Kubernetes deployment preparation

A minimal Siren Investigate deployment consists of the following:

  • Secrets containing the Investigate configuration file: the certificates and keys.

  • A StatefulSet to run the Investigate containers.

  • A service to load balance the Investigate containers in the StatefulSet.

Before you store secrets on the Kubernetes cluster, make sure your cluster is configured to effectively encrypt them. For more information, see the Kubernetes documentation and the documentation of your cluster provider.

Creating the configuration file

  1. On the machine where you have kubectl installed, create a directory named investigate.

  2. Optional: If you want to deploy Investigate to a specific namespace, create the namespace with kubectl create namespace <name>, for example:

    kubectl create namespace siren

  3. In the investigate directory, create a file named investigate.yml and add the following content to the file:

    # Listen on all IP addresses
server.host: "0.0.0.0"

# Disable SSL on Investigate (see the documentation to enable TLS between the ingress and Investigate)
server.ssl.enabled: false

# Set to the URL of your Elasticsearch cluster including the port
elasticsearch.url: "https://siren-es-http:9200"

# If you want to disable completely the verification of the Elasticsearch Cluster certificate, set to "none".
#
# If your cluster is using a public CA, for example if it's hosted on Elastic Cloud, set the verificationMode to "full"
#
# If your cluster is using a private CA, set the verification mode to "certificate"
# and set elasticsearch.ssl.certificateAuthorities to the path of a file containing the CA certificate chain.
elasticsearch.ssl.verificationMode: none

elasticsearch.username: "sirenserver"

# Specify the password of the sirenserver user
elasticsearch.password: "password"

kibana.defaultAppId: "dashboard"

investigate_access_control:
  enabled: true
  acl:
    enabled: true
  admin_role: investigate_admin
  cookie:
    name: 'kac'
    # This password will be used to encrypt the session cookie, make sure to customize it
    password: '7vGx4(hLwNur19trqYZkSnOvT$U@*o9r'
    # Change to true when exposing Investigate to the Internet using TLS
    secure: false
  backend: xpack

siren_scripting:
  enabled: true
  browserApiWhitelist:
    - 'Math'
    - 'setTimeout'
    - 'clearInterval'
    - 'setInterval'
    - 'document.getElementById'
  librariesWhitelist:
    - 'lodash'
    - 'EUI'
    - 'React'

  4. Customize the following parameters:

    • elasticsearch.url: the URL of the Elasticsearch cluster, including the port.

    • elasticsearch.password: the password of the sirenserver user.

    • investigate_access_control.cookie.password: a 32 ASCII character key used to encrypt cookies.

  5. Upload the configuration file as a secret named investigate-config, for example:

    kubectl -n siren create secret generic investigate-config --from-file=investigate.yml=investigate.yml

    You can use the same command to create additional secrets referenced in your Investigate configuration file, such as TLS certificates and keys.

Creating the StatefulSet

  1. Create a file named investigate-set.yaml and add the following content:

    # Headless service for internal resolution.
apiVersion: v1
kind: Service
metadata:
  name: investigate
spec:
  clusterIP: None
  ports:
  - port: 5606
    name: http
  selector:
    app: investigate
---
# Investigate containers
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: investigate
  labels:
    app: investigate
spec:
  serviceName: investigate
  replicas: 1
  selector:
    matchLabels:
      app: investigate
  template:
    metadata:
      labels:
        app: investigate
    spec:
      terminationGracePeriodSeconds: 30
      containers:
      - name: investigate
        image: sirensolutions/siren-investigate:12.1.4
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 5606
        livenessProbe:
          tcpSocket:
            port: 5606
          initialDelaySeconds: 20
          periodSeconds: 10
        startupProbe:
          tcpSocket:
            port: 5606
          initialDelaySeconds: 20
          periodSeconds: 20
          failureThreshold: 30
        resources:
          limits:
            memory: 6Gi
            cpu: 2
          requests:
            memory: 6Gi
            cpu: 2
        env:
          # The URL of the data cluster. Make sure to set this to the same value as "elasticsearch.url" in the Investigate configuration file.
          - name: ELASTICSEARCH_URL
            value: "https://siren-es-http:9200"
          # Increase this number when you want to force a statefulset upgrade
          # after changing the configuration secret, then apply the statefulset again.
          - name: CONFIG_VERSION
            value: "1"
          - name: INSTANCE_ID
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
        volumeMounts:
        - name: config
          mountPath: /opt/siren-investigate/config/investigate.yml
          readOnly: true
          subPath: investigate.yml
      volumes:
      - name: config
        secret:
          defaultMode: 0644
          secretName: investigate-config

  2. Apply the manifest, for example:

    kubectl -n siren apply -f investigate-set.yaml

  3. After a few minutes, confirm that the StatefulSet is ready:

    kubectl -n siren get statefulset/investigate

NAME          READY   AGE
investigate   1/1     97s

    You can view the logs of the Investigate pod with the following command:

    kubectl -n siren logs pod/investigate-0

    To test that Investigate is running, forward Investigate to your machine, for example:

    kubectl -n siren port-forward service/investigate 5606

  4. Sign in to http://localhost:5606.

Next step

To see how to change the Investigate configuration and perform version upgrades see the Maintaining Siren Investigate on Kubernetes section.