Installation

Before you begin (Prerequisites)

  • Trisotech Digital Enterprise Suite License (received from support@trisotech.com)

  • A Kubernetes environment

    • The kubectl command line utility with a valid configuration connected to an existing cluster.

    • The helm command line utility with a valid configuration connected to an existing cluster.

    • A Kubernetes Ingress Controller (GKE Load Balancer, AWS ALB, AKS Application Gateway, nginx, Kong, …)

Installation

This installation procedure fetches the container images and helm charts from the official Trisotech container registry (registry.trisotech.com). To use a private container registry, follow the instructions on the Private Container Registry page.

The installation is templated using helm charts.

Downloading the DES helm chart

Log in to the Trisotech registry using this command:

helm registry login -u license registry.trisotech.com

When prompted for a password, use the Trisotech license (DES or DDC) to authenticate.

Download the helm chart using this command:

helm pull oci://registry.trisotech.com/des/charts/des --version <VERSION>

Replace <VERSION> with the current version of the Digital Enterprise Suite. You can consult our release notes page to find the latest version available.

Installing using helm

Default installation can be done using this command:

 helm upgrade --install \
      --set image.tag=v<VERSION> \
      --set license=<LICENSE> \
      --set ingress.hosts[0]=<DNS_NAME> \
      --wait \
      --namespace=des \
      --create-namespace \
      --atomic \
      des des-<VERSION>.tgz

Replace <VERSION> with the current version of the Digital Enterprise Suite. You can consult our release notes page to find the latest version available.

<VERSION> takes the form X.X.X, but Trisotech tags its container images with a lowercase v before X.X.X. For example, the DES container image for version 12.0.0 is tagged v12.0.0 in the container registry. Helm charts, however, are tagged with the plain numeric version X.X.X, without the v prefix.

Replace <DNS_NAME> with the ingress host name to use. This is the URL under which the DES will be accessible.

You can also add multiple ingress names.

If you wish to install in a different namespace than des, you can change that value in the --namespace=des command line option.
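
One way to run the default installation without putting the license on the command line, where it ends up in shell history and the process list. This is an added example, not part of the Trisotech documentation: des_write_values, des-values.yaml and license.txt are hypothetical names, while license, image.tag and ingress.hosts are the keys set with --set above. It also derives the v-prefixed image tag and the chart file name from one version string.

```shell
#!/bin/sh
# Added example, not Trisotech's script. des_write_values is a hypothetical helper.
# des_write_values VERSION DNS_NAME OUTFILE   (the license is read from stdin)
#   Writes a helm values file readable only by the current user and prints
#   the chart file name. Assumes the license is a single line of text.
des_write_values() {
    version=${1#v}          # accept "12.0.0" or "v12.0.0"
    dns_name=$2
    outfile=$3

    # Chart versions are plain X.X.X; reject anything else before calling helm.
    printf '%s\n' "$version" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' ||
        { echo "bad version: $1" >&2; return 1; }
    [ -n "$dns_name" ] && [ -n "$outfile" ] ||
        { echo "usage: des_write_values VERSION DNS_NAME OUTFILE" >&2; return 1; }

    IFS= read -r license || true
    case $license in
        ''|*\"*|*\\*) echo "license on stdin is empty or not YAML-safe" >&2; return 1 ;;
    esac

    # Restrictive umask in a subshell, so the caller's umask is left untouched.
    (
        umask 077
        rm -f "$outfile"
        cat > "$outfile" <<EOF
license: "$license"
image:
  tag: "v$version"
ingress:
  hosts:
    - "$dns_name"
EOF
    ) || return 1
    echo "des-$version.tgz"
}

# Usage (constructed host and file names):
#   chart=$(des_write_values 12.0.0 des.example.com des-values.yaml < license.txt)
#   helm upgrade --install --values des-values.yaml --wait \
#        --namespace=des --create-namespace --atomic des "$chart"
```

The values file still contains the license, so delete it or store it with your other secrets once the release is installed.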

Customizing the ingress controller

By default, the chart will use an nginx ingress by setting the ingress className to nginx. It will also by default generate annotations for nginx ingress and for the Let’s Encrypt certificate manager. These extra annotations should be ignored by another ingress controller.

Ingress Controller

To change the ingress controller to a different ingress class, add the command line parameter to the helm installation:

--set ingress.className=nginx

You can also add additional ingress annotations by adding the command line parameter(s) to the helm installation:

--set ingress.annotations."my\.ingress\.annotation"=value1
--set ingress.annotations."my\.other\.ingress\.annotation"=value2
...

TLS

To add a tls section to the ingress, which tells the controller which hosts require TLS (https) and where the secret containing the certificate is, add this command line parameter to the helm installation:

--set ingress.tls=true

This adds a tls section to the ingress that references a secret named des-des-tls, which you will need to create.

Creating this secret uses the following variables:

Variable    Definition
NAME        The helm instance name (des in this case)
KEY         The file containing the RSA key
CERT        The certificate with chain

The certificate file must contain all intermediate certificates and the root certificate, concatenated in order from most specific to least specific (certificate, intermediate certificate, root certificate).

Here is the command to add the tls secret:

kubectl create secret tls des-des-tls \
        --key=<KEY> \
        --cert=<CERT>
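
A check to run before creating the secret, since a mismatched key or a bundle in the wrong order only shows up later as a TLS failure at the ingress. This is an added example, not part of the Trisotech documentation: des_check_tls is a hypothetical helper, the file names in the usage comment are constructed, and it requires the openssl command line tool.

```shell
#!/bin/sh
# Added example, not Trisotech's script. des_check_tls is a hypothetical helper.
# des_check_tls KEY CERT
#   Returns 0 only if KEY matches the first certificate in CERT and each
#   certificate is followed by its issuer (certificate, intermediate, root).
#   It checks key match and name order only, not signatures or expiry.
des_check_tls() {
    key=$1
    cert=$2
    work=$(mktemp -d) || return 1
    rc=0

    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/" n ".pem") }
    ' "$cert" || rc=1
    count=$(ls "$work" | wc -l | tr -d ' ')
    [ "$count" -ge 1 ] || { echo "no certificate found in $cert" >&2; rc=1; }

    # The private key must belong to the first (server) certificate.
    if [ "$rc" -eq 0 ]; then
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
        crt_pub=$(openssl x509 -in "$work/1.pem" -noout -pubkey 2>/dev/null) || crt_pub=
        [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
            { echo "key does not match the first certificate" >&2; rc=1; }
    fi

    # The issuer of each certificate must be the subject of the next one.
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$work/$i.pem" -noout -issuer_hash 2>/dev/null) || issuer=
        subject=$(openssl x509 -in "$work/$next.pem" -noout -subject_hash 2>/dev/null) || subject=
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] ||
            { echo "certificate $next is not the issuer of certificate $i" >&2; rc=1; }
        i=$next
    done

    rm -rf "$work"
    return "$rc"
}

# Usage (constructed file names):
#   des_check_tls tls.key fullchain.pem && echo "key and chain order look consistent"
```

A TLS secret is only visible to an ingress in the same namespace, so create des-des-tls in the namespace the DES was installed in (des by default).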

Using nginx and Let’s Encrypt

If there is no existing ingress controller, the DES can work with the open source nginx ingress controller using https certificates managed by Let’s Encrypt.

First install nginx using helm:

kubectl create namespace ingress-basic

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

helm upgrade --install nginx-ingress ingress-nginx/ingress-nginx \
    --namespace ingress-basic \
    --create-namespace \
    --set rbac.create=true

Then install the certificate manager from Let’s Encrypt:

kubectl create namespace cert-manager

helm repo add jetstack https://charts.jetstack.io
helm repo update

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

Confirm that each pod is in running state:

kubectl get pods --namespace cert-manager

Create the cluster issuer (Cert-Manager configuration):

cat << EOF > cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <EMAIL_ADDRESS>
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

kubectl apply -f cluster-issuer.yaml

Replace <EMAIL_ADDRESS> with your email address.

Custom Ingress Definition

To disable the ingress generation and generate custom ingress separately, add the command line parameter to the helm installation:

--set ingress.enabled=false

Customizing storage

By default, the requested storage will be of the default storage class with a size of 30Gi.

You can see the default storage class by running kubectl get storageclass and looking for the storage class marked with (default) after its name. You may also want to choose a storage class that allows resizing of the volume (the ALLOWVOLUMEEXPANSION property, also displayed by this command).

storage.size can only be updated after installation if the storage class supports it (see the ALLOWVOLUMEEXPANSION value).

To change from the default storage class to a different one, add the command line parameter to the helm installation:

--set storage.storageClassName=my-storage-class

The chosen storage class is required to support extended file attributes.

To change the disk size, add the command line parameter to the helm installation:

--set storage.size=30Gi

Replace 30Gi with the size that you want.

Customizing Logging

Logging can be adapted to the log ingestor used by setting the logging helm variables.

Customizing the timezone

By default, the pod clock is set to UTC. We do not recommend changing that value, but if desired, set the timezone in the helm command line using a TZ value as listed on Wikipedia.

--set timezone=UTC

Change the value from UTC to America/New_York, Europe/Paris, …

OpenShift

When deploying to Red Hat OpenShift, add the following configuration to the helm installation to disable running as a specific user id (OpenShift uses a random one every time) and to disable ingress creation.

--set openshift=true

Initial Configuration

Please refer to the Administration section to continue the setup.

You will first need to set up a User Provider and add Client Access Licenses.

If you need to configure managed identities, please follow the instructions here.

Also, make sure to go through the orientation course for administrators available in the application selection menu under Orientation.