I’m trying to install OpenIAM Community Edition on a private Kubernetes cluster using the recommended Terraform install path. I’m trying to install version 4.2.2 as this is the default tag of the Bitbucket repository.
I changed the recommended variables in the env.sh and terraform.tfvars files. I also changed the source of the deployment module in the main.tf to source = "./modules/core/helm" as mentioned in the documentation.
On my first attempt I did not change the CONTAINER_SERVICE_NAMESPACE variable in the env.sh file, which then led to a lot of ImagePullBackOff errors in many of my Kubernetes pods. I then figured out that the community edition images are located in a different path on the image repository. On my second attempt I changed the CONTAINER_SERVICE_NAMESPACE to openiam_service_ce since I found some of the images in this directory. Now I still get a lot of ImagePullBackOff errors because the images still cannot be found.
I’m not sure what I’m doing wrong or what I’m missing in the documentation because I can’t seem to find any hint on what DOCKER_REGISTRY or CONTAINER_SERVICE_NAMESPACE setting to use to successfully pull all the images used by the helm charts.
This is new to me. I couldn’t find any information about this in the docs but so be it.
You mentioned the RPM download link and the docker-swarm installation documentation. As far as I can see from the docker-compose Bitbucket repository, it is not meant for high availability deployments. To ensure high availability I would need to follow the RPM installation for HA deployments, right?
you will be able to see a download section to get the RPM files. You should use 4.2.1.15 for your tests. You can find details around the RPM install and HA here: Deploying via RPM on Linux
The limitation around the K8 installs is more around our ability to support K8 deployments on the community. We see many more questions related to this type of deployment and why we are currently limiting this.
We are in the process of creating a new getting started guide that will include both RPM + K8 deployments and hopefully simplify the effort. Once we publish this (later in January), we will support K8 deployments on the community.
Also, the manner in which we do enterprise and community will be changing (for the better). We will publish these details in the next week.
I was just wondering if the K8 installation for the CE is already supported? We have a lot of issues using the docker swarm installation in our environment.
After a few days the deployment stops working and the containers get stuck in a restart loop. I took some time to investigate what is happening and I was able to see that the vault gets sealed. I manually unsealed it and restarted all the containers using the shutdown and startup script. Now the next error occurs. It seems like the ESB is not able to communicate properly with the vault or find the correct keys in the vault. I didn’t debug it completely but it seems like now the SSL Certificate is missing or the vault is pretty much empty.
I get the following logs from the vault container:
INFO 1 — [ main] org.openiam.vault.VaultConfigResolver : Could not find property ‘https://vault:8200/v1/secret/openiam/vault.secret.elasticsearch.password’ in vault.
…
INFO 1 — [ main] org.openiam.vault.VaultConfigResolver : Could not find property ‘https://vault:8200/v1/secret/openiam/vault.secret.rabbitmq.jks.password’ in vault.
…
ERROR 1 — [ main] o.s.boot.SpringApplication : Application run failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name ‘accessCertificationServiceImpl’: Unsatisfied dependency expressed through field ‘userDataService’; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException:
…
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: Master key is null
Since @suneetshah pointed out that the K8s deployment will be supported soon, I would happily switch to this because then we would hopefully be able to use OpenIAM in our production environment.