drnic / eirini-release


Eirini Release

This is a Helm release for Project Eirini.

NOTE: This is an experimental release and is still considered work in progress.

Prerequisites

Note: Eirini is currently being tested with Helm > 2.11.0, Kubernetes 1.10, and Docker as the container runtime (containerd is not supported just yet).

Installation

  1. Choose a non-NFS-based StorageClass, because MySQL does not work well with NFS. For additional information, see the Storage Class section below.

  2. Create a values.yaml based on this template.

  3. Make the Eirini Helm repository available to helm:

    helm repo add eirini https://cloudfoundry-incubator.github.io/eirini-release

  4. Install UAA:

    helm install eirini/uaa --namespace uaa --name uaa --values <your-values.yaml>

  5. Export the UAA CA certificate using the following commands:

    SECRET=$(kubectl get pods --namespace uaa -o jsonpath='{.items[?(.metadata.name=="uaa-0")].spec.containers[?(.name=="uaa")].env[?(.name=="INTERNAL_CA_CERT")].valueFrom.secretKeyRef.name}')
    CA_CERT="$(kubectl get secret $SECRET --namespace uaa -o jsonpath="{.data['internal-ca-cert']}" | base64 --decode -)"

  6. Install CF, passing the exported CA certificate to the chart:

    helm install eirini/cf --namespace scf --name scf --set "secrets.UAA_CA_CERT=${CA_CERT}" --values <your-values.yaml>

  7. Use the following command to verify that every CF control plane pod is running and ready:

    watch kubectl get pods -n scf

Notes

Storage Class

Using the HostPath Provisioner

As the storage class, you can deploy a hostpath provisioner to your cluster, for example by following the documentation of the hostpath-provisioner project whose manifests are used below. hostpath is not recommended for production use.

Run the following commands to install the hostpath provisioner in your Kubernetes cluster:

kubectl create -f https://raw.githubusercontent.com/MaZderMind/hostpath-provisioner/master/manifests/rbac.yaml
kubectl create -f https://raw.githubusercontent.com/MaZderMind/hostpath-provisioner/master/manifests/deployment.yaml
kubectl create -f https://raw.githubusercontent.com/MaZderMind/hostpath-provisioner/master/manifests/storageclass.yaml

Production Deployment

In a production setting, there should ideally be existing storage classes that work with the deployment. In that case, you can either remove the storage_class properties from your scf-config-values.yaml file to use the default storage class, or set the properties to the storage class you need.

IBMCloud Kubernetes Service (IKS)

In IBM Kubernetes Service, it is recommended to use the block storage class. See the IBM Cloud documentation for how to enable it.

Additional details about deploying Eirini can be found in the contrib folder.

Certificates

Eirini generates the certificates needed for its internal services to work. However, containerd requires a trusted certificate. You can change the certificate manually by modifying the private-registry-cert secret in your scf namespace and restarting the bits pod.

IBMCloud Kubernetes Service (IKS)

IKS provides an ingress with a signed certificate. The certificate is stored in a secret in the default namespace and has the same name as your cluster.

It is recommended to deploy Eirini with ingress on IKS and use that certificate.

Service Account

When an app is pushed with Eirini, its pods are assigned the default Service Account in opi.namespace. By default, when the cluster is deployed with RBAC as the authorization mode, that Service Account should not have any read/write permissions to the Kubernetes API. Since RBAC is preferred over ABAC, we recommend using the former.
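As an added example (not code from the eirini-release project), the following shell check asks the API server what the default Service Account of the app namespace may do and flags anything beyond the baseline every authenticated subject holds; the namespace name "eirini" and the sample outputs are constructed placeholders.

```shell
# Added example, not part of eirini-release. Assumes kubectl is on PATH;
# "eirini" stands in for whatever opi.namespace is set to in values.yaml.

# Ask the API server, via impersonation, what the app pods' identity may do.
list_default_sa_permissions() {
  ns="${1:-eirini}"
  kubectl auth can-i --list --namespace "$ns" --as "system:serviceaccount:${ns}:default"
}

# Read `kubectl auth can-i --list` output on stdin and print every rule beyond
# the baseline (self-subject access/rules reviews and GET on non-resource URLs
# such as /api and /healthz). Returns 0 if nothing extra is found, 1 otherwise.
audit_can_i_output() {
  extra=$(awk '
    NR == 1 { next }                     # column header
    /^[^ ]/ {                            # resource rule: first column is set
      if ($1 !~ /^selfsubject(access|rules)reviews\.authorization\.k8s\.io$/) print
      next
    }
    !/\[get\]$/ { print }                # non-resource URL with more than GET
  ')
  if [ -z "$extra" ]; then
    return 0
  fi
  printf '%s\n' "$extra"
  return 1
}

# Constructed sample: an account that holds only the baseline rules.
sample_clean_output() {
  cat <<'EOF'
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                  []               [create]
                                                [/api/*]            []               [get]
                                                [/healthz]          []               [get]
EOF
}

# Constructed sample: the same account after a RoleBinding granted it pod and
# secret access; these two rules are what the audit should report.
sample_overprivileged_output() {
  sample_clean_output
  cat <<'EOF'
pods                                            []                  []               [get list watch create delete]
secrets                                         []                  []               [get list]
EOF
}
```

Against a live cluster, run `list_default_sa_permissions eirini | audit_can_i_output` after installation and treat a non-zero exit as a finding to investigate.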

License: Apache License 2.0