Run the deployment script

To deploy ArcGIS Enterprise on Kubernetes, you run a bash script along with Kubernetes manifests. The deployment package is available for download from My Esri and is delivered as a .tar.gz file. Prior to running the deployment script, review instructions to get started.

Run the deployment script in interactive mode

If you run the ArcGIS Enterprise on Kubernetes deployment script without specifying a configuration parameters file, it opens in interactive mode. The script prompts for each parameter and immediately checks the validity of each value. This provides a fast way to verify each configuration parameter for your deployment.

  1. On your Kubernetes client machine, open a terminal as an administrator.
  2. Change directories to where your deployment script is located.
  3. In the terminal, run the deployment script using the following command format:
    ./deploy.sh
    
  4. Complete the parameters.

    The script prompts you for the following parameters, one at a time. If you provide an invalid value, the script immediately returns an error and prompts for a valid parameter. The following is a summary of the user inputs:

    Note:

    You do not need to run this script as the root user.

    • Deployment platformArcGIS Enterprise on Kubernetes uses ingress to route incoming traffic to the services in the cluster. If you are deploying in a managed Kubernetes service by a cloud provider, such as Amazon Web Services EKS or Microsoft Azure Kubernetes Service (AKS), the ingress controller can be exposed externally using a load balancer service by the cloud provider. In this case, ArcGIS Enterprise on Kubernetes provisions a load balancer during the deployment process.
    • Load balancer—During deployment, ArcGIS Enterprise on Kubernetes can provision selected cloud load balancers with the Azure Load Balancer (external and internal) and AWS Network Load Balancer (NLB-External and NLB-Internal). Each option prompts you to specify the load balancer's IP. In this release, only the Azure load balancers support this option; AWS EKS do not support the load balancer IP option. If you're using OpenShift, you can use Routes, which is typically backed by HAProxy or Big-IP based load balancers.
    • Namespace—The Kubernetes cluster namespace where ArcGIS Enterprise on Kubernetes will be deployed.
    • Encryption Keyfile—The encryption keyfile is a plain text file used for AES-256 encryption and decryption of passwords. The contents of this file is plain text that you specify and should not contain any passwords. This file should remain in a fixed location and the contents should not be changed.
    • Registry Host—The fully qualified domain name (FQDN) of the container registry host (for example, docker.io).
    • Image Path—The image repository that's used to pull the container images (for example, esridocker).
    • Registry Username—The user name for an account in the specified container registry that stores permissions to pull from the registry.
    • Registry Password—The password for the specified container registry account.
    • Fully Qualified Domain Name—The FQDN needed to access ArcGIS Enterprise on Kubernetes. This points to a load balancer, reverse proxy, edge router, or other web front-end point configured to route traffic to the ingress controller.
    • Context Path—The context path used in the URL for ArcGIS Enterprise on Kubernetes (for example, https://<FQDN>/<context path>).
      Note:

      Once deployment is complete, the context path you specify here will be used when configuring ArcGIS Enterprise on Kubernetes Web Adaptor with your organization.

    • Node Port—The ingress controller exposes external traffic over service type "LoadBalancer" or "NodePort". The port can be specified in the range of 30000-32767. If a port is not specified, Kubernetes automatically allocates an available port in this range.
    • TLS Certificate—A TLS certificate (either self-signed or third-party CA-signed) is required with the FQDN and subject alternate name. This will be the default TLS certificate for the ingress controller.

When you have provided all valid parameters, a properties file is saved to your current working directory. Use this property file to automate future deployments or undeploy ArcGIS Enterprise on Kubernetes.

The final deployment step is to create your ArcGIS Enterprise organization.

Tip:

The deployment script uses kubectl commands to validate prerequisites, such as a valid namespace. If the kubectl command is unable to communicate with the cluster due to a network or firewall issue, the deployment script may appear to become unresponsive. If this happens, end the ./deploy.sh command and run kubectl directly from a terminal to initiate communication with the cluster.

Run the deployment script in silent mode

As an alternative to running the deployment script in interactive mode, you can deploy ArcGIS Enterprise on Kubernetes silently. The deployment script is bundled with a deploy.properties file, which provides a set of parameters prompting for unique input to your ArcGIS Enterprise on Kubernetes deployment.

Note:
It is recommended that you run the password-encrypt.sh tool to generate encrypted passwords for use in the deploy.properties file.

  1. On your Kubernetes client machine, open a terminal as an administrator.
  2. Change directories to where your deployment script and the deploy.properties file are located.
  3. Open the deploy.properties file.
  4. Refer to the descriptive comments in the file for a summary of the user inputs and provide values for each parameter listed in the file.

    The file is divided into the following sections:

    • Deployment platform
    • Namespace
    • Encryption keyfile
    • Container registry
    • Fully Qualified Domain Name (FQDN)
    • TLS certificate
    • Additional properties
  5. Save the file. Optionally, rename the file.
  6. In the terminal, run the deployment script using the following command format:
    ./deploy.sh -f <user_properties>
    

The contents of <user properties> are derived from the deploy.properties file.

Before deploying ArcGIS Enterprise on Kubernetes, the deployment script will validate whether your system meets the minimum system requirements and whether you have provided valid input for each parameter listed in the deploy.properties file.

The final deployment step is to create your ArcGIS Enterprise organization.

Additional silent deployment properties

The deploy.properties file contains additional properties that can be used when deploying silently. The default values for each are provided.

ALLOWED_PRIVILEGED_CONTAINERS=true—If you cannot run a privileged container, set this value to false. When doing so, you'll also need to run the # "sysctl -w vm.max_map_count=262144" command as root to increase vm.max_map_count to 262144 on all nodes in your cluster.

CONTAINER_IMAGE_PULL_POLICY="Always"—When new containers are started, the ImagePullPolicy determines whether a new container image is pulled from the container registry. The default is "Always" and will pull a new image each time a container is started. If you want a new image to be pulled only if one is not already present, set this value to "IfNotPresent".

INGRESS_HSTS_ENABLED=false—HTTP Strict Transport Security (HSTS) adds a layer of security to your organization's web traffic. By default, the HSTS protocol option is set to false. To turn on HSTS, set this value to true.

INGRESS_SSL_PROTOCOLS="TLSv1.2 TLSv1.3"—Sets the SSL protocols to use. The default is "TLSv1.2 TLSv1.3". If additional TLS versions must be allowed, specify them here.

INGRESS_SSL_CIPHERS="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA"—This property sets the list of SSL ciphers to enable. If additional SSL ciphers are required, specify them here.