OTH Public Software

Prepare

To prepare a new deployment, the following steps must be performed:

  • Outside Kubernetes
    • Create MariaDB instance
    • Create RabbitMQ instance
  • In Kubernetes
    • Create namespace
    • Create secrets using the correct naming convention, with the correct keys present
    • Optional: Create secret with TLS certificate for ingress

For the steps outside Kubernetes we do not provide documentation, other than to say that OTH uses AWS managed RDS for MariaDB and AWS MQ for RabbitMQ.

Kubernetes Resources

For OTH, every deployment is identified by a customer and a stage. In this guide we use oth as customer and demo as stage.

For the Kubernetes resources OTH provides a small command line utility to help expedite the process. The tool uses the connection configured for kubectl.

For installation of the tool please refer to: TODO SETUP

The tool currently supports a single init command and can dump the generated configuration to standard out, so that the file can be stored and transferred if so desired.

If you choose not to use the tool, you must create a namespace. We recommend naming it <customer>-<stage> to denote the deployment (oth-demo for this example):

kubectl create namespace oth-demo

We recommend using the same name for the deployment.

Create a secret in the oth-demo namespace. The name of the secret must be:

oth-<name>-secrets

For the specific keys please refer to the version specific documentation.

Using the tool

With the tool, the steps above can be performed by:

export customer=oth
export stage=demo
export name=$customer-$stage
oth-k8s-bootstrap init -n $name -c $customer -s $stage \
   -a $AWS_ACCESS_KEY_ID -k $AWS_SECRET_ACCESS_KEY \
   --pv 2.70.00 \
   --dbpassword opentele --dbadminpassword opentele \
   --rabbitmqpassword rabbitmq

To see what is performed, add the --stdout option to the command above; the output can then be piped into kubectl:

export customer=oth
export stage=demo
export name=$customer-$stage
oth-k8s-bootstrap init -n $name -c $customer -s $stage \
   -a $AWS_ACCESS_KEY_ID -k $AWS_SECRET_ACCESS_KEY \
   --pv 2.70.00 \
   --dbpassword opentele --dbadminpassword opentele \
   --rabbitmqpassword rabbitmq --stdout | kubectl apply -f -

To dump it to a file:

export customer=oth
export stage=demo
export name=$customer-$stage
oth-k8s-bootstrap init -n $name -c $customer -s $stage \
   -a $AWS_ACCESS_KEY_ID -k $AWS_SECRET_ACCESS_KEY \
   --pv 2.70.00 \
   --dbpassword opentele --dbadminpassword opentele \
   --rabbitmqpassword rabbitmq --stdout | tee oth-init.json

The output currently looks like this (the sample below was generated with test as customer and demo as stage):

{
  "kind": "Namespace",
  "apiVersion": "v1",
  "metadata": {
    "name": "test-demo",
    "creationTimestamp": "2022-01-05T13:25:31Z"
  },
  "spec": {},
  "status": {}
}
{
  "kind": "Secret",
  "apiVersion": "v1",
  "metadata": {
    "name": "oth-test-demo-secrets",
    "namespace": "test-demo",
    "creationTimestamp": "2022-01-05T13:25:31Z",
    "labels": {
      "app.kubernetes.io/component": "oth-test-demo-secrets",
      "app.kubernetes.io/name": "oth-test-demo-secrets",
      "app.kubernetes.io/part-of": "test-demo",
      "app.kubernetes.io/productversion": "2.70.00"
    }
  },
  "data": {
    "audit-key": "eEk1WjViMFl3aTdDaXpYaGpFUTJ5ZzAxQUNESFhpTDk=",
    "audit-secret": "REMyc1h6ZjBFNm9vZnVIc0dxWHhxN3o3QWZOU2ZFM0hvS1hHMFVMeU05V2xGRFpwQzNhUHlscWxiS0RITjZqUg==",
    "aws-access-key-id": "QUtJQVYyNExMWTJSR1lJSlRWVTI=",
    "aws-secret-access-key": "ZGFCeHlLNGEwVmNwMVlJQkswQWVEcXU0TXVzc1lRYXMzY2U3OWJSeA==",
    "clinician-key": "aGg0RnlUS2RSaURkVlU4VHJ1T2gxeEhuTk5FRks0NjI=",
    "clinician-secret": "b2IydkVFUzFqU1gyQVVNek1vUnl5SW1TaWRpZG5LMTBCZ0FoU0ZpMGZOV1kxNmlHSmc4SkNkTXpzSnhvRjB0ZQ==",
    "guidance-key": "a0FudkRPNWtIbkcydFpTTms2WW00eDBKSXBEcDJaOU4=",
    "guidance-secret": "MU54MVNqNWR1UHdsc0tCamxyaXZhRThGVEYwaUpKWjkzVlppS3pqTTdxclhLTWNSNzBDRXc5emR2Z1N2VHo3aA==",
    "idp-rsa-private": "<base64-encoded private key omitted>",
    "idp-rsa-public": "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJDZ0tDQVFFQXVIRFA3aUxmV0h2ejFzL3lraEVZKzRSdCtqeEZUNWtNTzI3NTBaaFdWb0t5V2NoQVNGV0sKQWhQRXpPQnVvVmVoOUJkQlMyZUdTRlVISlVjSkk2VXZ3MmpXaFlkYkE3MGdoNE9CMmY4aHk5blVUL3I2eVNrQgpUN1RUY3NXN1FKRVZXWUxTSDl5c0NiN0pUTGE0blJneFk5b0UwN3Zrb2dRS01TZ3NCK0pnUXcvWDlOQVhZVmsvCnR4czZYdm5lNnJRTTVEODFZWmNKQk5vbnc4V05kNEdYS2IxWjdQTWo2M2lZS1g2Y0wraldKd0h2UHR5aVZCeWYKSkdhVzJOeUdsVnRDaTJ0Y1VqWjU0RVVocnR2YmUydGhEMzA2YjJKbnRTTXU4ZFhXNW5DRVQyRWRSZEFVOXBUNQptTDN4dWJqVmxhV0IwbUUrSFJIdWhKSysvK0pJMXhZUDF3SURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0tLS0K",
    "idp2-key": "MXNCdVp5UnpNbXRrVjNoQktlMGFUQmYwRHBQQ2E1NHE=",
    "idp2-secret": "TjRLMHlKR2hzVlF5QUl4d3BTd2FyZWU0b2tkOEMwbmdWUENoV3psNHAwVnRRbUdpUmFCbWdGUFV0Q1ZsQVlScg==",
    "logging-key": "dlQ5STFYWkN4MHdBQUlHVzF4QWRJZmxaWmNCSFVlMEU=",
    "logging-secret": "RXZ0RG9aSml0YXZManhnWnlUcHk0M3Y0MHdaeTVZTWdXOU9JNW02RmcwTTZQeWp6SzZNSkp6QnI2d0I5V2lPNA==",
    "mariadb-password": "b3BlbnRlbGU=",
    "mariadb-root-password": "b3BlbnRlbGU=",
    "measurements-key": "ZVFSOVZMVVBUZHptSm5LcTFVdHViSlQ4ZjlWYWR6U0o=",
    "measurements-secret": "anBSN3pjNjFPNEFxYmY3QkEzcnVrZ29GV2t0VjB4ZUVja3BXNkJFdkx6dkVXWU5GME5TRWJrcGlxNGpKSHpRUw==",
    "questionnaires-key": "SEpTMXR2aUY5NGJHV0RxTWRERDQ1Z0lyenV4dUxCdmo=",
    "questionnaires-secret": "cUxTd0FZSlBRaHBNSGd4VkpZbnRaY2FmcnNJT2cyT3lrNnFpdVF4ZEZlNE5zTDBsTVdMSktITXVoYlBoUlpqeQ==",
    "rabbitmq-admin-password": "M1ZjRllGTFBQalZ2eXdYdE5n",
    "rabbitmq-password": "cmFiYml0bXE=",
    "thresholds-key": "aE1PSlZMUU1wSllHNlpRM1pLTGNpTUFVWTlZSkZQY1M=",
    "thresholds-secret": "QmJBM2RVMVBRemlWUnFXZXVvS1NWSlRNR0RzMU5NdUVqQVFoamlKTEhieEZra2EwYU12aEFBd3VjandBWnJwWA==",
    "uis-key": "VjI4ZHE0ZmdYQnhhYUNRVTZnWXdJckhSTHZmSlBFZ0E=",
    "uis-secret": "OTJ5THVZdlhncGE1bVhSa21NU2lxMmhGN1hZdWxCQ0xERnFWVVBXUTVwUWpwcTZWeG9CTnRaU2dXdkl4Y0VwRA=="
  },
  "type": "Opaque"
}
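As an added example (not part of the tool or the original page), the following script checks a dumped oth-init.json before it is applied: it parses the tool's output as a stream of concatenated JSON documents (it is not a JSON array), verifies the namespace and the oth-<name>-secrets naming convention, and flags secret values that are empty or still hold the placeholder passwords used in the guide's example commands (opentele, rabbitmq). The sample stream and the function names are assumptions made for the example.

```python
import base64
import json

# Constructed sample of the tool's output: a stream of concatenated JSON
# documents (not a JSON array), trimmed to a few keys for brevity.
SAMPLE_STREAM = """
{"kind": "Namespace", "apiVersion": "v1", "metadata": {"name": "oth-demo"}}
{"kind": "Secret", "apiVersion": "v1", "type": "Opaque",
 "metadata": {"name": "oth-oth-demo-secrets", "namespace": "oth-demo"},
 "data": {"mariadb-password": "b3BlbnRlbGU=", "rabbitmq-password": "cmFiYml0bXE=",
          "audit-key": "eEk1WjViMFl3aTdDaXpYaGpFUTJ5ZzAxQUNESFhpTDk="}}
"""

# Placeholder values from the guide's example commands (opentele, rabbitmq);
# a real deployment must not ship with them.
GUIDE_PLACEHOLDERS = {"opentele", "rabbitmq"}


def parse_stream(text):
    """Split a stream of concatenated JSON documents into Python objects."""
    decoder = json.JSONDecoder()
    docs, pos, text = [], 0, text.strip()
    while pos < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        docs.append(obj)
        while pos < len(text) and text[pos].isspace():  # skip inter-document whitespace
            pos += 1
    return docs


def check_oth_init(text, customer, stage):
    """Return a list of findings; an empty list means the manifest passes."""
    name = f"{customer}-{stage}"
    findings = []
    for doc in parse_stream(text):
        kind, meta = doc.get("kind"), doc.get("metadata", {})
        if kind == "Namespace" and meta.get("name") != name:
            findings.append(f"namespace is {meta.get('name')!r}, expected {name!r}")
        elif kind == "Secret":
            if meta.get("name") != f"oth-{name}-secrets":
                findings.append(f"secret {meta.get('name')!r} breaks the oth-<name>-secrets convention")
            if meta.get("namespace") != name:
                findings.append(f"secret is in namespace {meta.get('namespace')!r}, expected {name!r}")
            for key, value in doc.get("data", {}).items():
                plain = base64.b64decode(value).decode("utf-8", "replace")
                if not plain:
                    findings.append(f"{key} is empty")
                elif plain in GUIDE_PLACEHOLDERS:
                    findings.append(f"{key} still holds the guide's placeholder value")
    return findings
```

Run it against the real dump with `check_oth_init(open("oth-init.json").read(), "oth", "demo")` and refuse to apply the manifest while the list is non-empty.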

Optional: Enable TLS termination

In order to set up TLS termination at the ingress, a TLS certificate must be provided. It must be stored in a secret in the namespace; the OTH controller looks for a secret named oth-tls-secret by default.

Create this secret with:

kubectl -n oth-demo create secret tls oth-tls-secret --cert <path/to/certificate.pem> --key <path/to/key.key>

If the TLS connection is not terminated at the ingress, TLS must be terminated before the traffic reaches the ingress.