Created
May 17, 2019 04:06
-
-
Save zufardhiyaulhaq/ef9aa383292b34bf68198016c5fe1c49 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #1 Install Helm | |
| curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash | |
| cat > /tmp/helm.yaml <<EOF | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: helm | |
| namespace: kube-system | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: helm | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: cluster-admin | |
| subjects: | |
| - kind: ServiceAccount | |
| name: helm | |
| namespace: kube-system | |
| EOF | |
| kubectl create -f /tmp/helm.yaml | |
| helm init --service-account helm | |
| #2 Add Wireapp Repository | |
| helm repo add wire https://s3-eu-west-1.amazonaws.com/public.wire.com/charts | |
| helm repo update | |
| #3 Install non-persistent, non-highly-available databases | |
| helm upgrade --install --namespace demo demo-databases-ephemeral wire/databases-ephemeral --wait | |
| #4 Install AWS service mocks | |
| helm upgrade --install --namespace demo demo-fake-aws wire/fake-aws --wait | |
| #5 Install wire-server | |
| git clone https://github.com/wireapp/wire-server-deploy | |
| cd wire-server-deploy | |
| cp values/wire-server/demo-values.example.yaml values/wire-server/demo-values.yaml | |
| cp values/wire-server/demo-secrets.example.yaml values/wire-server/demo-secrets.yaml | |
| openssl rand -base64 64 | env LC_CTYPE=C tr -dc a-zA-Z0-9 | head -c 42 | |
| OnKDMoFg50ZCJoFEAC4f2nrwWe21Z8B5A3uT4frTkv | |
| docker run --rm quay.io/wire/alpine-intermediate /dist/zauth -m gen-keypair -i 1 | |
| public: Tw2-Y0kdx0-8Xq59LGLfFxWv4c-WVOf9w7e-hfXDvWg= | |
| secret: WNJ4Pjk0LzaqQ9wr5B4BcGWMEk62ivhVcaVoDqrqMJBPDb5jSR3HT7xern0sYt8XFa_hz5ZU5_3Dt76F9cO9aA== | |
| nano values/wire-server/demo-secrets.yaml | |
| ``` | |
| brig: | |
| secrets: | |
| smtpPassword: "plain-password-gmail-account" | |
| zAuth: | |
| publicKeys: "Tw2-Y0kdx0-8Xq59LGLfFxWv4c-WVOf9w7e-hfXDvWg=" | |
| privateKeys: "WNJ4Pjk0LzaqQ9wr5B4BcGWMEk62ivhVcaVoDqrqMJBPDb5jSR3HT7xern0sYt8XFa_hz5ZU5_3Dt76F9cO9aA" | |
| turn: | |
| secret: OnKDMoFg50ZCJoFEAC4f2nrwWe21Z8B5A3uT4frTkv | |
| awsKeyId: dummykey | |
| awsSecretKey: dummysecret | |
| setTwilio: |- | |
| sid: "dummy" | |
| token: "dummy" | |
| setNexmo: |- | |
| key: "dummy" | |
| secret: "dummy" | |
| cargohold: | |
| secrets: | |
| awsKeyId: dummykey | |
| awsSecretKey: dummysecret | |
| galley: | |
| secrets: | |
| awsKeyId: dummykey | |
| awsSecretKey: dummysecret | |
| gundeck: | |
| secrets: | |
| awsKeyId: dummykey | |
| awsSecretKey: dummysecret | |
| proxy: | |
| secrets: | |
| proxy_config: |- | |
| secrets { | |
| youtube = "..." | |
| googlemaps = "..." | |
| soundcloud = "..." | |
| giphy = "..." | |
| spotify = "Basic ..." | |
| } | |
| nginz: | |
| secrets: | |
| zAuth: | |
| publicKeys: "Tw2-Y0kdx0-8Xq59LGLfFxWv4c-WVOf9w7e-hfXDvWg=" | |
| basicAuth: "Basic ..." | |
| team-settings: | |
| secrets: | |
| configJson: | |
| ``` | |
| nano values/wire-server/demo-values.yaml | |
| ... | |
| tags: | |
| proxy: false | |
| spar: false | |
| team-settings: false | |
| account-pages: false | |
| cassandra-migrations: | |
| cassandra: | |
| host: cassandra-ephemeral | |
| replicaCount: 1 | |
| elasticsearch-index: | |
| elasticsearch: | |
| host: elasticsearch-ephemeral | |
| brig: | |
| replicaCount: 1 | |
| config: | |
| cassandra: | |
| host: cassandra-ephemeral | |
| replicaCount: 1 | |
| elasticsearch: | |
| host: elasticsearch-ephemeral | |
| useSES: false | |
| aws: | |
| sqsEndpoint: http://fake-aws-sqs:4568 | |
| dynamoDBEndpoint: http://fake-aws-dynamodb:4567 | |
| internalQueue: integration-brig-events-internal | |
| blacklistTable: integration-brig-userkey-blacklist | |
| prekeyTable: integration-brig-prekeys | |
| externalUrls: | |
| nginz: https://api.example.com | |
| teamSettings: https://teams.example.com | |
| teamCreatorWelcome: https://teams.example.com/login | |
| teamMemberWelcome: https://wire.example.com/download | |
| optSettings: | |
| setCookieDomain: example.com | |
| emailSMS: | |
| general: | |
| emailSender: account@gmail.com | |
| smsSender: "insert-sms-sender-for-twilio" # change this if SMS support is desired | |
| smtp: | |
| host: smtp.gmail.com | |
| port: 587 | |
| connType: tls | |
| proxy: | |
| replicaCount: 1 | |
| cannon: | |
| replicaCount: 1 | |
| drainTimeout: 10 | |
| cargohold: | |
| replicaCount: 1 | |
| config: | |
| aws: | |
| s3Bucket: dummy-bucket | |
| s3Endpoint: http://fake-aws-s3:9000 | |
| s3DownloadEndpoint: https://bare-s3.example.com | |
| galley: | |
| replicaCount: 1 | |
| config: | |
| cassandra: | |
| host: cassandra-ephemeral | |
| replicaCount: 1 | |
| settings: | |
| conversationCodeURI: https://example.com/join/ | |
| gundeck: | |
| replicaCount: 1 | |
| config: | |
| cassandra: | |
| host: cassandra-ephemeral | |
| replicaCount: 1 | |
| aws: | |
| account: "123456789012" | |
| region: eu-west-1 | |
| arnEnv: integration | |
| queueName: integration-gundeck-events | |
| sqsEndpoint: http://fake-aws-sqs:4568 | |
| snsEndpoint: http://fake-aws-sns:4575 | |
| nginz: | |
| replicaCount: 1 | |
| config: | |
| ws: | |
| useProxyProtocol: false | |
| nginx_conf: | |
| # using prod means mostly that some internal endpoints are not exposed | |
| env: prod | |
| #env: testing | |
| external_env_domain: example.com | |
| drainTimeout: 10 | |
| terminationGracePeriodSeconds: 30 | |
| webapp: | |
| replicaCount: 1 | |
| config: | |
| externalUrls: | |
| backendRest: bare-https.example.com | |
| backendWebsocket: bare-ssl.example.com | |
| backendDomain: example.com | |
| appHost: bare-webapp.example.com | |
| team-settings: | |
| replicaCount: 1 | |
| config: | |
| externalUrls: | |
| backendRest: bare-https.example.com | |
| backendWebsocket: bare-ssl.example.com | |
| backendDomain: example.com | |
| appHost: bare-webapp.example.com | |
| account-pages: | |
| replicaCount: 1 | |
| config: | |
| externalUrls: | |
| backendRest: bare-https.example.com | |
| backendDomain: example.com | |
| appHost: bare-webapp.example.com | |
| ... | |
| helm upgrade --install --namespace demo demo-wire-server wire/wire-server \ | |
| -f values/wire-server/demo-values.yaml \ | |
| -f values/wire-server/demo-secrets.yaml \ | |
| --wait | |
| #6 Install ingress | |
| cp values/nginx-lb-ingress/demo-secrets.example.yaml values/nginx-lb-ingress/demo-secrets.yaml | |
| cp values/nginx-lb-ingress/demo-values.example.yaml values/nginx-lb-ingress/demo-values.yaml | |
| nano values/nginx-lb-ingress/demo-values.yaml | |
| ... | |
| teamSettings: | |
| enabled: false | |
| accountPages: | |
| enabled: false | |
| tls: | |
| enabled: true | |
| # NOTE: These values are suggested for deployments on bare metal and | |
| # should be adjusted on a per installation basis | |
| config: | |
| dns: | |
| https: bare-https.example.com | |
| ssl: bare-ssl.example.com | |
| webapp: bare-webapp.example.com | |
| fakeS3: bare-s3.example.com | |
| teamSettings: bare-team.example.com | |
| accountPages: bare-account.example.com | |
| ... | |
| * generate certificate | |
| openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -subj '/CN=*.example.com' | |
| cat cert.pem (public) | |
| cat key.pem (private) | |
| nano values/nginx-lb-ingress/demo-secrets.yaml | |
| ... | |
| secrets: | |
| tlsWildcardCert: | | |
| -----BEGIN CERTIFICATE----- | |
| MIIFAzCCAuugAwIBAgIJAKT5QIHyXbLMMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV | |
| BAMMDSouZXhhbXBsZS5jb20wHhcNMTkwNTE1MTU0OTU3WhcNMjAwNTE0MTU0OTU3 | |
| WjAYMRYwFAYDVQQDDA0qLmV4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOC | |
| Ag8AMIICCgKCAgEAvvRv8XW91e9EpnBnYVSOYB79YetO5LfAKlwkRY7JZaZ7VD58 | |
| h10jMzHL56ImqEra1qWxV9qFzw3KqDywj2LG8XotpZBhH1mdSoTk9lD880WL1wm8 | |
| 2DuH812Zg6yP8bkhUqc2Imh0X8XUaMNwu/rCn0hwfvAcGwMZ2U5LkKueYAS22GT/ | |
| iCin7GOwdTFQu8yW0teZ9pF4FVkcfArQyWLIwD08LqRyqbFk8X3sAnTbKsB295Iv | |
| C9KH5uLsfs79y6VNwcqxncSf0dm8LULsUPF3BhDQuqr3qiTwb93NGsZpyEDzDADk | |
| z8CgwoTZ4EgiFL687vqDADl9uLwTz931+2OQQZvSZFtKjNBq7qGYiHo7Nv0CTENn | |
| b+hpu/VMNU4DX7hrXuNhKXkT2J8k7WE6YMCOj6cCv8qAaUbuPou4hju8RizQjxxi | |
| psMlwZKwo/h67EKVBzhbME5hCHwyEDKhFF703FQRjVcqJjzTcE2nVh+QOIzfQi2T | |
| bXOQE5iaf2a4qKtJvUSt6YgVwbGYANAtXovZRhDV2xhMBGbzEFIOlcE78+M002Ml | |
| aJAoiAogcPtxbrvscmyOEceXl9O6tY/47pZme+nTfKCtzS5HfChfvT6VK/D3JKae | |
| 2GKwdQsgRlJS1K7aMhEcEMtOU0y2SMiDiwTZ+vnNZUrzp/mfaJ9SsiTqT4sCAwEA | |
| AaNQME4wHQYDVR0OBBYEFIzDZCBi2Z9qpGAr6fY/kUIlThmyMB8GA1UdIwQYMBaA | |
| FIzDZCBi2Z9qpGAr6fY/kUIlThmyMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL | |
| BQADggIBAKLoU6pKxRqx7NNoessvRX52sht8KaB2QegHTVvdm0Zb6TUi568ZhDHJ | |
| +L11GC+4N0cVm4Hxu691n9VFJVM+MkX06hjayhIPSyCzGYbKP52957sln9QaM4oC | |
| 03oMWRtC3F5oBhEI71jv3bUXBAE6QZUlI8/BaeDaldu4d+oudVz/70qGuUq4ZroN | |
| xraGUF1IiYudaBA7SmysEJhblZs5U+eofgu8gHf6dIldiyeF1pqjsunyQEKXtOWV | |
| am/LtIfA0YYSuiJLYWTHNiEod2Se8A32etPAp89hEUWDEB8tbvnGFS3jDjYVCpUZ | |
| IX5bTjWSKPnjbwiNIoRwBnRaMcClJxDZT9cqgOsROI185esYcJiLB5s10ngNh+1q | |
| ukTdjKcA1v57mxvLubOMs08NcOy9znj0FGd+aZWVsPykgosBoYjhSMgGLsY2ZJDD | |
| Shdmzt5qz+wWn/1Myiusxl+Vw+bor7VyhDfnSblStuuHHz7ZVhMRf9IntagPxzSJ | |
| JOkMFb1eTCxwDslcoHs93HlP8CPgRtvY8NhSZkGUWAaF2UaxBMBWj6uUlGbx83dW | |
| D/ZSWX755gEfukYUj+M1MpVCLzUrPMObBBUrdiV9GHupaDLW+l7vKgpmwJuIkRxM | |
| YJzDJ0NpgitAMUQDZeQbh8xdKbOZ2GL1hZlNVVK8M0hqpZ2U1n7O | |
| -----END CERTIFICATE----- | |
| tlsWildcardKey: | | |
| -----BEGIN ENCRYPTED PRIVATE KEY----- | |
| MIIJjjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIywDL2H2qOukCAggA | |
| MBQGCCqGSIb3DQMHBAgmubopRrfRGgSCCUholbEU6uSIGcoxO90OZMgjc7z7ApyV | |
| Q9A9y6SoOw6Q2Owtp38jQisP5N7AtZNwPxHLigU5TKwZZdIPLM0DxIYNDmxZ7URJ | |
| G6bAFMqbJocXMa5M1+p4bFSDF4ObIFAATr6Fiwts1mPQqAP4utHR1EBx+4x5Tuqj | |
| PrdDn9tCTAp418tYWM8tT8BIpmpHp1lfo5iFtLWysYfHTcrytTtKJNeR4CsoApaf | |
| VWwzOgzGYUkWech7aGSKc2MfU3PWN90EYjfBB2s4N7KbsyAc7okzD9SnN0+QmHz/ | |
| PypnKsxhrekDWrH0oFbD3NPr9VK2YiAx9JHdi1D/V/qyaOs/RJ+GokPmW2BQ0AlG | |
| cg9fPUU/pTaGEbUXaGsswPKLim5wxspS+EB2zc8PnTMWQmFqF8rHxPqwRoG9gclw | |
| xbQOsBLxwGge6XY8bXKbf0K/PhRbhA5F8HjEQUT4dbOmDaxMhlnXqgF/qFcpKONk | |
| F4G6RH4u9T2K6K3Emg6feosk0FhQQuLNv5FOFlTftem9Ax4Ha7xUNmHtZ7+Nc/7k | |
| zi0WwSknoUnaPHRID67HKjTb61+mZRR55SqXJKz27vPqdfNsGcDzbc3t4VDFc4Xx | |
| NNcO8btzNkftQhV0b6OmnicPHCrBeWECK8un2gH9q4QOmBHObAi2DJy26uAwWJWl | |
| IEAiznYFdWPy8DltzeF0C+XevEjA+vbtGdt3fTho5DPZo6h13yNtjW9tH1421i/R | |
| Ajp+YqsvepFvrlfZMYS7EqOxaEpwfNvZ4ga7WUJxuzYaAc3r8FP9mnm+KH6ooxvt | |
| G9rjUICEzR/FR1oshemFeN8l7PUsoz5dU4yDXxoq0dZGCtszVRCq75gb4Ri2Oq5t | |
| 8z/CrLlTTIXWKUQUQl3Qvp+QWJdpLgcz0dI/8Z1KZfxuO83ii+t3w+bEJIl+XsCl | |
| vBmwbmagbg2/iQlMtm9V9x1/Oozny92k3qBOqgM2ALcmUaGmm37JRXZ0LwrX5D2D | |
| Y+5MIJNrJUMbJhDHx2djs73W9G11CfEiDWPJLxueXBpFe8AxeiczADkX5UVvPYjV | |
| U3AgSONHx06qy+nAZ51kFWsn9nW3C9EiGHPQ2jDPwVQNOkjWU00MjYMVNUNKh0pW | |
| K/izH3GUCjtd2Jvpp3kTCq4mzglhw+rlwVhaeaDW53zfIhU6/OIPU/rrZv4Cy/Jk | |
| JYrRbrVBv9wzb1Vtv3Mrgw9l/oG85k6hMS4gxdzyyiJuTXnd6ZIzbQYy9SpZag/m | |
| elQbM/tEp/BrAghPEl+qPLQtfkhN3FfASvim4LD9dOVbG65DGx3mkjMyITKZGWEK | |
| 2ZysL3Llzd/zTvRXhXc4kq2jAFOKxMv7U5iRhqhwjLZNQq7WU+/rPTpN57Xc7AUQ | |
| Uy7bC9kKATZrZejdPy3u7i0GcpUGgamK13lIrFF97+Tq0zDZQBSXfGpLyi+o8ol7 | |
| QZa80CXAoNdIVyp6j7dlL5plRT4uTk3LiMYeoZFc6z4RaGqt4Kq9zSidCUUb+wu1 | |
| 5utkaVbZrzB+fhelhW/gghft6YPP4jz+PEwxj8QpyJcR2Nko4WwAzrCvfrN2E8zZ | |
| D6w9lcxsHaBrAn1ZtnUoSmoAfMSzLX8o2bw+0crFHU1yIC6I/muaoWEAWyu3s3eZ | |
| 9GT0fadnNcnEwhjUAbu6WDpCbHXvT3tE3UKd5TCvo+V4H1WHWM9ZdBc36tzPLqHY | |
| eANK9X+KUK9lC3+ppPlc80FnipqBXO2YYnLQ+xigns6DQk2ibjLpXBpUIVHXZ5hj | |
| MpZEK3CjejFkr1KTStIxhvL1jRdCnYdkjf3jo8PnvuC8MkMgBb8UFVym5mbs3b/+ | |
| uGHU7eMeXPhd/ocaDjYnn/Z+vNxfudJMCPdWev6Ejj0uPDSjk9dLBgU33hguVvnu | |
| OztEoHhTNcF1OPevUK+HC/Kw7KPtt5acOW3stROiHLUe2Kj53X5rmBQMw6FLA8XG | |
| ACe6duUS44ZcXIdwhnTP1CwY46ePkTwSQkyCcVHFkjmr8uDFbem1GRVU/Hd0m1qP | |
| od4IkzbGFqRJwxO0dHD3pmwbmaJT+sMoz/wyDGpeM6MRRQ9fDyWTv4CUPWP6io9L | |
| q2bqrKJYql97h5t59AsYxMQdzvstlv+HVxOzQVbxyHYKE4YENxa/HmmLXqwbQ4vH | |
| c2lSF1vGizAa3SoY2QQNaCo+09S19qpKZ+unD8NzdtYY3qREkFawgl9kZuioWIDc | |
| k1QZn4lS8UAJ/cUvBDeD+uL7xTjmCLkfyHPA/bxHmk/zR+miwInZU2mAWDep/Yg4 | |
| IA4lQD+MnyJdEtmx04mx1oCGe1OBzAdCQYQAec658Ajxbh1U+77jFlNJxEYtBW0I | |
| APCy/Q1FGpcMs+QQVGzGaL7u3NFylHFUaTG/CbuY+8V69uM/m8qm4nb1L7v+pHNc | |
| xBMeapa2xqcTxX6B7rbIHep4ZO2L3N3JlAOalOQljPDPcotgWVjdhOfhxvZV8p0g | |
| XPp47IIeOfISZuPyC7D2B2/tp8bKuNyXXK/++Lo1wSRd+7w/UiS6U9/d9kSkZ1R1 | |
| F84d2/WV1U94QQmmyGI4XCTnGLMLyD2zCtMPlLNtFlpcbPJmRauBKExilBO1GAEt | |
| QE1fwtQoUlq4A+yfMUfGJRpjVwQwdAWus6sQNMy5NZKdRHgMFW/asMmAOF7EWT9e | |
| bJZByJg/llP+wExMiKNOOeKrvLVitXmEDulsNnXHjRtgOoX4IES/+Ec8kMmEwjKx | |
| 9TjOHntCU+61jua1sCvCGgDJ4SnGi+afAczGpwvK2/U04UfVYdwGXFvOPzzAjLwd | |
| SjsNjWzVaEpQloSdXo5rhljnMd0I5k8JLLmUMklon9sib2LMD6b+ibook7gcEpXL | |
| jF1WjVW9Roccw6HMTD9gGNNfMq45I8K9YX1G/w4yMyaXMJg8AYRyJ/LXDYp0kyQb | |
| xhsMDInuFAQqbr6UsGhjBhmUYE3boDJi9YSYY8L44qtNWuXFgjW1kF6AA1np6pLh | |
| Jg32Z0kcyYJc0SwcmJnsUgP6Ze4QQ3LQnKKRUgDgOaGfkkb0E4bSzrVGgDbXfUWI | |
| SgmByYD0G6CrgRSpiXNotQZUxzoEIVS3xuqag1kjCjRLMgKxjFbmJfVnAi1NTFqt | |
| IiC2nMdVX8X4boestdSng9HjwPcpLpacfSbuVu4lGwmWOx54yvfmaMrE5mO114hl | |
| QQ8= | |
| -----END ENCRYPTED PRIVATE KEY----- | |
| ``` | |
| helm upgrade --install --namespace demo demo-nginx-lb-ingress wire/nginx-lb-ingress \ | |
| -f values/nginx-lb-ingress/demo-values.yaml \ | |
| -f values/nginx-lb-ingress/demo-secrets.yaml | |
| #8 Check ingress services | |
| kubectl edit svc -n demo demo-nginx-lb-ingress-nginx-ingress-controller | |
| * add externalIP (we dont use metallb) | |
| ... | |
| selector: | |
| xxx: xxxx | |
| externalIPs: | |
| - 10.202.202.40 | |
| ... | |
| #9 open wire-app service | |
| 10.202.202.40 bare-https.example.com | |
| 10.202.202.40 bare-ssl.example.com | |
| 10.202.202.40 bare-webapp.example.com | |
| 10.202.202.40 bare-s3.example.com | |
| 10.202.202.40 bare-team.example.com | |
| 10.202.202.40 bare-account.example.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment