Overview (Eureka)
Installation process
The Eureka installation process consists of the following parts:
Infrastructure creation. In this step you prepare the infrastructure where the services will run. The services themselves can run on any platform: a Kubernetes cluster, ECS clusters, on-premise servers, and so on. You also need to prepare the OpenSearch/Elasticsearch cluster, the PostgreSQL database, and the Kafka instance. These are the prerequisites for the Eureka setup.
The Eureka platform consists of the following components: Kong, Keycloak, the management modules, and a set of applications. Applications are divided according to the functionality they offer and contain a variety of services.
Deploy Kong and Keycloak as soon as your infrastructure is prepared. The management components (mgr-tenants, mgr-applications, and mgr-tenant-entitlements) can then be deployed. You can begin working with applications as soon as those services are in place.
Applications and their versions can be found <URL>. You can also generate your own version of an application; for that, use a template such as app-platform-minimal.
Verify the applications' validity and compatibility against the list of versions. After that, you can register and deploy the applications.
After the deployment step, make sure that all services are stable and healthy. If some of them are not ready, the entitlement process will fail.
Next step: tenant creation. One of the steps invoked during tenant creation is application entitlement; in this step mgr-tenant-entitlements enables the modules.
Once all applications are entitled, create users in the new tenant to work with it. Users require permissions. To grant permissions to a user, create a role entity in Keycloak and assign the capabilities you need to it; then assign the role to the user.
UI creation. Create a bundle with the UI modules. Versions should be taken from the application descriptors.
Your environment should now be ready. Perform manual validation to make sure that the functionality works as expected.
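The deployment step above says to proceed to entitlement only when every service is healthy. The following is an added example (not part of the Eureka documentation or of any FOLIO repository) of a readiness gate that polls each module's health endpoint and refuses to continue while any module is down or unreachable. It assumes the modules expose a Spring Boot style health endpoint at /admin/health returning JSON with a top-level "status" field; the path, the module URLs, and the timeout are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the Eureka documentation: a readiness gate to run
# between "deploy applications" and "entitle applications". Assumptions: every
# module exposes a Spring Boot style health endpoint that returns JSON with a
# top-level "status" field, and the path is /admin/health (override HEALTH_PATH).
set -u

HEALTH_PATH="${HEALTH_PATH:-/admin/health}"

# Extract the first "status" value from a health JSON body. The aggregate
# status is the first one in Spring Boot's health output; component statuses
# follow it. Prints nothing if the body is not a health document.
health_status() {
  printf '%s' "$1" \
    | grep -o '"status"[[:space:]]*:[[:space:]]*"[A-Z_]*"' \
    | head -n 1 \
    | sed 's/.*"\([A-Z_]*\)"$/\1/'
}

# Evaluate "name=status" pairs. Lists every module that is not UP on stderr
# and returns 1 if there is at least one, otherwise 0.
all_up() {
  local rc=0 pair
  for pair in "$@"; do
    case "${pair#*=}" in
      UP) ;;
      *) echo "not ready: ${pair%%=*} (${pair#*=})" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Poll the live endpoints until all report UP or the timeout (seconds) expires.
# A module that cannot be reached counts as not ready rather than being skipped.
wait_all_healthy() {
  local timeout="$1"; shift
  local deadline=$(( $(date +%s) + timeout ))
  local url body status pending
  while :; do
    pending=()
    for url in "$@"; do
      body=$(curl -sS --max-time 5 "$url$HEALTH_PATH" 2>/dev/null) || body=""
      status=$(health_status "$body")
      pending+=("$url=${status:-UNREACHABLE}")
    done
    if all_up "${pending[@]}"; then
      echo "all modules UP; safe to start entitlement"
      return 0
    fi
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out: do not start entitlement" >&2
      return 1
    fi
    sleep 10
  done
}

# Usage: ./wait-healthy.sh 300 http://mod-users:8081 http://mod-graphql:8081 ...
if [ "$#" -ge 2 ]; then
  wait_all_healthy "$@"
fi
```

Run it with the timeout followed by the base URLs of every module in the application set; wire its exit code into the automation so that the entitlement request is only sent on success. Treating an unreachable module as "not ready" is deliberate: a module whose container has not started yet would otherwise be skipped and the entitlement would fail later for that module.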
DNS Configuration
DNS configuration is divided into two parts, public and private. Public DNS names are used for communication from outside (browsers and API clients), while private DNS is used mostly for service-to-service communication.
Info: public DNS should contain the following:
Kong URL.
Keycloak URL.
Tenant URL (for each tenant).
Info: private zones contain the following:
Manager component endpoints (mgr-tenants, mgr-applications, mgr-tenant-entitlements).
DB endpoint.
OpenSearch endpoint.
Kafka endpoint.
Kong endpoint (private endpoint for service communication).
Keycloak endpoint (private endpoint for service communication).
Each module should also have its own DNS entry in the private zone.
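To turn the two lists above into a check, here is an added example (not part of the Eureka documentation or of the FOLIO project) that enumerates the expected public and private names and verifies that each resolves from a host inside the service network. The domain names, the module list, and the hostname scheme (kong.<public-domain>, <tenant>.<public-domain>, <module>.<private-domain>) are assumptions; adjust them to the names used in your zones.

```bash
#!/usr/bin/env bash
# Added example, not part of the Eureka documentation: enumerate the public and
# private DNS names listed above and verify that each one resolves from the host
# where the services run. The naming scheme, domains, and module list are
# assumptions (placeholders); substitute the names used in your zones.
set -u

PUBLIC_DOMAIN="${PUBLIC_DOMAIN:-folio.example.org}"
PRIVATE_DOMAIN="${PRIVATE_DOMAIN:-eureka.internal}"

# Print the required records, one per line, as "<zone>|<fqdn>".
# $1: space-separated tenant names, $2: space-separated module names
required_records() {
  local t m
  printf 'public|kong.%s\n' "$PUBLIC_DOMAIN"
  printf 'public|keycloak.%s\n' "$PUBLIC_DOMAIN"
  for t in $1; do printf 'public|%s.%s\n' "$t" "$PUBLIC_DOMAIN"; done
  for m in mgr-tenants mgr-applications mgr-tenant-entitlements \
           db opensearch kafka kong keycloak $2; do
    printf 'private|%s.%s\n' "$m" "$PRIVATE_DOMAIN"
  done
}

# Resolve through the system resolver (getent), i.e. the same path the
# services use, rather than querying one specific DNS server with dig.
resolves() { getent hosts "$1" >/dev/null 2>&1; }

# Check every record. Prints one line per record and exits with the number of
# missing records, so 0 means the zones are complete. RESOLVER can be pointed
# at another resolver function (used by tests, or to wrap dig against a zone).
check_records() {
  required_records "$1" "$2" | {
    missing=0
    while IFS='|' read -r zone name; do
      if "${RESOLVER:-resolves}" "$name"; then
        echo "ok      $zone  $name"
      else
        echo "MISSING $zone  $name" >&2
        missing=$((missing + 1))
      fi
    done
    exit "$missing"
  }
}

# Usage: ./check-dns.sh "diku tenant2" "mod-users mod-graphql mod-consortia-keycloak"
if [ "$#" -eq 2 ]; then
  check_records "$1" "$2"
fi
```

Run it once from a host on the public side and once from inside the service network: a public name that only resolves privately, or a private name that leaks into the public zone, shows up as a mismatch between the two runs. Because getent follows the host's own resolver configuration, the result reflects what the modules will actually see rather than what a particular authoritative server answers.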
TLS/SSL Certificates
Eureka components can work with encryption in transit. Encryption in transit defends your data, after a connection is established and authenticated, against potential attackers by:
Removing the need to trust the lower layers of the network, which are commonly provided by third parties.
Reducing the potential attack surface.
Preventing attackers from accessing data if communications are intercepted.
Connections to components such as Kong, Keycloak, the manager components, and sidecars require additional configuration. To run applications in TLS mode, update the configuration of the modules and the environment values.
For example, mgr-tenants requires configuration of the module itself (its own keystore). It also communicates with the Keycloak service, so you must provide it with Keycloak truststore information, which tells the module which certificate to trust for that connection. Keystore and truststore passwords are secrets: inject them from your secret manager rather than writing them into task definitions or manifests.
SSL configuration environment variables
Name | Default value | Required | Description |
---|---|---|---|
SERVER_PORT | 8081 | false | Server HTTP port. Must be set explicitly when SSL is enabled. |
SERVER_SSL_ENABLED | false | false | Server mode: set to true to serve HTTPS instead of plain HTTP. |
SERVER_SSL_KEY_STORE | - | false | Path to the keystore. Mandatory when SERVER_SSL_ENABLED is true. |
SERVER_SSL_KEY_STORE_TYPE | BCFKS | false | Type of the keystore. BCFKS (Bouncy Castle FIPS keystore) by default. |
SERVER_SSL_KEY_STORE_PROVIDER | BCFIPS | false | Provider of the keystore. |
SERVER_SSL_KEY_STORE_PASSWORD | - | false | Password for the keystore. |
SERVER_SSL_KEY_PASSWORD | - | false | Password for the key inside the keystore. |
Keycloak-specific environment variables
Name | Default value | Required | Description |
---|---|---|---|
KC_CLIENT_TLS_ENABLED | - | false | Enables TLS for Keycloak clients (the module's outbound connections to Keycloak). |
KC_CLIENT_TLS_TRUSTSTORE_PATH | - | false | Truststore file path for Keycloak clients. |
KC_CLIENT_TLS_TRUSTSTORE_PASSWORD | - | false | Truststore password for Keycloak clients. |
KC_CLIENT_TLS_TRUSTSTORE_TYPE | - | false | Truststore file type for Keycloak clients. |
More detailed information can be found on each component's GitHub page (for example, mgr-tenants).
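The two tables above describe the variables but not how the keystore, the truststore, and the environment fit together for one module. The following is an added example (not part of the Eureka documentation or of any FOLIO repository) that creates a BCFKS keystore for mgr-tenants and a BCFKS truststore holding the Keycloak certificate with keytool and the Bouncy Castle FIPS provider, prints the matching environment block, and checks a live environment for the conditional requirements in the tables (keystore mandatory once SSL is on, explicit port, truststore present when Keycloak client TLS is on). The jar path, hostnames, directories, alias names, and the self-signed server certificate are assumptions; in production the server certificate comes from your CA.

```bash
#!/usr/bin/env bash
# Added example, not part of the Eureka documentation or any FOLIO repository.
# Builds the BCFKS keystore and truststore the tables above refer to, prints
# the matching environment block for mgr-tenants, and checks that a live
# environment is consistent before the module is started. The jar path, host
# names, directories and alias names are placeholders (assumptions).
set -u

BC_FIPS_JAR="${BC_FIPS_JAR:-/opt/eureka/lib/bc-fips.jar}"
TLS_DIR="${TLS_DIR:-/etc/eureka/tls}"
HOST="${HOST:-mgr-tenants.eureka.internal}"

# keytool switches that select a BCFKS store backed by the BCFIPS provider,
# matching SERVER_SSL_KEY_STORE_TYPE=BCFKS / SERVER_SSL_KEY_STORE_PROVIDER=BCFIPS.
BC_OPTS=(-storetype BCFKS -providername BCFIPS
  -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
  -providerpath "$BC_FIPS_JAR")

# Server key pair for mgr-tenants (self-signed here; use a CA-issued cert in
# production) and a truststore that holds only the Keycloak certificate, so the
# module trusts that endpoint and nothing else. Passwords come from the env.
make_keystores() {
  local kc_cert="${1:?path to the Keycloak PEM certificate}"
  keytool -genkeypair -alias mgr-tenants -keyalg RSA -keysize 3072 -validity 365 \
    -dname "CN=$HOST" -ext "SAN=dns:$HOST" "${BC_OPTS[@]}" \
    -keystore "$TLS_DIR/mgr-tenants.bcfks" \
    -storepass "$SERVER_SSL_KEY_STORE_PASSWORD" -keypass "$SERVER_SSL_KEY_PASSWORD"
  keytool -importcert -noprompt -alias keycloak -file "$kc_cert" "${BC_OPTS[@]}" \
    -keystore "$TLS_DIR/keycloak-truststore.bcfks" \
    -storepass "$KC_CLIENT_TLS_TRUSTSTORE_PASSWORD"
}

# Environment block for mgr-tenants. Passwords are secrets: inject them from
# your secret manager instead of writing them into the task definition.
print_env_template() {
  cat <<EOF
SERVER_PORT=8443
SERVER_SSL_ENABLED=true
SERVER_SSL_KEY_STORE=$TLS_DIR/mgr-tenants.bcfks
SERVER_SSL_KEY_STORE_TYPE=BCFKS
SERVER_SSL_KEY_STORE_PROVIDER=BCFIPS
SERVER_SSL_KEY_STORE_PASSWORD=<from secret store>
SERVER_SSL_KEY_PASSWORD=<from secret store>
KC_CLIENT_TLS_ENABLED=true
KC_CLIENT_TLS_TRUSTSTORE_PATH=$TLS_DIR/keycloak-truststore.bcfks
KC_CLIENT_TLS_TRUSTSTORE_PASSWORD=<from secret store>
KC_CLIENT_TLS_TRUSTSTORE_TYPE=BCFKS
EOF
}

# Fail fast on the combinations the tables mark as conditional: a keystore is
# mandatory once SSL is on, the port must be set explicitly, and a Keycloak
# client with TLS on needs a truststore it can open.
check_tls_env() {
  local bad=0
  need() { [ -n "${!1:-}" ] || { echo "$1 must be set: $2" >&2; bad=1; }; }
  if [ "${SERVER_SSL_ENABLED:-false}" = true ]; then
    need SERVER_SSL_KEY_STORE "mandatory when SERVER_SSL_ENABLED=true"
    need SERVER_SSL_KEY_STORE_PASSWORD "keystore cannot be opened without it"
    need SERVER_PORT "specify the HTTPS port explicitly when SSL is enabled"
  fi
  if [ "${KC_CLIENT_TLS_ENABLED:-false}" = true ]; then
    need KC_CLIENT_TLS_TRUSTSTORE_PATH "Keycloak calls would fail TLS verification"
    need KC_CLIENT_TLS_TRUSTSTORE_PASSWORD "truststore cannot be opened without it"
  fi
  return "$bad"
}

# Usage: ./tls-setup.sh keystores /path/to/keycloak.crt
#        ./tls-setup.sh env > mgr-tenants.env
#        ./tls-setup.sh check   (with the module's environment loaded)
case "${1:-}" in
  keystores) make_keystores "${2:-}" ;;
  env)       print_env_template ;;
  check)     check_tls_env ;;
esac
```

The truststore deliberately contains only the Keycloak certificate (or its issuing CA) rather than a copy of the system bundle, so a compromised public CA cannot be used to impersonate Keycloak towards the manager. Run the check subcommand in the container entrypoint before the JVM starts: a missing keystore or truststore then fails the task immediately with a clear message instead of surfacing later as a TLS handshake error during entitlement.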
Common Issues:
Info: Capabilities issue
After the entitlement process, the next step is to create users. If you perform this step with automation, the creation of some capabilities might still be in progress, and if you try to assign those capabilities to users they may simply not exist in the system yet. Before creating users, make sure that the capability creation process has finished. You can do that by checking the Kafka topics: verify that the topic named <clusterName>.<tenantName>.mgr-tenant-entitlements.capability has no unconsumed messages (no consumer lag).
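As an added example of the check described in this note (not part of the Eureka documentation or of the FOLIO project), the script below reads the output of kafka-consumer-groups.sh --describe, sums the lag on the tenant's capability topic, and blocks user creation until it is zero. The Kafka CLI location, the bootstrap address, and GROUP (the consumer group of the service that reads the capability topic) are deployment-specific placeholders; the sample describe output in the test is constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Eureka documentation: gate user creation on
# the capability topic being fully consumed, as the note above recommends.
# Assumptions (placeholders for your deployment): the Kafka CLI location
# (KAFKA_BIN), the bootstrap address, and GROUP, the consumer group of the
# service that reads the capability topic. The topic name follows the pattern
# <clusterName>.<tenantName>.mgr-tenant-entitlements.capability from the text.
set -u

KAFKA_BIN="${KAFKA_BIN:-/opt/kafka/bin}"
BOOTSTRAP="${BOOTSTRAP:-kafka.eureka.internal:9092}"
GROUP="${GROUP:-capability-consumer}"

capability_topic() { printf '%s.%s.mgr-tenant-entitlements.capability\n' "$1" "$2"; }

# Sum the LAG column of `kafka-consumer-groups.sh --describe` output (stdin)
# for one topic. Prints the total lag, or "unknown" when the topic is absent
# from the output or a partition has no committed offset yet (LAG shown as "-"):
# both mean the consumer has not caught up, so neither is treated as settled.
topic_lag() {
  awk -v topic="$1" '
    NR > 1 && $2 == topic {
      seen = 1
      if ($6 == "-") unknown = 1; else lag += $6
    }
    END { if (!seen || unknown) print "unknown"; else print lag + 0 }'
}

# Returns 0 only when every partition of the tenant's capability topic has been
# consumed; stdin is the describe output, $1 cluster name, $2 tenant name.
capabilities_settled() {
  local lag
  lag=$(topic_lag "$(capability_topic "$1" "$2")")
  if [ "$lag" = 0 ]; then
    return 0
  fi
  echo "capability processing still in progress for tenant $2 (lag: $lag)" >&2
  return 1
}

# Live check: poll the cluster until settled or until $3 seconds have passed.
wait_capabilities() {
  local deadline=$(( $(date +%s) + $3 ))
  while :; do
    "$KAFKA_BIN/kafka-consumer-groups.sh" --bootstrap-server "$BOOTSTRAP" \
      --describe --group "$GROUP" | capabilities_settled "$1" "$2" && return 0
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 5
  done
}

# Usage: ./wait-capabilities.sh folio diku 600 && ./create-users.sh
if [ "$#" -eq 3 ]; then
  wait_capabilities "$@"
fi
```

Consumer lag, rather than the raw message count on the topic, is the right signal: Kafka keeps consumed messages until retention expires, so a topic "with no messages" is rarely what you can observe, while zero lag means every capability event published for the tenant has been processed. A partition that shows "-" for LAG has not been read at all yet and is treated as not settled for the same reason.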
Info: RAML modules issue for the mod-graphql service
For the graphql module, you need to provide the RAML_MODULES environment variable. Without it, the module cannot pull the information it needs and will not start. If the mod-graphql service is not stable, applications will not be entitled successfully. Make sure the variable is set correctly for mod-graphql.
Warning: Issue with enabling an application
Depending on the applications you have provided, several issues can occur during the entitlement process.
Some modules are not stable: if one or several modules are not healthy, the entitlement process fails. Fix the errors inside the modules.
Incompatible versions: every application has its own dependencies. If the provided application versions are not compatible, you will see a validation error in the logs.
Dependency issues: different versions of applications might have incompatible versions of interfaces. Check that you have specified the correct versions of the applications.
Module-specific issues: during the enable process an individual module can fail on its own, for example because of migration problems from one version to the next. Fix the error for that particular module and restart the entitlement process.
Info: Hardcoded mod-users version in the sidecar (mod-consortia-keycloak)
The mod-consortia-keycloak service must have an environment variable with the mod-users version. If the version of the mod-users service was updated but the sidecar's task definition was not, mod-consortia-keycloak can fail during the enable process. If you encounter issues during entitlement for mod-consortia-keycloak, update the mod-users version in its configuration.