This repository contains Helm charts for deploying and managing the Private Data Fabric Tenant Operator on Kubernetes clusters. The Tenant Operator enables the creation and management of tenant environments within your Kubernetes infrastructure.
Before beginning the installation, ensure you have the following:
- Kubernetes Cluster: A running Kubernetes cluster with sufficient permissions
- kubectl: Installed and configured to interact with your Kubernetes cluster
- Helm: Version 3.x or later installed
- Container Registry Access: Access to the container registry containing the required images
- Cluster Admin Privileges: Required for creating cluster-wide resources
All necessary container images can be found in the MapR Technologies Docker Hub repository.
Follow these steps to install and configure the Tenant Operator and related components.
Cert-Manager is required for managing certificates within the cluster.
# Apply Cert-Manager CRDs
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.8.0/cert-manager.crds.yaml
# Add the Jetstack Helm Repository and update
helm repo add jetstack https://charts.jetstack.io
helm repo update
# Install Cert-Manager in the 'cert-manager' namespace
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.8.0Create a PriorityClass to ensure critical pods are scheduled with higher priority.
# Save the following YAML as 'hpe-critical-priorityclass.yaml'
cat <<EOF > hpe-critical-priorityclass.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: hpe-critical
value: 1000000
globalDefault: false
description: "Priority class for critical HPE pods"
EOF
# Apply the PriorityClass
kubectl apply -f hpe-critical-priorityclass.yamlInstall the registry certificate on all cluster nodes according to your internal security procedures.
Note: The exact steps for this will vary depending on your specific environment. Refer to your internal documentation for guidance.
Install the Tenant Operator using Helm:
helm install tenant-operator tenant-operator-chart/ \
-n hpe-df-tenant \
--create-namespace \
-f tenant-operator-chart/values.yamlYou can customize the installation by modifying the values.yaml file or providing override values with the --set flag.
Run the external secret generation script on a cluster node:
# Execute the script from the repository root
./gen-external-secrets.shThis script generates the necessary external secrets for cluster communication.
# Create the namespace for external cluster information
kubectl create namespace hpe-externalclusterinfo
# Apply the generated external secrets
kubectl apply -f /tmp/mapr-external-secrets.yaml# Create the hpe-secure namespace
kubectl create namespace hpe-secure
# Create LDAP ConfigMap (replace with your actual LDAP configuration)
cat <<EOF > ldapclient-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: ldapclient-cm
namespace: hpe-secure
annotations:
kubectl.kubernetes.io/last-applied-configuration: "{}"
data:
ldap.conf: |
BASE http://example.com
URI test
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT allow
SASL_NOCANON on
EOF
# Apply the ConfigMap
kubectl apply -f ldapclient-cm.yamlCreate a secret for pulling container images in the tenant namespace:
# Replace <your-base64-encoded-docker-config> with your actual encoded docker config
cat <<EOF > imagepull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: imagepull
namespace: sampletenant
labels:
hpe.com/cluster: none
hpe.com/component: imagepull
hpe.com/namespacetype: Tenant
hpe.com/tenant: sampletenant
hpe.com/version: 7.0.0
data:
.dockerconfigjson: "<your-base64-encoded-docker-config>"
type: kubernetes.io/dockerconfigjson
EOF
# Apply the secret
kubectl apply -f imagepull-secret.yamlTo generate the base64-encoded docker config:
# Login to your Docker registry
docker login <your-registry>
# Encode the Docker config file
cat ~/.docker/config.json | base64 -w 0# Create the ClusterRole for PV operations
cat <<EOF > hpe-pvcreate-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: hpe-pvcreate
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create", "delete", "get", "list", "watch"]
EOF
# Apply the ClusterRole
kubectl apply -f hpe-pvcreate-clusterrole.yamlDeploy a tenant using the provided example configuration:
kubectl apply -f tenant-crs/external-full.yamlYou should customize the tenant configuration according to your requirements before applying it.
Modify the tenant roles to include necessary permissions:
# Example: Add PV permissions to the tenant role
kubectl edit role hpe-sampletenant-role -n sampletenantAdd the following rules to the role:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets", "pods", "configmaps"]
verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]You can run Spark applications using one of two authentication methods:
Navigate to the tenant CLI pod and execute the bundled script:
./ticketcreator.shThis script generates a Kubernetes secret containing the authentication ticket.
/opt/mapr/spark/spark-3.5.1/bin/spark-shell \
--master k8s://https://<kubernetes-controller-host>:6443 \
--conf spark.executor.instances=2 \
--conf spark.mapr.user.secret=<generated-secret-name> \
--conf spark.kubernetes.container.image=<spark-image> \
--conf spark.kubernetes.namespace=<tenant-namespace> \
--conf spark.kubernetes.container.image.pullPolicy=Always \
--conf spark.mapr.cluster.configMap=cluster-cm \
--conf spark.authenticate=false \
--conf spark.authenticate.enableSaslEncryption=false \
--conf spark.kubernetes.authenticate.driver.serviceAccountName=hpe-<tenant-namespace>Replace the following placeholders:
<kubernetes-controller-host>: The hostname or IP address of your Kubernetes controller<generated-secret-name>: The name of the secret generated by theticketcreator.shscript<spark-image>: The full name of the Spark container image (e.g.,docker.io/maprtech/spark:3.5.1)<tenant-namespace>: The namespace where your tenant is deployed (e.g.,sampletenant)
Use the following curl command to generate your JWT token:
curl -k -d 'client_id=edf-client' \
-d 'client_secret=<your-client-secret>' \
-d 'username=<your-username>' \
-d 'password=<your-password>' \
-d 'grant_type=password' \
'https://<sso-node>:6443/realms/master/protocol/openid-connect/token' | \
jqReplace the placeholder values with your actual authentication information.
# Extract tokens from the JWT response
ACCESS_TOKEN=$(echo $JWT_RESPONSE | jq -r '.access_token')
REFRESH_TOKEN=$(echo $JWT_RESPONSE | jq -r '.refresh_token')
# Create a secret with the tokens
cat <<EOF > jwt-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: <token-secret-name>
namespace: <tenant-namespace>
type: Opaque
data:
CLUSTER_NAME: $(echo -n "<your-cluster-name>" | base64 -w 0)
JWT_REFRESH_TOKEN: $(echo -n "$REFRESH_TOKEN" | base64 -w 0)
JWT_TOKEN: $(echo -n "$ACCESS_TOKEN" | base64 -w 0)
EOF
# Apply the secret
kubectl apply -f jwt-secret.yaml/opt/mapr/spark/spark-3.5.1/bin/spark-shell \
--master k8s://https://<kubernetes-controller-host>:6443 \
--conf spark.executor.instances=2 \
--conf spark.mapr.jwt.secret=<token-secret-name> \
--conf spark.kubernetes.container.image=<spark-image> \
--conf spark.kubernetes.namespace=<tenant-namespace> \
--conf spark.kubernetes.container.image.pullPolicy=Always \
--conf spark.mapr.cluster.configMap=cluster-cm \
--conf spark.authenticate=false \
--conf spark.authenticate.enableSaslEncryption=false \
--conf spark.kubernetes.authenticate.driver.serviceAccountName=<tenant-namespace>Replace the following placeholders:
<kubernetes-controller-host>: The hostname or IP address of your Kubernetes controller<token-secret-name>: The name of the secret containing your JWT tokens<spark-image>: The full name of the Spark container image<tenant-namespace>: The namespace where your tenant is deployed