diff --git a/components/docs-chef-io/content/automate/ha.md b/components/docs-chef-io/content/automate/ha.md index 19de628f362..33963e7d4ae 100644 --- a/components/docs-chef-io/content/automate/ha.md +++ b/components/docs-chef-io/content/automate/ha.md @@ -65,6 +65,27 @@ The Chef Automate HA Architecture involves the following clusters as part of the - [Chef Automate](https://docs.chef.io/automate/) - [Chef Server](https://docs.chef.io/server/) +## Provisioning + +Chef Automate High Availability solution can run on systems provisioned by cloud providers and on-premise infrastructure. Appropriately provisioned backend, frontend and bastion systems will help in smooth deployment and installation experience. + + - On-premise provisioning + - Cloud provisioning + +### On-premise provisioning + + Customer can provision virtual machines or bare metal machines on supported operating system with required system settings to deploy Automate HA solution. + +### Cloud provisioing + Systems and services from following cloud providers are supported: + + - [AWS](https://docs.chef.io/automate/ha_aws_deploy_steps/#steps-to-provision) + - Azure + - Google + +Once cloud systems are provisioned, Automate HA solution can be deployed on the cloud infrastructure. +For AWS we have a simplified provisioning utility, whereas for Azure and Google we expect customers to manually provision the systems. + ## Deployment Methods Chef Automate High Availability (HA) supports two types of deployment: 
@@ -88,6 +109,23 @@ The two-step deployment process is as shown below: - Deployment of services on the provisioned infrastructure. - Installation of *PostgreSQL*, *OpenSearch*, *Chef Automate*, and *Chef Infra Server* will be done in this step. +### Cloud Deployment using Azure + +The two-step deployment process is as shown below: + +- Provisioning Infrastructure: Manually provision the infrastructure +- Deployment of services on the provisioned infrastructure (follow the [On-premise Deployment steps](/automate/ha_onprim_deployment_procedure/)). + - Installation of *PostgreSQL*, *OpenSearch*, *Chef Automate*, and *Chef Infra Server* will be done in this step. +- Only File System Backup and Restore is supported. + +### Cloud Deployment using Google Cloud Platform (GCP) + +The two-step deployment process is as shown below: + +- Provisioning Infrastructure: Manually provision the infrastructure +- Deployment of services on the provisioned infrastructure (follow the [On-premise Deployment steps](/automate/ha_onprim_deployment_procedure/)). + - Installation of *PostgreSQL*, *OpenSearch*, *Chef Automate*, and *Chef Infra Server* will be done in this step. + ## Performance (Benchmarking) Please refer to the [Performance Benchmarking document](/automate/ha_performance_benchmarks/) for the detailed performance benchmark numbers diff --git a/components/docs-chef-io/content/automate/ha_add_nodes_to_the_deployment.md b/components/docs-chef-io/content/automate/ha_add_nodes_to_the_deployment.md index dc0e7aaea04..1c3fcd8654c 100644 --- a/components/docs-chef-io/content/automate/ha_add_nodes_to_the_deployment.md +++ b/components/docs-chef-io/content/automate/ha_add_nodes_to_the_deployment.md 
@@ -27,6 +27,7 @@ Chef Automate HA comes with five different types of deployment flows. This page {{< note >}} - The flags like `opensearch-ips` and `postgresql-ips` are only applicable for the Chef Managed Database cluster +- If `/hab` volume is externally mounted, then trigger the `add node`/`remove node` command from the `/hab` directory. {{< /note >}} diff --git a/components/docs-chef-io/content/automate/ha_cert_rotation.md b/components/docs-chef-io/content/automate/ha_cert_rotation.md index eae61fb3e3b..e20a6569927 100644 --- a/components/docs-chef-io/content/automate/ha_cert_rotation.md +++ b/components/docs-chef-io/content/automate/ha_cert_rotation.md @@ -45,9 +45,7 @@ To understand how to generate certificates, refer to the [Certificate Generation ### Rotate Cluster Certificates -If you want to rotate certificates of the entire cluster using single command, then you can follow the below commands: - -To rotate certificates of entire cluster using single command, we need a certificate template. +To rotate the certificate for a node (automate,chef-server,postgres,opensearch) in the cluster, please provide the certificate file path in `certificate-config.toml` file. - To generate certificate template use below command @@ -130,7 +128,7 @@ To rotate the Automate Load balancer root certificate: [cs_nginx.v1.sys.ngx.http] ssl_verify_depth = 6 [global.v1.external.automate.ssl] - server_name = "https://" + server_name = "" root_cert = """""" ``` diff --git a/components/docs-chef-io/content/automate/ha_cert_selfsign.md b/components/docs-chef-io/content/automate/ha_cert_selfsign.md index 444845eaba7..fe7620b4c5a 100644 --- a/components/docs-chef-io/content/automate/ha_cert_selfsign.md +++ b/components/docs-chef-io/content/automate/ha_cert_selfsign.md 
@@ -44,38 +44,38 @@ You can create a self-signed key and certificate pair with the **OpenSSL** utili ```bash # !/bin/bash - echo extendedKeyUsage = clientAuth, serverAuth > server_cert_ext.cnf - echo subjectAltName = DNS:chefadmin >> server_cert_ext.cnf - echo extendedKeyUsage = clientAuth, serverAuth > node_cert_ext.cnf - echo subjectAltName = DNS:chefnode >> node_cert_ext.cnf - echo extendedKeyUsage = clientAuth, serverAuth > client_cert_ext.cnf - echo subjectAltName = DNS:chefclient >> client_cert_ext.cnf - openssl genrsa -out root-ca-key.pem 2048 - openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=progress" -out root-ca.pem -days 1095 -addext basicConstraints=CA:TRUE - - # Admin cert - openssl genrsa -out admin-key-temp.pem 2048 - openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem - openssl req -new -key admin-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefadmin" -out admin.csr - openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 1095 -extfile server_cert_ext.cnf - - # Node cert 1 - openssl genrsa -out node1-key-temp.pem 2048 - openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem - openssl req -new -key node1-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node1.csr - openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 1095 -extfile node_cert_ext.cnf - - # Node cert 2 - openssl genrsa -out node2-key-temp.pem 2048 - openssl pkcs8 -inform PEM -outform PEM -in node2-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node2-key.pem - openssl req -new -key node2-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node2.csr - openssl x509 -req -in node2.csr -CA 
root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node2.pem -days 1095 -extfile node_cert_ext.cnf - - # Client cert - openssl genrsa -out client-key-temp.pem 2048 - openssl pkcs8 -inform PEM -outform PEM -in client-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out client-key.pem - openssl req -new -key client-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefclient" -out client.csr - openssl x509 -req -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out client.pem -days 1095 -extfile client_cert_ext.cnf +echo extendedKeyUsage = clientAuth, serverAuth > server_cert_ext.cnf +echo subjectAltName = DNS:chefadmin >> server_cert_ext.cnf +echo extendedKeyUsage = clientAuth, serverAuth > node_cert_ext.cnf +echo subjectAltName = DNS:chefnode >> node_cert_ext.cnf +echo extendedKeyUsage = clientAuth, serverAuth > client_cert_ext.cnf +echo subjectAltName = DNS:chefclient >> client_cert_ext.cnf + openssl genrsa -out root-ca-key.pem 2048 + openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=progress" -out root-ca.pem -days 1095 -addext basicConstraints=CA:TRUE + + # Admin cert + openssl genrsa -out admin-key-temp.pem 2048 + openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem + openssl req -new -key admin-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefadmin" -out admin.csr + openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 1095 -extfile server_cert_ext.cnf + + # Node cert 1 + openssl genrsa -out node1-key-temp.pem 2048 + openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node1-key.pem + openssl req -new -key node1-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node1.csr + openssl x509 -req -in node1.csr -CA 
root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 1095 -extfile node_cert_ext.cnf + + # Node cert 2 + openssl genrsa -out node2-key-temp.pem 2048 + openssl pkcs8 -inform PEM -outform PEM -in node2-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node2-key.pem + openssl req -new -key node2-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node2.csr + openssl x509 -req -in node2.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node2.pem -days 1095 -extfile node_cert_ext.cnf + + # Client cert + openssl genrsa -out client-key-temp.pem 2048 + openssl pkcs8 -inform PEM -outform PEM -in client-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out client-key.pem + openssl req -new -key client-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefclient" -out client.csr + openssl x509 -req -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out client.pem -days 1095 -extfile client_cert_ext.cnf ``` 1. The script generates the certificates at the newly created directory, `rotate-certs` in this case. diff --git a/components/docs-chef-io/content/automate/ha_chef_backend_to_automate_ha.md b/components/docs-chef-io/content/automate/ha_chef_backend_to_automate_ha.md index 3875dbe28ca..9b95a602374 100644 --- a/components/docs-chef-io/content/automate/ha_chef_backend_to_automate_ha.md +++ b/components/docs-chef-io/content/automate/ha_chef_backend_to_automate_ha.md @@ -115,6 +115,7 @@ Before restoring the backup on the Automate HA Chef Server, configure [S3 storag ## Restore Data to Chef Automate HA +To restore the data, you will need to use the `knife-ec-backup` utility, which can be installed on any of the Automate HA Chef-Infra-Server nodes. - Execute the below command to install the habitat package for `knife-ec-backup` ```sh 
diff --git a/components/docs-chef-io/content/automate/ha_disaster_recovery_setup.md b/components/docs-chef-io/content/automate/ha_disaster_recovery_setup.md index 62593b70f92..a294da5f2a9 100644 --- a/components/docs-chef-io/content/automate/ha_disaster_recovery_setup.md +++ b/components/docs-chef-io/content/automate/ha_disaster_recovery_setup.md @@ -98,12 +98,6 @@ Configure backups for both clusters using either [file system](/automate/ha_back - We don't recommend creating backups from the disaster recovery cluster unless it has become the active cluster and receiving traffic from the clients/nodes. - - Stop all the services on all Automate and Chef Infra frontend nodes using the following command: - - ```sh - systemctl stop chef-automate - ``` - - Make sure both backup and restore cron are aligned. - Run the following command in one of the Automate nodes to get the IDs of all the backups: @@ -132,6 +126,12 @@ Configure backups for both clusters using either [file system](/automate/ha_back password = "admin" ``` + - Stop all the services on all Automate and Chef Infra frontend nodes using the following command: + + ```sh + systemctl stop chef-automate + ``` + - In the disaster recovery cluster, use the following sample command to restore the latest backup from any Chef Automate frontend instance. For **S3/MinIO** execute the following command from the Bootstrapped Automate node to restore: diff --git a/components/docs-chef-io/content/automate/ha_on_premises_deployment_prerequisites.md b/components/docs-chef-io/content/automate/ha_on_premises_deployment_prerequisites.md index a5187bd2b72..61674f13f14 100644 --- a/components/docs-chef-io/content/automate/ha_on_premises_deployment_prerequisites.md +++ b/components/docs-chef-io/content/automate/ha_on_premises_deployment_prerequisites.md 
@@ -92,13 +92,13 @@ Current Automate HA integrates with the following non-Chef tools: ### Minimum Hardware Requirement -| Instance | Count | vCPU | RAM | Storage Size(/hab) | AWS Machine Type | GCP Machine Type | Additional Space | -| ----------------- | ----- | ---- | --- | ------------------ | ---------------- | ---------------- | ----------------- | -| Chef Automate | 2 | 2 | 8 | 200 GB | m5.large | n2-standard-2 | /var/tmp=5% /root=20% | -| Chef Infra Server | 2 | 2 | 8 | 200 GB | m5.large | n2-standard-2 | /var/tmp=5% /root=20% | -| PostgreSQL DB | 3 | 2 | 8 | 200 GB | m5.large | n2-standard-2 | /var/tmp=5% /root=20% | -| OpenSearch DB | 3 | 2 | 8 | 200 GB | m5.large | n2-standard-2 | /var/tmp=5% /root=20% | -| Bastion Machine | 1 | 2 | 8 | 200 GB | m5.large | n2-standard-2 | /var/tmp=5% /root=20% | +| Instance | Count | vCPU | RAM | Storage Size(/hab) | AWS Machine Type | AZURE Machine Type | GCP Machine Type | Additional Space | +| ----------------- | ----- | ---- | --- | ------------------ | ---------------- | ------------------ | ---------------- | ----------------- | +| Chef Automate | 2 | 2 | 8 | 200 GB | m5.large | Standard_D2as_v4 | n2-standard-2 | /var/tmp=5% /root=20% | +| Chef Infra Server | 2 | 2 | 8 | 200 GB | m5.large | Standard_D2as_v4 | n2-standard-2 | /var/tmp=5% /root=20% | +| PostgreSQL DB | 3 | 2 | 8 | 200 GB | m5.large | Standard_D2as_v4 | n2-standard-2 | /var/tmp=5% /root=20% | +| OpenSearch DB | 3 | 2 | 8 | 200 GB | m5.large | Standard_D2as_v4 | n2-standard-2 | /var/tmp=5% /root=20% | +| Bastion Machine | 1 | 2 | 8 | 200 GB | m5.large | Standard_D2as_v4 | n2-standard-2 | /var/tmp=5% /root=20% | {{< note >}} For production, OpenSearch volume size also depends on the number of nodes and frequency of Chef Infra Client runs and compliance scans. 
diff --git a/components/docs-chef-io/content/automate/ha_onprim_deployment_procedure.md b/components/docs-chef-io/content/automate/ha_onprim_deployment_procedure.md index cfa58afcb84..6f2fa1d120c 100644 --- a/components/docs-chef-io/content/automate/ha_onprim_deployment_procedure.md +++ b/components/docs-chef-io/content/automate/ha_onprim_deployment_procedure.md @@ -30,7 +30,20 @@ Please see the [On-Premises Prerequisites](/automate/ha_on_premises_deployment_p Provision the other nodes in the high availability cluster before deploying the bastion host. -Make sure you have all resources either on existing infrastructure or on existing cloud infrastructure (AWS/Google Cloud Platform). +Make sure you have all resources either on existing infrastructure or on existing cloud infrastructure (`AWS`/`Azure`/`GoogleCloudPlatform`). +For Cloud Infrastructure following are supported: + +### AWS + + Infrastructure on AWS can either be provisioned manually or using [provision utility](https://docs.chef.io/automate/ha_aws_deploy_steps/#steps-to-provision). + +### Azure + + Infrastructure on Azure should be provisioned manually by the user before deploying Automate HA Solution. + +### GCP + + Infrastructure on GCP should be provisioned manually by the user before deploying Automate HA Solution. ## Deploy the bastion host @@ -45,7 +58,12 @@ Make sure you have all resources either on existing infrastructure or on existin " ``` - To download specific version bundle, replace `latest.aib` with Chef Automate version number. For example, `4.2.59.aib`. + {{< note spaces=4 >}} + + In case `/usr/bin` is not there then check for `/bin` directory + + {{< /note >}} + To download specific version bundle, replace `latest.aib` with Chef Automate version number. For example, `4.12.144.aib`. {{< note spaces=4 >}}
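Review bot: In the ha.md Provisioning hunk the new heading `### Cloud provisioing` is misspelled (should be `### Cloud provisioning`), and the line after it has no blank line separating it from the heading. The sentence "Customer can provision virtual machines or bare metal machines on supported operating system with required system settings" also needs articles ("Customers can provision virtual machines or bare-metal machines on a supported operating system with the required system settings"). Only the AWS bullet carries a link; if Azure and Google have (or will get) provisioning guidance, link them the same way, otherwise say explicitly that manual provisioning is the only option, as the closing paragraph already does.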
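Review bot: In the ha.md Deployment Methods hunk the Azure section states "Only File System Backup and Restore is supported", but the otherwise identical GCP section says nothing about backup support. Readers will assume the omission is meaningful; either add the equivalent backup statement to the GCP section or explain the difference. Both sections also say "follow the On-premise Deployment steps" while the top-level Provisioning section describes Azure and GCP as cloud deployments, so a one-line explanation that manually provisioned cloud hosts are treated as on-premises nodes would remove the apparent contradiction.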
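Review bot: In the ha_add_nodes_to_the_deployment.md hunk the added note "If `/hab` volume is externally mounted, then trigger the `add node`/`remove node` command from the `/hab` directory" does not say why, or what fails otherwise, so readers cannot tell whether this is a hard requirement or a convenience. State the failure mode the instruction avoids, and spell out that "from the `/hab` directory" means the command must be run with `/hab` as the current working directory, using the command's real name as shown elsewhere on the page rather than the informal `add node`/`remove node`.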
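Review bot: In the ha_cert_rotation.md "Rotate Cluster Certificates" hunk the replacement sentence now describes rotating the certificate of a single node, yet the heading still says "Cluster Certificates" and the unchanged next line still reads "To generate certificate template use below command", which referred to the deleted template paragraph. Either keep an introductory sentence about the template so the following bullet makes sense, or retitle the section and drop the template bullet. Minor: add spaces in "(automate,chef-server,postgres,opensearch)" and write "provide the certificate file paths in the `certificate-config.toml` file".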
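Review bot: In the ha_cert_rotation.md load-balancer hunk, changing `server_name = "https://"` to `server_name = ""` implies the field expects a bare hostname rather than a URL, but the surrounding text does not say so and an empty string gives no hint of the expected value. A short sentence stating that `server_name` is the load balancer's FQDN without scheme or port, or an obviously placeholder value such as `"<automate-lb-fqdn>"`, would prevent the same mistake the removed `https://` prefix invited.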
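Review bot: In the ha_cert_selfsign.md hunk only the six `echo` lines are dedented to column 0 while every `openssl` line keeps its four-space indentation, so the fenced block now has mixed indentation; dedent the whole block consistently. While touching this script: `# !/bin/bash` is not a valid shebang (the space after `#` breaks it), and each `openssl pkcs8 ... -nocrypt -v1 PBE-SHA1-3DES` pairs `-nocrypt` with a cipher option that `-nocrypt` makes irrelevant, which suggests the command line was never cleaned up. From a least-privilege standpoint, all three `*_cert_ext.cnf` files grant `clientAuth, serverAuth` to every certificate, including the admin and client certificates; if those are only ever used as clients, document why `serverAuth` is needed or drop it.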
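Review bot: In the ha_chef_backend_to_automate_ha.md hunk the added sentence is immediately followed by the `- Execute the below command` list item with no blank line, which renders inconsistently across Markdown engines; add a blank line. "Chef-Infra-Server" should match the "Chef Infra Server" spelling used elsewhere in these docs.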
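Review bot: In the ha_disaster_recovery_setup.md hunks the "Stop all the services on all Automate and Chef Infra frontend nodes" step is moved from before the backup listing to just before the restore, which is the right order, but its new position sits between instructions that apply to different clusters (listing backups on the active cluster, restoring on the disaster recovery cluster) and the step itself does not say which cluster's frontend nodes to stop. Add "in the disaster recovery cluster" to the step, since stopping `chef-automate` on the active cluster would cause an outage. Separately, the visible sample config carries `password = "admin"`; a placeholder such as `"<opensearch-password>"` would avoid readers copying a default credential into production.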
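Review bot: In the ha_on_premises_deployment_prerequisites.md table hunk the new column header reads "AZURE Machine Type"; "Azure" is a product name, not an acronym like AWS or GCP, so it should be "Azure Machine Type". The `Standard_D2as_v4` sizing (2 vCPU, 8 GiB) is consistent with the vCPU and RAM columns, which is good.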
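Review bot: In the first ha_onprim_deployment_procedure.md hunk, "(`AWS`/`Azure`/`GoogleCloudPlatform`)" puts provider names in code formatting and runs "Google Cloud Platform" together; write "(AWS, Azure, or Google Cloud Platform)" in plain text. "For Cloud Infrastructure following are supported:" should read "The following cloud infrastructure is supported:", and the three one-line sections under `### AWS`, `### Azure` and `### GCP` start with a leading space that is not used by the surrounding paragraphs. Since the Azure and GCP sections are word-for-word identical, a single sentence ("Infrastructure on Azure and GCP must be provisioned manually before deploying the Automate HA solution") would be shorter and easier to maintain.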
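Review bot: In the second ha_onprim_deployment_procedure.md hunk the added note "In case `/usr/bin` is not there then check for `/bin` directory" never says what the reader is looking for in `/usr/bin`, so it cannot be acted on; name the binary or path the preceding command depends on ("If the <binary> is not found under `/usr/bin`, look for it under `/bin`"). The version example update to `4.12.144.aib` looks fine.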