Document toolboxDocument toolbox

Deploy Hermod 4.x on Kubernetes

This article includes updates for Hermod 4.0.4.

This article describes how to deploy a Hermod image on Kubernetes.

Prerequisites for Hermod deployment

  • A Kubernetes service subscription where you must create and deploy Hermod

  • A public DNS name which devices can reach

  • Matching certificates for the public address

  • An installed/deployed instance of an SQL server, for example, PostgreSQL, Microsoft SQL Server, Maria DB, or Oracle

Step-by-step instruction

Download the Hermod docker image and file structure

  1. Sign in to Nexus Support portal.

  2. Go to Nexus Smart ID Clients (Personal and Hermod) > Smart ID Messaging  and select a Hermod version to download the *.zip file. 

  3. Unpack the *.zip file.

  4. Open the extracted folder, for example, 4.x.y.RELEASE. 
    The folder contains the Hermod installation file and a simple-setup file to set up a default configuration. 

  5. Unpack simple-setup.zip. 

  6. Place the docker image on a location where the Kubernetes cluster can access and pull the image from.

Create the storage yml file

Edit the file hermod-config with the correct values for your environment. It will be used to store Hermod configuration file.

Example: hermod-config.yml

apiVersion: v1 kind: PersistentVolumeClaim metadata: annotations: finalizers: - kubernetes.io/pvc-protection name: hermod-config namespace: test spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: default volumeMode: Filesystem volumeName: hermod-config

Create the Hermod deployment yml file

Edit the file hermod-deployment with the correct values for your environment.

Important! The actual values must match the specific deployment scenarios. The hermod-depoyment code below is only intended as an example. 

Example: hermod-deployment.yml

apiVersion: v1 items: - apiVersion: apps/v1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "2" generation: 3 labels: app: hermod name: hermod namespace: test spec: replicas: 1 revisionHistoryLimit: 2 selector: matchLabels: app: hermod strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 0 type: RollingUpdate template: metadata: labels: app: hermod configmap-version: "1" annotations: prometheus.io/scrape: "true" prometheus.io/scheme: "http" prometheus.io/path: "prometheus" prometheus.io/port: "20400" name: hermod spec: containers: - args: image: nexusgocontainerregistry.azurecr.io/nexus-personal/hermod:4.0.4.RELEASE imagePullPolicy: Always args: - --spring.profiles.active=native - --spring.datasource.url=${DB_URI} - --spring.datasource.username=${DB_USERNAME} - --spring.datasource.password=${DB_PASSWORD} name: hermod ports: - containerPort: 20400 protocol: TCP resources: {} env: - name: JAVA_OPTS value: -Xms256m -Xmx512m -XX:MaxMetaspaceSize=512m -XX:CompressedClassSpaceSize=64m -Xss256k -Xmn8m -XX:InitialCodeCacheSize=4m -XX:ReservedCodeCacheSize=64m -XX:MaxDirectMemorySize=64m - name: DB_URI valueFrom: secretKeyRef: key: DB_URI name: hermod-secret-test-postgres - name: DB_USERNAME valueFrom: secretKeyRef: key: DB_USERNAME name: hermod-secret-test-postgres - name: DB_PASSWORD valueFrom: secretKeyRef: key: DB_PASSWORD name: hermod-secret-test-postgres readinessProbe: httpGet: path: /ms port: 20400 initialDelaySeconds: 20 timeoutSeconds: 5 periodSeconds: 30 securityContext: privileged: false runAsNonRoot: true runAsUser: 1000 terminationMessagePath: /dev/termination-log volumeMounts: - name: hermod-config mountPath: /home/docker/config volumes: - name: hermod-config configMap: name: hermod dnsPolicy: ClusterFirst restartPolicy: Always securityContext: {} terminationGracePeriodSeconds: 30 kind: List metadata: {} resourceVersion: "" selfLink: ""

 

Create the Hermod configuration yml file

Edit the file hermod-configuration with the correct values for your environment.

Important!  The actual values must match the specific deployment scenarios such as configure clientId, public URL, TLS/SSL and url, username, password for the specified database. The code below is only intended as an example. 

Example: hermod-configuration.yml

kind: ConfigMap apiVersion: v1 metadata: name: hermod namespace: test data: application.yml: |- logging: level: org.springframework.context.annotation.AnnotationConfigApplicationContext: ERROR org.springframework.boot.SpringApplication: ERROR org.springframework.cloud.config.client: ERROR org.springframework.web.reactive.function.client.WebClient: TRACE com.netflix: INFO reactor.netty.http.client: TRACE com.nexusgroup: TRACE com.relayrides: INFO org.mongodb.driver: TRACE com.nexusgroup.plugout.message.server.filters.VersionHttpFilter: ERROR com.nexusgroup.cod.hermod.service.MessagePlugoutService: ERROR org.hibernate.stat: DEBUG #org.apache.http: TRACE pattern: console: "%d{yyyy-MM-dd}T%d{HH:mm:ss.SSS}Z ${LOG_LEVEL_PATTERN:- %5p} [%t] %-40.40logger{39} [%mdc] : %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}" server: servlet: context-path: / error: include-message: always include-binding-errors: never include-stacktrace: never include-exception: false springdoc: override-with-generic-response: false api-docs: enabled: false swagger-ui: enabled: false spring: jpa: properties: hibernate: show-sql: false format-sql: true generate-statistics: false hibernate: ddl-auto: validate cloud: kubernetes: reload: enabled: true management: info: env: enabled: true endpoints: web: exposure: include: health, info, refresh, prometheus endpoint: prometheus: enabled: true application: rest: client: keep-a-live-timeout: -1 connection-timeout: 8 hermod: scheduler: exec: threads: 100 rest: uribase: hide-exceptions: false # Hide sensitive/long data in event logs? events: hide-sensitive: true allowed-clients: # X-Api-Key: aGVybW9kLXRlc3QtY2xpZW50Ojc5YjY1NzUwODc3NzQwOGJhNDA2ZjM1NDNjYTg3ZmFkYjc0MmNmNmM3NjEzNDc0MTg5ZGJlZjI5NWEyNTIzMmM= - client-id: hermod-test-client key: 56UGzk8qZm67YDhkzwuEfpYkLMubram8P9KryXGG9PEa76Xnku5Z6B7c8MKAf66X # Optional username:password to be supplied for basic authentication in callbacks # callback-basic-auth: username:password # The callback URL base for this specific client callback-url: http://hermod:20400 # Message server library settings message-server-library: public-url: https://<my-hermod-server>:20400/ms

Create the Hermod service yml file

Edit the file hermod-service with the correct values for your environment.

Example: hermod-service.yml

apiVersion: v1 items: - apiVersion: v1 kind: Service metadata: labels: app: hermod name: hermod namespace: test spec: ports: - nodePort: 30400 port: 20400 protocol: TCP targetPort: 20400 selector: app: hermod sessionAffinity: None type: NodePort kind: List metadata: {} resourceVersion: "" selfLink: ""

Optional: Create the Hermod database secret YML file

Edit the file hermod-secret with the correct values for your environment.

Example: hermod-secret.yml

apiVersion: v1 data: DB_URI: amRiYzpzcWxzZXJ2ZXI6Ly9uZ2F6LWRldnNxbDAxZC5kYXRhYmFzZS53aW5kb3dzLm5ldDoxNDMzO2RhdGFiYXNlPWhlcm1vZC1kZXY7dXNlcj1oZXJtb2R1c2VyO3Bhc3N3b3JkPWNvZGEhUUFaeHN3MjtlbmNyeXB0PXRydWU7dHJ1c3RTZXJ2ZXJDZXJ0aWZpY2F0ZT1mYWxzZTtob3N0TmFtZUluQ2VydGlmaWNhdGU9Ki5kYXRhYmFzZS53aW5kb3dzLm5ldDtsb2dpblRpbWVvdXQ9MzA7Cg== kind: Secret metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"v1","data":{"DB_URI":"amRiYzpzcWxzZXJ2ZXI6Ly9uZ2F6LWRldnNxbDAxZC5kYXRhYmFzZS53aW5kb3dzLm5ldDoxNDMzO2RhdGFiYXNlPWhlcm1vZC1kZXY7dXNlcj1oZXJtb2R1c2VyO3Bhc3N3b3JkPWNvZGEhUUFaeHN3MjtlbmNyeXB0PXRydWU7dHJ1c3RTZXJ2ZXJDZXJ0aWZpY2F0ZT1mYWxzZTtob3N0TmFtZUluQ2VydGlmaWNhdGU9Ki5kYXRhYmFzZS53aW5kb3dzLm5ldDtsb2dpblRpbWVvdXQ9MzA7Cg=="},"kind":"Secret","metadata":{"annotations":{},"name":"hermod-secret","namespace":"default"}} name: hermod-secret namespace: test type: Opaque

Deploy yml files

You can deploy the yml files on Kubernetes by using the following command:
kubectl --kubeconfig <kubernetes-config> apply -f <file_name>.yml

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions