Difference between revisions of "AUTH/Current/AuthPEGuide/Deploy"
(Published) |
|||
| Line 1: | Line 1: | ||
| − | {{ | + | {{ArticlePEServiceDeploy |
| − | | | + | |ServiceId=6f7f1a8d-4e60-4b8d-a6f0-8cafdbdf0a3e |
| − | | | + | |IncludeAssumptions=Yes |
| − | |||
| − | |||
|Section={{Section | |Section={{Section | ||
|alignment=Vertical | |alignment=Vertical | ||
| Line 21: | Line 19: | ||
<source lang="text">oc get clusterversion</source> | <source lang="text">oc get clusterversion</source> | ||
| − | Create a new project for Genesys Authentication:{{NoteFormat| | + | Create a new project for Genesys Authentication:{{NoteFormat|Deploy Genesys Authentication in the '''gws''' namespace if you use the default OpenShift Ingress Controller; otherwise, deploy in the '''gauth''' namespace.|}} |
| − | <source lang="text">oc new-project | + | <source lang="text">oc new-project gws</source> |
===GKE=== | ===GKE=== | ||
Log in to the GKE cluster from the host where you will run the deployment: | Log in to the GKE cluster from the host where you will run the deployment: | ||
Revision as of 16:35, April 22, 2022
Contents
Learn how to deploy Genesys Authentication into a private edition environment.
Assumptions
- The instructions on this page assume you are deploying the service in a service-specific namespace, named in accordance with the requirements on Creating namespaces. If you are using a single namespace for all private edition services, replace the namespace element in the commands on this page with the name of your single namespace or project.
- Similarly, the configuration and environment setup instructions assume you need to create namespace-specific (in other words, service-specific) secrets. If you are using a single namespace for all private edition services, you might not need to create separate secrets for each service, depending on your credentials management requirements. However, if you do create service-specific secrets in a single namespace, be sure to avoid naming conflicts.
Prepare your environment
To prepare your environment for the deployment, complete the steps in this section for either OpenShift or Google Kubernetes Engine (GKE).
OpenShift
Log in to the OpenShift cluster from the host where you will run the deployment:
oc login --token <token> --server <url of api server>
First confirm the cluster is running:
oc get clusterversionoc new-project gwsGKE
Log in to the GKE cluster from the host where you will run the deployment:
gcloud container clusters get-credentials <cluster>{
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"name": "gauth",
"labels": {
"name": "gauth"
}
}
}kubectl apply -f create-gauth-namespace.jsonkubectl describe namespace gauthDeploy
To deploy Genesys Authentication, you'll need the Helm package and your overrides file. Copy values.yaml and the Helm package (gauth-<version>.tgz) to the installation location.
For OpenShift, select the gauth project (or gws if you are using the OpenShift Ingress Controller) you created in Prepare your environment:
oc project gauth
For debugging purposes, use the following command to render templates without installing so you can check that resources are created properly:
helm template --debug /gauth-<version>.tgz -f values.yaml
The result shows Kubernetes descriptors. The values you see are generated from Helm templates, and based on settings from values.yaml. Ensure that no errors are displayed; you will later apply this configuration to your Kubernetes cluster.
Now you're ready to deploy Genesys Authentication:
helm install gauth ./gauth-<version>.tgz -f values.yaml -n gauth
Configure external access
Follow the instructions for either OpenShift or GKE to make the Genesys Authentication services accessible from outside the cluster.
Create routes in OpenShift
After deploying, make the Genesys Authentication services accessible from outside the OpenShift cluster using the standard HTTP port. Make sure to use the same hostname for all three routes. Genesys recommends using the following hostname format: gauth.<cluster-subdomain>. For example, the VCE cluster (https://console-openshift-console.apps.<yourclusterdomain>.com/) should have the hostname gauth.apps.<yourclusterdomain>.com
oc create route edge --service=<env-service> --hostname=<hostname> --path /environment oc create route edge --service=<gauth-service> --hostname=<hostname> --path /auth oc create route edge --service=<gauth-auth-ui-service> --hostname=<hostname> --path /ui/auth
Verify the new route is created in the gauth namespace (or gws if you are using the OpenShift Ingress Controller):
oc get route -n gauth
The result includes the following information about the services:
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD env gauth.apps.<yourclusterdomain>.com /environment gauth-environment https None gauth gauth.apps.<yourclusterdomain>.com /auth gauth-auth https None gauth-auth-ui gauth.apps.<yourclusterdomain>.com /ui/auth gauth-auth-ui https None
Note: HOST is the host name generated by OpenShift.
Provision ingresses for GKE
After deploying, make Genesys Authentication services accessible from outside the GKE cluster using the NGINX Ingress Controller.
Create a YAML file called gauth-ingress.yaml with the content below. Note: Replace gws.<domain> and gauth.<domain> with your GWS and Genesys Authentication domains, such asgws.test.dev.apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: gauth-gws-ingress
namespace: gauth
annotations:
# add an annotation indicating the issuer to use.
cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
# Custom annotations for NGINX Ingress Controller
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
rules:
- host: gws.<domain> - e.g. gws.test.dev
http:
paths:
- path: /ui/auth/.*
backend:
serviceName: gauth-auth-ui
servicePort: 80
- path: /auth/.*
backend:
serviceName: gauth-auth
servicePort: 80
- path: /environment/.*
backend:
serviceName: gauth-environment
servicePort: 80
tls:
- hosts:
- gws.<domain> - e.g. gws.test.dev
secretName: gauth-gws-ingress-cert
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: gauth-gauth-ingress
namespace: gauth
annotations:
# add an annotation indicating the issuer to use.
cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
# Custom annotations for NGINX Ingress Controller
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
rules:
- host: gauth.<domain> - e.g. gauth.test.dev
http:
paths:
- path: /ui/auth/.*
backend:
serviceName: gauth-auth-ui
servicePort: 80
- path: /auth/.*
backend:
serviceName: gauth-auth
servicePort: 80
- path: /environment/.*
backend:
serviceName: gauth-environment
servicePort: 80
tls:
- hosts:
- gauth.<domain> - e.g. gauth.test.dev
secretName: gauth-gauth-ingress-certkubectl apply -f gauth-ingress.yaml -n gwsValidate the deployment
Check the installed Helm release:
helm list
The results should show the Genesys Authentication deployment details. For example:
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION gauth gauth 1 2021-05-20 11:56:32.5531685 +0530 +0530 deployed gauth-0.1.77 0.1
Check the gauth namespace (or gws if you are using the OpenShift Ingress Controller) status:
helm status gauth
The result should show the namespace details with a status of deployed:
NAME: gauth LAST DEPLOYED: Thu May 20 11:56:32 2021 NAMESPACE: gauth STATUS: deployed REVISION: 1 TEST SUITE: None
Check the Genesys Authentication Kubernetes objects created by Helm:
kubectl get all -n gauth
The result should show all the created pods, service ConfigMaps, and so on.
Finally, verify that you can now access Genesys Authentication at the following URL: https://<hostname>/ui/auth/sign-in.html