Install Deeploy

This repository is part of the [complete installation guide](https://deeploy-ml.zendesk.com/hc/en-150/categories/360002889759-Install) and contains detailed instructions how to install the Deeploy Software Stack on Kubernetes using [Helm](https://helm.sh/).

Table of Contents

• Table of Contents
• Install the Deeploy Software Stack
  • Step 1. Create the Deeploy namespaces
  • Step 2. Install Istio
  • Step 3. Install Knative
  • Step 4. Install Cert-manager
  • Step 5. Metrics Server
  • Step 6. Deeploy Helm chart
• Troubelshooting
  • Permission Denied errors on GKE

Install the Deeploy Software Stack

We assume that you now have the prerequisites and infrastructure ready as defined in the installation guide. From here we continue deploying the Deeploy software stack with dependencies. Make sure you are in the deeploy-core root folder.

Step 1. Create the Deeploy namespaces

Create all the Deeploy namespaces in kubernetes.

kubectl apply -f namespaces/

Step 2. Install Istio

Current Istio installation instructions are based on istio version 1.4.10 that should work on common cloud platforms. Always double check platform specific installation requirements and the istio helm installation instructions to check the latest installation instructions.

Installation steps:

1. Download the Istio release:

   curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.4.10 sh -

2. Install Istio CRD's:

   for i in ./istio-1.4.10/install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done

3. Install Istio:

   $ # A lighter template, with just pilot/gateway.
   # Based on install/kubernetes/helm/istio/values-istio-minimal.yaml
   helm template --namespace=istio-system \
   -f ./istio/values.yaml \
   istio-1.4.10/install/kubernetes/helm/istio \
   | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \
   > ./istio.yaml
   
   kubectl apply -f istio.yaml

4. Wait for a couple seconds and verify everything is in the running state by running:

   kubectl get pods --namespace istio-system

For additional information about installing Istio, see the official website

Step 3. Install Knative

1. Install Knative CRDs using

   kubectl apply --filename ./knative/serving-crds.yml

2. Install core components

   kubectl apply --filename ./knative/serving-core.yml

3. Install the Knative Istio controller:

   kubectl apply --filename ./knative/serving-istio.yml

Step 4. Install Cert-manager

1. Install cert-manager.

2. (Optional) Set up auto-renewal through ACME. Only do this if you want to terminate TLS on this cluster. Make sure to generate two certificates as described above.

Step 5. Metrics Server

The Kubernetes Metrics Server is necessary for pod autoscaling. Most cloud providers pre-install the Metrics Server in your cluster, but some do not.

Validate that the metrics-server pod is running in the kube-system namespace. If not, install it.

• AWS EKS Metrics Server Guide
• Digital Ocean Metrics Server Guide

Step 6. Deeploy Helm chart

Edit ./helm/deeploy/values.yaml:

Deeploy General Values:

Parameter	Description	Default
host	the hostname on which you will be running deeploy	""
license.type	The type of license. Either "AWS" or "DEEPLOY"	"AWS"
license.deeployLicenseKey	if the license type is "DEEPLOY", this is the supplied Deeploy license key	""
license.availabilityZone	if the license type is "AWS", this is the region where your cluster resides	"eu-central-1"

Deeploy Image Repository Values:

Currently Deeploy is available from two image repositories

• AWS Marketplace (current default): 709825985650.dkr.ecr.us-east-1.amazonaws.com/deeploy/deeploy
• Docker: docker.io/deeployml

Parameter	Description	Default
images.registry	the registry to pull the Deeploy images from	"709825985650.dkr.ecr.us-east-1.amazonaws.com/deeploy/"
images.path	the path to the DeeployML registry	"/deeploy"
images.tag	the version tag of the deeploy deployment	same as application version
images.username	if the license type is "DEEPLOY", the supplied username for the Docker registry	""
images.password	f the license type is "DEEPLOY", the supplied password for the Docker registry	""

Deeploy Database Values:

Parameter	Description	Default
database.host	the hostname of the database server	""
database.port	the port for use of the database server	5432
database.username	the username to access the database. Note: this user needs to be a superuser	""
database.password	the password to access the database server	""
database.ssl.enabled	whether to enable SSL on the database. If true, must also set database.ssl.ca.	false
database.ssl.ca	the CA of your database provider. Must be set if database.ssl.enabled is true. E.g. for AWS, see this guide.	""

Deeploy Remote Blob Storage Values:

For Remote Blob Storage you have two options:

1. Use Remote Blob Storage (recommended). Deeploy currently supports AWS S3, Google Cloud Storage & Azure Blob Storage
2. Don't configure remote Storage (not recommended). Deeploy spawns an on-cluster Minio service. This is not recommended, as it makes Deeploy statefull on the cluster. If you do want to use it, set minio.enabled to true.

Parameter	Description	Default
remoteBlobStorage.enabled	whether to use off-cluster Blob storage. If enabled, set minio.enabled to false	true
minio.enabled	whether to use on-cluster S3 storage. If enabled, set remoteBlobStorage.enabled to false	false
remoteBlobStorage.type	storage service to use with Deeploy. One of AWS_S3, GCS, AZURE.	"AWS_S3"
remoteBlobStorage.aws.bucketName	name of the remote S3 storage bucket to use	""
remoteBlobStorage.aws.s3AccessKey	access key for the S3 server. Only set if remoteBlobStorage.type is AWS_S3.	""
remoteBlobStorage.aws.s3SecretKey	secret key for the S3 server Only set if remoteBlobStorage.type is AWS_S3.	""
remoteBlobStorage.gcp.gcloudApplicationCredentialsJson	the json file with the credentials for the GCP service account. Only set if remoteBlobStorage.type is GCS.	""
remoteBlobStorage.gcp.bucketName	name of the remote GS storage bucket to use	""
remoteBlobStorage.azure.subscriptionId	the id of the subscription that hosts the storage account. Only set if remoteBlobStorage.type is AZURE.	""
remoteBlobStorage.azure.containerName	the container name to use. Only set if remoteBlobStorage.type is AZURE.	""
remoteBlobStorage.azure.storageAccountName	the name of the Azure Storage Account. Only set if remoteBlobStorage.type is AZURE.	""
remoteBlobStorage.azure.tenantId	the Tenant ID of the Azure storage service. Only set if remoteBlobStorage.type is AZURE.	""
remoteBlobStorage.azure.clientId	the Client ID of the Azure storage service. Only set if remoteBlobStorage.type is AZURE.	""
remoteBlobStorage.azure.clientSecret	the Client Secret of the Azure storage service. Only set if remoteBlobStorage.type is AZURE.	""

Deeploy SMTP Values:

Parameter	Description	Default
email.smtpHost	the hostname of the smtp server	""
email.port	the port for use of the smtp server	""
email.username	the username to access the smtp server	""
email.password	the password to access the smtp server	""
email.fromAddress	the email address for Deeploy to send emails from, i.e. [email protected]	""

Deeploy Monitoring Values:

The Deeploy Monitoring feature sends anonimized usage data back to Deeploy. This helps us to improve the product.

Parameter	Description	Default
monitoring.enabled	whether to enable monitoring	false
monitoring.credentials.username	username for the monitoring server	""
monitoring.credentials.password	password for the monitoring server	""

Deeploy Security Values:

Parameter	Description	Default
security.tls.enabled	whether to enable TLS	true
security.adminCredentials.firstName	first name of the main admin user	""
security.adminCredentials.lastName	last name of the main admin user	""
security.adminCredentials.email	email of the main admin user	""
security.keyManagement.kmsType	either AWS or AZURE	""
security.keyManagement.aws.keyId	ID of a KMS key used to encrypt/decrypt. Only set if security.keyManagement.kmsType is AWS.	""
security.keyManagement.aws.accessKey	IAM Access Key of an account that has access to the key. Only set if security.keyManagement.kmsType is AWS.	""
security.keyManagement.aws.secretKey	IAM Secret Key of an account that has access to the key. Only set if security.keyManagement.kmsType is AWS.	""
security.keyManagement.azure.keyId	ID of the Azure Vault key. Only set if security.keyManagement.kmsType is AZURE.	""
security.keyManagement.azure.vaultName	name of the Azure vault. Only set if security.keyManagement.kmsType is AZURE.	""
security.keyManagement.azure.clientId	the Client ID of the client using the Azure Vault service. Only set if security.keyManagement.kmsType is AZURE.	""
security.keyManagement.azure.clientSecret	the Client Secret of the client using the Azure Vault service. Only set if security.keyManagement.kmsType is AZURE.	""
security.keyManagement.azure.tenantId	the Tenant ID of the Azure Vault service. Only set if security.keyManagement.kmsType is AZURE.	""

1. Deploy the Deeploy stack using

   helm install -f ./helm/deeploy/values.yaml deeploy ./helm/deeploy --namespace deeploy

   Important: This might print out the following line. This is expected behavior and not a bug:

   manifest_sorter.go:192: info: skipping unknown hook: "crd-install"

2. Add the s3 secret to the default service account:

   kubectl edit sa default -n deeploy

   and add the s3-secret name

   secrets:
   - name: default-...
   - name: s3-secret

   Close and save.

Create first admin user.

Troubelshooting

Permission Denied errors on GKE

When running on GKE (Google Kubernetes Engine), you may encounter a ‘permission denied’ error when creating some of the resources. This is a nuance of the way GKE handles RBAC and IAM permissions, and as such you should ‘elevate’ your own privileges to that of a ‘cluster-admin’ before running the above commands. If you have already run the above commands, you should run them again after elevating your permissions.