Customize deployment files

This topic shows how to configure additional properties by merging Kubernetes configuration YAML files. When you install and deploy Privacera services, a default Kubernetes configuration file is created for each Privacera service. To extend the configuration of a service, create a new configuration file that defines only the additional properties, and Privacera Manager merges it with the default file.

Configuration filenames

The following table lists the Privacera services whose configurations can be merged. For each service it gives the configuration files that can be created and merged, and the directory in which these files must be stored. Refer to this table for the filename and location when creating a new configuration file.

| Service Name | Custom Service Directory | Config File Names |
| --- | --- | --- |
| Auditserver | ~/privacera/privacera-manager/config/custom-vars/auditserver | auditserver-service.yml, auditserver-storageclass.yml, auditserver-statefulset.yml |
| Audit-fluentd | ~/privacera/privacera-manager/config/custom-vars/audit-fluentd | audit-fluentd-service.yml, audit-fluentd-storageclass.yml, audit-fluentd-statefulset.yml |
| Access-Request-Manager | ~/privacera/privacera-manager/config/custom-vars/portal | access-request-manager-service.yml, access-request-manager-deployment.yml |
| Mariadb | ~/privacera/privacera-manager/config/custom-vars/mariadb | mariadb-service.yml, mariadb-secret.yml, mariadb-pvc.yml, mariadb-storageclass.yml, mariadb-deployment.yml |
| Zookeeper | ~/privacera/privacera-manager/config/custom-vars/zookeeper | zookeeper-service.yml, zookeeper-poddisruptionbudget.yml, zookeeper-storageclass.yml, zookeeper-statefulset.yml |
| Solr | ~/privacera/privacera-manager/config/custom-vars/solr | solr-service.yml, solr-poddisruptionbudget.yml, solr-storageclass.yml, solr-statefulset.yml |
| Ranger-admin | ~/privacera/privacera-manager/config/custom-vars/ranger-admin | ranger-service.yml, ranger-service-ingress.yml, ranger-deployment.yml |
| Ranger-usersync | ~/privacera/privacera-manager/config/custom-vars/ranger-usersync | usersync-deployment.yml |
| Ranger-kms/crypto | ~/privacera/privacera-manager/config/custom-vars/ranger-kms | ranger-kms-service.yml, ranger-kms-deployment.yml |
| Peg | ~/privacera/privacera-manager/config/custom-vars/peg | peg-service.yml, peg-deployment.yml, peg-hpa.yml |
| Portal | ~/privacera/privacera-manager/config/custom-vars/portal | portal-service.yml, portal-deployment.yml |
| Dataserver | ~/privacera/privacera-manager/config/custom-vars/dataserver | dataserver-service.yml, dataserver-service-account.yml, dataserver-role-binding.yml, dataserver-deployment.yml |
| Discovery | ~/privacera/privacera-manager/config/custom-vars/discovery | discovery-service.yml, discovery-pvc.yml, discovery-storageclass.yml, discovery-deployment.yml |
| Policysync | ~/privacera/privacera-manager/config/custom-vars/policysync | policysync-deployment.yml, policysync-pvc.yml, policysync-rocksdb-pvc.yml, policysync-storageclass.yml |
| Kafka | ~/privacera/privacera-manager/config/custom-vars/kafka | kafka-statefulset.yml |
| Pkafka | ~/privacera/privacera-manager/config/custom-vars/pkafka | pkafka-deployment.yml |
| Trino | ~/privacera/privacera-manager/config/custom-vars/trino | trino-deployment.yml, trino-service.yml, trino-worker-statefulset.yml, trino-worker-storageclass.yml |
| Grafana | ~/privacera/privacera-manager/config/custom-vars/grafana | grafana-service.yml, grafana-pvc.yml, grafana-storageclass.yml, grafana-deployment.yml |
| Graphite | ~/privacera/privacera-manager/config/custom-vars/graphite | graphite-service.yml, graphite-pvc.yml, graphite-storageclass.yml, graphite-deployment.yml |
| Common - RBAC | ~/privacera/privacera-manager/config/custom-vars/rbac | service-account.yml, role.yml, role-binding.yml |

Procedure

To merge Kubernetes configuration files, perform the following steps:

  1. Refer to the table above and choose the service whose configuration you want to merge. Note the filename of the configuration file and the directory where the file must be stored.

  2. Create the directory named after the service. Replace <SERVICE_NAME> with the name of the Privacera service whose configuration you want to merge.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir <SERVICE_NAME>
    
  3. Create the new configuration file inside that directory. Replace <CONFIG_FILENAME> with the name of the configuration file of the Privacera service.

    vi <SERVICE_NAME>/<CONFIG_FILENAME>
    
  4. Add the properties to the configuration file as nested YAML mappings that mirror the structure of the deployment file. The following example adds a nodeSelector property.

    spec:
      template:
        spec:
          nodeSelector:
            node: privacera
    
  5. Verify the deployment file by running the setup command.

    ./privacera-manager.sh setup
    

    Once the command has completed, you can find the generated deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/<CONFIG_FILENAME>
    
  6. Run the update command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
    
Example for assigning pods to a node

If you want to assign a pod to a node for the Portal service, perform the following steps:

  1. From the table above, look up the Portal service and get the filename, portal-deployment.yml.

  2. Create the directory with the service name, portal.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir portal
    
  3. Create the configuration file, portal-deployment.yml, inside that directory.

    vi portal/portal-deployment.yml
    
  4. Add the following property to the configuration file. Replace <key> and <value> with the node label you want to select on.

    spec:
      template:
        spec:
          nodeSelector:
            <key>: <value>
    
  5. Before running the install, verify the deployment file by running the setup command.

    ./privacera-manager.sh setup
    

    Once the command has completed, you can find the generated deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/portal-deployment.yml
    

    The contents of the custom portal deployment file are merged with the regular portal deployment file already available in Privacera Manager using the Ansible combine filter. This merge only works with hashes/dictionaries (YAML mappings). The new deployment file is generated in the output folder in YAML format.

    Click the tabs to display the properties of the deployment file before and after running the setup command.

    Before

    The following are the properties of the deployment file before running the setup command.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}
    

    After

    The following are the properties of the deployment file after running the setup command. Two additional lines, nodeSelector: and node: privacera, are added under spec.template.spec; everything else is unchanged.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          nodeSelector:
            node: privacera
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}
    
  6. Run the update command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
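To make the merge rule from step 5 of the example concrete (mappings merge recursively; the merge does not work on lists), the following is an added Python example and not Privacera's own code. It assumes that Privacera Manager applies the Ansible combine filter recursively and replaces list values, and it uses a constructed, trimmed stand-in for portal-deployment.yml rather than the real file.

```python
"""Offline check of how a custom-vars file changes a deployment.

Added example (not Privacera code). Assumption: the merge behaves like
Ansible's combine filter with recursive=True, i.e. mappings merge key by
key and any non-mapping value (scalar or list) in the override replaces
the base value wholesale.
"""
from copy import deepcopy


def combine(base: dict, override: dict) -> dict:
    """Recursive mapping merge; neither input is modified."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = combine(merged[key], value)
        else:
            merged[key] = deepcopy(value)   # scalars and lists: replace
    return merged


# Constructed, trimmed stand-in for the default portal-deployment.yml.
BASE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "portal", "labels": {"app": "portal"}},
    "spec": {
        "replicas": 1,
        "template": {"spec": {
            "containers": [{"name": "portal",
                            "image": "hub2.privacera.com/privacera:rel.latest"}],
            "serviceAccountName": "privacera-sa",
        }},
    },
}

# The custom-vars override from the page, expressed as a mapping.
NODE_SELECTOR_OVERRIDE = {
    "spec": {"template": {"spec": {"nodeSelector": {"node": "privacera"}}}}}


def merged_portal() -> dict:
    """Mapping merge: nodeSelector is added, sibling keys survive."""
    return combine(BASE_DEPLOYMENT, NODE_SELECTOR_OVERRIDE)


def list_override_replaces() -> bool:
    """Caveat: a list in the override replaces the base list, so trying to
    'add' a container this way silently drops the original portal one."""
    sidecar = {"spec": {"template": {"spec": {"containers": [
        {"name": "sidecar", "image": "example.invalid/sidecar:1"}]}}}}  # constructed
    result = combine(BASE_DEPLOYMENT, sidecar)
    return [c["name"] for c in result["spec"]["template"]["spec"]["containers"]] == ["sidecar"]
```

Because a list override replaces rather than appends, always inspect the generated file under output/kubernetes/helm before running update, as step 5 describes.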