Overview (Eureka)

Installation process

The Eureka installation process consists of the following parts:

  • Infrastructure creation. In this step you prepare the infrastructure the services will run on. The services themselves can run on any platform: a Kubernetes cluster, ECS clusters, on-premise servers, etc. You also need to provision an OpenSearch/Elasticsearch cluster, a PostgreSQL database and a Kafka instance; these are the prerequisites for the Eureka setup.

  • The Eureka platform consists of the following components: Kong, Keycloak, the management modules and a set of applications. Applications are grouped by the functionality they offer, and each contains a number of services (modules).

  • Deploy the Kong and Keycloak components as soon as the infrastructure is ready. The management components (mgr-tenants, mgr-applications and mgr-tenant-entitlements) can then be deployed. Once those services are in place you can start working with applications.

  • Applications and their versions can be found at <URL>. You can also generate your own application version from a template such as app-platform-minimal.

  • Verify the validity and compatibility of the applications against the list of versions. After that you can register and deploy the applications.

  • After deployment, make sure that all services are stable and healthy. If any of them is not ready, the entitlement process will fail.

  • Next step: tenant creation. One of the steps called during tenant creation is application entitlement; in this step mgr-tenant-entitlements enables the modules for the tenant.

  • Once all applications are entitled, create users in the new tenant. Users need permissions: create a role in Keycloak, assign the capabilities you need to that role, and then assign the role to the user.

  • UI creation. Build a bundle of UI modules; take the module versions from the application descriptors.

  • Your environment should now be ready. Perform manual validation to make sure the functionality works as expected.

DNS Configuration

Required DNS records

Examples

TLS/SSL Certificates

Obtaining certificates

Configuring certificates

Common Issues (Kitfox/FSE)

Troubleshooting hostname resolution

...

DNS configuration is divided into two parts: public and private.

Public DNS names are used for external (client-facing) communication, while private DNS is mostly used for communication between services.

Info

Public DNS should contain the following records:

  • Kong URL.

  • Keycloak URL.

  • Tenant URL (one for each tenant).

Info

Private zones contain the following records:

  • Manager components.

  • DB endpoint.

  • OpenSearch endpoint.

  • Kafka endpoint.

  • Kong endpoint (private endpoint for service communication).

  • Keycloak endpoint (private endpoint for service communication).

  • One DNS entry for each module.
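As an added example (not part of the Eureka project), the following POSIX shell script resolves every required public and private name with the system resolver and reports the ones that are missing, so a DNS problem is found before the entitlement process runs into it. The host names (example.org for the public zone, folio.internal for the private zone) are constructed placeholders and the function name is my own.

```shell
#!/bin/sh
# Resolve every required DNS name and report the ones that are missing.
# Added example, not part of Eureka; the host names below are constructed
# placeholders (example.org for the public zone, folio.internal for the
# private zone) and must be replaced with your own records.

# check_dns ZONE NAME...: resolve each NAME with the system resolver (getent),
# print one line per name, return 0 if all resolve and 1 otherwise.
check_dns() {
    zone=$1; shift
    missing=0
    for name in "$@"; do
        # First column of `getent hosts` is the resolved address.
        addr=$(getent hosts "$name" 2>/dev/null | awk 'NR == 1 { print $1 }')
        if [ -n "$addr" ]; then
            echo "ok       $zone $name -> $addr"
        else
            echo "MISSING  $zone $name" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Public zone: Kong, Keycloak and one name per tenant (constructed names).
public_names="kong.example.org keycloak.example.org diku.example.org"

# Private zone: manager components, backing services, the private Kong and
# Keycloak endpoints and one entry per module (constructed names).
private_names="mgr-tenants.folio.internal mgr-applications.folio.internal \
mgr-tenant-entitlements.folio.internal db.folio.internal opensearch.folio.internal \
kafka.folio.internal kong.folio.internal keycloak.folio.internal mod-users.folio.internal"

# Usage: run from a host inside the private network, where both zones are
# visible (word splitting of the lists is intended):
#   check_dns public  $public_names
#   check_dns private $private_names
```

Run the public list a second time from outside the private network as well: the private names (DB, OpenSearch, Kafka, the private Kong and Keycloak endpoints, the modules) should fail to resolve there, because a backing-service name that also resolves on a public resolver exposes an endpoint that was never meant to be reachable from the internet.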

TLS/SSL Certificates

Eureka components support encryption in transit. Once a connection is established and authenticated, encryption in transit protects your data against potential attackers by:

  • Removing the need to trust the lower layers of the network, which are commonly provided by third parties.

  • Reducing the potential attack surface.

  • Preventing attackers from reading the data if the communication is intercepted.

Connections to components such as Kong, Keycloak, the manager components and the sidecars require additional configuration. To run applications in TLS mode, update the configuration of the modules and update the environment values.
Example: mgr-tenants needs its own server-side TLS configuration. It also communicates with the Keycloak service, so it additionally needs the Keycloak truststore settings (the KC_CLIENT_TLS_* variables).

SSL configuration environment variables

Name | Default value | Required | Description
SERVER_PORT | 8081 | false | Server HTTP port. Must be set explicitly when SSL is enabled.
SERVER_SSL_ENABLED | false | false | Manages the server mode. If true, SSL is enabled.
SERVER_SSL_KEY_STORE | | false | Path to the keystore. Mandatory if SERVER_SSL_ENABLED is true.
SERVER_SSL_KEY_STORE_TYPE | BCFKS | false | Type of the keystore. BCFKS by default.
SERVER_SSL_KEY_STORE_PROVIDER | BCFIPS | false | Provider of the keystore.
SERVER_SSL_KEY_STORE_PASSWORD | | false | Password for the keystore.
SERVER_SSL_KEY_PASSWORD | | false | Password for the key in the keystore.

Keycloak-specific environment variables

Name | Default value | Required | Description
KC_CLIENT_TLS_ENABLED | - | false | Enables TLS for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_PATH | - | false | Truststore file path for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_PASSWORD | - | false | Truststore password for Keycloak clients.
KC_CLIENT_TLS_TRUSTSTORE_TYPE | - | false | Truststore file type for Keycloak clients.

More detailed information is available on the GitHub page of each component (for example mgr-tenants).
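As an added example (not code from the Eureka project or from mgr-tenants), the following POSIX shell preflight encodes the rules in the two tables: with SERVER_SSL_ENABLED=true the keystore path and password are mandatory and SERVER_PORT should be set explicitly; with KC_CLIENT_TLS_ENABLED=true the truststore path and password are mandatory. It also checks that the referenced files are readable, which is where most "TLS enabled but the module won't start" cases come from. The function names are my own; probe_tls assumes openssl on PATH and network access to the component.

```shell
#!/bin/sh
# Preflight check for the TLS environment variables listed above, run in the
# module's environment before starting it. Added example, not part of Eureka
# or mgr-tenants: it only encodes the rules stated in the tables and checks
# that the referenced keystore/truststore files are readable.

# check_tls_env: validate the SERVER_SSL_* and KC_CLIENT_TLS_* variables.
# Returns 0 if the configuration is consistent, 1 otherwise; each problem
# is written to stderr.
check_tls_env() {
    problems=0

    if [ "${SERVER_SSL_ENABLED:-false}" = "true" ]; then
        # Keystore path and password are mandatory once SSL is enabled.
        if [ -z "${SERVER_SSL_KEY_STORE:-}" ]; then
            echo "SERVER_SSL_KEY_STORE must be set when SERVER_SSL_ENABLED=true" >&2
            problems=$((problems + 1))
        elif [ ! -r "$SERVER_SSL_KEY_STORE" ]; then
            echo "keystore is not readable: $SERVER_SSL_KEY_STORE" >&2
            problems=$((problems + 1))
        fi
        if [ -z "${SERVER_SSL_KEY_STORE_PASSWORD:-}" ]; then
            echo "SERVER_SSL_KEY_STORE_PASSWORD must be set when SERVER_SSL_ENABLED=true" >&2
            problems=$((problems + 1))
        fi
        # The default 8081 is the plain HTTP port; the table asks for the port
        # to be set explicitly when SSL is enabled.
        if [ -z "${SERVER_PORT:-}" ]; then
            echo "SERVER_PORT should be set explicitly when SSL is enabled (default 8081 is the HTTP port)" >&2
            problems=$((problems + 1))
        fi
    fi

    if [ "${KC_CLIENT_TLS_ENABLED:-false}" = "true" ]; then
        # Outbound TLS to Keycloak needs a truststore holding the Keycloak CA.
        if [ -z "${KC_CLIENT_TLS_TRUSTSTORE_PATH:-}" ]; then
            echo "KC_CLIENT_TLS_TRUSTSTORE_PATH must be set when KC_CLIENT_TLS_ENABLED=true" >&2
            problems=$((problems + 1))
        elif [ ! -r "$KC_CLIENT_TLS_TRUSTSTORE_PATH" ]; then
            echo "truststore is not readable: $KC_CLIENT_TLS_TRUSTSTORE_PATH" >&2
            problems=$((problems + 1))
        fi
        if [ -z "${KC_CLIENT_TLS_TRUSTSTORE_PASSWORD:-}" ]; then
            echo "KC_CLIENT_TLS_TRUSTSTORE_PASSWORD must be set when KC_CLIENT_TLS_ENABLED=true" >&2
            problems=$((problems + 1))
        fi
    fi

    [ "$problems" -eq 0 ]
}

# probe_tls HOST PORT CAFILE: confirm that a running component actually serves
# TLS with a certificate that chains to CAFILE (the CA you placed in the
# truststores). Prints the subject and the verify result. Needs openssl and
# network access, so it is not exercised offline.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
        | grep -E '^subject=|Verify return code'
}

# Usage:
#   check_tls_env || exit 1
#   probe_tls keycloak.folio.internal 8443 /etc/ssl/folio-ca.pem   # constructed host and path
```

A "Verify return code: 0 (ok)" from probe_tls against the same CA file you packed into the KC_CLIENT_TLS_TRUSTSTORE_PATH truststore is the quickest way to rule out a truststore that simply does not contain the issuing CA.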

Common Issues:

Info

Capabilities issue

After the entitlement process, the next step is creating users. If this step is automated, the creation of some capabilities may still be in progress, and if you try to assign those capabilities to users they may simply not exist in the system yet. Before creating users, make sure that capability creation has finished. You can verify this by checking the Kafka topic named <clusterName>.<tenantName>.mgr-tenant-entitlements.capability: it must have no pending (unconsumed) messages.
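An added example, not part of Eureka, of turning that check into something automation can wait on. A Kafka topic retains messages for its retention period whether or not they have been processed, so the signal worth checking is the consumer group's lag on the capability topic, not the mere presence of messages. The script assumes kafka-consumer-groups.sh on PATH, KAFKA_BOOTSTRAP set to the broker address and CAPABILITY_CONSUMER_GROUP set to the consumer group that reads the capability topic (list the groups with kafka-consumer-groups.sh --list to find it); the cluster name folio and tenant name diku are constructed, and the function names are my own.

```shell
#!/bin/sh
# Wait until the capability events for a tenant have been consumed before
# creating users. Added example, not part of Eureka; it assumes the Kafka CLI
# (kafka-consumer-groups.sh) is on PATH, KAFKA_BOOTSTRAP holds the broker
# address and CAPABILITY_CONSUMER_GROUP names the consumer group that
# processes the capability topic.

# Topic name from the page: <clusterName>.<tenantName>.mgr-tenant-entitlements.capability
capability_topic() {
    printf '%s.%s.mgr-tenant-entitlements.capability\n' "$1" "$2"
}

# capability_lag TOPIC: read the output of `kafka-consumer-groups.sh --describe`
# on stdin (columns: GROUP TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG
# CONSUMER-ID HOST CLIENT-ID) and print the total LAG for TOPIC across all
# partitions. Prints "unknown" when a partition has no committed offset (LAG
# shown as "-"), because the lag cannot be computed in that case.
capability_lag() {
    awk -v topic="$1" '
        $2 == topic && $1 != "GROUP" {
            if ($6 ~ /^[0-9]+$/) lag += $6; else unknown = 1
        }
        END { if (unknown) print "unknown"; else print lag + 0 }'
}

# capabilities_settled CLUSTER TENANT: return 0 when the lag on the tenant's
# capability topic is zero, 1 otherwise (including the "unknown" case).
capabilities_settled() {
    topic=$(capability_topic "$1" "$2")
    lag=$(kafka-consumer-groups.sh --bootstrap-server "$KAFKA_BOOTSTRAP" \
            --describe --group "$CAPABILITY_CONSUMER_GROUP" 2>/dev/null \
          | capability_lag "$topic")
    if [ "$lag" = "0" ]; then
        echo "capability events for tenant $2 consumed (lag 0)"
        return 0
    fi
    echo "capability events for tenant $2 still pending (lag: $lag); wait before creating users" >&2
    return 1
}

# Usage in a provisioning pipeline, polling until the events are consumed:
#   until capabilities_settled folio diku; do sleep 10; done
```

If the lag stays at "unknown", the consumer group has never committed an offset for the topic, which usually means the wrong group name was given or the consuming module is not running; either way, users should not be created yet.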

Info

RAML modules issue for mod-graphql service

The mod-graphql module requires the RAML_MODULES environment variable. Without it the module cannot pull the information it needs and does not start. If mod-graphql is not healthy, the applications will not be entitled successfully, so make sure the variable is set correctly for mod-graphql.

Warning

Issue with enabling applications

Depending on the applications you have provided, several issues can arise during the entitlement process:

  • Modules that are not healthy: if one or more modules are not healthy, the entitlement process fails. Fix the errors inside the modules first.

  • Incompatible versions: every application has its own dependencies. If the provided application versions are not compatible with each other, a validation error is written to the logs.

  • Dependency issues: different versions of applications may expose incompatible versions of interfaces. Check that the correct application versions are specified.

  • Module-specific issues: during enablement a module can fail individually, for example because of a migration problem between versions. Fix the error for that particular module and restart the entitlement process.

Info

Hardcoded mod-users version in sidecar (mod-consortia-keycloak)

The mod-consortia-keycloak service needs an environment variable with the mod-users version. If mod-users was updated but the sidecar task definition was not, mod-consortia-keycloak fails during enablement. If you encounter issues during the entitlement process for mod-consortia-keycloak, update the mod-users version in the sidecar task definition.