Deploying self-hosted Databand with Kubernetes

By deploying self-hosted Databand with Kubernetes, you can integrate with data integration or orchestration tools, scale, and customize the Databand platform to best meet your needs.

To deploy self-hosted Databand with Kubernetes, complete the following tasks:

Prepare your environment.
Install the Databand Helm chart.
Deploy Databand with Red Hat OpenShift Container Platform.
Customize your Databand configuration.
Access the Databand web interface.

Prerequisites

Before you install and deploy self-hosted Databand with Kubernetes, make sure that your system and software meet the following requirements:

Software requirements

Kubernetes version 1.28-1.30.
Red Hat OpenShift version 4.11-4.15.
Helm 3
A Kubernetes command line tool, such as Kubectl for Kubernetes clusters or Red Hat OpenShift command-line interface for Red Hat OpenShift clusters.
A Docker tool, such as Docker, Podman, or Docker CLI.

Capability requirements

You must have two Kubernetes worker nodes for Red Hat OpenShift with at least 4 CPU and at least 16 GB of RAM available.
You must be able to create a Kubernetes service account with both Role and RoleBinding objects.
Your Kubernetes pods must be able to mount a PersistentVolumeClaim (PVC).
You must use either an internal or external PostgreSQL 16.x or later instance.
You must use either an internal or external Redis 6.x instance

Internal PostgreSQL and Redis instances exist by default in Kubernetes deployments. For production, use external PostgreSQL and Redis instances. For more information about creating and using databases, see Storage for Databand metadata.

Important: Red Hat OpenShift licensing: Databand does not bundle Red Hat OpenShift entitlement for customers. Customers who use Red Hat OpenShift with Databand must do so by using a separate entitlement. If you use a Red Hat OpenShift entitlement that is bundled with other IBM products, you might be restricted from using the entitlement for any other product except what the Red Hat OpenShift was originally bundled with. Customers who use an entitlement that is attained from other IBM products to install Databand might be out of compliance based on the terms of that product's license.

Preparing your environment, Docker registry, and value files

Before you can install the Databand Helm chart, you must prepare your environment, your Docker registry, and your value files. To prepare for installation, complete the following steps:

Download databand-version-helm-chart.tar.gz from IBM Passport and extract it with:
```
tar -xvf databand-<version>-helm-chart.tar.gz
```
Upload Docker images from databand-version-images.tar to your private registry by using Docker utility:
```
docker load -i - to load to local docker tag
```
Use Docker push to upload to the registry:
```
docker image push
```
Extract the file from databand-version.tgz with:
```
tar -xvf databand-<version>-helm-chart.tar.gz
```

Copy the user-values.yaml.example file to user-values.yaml. Use user-values.yaml as the main file to override default values from values.yaml. Don't directly edit values.yaml or values-ocp.yaml.

## user-values.yaml
global:
  databand:
    image:
      repository: <YOUR_REPOSITORY_FOR_DATABAND_IMAGES>
      tag: <YOUR_TAG_FOR_DATABAND_IMAGES>
    imageCredentials:
      registry: <YOUR_REGISTRY_FOR_DATABAND_IMAGES>
      username: <YOUR_USERNAME>
      password: <YOUR_PASSWORD>

Set your image properties in user-values.yaml as in the following example:

## user-values.yaml
databand:
  initContainers:
    wait_web:
      image:
        repository: <YOUR_REPOSITORY_FOR_BUSYBOX_IMAGE>
        tag: <YOUR_TAG_FOR_BUSYBOX_IMAGE>

prometheus:
  server:
    image:
      repository: <YOUR_REPOSITORY_FOR_PROMETHEUS_IMAGE>
      tag: <YOUR_TAG_FOR_PROMETHEUS_IMAGE>
  configmapReload:
    image:
      repository: <YOUR_REPOSITORY_FOR_CONFIGMAPRELOAD_IMAGE>
      tag: <YOUR_REPOSITORY_FOR_CONFIGMAPRELOAD_IMAGE>

Generate two Databand secrets and enter them into the user-values.yaml file.
1. For the first secret, generate a fernet key by using the following command:
```
dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64
```
2. Next, override the default fernet key in user-values.yml by using:
```
## user-values.yaml
databand:
  fernetKey: "<GENERATED_FERNET_KEY_FROM_COMMAND_ABOVE>"
```
3. For the second secret, generate a webserver secret by using the following command:
```
head -c 32 /dev/urandom | base64 | tr -d =
```
4. Next, override the default webserver secret in user-values.yaml by using:
```
## user-values.yaml
web:
  secret_key: "<GENERATED_WEBSERVER_SECRET_FROM_COMMAND_ABOVE>"
```

The default username and password are both databand. Use the following sample to create your own username and password:

## user-values.yaml
web:
  default_user:
    disabled: false
    role: "Admin"
    username: "databand"
    email: "support@databand.ai"
    firstname: "databand"
    lastname: "databand"
    password: "databand"

Specifying other environment variables

You can specify more environment variables by using the same format as in the .spec.containers.env file of your pod. These environment variables are mounted on the web, or in scheduler or worker pods. You can use this feature to pass other secret environment variables to Databand.

The following example shows how to pass a fernet key. Make sure to create your first databand secrets before you create other environment variables.

## user-values.yaml

extraEnv:
  - name: DBND__WEBSERVER__FERNET_KEY
    valueFrom:
      secretKeyRef:
        name: databand
        key: fernet-key

Installing the Databand Helm chart on your cluster

Installing and upgrading the Databand Helm chart follows the same process.

To install or upgrade the Databand Helm chart on your Kubernetes Red Hat OpenShift cluster, run the following command:

 helm upgrade databand --install --create-namespace --namespace databand-system --values ./user-values.yaml .

After the installation or update completes successfully, run the following command to get the status of the Helm chart:

helm status databand --namespace databand-system

Installation defaults

Installation of the Databand Helm chart includes the following defaults:

All names are automatically prefixed with the release name to avoid collisions.
A single endpoint for the Databand UI is exposed, which can be placed either at the root of the domain or at the subpath, for example http://mycompany.com/databand/.
The local PostgreSQL database is used as the default database.

High availability mode

By default, Databand installs in a single-mode configuration. To enable high availability (HA) mode for Databand, set the following values in user-values.yaml:

## user-values.yaml
databand:
  ha:
    enabled: true
    replicaCount: 2

Creating users

During the Databand installation, no users are created. Users are automatically provisioned when you log in with SSO. To manually create users, run the following script:

./databand-cmd.sh create-user

Deploying Databand to the Red Hat OpenShift Container Platform

By default, all Databand-related workloads have a disabled securityContext in values-ocp.yaml.

After you install Databand on your machine, choose one of the following options to deploy Databand to your Red Hat OpenShift Container Platform and set Red Hat OpenShift pod and container securityContext values according to the security context constraints (SCCs) of your Red Hat OpenShift cluster.

Option 1: Keep the securityContext disabled, as is the default. When you deploy the chart, the admission controller for the Red Hat OpenShift cluster SCC can dynamically inject securityContext. This injection is based on the configured Red Hat OpenShift SCC values, and provides greater portability between different Red Hat OpenShift versions.
Option 2: Set securityContext values for both the pod and container as desired by the user or cluster administrator. Deploy the chart by using corresponding Helm values in values-ocp.yaml. For more information about the available parameters, see the values-ocp.yaml file.

To upgrade or install the Databand chart in your Red Hat OpenShift cluster, run the following command:

 helm upgrade databand --install --create-namespace --namespace databand-system --values ./values-ocp.yaml --values ./user-values.yaml .

After the installation or upgrade completes successfully, run the following command to get the status of the chart:

helm status databand --namespace databand-system

Customizing your Databand configuration

You can use the Ingress of your choice to customize your Databand configuration. The following sections provide examples of a common Ingress configuration and a Google Kubernetes Engine (GKE) Ingress configuration.

Using a common Ingress configuration

The Helm chart has an Ingress configuration that you can use to customize the installation for your needs. The Ingress controller must be provisioned in your cluster. For more details on how to configure your reverse proxy or load balancer, see the values.yaml file.

## user-values.yaml

ingress:
  enabled: true
  web:
    host: <DATABAND_EXTERNAL_URL>
    ## To enable TLS
    tls:
      ## Set to "true" to enable TLS termination at the Ingress controller level
      enabled: false
      ## If enabled, set "secretName" to the secret containing the TLS private key and certificate
      ## Example:
      ## secretName: example-com-crt

Using a GKE Ingress configuration

The Helm chart contains a local GKE Ingress configuration with BackendConfig object that you can customize with the following values:

## user-values.yaml

## GKE Ingress requires NodePort Service type
databand:
  service:
    type: NodePort

ingress:
  enabled: true
  backendconfig:
    enabled: true
  web:
    host: <DATABAND_EXTERNAL_URL>
    annotations:
      ## Set a GKE Ingress annotation
      ## External Load balancer
      ## To provision internal Load Balancer, set the value of annotation to "gce-internal"
      kubernetes.io/ingress.class: "gce"
      ## Set to false to disable http and use Load Balancer with https only
      kubernetes.io/ingress.allow-http: "true"
    ## To enable TLS
    tls:
      ## Set to "true" to enable TLS termination at the ingress controller level
      enabled: false
      ## If enabled, set "secretName" to the secret containing the TLS private key and certificate
      ## Example:
      ## secretName: example-com-crt

Accessing the Databand web interface

After you install and deploy Databand with Red Hat OpenShift, you can use the following YAML configuration to access the Databand web interface.

Copy the following configuration into the route.yaml file:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: databand
  namespace: databand
  labels:
    app: databand
    app.kubernetes.io/managed-by: Helm
    chart: databand-<version>
    component: web
    heritage: Helm
    release: databand
  annotations:
    openshift.io/host.generated: 'true'
spec:
  to:
    kind: Service
    name: databand-web
    weight: 100
  port:
    targetPort: web
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None

Next, apply it to your cluster by using:
```
oc apply -f route.yaml
```

You can now access the Databand web interface.