
diffgram-helm

Helm Chart for Diffgram

Full Tutorial on Azure: https://medium.com/diffgram/tutorial-installing-diffgram-on-azure-aks-b9447685e271

How to Install:

A. Pre-requisites

Ingress Controller

If you are using minikube make sure you've done:

minikube addons enable ingress

This enables the ingress addon; otherwise you won't be able to access your Diffgram services from outside the cluster.

If you are not on minikube, you can use the Nginx K8s Ingress Controller. Check how to install on your cloud provider here: https://kubernetes.github.io/ingress-nginx/deploy/

TLS Certificates

Using minikube (For local testing)

Install Cert Manager

https://artifacthub.io/packages/helm/microfunctions/cert-manager

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true

Default domain on diffgram is: example.com so make sure you add that to your local hosts file:

echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts

In order for TLS to work on your local machine, you will need to provide a local certificate authority of your own; otherwise your web browser will reject the issued certificates as invalid.

To do that you can generate a key and certificate like this:

# Generate the CA private key (keep this file private; anyone holding it can issue certificates your browser will trust)
openssl genrsa -out ca.key 2048
# Create a self-signed CA certificate, signed with the key generated above
openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca

Now store the key pair as a TLS secret on your minikube cluster:

kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt

Finally, modify your values.yaml so that the Helm chart can reference the secret through a cert-manager Issuer. Set tlsIssuer to issuer-local and localCaSecretName to the name you gave the secret created above:

tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod"
localCaSecretName: my-local-ca-key-pair

Using cert-manager & Public Domains

Caution

This guide assumes you will be using a regular domain name like diffgram.com. If you are using an auto-generated domain name it may require different configuration. SSL configuration is up to you/your IT team. For debugging the configuration, tools like SSL Labs may be useful.

Guide
  1. If you want TLS connections, make sure you have a domain available and access to its name servers, so you can modify the records to point to the IP address of the ingress. Then install cert-manager:

helm repo add jetstack https://charts.jetstack.io

helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true

  2. Now edit the values.yaml of Diffgram's Helm chart and change the following keys:
  • diffgramDomain: set it to the domain you own.
  • useCertManager: set this to true. This creates the certificate Issuer so you can automatically get a TLS certificate for your domain from Let's Encrypt.
  • tlsIssuer: set this to letsencrypt-prod so that TLS is validated by Let's Encrypt.
  3. Reinstall the Helm chart

helm upgrade -n diffgram-ns diffgram -f diffgram/new_updated_values_from_above_step.yaml

  4. After a few minutes you should be able to see the Issuer and the Certificate generated. You can confirm this by running: kubectl describe issuer letsencrypt-prod

B. Installation

git clone https://github.com/diffgram/diffgram-helm/

cd diffgram-helm && helm dependency build

helm install -n diffgram-ns diffgram . --create-namespace

If you don't change anything in values.yaml, you will have the namespace default created on your cluster.

Note: if on Minikube, run echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts

This points example.com (or whatever domain you have set as diffgramDomain in values.yaml) at the minikube IP.

Values to Change in values.yaml

Check section D. to see required values.

You can substitute ./diffgram-helm with whatever the path to this repo is on your local machine. Also feel free to install on any other namespace.

Future versions will provide a repo to download the chart without cloning from github.

C. Main Structure

When deploying this chart there are 5 main components to be aware of:

1. default-service: This is the service in charge for most of the API calls and data management. Both for the SDK and for the Frontend UI.

2. walrus-service: This is a long-running service for CPU-intensive processing. Things like video splitting, copying of huge files and other maintenance tasks are performed on this service.

3. frontend-service: Static VueJS frontend for accessing Diffgram.

4. db-service: A PostgreSQL database. We usually recommend linking an external managed cloud service like AWS RDS, GCP Cloud SQL, or Azure Managed SQL Service instead.

5. ingress: An Nginx ingress controller for accessing all the services. This is the entry point and router to all the above services.

D. Configurations:

The following are some of the most important configurations of the values.yaml in the helm chart. Please feel free to contact us if you have any questions on any of the configurations.

4.1 Database Settings

1. dbSettings.dbProvider: Set this to “rds”, "azure", or "local" depending on your DB managed service.

2. dbSettings.rdsEndpoint: Set this to your RDS instance endpoint, so diffgram can use it as the database.

3. dbSettings.dbProvider: Set this to “rds”

4. dbSettings.dbUser: Set this to the postgres user you want to use with Diffgram.

5. dbSettings.dbName: Set this to the Postgres database name you want to create the tables in.

6. dbSettings.dbPassword: Set this to the RDS instance's password.

4.2 Diffgram Configuration Settings

1. diffgramSecrets.DIFFGRAM_STATIC_STORAGE_PROVIDER: Set this to "aws", "azure", or "gcp" depending on your blob storage provider. Default is aws.

2. diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID: Set this to your AWS credentials access key. Make sure the account has permissions to the S3 bucket you'll use as static storage.

3. diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET: Set this to your AWS credentials secret. Make sure the account has permissions to the S3 bucket you'll use as static storage.

4. diffgramSettings.DIFFGRAM_S3_BUCKET_NAME: Set this to your S3 bucket name for static file storage.

5. diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME: Set this to your S3 bucket name for static file storage.
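The keys in sections 4.1 and 4.2 depend on each other, and on the TLS keys from the sections above (tlsIssuer, localCaSecretName, useCertManager, diffgramDomain): an RDS provider without an endpoint, or letsencrypt-prod while diffgramDomain is still example.com, only shows up later as a stuck pre-install hook. The following preflight validator is an added example, not code from the diffgram-helm chart. It uses the key names the README lists; the consistency rules it enforces and the two sample value sets are this example's own assumptions, and loading a real file assumes PyYAML is installed.

```python
"""Preflight validator for a diffgram-helm values.yaml (added example, not chart code).

It encodes the relationships the README describes between values.yaml keys
and reports them before `helm install`, so a misconfiguration is caught here
rather than as a stuck pre-install hook. The key names come from the README;
the rules are this example's assumptions about how the chart uses them.
"""
from typing import Any, List, Optional

VALID_TLS_ISSUERS = ("issuer-local", "letsencrypt-staging", "letsencrypt-prod")
VALID_DB_PROVIDERS = ("rds", "azure", "local")
VALID_STORAGE_PROVIDERS = ("aws", "azure", "gcp")
DEFAULT_DOMAIN = "example.com"  # the chart default named in the README

REQUIRED_DB_KEYS = ("dbSettings.dbUser", "dbSettings.dbName", "dbSettings.dbPassword")
AWS_STORAGE_KEYS = (
    "diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID",
    "diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET",
    "diffgramSettings.DIFFGRAM_S3_BUCKET_NAME",
)


def lookup(values: dict, dotted: str) -> Optional[Any]:
    """Return the value at a dotted path such as 'dbSettings.dbUser', or None if absent."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_values(values: dict) -> List[str]:
    """Return human-readable problems; an empty list means the values look consistent."""
    problems: List[str] = []

    # TLS: the issuer decides which other keys must be present.
    issuer = lookup(values, "tlsIssuer")
    domain = lookup(values, "diffgramDomain") or DEFAULT_DOMAIN
    if issuer not in VALID_TLS_ISSUERS:
        problems.append(f"tlsIssuer must be one of {VALID_TLS_ISSUERS}, got {issuer!r}")
    elif issuer == "issuer-local":
        if not lookup(values, "localCaSecretName"):
            problems.append("tlsIssuer=issuer-local needs localCaSecretName (the TLS secret holding ca.key/ca.crt)")
    else:  # letsencrypt-staging / letsencrypt-prod
        if lookup(values, "useCertManager") is not True:
            problems.append(f"tlsIssuer={issuer} needs useCertManager: true so the Issuer resource is created")
        if domain == DEFAULT_DOMAIN:
            problems.append(f"tlsIssuer={issuer} needs diffgramDomain set to a domain you own, not {DEFAULT_DOMAIN}")

    # Database: a managed RDS instance is only reachable if its endpoint is given.
    db_provider = lookup(values, "dbSettings.dbProvider")
    if db_provider not in VALID_DB_PROVIDERS:
        problems.append(f"dbSettings.dbProvider must be one of {VALID_DB_PROVIDERS}, got {db_provider!r}")
    elif db_provider == "rds" and not lookup(values, "dbSettings.rdsEndpoint"):
        problems.append("dbSettings.dbProvider=rds needs dbSettings.rdsEndpoint")
    for key in REQUIRED_DB_KEYS:
        if not lookup(values, key):
            problems.append(f"{key} is required")

    # Static storage: missing blob credentials are the README's most common cause of a stuck install.
    storage = lookup(values, "diffgramSecrets.DIFFGRAM_STATIC_STORAGE_PROVIDER") or "aws"
    if storage not in VALID_STORAGE_PROVIDERS:
        problems.append(f"DIFFGRAM_STATIC_STORAGE_PROVIDER must be one of {VALID_STORAGE_PROVIDERS}, got {storage!r}")
    elif storage == "aws":
        for key in AWS_STORAGE_KEYS:
            if not lookup(values, key):
                problems.append(f"{key} is required when DIFFGRAM_STATIC_STORAGE_PROVIDER is aws")
    return problems


# Constructed sample: a minikube install following the README's local-CA steps.
SAMPLE_LOCAL = {
    "diffgramDomain": "example.com",
    "tlsIssuer": "issuer-local",
    "localCaSecretName": "my-local-ca-key-pair",
    "dbSettings": {"dbProvider": "local", "dbUser": "postgres", "dbName": "diffgram", "dbPassword": "change-me"},
    "diffgramSecrets": {
        "DIFFGRAM_STATIC_STORAGE_PROVIDER": "aws",
        "DIFFGRAM_AWS_ACCESS_KEY_ID": "AKIA-EXAMPLE-PLACEHOLDER",
        "DIFFGRAM_AWS_ACCESS_KEY_SECRET": "secret-example-placeholder",
    },
    "diffgramSettings": {"DIFFGRAM_S3_BUCKET_NAME": "diffgram-static-example"},
}

# Constructed sample: a public-domain install that skipped steps of the cert-manager guide.
SAMPLE_BROKEN = {
    "tlsIssuer": "letsencrypt-prod",  # diffgramDomain left at default, useCertManager unset
    "dbSettings": {"dbProvider": "rds", "dbUser": "diffgram", "dbName": "diffgram"},  # no endpoint, no password
    "diffgramSecrets": {"DIFFGRAM_STATIC_STORAGE_PROVIDER": "aws"},  # no AWS keys
    "diffgramSettings": {},
}


if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, assumed installed; only needed to read a real values.yaml

    with open(sys.argv[1]) as fh:
        found = validate_values(yaml.safe_load(fh) or {})
    for problem in found:
        print("problem:", problem)
    sys.exit(1 if found else 0)
```

Run it as `python preflight.py values.yaml` before `helm install`; a non-zero exit with the listed problems is cheaper than waiting for the pre-install hook to time out. SAMPLE_LOCAL passes cleanly, while SAMPLE_BROKEN reports seven problems (missing useCertManager and real domain, missing rdsEndpoint and dbPassword, and the three AWS storage keys).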

E. Common Issues:

1. My Helm chart gets stuck during install and then times out with

Try doing kubectl get pods and find a pod named diffgram-pre-install-{SOME-ID}.

Now do kubectl logs diffgram-pre-install-{SOME-ID} -c pre-upgrade-alembic-hook

This will show the logs of the pod so you can debug the issue further. The most common cause of this error is:

  • Missing Blob Storage Provider Credentials (Either AWS Access Keys, GCP Service Account or Azure Conn String)

2. directory_id header is not present on my SDK requests.

Your ingress might not have the enable-underscores-in-headers setting turned on. Please enable it following this config reference: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-underscores-in-headers