Customize Deployment Files
This topic shows how you can configure additional properties by merging Kubernetes configuration YAML files. When you install and deploy Privacera services, default Kubernetes configuration files for each Privacera service get created. If you want to extend the configuration of a Privacera service, you can create a new configuration file where all the new properties get defined, and then merge them together.
Configuration Filenames
The following table lists the Privacera services whose configurations can be merged. For each service it gives the configuration files that can be created and merged, and the directory in which those files must be stored. Refer to this table for the filename and location when creating a new configuration file.
Service Name | Custom Service Directory | Config File Names
---|---|---
Auditserver | ~/privacera/privacera-manager/config/custom-vars/auditserver | auditserver-service.yml, auditserver-storageclass.yml, auditserver-statefulset.yml
Audit-fluentd | ~/privacera/privacera-manager/config/custom-vars/audit-fluentd | audit-fluentd-service.yml, audit-fluentd-storageclass.yml, audit-fluentd-statefulset.yml
Access-Request-Manager | ~/privacera/privacera-manager/config/custom-vars/portal | access-request-manager-service.yml, access-request-manager-deployment.yml
Mariadb | ~/privacera/privacera-manager/config/custom-vars/mariadb | mariadb-service.yml, mariadb-secret.yml, mariadb-pvc.yml, mariadb-storageclass.yml, mariadb-deployment.yml
Zookeeper | ~/privacera/privacera-manager/config/custom-vars/zookeeper | zookeeper-service.yml, zookeeper-poddisruptionbudget.yml, zookeeper-storageclass.yml, zookeeper-statefulset.yml
Solr | ~/privacera/privacera-manager/config/custom-vars/solr | solr-service.yml, solr-poddisruptionbudget.yml, solr-storageclass.yml, solr-statefulset.yml
Ranger-admin | ~/privacera/privacera-manager/config/custom-vars/ranger-admin | ranger-service.yml, ranger-service-ingress.yml, ranger-deployment.yml
Ranger-usersync | ~/privacera/privacera-manager/config/custom-vars/ranger-usersync | usersync-deployment.yml
Ranger-kms/crypto | ~/privacera/privacera-manager/config/custom-vars/ranger-kms | ranger-kms-service.yml, ranger-kms-deployment.yml
Peg | ~/privacera/privacera-manager/config/custom-vars/peg | peg-service.yml, peg-deployment.yml, peg-hpa.yml
Portal | ~/privacera/privacera-manager/config/custom-vars/portal | portal-service.yml, portal-deployment.yml
Dataserver | ~/privacera/privacera-manager/config/custom-vars/dataserver | dataserver-service.yml, dataserver-service-account.yml, dataserver-role-binding.yml, dataserver-deployment.yml
Discovery | ~/privacera/privacera-manager/config/custom-vars/discovery | discovery-service.yml, discovery-pvc.yml, discovery-storageclass.yml, discovery-deployment.yml
Policysync | ~/privacera/privacera-manager/config/custom-vars/policysync | policysync-deployment.yml, policysync-pvc.yml, policysync-rocksdb-pvc.yml, policysync-storageclass.yml
Kafka | ~/privacera/privacera-manager/config/custom-vars/kafka | kafka-statefulset.yml
Pkafka | ~/privacera/privacera-manager/config/custom-vars/pkafka | pkafka-deployment.yml
Trino | ~/privacera/privacera-manager/config/custom-vars/trino | trino-deployment.yml, trino-service.yml, trino-worker-statefulset.yml, trino-worker-storageclass.yml
Grafana | ~/privacera/privacera-manager/config/custom-vars/grafana | grafana-service.yml, grafana-pvc.yml, grafana-storageclass.yml, grafana-deployment.yml
Graphite | ~/privacera/privacera-manager/config/custom-vars/graphite | graphite-service.yml, graphite-pvc.yml, graphite-storageclass.yml, graphite-deployment.yml
Common - RBAC | ~/privacera/privacera-manager/config/custom-vars/rbac | service-account.yml, role.yml, role-binding.yml
Procedure
To merge Kubernetes configuration files, perform the following steps:
1. Refer to the table above and choose the service whose configuration you want to merge. Note the filename of the configuration file and the directory where the file will be stored.

2. Create the directory with the service name. Replace `<SERVICE_NAME>` with the name of the Privacera service whose configuration you want to merge.

   ```bash
   cd ~/privacera/privacera-manager/config/custom-vars
   mkdir <SERVICE_NAME>
   ```

3. Create the new configuration file. Replace `<CONFIG_FILENAME>` with the name of the configuration file of the Privacera service.

   ```bash
   vi <CONFIG_FILENAME>
   ```

4. Add the properties to the configuration file. The following is an example of adding a `nodeSelector` property.

   ```yaml
   spec:
     template:
       spec:
         nodeSelector:
           node: privacera
   ```

5. Verify the deployment file by running the `setup` command.

   ```bash
   ./privacera-manager.sh setup
   ```

   Once the command completes, you can find the generated deployment file at the following location:

   ```bash
   vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/<CONFIG_FILENAME>
   ```

6. Run the update command.

   ```bash
   cd ~/privacera/privacera-manager
   ./privacera-manager.sh update
   ```
Example: Assigning pods to a node
If you want to assign a pod to a node for the Portal service, perform the following steps:
1. From the table above, refer to the Portal service and get the filename, `portal-deployment.yml`.

2. Create the directory with the service name, `portal`.

   ```bash
   cd ~/privacera/privacera-manager/config/custom-vars
   mkdir portal
   ```

3. Create the configuration file, `portal-deployment.yml`.

   ```bash
   vi portal-deployment.yml
   ```

4. Add the following property to the configuration file. Replace `<key>` and `<value>` with the node label you want to select on.

   ```yaml
   spec:
     template:
       spec:
         nodeSelector:
           <key>: <value>
   ```

5. Before running the install, verify the deployment file by running the `setup` command.

   ```bash
   ./privacera-manager.sh setup
   ```

   Once the command completes, you can find the generated deployment file at the following location:

   ```bash
   vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/portal-deployment.yml
   ```
The contents of the custom portal deployment file are merged into the regular portal deployment file that already ships with Privacera Manager, using the Ansible `combine` filter. This merge works only on hashes (dictionaries): nested keys are merged level by level, which is why a fragment containing only `spec.template.spec.nodeSelector` lands in the right place without repeating the rest of the deployment. The merged deployment file is generated in the output folder in YAML format.
The following is the deployment file before running the `setup` command.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: portal
  name: portal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: portal
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: portal
    spec:
      containers:
      - image: hub2.privacera.com/privacera:rel.latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 400
          periodSeconds: 30
          tcpSocket:
            port: 6868
        name: portal
        ports:
        - containerPort: 6868
        readinessProbe:
          failureThreshold: 6
          initialDelaySeconds: 120
          periodSeconds: 30
          tcpSocket:
            port: 6868
        resources:
          limits:
            cpu: '0.5'
            memory: 2457M
          requests:
            cpu: '0.2'
            memory: 307M
        volumeMounts:
        - mountPath: /opt/privacera/portal/conf
          name: conf-vol
        - mountPath: /opt/privacera/portal/bin
          name: bin-vol
      imagePullSecrets:
      - name: privacera-hub
      initContainers:
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-zookeeper
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-solr
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-mariadb
      - command:
        - bash
        - -c
        - cp -r /conf_ro/. /opt/privacera/portal/conf
        image: hub2.privacera.com/privacera:rel.latest
        name: copy-conf
        volumeMounts:
        - mountPath: /opt/privacera/portal/conf
          name: conf-vol
        - mountPath: /conf_ro
          name: portal-conf
      - command:
        - bash
        - -c
        - cp -r /bin_ro/. /opt/privacera/portal/bin
        image: hub2.privacera.com/privacera:rel.latest
        name: copy-bin
        volumeMounts:
        - mountPath: /opt/privacera/portal/bin
          name: bin-vol
        - mountPath: /bin_ro
          name: portal-bin
      restartPolicy: Always
      securityContext:
        fsGroup: 200
      serviceAccountName: privacera-sa
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app: portal-1
        maxSkew: 1
        topologyKey: zone
        whenUnsatisfiable: ScheduleAnyway
      - labelSelector:
          matchLabels:
            app: portal-1
        maxSkew: 1
        topologyKey: node
        whenUnsatisfiable: DoNotSchedule
      volumes:
      - configMap:
          name: portal-conf
        name: portal-conf
      - configMap:
          defaultMode: 493
          name: portal-bin
        name: portal-bin
      - emptyDir: {}
        name: conf-vol
      - emptyDir: {}
        name: bin-vol
status: {}
```
The following is the deployment file after running the `setup` command. Two additional lines, `nodeSelector:` and `node: privacera`, have been added under `spec.template.spec`.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: portal
  name: portal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: portal
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: portal
    spec:
      containers:
      - image: hub2.privacera.com/privacera:rel.latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          initialDelaySeconds: 400
          periodSeconds: 30
          tcpSocket:
            port: 6868
        name: portal
        ports:
        - containerPort: 6868
        readinessProbe:
          failureThreshold: 6
          initialDelaySeconds: 120
          periodSeconds: 30
          tcpSocket:
            port: 6868
        resources:
          limits:
            cpu: '0.5'
            memory: 2457M
          requests:
            cpu: '0.2'
            memory: 307M
        volumeMounts:
        - mountPath: /opt/privacera/portal/conf
          name: conf-vol
        - mountPath: /opt/privacera/portal/bin
          name: bin-vol
      imagePullSecrets:
      - name: privacera-hub
      initContainers:
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-zookeeper
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-solr
      - command:
        - bash
        - -c
        - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
        image: hub2.privacera.com/privacera:rel.latest
        name: wait-for-mariadb
      - command:
        - bash
        - -c
        - cp -r /conf_ro/. /opt/privacera/portal/conf
        image: hub2.privacera.com/privacera:rel.latest
        name: copy-conf
        volumeMounts:
        - mountPath: /opt/privacera/portal/conf
          name: conf-vol
        - mountPath: /conf_ro
          name: portal-conf
      - command:
        - bash
        - -c
        - cp -r /bin_ro/. /opt/privacera/portal/bin
        image: hub2.privacera.com/privacera:rel.latest
        name: copy-bin
        volumeMounts:
        - mountPath: /opt/privacera/portal/bin
          name: bin-vol
        - mountPath: /bin_ro
          name: portal-bin
      nodeSelector:
        node: privacera
      restartPolicy: Always
      securityContext:
        fsGroup: 200
      serviceAccountName: privacera-sa
      topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app: portal-1
        maxSkew: 1
        topologyKey: zone
        whenUnsatisfiable: ScheduleAnyway
      - labelSelector:
          matchLabels:
            app: portal-1
        maxSkew: 1
        topologyKey: node
        whenUnsatisfiable: DoNotSchedule
      volumes:
      - configMap:
          name: portal-conf
        name: portal-conf
      - configMap:
          defaultMode: 493
          name: portal-bin
        name: portal-bin
      - emptyDir: {}
        name: conf-vol
      - emptyDir: {}
        name: bin-vol
status: {}
```
6. Run the update command.

   ```bash
   cd ~/privacera/privacera-manager
   ./privacera-manager.sh update
   ```
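The merge described above (custom fragment combined into the generated deployment using a hash-only recursive merge) is easy to misjudge when the property you want to change lives inside a list rather than a dictionary. The following Python script is an added example, not Privacera Manager's own code or Ansible's; it models the behaviour of Ansible's `combine` filter with `recursive=True` and the default list handling, where dictionaries are merged key by key and every other value in the override (scalars and lists alike) replaces the base value outright. The base deployment and the custom fragments are constructed, trimmed-down stand-ins for the portal files shown on this page; the `example/sidecar:1` image is a placeholder.

```python
import copy
import json
from typing import Any, Dict, List

# Constructed stand-in for the generated portal deployment: only the keys
# needed to show the merge behaviour, not the full file from this page.
BASE_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "portal", "labels": {"app": "portal"}},
    "spec": {
        "replicas": 1,
        "template": {
            "spec": {
                "containers": [
                    {"name": "portal",
                     "image": "hub2.privacera.com/privacera:rel.latest"}
                ],
                "restartPolicy": "Always",
                "securityContext": {"fsGroup": 200},
            }
        },
    },
}

# Constructed custom-vars fragment, equivalent to the portal-deployment.yml
# fragment on this page (spec.template.spec.nodeSelector).
CUSTOM_NODE_SELECTOR: Dict[str, Any] = {
    "spec": {"template": {"spec": {"nodeSelector": {"node": "privacera"}}}}
}

# Constructed fragment that tries to *add* a container. Because containers
# is a list, the merge replaces the whole list instead of appending.
CUSTOM_SIDECAR: Dict[str, Any] = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "sidecar", "image": "example/sidecar:1"}  # placeholder image
    ]}}}
}


def combine(base: Dict[str, Any], override: Dict[str, Any]) -> Dict[str, Any]:
    """Hash-only recursive merge modelled on Ansible combine(recursive=True).

    Dict values present on both sides are merged key by key; any other value
    in the override (scalar or list) replaces the base value wholesale.
    Neither input is modified.
    """
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = combine(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def added_keys(base: Dict[str, Any], merged: Dict[str, Any], prefix: str = "") -> List[str]:
    """Dotted paths of keys present in merged but absent from base."""
    paths: List[str] = []
    for key, value in merged.items():
        path = f"{prefix}.{key}" if prefix else key
        if key not in base:
            paths.append(path)
        elif isinstance(value, dict) and isinstance(base[key], dict):
            paths.extend(added_keys(base[key], value, path))
    return paths


def merged_portal() -> Dict[str, Any]:
    """The page's nodeSelector case: the key is inserted, nothing else changes."""
    return combine(BASE_DEPLOYMENT, CUSTOM_NODE_SELECTOR)


def merged_with_list_override() -> Dict[str, Any]:
    """The caveat case: the override's containers list replaces the base list."""
    return combine(BASE_DEPLOYMENT, CUSTOM_SIDECAR)


if __name__ == "__main__":
    print(json.dumps(merged_portal(), indent=2))
    print("added:", added_keys(BASE_DEPLOYMENT, merged_portal()))
    print("containers after list override:",
          [c["name"] for c in
           merged_with_list_override()["spec"]["template"]["spec"]["containers"]])
```

Running the script shows the nodeSelector case adding exactly one path, `spec.template.spec.nodeSelector`, with the rest of the deployment untouched, which matches the before/after files above. The second case is the one to check for before relying on a custom-vars file: a fragment that names `containers` (or any other list, such as `volumeMounts`, `initContainers` or `topologySpreadConstraints`) replaces the entire list, so the original portal container disappears from the generated file. Reviewing the file in `output/kubernetes/helm/<service>/templates/` after `setup`, as the procedure instructs, is what catches this before `update` applies it to the cluster.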