Lightkeeper tool
Prerequisite: You must be a member of the VA-ABD-RRD GitHub team and have followed the Getting Started instructions and GETTING-STARTED page to install `lightkeeper`.
Important: the following `lightkeeper` commands must be run from the VA network (GFE or CAG).
- Execute the command below:
  `lightkeeper create clusterconfig nonprod > kube_config`
- Transfer `kube_config` from GFE to the development laptop (where `kubectl` is installed) and save it as `~/.kube/config`.
  NOTE: this config is for the `nonprod` cluster (containing `dev`, `qa`, and `sandbox` only).
- Execute the command below for the Prod cluster (containing `prod-test` and `prod`):
  `lightkeeper create clusterconfig prod > kube_config`
- see for cluster info.
NOTE:- If you're switching between the two clusters, remember to use the right config file.
- Remember to specify the namespace (e.g., `--namespace va-abd-rrd-dev`) for all `kubectl` commands, e.g.:
  `kubectl get pods --namespace va-abd-rrd-dev`
  `helm list --namespace va-abd-rrd-dev`
- Kube config needs to be renewed every 90 days.
- Be cautious when running commands as this may affect others using VRO in these environments, particularly in the `prod-test` and `prod` environments where PII/PHI and various secrets are visible.
- Tip: For a nice GUI to monitor the status, try the Lens app.
  - TODO: document how to set up Lens app
- Tip: By default, your access to virtual machines inside VA Network does not permit bi-directional clipboard access. This is true for both Citrix Access Gateway (CAG), and Azure Remote Desktop. This restriction makes it extremely difficult to operate in these environments. Clipboard access is highly recommended, and we encourage all engineers working within the LHDI environment to request clipboard permissions by following the steps in this article (note: accessing this article requires being within the VA Network to begin with).
To follow the logs for the `app` container in the `dev` environment:
# Use the namespace corresponding to the dev environment
alias kc='kubectl -n va-abd-rrd-dev'
# List the pods; we want the vro-api pod with 7 containers in it
kc get pods
NAME READY STATUS RESTARTS AGE
vro-api-7ff6569c78-jj9zk 7/7 Running 2 (17m ago) 22m
vro-api-postgres-7776cbd54f-wkf8r 1/1 Running 0 22m
vro-api-rabbit-mq-7ff55bcb5f-6rg46 1/1 Running 0 22m
vro-api-redis-555446854-ksgjt 1/1 Running 0 22m
# Follow the logs for the abd-vro-api in the vro-api pod
kc logs -f vro-api-7ff6569c78-jj9zk -c abd-vro-api
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.7.4)
2022-11-18 18:47:11.835 INFO 1 --- [ main] gov.va.vro.VroApplication : Starting VroApplication using Java 17.0.5 on vro-api-7ff6569c78-jj9zk with PID 1 (/project/vro-app.jar started by docker in /project)
2022-11-18 18:47:11.839 INFO 1 --- [ main] gov.va.vro.VroApplication : The following 2 profiles are active: "compose", "dev"
2022-11-18 18:47:15.525 INFO 1 --- [ main] .s.d.r.c.RepositoryConfigurationDelegate : Multiple Spring Data modules found, entering strict repository configuration mode
IMPORTANT:- This step is only for Automated GH workflows and GH Actions. Not for Development use.
Use this step to generate kubernetes config for both prod and non-prod clusters
- Execute `.\lightkeeper login`
- Follow the OTP URL generated by lightkeeper in a browser
- Follow the instructions in the OTP section of https://github.com/department-of-veterans-affairs/abd-vro/wiki/Machine-User-Account to log in to GitHub
- Generate `*_KUBE_CONFIG` secrets for GitHub Action workflows by executing
  `lightkeeper create clusterconfig nonprod | base64 > DEV_KUBE_CONFIG`
  `lightkeeper create clusterconfig prod | base64 > PROD_KUBE_CONFIG`
  If the environment does not support `base64`, consider using `certutil` to perform the encoding, for example:
  `lightkeeper create clusterconfig nonprod > DEV_KUBE_CONFIG_RAW`
  `certutil -encode DEV_KUBE_CONFIG_RAW DEV_KUBE_CONFIG`
- Update `DEV_KUBE_CONFIG` and `PROD_KUBE_CONFIG` in the GitHub Action secrets.
- Then test deploying to LHDI.
- IMPORTANT: Since the config expires in 90 days, the `DEV_KUBE_CONFIG` and `PROD_KUBE_CONFIG` in GitHub Action secrets need to be updated regularly so that GitHub Action workflows that interact with LHDI continue to work.
  - this rotation was last executed: Aug 13, 2024
  - 90 days from the last rotation: Nov 11, 2024
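One way to check a `*_KUBE_CONFIG` file before storing it as a secret, as an added example that is not part of lightkeeper or this project's tooling: `certutil -encode` wraps its output in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines that plain `base64` output does not have, so the script normalizes both forms, confirms the payload decodes to a kubeconfig, and computes the days left in the 90-day window. The function names, the sample kubeconfig, and the assumption that workflows decode the secret with `base64 -d` on a system with GNU `date` are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not part of lightkeeper): check a *_KUBE_CONFIG file before
# storing it as a GitHub Actions secret.
# Assumption: workflows recover the kubeconfig with plain `base64 -d`.

# Emit the payload as one line of bare base64, dropping the
# "-----BEGIN/END CERTIFICATE-----" lines and CRs that `certutil -encode` adds.
normalize_secret() {
  grep -v '^-----' "$1" | tr -d '\r\n '
}

# Succeed only if the payload decodes and looks like a kubeconfig.
is_kubeconfig_secret() {
  local decoded
  decoded=$(normalize_secret "$1" | base64 -d 2>/dev/null) || return 1
  printf '%s\n' "$decoded" | grep -q '^kind: Config' &&
    printf '%s\n' "$decoded" | grep -q '^clusters:'
}

# Days left before a config generated on $1 (YYYY-MM-DD) reaches the 90-day
# limit, as of $2 (default: today). Zero or negative means it has expired.
days_until_expiry() {
  local made now
  made=$(date -u -d "$1" +%s) || return 1
  now=$(date -u -d "${2:-$(date -u +%F)}" +%s) || return 1
  echo $(( 90 - (now - made) / 86400 ))
}

# --- Constructed sample data: placeholder kubeconfig, no real credentials ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'apiVersion: v1\nkind: Config\nclusters:\n- name: example-nonprod\n' > "$tmp/raw"
base64 < "$tmp/raw" > "$tmp/b64"                  # `| base64` form
{ printf -- '-----BEGIN CERTIFICATE-----\r\n'     # emulated certutil form
  base64 < "$tmp/raw" | awk '{printf "%s\r\n", $0}'
  printf -- '-----END CERTIFICATE-----\r\n'; } > "$tmp/certutil"
cp "$tmp/raw" "$tmp/unencoded"                    # encoding step was skipped

for f in b64 certutil unencoded; do
  if is_kubeconfig_secret "$tmp/$f"; then echo "$f: ok"; else echo "$f: REJECT"; fi
done
echo "days left on 2024-10-30: $(days_until_expiry 2024-08-13 2024-10-30)"
```

If the workflow does decode with plain `base64 -d`, store the output of `normalize_secret` as the secret value so that the `certutil` header and footer lines never reach the decoder.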