In a hybrid deployment, Splunk AppDynamics On-Premises Virtual Appliance leverages your current Controller, Events Service, and End User Monitoring components from Splunk AppDynamics On-Premises and installs Anomaly Detection and Cisco Secure Application Services in your Kubernetes cluster.

Prepare to Install Splunk AppDynamics Services

Complete the following steps to prepare the environment:

  1. Enable SSL on your standalone Controller. See Controller SSL and Certificates.
  2. Log in to the console of the primary node using the appduser credentials.
    This node is considered the primary node after you create a three-node cluster.
  3. Navigate to the following folder:

    cd /var/appd/config
  4. Edit the globals.yaml.gotmpl file with the required configuration.

    vi globals.yaml.gotmpl
    1. Specify the Controller key and the account name.
    2. Enable the hybrid mode.
    3. Set the Controller domain name.
    4. Configure the port to access the standalone Controller.
    5. Set the sslEnabled field to true.
    6. Upload the Controller CA certificates for the standalone Controller.
    7. Configure the MySQL host. It is the same host as the Controller domain.
    8. Configure a port for the standalone Controller database.
    9. Update the MySQL CA certificates, which are located in <controller-home>/platform/product/controller/db/data/ca.pem.
    10. (Optional) Update CA certificates for Kafka in the hybrid.kafka section of globals.yaml.gotmpl.
    11. (Optional) Configure a custom ingress certificate (by default the ingress controller installs a fully-configured self-signed certificate). The custom ingress certificate needs certain SANs added to it. Run the following script on the console of your primary node to view a list of SANs. Add those SANs to your custom ingress certificate. See ingress in Customize the Helm File for instructions on how to configure the custom ingress certificate and key. 
      #!/bin/bash
      set -euo pipefail
      TENANT=$(helm secrets decrypt /var/appd/config/secrets.yaml.encrypted  | yq .hybrid.controller.tenantAccountName)
      DNS_DOMAIN=$(grep -v "^ *\t* *{{" /var/appd/config/globals.yaml.gotmpl | yq -r '.dnsDomain')
      DNS_NAMES=$(grep -v "^ *\t* *{{" /var/appd/config/globals.yaml.gotmpl | yq -r '.dnsNames|join(" ")')
      echo Verify the Virtual Appliance tenant should be \'${TENANT}\'
      echo Verify the Virtual Appliance domain name should be \'${DNS_DOMAIN}\'
      echo Verify the Virtual Appliance node names are: ${DNS_NAMES}
      
      echo If creating and importing into VA a Custom Ingress Certificate, include the following SANs:
      for server_name in "$DNS_DOMAIN" "${TENANT}.${DNS_DOMAIN}" "*.${DNS_DOMAIN}" "${TENANT}.auth.${DNS_DOMAIN}" "${TENANT}-tnt-authn.${DNS_DOMAIN}" $DNS_NAMES; do
              echo "  ${server_name}"
      done

      Sample output of the script above: 
      Verify the Virtual Appliance tenant should be 'customer1'
      Verify the Virtual Appliance domain name should be 'va.mycompany.com'
      Verify the Virtual Appliance node names are: localhost vanodename-1
      If creating and importing into VA a Custom Ingress Certificate, include the following SANs:
        va.mycompany.com
        customer1.va.mycompany.com
        *.va.mycompany.com
        customer1.auth.va.mycompany.com
        customer1-tnt-authn.va.mycompany.com
        localhost
        vanodename-1



  5. Edit the /var/appd/config/secrets.yaml file to update the following:

    vi secrets.yaml
    1. Update the Controller and MySQL credentials.

      hybrid:
        controller:
          controllerKey: <string>
          tenantAccountName: <tenant-name>
          rootUsername: root
          rootPassword: '<root-password>'
          rootAccountname: system
          adminUsername: admin
          adminPassword: '<admin-password>'
        mysql:
          dbUser: secapp
          dbPassword: '<string>'
    2. Edit the usernames and passwords of the Splunk AppDynamics services.

      When you install the Splunk AppDynamics service, the secrets.yaml file becomes encrypted.


      See Edit the secrets.yaml.encrypted File.
  6. Save the following script on the console of your primary virtual appliance node as hybridinfo.sh and run it. Follow the instructions in its output: 
    #!/bin/bash
    set -euo pipefail
    TENANT=$(helm secrets decrypt /var/appd/config/secrets.yaml.encrypted  | yq .hybrid.controller.tenantAccountName)
    CONTROLLER_DNS_DOMAIN=$(grep -v "^ *\t* *{{" /var/appd/config/globals.yaml.gotmpl | yq -r '.hybrid.controller.domainName')
    DNS_DOMAIN=$(grep -v "^ *\t* *{{" /var/appd/config/globals.yaml.gotmpl | yq -r '.dnsDomain')
    echo Verify the Virtual Appliance tenant should be \'${TENANT}\'
    echo Verify the Virtual Appliance domain name should be \'${DNS_DOMAIN}\'
    echo Verify the Controller domain name should be \'${CONTROLLER_DNS_DOMAIN}\'
     
    echo When creating and importing the Controller Server Certificate, include the following SANs:
    for server_name in "${CONTROLLER_DNS_DOMAIN}" "${TENANT}-tnt-con.${DNS_DOMAIN}" "${TENANT}-tnt-con.${CONTROLLER_DNS_DOMAIN}"; do
      echo "  ${server_name}"
    done
    for server_name in "$CONTROLLER_DNS_DOMAIN" "${TENANT}.${CONTROLLER_DNS_DOMAIN}" "${TENANT}-tnt-con.${DNS_DOMAIN}" "${TENANT}-tnt-con.${CONTROLLER_DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please add DNS entry for ${server_name} for controller host IP, VA is not able to resolve it currently"
      fi
    done
    for server_name in "${TENANT}.auth.${DNS_DOMAIN}" "${TENANT}-tnt-authn.${DNS_DOMAIN}"; do
      if ! getent hosts "${server_name}" > /dev/null; then
        echo "Please double-check on standalone controller that DNS can resolve entry for ${server_name} as VA ingress IP"
      fi
    done

    Sample script invocation: 
    appduser@nodename-1:~$ bash ./hybridinfo.sh

    Sample output: 
    Verify the Virtual Appliance tenant should be 'customer1'
    Verify the Virtual Appliance domain name should be 'va.mycompany.com'
    Verify the Controller domain name should be 'controller.mycompany.com' 
    When creating and importing the Controller Server Certificate, include the following SANs:
      controller.mycompany.com
      customer1-tnt-con.va.mycompany.com
      customer1-tnt-con.controller.mycompany.com
    Please add DNS entry for controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1.controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1-tnt-con.va.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please add DNS entry for customer1-tnt-con.controller.mycompany.com for controller host IP, VA is not able to resolve it currently
    Please double-check on standalone controller that DNS can resolve entry for customer1.auth.va.mycompany.com as VA ingress IP
    Please double-check on standalone controller that DNS can resolve entry for customer1-tnt-authn.va.mycompany.com as VA ingress IP 


  7. Update the firewall rules to allow the standalone Controller to access the Kafka ports in the Kubernetes cluster. Update the firewall rule on each cluster node.

    sudo ufw allow AppdNodePorts
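
The SAN lists printed in steps 4 and 6 can be checked against a certificate before it is imported. The following is an added example, not part of the product documentation: the function names and the sample SAN text are constructed for illustration, and each name must appear verbatim in the certificate, as the scripts above list them.

```bash
#!/bin/bash
# Added example; not part of the product documentation. POSIX-compatible.
set -eu

# Names the step 4 script lists for the custom ingress certificate.
ingress_required_sans() (
  tenant=$1; domain=$2; shift 2
  printf '%s\n' "$domain" "${tenant}.${domain}" "*.${domain}" \
    "${tenant}.auth.${domain}" "${tenant}-tnt-authn.${domain}" "$@"
)

# Names hybridinfo.sh lists for the Controller server certificate.
controller_required_sans() (
  tenant=$1; domain=$2; controller=$3
  printf '%s\n' "$controller" "${tenant}-tnt-con.${domain}" \
    "${tenant}-tnt-con.${controller}"
)

# DNS entries, one per line, from `openssl x509 -noout -ext subjectAltName` text.
san_dns_names() (
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
)

# Read required names on stdin; print those the SAN text ($1) does not list verbatim.
missing_sans() (
  present=$(san_dns_names "$1")
  while IFS= read -r required; do
    printf '%s\n' "$present" | grep -Fxq -- "$required" || printf '%s\n' "$required"
  done
)

# Same check against a PEM file ($1); needs OpenSSL 1.1.1 or later for -ext.
check_cert_sans() (
  san_text=$(openssl x509 -in "$1" -noout -ext subjectAltName)
  missing_sans "$san_text"
)

# Constructed sample: SAN text of an ingress certificate that omits one name.
SAMPLE_SAN_TEXT='X509v3 Subject Alternative Name:
    DNS:va.mycompany.com, DNS:customer1.va.mycompany.com, DNS:*.va.mycompany.com, DNS:customer1.auth.va.mycompany.com, DNS:localhost, DNS:vanodename-1'

demo() {
  ingress_required_sans customer1 va.mycompany.com localhost vanodename-1 |
    missing_sans "$SAMPLE_SAN_TEXT"
}
demo
```

To check a real certificate file, pipe the required list into `check_cert_sans <file>`; empty output means every listed name is present.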

Create a Three-Node Cluster

  1. Log in to the primary node console.
  2. Verify the boot status of each node of the cluster:
    appdctl show boot

    • Ensure that the status of the services on each node appears as Success. Otherwise, restart the virtual machine that failed.
      If it is still failing, you might have to redeploy the virtual machine.
    • Ensure that the same time is configured on all the cluster nodes.
  3. Run the following command in the primary node and specify the IP address of the peer nodes:

    cd /home/appduser
    appdctl cluster init <Node-2-IP> <Node-3-IP>
  4. Run the following command to verify the node status:

    appdctl show cluster
    microk8s status

    Ensure that the output displays the Running status as true for the nodes that are part of the cluster.

    Sample Output

     NODE           | ROLE  | RUNNING 
    ----------------+-------+---------
     10.0.0.1:19001 | voter | true    
     10.0.0.2:19001 | voter | true    
     10.0.0.3:19001 | voter | true 

    If the following error appears, log in to the terminal again:

    Insufficient Permissions to Access Microk8s

Configure the Standalone Controller in Splunk AppDynamics On-Premises

  1. Log in to the Controller database by using the following path:
    <controller-home>/bin/controller.sh login-db
  2. Connect to the MySQL database.
  3. Run this command on the Virtual Appliance primary node to get the value of dbUser:
    helm secrets decrypt /var/appd/config/secrets.yaml.encrypted | yq .hybrid.mysql.dbUser
  4. Run this command on the Virtual Appliance primary node to get the value of dbPassword:
    helm secrets decrypt /var/appd/config/secrets.yaml.encrypted | yq .hybrid.mysql.dbPassword
  5. Drop and create the <dbUser> for Cisco Secure Application Services and grant permissions to access the Controller database, replacing <dbUser> and <dbPassword> with the values you retrieved:
    DROP USER <dbUser>;
    CREATE USER '<dbUser>'@'%' identified by '<dbPassword>' REQUIRE SSL;
    GRANT USAGE ON *.* TO `<dbUser>`@`%`;
    GRANT SELECT ON `controller`.* TO `<dbUser>`@`%`;

Install Services in the Cluster

  1. Log in to the cluster node console.
  2. Run the command to install services:

    appdcli start appd small

    appdcli start appd medium

    This command installs the Splunk AppDynamics services. We recommend that you specify the same VA profile that you selected when you created the virtual machine. See Virtual Appliance Sizing.

    Sample Output

    NAME               CHART                     VERSION   DURATION
    cert-manager-ext   charts/cert-manager-ext   0.0.1           0s
    ingress-nginx      charts/ingress-nginx      4.8.3           1s
    redis-ext          charts/redis-ext          0.0.1           1s
    ingress            charts/ingress            0.0.1           2s
    cluster            charts/cluster            0.0.1           2s
    reflector          charts/reflector          7.1.216         2s
    monitoring-ext     charts/monitoring-ext     0.0.1           2s
    minio-ext          charts/minio-ext          0.0.1           2s
    eum                charts/eum                0.0.1           2s
    fluent-bit         charts/fluent-bit         0.39.0          2s
    postgres           charts/postgres           0.0.1           2s
    mysql              charts/mysql              0.0.1           3s
    redis              charts/redis              18.1.6          3s
    controller         charts/controller         0.0.1           3s
    events             charts/events             0.0.1           4s
    cluster-agent      charts/cluster-agent      1.16.37         4s
    kafka              charts/kafka              0.0.1           6s
    minio              charts/minio              5.0.14         47s
  3. Verify the status of the installed pods and service endpoints:
    • Pods: kubectl get pods --all-namespaces

Generate the Hybrid Configuration File

If you skipped updating the CA certificates, you must regenerate the hybrid configuration file after restarting a Virtual Appliance service.


  1. Run the script to connect the Kafka node ports with the standalone controller:

    appduser@appd-demo-2:~/appd-charts/utils$ bash prepare-hybrid.sh

    Sample Output

    Writing Kafka CA Cert
    Writing Schema registry CA Cert
    Writing AnomalyDetectionKafkaSSLProducer
    Writing AnomalyDetectionKafkaConsumerSSL
    Writing configure script
    Creating archive of hybrid config
    hybrid-config/
    hybrid-config/kafka-ca.crt
    hybrid-config/AnomalyDetectionKafkaConsumerSSL
    hybrid-config/configure.sh
    hybrid-config/schema-registry-ca.crt
    hybrid-config/AnomalyDetectionKafkaSSLProducer
    Completed

    This script generates the hybrid-config.tar file that includes the required configuration files.

  2. Copy the hybrid-config.tar file to your standalone controller instance.
  3. Locate and extract the hybrid-config.tar file contents.

Configure the Controller Properties by Using the Kubernetes Cluster CLI

If you skipped updating the CA certificates, you must configure these Controller properties by using the Kubernetes cluster CLI after restarting a Virtual Appliance service.


  1. Log in to your Kubernetes Cluster.
  2. Run the command to update the standalone Controller properties:

    appdcli run bootstrap_hybrid

    This command configures the following properties in the Controller:

    Key: anomaly.detection.enabled, Value: true
    Key: anomaly.detection.deployed.onprem, Value: true
    Key: controller.id, Value: onprem
    Key: controller.unique.id, Value: onprem
    Key: anomaly.detection.kafka.consumer.group.id, Value: pi-alarmservice-transition-consumer-group-onprem
    Key: anomaly.detection.kafka.consumer.topic, Value: pi-alarmservice-transition-onprem
    Key: anomaly.detection.kafka.producer.topic, Value: metadata-lifecycle-events
    Key: anomaly.detection.onprem.output.topic, Value: blitz-processed-metrics
    Key: anomaly.detection.schema.registry.enabled, Value: true
    Key: anomaly.detection.consumer.schema.registry.url, Value: https://10.0.0.1.nip.io/schemaregistry
    Key: anomaly.detection.producer.schema.registry.url, Value: https://10.0.0.2.nip.io/schemaregistry
    Key: anomaly.detection.kafka.consumer.bootstrap.servers, Value: 10.0.0.1:32101
    Key: anomaly.detection.kafka.producer.bootstrap.servers, Value: 10.0.0.2:32102
    Key: anomaly.detection.kafka.producer.ssl.enabled, Value: true
    Key: anomaly.detection.kafka.consumer.ssl.enabled, Value: true
    Key: anomaly.detection.service.url, Value: https://10.0.0.1.nip.io/pi

    Alternatively, you can access the administration console by using the Kubernetes cluster IP address and manually edit each parameter.

  3. Run the configure.sh script to provision the Controller with the certificates and secrets it needs to connect to the Kubernetes cluster:
    This script is extracted from the hybrid-config.tar file. See how to obtain the hybrid-config.tar file.

    $ bash configure.sh
    Usage: configure.sh <controller-home> <keystore-passwd>
    Using controller home as /opt/appdynamics and keystore password as changeit
    Do you want to proceed? (y/n): y
    Creating Kafka truststore
    Certificate was added to keystore
    Creating schema registry truststore
    Certificate was added to keystore
    Writing obfuscated producer config
    Writing obfuscated consumer config
    Completed
  4. Restart the Controller using these commands:
    cd ~/appdynamics/platform/product/controller/bin/
    ./controller.sh stop
    ./controller.sh start  

Install the Anomaly Detection Services in the Cluster

  1. Log in to the cluster node console.
  2. Run the command to install services:

    appdcli start aiops small

    appdcli start aiops medium

  3. Verify the status of the installed pods and service endpoints:
    • Pods: kubectl get pods --all-namespaces

    • Service endpoints: appdcli ping

See Anomaly Detection.

Sometimes, an IOException error occurs when you access Anomaly Detection in the Controller UI. See Troubleshoot Virtual Appliance Issues.


(Optional) Install Cisco Secure Application 

See Install Cisco Secure Application.


Download Splunk AppDynamics Agents

Splunk AppDynamics On-Premises Virtual Appliance supports installing the Splunk AppDynamics agents. Download the agents from the Download Portal.

For more information, see: