Infoworks Installation on Azure Kubernetes Service (AKS)

NOTE If you have not installed Azure Kubernetes Service, refer to Installing Azure Kubernetes Service (AKS).

NOTE To check the supported version of MongoDB by Infoworks, refer to MongoDB Atlas Recommended Configuration.

Prerequisites

NOTE

If you are using MAC OS to deploy Infoworks on to cluster, you must install the following package:

NOTE If you are managing external VNet, refer to the official AKS documentation.

• Ensure that AKS Kubernetes cluster is connected to internet.

• Set up AKS Kubernetes cluster. For more information, refer to the Azure Docs.

• Ensure that Kubernetes version should be 1.27.x or above.

• Infoworks recommends creating the AKS Kubernetes cluster with private access and a VM as a Bastion host with Linux-based OS should be created within the VPC.

• To use an external Azure Container Registry (ACR) for pulling the images for Infoworks setup, ensure that all the required images are pushed to the the specified external registry and it is integrated with AKS. This is applicable if IW_HOSTED_REGISTRY is set to false. To get the required container images, contact your Infoworks representative.

• If INGRESS_CONTROLLER_CLASS is set to nginx, then Infoworks recommends setting up ingress-controller externally with the required configuration. To set up nginx ingress-controller externally, refer to External Setup for Ingress Controller.

• If KEDA_ENABLED is set to true, then Infoworks recommends setting up KEDA externally with the required configuration. To set up KEDA externally, refer to External KEDA Setup.

• Install Azure CLI, Helm, and Kubectl on the Bastion host VM instance.

• To install pip module, run apt install python3-pip command.

• Ensure that the following Python packages are available on the server before starting the installation.

  • pycryptodomex (version3.15.0)
  • argparse

• If the aforementioned packages are not available, execute the following command

xxxxxxxxxx

python3 -m pip install argparse pycryptodomex==3.15.0

• Verify the following prerequisites
  • Run az version to ensure that az is installed.
  • Run helm version to ensure that Helm is installed.
  • Run kubectl version to ensure that Kubectl is installed.
  • Run python3 -V to ensure that python3 is installed.
  • Run python3 -m pip to ensure that pip model is installed.

xxxxxxxxxx

root@aks-dev-qa-bastion:~$ az version

{

  "azure-cli": "2.0.81",

   "azure-cli-core": "2.0.81",

   "azure-cli-telemetry": "1.0.4",

   "extensions": {

    "azure-devops": "0.17.0"

  }

}

root@bastion-host-devqa:$ helm version

version.BuildInfo{Version:"v3.14.2", GitCommit:"c309b6f0ff63856811846ce18f3bdc93d2b4d54b", GitTreeState:"clean", GoVersion:"go1.21.7"}

root@bastion-host-devqa:$ kubectl version --short

Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.

Client Version: v1.27.3

Kustomize Version: v5.0.1

root@aks-dev-qa-bastion:~# python3 -V

Python 3.8.10

root@aks-dev-qa-bastion:~# python3 -m pip

Usage:

  /usr/bin/python3 -m pip <command> [options]

• Set up Kubernetes Cluster in AKS for connection using az

NOTE The following procedure is a one-time activity for the user.

Step 1: Execute az login.

xxxxxxxxxx

root@aks-dev-qa-bastion:~$ az login

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code RS6X8HQZQ to authenticate.

After successful verification, the following confirmation message appears.

xxxxxxxxxx

[

{

"cloudName": "AzureCloud",

"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",

"isDefault": true,

"name": "Subscription-Name",

"state": "Enabled",

"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",

"user": {

"name": "xxxxxxxxx@infoworks.domain",

"type": "user"

}

}

Step 2: Identify the cluster name, zone/region, and project you want to connect to. Run the following command with these details:

xxxxxxxxxx

az aks get-credentials --resource-group <resourceGroupName> --name <AKSClusterName> --subscription <SubscriptionID>

xxxxxxxxxx

Merged "<AKSClusterName>" as current context in /home/infoworks/.kube/config

Persistent Storages

NOTE Azure Kubernetes Service RBAC Cluster Admin is required to run Infoworks installation.

Persistence ensures to persist the data even if a pod restarts or fails due to various reasons. Infoworks needs the following persistent storages to be configured:

• Databases (MongoDB and Postgres) and RabbitMQ
• Infoworks Job Logs and Uploads

Run the following command to fetch the storage classes:

xxxxxxxxxx

kubectl get storageclass --no-headers

NOTE The storageclass should have the reclaim policy Retain.

xxxxxxxxxx

Azurefile               file.csi.azure.com 

azurefile-csi           file.csi.azure.com 

azurefile-csi-premium   file.csi.azure.com 

azurefile-premium       file.csi.azure.com 

default (default)       disk.csi.azure.com 

managed                 disk.csi.azure.com 

managed-csi             disk.csi.azure.com 

managed-csi-premium     disk.csi.azure.com 

managed-premium         disk.csi.azure.com

Installing Infoworks on Kubernetes

NOTE Assuming IW_HOME=/opt/infoworks.

NOTE The following steps must be performed by the user who has completed the prerequisites procedure mentioned earlier.

Step 1: Create Infoworks directory under /opt.

sudo mkdir -p /opt/infoworks

Step 2: Change permissions of /opt/infoworks directory

sudo chown -R <user>:<group/user> /opt/infoworks

Step 3: Change the directory path to /opt/infoworks.

cd /opt/infoworks

Step 4: To download Infoworks Kubernetes template, execute the following command:

xxxxxxxxxx

wget https://iw-saas-setup.s3.us-west-2.amazonaws.com/6.1/iwx_installer_k8s_6.1.3.tar.gz

Step 5: Extract the downloaded file.

xxxxxxxxxx

tar xzf iwx_installer_k8s_6.1.3.tar.gz

Step 6: Navigate to the extracted directory iw-k8s-installer.

Step 7: Open configure.sh file in the directory.

Step 8: Configure the following parameters as described in the table, and then save the file

NOTE Namespace and release names should not contain underscore (_). Release names should not start with numbers.

NOTE If you want to enable SSL before installing Infoworks, refer to Enabling SSL section.

Generic Configuration

Autoscaling Configuration

NOTE The total number of concurrent Infoworks jobs that can be submitted by each Hangman instance/pod is configured using num_executors in conf.properties. If the number of Hangman instances changes due to autoscaling, then the total number of jobs Infoworks handles also changes. To fix the total number of concurrent Infoworks jobs, you must disable the autoscaling on the Hangman service and set the number of Hangman replicas manually as described in the Enabling Scalability section.

External Container Registry Configuration

The following table lists the External Container Registry Configuration for Infoworks Setup. These configurations should be set only if the Container Registry used to pull the images is different from the one hosted by Infoworks.

The following fields are valid if IW_HOSTED_REGISTRY set to false

Service Mesh Configuration for Security

NOTE Infoworks supports linkerd as of now.

Keyvault and Keyvault Authentication Configuration

MongoDB Configuration

The following fields are applicable if EXTERNAL_MONGO= true.

Keyvault Configuration for MongoDB

The following fields are applicable if EXTERNAL_MONGO= true and KEYVAULT_ENABLED=true.

NOTE If KEYVAULT_GLOBAL_ENABLED= true, the following will default to true. If KEYVAULT_GLOBAL_ENABLED=false, configure the following fields.

PostgresDB Configuration

The following fields are applicable if EXTERNAL_POSTGRESDB= true

Keyvault Configuration for PostgresDB

The following fields are applicable if EXTERNAL_POSTGRESDB=true and KEYVAULT_ENABLED=true.

NOTE If KEYVAULT_GLOBAL_ENABLED=true, the following will default to true. If KEYVAULT_GLOBAL_ENABLED=false, configure the following fields.

Step 9 (Optional): Enable NodeSelector/Toleration and Custom annotations etc. by editing values.yaml file manually before deploying Infoworks deployment.

Step 10 (Optional): To run Infoworks jobs on separate workloads, edit values.yaml file under infoworks folder. Specifically, you need to edit jobnodeSelector and jobtolerations fields based on the node pool you created in the Node Pools.

NOTE If you want to run Infoworks services on other node pools, you can edit nodeSelector and tolerations fields.

xxxxxxxxxx

nodeSelector: {}

tolerations: []

jobnodeSelector:

  group: development

jobtolerations:

  - key: "dedicated"

    operator: "Equal"

    value: "iwjobs"

    effect: "NoSchedule"

Step 11 (Optional): To define the PaaS passwords, there are two methods:

First method

The password must be put in pre-existing secrets in the same namespace.

For MongoDB

(i) Set MONGODB_USE_SECRET_PASSWORD=true

(ii) To create the custom secret resource, run the following commands from the iw-k8s-installer directory.

xxxxxxxxxx

$ encrypted_mongo_password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<mongo-password>" | xargs echo -n | base64 -w 0)

$ IW_NAMESPACE=<IW_NAMESPACE> 

$ MONGODB_SECRET_NAME=<MONGODB_SECRET_NAME>

$ kubectl create ns ${IW_NAMESPACE}

$ kubectl apply -f - <<EOF

apiVersion: v1

kind: Secret

metadata:

  name: ${MONGODB_SECRET_NAME}

  namespace: ${IW_NAMESPACE}

data:

  MONGO_PASS: ${encrypted_mongo_password}

type: Opaque

EOF

NOTE Set the MONGODB_SECRET_NAME and IW_NAMESPACE according to the inputs given to the automated script. <mongo-password> is the plaintext password.

For Postgres

(i) Set POSTGRESDB_USE_SECRET_PASSWORD=true

(ii) To create the custom secret resource, run the following commands from the iw-k8s-installer directory.

xxxxxxxxxx

$ encrypted_postgres_password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<postgres-password>" | xargs echo -n | base64 -w 0)

$ IW_NAMESPACE=<IW_NAMESPACE> 

$ POSTGRESDB_SECRET_NAME=<POSTGRESDB_SECRET_NAME>

$ kubectl create ns ${IW_NAMESPACE}

$ kubectl apply -f - <<EOF

apiVersion: v1

kind: Secret

metadata:

  name: ${POSTGRESDB_SECRET_NAME}

  namespace: ${IW_NAMESPACE}

data:

  POSTGRES_PASS: ${encrypted_postgres_password}

type: Opaque

EOF

NOTE Set the POSTGRESDB_SECRET_NAME and IW_NAMESPACE according to the inputs given to the automated script. postgres-password is the plaintext password.

Second Method

You can give the password to the Automated Script, which will encrypt it to store it in the templates.

Step 12 (Optional): Enable NodeSelector/Toleration and Custom annotations etc. by editing values.yaml file manually before deploying Infoworks deployment.

Step 13: To run the script, you must provide execute permission beforehand by running the following command.

xxxxxxxxxx

chmod 755 iw_deploy.sh

Step 14: Run the script

NOTE If you see this error, "INSTALLATION FAILED: failed post-install: timed out waiting for the condition", you can ignore this as it does not affect Infoworks installation.

xxxxxxxxxx

./iw_deploy.sh

NOTE: (Optional) Enable NodeSelector/Toleration and  Custom annotations  etc., by editing values.yaml file manually before deploying infoworks app 

​

​

Checking for basic Prerequisites.

Found HELMv3

Found KUBECTL

Testing Kubernetes basic cluster connection

Validation is done: Kubernetes Cluster is Authorized 

​

​

Enter kubernetes namespace to deploy Infoworks

v1

Enter release name for infoworks 

v1

Creating v1 namespace on kubernetes cluster 

namespace/v1 created

​

​

Input the Kubernetes Cluster Cloud Provider Environment- aws/gcp/azure 

azure

​

​

List of available StorageClass in Kubernetes Cluster 

azurefile

azurefile-csi

azurefile-csi-premium

azurefile-premium

default

managed

managed-csi

managed-csi-premium

managed-premium

INFO: NFS and Database (Disk) persistance is recommended and always set to True 

Enter NFS StorageClass: Select StorageClass from list

azurefile

GCR is being used by Infoworks by default, to override cloud specific azure registry input "false"  Default: "true"

true

Enter DATABASE StorageClass: Select StorageClass from list

managed

ENABLE INGRESS: true or false Default: "true"

true

Select Ingress Controller Class: cloud native "cloud" or external "nginx" Default: "nginx"

nginx

Select Ingress type: internal or external Default: "internal"

external

Provisioning Nginx Ingress controller automatically.

NOTE: If the Ingress-Nginx is already provisioned manually skip this by selecting 'N'  

Do you want to continue y/n? Default: "y"

n

Enter DNS Hostname to access Infoworks: for example: iwapp.infoworks.local 

sample.infoworks.technology

ENABLE SSL for the Infoworks Ingress deployment (This enables port and protocol only): true or false Default: "true"

true

ENABLE HA for Infoworks Setup: true or false Default: "true"

false

Select whether all Secrets will be stored on an External Secret Store (enabling with any External DB Options requires enabling keyvault in the following steps)  Default: "false"

false

Select whether using a default keyvault for storing External MongoDB or PostgresDB details: true or false Default: "false"

true

Enter the uri for the Azure Keyvault. Example: https://keyvault.vault.azure.net 

https://example.vault.azure.net

Enter whether using Service Principal to authenticate to the keyvault. : true or false Default: "false"

true 

Enter the Service Principal Object ID

11111111-2222-3333-4444-555555555555

Enter the Service Principal Subscription ID

11111111-2222-3333-4444-555555555555

Enter the Service Principal Client ID

11111111-2222-3333-4444-555555555555

Enter the Service Principal Client Secret. Infoworks will encrypt the secret.

ENABLE external MongoDB access for Infoworks Setup: true or false Default: "false"

true

ENABLE SRV connection string for MongoDB access for Infoworks Setup: true or false, MongoDB Atlas default is true Default: "true"

true

Select whether the Mongo Host is stored on Keyvault: true or false Default: "false"

​

Defaulting to false

Input MongoDB DNS connection string for Infoworks Setup: Private link ex - {DB_DEPLOYMENT_NAME}-pl-0.{RANDOM}.mongodb.net 

mongo-pl-0.1234.mongodb.net

Select whether the Mongo User is stored on Keyvault: true or false Default: "false"

true

Enter the Keyvault Key for the Mongo Username. default: METADBUSER

METADBUSER

Select whether the Mongo Pass is stored on Keyvault: true or false Default: "false"

true

Enter the Keyvault Key for the Mongo Password. default: METADBPASS

METADBPASS

Input the database name of MongoDB for Infoworks Setup. default: infoworks-db 

infoworks-new

Input the scheduler database name of MongoDB for Infoworks Setup. default: quartzio 

quartzio

ENABLE external PostgresDB access for Infoworks Setup: true or false Default: "false"

true

Select whether the Postgres Host is stored on Keyvault: true or false Default: "false"

true

Enter the Keyvault Key for the Postgresdb Host. default: POSTGRESDBHOST

POSTGRESDBHOST

Select whether the Postgres User is stored on Keyvault: true or false Default: "false"

​

Defaulting to false

Input postgresDB Username for Infoworks Setup. Assuming the user have permissions to create databases if doesn't exist. 

infoworks

Select whether the Postgres Pass is stored on Keyvault: true or false Default: "false"

​

Defaulting to false

Input the Postgres user password for Infoworks database Setup. Infoworks will encrypt the Postgres password. 

Input the database name of Postgres for Infoworks Setup. default: airflow 

airflow

ENABLE Service mesh for Infoworks Setup, Only Linkerd supported: true or false Default: "false"

true

Input service mesh name for Infoworks Setup: Defaults to linkerd 

linkerd

​

​

helm upgrade -i v1 ./infoworks -n v1 -f ./infoworks/values.yaml

Since the above installation was configured for ingress-controller, run the following command to get the domain mapping done.

xxxxxxxxxx

NAME: intrue

LAST DEPLOYED: Fri Jul  2 17:25:20 2021

NAMESPACE: intrue

STATUS: deployed

REVISION: 1

xxxxxxxxxx

kubectl get ingress --namespace sample

xxxxxxxxxx

NAME         CLASS    HOSTS                         ADDRESS          PORTS   AGE

v1-ingress   <none>   sample.infoworks.technology   43.13.121.142   80      3m43s

NOTE Make sure to enable DNS mapping for IP address as per the above sample output.

Get the application URL by running these commands: http://sample.infoworks.technology

Log Archival Configuration

The following field is applicable if IW_LOG_ARCHIVAL= true

Users will also be able to further customise archival and retention periods, set maximum log sizes, and the schedule of the archival operation. Please refer to Custom Infoworks Configurations.

Enabling Linkerd Service Mesh for Ingress Controller

To enable the communication between the ingress controller and the infoworks pods via linkerd service mesh, perform the following steps:

There are two options to enable the communication which depends on the method by which ingress controller was set up.

Option 1 - Infoworks deployed the ingress controller.

If INGRESS_AUTO_PROVISIONER is set to true during installation, no additional configuration is required.

Option 2 - User deployed the Ingress Controller

If INGRESS_AUTO_PROVISIONER is set to false during installation, refer to the official Linkerd documentation to enable service mesh for your corresponding ingress controller.

Enabling SSL

If you set INGRESS_CONTROLLER_CLASS to nginx, add SSL Termination in the TLS section of values.yaml file either before running the automated script or after the deployment.

Step 1: Log in to Linux machine on the latest Debian-based OS.

Step 2: Ensure libssl-dev package is installed.

Step 3: Provide DNS Name for Infoworks deployment

Generating Self-Signed SSL Certificate:

To generate SSL, run the following commands:

xxxxxxxxxx

mkdir certificates

xxxxxxxxxx

cd certificates

xxxxxxxxxx

openssl genrsa -out ca.key 2048   # Creates a RSA key

NOTE Refer the following commands to replace "Infoworks.domain" and "subdomain.infoworks.domain" keywords with required domain and subdomain name.

xxxxxxxxxx

openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=CA/L=US/O=Infoworks, Inc./CN=Infoworks Root CA" -out ca.crt

xxxxxxxxxx

openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=CA/L=US/O=Infoworks, Inc./CN=*.infoworks.domain" -out server.csr

xxxxxxxxxx

openssl x509 -req -extfile <(printf "subjectAltName=DNS:infoworks.domain,DNS:subdomain.infoworks.domain") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

Keep a note of server.crt and server.key files for self-signed certificates for Nginx SSL Termination and provide the valid values for ingress_tls_secret_name and namespace_of_infoworks.

Run the following command to add the tls certificates to the Kubernetes cluster.

xxxxxxxxxx

kubectl create secret tls <ingress_tls_secret_name> --cert=server.crt --key=server.key -n <namespace_of_infoworks>

Edit values.yaml file to look similar to the following sample file.

xxxxxxxxxx

ingress:

  enabled: true

  protocol: https

  port: 443

  hostname: subdomain.infoworks.cloud

  ingressClassName: "nginx"

  annotations:

    nginx.ingress.kubernetes.io/proxy-body-size: 10m

    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"

    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"

    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"

  tls:

  - hosts:

    - subdomain.infoworks.cloud

    secretName: <ingress_tls_secret_name>

It is suggested to make changes in the values.yaml file and add the below parameters as annotations in the ingress block, replacing <URL> to the DNS of your deployment, as defined in IW_DNS_NAME.

xxxxxxxxxx

nginx.ingress.kubernetes.io/enable-cors: "true"

nginx.ingress.kubernetes.io/configuration-snippet: |

  proxy_hide_header Access-Control-Allow-Origin;

  add_header "Access-Control-Allow-Origin" "<URL>" always;

  add_header "Access-Control-Allow-Methods" "GET, PUT, POST, OPTIONS" always;

  add_header "Access-Control-Allow-Headers" "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization" always;

  add_header "Access-Control-Expose-Headers" "Content-Length,Content-Range" always;

nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

After adding the annotations, the values.yaml file should look as shown below.

xxxxxxxxxx

ingress:

  enabled: true

  protocol: https

  port: 443

  hostname: subdomain.infoworks.cloud

  ingressClassName: "nginx"

  annotations:

    nginx.ingress.kubernetes.io/proxy-body-size: 10m

    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"

    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"

    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"

    nginx.ingress.kubernetes.io/enable-cors: "true"

    nginx.ingress.kubernetes.io/configuration-snippet: |

      proxy_hide_header Access-Control-Allow-Origin;

      add_header "Access-Control-Allow-Origin" "subdomain.infoworks.cloud" always;

      add_header "Access-Control-Allow-Methods" "GET, PUT, POST, OPTIONS" always;

      add_header "Access-Control-Allow-Headers" "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization" always;

      add_header "Access-Control-Expose-Headers" "Content-Length,Content-Range" always;

    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

  tls:

  - hosts:

    - subdomain.infoworks.cloud

    secretName: <ingress_tls_secret_name>

NOTE If you have already performed the deployment and edit the values.yaml file, then run helm upgrade command.

Configuring Network Policy Rules

• Network policies are enabled by default for additional security. Please refer here for detailed documentation on network policies and for whitelisting additional namespaces.
• Navigate to the directory IW_HOME/iw-k8s-installer. And Run the iw_deploy script.

xxxxxxxxxx

./iw_deploy.sh

Custom Infoworks Configurations

Email Configuration

The following table lists the Custom Email Configuration for Infoworks Setup using custom email attributes.

Step 1: Update Email Configs as necessary.

• Navigate to the directory IW_HOME/iw-k8s-installer/infoworks.
• Edit the values.yaml file.
• Email configurations can be found under customiwConfigs section followed by emailSettings sub-section in values.yaml

Step 2: The structure and indentation of your values.yaml file should mirror the example provided below. Note that the actual values and entries may vary.

Update the values and save the file.

Step 3: Navigate to the directory IW_HOME/iw-k8s-installer. And Run the iw_deploy script.

xxxxxxxxxx

./iw_deploy.sh

NOTE During the above command's execution, when it prompts if we need to override, type y and press Enter.

Step 4: Restart all the deployments

xxxxxxxxxx

kubectl rollout restart deployment -n <namespace>

Airflow Configurations

The following table lists the airflow configurations for Infoworks setup. Follow below instructions to update them as necessary.

Step 1: Update Airflow Configs as necessary.

• Navigate to the directory IW_HOME/iw-k8s-installer/infoworks.
• Edit the values.yaml file.
• Airflow configurations can be found under customiwConfigs section followed by airflowCfg sub-section in values.yaml

Step 2: The structure and indentation of your values.yaml file should mirror the example provided below. Note that the actual values and entries may vary.

Update the values and save the file.

Step 3: Navigate to the directory IW_HOME/iw-k8s-installer. And Run the iw_deploy script.

xxxxxxxxxx

./iw_deploy.sh

NOTE During the above command's execution, when it prompts if we need to override, type y and press Enter.

Step 4: Restart all the deployments

xxxxxxxxxx

kubectl rollout restart deployment -n <namespace>

Log Archival Configurations

The following table lists the global Log Archival configurations for Infoworks setup. Follow below instructions to update them as necessary.

Step 1: Update Log Archival Configs as necessary.

• Navigate to the directory IW_HOME/iw-k8s-installer/infoworks.
• Edit the values.yaml file.
• Log Archival configurations can be found under logArchival section in values.yaml

Step 2: The structure and indentation of your values.yaml file should mirror the example provided below. Note that the actual values and entries may vary.

Step 3: Navigate to the directory IW_HOME/iw-k8s-installer. And Run the iw_deploy script.

xxxxxxxxxx

./iw_deploy.sh

Enabling High-Availability and Scalability

Enabling High-Availability

Infoworks installation enables high-availability configuration while setting up Infoworks in Kubernetes. You can enable high-availability by editing the helm file called values.yaml.

Step 1: To edit values.yaml file, perform the action given in the following snippet.

xxxxxxxxxx

global:

​

  haEnabled: true

  replicas: 2

Step 2: Run HELM upgrade command.

xxxxxxxxxx

helm upgrade <release_name> infoworks/ --values infoworks/values.yaml -n <namespace>

This enables the high availability for Infoworks.

Limitation For Kubernetes HA setup, local Postgres database is not completely HA compliant. In certain conditions, if the Postgres containers crash, it might result in workflow failures.

Enabling Scalability

Infoworks installation supports auto-scaling of pods.

For a scalable solution:

• There must be a minimum of two replicas, if HA is enabled.
• They can be scaled to any number based on available resources (CPU and memory).
• Infoworks supports scalability of source, pipeline, and workflow jobs out of the box. Ensure that there are available resources in the Kubernetes cluster.

Infoworks services will scale automatically based on the workloads and resource utilization for the running pods.

To modify any autoscaling configuration, edit the horizontalPodScaling sub-section under global section in the values.yaml file.

xxxxxxxxxx

global:

 ...

 ...

 horizontalPodScaling:

   hpaEnabled: true

   hpaMaxReplicas: 5

   scalingUpWindowSeconds: 20

   hpaScaleUpFreq: 45

   scalingDownWindowSeconds: 300

However, there are three pods which require manual scaling based on workload increase, namely platform-dispatcher, hangman, and orchestrator-scheduler.

There are two ways to enable scalability:

1. By editing the values.yaml file.

Step 1: Edit the values.yaml file.

xxxxxxxxxx

infoworks(deploymentname):

   replicas: 4

NOTE The “deploymentname” mentioned in the above parenthesis is given just for the ease of understanding. This deployment name can be a platform-dispatcher, hangman, or orchestrator-scheduler with actual name.

For example:

xxxxxxxxxx

infoworksHangman:

    replicas: 4

Step 2: To increase the scalability manually, run HELM upgrade command:

xxxxxxxxxx

helm upgrade <release_name> infoworks/ --values infoworks/values.yaml -n <namespace>

2. Using Kubectl

xxxxxxxxxx

kubectl scale --replicas=3 rs/<deploymentName>

NOTE The “deploymentname” mentioned in the above parenthesis is given just for the ease of understanding. This deployment name can be a “releasename-platform-id” with the actual name.

For example:

xxxxxxxxxx

kubectl scale --replicas=3 rs/releasename-hangman-id -n <namespace>

Optional Configuration

NOTE The following optional configurations hold true only when HA is enabled.

For setting up Pod Disruption Budget

A Pod Disruption Budget (PDB) defines the budget for voluntary disruption. In essence, a human operator is letting the cluster be aware of a minimum threshold in terms of available pods that the cluster needs to guarantee in order to ensure a baseline availability or performance. For more information, refer to the PDB documentation.

To set up PDB:

Step 1: Navigate to the directory IW_HOME/iw-k8s-installer .

Step 2: Edit the values.yaml file.

xxxxxxxxxx

vi infoworks/values.yaml

Step 3: Under the global section and pdb sub-section, set the enabled field to true.

xxxxxxxxxx

global:

  image:=

  pdb:

    enabled: true

    minAvailable: 1

Step 4: Run HELM upgrade command.

xxxxxxxxxx

helm upgrade <release_name> infoworks/ --values infoworks/values.yaml -n <namespace>

For setting up PodAntiAffinity

If the anti-affinity requirements specified by this field are not met at the scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. For more information, refer to the PodAntiAffinity documentation.

To set up PodAntiAffinity:

Step 1: Navigate to the directory IW_HOME/iw-k8s-installer .

Step 2: Edit the values.yaml file.

xxxxxxxxxx

vi infoworks/values.yaml

Step 3: Under the global section, set the podAntiAffinity field to true.

xxxxxxxxxx

global:

  image:=

  pdb:=

  podAntiAffinity: false

Step 4: Run HELM upgrade command.

xxxxxxxxxx

helm upgrade <release_name> infoworks/ --values infoworks/values.yaml -n <namespace>

LIMITATIONS If PodAntiAffinity is set to true, then node count = replicas+1. For example, let's assume that HA is enabled with two replicas, then we need to configure minimum three nodes running for the Infoworks Service Node Pool in Azure.

xxxxxxxxxx

global:

  haEnabled: true

  replicas: 2

Increasing the Size of PVCs

To scale the size of PVCs attached to the pods:

Step 1: Note the storage class of the PVCs to be scaled.

xxxxxxxxxx

kubectl -n <namespace> get pvc

Step 2: Ensure allowVolumeExpansion is set to true in the storageClass.

xxxxxxxxxx

kubectl edit storageClass <storage-class-of-pvc>

allowVolumeExpansion: true

Step 3: Delete the managing statefulset without deleting the pods.

xxxxxxxxxx

kubectl -n <namespace> get sts

kubectl -n <namespace> delete sts --cascade=orphan <statefulset name>

Step 4: For each PVC, upscale the size (ensure all PVCs attached managed by a single statefulset have the same size. For example, all Postgres managed PVCs must have the same size).

xxxxxxxxxx

kubectl -n <namespace> get pvc

kubectl -n <namespace> edit pvc <pvc-name>

Step 5: Navigate to the helm chart used for Infoworks deployment.

Step 6: Edit the values.yaml file to update the size of the corresponding database to the new value.

Step 7: Run the helm upgrade command.

xxxxxxxxxx

helm upgrade --recreate-pods --reuse-values -f <path-to-your-values.yaml> <your-release-name> <path-to-your-chart> -n <your-namespace>

Warning

Above upgrade command will recreate all pods with the same PVCs.

Updating the MongoDB and PostgresDB Credentials

To update the MongoDB and/or PostgresDB credentials in the Infoworks deployment, follow the below given procedure.

Updating the MongoDB Credentials

Updating Encrypted Passwords Stored in values.yaml

There are two methods to update password:

Method 1

To update MongoDB encrypted passwords that are stored in values.yaml file, with the existing configure.sh file, use the IW_DEPLOY script to populate values.yaml:

Step 1: Download and untar the Infoworks kubernetes template, if not already present, according to the iwx-version in your existing deployment.

xxxxxxxxxx

version="6.1.3"

major_version=$(echo $version | cut -d '.' -f 1,2)

wget https://iw-saas-setup.s3.us-west-2.amazonaws.com/$major_version/iwx_installer_k8s_$version.tar.gz

tar xzf iwx_installer_k8s_$version.tar.gz

Step 2: If a new template was downloaded, replace the iw-k8s-installer/configure.sh as well as iw-k8s-installer/infoworks/values.yaml with the older file.

xxxxxxxxxx

mv /path/to/older/configure.sh iw-k8s-installer/configure.sh

mv /path/to/older/values.yaml iw-k8s-installer/infoworks/values.yaml

Step 3: Change the directory path to iw-k8s-installer.

xxxxxxxxxx

cd iw-k8s-installer

Step 4: Replace the following values with a blank string in the configure.sh file.

xxxxxxxxxx

MONGODB_USERNAME=""

MONGODB_ENCRYPTED_PASSWORD=""

Step 5: Run iw_deploy.sh. Once you receive "Seems like you have already configured Infoworks once. Do you want to override? y/n Default: n", enter “Y”. This will prompt the user to provide input for the values that were blank in the previous step. The script will then replace the infoworks/values.yaml file with the updated values.

xxxxxxxxxx

infoworks@bastion-host:~/iw-k8s-installer$ ./iw_deploy.sh 

NOTE: (Optional) Enable NodeSelector/Toleration and  Custom

annotations  etc., by editing values.yaml file manually before deploying infoworks app 

Seems like you have already configured Infoworks once. Do you want to override? y/n  Default: n

y

Checking for basic Pre requisite.

Found HELMv3

Found KUBECTL

Testing Kubernetes basic cluster connection

Validation is done: Kubernetes Cluster is Authorized 

qa-531 Namespace already exists

​

Input MongoDB Username for Infoworks Setup. Assuming the user have permissions to create databases if doesn't exist. 

updated-mongouser

Input the MongoDB password for Infoworks database Setup. Infoworks will encrypt the MongoDB password. 

Upgrade INFOWORKS ...

 helm upgrade release-name ./infoworks --values ./infoworks/values.yaml -n namespace

Step 6: Run the following command to upgrade by specifying your namespace and helm release name according to the values given in the configure.sh file.

xxxxxxxxxx

helm upgrade $IW_RELEASE_NAME ./infoworks --values ./infoworks/values.yaml -n $IW_NAMESPACE

Method 2

To update MongoDB encrypted passwords, you can directly modify the values.yaml file.

Step 1: Download and untar the Infoworks Kubernetes Template, if not already present, according to the iwx-version in your existing deployment.

xxxxxxxxxx

version="6.1.3"

major_version=$(echo $version | cut -d '.' -f 1,2)

wget https://iw-saas-setup.s3.us-west-2.amazonaws.com/$major_version/iwx_installer_k8s_$version.tar.gz

tar xzf iwx_installer_k8s_$version.tar.gz

Step 2: If a new template was downloaded, replace the iw-k8s-installer/infoworks/values.yaml with the older file.

xxxxxxxxxx

mv /path/to/older/values.yaml iw-k8s-installer/infoworks/values.yaml

Step 3: Change the directory path to iw-k8s-installer directory.

xxxxxxxxxx

cd iw-k8s-installer

Step 4: Generate the encrypted passwords as needed. To generate any encrypted string, execute the following command.

xxxxxxxxxx

encrypted-mongo-password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<password>")

This generates your passwords in a secure encrypted format, which has to be provided in the following steps.

Step 5: Replace the following yaml keys with the new values in the infoworks/values.yaml file, if needed.

xxxxxxxxxx

databases:

metaDB:

  auth:

    username: "mongo-username"

    encryptedMongoPass: "encrypted-mongo-password"

Step 6: Run the following command to upgrade by specifying your namespace and helm release name according to the installed kubernetes deployment specifications.

xxxxxxxxxx

helm upgrade $IW_RELEASE_NAME ./infoworks --values ./infoworks/values.yaml -n $IW_NAMESPACE

Updating Encrypted Passwords Stored as a Separate Secret

To update the MongoDB password:

Step 1: Run the following commands from the iw-k8s-installer directory.

xxxxxxxxxx

$ encrypted_mongo_password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<mongo-password>" | xargs echo -n | base64 -w 0)

$ IW_NAMESPACE=<IW_NAMESPACE> 

$ MONGODB_SECRET_NAME=<MONGODB_SECRET_NAME>

$ kubectl patch secret -n ${IW_NAMESPACE} ${MONGODB_SECRET_NAME} --type='json' -p="[{'op' : 'replace' ,'path' : '/data/MONGO_PASS ,'value' : '${encrypted_mongo_password}'}]"

Step 2: Restart all pods except the databases.

xxxxxxxxxx

kubectl get pods -n ${IW_NAMESPACE} --no-headers=true | awk '!/-rabbitmq-|-postgres/{print $1}' | xargs  kubectl delete -n ${IW_NAMESPACE} pod

Updating the PostgresDB Credentials

Updating Encrypted Passwords Stored in values.yaml

There are two methods to update password:

Method 1

To update PostgresDB passwords that are stored in values.yaml file, with the existing configure.sh file, use the IW_DEPLOY script to populate values.yaml.

Step 1: Download and untar the Infoworks Kubernetes Template, if not already present, according to the iwx-version in your existing deployment.

xxxxxxxxxx

version="6.1.3"

major_version=$(echo $version | cut -d '.' -f 1,2)

wget

https://iw-saas-setup.s3.us-west-2.amazonaws.com/$major_version/iwx_installer_k8s_$version.tar.gz

tar xzf iwx_installer_k8s_$version.tar.gz

Step 2: If a new template was downloaded, replace the iw-k8s-installer/configure.sh as well as iw-k8s-installer/infoworks/values.yaml with the older file.

xxxxxxxxxx

mv /path/to/older/configure.sh iw-k8s-installer/configure.sh

mv /path/to/older/values.yaml iw-k8s-installer/infoworks/values.yaml

Step 3: Change the directory path to iw-k8s-installer.

xxxxxxxxxx

cd iw-k8s-installer

Step 4: Replace the following values with a blank string in the configure.sh file.

xxxxxxxxxx

POSTGRESDB_USERNAME=""

POSTGRESDB_ENCRYPTED_PASSWORD=""

Step 5: Run iw_deploy.sh. Once you receive "Seems like you have already configured Infoworks once. Do you want to override? y/n Default: n", enter “Y”. This will prompt the user to provide input for the values that were blank in the previous step. The script will then replace the infoworks/values.yaml file with the updated values.

xxxxxxxxxx

infoworks@bastion-host:~/iw-k8s-installer$ ./iw_deploy.sh 

NOTE: (Optional) Enable NodeSelector/Toleration and  Custom annotations  etc., by editing values.yaml file manually before deploying infoworks app 

Seems like you have already configured Infoworks once. Do you want to override? y/n  Default: n

y

Checking for basic Pre requisite.

Found HELMv3

Found KUBECTL

Testing Kubernetes basic cluster connection

Validation is done: Kubernetes Cluster is Authorized 

qa-531 Namespace already exists

​

Input postgresDB Username for Infoworks Setup. Assuming the user have permissions to create databases if doesn't exist. 

updated-postgresuser

Input the Postgres user password for Infoworks database Setup. Infoworks will encrypt the Postgres password.

Upgrade INFOWORKS ...

 helm upgrade release-name ./infoworks --values ./infoworks/values.yaml -n namespace

Step 6: Run the following command to upgrade by specifying your namespace and helm release name according to the values given in the configure.sh file.

xxxxxxxxxx

helm upgrade $IW_RELEASE_NAME ./infoworks --values ./infoworks/values.yaml -n $IW_NAMESPACE

Method 2

To update PostgresDB encrypted passwords, you can directly modify the values.yaml file.

Step 1: Download and untar the Infoworks Kubernetes Template, if not already present, according to the iwx-version in your existing deployment.

xxxxxxxxxx

version="6.1.3"

major_version=$(echo $version | cut -d '.' -f 1,2)

wget https://iw-saas-setup.s3.us-west-2.amazonaws.com/$major_version/iwx_installer_k8s_$version.tar.gz

tar xzf iwx_installer_k8s_$version.tar.gz

Step 2: If a new template was downloaded, replace the iw-k8s-installer/infoworks/values.yaml with the older file.

xxxxxxxxxx

mv /path/to/older/values.yaml iw-k8s-installer/infoworks/values.yaml

Step 3: Change the directory path to iw-k8s-installer.

xxxxxxxxxx

cd iw-k8s-installer

Step 4: Generate the encrypted passwords as needed. To generate any encrypted string, execute the following command.

xxxxxxxxxx

encrypted-postgres-password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<password>")

This generates your passwords in a secure encrypted format, which has to be provided in the following steps.

Step 5: Replace the following yaml keys with the new values in the infoworks/values.yaml file, if needed.

xxxxxxxxxx

databases:

postgresDB

  auth:

    username: "postgres-username"

    encryptedPostgresPass: "encrypted-postgres-password"

Step 6: Run the following command to upgrade by specifying your namespace and helm release name according to the installed kubernetes deployment specifications.

xxxxxxxxxx

helm upgrade $IW_RELEASE_NAME ./infoworks --values ./infoworks/values.yaml -n $IW_NAMESPACE

Updating Encrypted Passwords Stored as a Separate Secret

To update the PostgresDB password:

Step 1: Run the following commands from the iw-k8s-installer directory.

xxxxxxxxxx

$ encrypted_postgres_password=$(./infoworks_security/infoworks_security.sh --encrypt -p "<postgres-password>" | xargs echo -n | base64 -w 0)

$ IW_NAMESPACE=<IW_NAMESPACE> 

$ POSTGRESDB_SECRET_NAME=<POSTGRESDB_SECRET_NAME>

$ kubectl patch secret -n ${IW_NAMESPACE} ${POSTGRESDB_SECRET_NAME} --type='json' -p="[{'op' : 'replace' ,'path' : '/data/POSTGRES_PASS' ,'value' : '${encrypted_postgres_password}'}]"

Step 2: Restart the orchestrator and orchestrator-scheduler pods.

xxxxxxxxxx

kubectl get pods -n ${IW_NAMESPACE} --no-headers=true | awk '/-orchestrator-/{print $1}' | xargs  kubectl delete -n ${IW_NAMESPACE} pod

Limitations

MongoDB Limitations

With HA enabled, scaling the pods from higher to lower has the following limitations:

• Pods need to be manually deleted from replication configuration.
• Disabling HA to Non-HA is not supported once HA is enabled.

Database Limitations

Applicable to PostgresDB, MongoDB, and RabbitMQ.

• PVC’s size can’t be decreased.
• Increasing a PVC’s size requires downtime.
• After downscaling pods, the extra PVCs needs to be manually deleted.

PostgresDB Limitations

In the current HA architecture, on Postgres connection disruption, airflow is unable to reconnect via new connection. Furthermore, the current Postgres proxy is too simplistic to handle connection pools. Hence, if a Postgres master goes down, all running workflows will fail.