Privacera Documentation

Merge Kubernetes configuration files

You can configure additional properties by merging Kubernetes configuration YAML files. When you install and deploy Privacera services, default Kubernetes configuration files are created for each Privacera service. To extend the configuration of a Privacera service, create a new configuration file that defines only the new properties, and Privacera Manager merges it with the default file.

To merge Kubernetes configuration files:

  1. Choose the service whose configuration you want to merge. See the table of Privacera services configuration filenames at the end of this page.

  2. From that table, get the filename of the configuration file and the directory where the file will be stored.

  3. Create the directory with the service name. Replace <SERVICE_NAME> with the name of the Privacera service whose configuration you want to merge.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir <SERVICE_NAME>

  4. Create the new configuration file inside that directory. Replace <CONFIG_FILENAME> with the name of the configuration file of the Privacera service.

    vi <SERVICE_NAME>/<CONFIG_FILENAME>

  5. Add the properties to the configuration file. Only the keys you want to add or override are needed; nest them under the same path they have in the default deployment file. The following example adds a nodeSelector property:

    spec:
      template:
        spec:
          nodeSelector:
            node: privacera

  6. Verify the deployment file by running the setup command.

    ./privacera-manager.sh setup

    Once the command has completed, you can find the generated deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/<CONFIG_FILENAME>

  7. Run the update command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update


Example: Assign pods to a node

If you want to assign a pod to a node for the Portal service, perform the following steps:

  1. In the table of Privacera services configuration filenames at the end of this page, refer to the Portal service and get the filename, portal-deployment.yml.

  2. Create the directory with the service name, portal.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir portal

  3. Create the configuration file, portal-deployment.yml, inside that directory.

    vi portal/portal-deployment.yml

  4. Add the following property to the configuration file. Replace <key> and <value> with the label key and value of the node on which the pod should be scheduled.

    spec:
      template:
        spec:
          nodeSelector:
            <key>: <value>

  5. Before running the install, verify the deployment file by running the setup command.

    ./privacera-manager.sh setup

    Once the command has completed, you can find the generated deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/portal-deployment.yml

  6. Update Privacera Manager.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update


The custom portal deployment file is merged with the regular portal deployment file already available in Privacera Manager using the Ansible combine filter. This merge only works with hashes/dictionaries (YAML mappings). The merged deployment file is generated in the output folder in YAML format.
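As an added example (not Privacera's own code), the following Python models that recursive merge so you can preview what a custom-vars fragment will do before running ./privacera-manager.sh setup. It assumes the combine filter runs with recursive=True and its default list_merge='replace', so mappings merge key by key while a list in the custom file replaces the whole corresponding list; BASE_DEPLOYMENT is a constructed, trimmed copy of the portal deployment shown below.

```python
import copy

def combine(base, override, path="", replaced=None):
    # Model of Ansible's combine(recursive=True) with the default
    # list_merge='replace' (an assumption about how Privacera Manager calls
    # it): mappings merge key by key, every other value replaces the base
    # value. Paths of lists that got replaced whole are appended to `replaced`.
    if replaced is None:
        replaced = []
    result = copy.deepcopy(base)
    for key, value in override.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = combine(result[key], value, here, replaced)
        else:
            if isinstance(value, list) and isinstance(result.get(key), list):
                replaced.append(here)
            result[key] = value
    return result

# Constructed, trimmed version of the portal deployment shown on this page.
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "portal", "labels": {"app": "portal"}},
    "spec": {"replicas": 1, "template": {"spec": {
        "containers": [{"name": "portal",
                        "image": "hub2.privacera.com/privacera:rel.latest",
                        "ports": [{"containerPort": 6868}]}],
        "securityContext": {"fsGroup": 200},
        "serviceAccountName": "privacera-sa"}}},
}

# The custom-vars fragment from the example above: adds only a nodeSelector.
NODE_SELECTOR_OVERRIDE = {
    "spec": {"template": {"spec": {"nodeSelector": {"node": "privacera"}}}}}

# A fragment that touches a list: the whole containers list is replaced, so
# the portal container would lose its image and ports.
CONTAINERS_OVERRIDE = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "portal", "resources": {"limits": {"cpu": "1"}}}]}}}}

def preview(base, override):
    """Return (merged document, paths of lists that were replaced whole)."""
    replaced = []
    merged = combine(base, override, replaced=replaced)
    return merged, replaced
```

If preview() reports any replaced list paths, re-check the generated file under the output folder before running update, because a partial list entry in the custom file silently drops the fields you did not restate.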

The following shows the properties of the deployment file before and after running the setup command.

Before

The following are the properties of the deployment file before running the setup command:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}

After

The following are the properties of the deployment file after running the setup command. Two additional lines, nodeSelector: and node: privacera, are added under spec.template.spec:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          nodeSelector:
            node: privacera
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}

Privacera services configuration filenames

The following table lists, for each Privacera service, the configuration files that you can create and merge and the directory where these configuration files should be stored. When creating a new configuration file, refer to this table to get the filename and location.

Auditserver
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/auditserver
  Config File Names:
    • auditserver-service.yml
    • auditserver-storageclass.yml
    • auditserver-statefulset.yml

Audit-fluentd
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/audit-fluentd
  Config File Names:
    • audit-fluentd-service.yml
    • audit-fluentd-storageclass.yml
    • audit-fluentd-statefulset.yml

Access-Request-Manager
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/portal
  Config File Names:
    • access-request-manager-service.yml
    • access-request-manager-deployment.yml

Mariadb
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/mariadb
  Config File Names:
    • mariadb-service.yml
    • mariadb-secret.yml
    • mariadb-pvc.yml
    • mariadb-storageclass.yml
    • mariadb-deployment.yml

Zookeeper
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/zookeeper
  Config File Names:
    • zookeeper-service.yml
    • zookeeper-poddisruptionbudget.yml
    • zookeeper-storageclass.yml
    • zookeeper-statefulset.yml

Solr
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/solr
  Config File Names:
    • solr-service.yml
    • solr-poddisruptionbudget.yml
    • solr-storageclass.yml
    • solr-statefulset.yml

Ranger-admin
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/ranger-admin
  Config File Names:
    • ranger-service.yml
    • ranger-service-ingress.yml
    • ranger-deployment.yml

Ranger-usersync
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/ranger-usersync
  Config File Names:
    • usersync-deployment.yml

Ranger-kms/crypto
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/ranger-kms
  Config File Names:
    • ranger-kms-service.yml
    • ranger-kms-deployment.yml

Peg
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/peg
  Config File Names:
    • peg-service.yml
    • peg-deployment.yml
    • peg-hpa.yml

Portal
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/portal
  Config File Names:
    • portal-service.yml
    • portal-deployment.yml

Dataserver
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/dataserver
  Config File Names:
    • dataserver-service.yml
    • dataserver-service-account.yml
    • dataserver-role-binding.yml
    • dataserver-deployment.yml

Discovery
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/discovery
  Config File Names:
    • discovery-service.yml
    • discovery-pvc.yml
    • discovery-storageclass.yml
    • discovery-deployment.yml

Policysync
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/policysync
  Config File Names:
    • policysync-deployment.yml
    • policysync-pvc.yml
    • policysync-rocksdb-pvc.yml
    • policysync-storageclass.yml

Kafka
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/kafka
  Config File Names:
    • kafka-statefulset.yml

Pkafka
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/pkafka
  Config File Names:
    • pkafka-deployment.yml

Trino
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/trino
  Config File Names:
    • trino-deployment.yml
    • trino-service.yml
    • trino-worker-statefulset.yml
    • trino-worker-storageclass.yml

Grafana
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/grafana
  Config File Names:
    • grafana-service.yml
    • grafana-pvc.yml
    • grafana-storageclass.yml
    • grafana-deployment.yml

Graphite
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/graphite
  Config File Names:
    • graphite-service.yml
    • graphite-pvc.yml
    • graphite-storageclass.yml
    • graphite-deployment.yml

Common - RBAC
  Custom Service Directory: ~/privacera/privacera-manager/config/custom-vars/rbac
  Config File Names:
    • service-account.yml
    • role.yml
    • role-binding.yml