Helm Chart for Diffgram
Full Tutorial on Azure: https://medium.com/diffgram/tutorial-installing-diffgram-on-azure-aks-b9447685e271
If you are using minikube, make sure you have enabled the ingress addon:

```
minikube addons enable ingress
```

Without it you won't be able to access your Diffgram services from outside the cluster.
If you are not on minikube, you can use the Nginx K8s Ingress Controller. Check how to install on your cloud provider here: https://kubernetes.github.io/ingress-nginx/deploy/
Install cert-manager

https://artifacthub.io/packages/helm/microfunctions/cert-manager

```
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true
```

Note: applying `cert-manager.crds.yaml` by hand and passing `--set installCRDs=true` both install the CRDs; one of the two is enough. If you apply the manifest yourself, keep its version in step with the chart version you install.
The default domain on Diffgram is example.com, so make sure you add that to your local hosts file:

```
echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts
```
For TLS to work on your local machine you need a local certificate authority (CA): cert-manager signs the Diffgram certificate with it, and you then import the CA certificate (`ca.crt`) into your browser or OS trust store. Without that import your browser will, correctly, reject the certificate as untrusted.

Generate the CA key and a self-signed CA certificate like this:

```
# Generate key
openssl genrsa -out ca.key 2048
# Create CA certificate signing it with the previous key.
openssl req -x509 -new -nodes -key ca.key -sha256 -subj "/CN=sampleissuer.local" -days 1024 -out ca.crt -extensions v3_ca
```

Keep `ca.key` private: anyone holding it can mint certificates that your browser will trust for any domain. Now store the pair as a TLS secret on your minikube cluster. A cert-manager `Issuer` is namespaced and can only read secrets in its own namespace, so create the secret in the namespace you will install the chart into (add `-n <namespace>` if that is not your current context's namespace):

```
kubectl create secret tls my-local-ca-key-pair --key=ca.key --cert=ca.crt
```
Finally, modify your values.yaml so that the chart's cert-manager issuer can reference the secret. Set `tlsIssuer` to `issuer-local` and `localCaSecretName` to the name you gave the secret created above:

```yaml
tlsIssuer: issuer-local # One of: "issuer-local", "letsencrypt-staging", or "letsencrypt-prod"
localCaSecretName: my-local-ca-key-pair
```
This guide assumes you will be using a regular domain name like diffgram.com. If you are using an auto-generated domain name it may require different configuration.

TLS setup is up to you/your IT team. For debugging the configuration, tools like SSL Labs may be useful.

- If you want TLS connections, make sure you have a domain available and access to its name servers, so you can point its records at the IP address of the ingress. Let's Encrypt validates that you control the domain before issuing, so the DNS records must be in place before you enable the issuer.
- Install cert-manager (if you have not already):

```
helm repo add jetstack https://charts.jetstack.io
helm install cert-manager --namespace default jetstack/cert-manager --set installCRDs=true
```
- Now edit the values.yaml of Diffgram's helm chart and change the following keys:
  - `diffgramDomain`: set it to the domain you own.
  - `useCertManager`: set this to `true`. This creates the certificate issuer so you can automatically get a TLS certificate for your domain from Let's Encrypt.
  - `tlsIssuer`: set this to `letsencrypt-prod` so that the certificate is issued by Let's Encrypt. While you are still testing the setup, use `letsencrypt-staging` first: the production endpoint rate-limits repeated and failed issuances.
- Upgrade the release with the new values. `helm upgrade` needs both the release name and the chart, so pass the chart path (`.` when run from the chart directory):

```
helm upgrade -n diffgram-ns diffgram . -f diffgram/new_updated_values_from_above_step.yaml
```
- After a few minutes you should see the issuer and the certificate generated. You can confirm this by running:

```
kubectl describe issuer letsencrypt-prod -n diffgram-ns
```

The issuer should show a `Ready` condition of `True`, and `kubectl get certificate -n diffgram-ns` should show the certificate as `READY` `True`. If it stays `False`, the `Events` in `kubectl describe certificate -n diffgram-ns` say why; the usual cause is DNS not yet pointing at the ingress.
```
git clone https://github.com/diffgram/diffgram-helm/
cd diffgram-helm && helm dependency build
helm install -n diffgram-ns diffgram . --create-namespace
```

If you don't change anything in values.yaml, this installs the release with the chart's default values into the namespace given by `-n` (`diffgram-ns` here), which `--create-namespace` creates on your cluster if it does not exist yet.
Note: if on minikube, run

```
echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts
```

to point example.com (or whatever domain you have set in `diffgramDomain` inside values.yaml) at minikube. Check section D. to see required values.
You can substitute the chart path (`.` above, or `./diffgram-helm`) with whatever the path to this repo is on your local machine. Also feel free to install into any other namespace.
Future versions will provide a chart repository so you can install without cloning from GitHub.
When deploying this chart there are 5 main components to be aware of:
1. default-service: This is the service in charge of most of the API calls and data management, both for the SDK and for the Frontend UI.
2. walrus-service: This is a long-running service for CPU-intensive processing. Things like video, splitting, huge file copying and other maintenance tasks are performed on this service.
3. frontend-service: Static VueJS frontend for accessing Diffgram.
4. db-service: A PostgreSQL database. We usually recommend linking an external managed cloud service like AWS RDS, GCP Cloud SQL, or Azure's managed PostgreSQL service instead.
5. ingress: An Nginx ingress for accessing all the services. This is the entry point and router to all the above services.
The following are some of the most important configurations in the chart's values.yaml. Please feel free to contact us if you have any questions about any of the configurations.

Database settings:

1. `dbSettings.dbProvider`: Set this to "rds", "azure", or "local" depending on your DB managed service.
2. `dbSettings.rdsEndpoint`: Set this to your RDS instance endpoint, so Diffgram can use it as the database.
3. `dbSettings.dbUser`: Set this to the Postgres user you want to use with Diffgram.
4. `dbSettings.dbName`: Set this to the Postgres database name you want to create the tables in.
5. `dbSettings.dbPassword`: Set this to the RDS instance's password.

Static storage provider:

1. `diffgramSecrets.DIFFGRAM_STATIC_STORAGE_PROVIDER`: Set this to "aws", "azure", or "gcp" depending on your blob storage provider. Default is aws.

AWS (S3) settings:

1. `diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_ID`: Set this to your AWS credentials access key. Make sure the account has permissions on the S3 bucket you'll use as static storage, and ideally on nothing else.
2. `diffgramSecrets.DIFFGRAM_AWS_ACCESS_KEY_SECRET`: Set this to your AWS credentials secret, for the same account as the access key above.
3. `diffgramSettings.DIFFGRAM_S3_BUCKET_NAME`: Set this to your S3 bucket name for static file storage.
4. `diffgramSettings.ML__DIFFGRAM_S3_BUCKET_NAME`: Set this to your S3 bucket name for static file storage.

`dbPassword` and the AWS keys sit in values.yaml as plain text. Do not commit a populated copy to version control: keep them in a separate values file that git ignores, or pass them at install time with `--set`, and scope the AWS credentials to just this bucket rather than account-wide S3 rights.
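Because `dbPassword` and the AWS keys above are plain-text values, a practical safeguard is to check the values file you commit and inject the secrets from the environment at install time. The script below is an added example, not part of the Diffgram chart: it rejects a values file in which any of those keys carries a value (empty, `""` and `''` are fine, as in the chart defaults), and writes a 0600 overlay file from environment variables to pass as a second `-f`. The key names are the ones listed above; the environment variable names (`DIFFGRAM_DB_PASSWORD`, ...) and the sample files are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the Diffgram chart: keep dbPassword and the AWS
# keys out of the committed values.yaml and inject them at install time.
# Key names are from the chart's values.yaml as documented above; the env var
# names and the sample files below are assumptions of this example.
set -eu

SECRET_KEYS="dbPassword DIFFGRAM_AWS_ACCESS_KEY_ID DIFFGRAM_AWS_ACCESS_KEY_SECRET"

# Returns 0 when no secret key carries a value (absent, empty, "" or '' are
# fine); prints the offending lines and returns 1 otherwise. Pre-commit check.
values_file_is_clean() {
  local file="$1" key rc=0
  for key in $SECRET_KEYS; do
    if grep -nE "^[[:space:]]*${key}:[[:space:]]*[^[:space:]]" "$file" \
       | grep -vE ":[[:space:]]*(\"\"|'')[[:space:]]*$"; then
      echo "refusing: $key has a value in $file" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Write a values overlay from the environment with 0600 permissions, to pass
# as "-f secrets.yaml". A file rather than --set keeps the values out of `ps`
# output and shell history. (Values containing " or \ would need escaping.)
write_secret_values() {
  local out="$1"
  ( umask 077
    cat > "$out" <<EOF
dbSettings:
  dbPassword: "${DIFFGRAM_DB_PASSWORD}"
diffgramSecrets:
  DIFFGRAM_AWS_ACCESS_KEY_ID: "${DIFFGRAM_AWS_ACCESS_KEY_ID}"
  DIFFGRAM_AWS_ACCESS_KEY_SECRET: "${DIFFGRAM_AWS_ACCESS_KEY_SECRET}"
EOF
  )
}

# Demo on constructed files: one with a leaked password, one safe to commit.
DEMO="$(mktemp -d)"
printf 'dbSettings:\n  dbUser: diffgram\n  dbPassword: hunter2\n' > "$DEMO/leaked.yaml"
printf 'dbSettings:\n  dbUser: diffgram\n  dbPassword: ""\n' > "$DEMO/values.yaml"

if values_file_is_clean "$DEMO/leaked.yaml"; then
  echo "unexpected: leaked.yaml passed"
else
  echo "leaked.yaml rejected as expected"
fi
if values_file_is_clean "$DEMO/values.yaml"; then
  echo "values.yaml is safe to commit"
fi

# Constructed placeholder credentials, used only when the env vars are unset.
export DIFFGRAM_DB_PASSWORD="${DIFFGRAM_DB_PASSWORD:-constructed-example-only}"
export DIFFGRAM_AWS_ACCESS_KEY_ID="${DIFFGRAM_AWS_ACCESS_KEY_ID:-AKIA-EXAMPLE}"
export DIFFGRAM_AWS_ACCESS_KEY_SECRET="${DIFFGRAM_AWS_ACCESS_KEY_SECRET:-example-secret}"
write_secret_values "$DEMO/secrets.yaml"
# Printed, not run: the committed values.yaml plus the ignored overlay.
echo "helm upgrade --install -n diffgram-ns diffgram . -f values.yaml -f $DEMO/secrets.yaml"
```

Run `values_file_is_clean values.yaml` from a pre-commit hook and add the overlay file name to `.gitignore`; the overlay is meant to fail the same check, which is exactly why it never enters the repository.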
Try `kubectl get pods` and find a pod named `diffgram-pre-install-{SOME-ID}`. Now do

```
kubectl logs diffgram-pre-install-{SOME-ID} -c pre-upgrade-alembic-hook
```

(add `-n diffgram-ns`, or whichever namespace you installed into). This will show the logs of the pod to further debug the issue. The most common causes for this error are:

- Missing blob storage provider credentials (either AWS access keys, a GCP service account, or an Azure connection string)

Your ingress might not have the `enable-underscores-in-headers` setting. Nginx drops request headers that contain underscores by default, so any Diffgram request header with an underscore in its name is silently lost. Enable it in the ingress-nginx ConfigMap (`enable-underscores-in-headers: "true"`); see: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#enable-underscores-in-headers