working values.yaml for deployment via rancher ui #102

Open
bjin01 opened this issue Aug 12, 2024 · 1 comment

bjin01 commented Aug 12, 2024

The https://github.com/trento-project/helm-charts/blob/main/charts/trento-server/values.yaml should be adapted, or the documentation should include an example values.yaml for trento-server that includes the subchart values, especially for ingress for wanda and trento-web.

This values.yaml worked in my testing with rancher 2.9.1 and trento v2.3.2 on SLE-Micro 5.5.

global:
  logLevel: info
  postgresql:
    name: postgresql
    postgresqlPassword: postgres
    postgresqlUsername: postgres
    servicePort: 5432
  prometheus:
    name: prometheus-server
  rabbitmq:
    name: rabbitmq
    servicePort: 5672
  trentoWanda:
    name: wanda
    servicePort: 4000
  trentoWeb:
    name: web
    servicePort: 4000
postgresql:
  containerSecurityContext:
    runAsUser: 0
  enabled: true
  image:
    registry: registry.suse.com
    repository: suse/postgres
    tag: '14'
  persistence:
    mountPath: /var/lib/postgresql/data
  postgresqlDataDir: /var/lib/postgresql/data/trento
  securityContext:
    fsGroup: 0
prometheus:
  alertmanager:
    enabled: false
  configmapReload:
    enabled: false
  enabled: true
  kubeStateMetrics:
    enabled: false
  nodeExporter:
    enabled: false
  pushgateway:
    enabled: false
  server:
    configMapOverrideName: prometheus-configmap
    enabled: true
    extraConfigmapMounts: null
  serverFiles:
    prometheus.yml: {}
rabbitmq:
  auth:
    password: trento
    username: trento
  enabled: true
  persistence:
    enabled: true
  service:
    type: LoadBalancer
    
trento-wanda:
  enabled: true
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: "nginx"
      kubernetes.io/tls-acme: "true"
    hosts:
      - host: "trento.susedemo.de"
        paths:
          - path: /api/checks
            pathType: ImplementationSpecific
          - path: /api/v1/checks
            pathType: ImplementationSpecific
          - path: /api/v2/checks
            pathType: ImplementationSpecific
          - path: /api/v3/checks
            pathType: ImplementationSpecific
    tls:
      - secretName: wanda-tls
        hosts:
          - trento.susedemo.de
          
  image:
    repository: registry.suse.com/trento/trento-wanda
  nameOverride: wanda
  postgresql:
    image:
      registry: registry.suse.com
      repository: suse/postgres
      tag: '14'
      
trento-web:
  enabled: true
  
  adminUser:
    username: "admin"
    password: "suselinux"
  
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: "nginx"
      kubernetes.io/tls-acme: "true"
    hosts:
      - host: "trento.susedemo.de"
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: trento-tls
        hosts:
          - trento.susedemo.de

    
  image:
    repository: registry.suse.com/trento/trento-web
  nameOverride: web
  postgresql:
    image:
      registry: registry.suse.com
      repository: suse/postgres
      tag: '14'

Additional remarks:

  • The rabbitmq service indeed needs type "LoadBalancer", or an ingress controller that is able to forward TCP streams. The Nginx ingress controller could be used for that but needs additional configs. In my case I used metallb as LB on Kubernetes (RKE2).

    trento3-rabbitmq              LoadBalancer   10.43.154.72    192.168.100.50   5672:31762/TCP,4369:31175/TCP,25672:30453/TCP,15672:30576/TCP

  • If TLS is being used in ingress for trento-web, then trento-agent needs to support a "tls insecure" configurable option in /etc/trento/agent.yaml, otherwise the agent cannot report into trento-web.

Below is the error message from trento-agent:

Aug 12 17:37:40 sap02 trento-agent[25685]: time="2024-08-12 17:37:40" level=error msg="Error while running discovery 'ha_cluster_discovery': Post \"https://trento.susedemo.de/api/v1/collect\": x509: certificate is valid for ingress.local, not trento.susedemo.de"
Aug 12 17:37:40 sap02 trento-agent[25685]: time="2024-08-12 17:37:40" level=info msg="ha_cluster_discovery discovery tick output: Error while running discovery 'ha_cluster_discovery': Post \"https://trento.susedemo.de/api/v1/collect\": x509: certificate is valid for ingress.local, not trento.susedemo.de"

stefanotorresi commented Nov 15, 2024

  • If tls is being used in ingress for trento-web then trento-agent needs to support "tls insecure" configurable option in /etc/trento/agent.yaml otherwise agent cannot report into trento-web.

Hmm, I'm not sure about this; the Agent doesn't allow insecure TLS by design.
The error message reports a certificate with ingress.local Common Name, while it looks like it should be trento.susedemo.de. Are you sure this is not an ingress configuration issue? That is completely up to whatever annotations you put for the ingress controller; the helm chart doesn't prescribe anything there.
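
The certificate-name mismatch discussed in this thread, as an added example (not code from the Trento project or from either commenter): a Python triage of trento-agent journal lines that groups Go `x509` hostname errors per agent and separates the case where only `ingress.local` is served from the case where a real certificate for other names is served. Treating `ingress.local` as the name on ingress-nginx's built-in fallback certificate is an assumption of this example, as are the function names and the `sap03` sample line.

```python
import re
from collections import Counter

# Constructed sample: the two journal lines quoted in the issue, one invented line
# for a second agent (sap03, example.test names) and one unrelated line.
SAMPLE = r'''Aug 12 17:37:40 sap02 trento-agent[25685]: time="2024-08-12 17:37:40" level=error msg="Error while running discovery 'ha_cluster_discovery': Post \"https://trento.susedemo.de/api/v1/collect\": x509: certificate is valid for ingress.local, not trento.susedemo.de"
Aug 12 17:37:40 sap02 trento-agent[25685]: time="2024-08-12 17:37:40" level=info msg="ha_cluster_discovery discovery tick output: Error while running discovery 'ha_cluster_discovery': Post \"https://trento.susedemo.de/api/v1/collect\": x509: certificate is valid for ingress.local, not trento.susedemo.de"
Aug 12 17:38:02 sap03 trento-agent[1201]: time="2024-08-12 17:38:02" level=error msg="Error while running discovery 'ha_cluster_discovery': Post \"https://trento.susedemo.de/api/v1/collect\": x509: certificate is valid for *.example.test, example.test, not trento.susedemo.de"
Aug 12 17:38:05 sap03 systemd[1]: Started Session 42 of user root.'''

# Go's crypto/x509 hostname error, as embedded (with escaped quotes) in the agent's msg field.
MISMATCH = re.compile(
    r'^\w{3} +\d+ [\d:]+ (?P<node>\S+) trento-agent\[\d+\]: .*?'
    r'Post \\"https://(?P<host>[^/:\\"]+)[^"\\]*\\": '
    r'x509: certificate is valid for (?P<names>.+), not (?P=host)"?\s*$'
)

# Assumption of this example: ingress-nginx's built-in fallback certificate is the
# one that carries the name ingress.local.
FALLBACK_NAMES = {"ingress.local"}


def triage(lines):
    """Group hostname-mismatch errors per (agent node, requested host, served names)."""
    seen = Counter()
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            names = tuple(n.strip() for n in m["names"].split(","))
            seen[(m["node"], m["host"], names)] += 1
    report = []
    for (node, host, names), events in seen.items():
        if set(names) <= FALLBACK_NAMES:
            cause = "fallback-certificate"   # the Ingress tls secret was not served for this host
        else:
            cause = "wrong-certificate"      # a real certificate, issued for other names
        report.append({"node": node, "host": host, "served_names": names,
                       "events": events, "cause": cause})
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(finding)
```

A `fallback-certificate` finding points at the Ingress `tls` entry (here `secretName: trento-tls` and `wanda-tls`): confirm the secret exists in the release namespace and contains a certificate for the listed host before looking at the agent.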
