Currents depends on several third-party services that are not bundled with the Helm chart. You are responsible for allocating resources, installing, and maintaining these services. During the installation process, you’ll need to provide credentials so Currents can configure these services as needed.
We provide a quick reference of how to create those services for your convenience. The documented configuration for the connected stateful services (mongo, clickhouse) are not definitive, and may not be adequate for all production setups.
This will setup a 2-node Mongo Cluster, with each being 10Gb available for storage size.
helm install community-operator community-operator --repo https://mongodb.github.io/helm-charts
kubectl create secret generic mongo-admin-password --from-literal=password=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32)
kubectl create secret generic mongo-currents-password --from-literal=password=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32)
Create the MongoDB Databases Resources file to apply
mongodb-community-resources.yaml
apiVersion: mongodbcommunity.mongodb.com/v1
kind: MongoDBCommunity
metadata:
name: mongodb
spec:
members: 2
type: ReplicaSet
version: "7.0.17"
security:
authentication:
modes: ["SCRAM"]
users:
- name: cluster-admin
db: admin
passwordSecretRef: # a reference to the secret that will be used to generate the user's password
name: mongo-admin-password
roles:
- name: clusterAdmin
db: admin
- name: userAdminAnyDatabase
db: admin
- name: dbAdminAnyDatabase
db: admin
scramCredentialsSecretName: admin-scram
- name: currents-user
db: currents
passwordSecretRef: # a reference to the secret that will be used to generate the user's password
name: mongo-currents-password
roles:
- name: dbOwner
db: currents
scramCredentialsSecretName: currents-scram
additionalMongodConfig:
storage.wiredTiger.engineConfig.journalCompressor: zlib
Apply the MongoDBCommunity Resource to create the Database
kubectl apply -f mongodb-community-resources.yaml
For ClickHouse there are several production support options:
For this guide we are going to install the open-source Altinity Kubernetes Operator for ClickHouse
Advanced configuration available at: (docs: https://github.com/Altinity/helm-charts/blob/main/charts/clickhouse/README.md )
This will setup a 1-node 1-shard ClickHouse Replicated Server (10Gb Storage)
kubectl create secret generic clickhouse-default-pass --from-literal=password=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32)
kubectl create secret generic clickhouse-currents-pass --from-literal=password=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32)
helm install clickhouse-operator altinity-clickhouse-operator --repo https://docs.altinity.com/clickhouse-operator
helm install clickhouse clickhouse --repo https://helm.altinity.com \
--set=clickhouse.defaultUser.password_secret_name=clickhouse-default-pass \
--set-json='clickhouse.users=[{"name":"currents","password_secret_name":"clickhouse-currents-pass"}]' \
--set operator.enabled=false
Follow this step if you plan to use provider (S3, Cloudflare) object storage (recommended).
Ensure you have created an Object Storage bucket for Currents in your provider.
If using S3, you can choose to setup IAM permissions for the Currents service account. If so, you can skip the rest of these steps, and setup the IAM access after installing the Helm chart.
AWS_ACCESS_KEY_ID=<replace-with-access-key-id>
AWS_SECRET_ACCESS_KEY=<replace-with-secret-access-key>
kubectl create secret generic currents-storage-user --from-literal=apiId=$AWS_ACCESS_KEY_ID --from-literal=keySecret=$AWS_SECRET_ACCESS_KEY
currents-storage-user and your Object Storage bucket later in these instructions.Install Minio if you don’t have access to an Object Storage provider (S3, Cloudflare). You will need an additional subdomain for Minio.
Creates a single Pod instance of Minio with 10Gb of storage.
helm install minio-operator operator \
--repo https://operator.min.io/ \
--set operator.env\[0\].name=WATCHED_NAMESPACE \
--set operator.env\[0\].value=currents \
--set operator.replicaCount=1
printf 'export MINIO_ROOT_USER="%s"\nexport MINIO_ROOT_PASSWORD="%s"\n' $(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | LC_ALL=C tr -dc 'a-zA-Z0-[B9' | head -c 32) $(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32) > minio-config.env
kubectl create secret generic currents-minio-env-configuration --from-file=config.env=minio-config.env
kubectl create secret generic currents-minio-user --from-literal=CONSOLE_ACCESS_KEY=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c 32) --from-literal=CONSOLE_SECRET_KEY=$(head -c 512 /dev/urandom | LC_ALL=C tr -cd 'a-zA-Z0-9' | head -c 32)
Create a Minio Tenant Values file
minio-tenant-helm-config.yaml
tenant:
name: currents-minio
configSecret:
name: currents-minio-env-configuration
existingSecret: true
accessKey: null
secretKey: null
pools:
- servers: 1
name: pool-0
volumesPerServer: 1
size: 10Gi
storageAnnotations: { }
storageLabels: { }
annotations: { }
labels: { }
tolerations: [ ]
nodeSelector: { }
affinity: { }
resources: { }
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
topologySpreadConstraints: [ ]
buckets:
- name: currents
users:
- name: currents-minio-user
helm install minio-tenant tenant --repo https://operator.min.io/ -f minio-tenant-helm-config.yaml
Create an Ingress Resource to expose the Minio S3 api
Be sure to customize the following:
alb.ingress.kubernetes.io/certificate-arnspec.ingressClassNamespec.rules.hostfile: minio-eks-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-minio
annotations:
# Set to 'internet-facing' to expose to the public
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/group.name: currents
# Set the ARN a resource managed by aws certificate manager, that matches the DNS host
alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:"
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTPS
alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
alb.ingress.kubernetes.io/success-codes: '200,403'
spec:
ingressClassName: alb-currents
rules:
# Set the storage DNS name
- host: storage.eks.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio
port:
number: 443
kubectl apply -f minio-eks-ingress.yaml
For sending outgoing emails like Automated reports.
SMTP_USERNAME=<replace-with-smtp-username>
SMTP_PASSWORD=<replace-with-smtp-password>
kubectl create secret generic currents-email-smtp --from-literal=username=$SMTP_USERNAME --from-literal=password=$SMTP_PASSWORD
currents-email-smtp and your SMTP host later in these instructions.openssl genrsa -out gitlab-key.pem 2048
kubectl create secret generic currents-gitlab-key --from-file=gitlab-key.pem
currents-gitlab-key later in these instructions.