Deploy on k8s using operators

[Fabio Beider]

Hey guys, 

I'm trying to test deploy on k8s (AWS EKS) using operators.

1. Installed Kogito, Infinispan and Strimzi operators using OLM, and following the install instructions on each operator page at OperatorsHub
   1. All default values, all operators created at "operators" namespace
2. Applied the data-index.yaml present at https://github.com/kiegroup/kogito-cloud-operator/blob/master/examples/kubernetes/travel-agency/data-index.yaml at "default" namespace

Result:

1. Infinispan server pod did not came up
2. DataIndex pod cannot connect to Infinispan server (for obvious reasons) but it did not connect also with the kafka pod that did came up

Notice that at this point, I do not have anything related to my domain

Any guideline on my issues?

Best regards,

Fabio

[Ricardo Zanini]

Hi Fabio!

Looks like something's wrong with the provision of the Infinispan Resource managed by the Infinispan Operator. Just for you to know, in these early versions, Kogito Operator creates a minimal Infinispan resource to facilitate demos and examples people might want to run on their clusters. We will remove this feature in the next version (1.4.0). Meaning that users would have to first deploy and configure their infrastructure before deploying Kogito services. Our operator will then configure the services based on the provided infra.

That means that the Kogito Operator is not responsible to manage Infinispan resources, so I will kindly ask you to try to solve this problem first by trying to deploy a minimal Infinispan server using their examples:

https://github.com/infinispan/infinispan-operator/blob/master/deploy/cr/minimal/cr_minimal.yaml (use 1 replica instead of 2)

Also, we've just released a new version of the operator: https://github.com/kiegroup/kogito-cloud-operator/releases/tag/v1.3.0

Can you try updating?

To sum up:

1. Delete the https://github.com/kiegroup/kogito-cloud-operator/blob/master/examples/kubernetes/travel-agency/data-index.yaml example (kubectl delete -f <URL>)

2. Try to install only the Infinispan server in your namespace first: https://github.com/infinispan/infinispan-operator/blob/master/deploy/cr/minimal/cr_minimal.yaml

3. If everything went well, try to apply our example by modifying the KogitoInfra to point to the Infinispan you just created:

```
apiVersion: app.kiegroup.org/v1beta1
kind: KogitoInfra
metadata:
  name: kogito-infinispan-infra
spec:
  resource:
    apiVersion: infinispan.org/v1
    kind: Infinispan

    name: example-infinispan

```

You can always check the status of the KogitoInfra configuration by running: `kubeclt describe kogitoinfra/kogito-infinispan-infra`

Let me know the results.

Cheers!

Zanini

--
You received this message because you are subscribed to the Google Groups "Kogito development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kogito-developm...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/c73f3ae3-3145-4466-b5bb-55c4f64a095fn%40googlegroups.com.

[Fabio Beider]

Hey Ricardo, thanks for the extremely quick reply.

To give you an intermediate update (as I did not yet tried your suggestions):

1. Figured out what kept Infinispan server from going up: https://github.com/infinispan/infinispan-operator/issues/392. I applied the workaround and the pod came up
2. After that, I tried to deploy DataIndex and the issue was: ERROR [org.inf.HOTROD] (HotRod-client-async-pool-1-1) ISPN004007: Exception encountered. Retry 10 out of 10: org.infinispan.client.hotrod.exceptions.TransportException:: java.lang.SecurityException: ISPN004031: The selected authentication mechanism 'PLAIN' is not among the supported server mechanisms: [SCRAM-SHA-512, SCRAM-SHA-384, SCRAM-SHA-256, SCRAM-SHA-1, DIGEST-SHA-512, DIGEST-SHA-384, DIGEST-SHA-256, DIGEST-SHA, CRAM-MD5, DIGEST-MD5]
   1. It looks to me that DataIndex is trying to talk with Infinispan with different mechanisms. So I probably have to do a little more configuration at Infinispan or DataIndex

That being said, I will try to update my script to follow your new guideline and see if the results are different.

I'll come back as soon as I have results.

Thanks again for the help,

Fabio

[Ricardo Zanini]

Hi Fabio!

We use the PLAIN mechanism when no TLS is configured in the cluster. See: https://github.com/kiegroup/kogito-cloud-operator/pull/646

This scenario is likely to happen on OpenShift. Since you're using k8s, do you mind verifying if Infinispan created a secret for encrypted connections on your namespace?

Zanini

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/57fe1be9-5ba6-4e1f-a298-019b53206d28n%40googlegroups.com.

[Fabio Beider]

Hey Ricardo, sorry for taking so long.

Here is the secrets created related to infinispan:

NAME                                                          TYPE                                                                    DATA   AGE

default-token-vbs5w                                 kubernetes.io/service-account-token            3           3h19m

infinispan-operator-token-bgl6s              kubernetes.io/service-account-token            3           3h19m

kogito-infinispan-credential                     Opaque                                                                2           3h10m

kogito-infinispan-generated-secret        Opaque                                                                1            3h17m

This is a volume defined in the infinispan pod:

default-token-vbs5w:

    Type:        Secret (a volume populated by a Secret)

    SecretName:  default-token-vbs5w

    Optional:    false

Does this help answer your question? (sorry, I'm just getting started with k8s)

Fabio

[Fabio Beider]

Ricardo, good morning!

What do I have to set to make this work on k8s?

Is it on data-index side or on infinispan side?

Thanks again for you help,

Fabio

[Ricardo Zanini]

Hi Fabio!

Sorry, my last Friday was full. We need to understand why your ISPN server is not running. Kogito does not support ISPN 12, which is the version I think you had installed. Can you retry installing the Infinispan Operator from channel 2.0.x instead?

Then make sure that you install the `example-infinispan` that I pointed to you in the last email before installing the Data Index.

Thanks!

Zanini

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/ca0e4c9f-4381-4905-9b28-dcab66f8c494n%40googlegroups.com.

[Fabio Beider]

No worries about that!.

Will try what you are suggesting.

But, just to be clear, after resolving the issue with the lock, the ISPN server is running.

The problema now is related to the TLS.

DataIndex is trying to connect using a PLAIN mechanism, but my cluster does not have TLS enabled so ISPN server does not accept PLAIN.

IS there a way to tell DateIndex to use another mechanism, or the only way if to configure TLS?

Thanks again,

Fabio 

You received this message because you are subscribed to a topic in the Google Groups "Kogito development mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/kogito-development/jJpaRiVkUHk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to kogito-developm...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/CAGVeHuUYoqM%3Dx1k2-EOES%3DNHe0GJ1Yz7SsyKHQrYNhsBQ0mGrw%40mail.gmail.com.

[Ricardo Zanini]

Hi Fabio!

Normally, if there's no secret enabled by the Kogito Operator, the default connection is PLAIN. If ISPN is requiring encryption, you either have to configure it to accept PLAIN connections or add a certificate to make this connection working. I'll run some tests this afternoon on minikube and let you know my setup. Could be a bug, thou.

Zanini

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/CAA-_%2Bme1V%3DHmc4Xgbqtrqy_V_4Y57UFhbFBL2V0DO4e9YNvRRA%40mail.gmail.com.

[Fabio Beider]

Ricardo, just FYI, downgrading ISPN operator to 2.0.x channel AND changing the operator YAML to get the 2.0.5.Final image did the trick.

Thanks for your help.

I'll probably write a blog post with all my discovery history on this.

Thanks again,

Fabio

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/CAGVeHuVOzRVugz2B-tenbaWqEyGQqhs14KKE9hOm576gw-4-eg%40mail.gmail.com.

[Ricardo Zanini]

Hi Fabio!

Please do. :)

Or you can make a Stackoverflow question and answer it.

Zanini

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/CAA-_%2BmffCZMW%3DhEP_mg35HVyn8RuZGDFS83Gs6%2B5xmfpk8x4hQ%40mail.gmail.com.

[Fabio Beider]

Will do!

I'll just have to check why my Kogito PoC process does not stay up on k8s. 

The logs do not show any errors, just a warning about @Channel{channel:'kogito_incoming_stream'} has no upstream, which is weird because this PoC only has outgoing messages.

And on local env (aka my machine :P) it works.

It is probably best to have a full scenario working before writing the post.

Fabio

To view this discussion on the web visit https://groups.google.com/d/msgid/kogito-development/CAGVeHuUfz5iCz0Bhe%3DFci_P4mmTmz8w4iTNdcmOt70iTAD8gkQ%40mail.gmail.com.