
K8s Install Addons

Once the cloud infrastructure is in place and access to the Kubernetes cluster is verified, you can start setting up the required addons. This page explains how to install the required addons for the PenfieldAI application on your Kubernetes cluster.

Storage

Default storage classes exist, but you have to set one up for persistent, encrypted volumes. Follow the section that matches your cloud provider:

AWS

EKS has a default storage class called gp2, but we create a new one for encrypted, persistent volumes. Deploy it with: kubectl apply -f gp3-encrypted-pv.yaml

gp3-encrypted-pv.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3-encrypted-pv
  annotations:
    storageclass.kubernetes.io/is-default-class: "false"
parameters:
  type: gp3
  encrypted: "true"
  csi.storage.k8s.io/fstype: ext4
provisioner: ebs.csi.aws.com
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer

## Copyright (C) 2022 Penfield.AI INC. - All Rights Reserved ##

Azure

AKS has a default storage class called default, but you can create a new one that retains the persistent volume. Deploy it with: kubectl apply -f managed-premium-pv.yaml

managed-premium-pv.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  annotations:
    storageclass.kubernetes.io/is-default-class: "false"
  name: managed-premium-pv
parameters:
  kind: Managed
  cachingmode: ReadOnly
  storageaccounttype: Premium_LRS
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer

## Copyright (C) 2022 Penfield.AI INC. - All Rights Reserved ##

Once created, update the default disk to managed-premium. This needs to be done in two steps:

  • Mark the existing default StorageClass as non-default:

    kubectl patch storageclass default -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
  • Mark the existing managed-premium StorageClass as default:

    kubectl patch storageclass managed-premium -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

Deploy penfield-app secrets

Secrets are used to supply sensitive data to the Kubernetes pods. To deploy secrets, run the following command:

kubectl create ns penfield-app
kubectl apply -f penfieldai-secrets.yaml -n penfield-app

Tip: This is only needed for the Postgres DB. The same secret will be modified when you deploy penfield-app later on.

For reference, the penfield-secrets.yaml file looks like:

apiVersion: v1
kind: Secret
metadata:
  name: penfield-secrets
type: Opaque
data:
  POSTGRES_USER: <base 64 encoded value>
  POSTGRES_PASSWORD: <base 64 encoded value>
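The data values must be the base64 of the exact credential bytes; a trailing newline added by echo silently becomes part of the password, and base64 is an encoding, not encryption. The script below is an added example, not part of PenfieldAI's documentation: it renders the manifest in the layout shown above and checks encoded values. Its function names are hypothetical, and it assumes POSIX sh with base64, tr, tail and od.

```shell
#!/bin/sh
# Added example (not PenfieldAI's own tooling). Function names are hypothetical.
# Usage, keeping the manifest off disk:
#   render_penfield_secret "$PGUSER" "$PGPASS" | kubectl apply -n penfield-app -f -

# Encode a value exactly as given. printf '%s' avoids the trailing newline
# that `echo` appends; tr removes line wrapping added by some base64 builds.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Return 0 if a base64 data value decodes to bytes that do NOT end in
# LF (0a) or CR (0d), i.e. nothing was appended while encoding.
secret_value_clean() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ] && [ "$last" != "0d" ]
}

# Print the Secret manifest. $1 = Postgres user, $2 = Postgres password.
render_penfield_secret() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "usage: render_penfield_secret USER PASSWORD" >&2
        return 1
    fi
    user_b64=$(b64 "$1")
    pass_b64=$(b64 "$2")
    # Refuse to emit a manifest whose values carry a stray line ending.
    secret_value_clean "$user_b64" || return 1
    secret_value_clean "$pass_b64" || return 1
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: penfield-secrets
type: Opaque
data:
  POSTGRES_USER: $user_b64
  POSTGRES_PASSWORD: $pass_b64
EOF
}
```

secret_value_clean can also be run against values copied from an existing manifest to find credentials that were encoded with echo.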

Deploy penfield-app regcred

Regcred is used to pull images from the PenfieldAI image repository. To deploy regcred, run the following command:

Tip: Username and Password must be provided by PenfieldAI.

kubectl create secret docker-registry regcred \
  --docker-server=https://registry.gitlab.com \
  --docker-username=<Username> \
  --docker-password=<Password> \
  -n penfield-app

Deploy SSL certificates (optional)

If you are using AWS, SSL termination can be done at the ALB level, and AWS ACM can create a certificate for use with the ALB. So if you are using the AWS public cloud, this section does not apply. If you are using Azure or another private cloud, you need to deploy the SSL certificates inside the cluster. Once you have SSL certificates from your provider for the FQDN (Fully Qualified Domain Name), you can deploy them using the following command:

kubectl create secret tls ingress-tls \
  --namespace penfield-app \
  --key path/to/key/file.key \
  --cert path/to/cert/file.crt

Note: When you deploy penfield-app in the next step, make sure you use the TLS settings in the values file for the ingress endpoints.