Styra DAS Configuration and Installation
The following section describe Styra DAS Configuration and Installation.
Helm Chart
Self-Hosted Styra DAS is a Kubernetes-native product, deployed using a collection of Kubernetes manifests. Styra DAS is packaged and deployed as a Helm chart. Helm makes it easy to install, upgrade, and uninstall Kubernetes-native software.
This section covers how to install and manage Self-Hosted Styra DAS using Helm-native commands. We highly recommend this approach to Styra DAS management, but do recognize some customers are unable to use Helm in their deployment pipelines. If you require a non Helm-based deployment method, refer to Custom Installation methods.
Downloading Default Values
All Helm charts are configured with a chart-specific values.yaml
file. In order to configure Self-Hosted Styra DAS for installation, you first need to download the default values.yaml
file from Styra’s Helm chart repository. This can be done with the following commands:
# add styra helm repository to local helm repos
helm repo add styra https://charts.styra.com/charts
# update styra helm repository
helm repo update
# create local values.yaml file for customization
helm show values styra/styra-das > values.yaml
Customizing Values
After downloading the default values.yaml
file, the next step is customizing values.yaml
settings to reflect your intended configuration. The values.yaml
file is the source of truth for what settings are available within a given version of Self-Hosted Styra DAS. This section is intended to call out widely-applicable areas of configuration that can act as entry points to configuring values.yaml
.
While the configuration areas described in this section are good starting points, it is still recommended that the user read through the entirety of their values.yaml
file to see if there are any settings that may apply to their installation.
If you are using password authentication for your database, be sure to update the username and password in either the rds
or postgres
section of the values file.
TLS Customizations
If you're using AWS Load Balancer and Amazon Certificate Manager to handle SSL termination follow the steps below.
- Set
gateway.tls.enabled
to false. With the Load Balancer handling TLS, thegateway
service does not require managed certificates. - Add an
service.beta.kubernetes.io/aws-load-balancer-ssl-cert
annotation togateway.service.annotations
.
The resultant values.yaml
should resemble the following:
gateway:
tls:
enabled: false
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<REGION>:xxxxx:certificate/xxxxx
If you're using the AWS Load Balancer, the configuration annotations will go in the same place. For an external facing instance ALB it'll look like the following:
gateway:
service:
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:<REGION>:xxxxx:certificate/xxxxx
service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
service.beta.kubernetes.io/aws-load-balancer-type: "external"
service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
Image Registries
Prepare a values.yaml
file for configuration as the source registry for container images. This is where installed Deployments and StatefulSets expect to find images for Styra DAS or supporting services.
The registry settings can be differentiated into three categories of source registry. While these are often the same, they are split into different sections to support using different registries for different categories of service if desired. These categories are:
- Styra DAS images
- Elasticsearch images (if running Elasticsearch in-cluster)
- PostgreSQL images (if running PostgreSQL in-cluster)
PostgreSQL images are only needed when running PostgreSQL in-cluster, which is not recommended for production deployments. This section will only discuss configuring registry access for Styra DAS and Elasticsearch images.
Styra DAS Images
The Styra DAS image registry settings require that the user first choose an approach from the Styra DAS Docker Images section.
If pulling images from registry.styra.com
, the following values will create an ImagePullSecret using the created Styra DAS Token, as well as configure all Styra DAS Deployments to use the created ImagePullSecret:
# Styra DAS image settings
# change `styraImagePullSecret` to true to use an imagePullSecret
styraRepository: registry.styra.com/styra
styraTag: on-prem-<STYRA_DAS_VERSION>
styraImagePullSecret: true
# Image pull secret Styra Images
styraRegistryCredentials:
registry: registry.styra.com
username: "<STYRA_DAS_TENANT_URL>"
password: "<STYRA_DAS_TOKEN_VALUE>"
If using an internal registry, the following values will do the same, but pull images from your organization’s internal registry.
# Styra DAS image settings
# change `styraImagePullSecret` to true to use an imagePullSecret
styraRepository: <CUSTOMER_REGISTRY_URL>/styra
styraTag: on-prem-<STYRA_DAS_VERSION>
styraImagePullSecret: true
# Image pull secret Styra Images
styraRegistryCredentials:
registry: <CUSTOMER_REGISTRY_URL>
username: "<CUSTOMER_REGISTRY_USERNAME>"
password: "<CUSTOMER_REGISTRY_PASSWORD>"
Elasticsearch Images
If you are going to be managing your own Elasticsearch instance, set elasticsearch.enabled
to false
.
By default, Kubernetes will attempt to pull Elasticsearch images from docker.io
. To use a specific registry, configure values.yaml
to use a different source for any deployed Elasticsearch images by uncommenting and configuring the elasticRegistryCredentials
section in values.yaml
through the following configuration:
# Image pull secret Elastic Images
elasticRegistryCredentials:
registry: "<ELASTICSEARCH_REGISTRY_URL>"
username: "<ELASTICSEARCH_REGISTRY_USERNAME>"
password: "<ELASTICSEARCH_REGISTRY_PASSWORD>"
Styra DAS Initial User
Styra DAS can be configured to create a root user with WorkspaceAdmin permissions during installation. This can be useful for initial bootstrapping of a Styra DAS installation, but it is generally recommended to configure access to an SMTP server to make inviting new users easier and more secure. This section will show examples of configuring both. One of these needs to be set up in order to allow at least one user to perform an initial logging in to invite more users.
Root User
This configuration will cause Styra DAS to be deployed with a root user. The root user will be provisioned with username and password credentials.
root_user:
enabled: true
email: "<ROOT_USER_EMAIL_ADDRESS>"
password: "<ROOT_USER_PASSWORD>"
SMTP User Invitation
Styra DAS can be configured with access to an SMTP server in order to send emails. This access will allow Styra DAS to send emails to either invite new users or provide existing users with a way of resetting passwords.
The following example would install Styra DAS with access to an SMTP server, as well as initialize the root user, styra_das_admin@myorg.com
. The user would then be able to set a password by going through the “Forgot Password” flow in the Styra DAS UI post-installation, bypassing the need to store a user password in the values.yaml
file.
# Configure the SMTP server settings
smtp:
enabled: true
serverAddress: "<SMTP_SERVER_ADDRESS>"
username: "styra_das_admin@myorg.com"
password: "<SMTP_SERVER_PASSWORD>"
# The user for SMTP server and also the default admin user created during the installation
# If SMTP is configured, users can reset their password via the "Forgot Password" flow
email:
from_address: “styra_das_admin@myorg.com”
Installing Styra DAS
The following sections describe the Styra DAS installation.
Installing From Styra’s Helm Repository
The preferred method of installing Self-Hosted Styra DAS using a Helm chart is to perform the installation directly from Styra’s Helm repository. This avoids the need to download the chart files locally. Installing directly from the Helm repository is generally both more convenient, and a good way of preventing unintended local changes to chart templates.
Installing Styra DAS directly from the Helm repository should work for most installations, however, there are cases in which it might make sense to download the charts locally instead. If any of the following are true, you may need to utilize the instructions in Installing From Local System instead.
The installation scenarios requiring chart download are:
- If you need to provide files other than
values.yaml
to the Helm chart (most commonly, TLS certificates) - If you need to make customizations to the chart files beyond what is possible in
values.yaml
. - If your organization requires that all installed software go through a centralized pipeline.
If none of the above are true, and you are able to install Styra DAS directly from Styra’s Helm repository, please utilize the following instructions.
Installing the Current Version
The following instructions will install the current version of Styra DAS using the values.yaml
file modified in Customizing Values.
These instructions assume you have already added the Styra DAS Helm repository to your local set of Helm repositories during value customization. The Styra DAS Helm repository can be added by running the following command:
helm repo add styra https://charts.styra.com/charts
# refresh all local helm repository version data
helm repo update
# create a namespace for styra das
kubectl create namespace styra-das
# install or upgrade the helm chart using local values.yaml file
helm upgrade --install styra-das styra/styra-das -n styra-das -f values.yaml
Installing Target Version
It is also possible to install non-latest versions of Styra DAS directly from the Helm repository. This can be done with the following instructions.
These instructions assume you have already added the Styra DAS Helm repository to your local set of Helm repositories during value customization. The Styra DAS Helm repository can be added by running the following command:
helm repo add styra https://charts.styra.com/charts
# refresh all local helm repository version data
helm repo update
# list all chart versions
helm search repo styra
# create a namespace
kubectl create namespace styra-das
# install or upgrade the helm chart using local values.yaml file
helm upgrade --install styra-das styra/styra-das -n styra-das -f values.yaml –version <TARGET_STYRA_DAS_VERSION>
Installing From Local System
While installing from Styra’s Helm Repository is the preferred means of installing Self-Hosted Styra DAS, there are scenarios in which it can be either required or preferable to download the Helm charts locally before installing them to a target cluster.
The installation scenarios requiring chart download are:
- If you need to provide files other than
values.yaml
to the Helm chart (most commonly, TLS certificates). - If you need to make customizations to the chart files beyond what is possible in
values.yaml
. - If your organization requires that all installed software go through a centralized pipeline.
If any of the above are true, the following instructions will allow you to download the Styra DAS Helm chart locally.
These instructions assume you have already added the Styra DAS Helm repository to your local set of Helm repositories during value customization. The Styra DAS Helm repository can be added by running the following command:
helm repo add styra https://charts.styra.com/charts
# refresh all local helm repository version data
helm repo update
# list all chart versions
helm search repo styra
# download and untar the chart
helm pull styra/styra-das \
--untar \
--version <TARGET_STYRA_DAS_VERSION>
After downloading the Helm charts locally, make any required changes to the charts. Once the charts are ready for installation, use the following instructions to install Styra DAS from a local copy of the charts to a target Kubernetes cluster.
If you are adding TLS certificates to the gateway
service using gateway.tls.fromFile
, make sure to put them in a tls
folder in the main chart folder. Following the instructions above, this would mean an example gateway.crt
file would need to be located at styra-das/tls/gateway.crt
.
# create a namespace for Styra DAS
kubectl create namespace styra-das
# install or upgrade the helm chart
helm upgrade --install styra-das ./styra-das -n styra-das -f values.yaml
Custom Installation
Installing From Styra’s Helm Repository is the preferred installation method for Self-Hosted Styra DAS. However, some customers have policies or technology stacks that require them to render the Styra DAS Helm chart into raw Kubernetes manifests before deployment. The following instructions demonstrate how to use helm template
to convert the Styra DAS Helm chart into a YAML file containing every Kubernetes manifest used during installation. This file can then be split into individual manifests as needed.
These instructions assume you have already added the Styra DAS Helm repository to your local set of Helm repositories during value customization. The Styra DAS Helm repository can be added by running the following command:
helm repo add styra https://charts.styra.com/charts
# refresh all local helm repository version data
helm repo update
# list all chart versions
helm search repo styra
# generate kube manifest containing templated chart resources
helm template styra-das styra/styra-das --version <TARGET_STYRA_DAS_VERSION> > styra-das-manifest.yaml
# create a namespace for Styra DAS
kubectl create namespace styra-das
# (If applying directly) Apply kube manifest to target cluster
kubectl apply -f styra-das-manifest.yaml -n styra-das