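Background
Containerized deployment of Pega SRS (search-n-reporting-service).
Environment
- Kubernetes is installed [Kubernetes - Installation]
- Helm is installed [Helm - Installation]
- Containerd is installed [Containerd - Installation]
- Access to the Pega container images has been requested [official tutorial]
Detailed steps
Additional information:
- dev-upgrade: the namespace used for this deployment
- nfs-csi-myk8s-pega-dev-es: the StorageClass used for persistence in this deployment
Step 1: Create the StorageClass or PV that Elasticsearch needs for data persistence. References: [Kubernetes - volumeClaimTemplate] [Kubernetes - Configuring NFS data persistence]
Step 2: Configure the es-basic-auth-secret.yaml file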
apiVersion: v1
kind: Secret
metadata:
  name: elastic-certificates
type: kubernetes.io/basic-auth
stringData:
  username: es-user # required field for the kubernetes.io/basic-auth type
  password: es-password # required field for the kubernetes.io/basic-auth type
Create the secret
# kubectl apply -f es-basic-auth-secret.yaml -n dev-upgrade
secret/elastic-certificates created
Step 3: Get the SRS configuration file
# helm inspect values pega/backingservices > backingservices.yaml
Update the SRS configuration file
---
global:
  imageCredentials:
    registry: "pega-docker.downloads.pega.com"
    username: "PEGA_PROVIDE_USERID"
    password: "PEGA_PROVIDE_TOKEN"
  # Specify the value of your Kubernetes provider
  k8sProvider: "k8s"
# Search and Reporting Service (SRS) Configuration
srs:
  # Set srs.enabled=true to enable SRS
  enabled: true
  # specify unique name for the deployment based on org app and/or srs applicable environment name. eg: acme-demo-dev-srs
  deploymentName: "dev-upgrade-srs"
  # Configure the location of the busybox image that is used during the deployment process of
  # the internal Elasticsearch cluster
  busybox:
    image: "alpine:3.18.3"
    imagePullPolicy: "IfNotPresent"
  srsRuntime:
    # Number of pods to provision
    replicaCount: 1
    # docker image of the srs-service, platform-services/search-n-reporting-service:dockerTag
    srsImage: "pega-docker.downloads.pega.com/platform-services/search-n-reporting-service:1.28.1"
    # To avoid exposing Docker credentials, optionally create a separate Docker config secret.
    # Specify secret names as an array of comma-separated strings. For example: ["secret1", "secret2"]
    imagePullSecretNames: []
    env:
      # AuthEnabled may be set to true when there is an authentication mechanism in place between SRS and Pega Infinity.
      AuthEnabled: false
      # When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
      OAuthPublicKeyURL: ""
  # This section specifies the elasticsearch cluster configuration.
  srsStorage:
    # Setting srsStorage.provisionInternalESCluster to true will provision an internal elasticsearch cluster using the configuration
    # specified in the `elasticsearch` section
    # If you do not enable SRS and the srs.enabled parameter is set to false, always set srs.srsStorage.provisionInternalESCluster=false
    provisionInternalESCluster: true
    # To use your own Elasticsearch cluster, set srsStorage.provisionInternalESCluster to false and then
    # set the external Elasticsearch cluster URL and port details below when using an externally managed elasticsearch
    # Ensure that the specified endpoint is accessible from the kubernetes cluster pods.
    # domain: ""
    # port: 9200
    # protocol: https
    # The elasticsearch connection supports three authentication methods: basic authentication ,
    # AWS IAM role-based authentication and Elasticsearch secure connection(tls).
    # Set srs.srsStorage.tls.enabled: true to enable the use of TLS-based authentication to your Elasticsearch service
    # whether is it running as an internalized or externalized service in your SRS cluster.
    tls:
      enabled: false
      # To specify a certificate used to authenticate an external Elasticsearch service (with tls.enabled: true and srsStorage.provisionInternalESCluster: false),
      # uncomment the following lines to specify the TLS certificate name with password for your Elasticsearch service.
      # Default certificatePassword value will be empty if not used.
      # certificateName: "Certificate_Name"
      # certificatePassword: "password"
      # To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password.
      # Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or “certificate.jks”) as a key name in the secret. Use this key name
      # to configure the “certificateName” parameter. Use a key name “password” to provide the certificate password in the secret.
      # certsSecret: srs-certificates
    # Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch service
    # whether is it running as an internalized or externalized service in your SRS cluster.
    basicAuthentication:
      enabled: true
    # To configure basic authentication or TLS-based authentication to your externally-managed Elasticsearch service in your SRS cluster,
    # uncomment and add the parameter details: srs.srsStorage.esCredentials.username and srs.srsStorage.esCredentials.password.
    # esCredentials:
    #   username: "username"
    #   password: "password"
    # To use a secret to configure basic authentication or TLS-based authentication between your external Elasticsearch service and SRS,
    # uncomment the authSecret parameter and set it to the secret name. Use "username" and "password" as keys for your secret.
    # authSecret: srs-elastic-credentials
    # To configure AWS IAM role-based authentication to your externally-managed Elasticsearch cluster, uncomment
    # and add the parameter details: srs.srsStorage.awsIAM and its associated region, srs.srsStorage.awsIAM.region
    # awsIAM:
    #   region: "AWS_ELASTICSEARCH_REGION"
    # To configure either authentication method, when the elasticsearch domain requires an open internet connection,
    # set the requireInternetAccess parameter to "true".
    requireInternetAccess: false
constellation:
  enabled: false
constellation-messaging:
  enabled: false
  name: YOUR_MESSAGING_SERVICE_DEPLOYMENT_NAME
  image: YOUR_MESSAGING_SERVICE_IMAGE:TAG
  replicas: 1
# This section specifies the configuration for deploying an internal elasticsearch cluster for use with SRS.
# The configuration for rest of the values defined under 'elasticsearch' are to define the elasticsearch cluster
# based on helm charts defined at https://github.com/elastic/helm-charts/tree/master/elasticsearch and may be modified
# as per runtime and storage requirements.
elasticsearch:
  # For internally provisioned Elasticsearch server, the imageTag parameter is set by default to 7.17.9, which is the
  # recommended Elasticsearch server version for k8s version >= 1.25.
  # Use this parameter to change it to 7.10.2 or 7.16.3 for k8s version < 1.25 and make sure to update the Elasticsearch helm chart version in requirements.yaml.
  imageTag: 7.17.9
  replicas: 2
  # Permit co-located instances for solitary minikube virtual machines.
  antiAffinity: "soft"
  # Shrink default JVM heap.
  esJavaOpts: "-Xmx1024m -Xms1024m"
  # Allocate smaller chunks of memory per pod.
  # This section specifies the elasticsearch cluster configuration for authentication and TLS.
  # If you previously set srs.srsStorage.tls.enabled: true, you must uncomment the line to use protocol: https parameter.
  # protocol: https
  # Uncomment the below lines if you want to deploy/upgrade Elasticsearch server version >= 8.x
  # createCert: false
  # secret:
  #   enabled: false
  # protocol: http
  # For deployments that use TLS-based authentication to an internal Elasticsearch service in the SRS cluster,
  # uncomment and appropriately add below lines under esConfig.elasticsearch.yml.
  # xpack.security.http.ssl.enabled: true
  # xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  # xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  esConfig:
    elasticsearch.yml: |
      xpack.security.enabled: false
      xpack.security.transport.ssl.enabled: false
      # xpack.security.transport.ssl.verification_mode: certificate
      # xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      # xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
      # Uncomment the below lines if you want to deploy/upgrade Elasticsearch server version >= 8.x by adding below lines under esConfig.elasticsearch.yml.
      # action.destructive_requires_name: false
      # ingest.geoip.downloader.enabled: false
  # Use this section to include additional, supported environmental variables for Elasticsearch basic authentication.
  # The parameter values can be read from a specified secrets file.
  extraEnvs:
    - name: ELASTIC_PASSWORD
      valueFrom:
        secretKeyRef:
          name: srs-elastic-credentials
          key: password
    - name: ELASTIC_USERNAME
      valueFrom:
        secretKeyRef:
          name: srs-elastic-credentials
          key: username
  resources:
    requests:
      cpu: "1000m"
      memory: "2Gi"
    limits:
      cpu: "2000m"
      memory: "3Gi"
  volumeClaimTemplate:
    accessModes: ["ReadWriteOnce"]
    storageClassName: "nfs-csi-myk8s-pega-dev-es"
    resources:
      requests:
        # configure volume size of the elasticsearch nodes based on search data storage requirements. The default storage size from elasticsearch is 30Gi.
        storage: 30Gi
  # elasticsearch.secretMounts will help reading certificates from elastic-certificates secret.
  secretMounts:
    - name: elastic-certificates
      secretName: elastic-certificates
      path: /usr/share/elasticsearch/config/certs
  # For Openshift deployments, you must enable the following custom values. For details
  # refer to https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/openshift.
  # securityContext:
  #   runAsUser: null
  # podSecurityContext:
  #   fsGroup: null
  #   runAsUser: null
  # sysctlInitContainer:
  #   enabled: false
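A pre-deployment check for the values file above, added here as an example (it is not part of the original post or of the Pega chart). It flags the settings in this file that leave SRS and Elasticsearch unauthenticated or unencrypted, including the case where basicAuthentication is enabled while xpack.security.enabled is false, in which case Elasticsearch does not enforce the credentials. The function names, finding codes and the shortened sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Pega chart): flag weak settings in a
# backingservices values file. Prints one finding code per line.
audit_values() {
  awk '
    /^[ \t]*#/ { next }                       # ignore commented-out settings
    /^[ \t]*[A-Za-z_-]+:[ \t]*$/ {            # "key:" with no value opens a section
      sect = $1; sub(/:$/, "", sect); next
    }
    /AuthEnabled:[ \t]*false/ { print "SRS_AUTH_DISABLED" }
    /xpack\.security\.enabled:[ \t]*false/ { print "ES_SECURITY_DISABLED"; nosec = 1 }
    /xpack\.security\.transport\.ssl\.enabled:[ \t]*false/ { print "ES_TRANSPORT_TLS_DISABLED" }
    sect == "tls" && /enabled:[ \t]*false/ { print "SRS_TO_ES_TLS_DISABLED" }
    sect == "basicAuthentication" && /enabled:[ \t]*true/ { basic = 1 }
    sect == "imageCredentials" && /password:[ \t]*"[^"]+"/ { print "INLINE_REGISTRY_PASSWORD" }
    END { if (basic && nosec) print "BASIC_AUTH_NOT_ENFORCED_BY_ES" }
  ' "$1"
}

# Constructed sample: only the security-relevant keys of the values file above.
write_sample() {
  cat > "$1" <<'EOF'
global:
  imageCredentials:
    registry: "pega-docker.downloads.pega.com"
    username: "PEGA_PROVIDE_USERID"
    password: "PEGA_PROVIDE_TOKEN"
srs:
  srsRuntime:
    env:
      AuthEnabled: false
  srsStorage:
    tls:
      enabled: false
    basicAuthentication:
      enabled: true
elasticsearch:
  esConfig:
    elasticsearch.yml: |
      xpack.security.enabled: false
      xpack.security.transport.ssl.enabled: false
      # xpack.security.transport.ssl.verification_mode: certificate
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_values "$sample"
rm -f "$sample"
```

To check the real file, call audit_values backingservices.yaml before running helm install; the inline registry password finding goes away when the pull credentials are supplied through imagePullSecretNames instead, as the chart comment suggests.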
Deploy SRS
# helm install dev-app-srs pega/backingservices -n dev-upgrade --values backingservices.yaml
NAME: dev-app-srs
LAST DEPLOYED: Mon Mar 3 13:46:30 2025
NAMESPACE: dev-upgrade
STATUS: deployed
REVISION: 1
Step 4: Check the deployment status
$ kubectl get pod,pv,pvc,svc -n dev-upgrade
NAME                                   READY   STATUS    RESTARTS   AGE
pod/dev-upgrade-srs-697cb7db6d-62sx8   1/1     Running   0          11m
pod/elasticsearch-master-0             1/1     Running   0          11m
pod/elasticsearch-master-1             1/1     Running   0          11m

NAME                                                        CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                                                     STORAGECLASS                VOLUMEATTRIBUTESCLASS   REASON   AGE
persistentvolume/pvc-08a7c3c1-afb1-4d42-9192-91dfe63dafbe   30Gi       RWO            Retain           Bound    dev-upgrade/elasticsearch-master-elasticsearch-master-0   nfs-csi-myk8s-pega-dev-es   <unset>                          11m
persistentvolume/pvc-a3a16839-8c59-4ad4-82d1-c852efaa08e5   30Gi       RWO            Retain           Bound    dev-upgrade/elasticsearch-master-elasticsearch-master-1   nfs-csi-myk8s-pega-dev-es   <unset>                          11m

NAME                                                                STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS                VOLUMEATTRIBUTESCLASS   AGE
persistentvolumeclaim/elasticsearch-master-elasticsearch-master-0   Bound    pvc-08a7c3c1-afb1-4d42-9192-91dfe63dafbe   30Gi       RWO            nfs-csi-myk8s-pega-dev-es   <unset>                 11m
persistentvolumeclaim/elasticsearch-master-elasticsearch-master-1   Bound    pvc-a3a16839-8c59-4ad4-82d1-c852efaa08e5   30Gi       RWO            nfs-csi-myk8s-pega-dev-es   <unset>                 11m

NAME                                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
service/dev-upgrade-srs                 ClusterIP   10.99.252.10    <none>        8080/TCP,80/TCP     11m
service/elasticsearch-master            ClusterIP   10.99.226.229   <none>        9200/TCP,9300/TCP   11m
service/elasticsearch-master-headless   ClusterIP   None            <none>        9200/TCP,9300/TCP   11m
That is all for this article. Thank you for reading. If you run into any problems, feel free to leave a comment, and I will reply by email.