Kubernetes deployment preparation

A minimal Siren Investigate deployment consists of the following:

  • Secrets containing the Investigate configuration file, certificates, and keys.

  • A StatefulSet to run the Investigate containers.

  • A service to load balance the Investigate containers in the StatefulSet.

Before you store secrets on the Kubernetes cluster, make sure your cluster is configured to effectively encrypt them. For more information, see the Kubernetes documentation and the documentation of your cluster provider.

Creating the configuration file

  1. On the machine where you have kubectl installed, create a directory named investigate.

  2. Optional: If you want to deploy Investigate to a specific namespace, create the namespace with kubectl create namespace <name>, for example:

    kubectl create namespace siren

  3. In the investigate directory, create a file named investigate.yml and add the following content to the file:

    # Listen on all IP addresses
    server.host: "0.0.0.0"
    
    # Disable SSL on Investigate (see the documentation to enable TLS between the ingress and Investigate)
    server.ssl.enabled: false
    
    # Set to the URL of your Elasticsearch cluster including the port
    elasticsearch.url: "https://siren-es-http:9200"
    
    # To completely disable verification of the Elasticsearch cluster certificate, set to "none".
    # With "none", Investigate accepts any certificate presented on the Elasticsearch connection.
    #
    # If your cluster is using a public CA, for example if it's hosted on Elastic Cloud, set the verification mode to "full".
    #
    # If your cluster is using a private CA, set the verification mode to "certificate"
    # and set elasticsearch.ssl.certificateAuthorities to the path of a file containing the CA certificate chain.
    elasticsearch.ssl.verificationMode: none
    
    elasticsearch.username: "sirenserver"
    
    # Specify the password of the sirenserver user
    elasticsearch.password: "password"
    
    kibana.defaultAppId: "dashboard"
    
    investigate_access_control:
      enabled: true
      acl:
        enabled: true
      admin_role: investigate_admin
      cookie:
        name: 'kac'
        # This password is used to encrypt the session cookie. Make sure to customize it.
        password: '7vGx4(hLwNur19trqYZkSnOvT$U@*o9r'
        # Change to true when exposing Investigate to the Internet using TLS
        secure: false
      backend: xpack
    
    siren_scripting:
      enabled: true
      browserApiWhitelist:
        - 'Math'
        - 'setTimeout'
        - 'clearInterval'
        - 'setInterval'
        - 'document.getElementById'
      librariesWhitelist:
        - 'lodash'
        - 'EUI'
        - 'React'

  4. Customize the following parameters:

    • elasticsearch.url: the URL of the Elasticsearch cluster, including the port.

    • elasticsearch.password: the password of the sirenserver user.

    • investigate_access_control.cookie.password: a 32-character ASCII key used to encrypt cookies.

  5. Upload the configuration file as a secret named investigate-config, for example:

    kubectl -n siren create secret generic investigate-config --from-file=investigate.yml=investigate.yml

    You can use the same command to create additional secrets referenced in your Investigate configuration file, such as TLS certificates and keys.
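Before uploading, the file can be checked for the sample values that step 4 says to customize. The following script is an added example, not part of the Siren documentation; the function names and finding labels are assumptions, and the parsing only covers the "key: value" layout of the file shown above.

```shell
#!/bin/sh
# Added example: pre-upload check for investigate.yml. Function names and
# finding labels are hypothetical, not part of Siren Investigate or kubectl.

# Sample values printed in the documentation, so they are publicly known.
DOC_ES_PASSWORD='password'
DOC_COOKIE_KEY='7vGx4(hLwNur19trqYZkSnOvT$U@*o9r'

# 24 random bytes encode to exactly 32 base64 (ASCII) characters.
gen_cookie_key() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Print the value of the first "key: value" line whose key matches regex $1
# in file $2, with surrounding quotes removed.
yaml_value() {
  grep -E -m1 "^$1:" "$2" | sed -E "s/^[^:]*:[[:space:]]*//; s/^[\"'](.*)[\"']\$/\1/"
}

# Print one finding per line; exit status is 0 only when there are none.
lint_investigate_config() {
  f=$1; n=0
  es_pw=$(yaml_value 'elasticsearch\.password' "$f")
  mode=$(yaml_value 'elasticsearch\.ssl\.verificationMode' "$f")
  key=$(yaml_value '[[:space:]]+password' "$f")    # indented: cookie.password
  secure=$(yaml_value '[[:space:]]+secure' "$f")   # indented: cookie.secure

  # Credentials still set to the published sample values.
  if [ "$es_pw" = "$DOC_ES_PASSWORD" ]; then echo ES_PASSWORD_DEFAULT; n=$((n+1)); fi
  if [ "$key" = "$DOC_COOKIE_KEY" ]; then echo COOKIE_KEY_DEFAULT; n=$((n+1)); fi
  # Step 4 requires a key of exactly 32 characters.
  if [ "${#key}" -ne 32 ]; then echo COOKIE_KEY_LENGTH; n=$((n+1)); fi
  # "none" disables verification of the Elasticsearch certificate.
  if [ "$mode" = "none" ]; then echo ES_CERT_NOT_VERIFIED; n=$((n+1)); fi
  # The cookie should be marked secure once Investigate is served over TLS.
  if [ "$secure" != "true" ]; then echo COOKIE_NOT_SECURE; n=$((n+1)); fi
  [ "$n" -eq 0 ]
}

# Usage: sh lint.sh investigate.yml
[ "$#" -eq 0 ] || lint_investigate_config "$1"
```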

Creating the StatefulSet

  1. Create a file named investigate-set.yaml and add the following content:

    # Headless service for internal resolution.
    apiVersion: v1
    kind: Service
    metadata:
      name: investigate
    spec:
      clusterIP: None
      ports:
      - port: 5606
        name: http
      selector:
        app: investigate
    ---
    # Investigate containers
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: investigate
      labels:
        app: investigate
    spec:
      serviceName: investigate
      replicas: 1
      selector:
        matchLabels:
          app: investigate
      template:
        metadata:
          labels:
            app: investigate
        spec:
          terminationGracePeriodSeconds: 30
          containers:
          - name: investigate
            image: sirensolutions/siren-investigate:12.1.4
            imagePullPolicy: IfNotPresent
            ports:
            - containerPort: 5606
            livenessProbe:
              tcpSocket:
                port: 5606
              initialDelaySeconds: 20
              periodSeconds: 10
            startupProbe:
              tcpSocket:
                port: 5606
              initialDelaySeconds: 20
              periodSeconds: 20
              failureThreshold: 30
            resources:
              limits:
                memory: 6Gi
                cpu: 2
              requests:
                memory: 6Gi
                cpu: 2
            env:
              # The URL of the data cluster. Make sure to set this to the same value as "elasticsearch.url" in the Investigate configuration file.
              - name: ELASTICSEARCH_URL
                value: "https://siren-es-http:9200"
              # Increase this number when you want to force a statefulset upgrade
              # after changing the configuration secret, then apply the statefulset again.
              - name: CONFIG_VERSION
                value: "1"
              - name: INSTANCE_ID
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
            volumeMounts:
            - name: config
              mountPath: /opt/siren-investigate/config/investigate.yml
              readOnly: true
              subPath: investigate.yml
          volumes:
          - name: config
            secret:
              defaultMode: 0644
              secretName: investigate-config

  2. Apply the manifest, for example:

    kubectl -n siren apply -f investigate-set.yaml

  3. After a few minutes, confirm that the StatefulSet is ready:

    kubectl -n siren get statefulset/investigate
    
    NAME          READY   AGE
    investigate   1/1     97s

    You can view the logs of the Investigate pod with the following command:

    kubectl -n siren logs pod/investigate-0

    To test that Investigate is running, forward Investigate to your machine, for example:

    kubectl -n siren port-forward service/investigate 5606

  4. Sign in to http://localhost:5606.

Next step

To see how to change the Investigate configuration and perform version upgrades, see the Maintaining Siren Investigate on Kubernetes section.