Customize Deployment Files

This topic shows how to configure additional properties by merging Kubernetes configuration YAML files. When you install and deploy Privacera services, a default Kubernetes configuration file is created for each Privacera service. To extend the configuration of a Privacera service, create a new configuration file that defines the new properties; it is then merged with the default file.

Configuration Filenames

The following table lists the Privacera services whose configurations can be merged. For each service, it gives the configuration files that can be created and merged, and the directory where these files must be stored. Refer to this table for the filename and location when creating a new configuration file.

| Service Name | Custom Service Directory | Config File Names |
|---|---|---|
| Auditserver | ~/privacera/privacera-manager/config/custom-vars/auditserver | auditserver-service.yml, auditserver-storageclass.yml, auditserver-statefulset.yml |
| Audit-fluentd | ~/privacera/privacera-manager/config/custom-vars/audit-fluentd | audit-fluentd-service.yml, audit-fluentd-storageclass.yml, audit-fluentd-statefulset.yml |
| Access-Request-Manager | ~/privacera/privacera-manager/config/custom-vars/portal | access-request-manager-service.yml, access-request-manager-deployment.yml |
| Mariadb | ~/privacera/privacera-manager/config/custom-vars/mariadb | mariadb-service.yml, mariadb-secret.yml, mariadb-pvc.yml, mariadb-storageclass.yml, mariadb-deployment.yml |
| Zookeeper | ~/privacera/privacera-manager/config/custom-vars/zookeeper | zookeeper-service.yml, zookeeper-poddisruptionbudget.yml, zookeeper-storageclass.yml, zookeeper-statefulset.yml |
| Solr | ~/privacera/privacera-manager/config/custom-vars/solr | solr-service.yml, solr-poddisruptionbudget.yml, solr-storageclass.yml, solr-statefulset.yml |
| Ranger-admin | ~/privacera/privacera-manager/config/custom-vars/ranger-admin | ranger-service.yml, ranger-service-ingress.yml, ranger-deployment.yml |
| Ranger-usersync | ~/privacera/privacera-manager/config/custom-vars/ranger-usersync | usersync-deployment.yml |
| Ranger-kms/crypto | ~/privacera/privacera-manager/config/custom-vars/ranger-kms | ranger-kms-service.yml, ranger-kms-deployment.yml |
| Peg | ~/privacera/privacera-manager/config/custom-vars/peg | peg-service.yml, peg-deployment.yml, peg-hpa.yml |
| Portal | ~/privacera/privacera-manager/config/custom-vars/portal | portal-service.yml, portal-deployment.yml |
| Dataserver | ~/privacera/privacera-manager/config/custom-vars/dataserver | dataserver-service.yml, dataserver-service-account.yml, dataserver-role-binding.yml, dataserver-deployment.yml |
| Discovery | ~/privacera/privacera-manager/config/custom-vars/discovery | discovery-service.yml, discovery-pvc.yml, discovery-storageclass.yml, discovery-deployment.yml |
| Policysync | ~/privacera/privacera-manager/config/custom-vars/policysync | policysync-deployment.yml, policysync-pvc.yml, policysync-rocksdb-pvc.yml, policysync-storageclass.yml |
| Kafka | ~/privacera/privacera-manager/config/custom-vars/kafka | kafka-statefulset.yml |
| Pkafka | ~/privacera/privacera-manager/config/custom-vars/pkafka | pkafka-deployment.yml |
| Trino | ~/privacera/privacera-manager/config/custom-vars/trino | trino-deployment.yml, trino-service.yml, trino-worker-statefulset.yml, trino-worker-storageclass.yml |
| Grafana | ~/privacera/privacera-manager/config/custom-vars/grafana | grafana-service.yml, grafana-pvc.yml, grafana-storageclass.yml, grafana-deployment.yml |
| Graphite | ~/privacera/privacera-manager/config/custom-vars/graphite | graphite-service.yml, graphite-pvc.yml, graphite-storageclass.yml, graphite-deployment.yml |
| Common - RBAC | ~/privacera/privacera-manager/config/custom-vars/rbac | service-account.yml, role.yml, role-binding.yml |

Procedure

To merge Kubernetes configuration files, perform the following steps:

  1. Refer to the table above and choose the service whose configuration you want to merge. Note the filename of the configuration file and the directory where the file must be stored.

  2. Create the custom service directory. Replace <SERVICE_NAME> with the directory name listed in the table for the Privacera service whose configuration you want to merge.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir -p <SERVICE_NAME>
    
  3. Create the new configuration file inside the service directory. Replace <CONFIG_FILENAME> with the name of the configuration file of the Privacera service.

    vi <SERVICE_NAME>/<CONFIG_FILENAME>
    
  4. Add the properties to the configuration file. The following is an example of adding a nodeSelector property.

    spec:
      template:
        spec:
          nodeSelector:
            node: privacera
    
  5. Verify the deployment file by running the setup command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    

    Once the command is completed, you can find the deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/<CONFIG_FILENAME>
    
  6. Run the update command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Example: Assigning pods to a node

If you want to assign a pod to a node for the Portal service, perform the following steps:

  1. In the table above, find the Portal service and note the filename, portal-deployment.yml.

  2. Create the service directory, named portal.

    cd ~/privacera/privacera-manager/config/custom-vars
    mkdir -p portal
    
  3. Create the configuration file, portal-deployment.yml, inside the portal directory.

    vi portal/portal-deployment.yml
    
  4. Add the following property to the configuration file. Replace <key> and <value> with the key and value of the label on the target node.

    spec:
      template:
        spec:
          nodeSelector:
            <key>: <value>
    
  5. Before running the install, verify the deployment file by running the setup command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    

    Once the command is completed, you can find the deployment file at the following location:

    vi ~/privacera/privacera-manager/output/kubernetes/helm/portal/templates/portal-deployment.yml
    

    The contents of the custom portal deployment file are merged with the regular portal deployment file already available in Privacera Manager using the Ansible combine filter. This merge only works with hashes/dictionaries. The new deployment file is generated in the output folder in YAML format.

    The following are the properties of the deployment file before running the setup command.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}
    

    The following are the properties of the deployment file after running the setup command. Two additional lines, nodeSelector: and node: privacera, are added.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: portal
      name: portal
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: portal
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: portal
        spec:
          containers:
          - image: hub2.privacera.com/privacera:rel.latest
            imagePullPolicy: IfNotPresent
            livenessProbe:
              failureThreshold: 3
              initialDelaySeconds: 400
              periodSeconds: 30
              tcpSocket:
                port: 6868
            name: portal
            ports:
            - containerPort: 6868
            readinessProbe:
              failureThreshold: 6
              initialDelaySeconds: 120
              periodSeconds: 30
              tcpSocket:
                port: 6868
            resources:
              limits:
                cpu: '0.5'
                memory: 2457M
              requests:
                cpu: '0.2'
                memory: 307M
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
          imagePullSecrets:
          - name: privacera-hub
          initContainers:
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh zk-0.zkensemble:2181:2181 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-zookeeper
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh solr-service:8983 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-solr
          - command:
            - bash
            - -c
            - /scripts/wait-for-it.sh mariadb:3306 -t 300 --
            image: hub2.privacera.com/privacera:rel.latest
            name: wait-for-mariadb
          - command:
            - bash
            - -c
            - cp -r /conf_ro/. /opt/privacera/portal/conf
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-conf
            volumeMounts:
            - mountPath: /opt/privacera/portal/conf
              name: conf-vol
            - mountPath: /conf_ro
              name: portal-conf
          - command:
            - bash
            - -c
            - cp -r /bin_ro/. /opt/privacera/portal/bin
            image: hub2.privacera.com/privacera:rel.latest
            name: copy-bin
            volumeMounts:
            - mountPath: /opt/privacera/portal/bin
              name: bin-vol
            - mountPath: /bin_ro
              name: portal-bin
          nodeSelector:
            node: privacera
          restartPolicy: Always
          securityContext:
            fsGroup: 200
          serviceAccountName: privacera-sa
          topologySpreadConstraints:
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: zone
            whenUnsatisfiable: ScheduleAnyway
          - labelSelector:
              matchLabels:
                app: portal-1
            maxSkew: 1
            topologyKey: node
            whenUnsatisfiable: DoNotSchedule
          volumes:
          - configMap:
              name: portal-conf
            name: portal-conf
          - configMap:
              defaultMode: 493
              name: portal-bin
            name: portal-bin
          - emptyDir: {}
            name: conf-vol
          - emptyDir: {}
            name: bin-vol
    status: {}
    
  6. Run the update command.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
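
The merge behaviour described in step 5 of the example, as an added illustration that is not Privacera's code: it emulates Ansible's combine filter and flags values in a custom file that would overwrite, rather than extend, the default deployment. It assumes the filter runs with recursive=True and the default list handling (lists are replaced), neither of which this page states; `combine`, `replaced_paths` and the sample dictionaries are constructed for the example.

```python
import copy

def combine(base, override):
    """Emulate combine(recursive=True): dicts merge key by key, anything else replaces."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = combine(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)  # lists and scalars replace wholesale
    return merged

def replaced_paths(base, override, prefix=""):
    """Return dotted paths where the override overwrites an existing non-dict value."""
    hits = []
    for key, value in override.items():
        path = f"{prefix}.{key}" if prefix else key
        if key not in base:
            continue  # pure addition, nothing from the default file is lost
        if isinstance(value, dict) and isinstance(base[key], dict):
            hits += replaced_paths(base[key], value, path)
        elif base[key] != value:
            hits.append(path)
    return hits

# Constructed sample: a trimmed version of the portal deployment shown above.
BASE = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "portal",
        "image": "hub2.privacera.com/privacera:rel.latest",
        "resources": {"limits": {"cpu": "0.5", "memory": "2457M"}},
    }],
    "securityContext": {"fsGroup": 200},
    "serviceAccountName": "privacera-sa",
}}}}

# Custom file from this page: dictionaries only, so the merge is purely additive.
NODE_SELECTOR = {"spec": {"template": {"spec": {"nodeSelector": {"node": "privacera"}}}}}

# Hypothetical custom file: a partial containers list replaces the whole list,
# silently dropping the image and resource limits of the default container.
PARTIAL_CONTAINERS = {"spec": {"template": {"spec": {
    "containers": [{"name": "portal", "imagePullPolicy": "Always"}],
}}}}

if __name__ == "__main__":
    for name, custom in (("nodeSelector", NODE_SELECTOR), ("containers", PARTIAL_CONTAINERS)):
        print(name, "overwrites:", replaced_paths(BASE, custom) or "nothing")
```

Run the same check against a custom file before `./privacera-manager.sh setup`; any path it reports is one to compare by hand in the generated file under the output folder.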
    

Last update: September 15, 2021