Overview

Inrupt ESS is provided as a set of container images deployed via descriptive, infrastructure-as-code configuration files. The general steps are to set up a kubernetes cluster (or access an existing one), integrate customer configuration parameters into .yaml deployment descriptions, and finally deploy via the .yaml descriptions.

kubernetes

If you are not using an existing kubernetes cluster, create a new cluster on OCI via your preferred method, Terraform/OCI command line, OCI console, etc. The ‘Quick Create’ option using the OCI Console will work fine for this situation, creating a node pool, networking components and everything else that is needed for a basic kubernetes cluster. Refer to OCI documentation at https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengcreatingclusterusingoke.htm if needed.

You will need a management and control box in OCI to host the configuration, control and deployment. I use an Oracle Linux 9 instance, but any box that can run kubectl and docker/podman should work fine. The management machine could be external to OCI if you make the kubernetes cluster accessible via a public subnet or ssh tunnel. Also note that OCI Cloud Shell is available to run kubectl.
To install kubectl, refer to the kubernetes documentation at https://kubernetes.io/docs/tasks/tools/ . kubectl is available for Linux, macOS and Windows.

kubernetes Required Features

The cluster will need an ingress controller and a certificate manager.

Ingress Controller

Any ingress controller will work. The easiest choice is likely the kubernetes NGINX ingress controller. The kubernetes ingress-nginx project on GitHub provides an OCI specific deployment descriptor that can be deployed via:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml

(1.5.1 is the current version at the time of this writing)

After the ingress controller is created, set it as the default ingress controller for the cluster by applying the following piece of yaml:

apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
  name: nginx
  annotations:
    ingressclass.kubernetes.io/is-default-class: "true"
spec:
  controller: k8s.io/ingress-nginx

Find the external IP address of the ingress controller (for example “kubectl get service -A”) and add entries to your /etc/hosts or DNS server to set the ESS DNS names to resolve to that address.

Certificate Management Controller

Use the standard cert-manager:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml

(1.11.0 is the current version at the time of this writing)
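
Both "kubectl apply -f <URL>" steps above (ingress controller and cert-manager) apply a remotely hosted manifest directly to the cluster. The following is an added example, not part of the original article or of either project: a small shell wrapper that downloads the manifest, compares it to a SHA-256 digest you recorded after reviewing that version, and applies only the verified local copy. The function names and the digest placeholders are assumptions.

```shell
# Added example; function names and digest placeholders are assumptions.

# Print the SHA-256 of a file as bare hex.
manifest_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file exists and its digest equals the pinned value.
# An empty pinned value is rejected so a missing digest fails closed.
verify_manifest() {
  [ -n "$2" ] || { echo "no pinned digest given for $1" >&2; return 2; }
  [ -f "$1" ] || { echo "missing manifest: $1" >&2; return 2; }
  actual=$(manifest_sha256 "$1")
  if [ "$actual" != "$2" ]; then
    echo "digest mismatch for $1: got $actual, pinned $2" >&2
    return 1
  fi
}

# Download over HTTPS, verify, then apply the verified local copy
# (not the URL again, so what was checked is what gets applied).
apply_pinned() {
  tmp=$(mktemp) || return 2
  rc=1
  if curl -fsSL --proto '=https' -o "$tmp" "$1" && verify_manifest "$tmp" "$2"; then
    kubectl apply -f "$tmp" && rc=0
  else
    echo "refusing to apply $1" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage, with the URLs from this page. Record each digest once, after
# downloading and reviewing the file, and keep it with your deployment notes:
#   apply_pinned https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.5.1/deploy/static/provider/cloud/deploy.yaml '<PINNED_SHA256_INGRESS_NGINX>'
#   apply_pinned https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.yaml '<PINNED_SHA256_CERT_MANAGER>'
```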

ESS Configuration & Deployment

The ESS product consists of a set of services assembled into a kubernetes deployment. Template configurations are provided and run through kustomize, incorporating site specific configuration parameters. Follow the process detailed in the Inrupt installation guide, https://docs.inrupt.com/ess/latest/installation/ .

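Note: if you are using podman instead of Docker to run the kustomizer container used to retrieve the initial template, it will fail due to podman rootless containers. Add the Z flag to the volume mount to redo the SELinux label on the directory mount inside the container, as demonstrated in the following command. Z relabels the host directory as private to that container, so mount a dedicated directory such as ${HOME}/ess rather than ${HOME} itself.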

podman run -it -v ${HOME}/ess:/kustomize:Z docker.software.inrupt.com/inrupt-kustomizer:2.0

(refer to https://www.redhat.com/sysadmin/user-namespaces-selinux-rootless-containers for more details on podman, rootless containers, SELinux and disklabels).

Accessing ESS

Access ESS at https://start.{ESS DOMAIN}/ in a browser as described at the end of the Inrupt installation document.