Installation with IE Provisioning CLI
Download and Install the IE Provisioning CLI
- Log into the Industrial Edge Hub.
  China Region: For users in China region please log into the Industrial Edge Hub China.
- Navigate to Download Software.
- In the Industrial Edge Provisioning CLI - Ubuntu tile, click Download. The IE Provisioning CLI for Linux is downloaded to your Internet browser's default download folder.
- To execute the IE Provisioning CLI, install the binary:
  sudo install ieprovision /usr/local/bin/
To provision the IEM from Windows use the IECTL. Use iectl provision install instead of ieprovision install.
Install the IEM Pro on the K8s Cluster using the CLI
To install the IEM Pro it is necessary to have the ieprovision CLI installed.
The host system running ieprovision needs internet access to reach the domains listed in Contacted domain names and, at the same time, a connection to the Kubernetes cluster.
Before triggering the installation, use kubectl config use-context to select the context of the cluster that the IEM Pro is to be installed on.
NOTICE
For the installation, the kubeconfig in ~/.kube/config is used and environment variables will be ignored.
Since the installation depends heavily on the infrastructure, such as whether a proxy is used or how exactly the IEM Pro will be accessed later, several CLI parameters must be set. It is therefore recommended to read the IE Gateway and TLS Termination documentation beforehand. It is also necessary to specify the correct FQDN (Fully Qualified Domain Name) or IP during installation; otherwise the IEM Pro will not be reachable after deployment.
In the Helm Chart reference all default values can be seen.
In any case, it should be checked which storage class is being used (kubectl get storageclass).
It is also very important to set the right proxy values (see Configuring a Proxy via Provisioning CLI).
The IEM Pro can be installed in two ways: using templates or using a bash command.
Both do the same thing, but in different ways. For anyone without experience with a CLI, it is recommended to use the template onboarding.
Onboarding using Templates
Use the template command to create a quickstart configuration file:
ieprovision template > template.yaml
This command creates an example template.yaml in the current directory of the terminal:
Example template
central-auth:
  keycloak:
    customerRealmAdmin:
      #
      # Email of the initial IEM admin
      email: customer.admin@siemens.com
      #
      # first name of the initial IEM admin
      firstName: customer
      #
      # last name of the initial IEM admin
      lastName: admin
      #
      # username of the initial IEM admin
      username: customer_admin
    initialUser:
      #
      # email of the initial keycloak user
      email: iem.user@siemens.com
      #
      # Enable creation of the initial IEM user
      enabled: true
      #
      # first name of the initial keycloak user
      firstName: iem
      #
      # last name of the initial keycloak user
      lastName: user
      #
      # username of the initial keycloak user
      username: iem_user
global:
  #
  # Application Secret Key
  applicationSecretKey: b33ee64a-8917-4e5f-a5cf-70c7bb4bb84d
  #
  # Password for Customer Realm Admin
  customerAdminPassword: R1IvwvkmYkz#
  #
  # Password for database user
  databaseUserPassword: ""
  #
  # Hostname for accessing the IEM
  hostname: ""
  #
  # Password for IAM administrator
  iamAdminPassword: IV6k*W$WXmfz
  #
  # Password for IAM Auth Proxy
  iamAuthProxyClientSecret: ""
  #
  # Client Secret for IAM SDK
  iamSdkClientSecret: ""
  #
  # Password for IEM administrator
  iemAdminPassword: F#4tRjIb1P1Z
  #
  # sets the passwords of initial users as temporary
  temporaryPassword: false
output:
  #
  # Print out initial user passwords?
  printPasswords: true
NOTICE
The template file contains default values which must be changed by the operator. The ieprovision CLI generates a template with randomly generated, pre-filled passwords.
NOTICE
The email and username values are case-sensitive and will be automatically converted to lowercase in certain system components. To ensure proper functionality, always provide these values in lowercase letters.
The IP address of the cluster or DNS name must be used for the hostname in the template file.
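A pre-flight check for the completed template, as an added example that is not part of the original documentation or of the ieprovision tool: it rejects an empty global.hostname, mixed-case email and username values, and any secret copied from the example template printed on this page, and it warns about the password-handling switches. The function names check_template and sample_template and the sample values are constructed for illustration; the key names are those of the example template.

```shell
# Pre-flight lint for template.yaml; key names are taken from the example template.
check_template() {  # prints findings; returns 1 if any ERROR was raised
  awk '
    function err(m)  { print "ERROR: " m; bad = 1 }
    function warn(m) { print "WARN:  " m }
    BEGIN {  # secrets shown in the public example template must never be reused
      pub["b33ee64a-8917-4e5f-a5cf-70c7bb4bb84d"] = 1; pub["R1IvwvkmYkz#"] = 1
      pub["IV6k*W$WXmfz"] = 1; pub["F#4tRjIb1P1Z"] = 1
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^#/ || /^$/ { next }
    /^[A-Za-z-]+:$/ { section = substr($0, 1, length($0) - 1); next }  # nearest parent key
    {
      i = index($0, ":"); if (!i) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); gsub(/^"|"$/, "", val)
      path = section "." key
      if (val in pub) err(path " reuses a secret printed in the documentation")
      if ((key == "email" || key == "username") && val ~ /[A-Z]/)
        err(path " must be lowercase: " val)
      if (path == "global.hostname") { seen = 1; if (val == "") err(path " is empty") }
      if (path == "output.printPasswords" && val == "true")
        warn(path "=true prints the initial passwords to the terminal")
      if (path == "global.temporaryPassword" && val == "false")
        warn(path "=false: initial passwords are not marked temporary")
    }
    END { if (!seen) err("global.hostname is missing"); exit bad + 0 }
  ' "$1"
}
# Constructed sample: copied example secret, mixed-case email, empty hostname.
sample_template() {
  cat <<'EOF'
central-auth:
  keycloak:
    customerRealmAdmin:
      email: Plant.Admin@example.com
      username: plant_admin
global:
  customerAdminPassword: R1IvwvkmYkz#
  hostname: ""
  temporaryPassword: false
output:
  printPasswords: true
EOF
}
# Lint the file given as $1, or the constructed sample when run without arguments.
if [ "$#" -gt 0 ]; then f=$1; else f=$(mktemp); sample_template > "$f"; fi
check_template "$f" || echo "template rejected: fix ERROR lines before ieprovision install"
[ "$#" -gt 0 ] || rm -f "$f"
```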
The IEM Pro is installed using the IEM instance configuration file and the completed template file:
ieprovision install <configuration-file.json> --values template.yaml
NOTICE
You can request additional information by using -v and --log-config.
Onboarding using bash command
You can also manually install the IEM in the Kubernetes cluster. The parameters are the same as for the installation using the template function.
Install the IEM on the K8s cluster using ieprovision install:
Example install
ieprovision install <config> \
  --set global.hostname=<hostname or ip> \
  --namespace iem \
  --set global.storageClass=<storageClass> \
  --set global.storageClassPg=<storageClass> \
  --set global.certChain="$(cat <path-to-iem-certificate[.crt]> | base64 -w 0)"
NOTICE
You can request additional information by using -v and --log-config.
| Parameter | Explanation | Example |
|---|---|---|
| configuration-file | You need to enter the path to your iem-configuration-file | ./configuration-1a457v7cjndhvhjcn843.json |
| --set global.hostname | Enter the public IP of your cluster | 192.168.49.2 |
| --namespace | Namespace of your IEM | iem |
| --set global.storageClass | Storage class of the IEM cluster (show all volumes with kubectl get storageclass); default value is standard | standard |
| --set global.storageClassPg | Storage class for Postgres of the IEM cluster (show all volumes with kubectl get storageclass); default value is standard | standard |
| --set global.certChain | Path to certificate of the IEM [.crt] | ./gencert/our/myCert.crt |
NOTICE
When upgrading the IEM using ieprovision/iectl, the CLI uses the Helm API to interact with the Kubernetes cluster. As a result, Kubernetes may temporarily run the new Pod alongside the existing Pod during an upgrade, which can cause a short-term increase in resource usage. Ensure your cluster has sufficient resource quotas to support this overlap and avoid scheduling issues.
Configure Global Application Import Control
To enhance security and administrative control during deployment, global Helm settings can be configured during installation or upgrade to determine whether management applications and device applications are allowed to be imported. These settings provide an additional layer of protection.
The relevant settings for management and device applications are the following:
| Parameter | Description | Default |
|---|---|---|
| --set global.disableAppImportForManagement | Disable import of management application | true |
| --set global.disableAppImportForDevice | Disable import of device application | true |
NOTICE
The above settings are available from chart version v2.x.x onwards.
Switching from Provisioning CLI to Direct Helm
When adapting an existing script that uses the Provisioning CLI to Helm, only a few changes are necessary, as the Provisioning CLI already uses the same flags as Helm for user inputs. Only these changes are necessary:
- ieprovision install is replaced by helm install
- For verbose output use the flag --debug (replacing -v and --log-output)
- The namespace does not default to iem anymore (helm uses the context from kubeconfig instead) and has to be set manually using -n.
- Helm requires manually setting the release name. Please note: The release name has to be shorter than 32 characters for the installation to work. An autogenerated release name would be too long; therefore setting the name manually is required.
- The flag --chart cannot be used anymore. Instead download the chart from IEHub and include it without flag (e.g. as ./application-management-service-v1.12.11.tgz)
Any flags --set, -f, --values, etc. can be kept without changes.
An IEM Pro installed using the Provisioning CLI can be upgraded using helm directly.
NOTICE
IEMs that have previously been set up using ieprovision can also be upgraded using the Helm CLI commands. However, managing IEMs that have been set up using the Helm CLI with ieprovision is not possible!