Version: Deploy 24.1

Installation with Openshift Certified Operator

Learn how to install and use this product on your Red Hat platform.

Overview

The Digital.ai Deploy operator is based on a Helm chart that is available from here. The operator includes subcharts, which are dependencies that the Deploy containers need to run successfully. The Nginx and HAProxy ingress controllers are disabled and not used for installations on OpenShift (and their images are not used in the installation).

Important: The installation is not performed using XL CLI.

Subcharts

Installation

The installation can be done using the sample configuration provided below. Note that this is a minimal configuration and is not recommended for production use. This configuration disables SecurityContextConstraints (SCC) creation and uses the embedded PostgreSQL and RabbitMQ.

apiVersion: xld.digital.ai/v1alpha1
kind: DigitalaiDeploy
metadata:
  name: daid-min
spec:
  k8sSetup:
    platform: Openshift
  auth:
    adminPassword: 'admin'
  licenseAcceptEula: true
  keystore:
    passphrase: 'test1234'
    keystore: '<keystore-content>'
  hooks:
    getLicense:
      enabled: true
  securityContextConstraints:
    enabled: false
  centralConfiguration:
    replicaCount: 1
    podSecurityContext:
      runAsUser: null
      runAsGroup: null
      fsGroup: null
    containerSecurityContext:
      runAsUser: null
      runAsGroup: null
    volumePermissions:
      enabled: false
  master:
    replicaCount: 1
    persistence:
      storageClass: ''
      size: 1Gi
    podSecurityContext:
      runAsUser: null
      runAsGroup: null
      fsGroup: null
    containerSecurityContext:
      runAsUser: null
      runAsGroup: null
    volumePermissions:
      enabled: false
  worker:
    replicaCount: 1
    persistence:
      storageClass: ''
      size: 1Gi
    podSecurityContext:
      runAsUser: null
      runAsGroup: null
      fsGroup: null
    containerSecurityContext:
      runAsUser: null
      runAsGroup: null
    volumePermissions:
      enabled: false
  route:
    enabled: false
    annotations:
      haproxy.router.openshift.io/cookie_name: SESSION_XLD
      haproxy.router.openshift.io/disable_cookies: "false"
      haproxy.router.openshift.io/rewrite-target: /
    hostname: '<mandatory-deploy-hostname>'
    path: /
    tls:
      enabled: true
      termination: edge
  postgresql:
    install: true
    primary:
      persistence:
        size: 1Gi
        storageClass: ''
      podSecurityContext:
        enabled: false
        runAsUser: null
        runAsGroup: null
        fsGroup: null
      containerSecurityContext:
        enabled: false
        runAsUser: null
        runAsGroup: null
      securityContextConstraints:
        enabled: false
    volumePermissions:
      enabled: false
  rabbitmq:
    install: true
    persistence:
      size: 1Gi
      storageClass: ''
    replicaCount: 1
    podSecurityContext:
      enabled: false
      runAsUser: null
      runAsGroup: null
      fsGroup: null
    containerSecurityContext:
      enabled: false
      runAsUser: null
      runAsGroup: null
    securityContextConstraints:
      enabled: false
    volumePermissions:
      enabled: false

If SCC is required, it must be managed manually. The necessary permissions for accessing SecurityContextConstraints must be granted when SCC is enabled; otherwise, the following error will occur:

securitycontextconstraints.security.openshift.io \"daid-doc-digitalai-deploy-privileged\" is forbidden: User \"system:serviceaccount:openshift-operators:xld-controller-manager\" cannot get resource \"securitycontextconstraints\" in API group \"security.openshift.io\" at the cluster scope"
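
One way to grant the permission named in that error, as an added example that is not taken from the Digital.ai documentation: a ClusterRole and ClusterRoleBinding for the operator's service account. The name `xld-operator-scc-manager` and the verb list are assumptions; the service account, namespace, API group and resource come from the error message.

```yaml
# Added example, not from the Digital.ai documentation.
# The role/binding name is hypothetical; the service account, namespace,
# API group and resource are taken from the error message above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: xld-operator-scc-manager   # hypothetical name
rules:
  - apiGroups:
      - security.openshift.io
    resources:
      - securitycontextconstraints
    # Assumption: the operator must create and reconcile the SCC, not only
    # read it. Trim this list to the verbs your audit logs show in use.
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: xld-operator-scc-manager   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: xld-operator-scc-manager
subjects:
  # Bind only the operator's own service account, as named in the error.
  - kind: ServiceAccount
    name: xld-controller-manager
    namespace: openshift-operators
```

SCCs are cluster-scoped, so this grant lets the operator's service account manage any SCC in the cluster; keep the binding limited to that one account. Running `oc auth can-i get securitycontextconstraints --as=system:serviceaccount:openshift-operators:xld-controller-manager` confirms whether the grant is in effect.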

Configuration Details

The sample configuration uses:

  • Autogenerated limited license
  • Simple administrator initial password
  • Default keystore setup
  • Only one replica is set for all pods
  • All Pods are missing resource limit setup
  • Default storage class and minimal size for persistent storage
  • Embedded PostgreSQL for DB management
  • Embedded RabbitMQ for message queue management

Security Configuration Details

  • securityContextConstraints.enabled: false - disables creation of SCCs;
  • podSecurityContext/containerSecurityContext with runAsUser, runAsGroup and fsGroup set to null - disables the use of specific UIDs or GIDs, so the IDs can be assigned from the defined ranges (for example, from the restricted SCC);
  • volumePermissions.enabled: false - disables automatic correction of the mounted folders.

Customize Your Configuration

Configurations can be further personalized. Here are some areas you might want to consider: