Prerequisite Note
Before you start deploying the One Connect platform, make sure you meet the following requirements:
Compatible Operating Systems:
Kubernetes cluster nodes must use Linux operating systems.
Affinity for Other Operating Systems:
If the cluster also contains nodes running operating systems other than Linux, node affinity must be configured in the setup so that the One Connect workloads run only on Linux nodes. For this adjustment, contact the Onibex team, who will provide installation-specific support and instructions.
The oneconnect-kubernetes .zip attachment (which contains the manifests applied below) is required.
Creating Kubernetes Service
- Log in to Azure services
- Select Kubernetes services.
- Create a new Kubernetes cluster.
- In Project details, select the subscription.
- Add a new resource group with a name you can recognize in the following steps.
- In Cluster details, keep the instance size pre-selected by Azure (One Connect can also run on smaller instances).
- Select the region where you want to deploy the cluster and leave the remaining options at their defaults unless a specific option is needed.
- In the node pools step, additional nodes can be added if necessary (One Connect places no restriction on the number of nodes).
- Finally, select Review + create and review the details of the cluster to be created.
- In the Networking section (for a proof-of-concept deployment), the default options can be kept unless a specific configuration for the deployment network is required.
- For inbound and outbound traffic between pods, set Network policy to "None", since all One Connect pods communicate with each other; with this setting no NetworkPolicy is enforced in the cluster. If the cluster requires a specific network policy, the traffic that must be allowed between pods has to be reviewed individually.
- Once the networking section has been reviewed, press Create to create the cluster for One Connect. The sections covered above are the ones required.
- The following screens are displayed while the cluster is being created.
- Once the creation process is completed, the new cluster can be viewed in the list of Kubernetes services.
Pre-setting Kubernetes
Configuring YAML Files in Kubernetes:
A set of .txt files containing .yaml manifests is delivered to be applied to the Kubernetes cluster. All of them are applied in the same way:
- Open the newly created Kubernetes cluster to start the setup.
- Select "Create", "Apply YAML" and paste the text of the file referenced in the documentation.
Creation of the namespace "oneconnect" (manifest: namespace.txt):
- To apply the manifest:
- Navigate to: "Namespaces".
- Select "Create", "Apply YAML".
Secret for the private Onibex Docker Hub repository (dockerhub.yaml):
- Navigate to: "Configuration", "Secrets", "Create".
Kubernetes Role for the builder account (role.txt):
- Navigate to: "Configuration", "Config Maps", "Create".
Builder ServiceAccount (builder-serviceaccount.txt):
- Navigate to: "Configuration", "Config Maps", "Create".
RoleBinding for the builder service account (role-binding.txt):
- Navigate to: "Configuration", "Config Maps", "Create".
Creating One Connect deployments
Navigate to "Workloads", "Create", "Apply YAML" and apply the following files. This applies to all deployments, which can be created in any order.
There are a total of 7 manifests:
- apigateway-deployment.yaml
- auth-deployment.yaml
- builder-deployment.yaml (review its settings in the note at the end of this step)
- cwcback-deployment.yaml
- emailbuilder-deployment.yaml
- logs-deployment.yaml
- metrics-deployment.yaml
Note
For the builder-deployment.yaml file:
- The deployment includes an environment variable called KUBERNETES_ISINGRESSACTIVE.
- To expose the services of the created workspaces to the Internet through an Ingress, set this variable to true. In that case, completing Step 5 (the Ingress configuration) is mandatory.
- If no Internet access is required, set the value to false. This closes external access, and Step 6 (the internal load balancer) is then required to create an internal entry point for the services.
Creating services in OneConnect
Navigate to "Services and Ingress", "Create", "Apply YAML" and apply the following files. This applies to all services, which can be created in any order. There are a total of 7 services:
- apigateway-service.yaml
- auth-service.yaml
- builder-service.yaml
- cwcback-service.yaml
- emailbuilder-service.yaml
- logs-service.yaml
- metrics-service.yaml
Configuring the Producer Ingress Cluster (OPTIONAL)
Note: This step applies only if, during Step 3 (creation of deployments), the environment variable KUBERNETES_ISINGRESSACTIVE in the manifest builder-deployment.yaml was configured with the value true.
- Navigate to the "Services and Ingress" section, select "Create" and then click "Ingress". A pop-up appears to enable the configuration the cluster needs in order to support Ingress, as shown in the picture. Click the "Enable" button.
- Wait a few minutes while the cluster is reconfigured.
- Afterwards, in the "Services and Ingress" section, select "Ingress"; the "Create" option will now be enabled.
- To create an Ingress in Azure, the .yaml manifest that comes with the configuration should not be applied. Instead, use the Azure wizard through the "Create", "Ingress" option.
- Two Ingresses must be created: one called producer-oneconnect and another called apigateway, both in the namespace "oneconnect". Both reference the service apigateway, and the creation steps are the same for both.
- The Key Vault creation step is done only once; additional certificates are added only if the apigateway and oneconnect Ingresses use different domains.
- A new Key Vault must be created because Azure's Ingress policy makes it mandatory.
- Click the "Select a certificate" option and create it with the default options.
- Select the Key Vault just created; it must be chosen at the time the Ingress is created. In the "Select certificate" option, the certificate must be in .pfx format so that it can be imported into the Key Vault and referenced from the Ingress.
- You can proceed to review the settings and create the ingress.
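As an added example (not part of the Onibex documentation or the delivered files), the following shell functions build the .pfx bundle that the Key Vault certificate import expects from a PEM private key and certificate, and read the subject and key back out of the result as a check before uploading. The file names, the friendly name oneconnect-ingress and the PFX_PASSWORD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the .pfx (PKCS#12) bundle that Azure Key Vault imports,
# from a PEM private key and certificate, and check the result.
# Assumptions: openssl is installed; the export password is supplied through the
# PFX_PASSWORD environment variable (not on the command line, so it does not
# show up in the process list or the shell history).

# make_pfx KEY.pem CERT.pem OUT.pfx [CHAIN.pem]
# Bundles the key and leaf certificate (plus the optional CA chain) into OUT.pfx.
make_pfx() {
    key=$1; cert=$2; out=$3; chain=$4
    [ -n "$PFX_PASSWORD" ] || { echo "PFX_PASSWORD is not set" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name oneconnect-ingress -out "$out" -passout env:PFX_PASSWORD
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name oneconnect-ingress -out "$out" -passout env:PFX_PASSWORD
    fi
    chmod 600 "$out"   # the bundle contains the private key: owner-readable only
}

# pfx_subject OUT.pfx
# Prints the subject of the leaf certificate in the bundle (RFC 2253 form),
# so the right certificate can be confirmed before it goes into the Key Vault.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# pfx_has_key OUT.pfx
# Succeeds only if the bundle carries a private key; an Ingress certificate
# imported without its key cannot terminate TLS.
pfx_has_key() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASSWORD -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}
```

A throwaway self-signed pair generated with `openssl req -x509 -newkey rsa:2048 -nodes` is enough to exercise the functions before running them on the real certificate.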
Creating an internal load balancer as a private entry point
Note: If the environment variable KUBERNETES_ISINGRESSACTIVE is set to false, you must follow this step to:
- Keep services restricted exclusively to the internal environment without an internet connection.
- Generate a private entry point that allows access to the user portal and the workspaces created.
Instructions:
- Navigate to the "Services and Ingress" section in the Kubernetes cluster.
- Select the "Create" option, then "Apply YAML".
- Apply the manifest Internal-loadbalancer.yaml to configure the internal load balancer.
This creates a private entry point that ensures connectivity within the internal Azure environment.
This manifest creates the internal entry point to the apigateway, which is the address to configure as the frontend connection of the One Connect user platform.
After the load balancer is created, the IP shown as "external" is the private IP; connectivity from the cloud services to it must be opened on port 9000.
For example, a valid endpoint for REST login requests would be: http://10.224.0.222:9000/auth/api/v1/auth/signin
Optionally, if a workspace needs its own internal IP and the cluster deployment IP cannot be used, after generating the workspace you can repeat the same step using the manifest internallb-workspace.yaml, changing the values in it to the name of the generated workspace.
The name appears as follows in the workspace YAML, in the deployment section under Workloads: copy the value of the label "oneconnect".
This generates a similar load balancer, whose external IP is the private IP to be configured in SAP.
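As an added example (not the Internal-loadbalancer.yaml or internallb-workspace.yaml delivered by Onibex, whose contents are not shown here), the shell function below renders a Service manifest of the kind this step applies: an Azure internal load balancer that selects pods by the value of the "oneconnect" label and, optionally, only accepts clients from one CIDR. The Service name, the target port being the same as the exposed port, and the sample CIDR are assumptions of this example.

```shell
#!/bin/sh
# Added example: render a Service manifest for a private (internal) Azure load
# balancer in front of a One Connect workload. Illustrative reconstruction of
# the kind of manifest this step applies, not the vendor's file.
#
# render_internal_lb NAME LABEL_VALUE PORT [CLIENT_CIDR]
#   NAME         Service name (assumed, e.g. internallb-ws-demo)
#   LABEL_VALUE  value copied from the "oneconnect" label of the target
#                deployment (the workspace name for a workspace)
#   PORT         port exposed on the private IP; 9000 for the apigateway
#   CLIENT_CIDR  optional: only this range may reach the frontend IP
#                (loadBalancerSourceRanges), a restriction on top of the
#                private address itself
render_internal_lb() {
    name=$1; label_value=$2; port=$3; client_cidr=$4
    case $port in
        ''|*[!0-9]*) echo "PORT must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${name}
  namespace: oneconnect
  annotations:
    # AKS annotation: allocate the frontend IP from the VNet instead of a public IP
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  selector:
    oneconnect: ${label_value}
  ports:
    - name: http
      protocol: TCP
      port: ${port}
      targetPort: ${port}
EOF
    if [ -n "$client_cidr" ]; then
        printf '  loadBalancerSourceRanges:\n    - %s\n' "$client_cidr"
    fi
}
```

Write the output to a file and apply it through "Create", "Apply YAML" as in the instructions above; the IP shown as "external" on the resulting Service is the private address.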