Introduction

...

Once the execution is completed in console will see prompt "EALTEdge Environment Installed  in unsecured mode , Components Install MECM and MEC Hosts Successfully"

...

Once the execution is completed in console will see prompt "EALTEdge Environment Installed in secured mode , Components Install MECM and MEC Hosts Successfully"

Other Options:

To Install only MECM Node

** Install in unsecured mode - Dev mode

root@akraino-mec-0002:~# ansible-playbook ealt-all.yml -i ealt-inventory.ini --tags "mecm" --extra-vars "operation=install mode=dev" 

** Install in secured mode

root@akraino-mec-0002:~# ansible-playbook ealt-all.yml -i ealt-inventory.ini --tags "mecm" --extra-vars "operation=install mode=prod" 

To Install only MEC Host
** Install in unsecured mode

root@akraino-mec-0002:~# ansible-playbook ealt-all.yml -i ealt-inventory.ini --tags "mep" --extra-vars "operation=install mode=dev"

** Install in secured mode

root@akraino-mec-0002:~# ansible-playbook ealt-all.yml -i ealt-inventory.ini --tags "mep" --extra-vars "operation=install mode=prod"

...

1. git clone the ealt-edge repo, to download the software to install the EALTEdge Environment.

root@akraino-mec-0002:~# git clone "https://gerrit.akraino.org/r/ealt-edge"

2. go to CLI directory 

root@akraino-mec-0002:~#cd ealt/infra/cli/

root@akraino-mec-0002:~#chmod +x build _cli.sh

root@akraino-mec-0002:~#source build_cli.sh

root@akraino-mec-0002:~#cd ~/ealt-edge/ocd/infra/playbooks

Note: The CLI Commands to setup the environment should be executed only from above path.

3.  Edit the Configuration File : ealt-inventory.ini with the details of MECM and MEC Hosts. 

root@akraino-mec-0002:~#vi ealt-inventory.ini

4. Execute the below command to install EALTEdge Environment 

In non secure mode

root@akraino-mec-0002:~#ealt init all 

or 

root@akraino-mec-0002:~#ealt init all --mode dev

In Secure Mode (TLS Enabled)

root@akraino-mec-0002:~#ealt init all --mode prod

Above command will install the various component. Refer the below table for detail information. 

Other CLI Commands:

Command to Install only MECM Node.

root@akraino-mec-0002:~#ealt init manager

To Install MECM node in Secure Mode

root@akraino-mec-0002:~#ealt init manager -m prod

Command to Install only MEC Host (MEP Node)

root@akraino-mec-0002:~#ealt init edge

or 

root@akraino-mec-0002:~#ealt init edge -m dev

MEC Host in Secure (TLS/HTTPS) Mode

root@akraino-mec-0002:~#ealt init edge -m prod

Following packages will be installed in the cluster in the respective nodes:-

...

export MECMClusterIP='edgegallery.org' #Map the DNS Name to the MECM IP in /etc/hosts file.

Command Supported:-

Application Package Management CLI Commands:

...

root@akraino-mec-0002:~#ealt clean all 
root@akraino-mec-0002:~#ealt clean mecm
root@akraino-mec-0002:~#ealt clean mep

Vault documentation

#Akraino
**This document explains how to generate certificate by using vault and cert manager**
##Cluster Architecture
##Make a cluster
##The Image try to put with reference to our environment, with reference to EALT Edge. Can make a picture where Vault will be running in MEC Host (as Root CA) , ##Cert Manager and Applications (App1, App2)
##1. Add helm repo
```
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault
```
##2. Generate root token and Unseal Key
```
kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=""
```
##Note: Root token we will use when we will login vault pod, Unseal Key and Root token will looks like below ex-
##Unseal Key 1: QcTX47IacKidIjFWSrkGLiQG1fwaqoInEz0SqAZ7rMs=
##Initial Root Token: s.A0SXgscZxbCeJRd1AjsVzvUU

##Generated Unseal key need to put in below command then vault will start running as a pod
```
kubectl exec -ti vault-0 -- vault operator unseal <Unseal Key>
```
##Vault is initialised as a pod
##By using below command can login in vault pod
```
kubectl exec -it vault-0 -- /bin/sh
```
##Vault Initialisation and Configuration Steps
####Once we initialize the vault pod we get unseal key and root token, need to put the root token
```
vault login <root token>
```
##Enable the PKI secrets engine
##By default, the secrets engine will mount at the name of the engine. To enable the secrets engine at a ##different path, use the -path argument.
```
vault secrets enable pki
```
##Keep the value in sync with the comment. 30 days, Increase the TTL by tuning the secrets engine. The default value of 30 days may be too short
```
vault secrets tune -default-lease-ttl=2160h -max-lease-ttl=87600h pki
```
##Configure a CA certificate and private key. It can generate ##its own self-signed root
## ealtedge.com is a your common_name or base url
```
vault write pki/root/generate/internal common_name=ealtedge.com ttl=8760h
```
##Update the CRL location and issuing certificates. These values can be updated in the future.
```
vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
```
##It will allow your domain and subdomain
```
vault write pki/roles/my-role allowed_domains=ealtedge.com allow_subdomains=true max_ttl=8760h
```
##Generate a new credential by writing to the /issue endpoint with the name of the role
##The output will include a dynamically generated private key and certificate which corresponds to the ##given role
##The issuing CA and trust chain is also returned for automation simplicity
```
vault write pki/issue/my-role common_name=www.ealtedge.com
```

####Enabling AppRole in Vault
```
vault auth enable approle
```

##Writing vault policy
```
vault policy write pki-policy -<<EOF
path "pki*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"]}
EOF
```
##Write Auth role
```
vault write auth/approle/role/my-role secret_id_ttl=8760h token_num_uses=0 token_ttl=2160h token_max_ttl=8760h secret_id_num_uses=0 policies=pki-policy
```
##Note:-
##my-role - is the role name
##secret_id_ttl - (Optional) The number of seconds after which any SecretID expires
##token_num_uses - (Optional) The period, if any, in number of seconds to set on the token
##token_ttl - (Optional) The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##token_max_ttl - (Optional) The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
##secret_id_num_uses - (Optional) The number of times any particular SecretID can be used to fetch a token from this AppRole, after which the SecretID will expire. ##A value of zero will allow unlimited uses.

##Read Auth role
##Here it will give you role id which you need to use in vault-approle-issuer.yml
```
vault read auth/approle/role/my-role/role-id
```
##Generate secret id
```
vault write -f auth/approle/role/my-role/secret-id
```
##By using above 2 command role id and secret id you need to pass in below command
```
vault write auth/approle/login role_id=<role-id> secret_id=<secret-id>
```
###########################
##If the command successful then vault configuration and authentication via approle is completed
###########################

##YAML files to be modified
##First execute below yaml file
```
kubectl apply -f cert-manager.yaml
```
##Need to replace with the latest secret id in base64 format by using below command
##Secret id already generate when we are executing vault command, need to use same secret id here
```
echo secret-id | base64
```
##The output of above command has to be replaced in the vault-apply-secret.yml file data.secretId
```
kubectl apply -f vault-apply-secret.yml
```
##No you will get one ip where your vault is running so that ip you can get by using below command
##Copy vault ip from below command
```
kubectl get svc
```
##Now vault ip and role id need to replace in vault-approle-issuer.yml file
##Role id already generated when we are executing vault commands
```
kubectl apply -f vault-approle-issuer.yml
```
##NOTE: spec.vault.server: IP here you need to change vault ip which you will get when u ren 'kubectl get svc'
##spec.vault.auth.roleId this is you need to replace and need to put latest role id which you get in 'vault read auth/approle/role/my-role/role-id'

##Then final we need to execute below yaml file
```
kubectl apply -f vault-cert-certificate.yml
```
#######################################
Certificate generate process completed
#######################################

##Now get ca certificate use below command
```
curl http://10.43.130.35:8200/v1/pki/ca/pem
```
##10.43.130.35 is your vault ip, need to replace with latest vault ip

Image Modified

Kong documentation

...

MECM

...

...