Installation guide
This guide takes you through installing OpsChain and configuring the administrator user.
Supported Platforms
OpsChain needs a container platform to run. It can be deployed on any of the following container platforms:
- Azure Kubernetes Services (AKS)
- Elastic Kubernetes Services (EKS)
- OpenShift Container Platform
- Self hosted Kubernetes (k8s or k3s) either on bare metal or a VM
The rest of this guide will assume that you are installing OpsChain on a self hosted K3s cluster. Please follow steps outlined in Installing K3s before you continue.
Access to software media and license
You must have acquired a license from LimePoint before you begin to install. If you don't have one, please reach out to your account manager or drop a note on support@limepoint.com As part of license acquisition you would also get credentials to download the installers.
You must have access to the following URLs from your network either directly or via a proxy.
Preparing configuration
Before you proceed please ensure you have a values.yaml file configured. Refer Understanding OpsChain Configuration Variables on how to create one.
Installation
Preparing your environment
To make the installation process more straightforward, let's define some environment variables that are required by the installation script and will be used in subsequent commands.
Matching the configured Kubernetes namespace
Our Helm chart will be deployed in the Kubernetes namespace we pass to Helm's command. To ensure our installation matches the Kubernetes' namespace it is in, we need to use the same value that has been configured in the OPSCHAIN_KUBERNETES_NAMESPACE inside the values.yaml file.
Using the namespace defined in your values.yaml file, we can do the following:
export KUBERNETES_NAMESPACE=your-configured-namespace-name-here
Encoding your licence
To pass your OpsChain licence into Helm, we first need to encode it to base64. To do so, locate where your licence is located at and pass it into the base64 command and store it in an environment variable, like so:
export OPSCHAIN_LICENCE_BASE64=$(base64 your-licence-path.lic)
Install OpsChain
With the supplied OpsChain Helm charts (e.g opschain-0.1.0+edge.tgz), your configured values.yaml and your configured environment variables, we can install OpsChain in the desired namespace by running:
helm upgrade --install opschain ./opschain-0.1.0+edge.tgz --create-namespace -n ${KUBERNETES_NAMESPACE} -f values.yaml --set opschainLicence=${OPSCHAIN_LICENCE_BASE_64} --wait --timeout 30m --insecure-skip-tls-verify
This will start the OpsChain server and its dependent services in separate Kubernetes pods. For more information on these containers see the architecture overview.
The command may take several minutes (upto 30 mins) to start as the OpsChain images are downloaded, especially with slower internet connections.
Do not close or end the shell session while the installation is still ongoing, doing so might render your installation unusable.
The kubectl command can be used to see the installation progress:
kubectl get all -n ${KUBERNETES_NAMESPACE}
While the installation is running, you can move to the next step where we'll set up the OpsChain CLI for interacting with the API.
Install the OpsChain CLI
For the next steps, we recommend switching your kubectl default context to the configured OpsChain namespace. You can achieve that by running:
kubectl config set-context --current --namespace=${KUBERNETES_NAMESPACE}
The OpsChain CLI binary can be downloaded from the opschain repository on GitHub.
Ensure you only download the build that matches your system's distribution. This tutorial will proceed with installing the OpsChain CLI for a Linux distribution.
After downloading the zip file, we can unzip it and make it executable like so:
$ unzip opschain-linux.zip
Archive: opschain-linux.zip
inflating: opschain
$ chmod +x opschain
To validate the CLI is working, run the following:
./opschain help
This should print OpsChain's CLI help guide. If that is not the case, please contact LimePoint support.
We suggest moving the binary to a location in your PATH to ensure it is easily accessible. By doing so, we can run the next commands from anywhere by just calling opschain.
Only proceed to the next steps if your OpsChain instance has been fully deployed and the API is ready. You can verify this by checking the readiness status of the opschain-api deployment:
kubectl get deployments.apps/opschain-api
The API is deployed and ready if the output of that command is:
NAME READY UP-TO-DATE AVAILABLE AGE
opschain-api 1/1 1 1 10m
Creating your first OpsChain user
The OpsChain API server requires a valid username and password for users to interact with its data.
OpsChain supports two authentication modes, but only one can be active at any given moment. See the authentication strategy setting reference for more information.
With that in mind, please ensure you follow the next step only for the currently configured OPSCHAIN_AUTH_STRATEGY variable in your values.yaml.
Please ensure there are no spaces included in the parameters you supply to opschain server utils.
Creating an LDAP authenticated user
To create a user that is authenticated via the configured LDAP, execute:
opschain server utils "create_user[opschain,password]"
Creating a locally authenticated user
To create a user that is authenticated locally in OpsChain, execute:
opschain server utils "create_local_user[opschain,password]"
Providing superuser access to a user
By default, users have permissions according to the authorisation policies assigned to them. OpsChain provides a special superuser policy that can be assigned for users that should not have their access restricted in any circumstance.
To provide superuser access to the newly created opschain user, execute:
opschain server utils "setup_superuser[opschain,true]"
Due to security risks, we strongly recommend keeping the number of users with superuser access as minimal as possible.
Configuring the OpsChain CLI
Create a CLI configuration file in your home directory based on the example:
vi ~/.opschainrc
The apiBaseUrl configuration in ~/.opschainrc must be updated to reflect the external OpsChain API address. This address reflects the OpsChain listening port specified in your values.yaml file in the previous guide. If you accepted the default setting, this will be http://localhost:3000.
If you used a different username and password for the user created in the previous steps, ensure you modify the .opschainrc file to reflect your changes.
Learn more about the opschainrc configuration in the advanced CLI configuration guide.
If you create a .opschainrc file in your current directory, this will be used in precedence to the version in your home directory.
Validating your CLI and API
To validate your CLI has access to the API, you can run the following:
opschain info
If everything is working, the output will look similar to:
┌────────────────┬───────────────────────────────────────────┐
│ CLI version │ 0.0.1 │
├────────────────┼───────────────────────────────────────────┤
│ Server version │ edge (f04a3bf) │
├────────────────┼───────────────────────────────────────────┤
│ Runner image │ limepoint/opschain-runner-enterprise:edge │
└────────────────┴───────────────────────────────────────────┘
Further configuration of the OpsChain CLI
OpsChain has native CLI binaries for Windows, macOS and Linux. See the advanced CLI configuration guide section of our CLI reference guide to download and configure the opschain executable for other operating systems and to have access to more configuration options.
What to do next
- (optional) Configure the OpsChain CLI further to improve your experience when interacting with OpsChain.
- Go to our getting started guide to learn more about OpsChain and familiarise yourself with our GUI and other CLI commands.
- Or skip to our tutorial for understanding the OpsChain structure from which you'll be able to run changes.