Installation With Openshift Certified Operator

Learn how to install and use Digital.ai Release on your Red Hat platform using the Openshift Certified Operator. This guide provides a clear overview, configuration details, and customization options for a successful installation.

Overview

The Digital.ai Release Operator is based on a Helm chart available from here. The operator includes subcharts, which are dependencies required for the Release containers to run successfully. Nginx Ingress and Haproxy Ingress are disabled and not used with installations on Openshift (and the images are not used in the installation).

important

The installation is not performed using XL CLI.

Subcharts

The following subcharts are included as dependencies for the Release containers:

• PostgresSQL
• RabbitMQ
• Nginx Ingress Controller
• Haproxy Ingress Controller

Installation

To install Digital.ai Release using the Openshift Certified Operator, use the sample configuration provided below. This is a minimal configuration and is not recommended for production use. It uses embedded PostgreSQL and RabbitMQ.

apiVersion: xlr.digital.ai/v1alpha1
kind: DigitalaiRelease
metadata:
  name: dair-min
spec:
  k8sSetup:
    platform: Openshift
  auth:
    adminPassword: 'admin'
  licenseAcceptEula: true
  keystore:
    passphrase: 'test1234'
    keystore: 'zs7OzgAAAAIAAAABAAAAAwAWZGVwbG95aXQtcGFzc3N3b3JkLWtleQAAAY66Cf9nrO0ABXNyADNjb20uc3VuLmNyeXB0by5wcm92aWRlci5TZWFsZWRPYmplY3RGb3JLZXlQcm90ZWN0b3LNV8pZ5zC7UwIAAHhyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAJMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAN4cHVyAAJbQqzzF/gGCFTgAgAAeHAAAAARMA8ECD0yEJAHFhBOAgMDDUB1cQB+AAUAAACQUhNP1jw1dwOxWArpm0JBAX40fr4fvvAmyGGrx7mzlCVjb4uOxi4IroUoxcbBx8cpjiS6QzCUg6chsCQ0IABB6s7Tow2VR8vRlxXyxpJXvlUwfH8hwJn/ZK8rQuDsCkzd2rC+lYR0pEO0lUP3/AQ7dHJ4TgloyZOKKbWRNJvE4K4EOafqASuNTkyrr0SPflRydAAWUEJFV2l0aE1ENUFuZFRyaXBsZURFU3QAFlBCRVdpdGhNRDVBbmRUcmlwbGVERVO3iVKkgrEJQ78wacyjhp3UZBSB/Q=='
  replicaCount: 1
  hooks:
    getLicense:
      enabled: true
  persistence:
    storageClass: ''
    accessModes:
      - ReadWriteOnce
    size: 1Gi
  podSecurityContext:
    runAsUser: null
    runAsGroup: null
    fsGroup: null
  containerSecurityContext:
    runAsUser: null
    runAsGroup: null
  volumePermissions:
    enabled: false
  route:
    enabled: false
    annotations:
      haproxy.router.openshift.io/cookie_name: JSESSIONID
      haproxy.router.openshift.io/disable_cookies: 'false'
      haproxy.router.openshift.io/rewrite-target: /
      haproxy.router.openshift.io/timeout: 120s
    hostname: '<mandatory-release-hostname>'
    path: /
    tls:
      enabled: true
      termination: edge
  postgresql:
    install: true
    primary:
      persistence:
        size: 1Gi
        storageClass: ''
      resourcesPreset: "small"
      podSecurityContext:
        enabled: false
        runAsUser: null
        runAsGroup: null
        fsGroup: null
      containerSecurityContext:
        enabled: false
        runAsUser: null
        runAsGroup: null
    volumePermissions:
      enabled: false
  rabbitmq:
    install: true
    persistence:
      size: 1Gi
      storageClass: ''
    replicaCount: 1
    podSecurityContext:
      enabled: false
      runAsUser: null
      runAsGroup: null
      fsGroup: null
    containerSecurityContext:
      enabled: false
      runAsUser: null
      runAsGroup: null
    volumePermissions:
      enabled: false

Configuration Details

The following section explains the configuration used in the sample above.

• Autogenerated limited license
• Simple administrator initial password
• Default keystore setup
• Only one replica is set for all pods
• All pods are missing resource limit setup
• Default storage class and minimal size for persistent storage
• Release pods are using persistence access mode ReadWriteOnce (for Release pods, the requirement is to have ReadWriteMany)
• Embedded PostgreSQL for DB management
• Embedded RabbitMQ for message queue management

Security Configuration Details

Security settings are important for compliance and operational safety. The following are key security configuration details:

• podSecurityContext and containerSecurityContext disable the use of specific UIDs or GIDs, so the IDs can be assigned from the defined ranges (for example, from restricted SCC).
• volumePermissions.enabled: false disables automatic corrections of the mounted folders.

Customize Your Configuration

You can further personalize your configuration. Consider the following customization options:

• External DB: To avoid uncertified container images required by the subcharts, refer to these instructions for setting up an external DB.
• External Message Queue: To set up an external message queue, follow this guide.
• Custom License: To apply a custom license, refer to this process.
• Custom Configuration: For modifying the configuration files, use this guide.
• Truststore Setup: For modifying the default truststore for Release, use this guide.
• Plugin Management: Managing plugins can be done using the following methods:
  • Plugin Management Using XL CLI
  • Managing Plugins Offline for Kubernetes Environment

Providing Configuration With xl-cli kube install

You can provide the custom resource configuration using the xl-cli kube install command. When running xl-cli kube install, if you select the Openshift certified Kubernetes setup, the option name is "Openshift Certified needs installed operator on cluster." This generates the configuration that will deploy the operator custom resource for the Certified operator. In this case, the Certified operator must already be installed on the cluster. Other steps and questions are the same as for the standard installation: Installation Options Reference for Digital.ai Release.