Configure HTTP2 for Release
This topic illustrates how to configure the settings required to install Release with HTTP2 backend enabled on a Kubernetes cluster.
When Release is started with http2, it starts on an https/ssl endpoint, and the Release backend communicates with ingress on the configured HTTP2 backend endpoint.
Prerequisites
Note: keytool is available with Java JDK. It is required only when you want to generate a keystore.
Step 1—Create Keystore and Certificate Using OpenSSL
Run the following commands:
openssl req -x509 -out localhost.crt -keyout localhost.key \
-newkey rsa:2048 -sha256 \
-subj '/CN=localhost'
openssl pkcs12 -export -in localhost.crt -inkey localhost.key -name localhost -out ssl-keystore.p12
Note: The keystore file must be in P12 format.
Keep this handy:
The keystore password and keystore key passphrase are set while running the openssl commands. These are required as inputs when you install Release using xl kube install for an HTTP2-enabled setup.
Step 2—Configuring Keystore for Release Server to Enable HTTP2
When you use XL-CLI, you can specify the created keystore in 2 ways:
- Base64 encoded string (in an editor or specify the keystore file location)
- Generic secret
Step 2.1—Create Base64 Encoded String of Keystore File
Run the following command:
cat ssl-keystore.p12 | base64 -w 0
Step 2.2—Create Generic Secret for Keystore File
Important: This step is required only when specifying keystore as secret.
Run the following command:
kubectl create secret generic http2-tls-secret --from-file=ssl-keystore.p12=ssl-keystore.p12 -n digital-ai-release
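A pre-flight check for the keystore produced in Steps 1 and 2, as an added example that is not part of the original documentation. It assumes bash, openssl and GNU base64; the function names check_keystore and encode_keystore and the KS_PASS environment variable are hypothetical names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the Step 1 keystore before xl kube install.
# The password is read from KS_PASS (a name assumed here) via "env:" so it
# never appears in the process list.

# check_keystore FILE [MIN_DAYS] -> 0 when FILE opens with $KS_PASS, its key
# matches its certificate, and the certificate is valid for MIN_DAYS more days.
check_keystore() {
  local p12="$1" min_days="${2:-7}" cert key_pub cert_pub
  [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }

  # 1. PKCS#12 structure and password (MAC check); nothing is written out.
  openssl pkcs12 -in "$p12" -passin env:KS_PASS -noout 2>/dev/null \
    || { echo "not a PKCS#12 file, or wrong password" >&2; return 3; }

  # 2. Certificate must not expire within MIN_DAYS.
  cert=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null)
  printf '%s\n' "$cert" \
    | openssl x509 -noout -checkend "$((min_days * 86400))" >/dev/null \
    || { echo "certificate expires within $min_days days" >&2; return 4; }

  # 3. Public key derived from the private key must equal the certificate's.
  key_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null)
  cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
  if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
    echo "private key does not match certificate" >&2; return 5
  fi
}

# encode_keystore FILE -> prints the single-line base64 of Step 2.1, but only
# after confirming that it decodes back to the identical bytes.
encode_keystore() {
  local b64
  b64=$(base64 -w 0 "$1") || return 1
  printf '%s' "$b64" | base64 -d | cmp -s - "$1" || return 1
  printf '%s\n' "$b64"
}
```

The openssl req command in Step 1 sets no -days option, so the certificate gets openssl's default validity of 30 days; `check_keystore ssl-keystore.p12 60` fails on it for that reason.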
Examples
Below are two examples of running xl kube install with HTTP2 enabled for Release.
Example 1: xl kube install Using Release Server Keystore File
C:\Users\Administrator>xl-client-23.3.0-windows-amd64.exe kube install
? Following kubectl context will be used during execution: `arn:aws:eks:us-east-1:932770550094:cluster/devops-operator-cluster-test-cluster`? Yes
? Select the Kubernetes setup where the Digital.ai Devops Platform will be installed, updated or cleaned: AWSEKS [AWS EKS]
? Do you want to use an custom Kubernetes namespace (current default is 'digitalai'): No
? Product server you want to perform install for: dai-release [Digital.ai Release]
...
? Do you want to enable http2 for release: Yes
? Select source of the keystore for the server: file [Path to the keystore file (the file can be in the raw format or base64 encoded)]
? Provide keystore file for the server: C:\Users\Administrator\certs\localhost.p12
? Provide the server keystore password: test
? Provide the server keystore key passphrase: test
? Select between supported ingress types: none [None - Ingress will not be set up during installation]
...
-------------------------------- ----------------------------------------------------
| LABEL | VALUE |
-------------------------------- ----------------------------------------------------
| AccessModeRelease | ReadWriteMany |
| AdminPassword | admin |
| CleanBefore | false |
| CreateNamespace | true |
| EnablePostgresql | true |
| EnableRabbitmq | true |
| ExternalOidcConf | external: false |
| GenerationDateTime | 20230502-114403 |
| Http2EnabledRelease | true |
| ImageNameRelease | xl-release |
| ImageRegistryType | default |
| ImageTag | 23.3.0 |
| IngressType | none |
| IsCustomImageRegistry | false |
| K8sSetup | AWSEKS |
| KeystorePassphrase | 4rSuEqVf21G6wS3g |
| License | LS0tIExpY2Vuc2UgLS0tCkxpY2Vuc2UgdmVyc2lvbjogMwpQ.. |
| LicenseFile | C:\Users\Administrator\license\release-license.lic |
| LicenseSource | file |
| OidcConfigType | no-oidc |
| OidcConfigTypeInstall | no-oidc |
| OperatorImageReleaseGeneric | xebialabs/release-operator:23.3.0 |
| OsType | windows |
| PostgresqlPvcSize | 1 |
| PostgresqlStorageClass | my-efs |
| ProcessType | install |
| PvcSizeRelease | 1 |
| RabbitmqPvcSize | 1 |
| RabbitmqReplicaCount | 1 |
| RabbitmqStorageClass | my-efs |
| ReleaseKeystore | MIIJ/AIBAzCCCcIGCSqGSIb3DQEHAaCCCbMEggmvMIIJqzCC.. |
| ReleaseKeystoreFile | C:\Users\Administrator\certs\localhost.p12 |
| ReleaseKeystoreKeyPassword | test |
| ReleaseKeystorePassword | test |
| ReleaseKeystoreSource | file |
| RemoteRunnerUseDefaultLocation | true |
| RepositoryKeystoreSource | generate |
| RepositoryName | xebialabs |
| ServerType | dai-release |
| ShortServerName | xlr |
| StorageClass | my-efs |
| UseCustomNamespace | false |
| XlrReplicaCount | 1 |
? Do you want to proceed to the deployment with these values? Yes
For current process files will be generated in the: digitalai/dai-release/digitalai/20230502-114403/kubernetes
Generated answers file successfully: digitalai\generated_answers_dai-release_digitalai_install-20230502-114403.yaml
Starting install processing.
Created keystore digitalai/dai-release/digitalai/20230502-114403/kubernetes/repository-keystore.jceks
Skip creating namespace digitalai, already exists
Generated files successfully for AWSEKS installation.
Applying resources to the cluster!
Applied resource clusterrole/xlr-operator-proxy-role from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\cluster-role-digital-proxy-role.yaml
Applied resource clusterrole/xlr-operator-manager-role from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\cluster-role-manager-role.yaml
Applied resource clusterrole/xlr-operator-metrics-reader from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\cluster-role-metrics-reader.yaml
Applied resource service/xlr-operator-controller-manager-metrics-service from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\controller-manager-metrics-service.yaml
Applied resource customresourcedefinition/digitalaireleases.xlr.digital.ai from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\custom-resource-definition.yaml
Applied resource deployment/xlr-operator-controller-manager from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\deployment.yaml
Applied resource role/xlr-operator-leader-election-role from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\leader-election-role.yaml
Applied resource rolebinding/xlr-operator-leader-election-rolebinding from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\leader-election-rolebinding.yaml
Applied resource clusterrolebinding/xlr-operator-manager-rolebinding from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\manager-rolebinding.yaml
Applied resource clusterrolebinding/xlr-operator-proxy-rolebinding from the file digitalai\dai-release\digitalai\20230502-114403\kubernetes\template\proxy-rolebinding.yaml
Applied resource digitalairelease/dai-xlr from the file digitalai/dai-release/digitalai/20230502-114403/kubernetes/dai-release_cr.yaml
Install finished successfully!
Example 2: xl kube install Using Release Server Keystore Secret
C:\Users\Administrator>xl-client-23.3.0-windows-amd64.exe kube install
? Following kubectl context will be used during execution: `arn:aws:eks:us-east-1:932770550094:cluster/devops-operator-cluster-test-cluster`? Yes
? Select the Kubernetes setup where the Digital.ai Devops Platform will be installed, updated or cleaned: AWSEKS [AWS EKS]
? Do you want to use an custom Kubernetes namespace (current default is 'digitalai'): No
? Product server you want to perform install for: dai-release [Digital.ai Release]
...
? Do you want to enable http2 for release: Yes
? Select source of the keystore for the server: secret [Generic Secret containing keystore file with key as ssl-keystore.p12]
? Provide the generic secret name with the release server keystore added as key ssl-keystore.p12: http2-tls-secret
? Provide the server keystore password: test
? Provide the server keystore key passphrase: test
? Select between supported ingress types: none [None - Ingress will not be set up during installation]
...
-------------------------------- ----------------------------------------------------
| LABEL | VALUE |
-------------------------------- ----------------------------------------------------
| AccessModeRelease | ReadWriteMany |
| AdminPassword | admin |
| CleanBefore | false |
| CreateNamespace | true |
| EnablePostgresql | true |
| EnableRabbitmq | true |
| ExternalOidcConf | external: false |
| GenerationDateTime | 20230502-125654 |
| Http2EnabledRelease | true |
| ImageNameRelease | xl-release |
| ImageRegistryType | default |
| ImageTag | 23.3.0 |
| IngressType | none |
| IsCustomImageRegistry | false |
| K8sSetup | AWSEKS |
| KeystorePassphrase | JILR8MbG18U479RG |
| License | LS0tIExpY2Vuc2UgLS0tCkxpY2Vuc2UgdmVyc2lvbjogMwpQ.. |
| LicenseFile | C:\Users\Administrator\license\release-license.lic |
| LicenseSource | file |
| OidcConfigType | no-oidc |
| OidcConfigTypeInstall | no-oidc |
| OperatorImageReleaseGeneric | xebialabs/release-operator:23.3.0 |
| OsType | windows |
| PostgresqlPvcSize | 1 |
| PostgresqlStorageClass | my-efs |
| ProcessType | install |
| PvcSizeRelease | 1 |
| RabbitmqPvcSize | 1 |
| RabbitmqReplicaCount | 1 |
| RabbitmqStorageClass | my-efs |
| ReleaseKeystoreKeyPassword | test |
| ReleaseKeystorePassword | test |
| ReleaseKeystoreSecretName | http2-tls-secret |
| ReleaseKeystoreSource | secret |
| RemoteRunnerUseDefaultLocation | true |
| RepositoryKeystoreSource | generate |
| RepositoryName | xebialabs |
| ServerType | dai-release |
| ShortServerName | xlr |
| StorageClass | my-efs |
| UseCustomNamespace | false |
| XlrReplicaCount | 1 |
? Do you want to proceed to the deployment with these values? Yes
For current process files will be generated in the: digitalai/dai-release/digitalai/20230502-125654/kubernetes
Generated answers file successfully: digitalai\generated_answers_dai-release_digitalai_install-20230502-125654.yaml
Starting install processing.
Created keystore digitalai/dai-release/digitalai/20230502-125654/kubernetes/repository-keystore.jceks
Skip creating namespace digitalai, already exists
Generated files successfully for AWSEKS installation.
Applying resources to the cluster!
Applied resource clusterrole/xlr-operator-proxy-role from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\cluster-role-digital-proxy-role.yaml
Applied resource clusterrole/xlr-operator-manager-role from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\cluster-role-manager-role.yaml
Applied resource clusterrole/xlr-operator-metrics-reader from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\cluster-role-metrics-reader.yaml
Applied resource service/xlr-operator-controller-manager-metrics-service from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\controller-manager-metrics-service.yaml
Applied resource customresourcedefinition/digitalaireleases.xlr.digital.ai from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\custom-resource-definition.yaml
Applied resource deployment/xlr-operator-controller-manager from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\deployment.yaml
Applied resource role/xlr-operator-leader-election-role from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\leader-election-role.yaml
Applied resource rolebinding/xlr-operator-leader-election-rolebinding from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\leader-election-rolebinding.yaml
Applied resource clusterrolebinding/xlr-operator-manager-rolebinding from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\manager-rolebinding.yaml
Applied resource clusterrolebinding/xlr-operator-proxy-rolebinding from the file digitalai\dai-release\digitalai\20230502-125654\kubernetes\template\proxy-rolebinding.yaml
Applied resource digitalairelease/dai-xlr from the file digitalai/dai-release/digitalai/20230502-125654/kubernetes/dai-release_cr.yaml
Install finished successfully!
Note: When HTTP2 is enabled for Release, out-of-the-box ingress type options such as nginx or haproxy become ineffective. To handle HTTP2 backends, an external ingress controller needs to be set up separately. During installation, an external ingress type must be selected and an IngressClass Kubernetes resource that can handle HTTP2 backends must be pre-created (before installation). It's important to ensure that the ingress uses the created IngressClass to properly handle HTTP2 backends.