Prepare the Kubernetes cluster

To prepare the Kubernetes cluster, perform the following tasks:

1. Create a namespace.
2. Install cert-manager.
3. Install LinkerD.
4. Check storage classes.
5. Create the Docker registry secret.
6. Install the Obcerv Operator.

Create a namespace

Create or choose an existing namespace where you will install Obcerv.

kubectl create namespace itrs

Multiple instances of Obcerv can be installed in the same cluster. However, there can only be one Obcerv instance in a namespace.

Install cert-manager

The Obcerv Operator installs an admission webhook that requires a TLS certificate.

Obcerv can use cert-manager to automatically generate TLS certificates required by some Obcerv components.

To install cert-manager, run:

helm repo add jetstack https://charts.jetstack.io
helm install cert-manager jetstack/cert-manager --set installCRDs=true -n itrs --wait

Alternatively, you can manually create TLS certificates for Obcerv components.

Manually create TLS certificates

Using cert-manager automates the process of creating TLS certificates. Optionally, you can choose to manually create and configure a certificate by performing the following steps:

1. Determine the following before generating your keys, certificates and Kubernetes Secrets:

   • Namespace where you will be installing the Obcerv Operator, referred to as <%namespace%> in following instructions.
   • Name of the Obcerv Operator instance, referred to as <%instance-name%> in following instructions.
   • Password you will use to protect the pkcs12 file, referred to as <%password%> in following instructions.
   • Name of the pkcs12 keystore file, referred to as <%keystore-name%> in following instructions.

2. Use your Certificate Authority (CA) to generate an RSA private key for your webhook server.

3. Generate a Certificate Signing Request (CSR), incorporating the fully qualified webhook service name "/CN=<%instance-name%>-webhook.<%namespace%>.svc", for the webhook private key, and sign it with the private key of the CA.

4. Generate a pkcs12 bundle containing the webhook server key and certificate, protected with a password.

5. Create a Kubernetes Secret containing the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

   kubectl create secret generic <%instance-name%>-webhook-tls --from-file=<%keystore-name%>=keystore.p12
   

6. Create a Kubernetes Secret containing the password for the pkcs12 file. This secret should be prefixed with the name of the Obcerv Operator instance:

   kubectl create secret generic <%instance-name%>-webhook-tls-password --from-literal=password='<%password%>'
   

7. Obtain the base64 encoded value of the certificate that signed the pkcs12 file and use the output as the caCertificate in your Helm values file.

   cat ca.crt | base64
   ...
   webhook.tls.caCertificate: <%...output from previous command...%>
   

Note

The value for the caCertification must be on a single line with no carriage returns.

8. Set the following Helm values:

   webhook:
     tls:
       selfSigned: false
   
       # Default secret name containing customer provided pkcs12 file loaded in a secret.
       keystoreSecret: "<%instance-name%>-webhook-tls"
   
       # Default name of the pkcs12 file inside the above secret
       keystoreSecretKey: "<%keystore-name%>" #defaults to "keystore.p12"
   
       # Password used when generating the pkcs12 file.
       keystorePasswordSecret: "<%instance-name%>-webhook-tls-password"
   
       # Base64 encoded value of the CA certificate that signed the certification for the webhook server.
       caCertificate: ""
   

Note

If you encounter errors installing the operator after manually configuring TLS certificates, consult the Troubleshooting steps.

Install LinkerD

LinkerD is used to enable mutual TLS between the Obcerv components. TLS inside the cluster is optional and is enabled by default.

However, in a testing or proof of concept deployment you may wish to disable TLS. In this case, LinkerD is not required.

LinkerD is installed in its own linkerd namespace by default.

Optional installation flags:

• Install in specific namespace: Add the -L namespace flag to the linkerd install command.
• Using a private Docker registry: If you have copied the required Docker images to your private registry following these instructions, then add the --registry <your-registry>/obcerv flag to the linkerd install command.

Install:

linkerd install | kubectl apply -f -

Ensure all components are installed before continuing:

linkerd check

Note

The linkerd install will generate certificates using a trust anchor with a validity of 365 days by default. See the Maintenance section for steps on how to manually rotate these prior to expiry.

Configure storage classes

Most Kubernetes clusters come with a default StorageClass pre-installed. This will likely suffice for many of the workloads. However, the Kafka and Timescale workloads benefit from higher-performing disks, a good starting point for these is 25 iops per GB. If an appropriate class does not already exist, it is strongly recommended that you create one to ensure acceptable performance. For example on AWS:

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: io1-25
provisioner: kubernetes.io/aws-ebs
parameters:
  type: io1
  iopsPerGB: "25"
  fsType: ext4
allowVolumeExpansion: true

We strongly recommend using storage classes that support automatic volume expansion so that volumes can be expanded to accommodate growth without significant downtime. We recommend against using local persistent volumes in production environments - they are viable only on single-node clusters and some persistence features that Obcerv depends on are not supported.

Create the Docker registry secret

By default, Kubernetes pulls Obcerv Docker images from our Docker registry. In order to authenticate, you must create a Secret with your ITRS credentials:

kubectl create secret docker-registry itrsdocker \
  --docker-server=https://docker.itrsgroup.com \
  --docker-username=<USERNAME> \
  --docker-password=<PASSWORD> \
  -n itrs

However, if you have elected to use an intermediary Docker registry:

• If the registry does not require authentication, a Secret is not required and you can skip this step.
• Otherwise, you must create a Secret with credentials for your Docker registry. See the example above, but use the URL of your registry instead.

Note

Contact your ITRS representative if you do not have the required credentials.

Install the Obcerv Operator

The operator can be installed once per cluster (watching all namespaces) or once for a subset of namespaces. By default, the operator will watch only the namespace into which it is installed.

Add or update the ITRS Helm repository:

helm repo add itrs https://helm.itrsgroup.com
helm repo update

Install with the default settings:

helm install obcerv-operator itrs/obcerv-operator --version 1.3.1 -n itrs --wait

To override the list of watched namespaces, append this to the above command:

# All namespaces
--set "namespaces="

# Specific namespace(s)
--set "namespaces={ns1,ns2}"