Requirements
Release Notice
GoodData.CN ready for Kubernetes will be published during May 2021. Stay tuned and watch the GoodData Developers website.
System Requirements
While there are many Kubernetes configurations possible, some minimal requirements must be met.
Kubernetes Cluster
- Version 1.15 or higher
- 3 worker nodes, each with at least 2 vCPU and 4 GB RAM
- Supported Ingress Controller installed and configured to match your infrastructure:
- Dynamic Volume Provisioner (StorageClass)
Domain Name System (DNS)
- You must be able to update your DNS and add a proper A or CNAME record for your load balancer where the application will be exposed.
- We recommend using External DNS if your DNS provider is supported and if it suits your use case based on Deployment Considerations. Otherwise, be prepared to add a DNS record manually.
PKI Infrastructure
- Server certificate and private key, issued and signed by a Certificate Authority that your clients trust. Consult the Deployment Considerations for a suitable certificate management solution.
Local Docker Registry (on Air-gapped Deployments)
- Application images need to be pushed to your private docker registry if your cluster does not have access to the Internet.
Installation Requirements
- Kubectl: Default Kubernetes CLI.
- Helm: Application deployment is done using Helm 3. Download and install the Helm client binary to the workstation that you plan to use for GoodData.CN installation.
- Permissions: You need admin-level permissions on two Kubernetes namespaces (described below):
  - pulsar - for Apache Pulsar deployment
  - gooddata-cn - for GoodData.CN deployment
Preparation
Choose Hostname
To make GoodData.CN accessible to users, you need a DNS hostname for application Ingress. This hostname must belong to the domain you have under your control.
You may use, for example, gooddata-cn.company.com or analytics.company.com.
You may need an additional hostname for Dex, which is the OIDC provider bundled with the GoodData.CN Helm chart. If you have your own OIDC provider, you do not need this additional hostname.
You may use, for example, auth.company.com.
This hostname will be referred to as Ingress host later in this guide.
If you do not use an External DNS as suggested above, add the new hostname to your DNS server manually.
The type of the record should be one of the following:
- A - if you want to point it to the IP address of your Load balancer representing your Ingress host
- CNAME - if you rather prefer to refer to an existing Load balancer hostname.
Note that adding a DNS record is not necessary if you already have a matching wildcard DNS record pointing to your Load balancer (such as *.company.com in our example).
Get TLS Certificate
The GoodData.CN application itself does not use TLS encryption. It assumes that TLS is terminated on the load balancer, because hardware load balancers usually have highly optimized SSL accelerators and offer better throughput.
Use the standard process to get the TLS certificate for the Ingress hostname that you chose. This process may vary depending on the Certification Authority you are using and is not described in detail in this guide.
In the end, you should have two files:
- the public server certificate
- the private server key
Upload both files to your Load balancer.
Note: It is possible that you already have a so-called wildcard certificate matching your chosen Ingress hostname loaded in your Load balancer. In this case you don’t need to get another certificate and you can use the wildcard certificate to encrypt client traffic between your users and the GoodData.CN application.
Pull Application Images to Your Registry (Air-gapped installations only)
If your Kubernetes cluster runs in a secure, isolated environment and therefore it does not have access to the Internet, you need to pull all required images from a GoodData docker registry and Docker hub, and push them to your private docker registry that your cluster can access.
You will need the following images:
- Apache Pulsar
apachepulsar/pulsar:2.6.1
- GoodData.CN
registry.anywhere.gooddata.com/afm-exec-api:${TAG}
registry.anywhere.gooddata.com/analytical-designer:${TAG}
registry.anywhere.gooddata.com/apidocs:${TAG}
registry.anywhere.gooddata.com/aqe:${TAG}
registry.anywhere.gooddata.com/auth-service:${TAG}
registry.anywhere.gooddata.com/dashboards:${TAG}
registry.anywhere.gooddata.com/home-ui:${TAG}
registry.anywhere.gooddata.com/ldm-modeler:${TAG}
registry.anywhere.gooddata.com/metadata-api:${TAG}
registry.anywhere.gooddata.com/result-cache:${TAG}
registry.anywhere.gooddata.com/scan-model:${TAG}
registry.anywhere.gooddata.com/sql-executor:${TAG}
registry.anywhere.gooddata.com/tools:${TAG}
docker.io/peterevans/curl-jq:1.0
docker.io/library/postgres:11.6
quay.io/dexidp/dex:v2.26.0
- GoodData.CN subcharts
docker.io/bitnami/minideb:buster
docker.io/bitnami/pgpool:4.2.0-debian-10-r20
docker.io/bitnami/postgres-exporter:0.8.0-debian-10-r304
docker.io/bitnami/postgresql-repmgr:11.10.0-debian-10-r38
docker.io/oliver006/redis_exporter:v1.13.1
docker.io/library/redis:6.0.7-alpine
Note: Variable ${TAG} depends on the GoodData.CN release that you plan to install. You can obtain its value from Release Notes for the particular version of the GoodData.CN application.
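One way to script the mirroring of the images listed above, as an added example that is not part of the GoodData documentation. PRIVATE_REGISTRY is a hypothetical registry host and the function names are made up here; TAG must be set to the value from the Release Notes. Call mirror_all on a host that can reach both the source registries and your private one.

```shell
# Added example, not GoodData tooling. PRIVATE_REGISTRY is a hypothetical host.
PRIVATE_REGISTRY=${PRIVATE_REGISTRY:-registry.internal.example:5000}
DOCKER=${DOCKER:-docker}   # DOCKER=echo prints the commands (dry run)

# Print every image from the list above, one reference per line.
image_list() {
  : "${TAG:?set TAG to the value from the Release Notes}"
  for n in afm-exec-api analytical-designer apidocs aqe auth-service \
           dashboards home-ui ldm-modeler metadata-api result-cache \
           scan-model sql-executor tools; do
    echo "registry.anywhere.gooddata.com/$n:$TAG"
  done
  cat <<'EOF'
apachepulsar/pulsar:2.6.1
docker.io/peterevans/curl-jq:1.0
docker.io/library/postgres:11.6
quay.io/dexidp/dex:v2.26.0
docker.io/bitnami/minideb:buster
docker.io/bitnami/pgpool:4.2.0-debian-10-r20
docker.io/bitnami/postgres-exporter:0.8.0-debian-10-r304
docker.io/bitnami/postgresql-repmgr:11.10.0-debian-10-r38
docker.io/oliver006/redis_exporter:v1.13.1
docker.io/library/redis:6.0.7-alpine
EOF
}

# Swap the source registry host (if the reference has one) for the private
# registry, keeping repository path and tag unchanged.
target_ref() {
  first=${1%%/*}
  case "$first" in
    *.*|*:*|localhost) path=${1#*/} ;;   # first component is a registry host
    *)                 path=$1 ;;        # no host, e.g. apachepulsar/pulsar
  esac
  echo "$PRIVATE_REGISTRY/$path"
}

# Pull, retag and push each image; stop at the first failure.
mirror_all() {
  list=$(image_list) || return 1
  for src in $list; do
    dst=$(target_ref "$src")
    "$DOCKER" pull "$src" && "$DOCKER" tag "$src" "$dst" &&
      "$DOCKER" push "$dst" || { echo "FAILED: $src" >&2; return 1; }
  done
}
```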
Get Helm Charts
Pulsar is deployed from Apache’s Helm repository, so you need to register this repository within your Helm client first.
$ helm repo add apache https://pulsar.apache.org/charts
"apache" has been added to your repositories
Pull the Helm chart of Apache Pulsar and extract it to local disk. We recommend using version 2.6.1-2 since it was tested with GoodData.CN.
helm pull --version 2.6.1-2 --untar apache/pulsar
Pull the helm chart for the GoodData.CN from the GoodData registry. Use the username and password you got from GoodData to access the GoodData registry.
Note: Storing Helm charts in the OCI-compatible registry is still marked as an experimental feature by Helm developers.
To enable this functionality, you need to set the following environment variable: HELM_EXPERIMENTAL_OCI=1.
$ export HELM_EXPERIMENTAL_OCI=1
$ helm registry login -u <your-name> registry.anywhere.gooddata.com
Password:
Login succeeded
$ helm chart pull registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1
1.0.1: Pulling from registry.anywhere.gooddata.com/charts/gooddata-cn
ref: registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1
digest: 6c812b171e5dce439bfaf67e22d06c9216d187960e1cc7a22ffca3b564cbbef9
size: 56.3 KiB
name: gooddata-cn
version: 1.0.1
Status: Downloaded newer chart for registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1
$ helm chart list
REF NAME VERSION DIGEST SIZE CREATED
registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1 gooddata-cn 1.0.1 6c812b1 56.3 KiB 3 minutes
Now that you downloaded the GoodData.CN Helm chart, you may extract its contents to a local directory:
$ helm chart export registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1
ref: registry.anywhere.gooddata.com/charts/gooddata-cn:1.0.1
digest: 6c812b171e5dce439bfaf67e22d06c9216d187960e1cc7a22ffca3b564cbbef9
size: 56.3 KiB
name: gooddata-cn
version: 1.0.1
Exported chart to gooddata-cn/
$ ls gooddata-cn pulsar
gooddata-cn:
charts Chart.yaml README.md templates values.yaml
pulsar:
Chart.yaml templates values.yaml
Create Kubernetes Namespaces
As a cluster administrator, create the following two namespaces:
$ kubectl create namespace pulsar
namespace/pulsar created
$ kubectl create namespace gooddata-cn
namespace/gooddata-cn created
For the rest of the installation process, the user running Helm has sufficient permissions in these two namespaces.
Install NGINX Ingress
If you already have your Kubernetes cluster with NGINX Ingress deployed, you do not need to perform any actions. GoodData.CN will work with your existing NGINX Ingress installation. Otherwise, you need to deploy it.
Create NGINX Ingress Namespace
$ kubectl create namespace ingress-nginx
namespace/ingress-nginx created
Add NGINX Ingress Helm repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Install the NGINX Ingress
helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx \
--set controller.replicaCount=2
Create PullImageSecret
To allow pulling images from the GoodData registry, you have to add your credentials to your cluster:
$ kubectl -n gooddata-cn create secret docker-registry gooddata-creds \
--docker-server=https://registry.anywhere.gooddata.com/ \
--docker-username=<your-name> \
--docker-password=<your-password>
Note: For air-gapped installations, this secret must point to your private Docker registry.
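The command above passes the password as an argument, which leaves it in shell history and visible in the process list while kubectl runs. An alternative that reads the password from the terminal and creates the same secret from a file, as an added example that is not from the GoodData documentation; the function names are made up for this example.

```shell
# Added example, not GoodData tooling: create the pull secret without putting
# the password on a command line. Server value is the one used on this page.
REGISTRY_SERVER=${REGISTRY_SERVER:-https://registry.anywhere.gooddata.com/}

# Escape backslashes and double quotes so the value is safe inside JSON.
json_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Build the .dockerconfigjson payload. printf is a shell builtin, so the
# password never appears in another process's arguments.
docker_config_json() {   # $1=server  $2=username  $3=password
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$auth"
}

# Usage: create_pull_secret <your-name>
create_pull_secret() {
  printf 'Password: ' >&2
  stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
  umask 077                      # temp file readable by the current user only
  tmp=$(mktemp) || return 1
  docker_config_json "$REGISTRY_SERVER" "$1" "$pw" > "$tmp"
  kubectl -n gooddata-cn create secret generic gooddata-creds \
    --type=kubernetes.io/dockerconfigjson \
    --from-file=.dockerconfigjson="$tmp"
  rc=$?
  rm -f "$tmp"; unset pw
  return $rc
}
```

For air-gapped installations, set REGISTRY_SERVER to your private registry before calling create_pull_secret.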