Skip to main content
Version: 7.3

Installation using Kubernetes

This section describes how to deploy ASM using Kubernetes (K8s).

note

The instructions below refer to a fresh installation of ASM.

You can install K8s in one of the following ways:

🖥️ Local installation using minikube.

☁️ Cloud installation using EKS by Amazon Web Services (AWS).

Requirements

To run ASM locally on a K8s minikube environment, install:

  • Kubernetes and kubectl

    The open-source system for automating deployment, scaling, and management of containerized applications along with its command line tool.

  • minikube

    Local K8s for macOS, Linux, and Windows.

  • AWS CLI

    The official command line interface to manage AWS services.

  • Helm

    The package manager for K8s.

  • Docker and Docker Compose

    The open platform to package and run applications in isolated containers along with the tool for defining and running multi-container Docker applications.

Preparation

Axiomatics Services Manager is downloaded via AWS CLI. If you have not already done so, install AWS CLI following the instructions in AWS documentation.

  1. Configure the Axiomatics AWS CLI account using the aws configure command, as explained in the AWS documentation. This procedure requires an Access key ID and a Secret access key, which will have been provided to you by Axiomatics.

    tip

    Optionally, you can create and use profiles to store these settings, as described here. This could come in handy in deployments using a remote registry which requires an additional AWS CLI account from your side.

  2. The ASM distribution is downloaded as a ZIP file, containing a pre-configured Docker-based installation. Run the following command in the terminal to download ASM:

    aws s3api get-object --bucket axiomatics-customer-artifacts --key releases/com/axiomatics/axiomatics-services-manager/axiomatics-services-manager/7.3.0-0/axiomatics-services-manager-7.3.0-0.zip axiomatics-services-manager-7.3.0-0.zip

Docker registry

The Docker registry is a server side application that stores and lets you distribute Docker images. It is recommended to work with the remote registry provided by Axiomatics, or optionally your own remote registry. However, for local installations only, if a remote registry cannot be supported by your specific setup, then you can deploy a local registry server.

Follow the steps below according to your specific setup:

Log in to the Amazon ECR registry provided by Axiomatics.

aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 748131003707.dkr.ecr.eu-central-1.amazonaws.com

Docker image

Important

If you are using the Axiomatics registry you should skip this section. However, if you are using your own remote or local registry, the steps below are required.

Build and push the Docker image
  1. Extract the ASM distribution ZIP file to the folder from where you want to run ASM.

  2. Navigate to the docker folder of the extracted distribution.

    1. Open the credentials.txt file and update the placeholder values for Access key ID and Secret access key with the values provided by Axiomatics.

      note

      These are the same values that were used in setting up AWS CLI.

    2. Open the .env file and add your registry.

      REGISTRY=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
    3. Optionally, for deployments that include Access Decision Service (ADS):

      Add your hostname

      Open the .env file and update the values of HOST and CERTIFICATE_CN with your own hostname.

      note

      In case you are working with localhost, use the special domain host.docker.internal.

  3. Enable the BuildKit feature of Docker:

    $Env:DOCKER_BUILDKIT=1
  4. Run the following command to build ASM.

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml build 
  5. Run the following command to push the image to your registry.

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml push

SSL Certificate

In production environments, you should import trusted certificates only, while in dev and test environments you have the ability to create a self-signed certificate.

ASM requires a PKCS#12 (Public Key Cryptography Standard #12) certificate. In case you already have a certificate with different format such as .pem, you should convert it to PKCS#12. The certificate file must be named cert.keystore.p12. During the creation of the certificate, the name (or alias) must be set to server.

  1. Navigate to the docker/api.gateway/certs/ folder of the extracted distribution.
  2. Copy your certificate to this folder.

ASM K8s installation

  1. Navigate to the kubernetes directory.

    Add the axiomatics_ASM.license license file and launch a terminal window in this directory.

  2. Run the following command to start minikube.

    minikube start
    #In case the system is slow, use the following command instead:
    minikube start --memory 4096
  3. After minikube has started, launch a new terminal window and create a tunnel.

    minikube tunnel
    Important

    This terminal window should remain open during the K8s installation.

  4. On the initial terminal window, create the ASM namespace.

    kubectl create namespace axiomatics-asm

Create ConfigMaps

kubectl create configmap certs --from-file=../docker/api.gateway/certs -n axiomatics-asm

Create secrets

  1. Create a Kubernetes database secret.

    kubectl create secret generic db-connection \
    --from-literal=dbuser=postgres \
    --from-literal=dbpassword=password \
    --from-literal=dbhost=db \
    --from-literal=dbport=5432 \
    --from-literal=adm_dbname=domain_manager \
    --from-literal=keycloak_dbname=keycloak \
    --from-literal=asm_dburl=postgresql://db:5432/asm \
    --namespace=axiomatics-asm
  2. Create an ADM credentials secret.

    kubectl create secret generic adm-credentials \
    --from-literal=admApiAuthUsername=admin \
    --from-literal=admApiAuthPassword=secret -n axiomatics-asm
  3. Create a Keycloak credentials secret.

    kubectl create secret generic keycloak-credentials \
    --from-literal=keycloakUser=admin \
    --from-literal=keycloakPassword=admin -n axiomatics-asm
  4. Create a secret for pulling from ECR.

    Important

    Skip this step if you are using a Local registry.

    kubectl create secret docker-registry regcred \
    --docker-server=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com \
    --docker-username=AWS --docker-password=$(aws ecr get-login-password) \
    --namespace=axiomatics-asm
  5. Create an ASM License secret.

    kubectl create secret generic asm-license \
    --from-file=axiomatics_ASM.license \
    --namespace axiomatics-asm

Final steps

You can deploy ASM with the Dashboard functionality enabled or disabled.

  1. Follow the steps below according to your specific setup:

    Navigate to the kubernetes directory and install ASM using Helm.

    Important

    Replace the placeholders with your own values. For details, see the table below.

    helm install -n axiomatics-asm asm -f asmcharts/values.yaml asmcharts --set imageRegistry=<image_registry> --set asmHostname=<your_asm_hostname>
    tip

    Store this command in a TXT file for future reference, such as when upgrading to a later version of ASM or in case you want to enable cluster-level logging.

    PlaceholderValue
    <image_registry>The image registry:
    - For local registry: host.docker.internal:5000
    - For remote or Axiomatics registry: <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
    <your_asm_hostname>The hostname assigned to the instance running ASM. The default is localhost.
  2. List all pods and make sure they are all running.

    kubectl get all -n axiomatics-asm

Troubleshooting

Extra commands that could assist your troubleshooting effort.

Important

In the snippets below replace

  • <region_code> with your cluster's AWS Region
  • <aws_account_id> with your AWS account ID

Kubernetes statuses

ErrImagePull

If the pod status is ErrImagePull because of an expired registry credentials secret:

  1. Delete secret.
    kubectl delete secret regcred -n axiomatics-asm
  2. Recreate it.
    kubectl create secret docker-registry regcred --docker-server=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password) --namespace=axiomatics-asm 

ImagePullBackOff

The status ImagePullBackOff means that the ECR Docker image is too large and cannot be downloaded. To resolve this issue, use the following commands to download the required image within minikube.

Important

Replace the placeholders with the appropriate values before running the commands.

minikube ssh
su - root # Default password is 'root'
apt-get update
apt-get install unzip
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws configure # Provide AWS Access Key ID and AWS Secret Access Key
aws ecr get-login-password --region <region_code> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com
docker pull <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/asm-core:<version>

What's next?

Add users

During the deployment, a Keycloak service was also installed, to serve as an authentication module for the users of ASM. Only a default administrative user is created automatically at this time. All other users must be created and assigned a role in Keycloak, before they can log in to ASM.

To add more users and map them to roles you must use Keycloak as described in Manage users in Keycloak. Then, you can assign them to projects following the instructions in the Users and projects topic.

Important

For deployments with Policy Designer, you should also configure Keycloak accordingly.

Additional configuration

Once the installation of ASM has been verified as successful, there are additional configurations you may want to consider.