
This article describes how to deploy the Smart ID Messaging component (the Hermod image) on Kubernetes.

Prerequisites for Hermod deployment

  • A Kubernetes cluster (service subscription) in which you will create and deploy Hermod

  • A public DNS name that devices can reach

  • Matching certificates for the public address

  • An installed/deployed instance of an SQL server, for example, PostgreSQL, Microsoft SQL Server, MariaDB, or Oracle

Step-by-step instruction

Download the Hermod docker image and file structure

  1. Sign in to the Nexus Support portal.

  2. Go to Nexus Smart ID Clients (Personal and Hermod) > Smart ID Messaging and select a Hermod version to download the *.zip file.

  3. Unpack the *.zip file.

  4. Open the extracted folder, for example, 3.x.y.RELEASE.
    The folder contains the Hermod installation file and a simple-setup file to set up a default configuration.

  5. Unpack simple-setup.zip.

  6. Place the docker image in a container registry that the Kubernetes cluster can access and pull the image from (for example with docker load -i, docker tag and docker push). If the registry is private, the cluster also needs pull credentials for it.

Create the storage yml file

Edit the file hermod-config with the correct values for your environment. It creates a persistent volume claim that can hold the Hermod configuration file. Note that the example deployment later in this article mounts the configuration from the ConfigMap hermod (volume hermod-config) rather than from this claim; if you want the configuration on persistent storage instead, change the deployment's volume definition to reference the claim.

Important! The actual values must match the specific deployment scenario. The hermod-config code below is only intended as an example; in particular volumeName: hermod-config binds the claim to a pre-existing persistent volume of that name, so remove it if you want the storage class to provision the volume dynamically.

Example: hermod-config.yml

Code Block
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  finalizers:
  - kubernetes.io/pvc-protection
  name: hermod-config
  namespace: test
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: default
  volumeMode: Filesystem
  volumeName: hermod-config

Create the Hermod deployment yml file

Edit the file hermod-deployment with the correct values for your environment.

Important! The actual values must match the specific deployment scenario. The hermod-deployment code below is only intended as an example. In particular:

  • Replace image: with the registry path where you placed the image in step 6 above.

  • The database URL, username and password are read from the secret hermod-secret-test-postgres into environment variables and passed to Spring Boot as command-line arguments. Kubernetes itself only expands $(VAR) references in args; the ${VAR} form used here relies on the image entrypoint expanding it, so if the application sees the literal string ${DB_URI}, switch to $(DB_URI). Passing the password on the command line also makes it visible in the container's process list; Spring Boot's relaxed binding accepts the same settings as the environment variables SPRING_DATASOURCE_URL, SPRING_DATASOURCE_USERNAME and SPRING_DATASOURCE_PASSWORD if you prefer to keep it out of argv.

  • resources: {} sets no requests or limits. JAVA_OPTS caps the heap at 512 MB, so set a memory request/limit that also leaves room for metaspace, code cache, thread stacks and direct memory.

  • The readiness probe and the Prometheus scrape annotations point at the application port 20400, which is the port the service publishes; restrict access to the management endpoints enabled in the configuration (health, info, refresh, prometheus) at the edge if devices should not reach them.

Example: hermod-deployment.yml

Code Block
apiVersion: v1
items:
- apiVersion: apps/v1
  kind: Deployment
  metadata:
    annotations:
      deployment.kubernetes.io/revision: "2"
    generation: 3
    labels:
      app: hermod
      configmap-version: "1"
    name: hermod
    namespace: test
  spec:
    replicas: 1
    revisionHistoryLimit: 2
    selector:
      matchLabels:
        app: hermod
    strategy:
      rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
      type: RollingUpdate
    template:
      metadata:
        labels:
          app: hermod
          configmap-version: "1"
        annotations:
          prometheus.io/scrape: "true"
          prometheus.io/scheme: "http"
          prometheus.io/path: "prometheus"
          prometheus.io/port: "20400"
      spec:
        containers:
        - image: nexusgocontainerregistry.azurecr.io/nexus-personal/hermod:3.7.0.RELEASE
          imagePullPolicy: Always
          args:
          - --spring.profiles.active=native
          - --spring.datasource.url=${DB_URI}
          - --spring.datasource.username=${DB_USERNAME}
          - --spring.datasource.password=${DB_PASSWORD}
          name: hermod
          ports:
          - containerPort: 20400
            protocol: TCP
          resources: {}
          env:
          - name: JAVA_OPTS
            value: >-
              -Xms256m -Xmx512m -XX:MaxMetaspaceSize=512m -XX:CompressedClassSpaceSize=64m
              -Xss256k -Xmn8m -XX:InitialCodeCacheSize=4m -XX:ReservedCodeCacheSize=64m
              -XX:MaxDirectMemorySize=64m
          - name: DB_URI
            valueFrom:
              secretKeyRef:
                key: DB_URI
                name: hermod-secret-test-postgres
          - name: DB_USERNAME
            valueFrom:
              secretKeyRef:
                key: DB_USERNAME
                name: hermod-secret-test-postgres
          - name: DB_PASSWORD
            valueFrom:
              secretKeyRef:
                key: DB_PASSWORD
                name: hermod-secret-test-postgres
          readinessProbe:
            httpGet:
              path: /ms
              port: 20400
            initialDelaySeconds: 20
            timeoutSeconds: 5
            periodSeconds: 30
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
          terminationMessagePath: /dev/termination-log
          volumeMounts:
          - name: hermod-config
            mountPath: /home/docker/config
        volumes:
        - name: hermod-config
          configMap:
            name: hermod
        dnsPolicy: ClusterFirst
        restartPolicy: Always
        securityContext: {}
        terminationGracePeriodSeconds: 30
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""

Create the Hermod configuration yml file

Edit the file hermod-configuration with the correct values for your environment.

Important! The actual values must match the specific deployment scenario: configure the allowed clients (client-id and key), the public URL and the TLS/SSL settings for it. In the example deployment above, the database URL, username and password are supplied through the secret and the container arguments, not through this file. The code below is only intended as an example.

The client key and the X-Api-Key value listed beside it are credentials. Kubernetes stores ConfigMaps unencrypted unless encryption at rest is configured, and anyone who can read ConfigMaps in the namespace can read them, so do not reuse the example values and restrict read access to the namespace. spring.cloud.kubernetes.reload.enabled: true enables Spring Cloud Kubernetes configuration reload, so changes to the ConfigMap can take effect without a rollout; the flip side is that anyone who can edit the ConfigMap can change the allowed clients at runtime.

Example: hermod-configuration.yml

Code Block
kind: ConfigMap
apiVersion: v1
metadata:
  name: hermod
  namespace: test
data:
  application.yml: |-
    logging:
      level:
        org.springframework.context.annotation.AnnotationConfigApplicationContext: ERROR
        org.springframework.boot.SpringApplication: ERROR
        org.springframework.cloud.config.client: ERROR
        org.springframework.web.reactive.function.client.WebClient: TRACE
        com.netflix: INFO
        reactor.netty.http.client: TRACE
        com.nexusgroup: TRACE
        com.relayrides: INFO
        org.mongodb.driver: TRACE
        com.nexusgroup.plugout.message.server.filters.VersionHttpFilter: ERROR
        com.nexusgroup.cod.hermod.service.MessagePlugoutService: ERROR
        org.hibernate.stat: DEBUG
        #org.apache.http: TRACE
      pattern:
        console: "%d{yyyy-MM-dd}T%d{HH:mm:ss.SSS}Z ${LOG_LEVEL_PATTERN:- %5p} [%t] %-40.40logger{39} [%mdc] : %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}"

    server:
      servlet:
        context-path: /
      error:
        include-message: always
        include-binding-errors: never
        include-stacktrace: never
        include-exception: false

    springdoc:
      override-with-generic-response: false
      api-docs:
        enabled: false
      swagger-ui:
        enabled: false

    spring:
      jpa:
        properties:
          hibernate:
            show-sql: false
            format-sql: true
            generate-statistics: false
        hibernate:
          ddl-auto: validate
      cloud:
        kubernetes:
          reload:
            enabled: true

    management:
      info:
        env:
          enabled: true
      endpoints:
        web:
          exposure:
            include: health, info, refresh, prometheus
      endpoint:
        prometheus:
          enabled: true

    application:
      rest:
        client:
          keep-a-live-timeout: -1
          connection-timeout: 8

      hermod:
        scheduler:
          exec:
            threads: 100
        rest:
          uribase:
          hide-exceptions: false
          # Hide sensitive/long data in event logs?
          events:
            hide-sensitive: true
          allowed-clients:
            # X-Api-Key: aGVybW9kLXRlc3QtY2xpZW50Ojc5YjY1NzUwODc3NzQwOGJhNDA2ZjM1NDNjYTg3ZmFkYjc0MmNmNmM3NjEzNDc0MTg5ZGJlZjI5NWEyNTIzMmM=
            - client-id: hermod-test-client
              key: 56UGzk8qZm67YDhkzwuEfpYkLMubram8P9KryXGG9PEa76Xnku5Z6B7c8MKAf66X
              # Optional username:password to be supplied for basic authentication in callbacks
              # callback-basic-auth: username:password
              # The callback URL base for this specific client
              callback-url: http://hermod:20400
        # Message server library settings
        message-server-library:
          public-url: https://<my-hermod-server>:20400/ms

Create the Hermod service yml file

Edit the file hermod-service with the correct values for your environment.

The example exposes the application port 20400 as a NodePort (30400) on every node and does not terminate TLS. The public URL in the configuration is https, and the prerequisites call for matching certificates for the public address, so put an ingress or load balancer that terminates TLS with those certificates in front of this service, or change the service type to suit your cluster (for example LoadBalancer). The selector must match the labels of the deployment's pod template (app: hermod).

Example: hermod-service.yml

Code Block
apiVersion: v1
items:
- apiVersion: v1
  kind: Service
  metadata:
    labels:
      app: hermod
    name: hermod
    namespace: test
  spec:
    ports:
    - nodePort: 30400
      port: 20400
      protocol: TCP
      targetPort: 20400
    selector:
      app: hermod
    sessionAffinity: None
    type: NodePort
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""

Optional: Create the Hermod database secret yml file

Edit the file hermod-secret with the correct values for your environment. The example deployment expects this secret, so create it unless you provide the database settings another way. The secret's name and keys must match the secretKeyRef entries in the deployment (hermod-secret-test-postgres with the keys DB_URI, DB_USERNAME and DB_PASSWORD in the example above); otherwise the pod fails to start with CreateContainerConfigError. Values under stringData: are plain text and Kubernetes base64-encodes them on storage; the equivalent data: form takes base64-encoded values (for example from echo -n '<value>' | base64). The example below uses placeholders; adjust the JDBC URL to your database and never commit real credentials to version control.

Example: hermod-secret.yml

Code Block
apiVersion: v1
kind: Secret
metadata:
  name: hermod-secret-test-postgres
  namespace: test
type: Opaque
stringData:
  DB_URI: jdbc:postgresql://<db-host>:5432/<db-name>
  DB_USERNAME: <db-user>
  DB_PASSWORD: <db-password>

Deploy yml files

Apply the files in dependency order: the secret and the ConfigMap first (the pod references both at start), then the persistent volume claim if you use it, the deployment, and finally the service. Deploy each file on Kubernetes by using the following command:
kubectl --kubeconfig <kubernetes-config> apply -f <file_name>.yml

Check the rollout with kubectl --kubeconfig <kubernetes-config> -n test rollout status deployment/hermod and, once the pod reports ready, confirm that the public URL (https://<my-hermod-server>:20400/ms) answers.
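Before applying, it pays to confirm that the names used across the files agree: the deployment's secretKeyRef entries, the ConfigMap behind the hermod-config volume, the probe port and the service selector. The following script is an added example written for this article (it is not part of the Smart ID Messaging distribution) that cross-checks those references. The embedded sample manifests are constructed for the example and only mirror the shape of the files above with placeholder values; the sample Secret is deliberately named hermod-secret and carries only DB_URI while the deployment reads three keys from hermod-secret-test-postgres, so running the script without arguments reports three dangling references. With PyYAML installed, pass your real yml files as arguments instead.

```python
"""Cross-check Kubernetes manifests for dangling references before kubectl apply.

Added example for this article, not part of the Smart ID Messaging (Hermod) distribution.
For every Deployment it reports env secretKeyRef/configMapKeyRef entries and
configMap/secret volumes whose source object or key is missing, and probe ports that
no container declares; for every Service, a selector matching no pod template.
PyYAML is imported only when manifest file paths are given on the command line.
"""
import copy
import sys

# Constructed sample mirroring the shapes of this article's manifests (placeholder values).
# The Secret is deliberately named hermod-secret and carries only DB_URI, while the
# Deployment reads three keys from hermod-secret-test-postgres: three dangling references.
SAMPLE_MANIFESTS = [
    {"kind": "Secret", "metadata": {"name": "hermod-secret", "namespace": "test"},
     "data": {"DB_URI": "<base64>"}},
    {"kind": "ConfigMap", "metadata": {"name": "hermod", "namespace": "test"},
     "data": {"application.yml": "<hermod application.yml>"}},
    {"kind": "List", "items": [{  # kubectl get -o yaml wraps objects like this
        "kind": "Deployment", "metadata": {"name": "hermod", "namespace": "test"},
        "spec": {"template": {"metadata": {"labels": {"app": "hermod"}}, "spec": {
            "containers": [{
                "name": "hermod", "ports": [{"containerPort": 20400}],
                "env": [{"name": k, "valueFrom": {"secretKeyRef": {
                    "name": "hermod-secret-test-postgres", "key": k}}}
                        for k in ("DB_URI", "DB_USERNAME", "DB_PASSWORD")],
                "readinessProbe": {"httpGet": {"path": "/ms", "port": 20400}},
                "volumeMounts": [{"name": "hermod-config", "mountPath": "/home/docker/config"}]}],
            "volumes": [{"name": "hermod-config", "configMap": {"name": "hermod"}}]}}}}]},
    {"kind": "Service", "metadata": {"name": "hermod", "namespace": "test"},
     "spec": {"selector": {"app": "hermod"}, "ports": [{"port": 20400, "targetPort": 20400}]}},
]


def flatten(objs):
    """Expand kind: List wrappers into the objects they contain."""
    out = []
    for o in objs:
        out.extend(flatten(o.get("items", [])) if o.get("kind") == "List" else [o])
    return out


def _keys(obj):
    """Keys a Secret or ConfigMap exposes, whichever of data/stringData/binaryData it uses."""
    return {k for f in ("data", "stringData", "binaryData") for k in (obj.get(f) or {})}


def check_manifests(objs):
    """Return human-readable problems; an empty list means every reference resolves."""
    index = {(o["kind"], o["metadata"].get("namespace", "default"), o["metadata"]["name"]): o
             for o in flatten(objs)}
    deployments = [(k, o) for k, o in index.items() if k[0] == "Deployment"]
    problems = []
    for (_k, ns, dname), dep in deployments:
        pspec = dep["spec"]["template"]["spec"]
        containers = pspec.get("containers", [])
        # Probe ports may be numbers or port names; accept either form.
        declared = {v for c in containers for p in c.get("ports", [])
                    for v in (p.get("containerPort"), p.get("name"))}
        for c in containers:
            where = f"Deployment {ns}/{dname} container {c['name']}"
            for e in c.get("env", []):
                for field, kind in (("secretKeyRef", "Secret"), ("configMapKeyRef", "ConfigMap")):
                    ref = (e.get("valueFrom") or {}).get(field)
                    if not ref or ref.get("optional"):
                        continue
                    src = index.get((kind, ns, ref["name"]))
                    if src is None:
                        problems.append(f"{where}: env {e['name']} references missing "
                                        f"{kind} {ref['name']}")
                    elif ref["key"] not in _keys(src):
                        problems.append(f"{where}: env {e['name']}: key {ref['key']} "
                                        f"not in {kind} {ref['name']}")
            for probe in ("startupProbe", "readinessProbe", "livenessProbe"):
                spec = c.get(probe) or {}
                port = (spec.get("httpGet") or spec.get("tcpSocket") or {}).get("port")
                if port is not None and port not in declared:
                    problems.append(f"{where}: {probe} uses port {port}, not a declared containerPort")
        for v in pspec.get("volumes", []):
            for field, kind, name_key in (("configMap", "ConfigMap", "name"),
                                          ("secret", "Secret", "secretName")):
                src = v.get(field)
                if src and not src.get("optional") and (kind, ns, src[name_key]) not in index:
                    problems.append(f"Deployment {ns}/{dname}: volume {v['name']} references "
                                    f"missing {kind} {src[name_key]}")
    for (kind, ns, sname), svc in index.items():
        sel = (svc.get("spec") or {}).get("selector") or {}
        if kind != "Service" or not sel:
            continue
        labels = [d["spec"]["template"].get("metadata", {}).get("labels", {})
                  for (_k, dns, _n), d in deployments if dns == ns]
        if not any(sel.items() <= lab.items() for lab in labels):
            problems.append(f"Service {ns}/{sname}: selector {sel} matches no Deployment pod template")
    return problems


def sample_with_matching_secret():
    """The sample with the Secret renamed and completed so that every reference resolves."""
    fixed = copy.deepcopy(SAMPLE_MANIFESTS)
    secret = next(o for o in fixed if o["kind"] == "Secret")
    secret["metadata"]["name"] = "hermod-secret-test-postgres"
    secret["data"].update({"DB_USERNAME": "<base64>", "DB_PASSWORD": "<base64>"})
    return fixed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML, needed only to read real manifest files
        docs = [d for path in sys.argv[1:] for d in yaml.safe_load_all(open(path))]
    else:
        docs = SAMPLE_MANIFESTS
    found = check_manifests(docs)
    print("\n".join(found) if found else "all references resolve")
    sys.exit(1 if found else 0)
```

Run it as python check_refs.py hermod-secret.yml hermod-configuration.yml hermod-deployment.yml hermod-service.yml; a non-zero exit code means at least one reference would fail at pod start (Kubernetes reports such cases as CreateContainerConfigError) or at traffic time (a service selecting no pods). The check is deliberately static and namespace-aware, so objects that already exist in the cluster but are not in the files are reported too; include them in the argument list if they are managed elsewhere.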