (Optional) The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##secret_id_num_uses - (Optional) The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. ##A value of zero will allow unlimited uses.

##Read Auth role
##Here it will give you role id which you need to use in vault-approle-issuer.yml
```
vault read auth/approle/role/my-role/role-id
```
##Generate secret id
```
vault write -f auth/approle/role/my-role/secret-id
```
##By using above 2 command role id and secret id you need to pass in below command
```
vault write auth/approle/login role_id=<role-id> secret_id=<secret-id>
```
###########################
##If the command successful then vault configuration and authentication via approle is completed
###########################

##YAML files to be modified
##First execute below yaml file
```
kubectl apply -f cert-manager.yaml
```
##Need to replace with the latest secret id in base64 format by using below command
##Secret id already generate when we are executing vault command, need to use same secret id here
```
echo secret-id | base64
```
##The output of above command has to be replaced in the vault-apply-secret.yml file data.secretId
```
kubectl apply -f vault-apply-secret.yml
```
##No you will get one ip where your vault is running so that ip you can get by using below command
##Copy vault ip from below command
```
kubectl get svc
```
##Now vault ip and role id need to replace in vault-approle-issuer.yml file
##Role id already generated when we are executing vault commands
```
kubectl apply -f vault-approle-issuer.yml
```
##NOTE: spec.vault.server: IP here you need to change vault ip which you will get when u ren 'kubectl get svc'
##spec.vault.auth.roleId this is you need to replace and need to put latest role id which you get in 'vault read auth/approle/role/my-role/role-id'

##Then final we need to execute below yaml file
```
kubectl apply -f vault-cert-certificate.yml
```
#######################################
Certificate generate process completed
#######################################

##Now get ca certificate use below command
```
curl http://10.43.130.35:8200/v1/pki/ca/pem
```
##10.43.130.35 is your vault ip, need to replace with latest vault ip

Image Added


Kong documentation


**This document explains how to configure mep and kong**
##set up the EALT Environment. Refer the Installation Guide[Specify the installation guide wiki url]
##Mep will install as a pod

##First create setup by using below command server running in https
```
ansible-playbook ealt-all.yml -i ealt-inventory.ini --extra-vars "operation=install mode=prod"
```
##For http use below command
```
ansible-playbook ealt-all.yml -i ealt-inventory.ini --extra-vars "operation=install mode=dev"
```
##Mep will install as a pod
##MEP services will be running in the MEC Host (MEP)
##Check the mep running or not use below command
```
kubectl get po -n mep
```
##Output -
![](mep1)
```
kubectl get svc -n mep
```
##Output -
![](mep2)
##Configure Kong
##HTTPS Env - Rest API request Adding Services and Adding Route in Kong API Gateway
```
https://www.ealtedge.org:30012/services
https://www.ealtedge.org:30012/routes
```
##DNS mapping should be done correctly

##HTTPS Env - Rest API request deleting route and services
```
https://www.ealtedge.org:30012/services/http-mp1
https://www.ealtedge.org:30012/routes/mp1
```
##HTTP Env - Rest API request Adding Services and Adding Route in Kong API Gateway
```
http://www.ealtedge.org:30011/services
http://www.ealtedge.org:30011/routes
```
##DNS mapping should be done correctly

##HTTP Env - Rest API request deleting route and services
```
http://www.ealtedge.org:30011/services/http-mp1
http://www.ealtedge.org:30011/routes/mp1
```

##To verify the configurations done in Kong.
##Trigger the below Rest API

##In HTTP mode.
```
http://www.ealtedge.org:30010/mp1/mep/mec_service_mgmt/v1/applications/id123456/services
```
##In HTTPS Mode
```
https://www.ealtedge.org:30011/mp1/mep/mec_service_mgmt/v1/applications/id123456/services
```

##Get certificate from MEP server
##Login MEP server
```
cd /tmp/mepserver/deploy/
```
##Given path you will get all required certificates
```
ca.crt
tls.key
tls.crt
```
##ca.crt client certificate
##tls.key is a server key
##tls.crt server certificate

Image AddedImage Addedroot@akraino-mec-0002:~#ealt clean all 
root@akraino-mec-0002:~#ealt clean mecm
root@akraino-mec-0002:~#ealt clean mep

Troubleshooting

Error Message Guide

N/A

Maintenance

...