Deploying PingIntelligence in Kubernetes cluster - PingIntelligence for APIs

Deploying PingIntelligence in Kubernetes cluster - PingIntelligence for APIs - 4.4

PingIntelligence

bundle

pingintelligence-44

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 4.4

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-44

pingintelligence

private

ContentType_ce

Page created: 6 Nov 2020 |

Page updated: 12 May 2021

| 3 min read

4.4 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product

Complete the following steps to deploy PingIntelligence in a Kubernetes cluster:

Download PingIntelligence Docker toolkit from the download site.
Untar the docker toolkit by entering the following command.
```
tar -zxf <PingIntelligence Docker toolkit>
```
Build the PingIntelligence docker images by completing the steps mentioned in Build the PingIntelligence Docker images topic.
Navigate to pingidentity/docker-toolkit/examples/kubernetes directory to edit the pi4api-k8s-poc file.

Edit the environment variable in pi4api-k8s-poc file to configure the ASE deployment mode. The values can be inline or sideband. Following is a snippet of the file showing the environment variable.

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: ase
  labels:
    app: ase
spec:
  serviceName: ase-internal-service
  replicas: 1
  selector:
    matchLabels:
      app: ase
  template:
    metadata:
      labels:
        app: ase
    spec:
      terminationGracePeriodSeconds: 60
      securityContext:
        runAsUser: 10001
        fsGroup: 0
      containers:
        - name: ase
          image: pingidentity/ase:4.3
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
              name: management
            - containerPort: 9090
              name: logs
          command:
            - "/bin/bash"
            - "-c"
            - "/opt/pingidentity/ase/entrypoint.sh"
          env:
            - name: TZ
              value: "Etc/UTC"
            - name: MODE
              value: "inline"

            - name: ENABLE_CLUSTER
              value: "true"
            - name: ENABLE_ABS
              value: "true"
            - name: ABS_ENDPOINT
              value: "abs-0.abs-internal-service:8080"
            - name: ABS_ACCESS_KEY
              value: "abs_ak"
            - name: ABS_SECRET_KEY
              value: "abs_sk"

Add ABS and ASE license in the ConfigMaps section of the pi4api-k8s-poc file.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: abs-license
data:
  PingIntelligence.lic: |
    ID=
    Organization=
    Product=PingIntelligence
    Module=ABS
    Version=4.3
    IssueDate=
    EnforcementType=
    ExpirationDate=
    MaxTransactionsPerMonth=
    Tier=
    SignCode=
    Signature=

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ase-license
data:
  PingIntelligence.lic: |
    ID=
    Product=PingIntelligence
    Module=ASE
    Version=4.3
    IssueDate=
    EnforcementType=
    ExpirationDate=
    MaxTransactionsPerMonth=
    Tier=
    SignCode=
    Signature=

Create a namespace.

$ sudo su
# kubectl create namespace pingidentity

Apply the edited pi4api-k8s-poc.yml file to deploy the resources on the Kubernetes cluster.

# kubectl apply -f pi4api-k8s-poc.yml -n pingidentity

daemonset.apps/startup-script created
statefulset.apps/mongo created
statefulset.apps/abs created
statefulset.apps/ase created
statefulset.apps/dashboard created
service/abs-external-service created
service/ase-external-service created
service/dashboard-external-service created
service/mongo-internal-service created
service/abs-internal-service created
service/ase-internal-service created

Verify that the deployment is successful by entering the following command.

# kubectl get pod -n pingidentity
NAME                   READY   STATUS    RESTARTS   AGE
abs-0                  1/1     Running   0          139m
ase-0                  1/1     Running   0          25m
mongo-0                1/1     Running   1          139m
startup-script-5d5d6   1/1     Running   0          119m
dashboard-0            1/1     Running   1          139m

Fetch the IP addresses of ASE, ABS, and Dashboard by entering the following command.

# kubectl get svc -n pingidentity
NAME                      TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                          AGE

abs-external-service      NodePort    10.100.81.119    <none>        8080:31080/TCP,9090:31090/TCP   3m12s
abs-internal-service      ClusterIP   None             <none>        8080/TCP                        3m12s
ase-external-service      NodePort    10.104.103.138   <none>        80:31000/TCP,443:31443/TCP      3m12s
ase-internal-service      ClusterIP   None             <none>        8020/TCP,8010/TCP               3m12s
mongo-internal-service    ClusterIP   None             <none>        27017/TCP                       3m12s
dashboard-external-service   NodePort    10.100.8.48      <none>        443:31030/TCP                3m12s

If you are deploying in the sideband mode, take the NodePort IP address of ASE to use in API gateway integration.