Prepare the Kubernetes cluster
Create a namespace
Create or choose an existing namespace where you will install Obcerv.
kubectl create namespace itrs
Multiple instances of Obcerv can be installed in the same cluster; however, there can be only one Obcerv instance in a namespace.
Install cert-manager
Obcerv can use cert-manager to automatically generate TLS certificates required by some Obcerv components.
To install cert-manager, run:
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --set installCRDs=true -n itrs --wait
Alternatively, you can manually create TLS certificates for Obcerv components.
Install LinkerD
LinkerD is used to enable mutual TLS between the Obcerv components. TLS inside the cluster is optional and is enabled by default.
However, in a testing or proof of concept deployment you may wish to disable TLS. In this case LinkerD is not required.
LinkerD is installed in its own linkerd namespace by default.
Optional installation flags:
- Install in specific namespace: Add the -L namespace flag to the linkerd install command.
- Using a private Docker registry: If you have copied the required Docker images to your private registry following these instructions, then add the --registry <your-registry>/obcerv flag to the linkerd install command.
Install:
linkerd install | kubectl apply -f -
Ensure all components are installed before continuing:
linkerd check
Storage classes
Most Kubernetes clusters come with a default StorageClass pre-installed. This will likely suffice for many of the workloads. However, the Kafka and Timescale workloads benefit from higher-performing disks; a good starting point for these is 25 IOPS per GB. If an appropriate class does not already exist, it is strongly recommended that you create one to ensure acceptable performance. For example, on AWS:
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: io1-25
provisioner: kubernetes.io/aws-ebs
parameters:
  type: io1
  iopsPerGB: "25"
  fsType: ext4
allowVolumeExpansion: true
We strongly recommend using storage classes that support automatic volume expansion so that volumes can be expanded to accommodate growth without significant downtime.
Create the Docker registry secret
By default, Kubernetes pulls Obcerv Docker images from our Docker registry. To authenticate, you must create a Secret with your ITRS credentials:
kubectl create secret docker-registry itrsdocker \
--docker-server=https://docker.itrsgroup.com \
--docker-username=<USERNAME> \
--docker-password=<PASSWORD> \
-n itrs
However, if you have elected to use an intermediary Docker registry:
- If the registry does not require authentication, a Secret is not required and you can skip this step.
- Otherwise, you must create a Secret with credentials for your Docker registry. See the example above, but use the URL of your registry instead.
Note: Contact your ITRS representative if you do not have the required credentials.
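The kubectl create secret docker-registry command above takes the password as a command-line argument, where it is recorded in shell history and visible in the process list. The following is an added example, not part of the ITRS documentation: a hypothetical render_pull_secret helper that reads the password from stdin and prints an equivalent kubernetes.io/dockerconfigjson Secret manifest. It assumes the credentials contain no double quote or backslash.

```shell
#!/bin/sh
# Added example (not ITRS code). render_pull_secret is a hypothetical helper.
# It renders the image-pull Secret as a manifest so the registry password is
# read from stdin and never appears as an argument to an external command
# (printf is a shell builtin in sh/bash, so it does not show up in `ps`).
#
# Usage, with the password in a file readable only by you (path is assumed):
#   render_pull_secret itrsdocker itrs https://docker.itrsgroup.com '<USERNAME>' \
#       < /path/to/password-file | kubectl apply -f -

# Args: secret name, namespace, registry URL, username. Password: first line of stdin.
render_pull_secret() {
    name=$1 ns=$2 server=$3 user=$4
    IFS= read -r pass || true
    [ -n "$pass" ] || { echo "no password on stdin" >&2; return 1; }
    # No JSON escaping is performed, so refuse characters that would need it.
    case "$user$pass" in
        *\"*|*\\*) echo "unsupported character in credentials" >&2; return 1 ;;
    esac
    # Docker config format: "auth" is base64("username:password").
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')
    cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$server" "$user" "$pass" "$auth")
    # Secret data values are base64-encoded once more by the Kubernetes API.
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | base64 | tr -d '\n')
EOF
    unset pass auth cfg
}
```

The data field is base64-encoded, not encrypted, so treat the rendered manifest as a credential and do not write it to disk or commit it.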
Install the Obcerv operator
The operator can be installed once per cluster (watching all namespaces) or once for a subset of namespaces. By default, the operator will watch only the namespace into which it is installed.
Add or update the ITRS Helm repository:
helm repo add itrs https://helm.itrsgroup.com
helm repo update
Install with the default settings:
helm install obcerv-operator itrs/obcerv-operator --version 1.1.0 -n itrs --wait
To override the list of watched namespaces, append this to the above command:
# All namespaces
--set "namespaces="
# Specific namespace(s)
--set "namespaces={ns1,ns2}"