Installing Using Kubernetes

Installing BitBroker on Kubernetes, either for cloud or for local development

There are several ways in which you can install BitBroker, depending on what you are trying to achieve.

Are you trying to deploy to a public cloud or to a local environment? Are you wanting to use BitBroker in a production environment, or as a local sandbox, perhaps you are developing data connectors or even trying to enhance BitBroker itself?

In this section, we will cover in detail and step-by-step, all the different ways in which you can install a BitBroker instance using Kubernetes, to help you achieve your goals.

Bootstrapping Fresh Installations

For all Kubernetes installations, you should be aware of the ways in which fresh installations perform certain bootstrap operations.

Bootstrap User

Every fresh installation of BitBroker comes with one preinstalled user (uid: 1). This user is automatically created when the system is bought-up for the first time.

As we will explain below, this user is linked to the authorization of API calls. The user is also important for the up-coming web portal BitBroker control interface.

Bootstrap Coordinator Token

All interactions with BitBroker stem, ultimately, from interactions with the Coordinator API. This is the main administrative API for the whole system. In order to use this API, you need an access token.

Using this API, new users can be created and then promoted to have coordinator status. This results in the production of a new coordinator access token for them. But this act of promotion itself, requires permission. So how can we get started with this circular scenario?

Whenever a fresh system is installed using Kubernetes, a special bootstrap coordinator authorization token is produced. This token is valid for use with the Coordinator API. You can use this token to get going with the process of then creating your own users and giving them coordinator status.

It is possible, but not recommended, to use the bootstrap coordinator token in normal operation. Instead, you should use it to create your own master coordinator user and then utilize their token for further operations.

The bootstrap coordinator token is a different (longer) format, to normal coordinator tokens.

The detailed install steps below, will contain more information about how to extract and use this bootstrap token.

In all the sample calls below, we use a placeholder value for the bootstrap token. Enter your bootstrap coordinator token into the box below, in order to update the sample calls with your install details:

Your Bootstrap Coordinator Authorization Token

Cloud Kubernetes Installation

In the section, we will explore how to you can use our pre-prepared Helm charts to install a complete BitBroker instance into your cloud of choice. These charts will be downloaded directly from Docker Hub.

This section assumes you are familiar with Kubernetes and Helm. If you are new to these technologies, we advise that you become familiar with them first, before trying out the steps outlined below.

This type of deployment will give you full access to the complete BitBroker feature set, including full policy enforcement. The system will be accessible to anyone to whom you grant access.

In all the sample calls below, we use the placeholder text https://your-cloud-host for the host base URL. Enter your cloud host base URL into the box below, in order to update the sample calls with your install details:

Your Cloud Host Base URL

Prerequisites

Start with a clean machine, with no remnants of previous BitBroker installations. Please ensure you have the following software installed, configured and operational:

Kubernetes command line tools
Helm command line tools
cURL command line tool (used for testing installs only)

Create a brand new directory to act as a workspace for your installation:

mkdir bbk
cd bbk

Make sure that your current Kubernetes context is pointing at your cloud of choice:

kubectl config get-contexts

Installation

First, let’s prepare the context we want to install:

helm repo add bit-broker https://bit-broker.github.io/charts
JWKS=$(docker run bbkr/auth-service:latest npm run --silent create-jwks)
kubectl apply -f https://app.getambassador.io/yaml/emissary/2.2.2/emissary-crds.yaml

Next, let’s extract and save the default chart values:

helm show values bit-broker/bit-broker > values.yaml

Next update values.yaml with your required values:

Value	Description
`global.portal.host`	Your base DNS host
`global.gateway.certificateIssuer`	Set to `true` for automatic certificates with Let’s Encrypt
`global.gateway.tlsSecret`	if `certificateIssuer` is false, setup your own secret here

Now we are ready to run the cloud installation with the selected values:

helm install --values values.yaml \
             --create-namespace bit-broker \
             --set bbk-auth-service.JWKS=$JWKS \
             --namespace bit-broker \
               bit-broker/bit-broker

This step takes a few moments to complete. After it has finished, you will see a series of notes which discuss some key points about your installation. The sections on JWKS, Auth Service and Rate Service are for advanced use cases, and you can ignore these for now.

It can take a few moments for the system to come into existence and for it to complete its initialization steps. You can test that the system is up-and-ready, by the using this command:

if [ $(curl --max-time 5 --write-out '%{http_code}' --silent --head --output /dev/null https://your-cloud-host/coordinator/v1) == "401" ]; then echo "Ready"; else echo "Not Ready"; fi;

This will output Not Ready until all the servers are up, after which it will output Ready. Keep trying this command until it signals it’s OK to proceed.

Installing a DNS Alias

If you want to add an alias to this installation into your DNS record, then you need to first get the service load balancer address:

kubectl get svc --no-headers -o custom-columns=":status.loadBalancer.ingress[0].hostname" --selector=app.kubernetes.io/name=bbk-emissary-ingress -n bit-broker | head -1

Then you can use this to add an ALIAS into your DNS record. Depending on the domain and the registrar, the procedure and naming terminology will be different. Here is an example procedure for AWS’s Route 53.

Bootstrap Coordinator Token

A key thing to note in the results output, is the section which says: “Here is how to get the Coordinator token”. Extracting and recording this token is a vital step to proceed with the install. This is the bootstrap coordinator token, which we outlined earlier in this document.

As the results output states, you can get hold of this bootstrap coordinator token as follows:

kubectl exec $(kubectl get pods --no-headers -o custom-columns=":metadata.name" --selector=app=bit-broker-bbk-auth-service -n bit-broker | head -1) -n bit-broker -c auth-service -- npm run sign-token coordinator $(kubectl get secret --namespace bit-broker bit-broker-bbk-admin-jti -o jsonpath="{.data.ADMIN_JTI}" | base64 --decode)

This is a long command and it will take a few seconds to complete. It will output the token, which will be in the format of a long string. Copy this token and store in a secure location. Be careful if sharing this token, as it has full rights to the entire Coordinator API.

Testing Your Installation

If everything worked as expected, the BitBroker API servers will be up-and-running in your cloud waiting for calls. You can test this by using the sample call below:

curl https://your-cloud-host/coordinator/v1 \
     --header "x-bbk-auth-token: bootstrap-token-goes-here"

The base end-points of all the three API servers respond with a small announcement:

{
    "now": "2022-06-16T10:44:53.970Z",
    "name": "bit-broker coordinator service",
    "base": "https://your-cloud-host/coordinator/v1",
    "status": "production"
}

Like all BitBroker API end-points, these require a working authorization to be in place. Hence, this announcement can be used for testing or verification purposes.

Uninstallation

If you want to completely uninstall this instance of BitBroker, you should follow these steps:

helm uninstall bit-broker -n bit-broker
kubectl delete -f https://app.getambassador.io/yaml/emissary/2.2.2/emissary-crds.yaml
kubectl delete namespace bit-broker
helm repo remove bit-broker
docker ps -a | grep "bbkr/" | awk '{print $1}' | xargs docker rm
rm values_local.*

This will remove all the key elements which were created as part of the installation. If you want to go further and clear out all the images which were downloaded too, use the following:

docker images -a | grep "bbkr/" | awk '{print $3}' | uniq | xargs docker rmi

Local Kubernetes Installation

In the section, we will explore how to you can use our pre-prepared Helm charts to install a complete BitBroker instance on your local machine. These charts will be downloaded directly from Docker Hub.

This type of install is suitable for development purposes only.

This section assumes you are familiar with Kubernetes and Helm. If you are new to these technologies, we advise that you become familiar with them first, before trying out the steps outlined below.

This type of deployment will give you full access to the complete BitBroker feature set, including full policy enforcement. But the system will only be available on your local machine.

This section assumes have already installed Kubernetes and Helm command line tools. It also assumes you have installed and are running Docker Desktop.

Prerequisites

Start with a clean machine, with no remnants of previous BitBroker installations. Please ensure you have the following software installed, configured and operational:

Kubernetes command line tools
Helm command line tools
Docker Desktop
cURL command line tool (used for testing installs only)

Before starting, make sure that Kubernetes is enabled within Docker Desktop. Settings » Kubernetes » Enable Kubernetes.

Before starting, make sure that you don’t have any other service listening on port 80 of your localhost.

Create a brand new directory to act as a workspace for your installation:

mkdir bbk
cd bbk

Make sure that your current Kubernetes context is docker-desktop:

kubectl config get-contexts
kubectl config use-context docker-desktop

Installation

First, let’s prepare the context we want to install:

helm repo add bit-broker https://bit-broker.github.io/charts
JWKS=$(docker run bbkr/auth-service:latest npm run --silent create-jwks)
kubectl apply -f https://app.getambassador.io/yaml/emissary/2.2.2/emissary-crds.yaml

Our pre-prepared Helm charts are, by default, configured for production, cloud environments. However, here we want to install to localhost only. So we need to make some modifications to the default chart to cater for this:

helm show values bit-broker/bit-broker > values_local.yaml
sed -e 's/gateway[ ]*:/gateway: {}/g' \
    -e 's/acmeProvider/# acmeProvider/g' \
    -e 's/certificateIssuer/# certificateIssuer/g' \
    -e 's/#[ ]*host:[ ]*"https:\/\/bit-broker.io"/host: "http:\/\/localhost"/g' \
    -i '_old' \
    values_local.yaml

Now we are ready to run the local installation:

helm install --values values_local.yaml \
             --create-namespace bit-broker \
             --set bbk-auth-service.JWKS=$JWKS \
             --namespace bit-broker \
               bit-broker/bit-broker

It can take a few moments for the system to come into existence and for it to complete its initialization steps. You can test that the system is up-and-ready, by the using this command:

if [ $(curl --max-time 5 --write-out '%{http_code}' --silent --head --output /dev/null http://localhost/coordinator/v1) == "401" ]; then echo "Ready"; else echo "Not Ready"; fi;

This will output Not Ready until all the servers are up, after which it will output Ready. Keep trying this command until it signals it’s OK to proceed.

Bootstrap Coordinator Token

As the results output states, you can get hold of this bootstrap coordinator token as follows:

kubectl exec $(kubectl get pods --no-headers -o custom-columns=":metadata.name" --selector=app=bit-broker-bbk-auth-service -n bit-broker | head -1) -n bit-broker -c auth-service -- npm run sign-token coordinator $(kubectl get secret --namespace bit-broker bit-broker-bbk-admin-jti -o jsonpath="{.data.ADMIN_JTI}" | base64 --decode)

Testing Your Installation

If everything worked as expected, the BitBroker API servers will be up-and-running on localhost waiting for calls. You can test this by using the sample call below:

curl http://localhost/coordinator/v1 \
     --header "x-bbk-auth-token: bootstrap-token-goes-here"

The base end-points of all the three API servers respond with a small announcement:

{
    "now": "2022-06-16T10:44:53.970Z",
    "name": "bit-broker coordinator service",
    "base": "http://localhost/coordinator/v1",
    "status": "production"
}

Like all BitBroker API end-points, these require a working authorization to be in place. Hence, this announcement can be used for testing or verification purposes.

Uninstallation

If you want to completely uninstall this instance of BitBroker, you should follow these steps:

helm uninstall bit-broker -n bit-broker
kubectl delete -f https://app.getambassador.io/yaml/emissary/2.2.2/emissary-crds.yaml
kubectl delete namespace bit-broker
helm repo remove bit-broker
docker ps -a | grep "bbkr/" | awk '{print $1}' | xargs docker rm
rm values_local.*

This will remove all the key elements which were created as part of the installation. If you want to go further and clear out all the images which were downloaded too, use the following:

docker images -a | grep "bbkr/" | awk '{print $3}' | uniq | xargs docker rmi