Hostnames Configuration

Overview (Eureka)

Installation process

The Eureka installation process consists of the following parts:

  • Infrastructure creation. In this step you prepare the infrastructure on which the services will run. The services themselves can run on any platform: a Kubernetes cluster, ECS clusters, on-premise servers, etc. You also need to prepare the OpenSearch/Elasticsearch cluster, the PostgreSQL database, and the Kafka instance; these are the prerequisites for the Eureka setup.

  • The Eureka platform consists of the following components: Kong, Keycloak, the management modules, and a set of applications. Applications are divided according to the functionality they offer and contain a variety of services.

  • Deploy the Kong and Keycloak components as soon as your infrastructure is prepared. The management components (mgr-tenants, mgr-application, and mgr-tenant-entitlements) can then be deployed. You can begin working with applications as soon as those services are in place.

  • Applications with their versions can be found at <URL>. You can also generate your own version of an application; for that, use a template such as app-platform-minimal.

  • Verify the applications' validity and compatibility using the list of versions. After that, you can register and deploy the applications.

  • After the deployment step, make sure that all services are steady and healthy. If some of them are not ready, the entitlement process will fail.

  • Next step: tenant creation. Application entitlement is one of the calls made during tenant creation; in this step, mgr-tenant-entitlements enables the modules.

  • Once all applications are entitled, create users in your new tenant to work with it. Users require permissions. To add permissions to a user, create a role entity in Keycloak and assign the capabilities you need; after that, assign the role to the user.

  • UI creation. Create a bundle with UI modules. Versions should be taken from the application descriptors.

  • Your environment should now be ready. Perform manual validation to make sure that the functionality works as expected.

DNS Configuration

DNS configuration can be divided into two parts: public and private.

Public DNS names are used for public communication, while private DNS is mostly used for service intercommunication.

Public DNS should contain the following:

  • Kong URL.

  • Keycloak URL.

  • Tenant URL (one for each tenant).

Private zones contain the following entries:

  • Manager components.

  • DB endpoint.

  • OpenSearch endpoint.

  • Kafka endpoint.

  • Kong endpoint (private endpoint for service communication).

  • Keycloak endpoint (private endpoint for service communication).

  • Each module should have its own DNS entry.


TLS/SSL Certificates

Eureka components can work with encryption in transit. Once a connection is established and authenticated, encryption in transit defends your data against potential attackers by:

  • Removing the need to trust the lower layers of the network, which are commonly provided by third parties.

  • Reducing the potential attack surface.

  • Preventing attackers from accessing data if communications are intercepted.

Connections to components such as Kong, Keycloak, the manager components, and sidecars require additional configuration. To configure applications in TLS mode, update the configuration of the modules and update the environment values.
For example, mgr-tenants requires configuration of the module itself; it also communicates with the Keycloak service, so the Keycloak TRUSTSTORE information must be provided as well.

SSL Configuration environment variables

| Name | Default value | Required | Description |
|---|---|---|---|
| SERVER_PORT | 8081 | false | Server HTTP port. Should be specified manually if SSL is enabled. |
| SERVER_SSL_ENABLED | false | false | Manages the server's mode. If true, SSL is enabled. |
| SERVER_SSL_KEY_STORE | - | false | Path to the keystore. Mandatory if SERVER_SSL_ENABLED is true. |
| SERVER_SSL_KEY_STORE_TYPE | BCFKS | false | Type of the keystore. By default, BCFKS is used. |
| SERVER_SSL_KEY_STORE_PROVIDER | BCFIPS | false | Provider of the keystore. |
| SERVER_SSL_KEY_STORE_PASSWORD | - | false | Password for the keystore. |
| SERVER_SSL_KEY_PASSWORD | - | false | Password for the key in the keystore. |
| KC_CLIENT_TLS_ENABLED | - | false | Enables TLS for Keycloak clients. |
| KC_CLIENT_TLS_TRUSTSTORE_PATH | - | false | Truststore file path for Keycloak clients. |
| KC_CLIENT_TLS_TRUSTSTORE_PASSWORD | - | false | Truststore password for Keycloak clients. |
| KC_CLIENT_TLS_TRUSTSTORE_TYPE | - | false | Truststore file type for Keycloak clients. |

More detailed information can be found on the GitHub page of each component (e.g. mgr-tenants).
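
The table above gives the rules a module's TLS environment must satisfy (a keystore path and an explicit port when SSL is on, truststore details when Keycloak client TLS is on). The following pre-deployment check, added here as an example and not code from the Eureka project, encodes those rules; the sample environments, file paths and the JKS/PKCS12-versus-BCFKS extension heuristic are assumptions, not taken from the docs.

```python
import os

TRUE_VALUES = {"true", "1", "yes"}

def is_true(value):
    """Interpret an environment-variable string as a boolean."""
    return (value or "").strip().lower() in TRUE_VALUES

def check_tls_env(env):
    """Return a list of problems found in an env mapping, following the table's rules."""
    problems = []
    if is_true(env.get("SERVER_SSL_ENABLED")):
        path = env.get("SERVER_SSL_KEY_STORE", "")
        if not path:
            problems.append("SERVER_SSL_ENABLED=true but SERVER_SSL_KEY_STORE is not set")
        if not env.get("SERVER_SSL_KEY_STORE_PASSWORD"):
            problems.append("SERVER_SSL_KEY_STORE_PASSWORD is empty; the keystore cannot be opened")
        if not env.get("SERVER_PORT"):
            problems.append("SERVER_PORT must be set explicitly when SSL is enabled")
        # Heuristic (assumption): a .jks/.p12 file will not load under the default BCFKS type.
        ks_type = env.get("SERVER_SSL_KEY_STORE_TYPE", "BCFKS").upper()
        if ks_type == "BCFKS" and path.lower().endswith((".jks", ".p12", ".pfx")):
            problems.append(f"{path} looks like JKS/PKCS12 but SERVER_SSL_KEY_STORE_TYPE is BCFKS")
    if is_true(env.get("KC_CLIENT_TLS_ENABLED")):
        for name in ("KC_CLIENT_TLS_TRUSTSTORE_PATH",
                     "KC_CLIENT_TLS_TRUSTSTORE_PASSWORD",
                     "KC_CLIENT_TLS_TRUSTSTORE_TYPE"):
            if not env.get(name):
                problems.append(f"KC_CLIENT_TLS_ENABLED=true but {name} is not set")
    return problems

# Constructed samples: an incomplete TLS configuration and a complete one (paths are assumed).
WEAK_ENV = {"SERVER_SSL_ENABLED": "true", "KC_CLIENT_TLS_ENABLED": "true"}
GOOD_ENV = {
    "SERVER_PORT": "8443",
    "SERVER_SSL_ENABLED": "true",
    "SERVER_SSL_KEY_STORE": "/etc/eureka/tls/mgr-tenants.bcfks",
    "SERVER_SSL_KEY_STORE_TYPE": "BCFKS",
    "SERVER_SSL_KEY_STORE_PROVIDER": "BCFIPS",
    "SERVER_SSL_KEY_STORE_PASSWORD": "example-keystore-password",
    "SERVER_SSL_KEY_PASSWORD": "example-key-password",
    "KC_CLIENT_TLS_ENABLED": "true",
    "KC_CLIENT_TLS_TRUSTSTORE_PATH": "/etc/eureka/tls/keycloak-truststore.bcfks",
    "KC_CLIENT_TLS_TRUSTSTORE_PASSWORD": "example-truststore-password",
    "KC_CLIENT_TLS_TRUSTSTORE_TYPE": "BCFKS",
}

if __name__ == "__main__":
    # Run inside the module's container to check the real process environment.
    print(check_tls_env(dict(os.environ)) or "TLS environment looks consistent")
```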

Common Issues:

After the entitlement process, the next step is to create users. If you perform this step using automation, creation of some capabilities might still be in progress, and if you try to assign those capabilities to users they may simply not exist in the system yet. Before creating users, make sure that the capability creation process has finished. You can do that by checking the Kafka topics: verify that the topic named <clusterName>.<tenantName>.mgr-tenant-entitlements.capability has no messages.

For the GraphQL module, you need to provide the RAML_MODULES env variable. Without it, the module cannot pull the required information and start. If the mod-graphql service is not steady, applications won't be entitled successfully. Make sure that the proper variable is set for mod-graphql.
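
For automation that has to wait for the capability topic described above, the following helper, added here as an example rather than Eureka project code, builds the topic name from the documented pattern and reads "has no messages" as "no pending (unconsumed) messages" by parsing `kafka-consumer-groups.sh --describe` output; that reading, the Kafka 2.x+ column layout, and the cluster, tenant and consumer-group names in the constructed sample are assumptions.

```python
def capability_topic(cluster_name, tenant_name):
    """Topic name pattern from the docs: <clusterName>.<tenantName>.mgr-tenant-entitlements.capability"""
    return f"{cluster_name}.{tenant_name}.mgr-tenant-entitlements.capability"

def parse_consumer_group_describe(text):
    """Parse rows of `kafka-consumer-groups.sh --describe --group <group>` output (Kafka 2.x+ layout,
    assumed): GROUP TOPIC PARTITION CURRENT-OFFSET LOG-END-OFFSET LAG CONSUMER-ID HOST CLIENT-ID.
    CURRENT-OFFSET is '-' when the group has never committed for a partition, so everything
    on that partition is still pending."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "GROUP":
            continue  # header, blank or warning lines
        end = int(parts[4])
        current = int(parts[3]) if parts[3] != "-" else 0
        rows.append({"topic": parts[1], "partition": int(parts[2]),
                     "current": current, "end": end, "lag": end - current})
    return rows

def pending_capability_messages(describe_output, cluster_name, tenant_name):
    """Total unconsumed messages on the tenant's capability topic (0 if the topic is absent)."""
    topic = capability_topic(cluster_name, tenant_name)
    return sum(r["lag"] for r in parse_consumer_group_describe(describe_output)
               if r["topic"] == topic)

def capabilities_ready(describe_output, cluster_name, tenant_name):
    """True once every partition of the capability topic has zero lag, i.e. user creation may start.
    An absent topic means the consumer is not reading it (yet), so that is reported as not ready."""
    topic = capability_topic(cluster_name, tenant_name)
    rows = [r for r in parse_consumer_group_describe(describe_output) if r["topic"] == topic]
    return bool(rows) and all(r["lag"] == 0 for r in rows)

# Constructed sample in the shape of `kafka-consumer-groups.sh --describe` output;
# the cluster name "folio-dev", tenant "tenant1" and group "capability-sync" are assumptions.
SAMPLE_DESCRIBE = """\
GROUP            TOPIC                                                 PARTITION  CURRENT-OFFSET  LOG-END-OFFSET  LAG  CONSUMER-ID  HOST       CLIENT-ID
capability-sync  folio-dev.tenant1.mgr-tenant-entitlements.capability  0          118             125             7    c-1          /10.0.0.5  cli-1
capability-sync  folio-dev.tenant1.mgr-tenant-entitlements.capability  1          -               3               -    c-1          /10.0.0.5  cli-1
capability-sync  folio-dev.tenant1.some-other-topic                    0          40              40              0    c-1          /10.0.0.5  cli-1
"""

if __name__ == "__main__":
    pending = pending_capability_messages(SAMPLE_DESCRIBE, "folio-dev", "tenant1")
    print(f"pending capability messages: {pending}")  # 7 + 3 = 10, so not ready yet
```

Poll this until `capabilities_ready` returns True before the user-creation step runs.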

Depending on the applications you have provided, several issues can occur during the entitlement process:

  • Some of the modules are not steady. If one or several modules are not healthy, the entitlement process will fail. Fix the errors inside the modules.

  • Incompatible versions: every application has its own dependencies. If the provided application versions are not compatible, you will receive a validation error in the logs.

  • Dependency issues: different versions of applications might have incompatible versions of interfaces. Check that you have specified the correct versions of the applications.

  • Module-specific issues: during the enable process, an individual module can have a problem of its own. It might be related to migration problems from one version to another or to any other issue. Fix the error for the particular module and restart the entitlement process.

The mod-consortia-keycloak service should have an ENV variable with the mod-users version. If the version of the mod-users service was updated but the sidecar task definition was not, the mod-consortia-keycloak service may have a problem during the enable process. Update the mod-users version if you encounter issues during the entitlement process for the mod-consortia-keycloak service.