Step 6 - Install and configure prerequisite components
Gather role ARNs
If you have the role ARNs from the roles created in Prerequisites step, you can skip this part.
Instead, if you have role names, please use below commands to get the role ARNs. Make sure to set the prefix and profile in the below commands before running them.
prefix=""
profile=""
external_secrets_iam_role_arn=$(aws iam get-role --role-name role-cdrp-ext-secrets-${prefix} --profile ${profile} --query 'Role.Arn')
echo "external_secrets_iam_role_arn=${external_secrets_iam_role_arn}"
efs_iam_role_arn=$(aws iam get-role --role-name role-cdrp-efs-csi-${prefix} --profile ${profile} --query 'Role.Arn')
echo "external_secrets_iam_role_arn=${efs_iam_role_arn}"
Now that you have access to the Helm charts, they can be deployed.
- First install the prerequisite components:
# Install RabbitMQ cluster operator
helm upgrade --install rabbitmq-cluster-operator oci://glasswallhub.azurecr.io/docker/bitnamicharts/rabbitmq-cluster-operator \
--atomic \
--version 4.4.23 \
--set global.imageRegistry=glasswallhub.azurecr.io \
--set global.imagePullSecrets[0]=acr-secret \
--set global.security.allowInsecureImages=true \
--set msgTopologyOperator.fullnameOverride=rabbitmq-messaging-topology-operator \
--set clusterOperator.image.repository="cgr.dev/rabbitmq-cluster-operator" \
--set clusterOperator.image.tag=2.17.0 \
--set msgTopologyOperator.image.repository="cgr.dev/rabbitmq-messaging-topology-operator" \
--set msgTopologyOperator.image.tag=1.18.0 \
--set credentialUpdaterImage.repository="cgr.dev/rabbitmq-default-user-credential-updater" \
--set credentialUpdaterImage.tag=1.0.9 \
--set rabbitmqImage.repository="cgr.dev/rabbitmq" \
--set rabbitmqImage.tag=4.2.4 \
--set clusterOperator.watchAllNamespaces=false \
--set clusterOperator.watchNamespaces={cdrplatform} \
--set msgTopologyOperator.watchAllNamespaces=false \
--set msgTopologyOperator.watchNamespaces={cdrplatform} \
--set clusterOperator.resources.requests.cpu=100m \
--set clusterOperator.resources.requests.memory=256Mi \
--set clusterOperator.resources.limits.cpu=100m \
--set clusterOperator.resources.limits.memory=256Mi \
--set msgTopologyOperator.resources.requests.cpu=100m \
--set msgTopologyOperator.resources.requests.memory=256Mi \
--set msgTopologyOperator.resources.limits.cpu=100m \
--set msgTopologyOperator.resources.limits.memory=256Mi
# Install KEDA
helm upgrade --install keda "oci://glasswallhub.azurecr.io/ghcr/home-operations/charts-mirror/keda" --atomic \
--namespace cdrplatform \
--set imagePullSecrets[0].name=acr-secret \
--set global.image.registry="glasswallhub.azurecr.io" \
--set image.keda.repository="cgr.dev/keda" \
--set image.keda.tag=2.18.3 \
--set image.metricsApiServer.repository="cgr.dev/keda-metrics-apiserver" \
--set image.metricsApiServer.tag=2.18.3 \
--set image.webhooks.repository="cgr.dev/keda-admission-webhooks" \
--set image.webhooks.tag=2.18.3 \
--version 2.18.3
# Install nginx ingress controller
helm upgrade --install nginx-ingress oci://glasswallhub.azurecr.io/k8s/ingress-nginx/charts/ingress-nginx --atomic \
--set imagePullSecrets[0].name=acr-secret \
--set global.image.registry="glasswallhub.azurecr.io" \
--set controller.image.image="cgr.dev/ingress-nginx-controller" \
--set controller.admissionWebhooks.patch.image.image="cgr.dev/kube-webhook-certgen" \
--set controller.image.digest=null \
--set controller.admissionWebhooks.patch.image.digest=null \
--version v4.13.3
# Install External Secrets
helm upgrade --install external-secrets oci://glasswallhub.azurecr.io/ghcr/external-secrets/charts/external-secrets \
--atomic \
--set imagePullSecrets[0].name=acr-secret \
--set webhook.imagePullSecrets[0].name=acr-secret \
--set certController.imagePullSecrets[0].name=acr-secret \
--set image.repository="glasswallhub.azurecr.io/cgr.dev/external-secrets" \
--set image.tag=0.16.2 \
--set webhook.image.repository="glasswallhub.azurecr.io/cgr.dev/external-secrets" \
--set webhook.image.tag=0.16.2 \
--set certController.image.repository="glasswallhub.azurecr.io/cgr.dev/external-secrets" \
--set certController.image.tag=0.16.2 \
--version 0.16.2 \
--set installCRDs=true
# Replace ${external_secrets_iam_role_arn} with the ARN value of the role that has access to Secrets Manager,
# and ${region} with your AWS region.
helm upgrade --install cdrplatform-external-secrets -n cdrplatform cdrplatform-external-secrets --atomic --create-namespace \
--set cloud_providers.aws.enabled=true \
--set cloud_providers.aws.secretsManager.iam_role="${external_secrets_iam_role_arn}" \
--set cloud_providers.aws.secretsManager.region="${region}"
# Replace ${efs_iam_role_arn} with the ARN value of the role for EFS CSI driver.
helm upgrade -i aws-efs-csi-driver aws-efs-csi-driver/aws-efs-csi-driver \
--namespace cdrplatform \
--set image.repository=602401143452.dkr.ecr.${region}.amazonaws.com/eks/aws-efs-csi-driver \
--set controller.serviceAccount.create=true \
--set controller.serviceAccount.name=sa-efs-csi-controller \
--set controller.serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="${efs_iam_role_arn}"
- Note, when upgrading the
rabbitmq-cluster-operatorHelm chart CRDs will not be installed. If new CRDs are introduced in the new releases, the CRDs need to be installed manually to avoid issues with running the RabbitMQ cluster operator pods.
helm pull oci://glasswallhub.azurecr.io/docker/bitnamicharts/rabbitmq-cluster-operator --untar
kubectl apply -f rabbitmq-cluster-operator/crds/
- Then, install the supporting components:
# Replace ${file_system_id} and ${storageAmount} with values for your environment.
helm upgrade --install cdrplatform-storage -n cdrplatform cdrplatform-storage \
--set cloud_provider=aws \
--set aws.efs.file_system_id=${file_system_id} \
--set storageAmount=${storageAmount}
helm upgrade --install cdrplatform-rabbitmq -n cdrplatform cdrplatform-rabbitmq \
--set image.registry=glasswallhub.azurecr.io \
--set image.tag=171395 \
--set cloud_provider=aws \
--atomic