Skip to main content

The most recent patch for this version is 7.6.1.  Learn more  

Version: 7.6

Installation using Kubernetes

You can deploy ASM using Kubernetes (K8s) in one of the following ways:

🖥️ Local installation using minikubeOpens in a new tab.

☁️ Cloud installation using EKSOpens in a new tab by Amazon Web Services (AWS).

note

The instructions below refer to a fresh installation of ASM.

Preparation

To run ASM locally on a K8s minikube environment, install:

  • KubernetesOpens in a new tab and kubectlOpens in a new tab

    The open-source system for automating deployment, scaling, and management of containerized applications along with its command line tool.

  • minikubeOpens in a new tab

    Local K8s for macOS, Linux, and Windows.

  • AWS CLIOpens in a new tab

    The official command line interface to manage AWS services.

  • HelmOpens in a new tab

    The package manager for K8s.

  • DockerOpens in a new tab and Docker ComposeOpens in a new tab

    The open platform to package and run applications in isolated containers along with the tool for defining and running multi-container Docker applications.

AWS CLI

Axiomatics Services Manager is downloaded using the AWS CLI. If you have not already done so, install AWS CLI following the instructions in AWS documentationOpens in a new tab.

  1. Configure the Axiomatics AWS CLI account using the aws configure command, as explained in the AWS documentationOpens in a new tab. This procedure requires an Access key ID and a Secret access key, which will have been provided to you by Axiomatics.

    tip

    Optionally, you can create and use profiles to store these settings, as described in this AWS help pageOpens in a new tab. This could come in handy in deployments using a remote registry which requires an additional AWS CLI account from your side.

  2. The ASM distribution is downloaded as a ZIP file, containing a pre-configured Docker-based installation. Run the following command in the terminal to download ASM:

    aws s3api get-object --bucket axiomatics-customer-artifacts --key releases/com/axiomatics/axiomatics-services-manager/axiomatics-services-manager/7.6.1-0/axiomatics-services-manager-7.6.1-0.zip axiomatics-services-manager-7.6.1-0.zip

Docker registry

The Docker registry is a server side application that stores and lets you distribute Docker images. It is recommended to work with the remote registry provided by Axiomatics, or optionally your own remote registry. However, for local installations only, if a remote registry cannot be supported by your specific setup, then you can deploy a local registry server.

Follow the steps below according to your specific setup:

Log in to the Amazon ECR registry provided by Axiomatics.

aws ecr get-login-password --region eu-central-1 | docker login --username AWS --password-stdin 748131003707.dkr.ecr.eu-central-1.amazonaws.com

Docker image

Important

If you are using the Axiomatics registry you should skip this section. However, if you are using your own remote or local registry, the steps below are required.

Build and push the Docker image

  1. Extract the ASM distribution ZIP file to the folder from where you want to run ASM.

  2. Navigate to the docker folder of the extracted distribution.

    1. Open the credentials.txt file and update the placeholder values for Access key ID and Secret access key with the values provided by Axiomatics.

      note

      These are the same values that were used in setting up AWS CLI.

    2. Open the .env file and add your registry.

      REGISTRY=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/

    3. Optionally, for deployments that include Access Decision Service (ADS):

      Add your hostname

      Open the .env file and update the values of HOST and CERTIFICATE_CN with your own hostname.

      note

      In case you are working with localhost, use the special domain host.docker.internal.

  3. Enable the BuildKit feature of Docker:

    $Env:DOCKER_BUILDKIT=1

  4. Build the ASM service and push the image to your registry.

    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml build 
    docker-compose -f docker-compose.yml -f docker-compose.dashboard.yml push

SSL Certificate

In production environments, you should import trusted certificates only, while in dev and test environments you have the ability to create a self-signed certificate.

ASM requires a PKCS#12 (Public Key Cryptography Standard #12) certificate. In case you already have a certificate with different format such as .pem, you should convert it to PKCS#12. The certificate file must be named cert.keystore.p12. During the creation of the certificate, the name (or alias) must be set to server.

  1. Navigate to the docker/api.gateway/certs/ folder of the extracted distribution.
  2. Copy your certificate to this folder.

Custom configuration

Optionally, you can customize the deployment to your specific requirements by editing the files located within the kubernetes/asmcharts/configurations directory and its subfolders. Each file contains comprehensive comments for every property explaining their purpose and impact.

Important

Changes to the default configuration introduce potential risks and should be performed with caution. We strongly advise against unnecessary modifications and recommend exploring alternative solutions whenever possible.

Editing the configuration post-deployment is possible, but require specific steps to be followed, as described in the Update configuration during runtime section.

ASM K8s installation

  1. Navigate to the kubernetes directory.

    Add the axiomatics_ASM.license license file and launch a terminal window in this directory.

  2. Start minikube.

    minikube start

  3. After minikube has started, launch a new terminal window and create a tunnel.

    minikube tunnel
    Important

    This terminal window should remain open during the K8s installation.

  4. On the initial terminal window, create the ASM namespace.

    kubectl create namespace axiomatics-asm

Create ConfigMaps

kubectl create configmap certs --from-file=../docker/api.gateway/certs -n axiomatics-asm

Create secrets

  1. Create a Kubernetes database secret.

    kubectl create secret generic db-connection \
    --from-literal=dbuser=postgres \
    --from-literal=dbpassword=password \
    --from-literal=dbhost=db \
    --from-literal=dbport=5432 \
    --from-literal=adm_dbname=domain_manager \
    --from-literal=keycloak_dbname=keycloak \
    --from-literal=asm_dburl=postgresql://db:5432/asm \
    --namespace=axiomatics-asm

  2. Create a Keycloak credentials secret.

    kubectl create secret generic keycloak-credentials \
    --from-literal=keycloakUser=admin \
    --from-literal=keycloakPassword=admin -n axiomatics-asm

  3. Create a secret for pulling from ECR.

    Important

    Skip this step if you are using a Local registry.

    kubectl create secret docker-registry regcred \
    --docker-server=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com \
    --docker-username=AWS --docker-password=$(aws ecr get-login-password) \
    --namespace=axiomatics-asm

  4. Create an ASM License secret.

    kubectl create secret generic asm-license \
    --from-file=axiomatics_ASM.license \
    --namespace axiomatics-asm

Final steps

You can deploy ASM with the Dashboard functionality enabled or not.

  1. Follow the steps below according to your specific setup:

    The Dashboard provides visualization of key metrics for monitoring the authorization performance of the running instances of Access Decision Service (ADS).

    Navigate to the kubernetes directory and install ASM using Helm.

    Important

    Replace the placeholders with your own values. For details, see the table below.

    helm install -n axiomatics-asm asm -f asmcharts/values.yaml asmcharts --set imageRegistry=<image_registry> --set asmHostname=<your_asm_hostname> --set enableMetricsDashboard=true
    tip

    Store this command in a TXT file for future reference, such as when upgrading to a later version of ASM or in case you want to enable cluster-level logging.

PlaceholderValue
<image_registry>The image registry:
- For local registry: host.docker.internal:5000/
- For remote or Axiomatics registry: <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/
<your_asm_hostname>The hostname assigned to the instance running ASM. The default is localhost.

  1. SSH to minikube, update the permissions, and exit.

    Important

    Run each of the following commands individually.

    minikube ssh
    sudo -i
    cd /tmp/hostpath-provisioner/axiomatics-asm
    chown -R 999:999 db/
    exit
    exit

  2. List all pods and make sure they are all running.

    kubectl get all -n axiomatics-asm
Important

If you need to modify the configuration after successful deployment, refer to the instructions in the Update configuration during runtime section.

Troubleshooting
Extra commands that could assist your troubleshooting effort.
Important

In the snippets below replace

  • <region_code> with your cluster's AWS Region
  • <aws_account_id> with your AWS account ID

Kubernetes statuses

ErrImagePull

If the pod status is ErrImagePull because of an expired registry credentials secret:

  1. Delete secret.
    kubectl delete secret regcred -n axiomatics-asm
  2. Recreate it.
    kubectl create secret docker-registry regcred --docker-server=<aws_account_id>.dkr.ecr.<region_code>.amazonaws.com --docker-username=AWS --docker-password=$(aws ecr get-login-password) --namespace=axiomatics-asm

ImagePullBackOff

The status ImagePullBackOff means that the ECR Docker image is too large and cannot be downloaded. To resolve this issue, use the following commands to download the required image within minikube.

Important

Replace the placeholders with the appropriate values before running the commands.

Important

Run each of the following commands individually.

minikube ssh
su - root # Default password is 'root'
apt-get update
apt-get install unzip  
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install 
aws configure # Provide AWS Access Key ID and AWS Secret Access Key
aws ecr get-login-password --region <region_code> | docker login --username AWS --password-stdin <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com
docker pull <aws_account_id>.dkr.ecr.<region_code>.amazonaws.com/axiomatics/asm-core:<version>

Log in to ASM

  1. After the installation has finished, open a web browser window and go to:

    https://localhost/asm if you are using the default hostname.

  2. The login page for ASM displays. Use the default credentials:

    • Username: asm-admin
    • Password: password

    You will immediately be prompted to change the password. After doing so, you are logged in to ASM for the first time.

What's next?

Additional configuration

Once the installation of ASM has been verified as successful, there are additional configurations you may want to consider.

Add users

During the deployment, a Keycloak service was also installed, to serve as an authentication module for the users of ASM. Only a default administrative user is created automatically at this time. All other users must be created and assigned a role in Keycloak, before they can log in to ASM.

To add more users and map them to roles you must use Keycloak as described in Manage users in Keycloak. Then, you can assign them to projects following the instructions in the Users and projects topic.

Important

For deployments with Policy Designer, you should also configure Keycloak accordingly.