Home
MATRIXX Installation and Upgrade
The Admin Service
Operations teams can use the Admin Service to administer a MATRIXX deployment with domain-specific commands based on the components that are installed. It allows administration of the installation without providing unrestricted direct access to the Kubernetes cluster. You can secure commands based on user roles and audit command usage.
Role-Based Access Control
The Admin Service permissions to run commands in the Kubernetes cluster across all namespaces must be limited to necessary permissions.
Command Discovery Permissions
The Admin Service uses Custom Resource Definitions (CRDs) to discover executable commands. Permissions are required to use these resources across all namespaces in the cluster.

Welcome
MATRIXX Release Notes
MATRIXX Architecture
MATRIXX Installation and Upgrade
- About MATRIXX Installation and Upgrade
  MATRIXX Installation and Upgrade describes the tasks required to install MATRIXX components as containers using Kubernetes and Helm.
- Cloud Native Infrastructure Requirements
  Cloud native MATRIXX deployments have infrastructure requirements for third-party software versions, Kubernetes pod characteristics, and container characteristics. Nodes running MATRIXX components have operating system, memory, networking, and storage requirements.
- Topology Operator and Engine Operator Feature Differences
  Different MATRIXX features are supported depending on whether your installation is based on Topology Operator or Engine Operator.
- Installing MATRIXX
  A cloud native MATRIXX installation consists of containers installed with the MATRIXX Helm chart in a multi-node Kubernetes cluster (or clusters), requiring MATRIXX images and MATRIXX Engine custom resource definitions and controllers.
- Topology Operator Installation and Upgrade Examples
  These examples show how you can configure the installation of multiple MATRIXX Engines in a single namespace, multiple namespaces in a single cluster, and multiple clusters.
- Configuring MATRIXX
  MATRIXX is configured using Helm properties. Questions and answers in create_config.info files can also provide configuration using configuration sources. For information about how to configure MATRIXX, see the discussions of those topics in MATRIXX Configuration.
- Topology Operator
  The Topology Operator method of MATRIXX Engine pod management utilizes multiple custom resources (CRs) and operator pods working together to manage the installation and upgrade of multiple sub-domains and engines across Kubernetes clusters, including the loading of pricing and taxation data.
- Scaling MATRIXX
  Use Helm and Kubernetes to manually add or remove pods as necessary. You can also use Kubernetes to manage resources available to MATRIXX Engine pods.
- Network Enablers in a Kubernetes Cluster
  For Call Control Framework (CCF), only the deployment of Network Enablers (NEs) in a Kubernetes cluster is different from a standard deployment.
- Deploying Cloud Native CAMEL Gateway
  When deploying CAMEL Gateway as part of the reference architecture, you can use any namespace within the Kubernetes clusters. You can make multiple deployments into multiple namespaces, for example, to have different environments for testing and production.
- Enabling MEF Publishing
  An SSH key, used for password-less SSH login, is required to enable _glossary/mef.html publishing in Kubernetes. A secret holds the SSH private key, and the key is specified in Helm values. The SSH key allows administrators to write to a target directory in a secure manner without having to enter a passphrase.
- Encrypted Interface Engine Replay Overview
  Transport-layer security (TLS) encryption can be enabled for replay between processing and publishing pods and between engines.
- MATRIXX Reference for MongoDB
  Cloud native MATRIXX deployments support MongoDB as an event store using the MongoDB Enterprise Operator for Kubernetes.
- MATRIXX Reference for Apache Kafka
  The Event Streaming Framework provides a connector for sending event stream data to Apache Kafka. Using 5G event streaming also requires Apache Kafka, which is not provided with MATRIXX. You can use a Helm chart to install and configure Apache Kafka.
- MATRIXX Reference for Ingress
  A Kubernetes Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster.
- Debugging and Failure Recovery
  MATRIXX components store log files in persistent storage on the node by default, in a persistent volume (PV) at the location specified in global.storage.localStorageDir property (/home/data by default).
- Upgrading Engine Operator-Based MATRIXX Installations
  Upgrading cloud native MATRIXX has several stages.
- Migrating to Topology Operator
  This example shows migration from a MATRIXX version XXXX deployment managed by Engine Operator to a deployment managed by Topology Operator. The same approach applies when migrating from Engine Controller.
- Migration from a Bare Metal to a Cloud Native Deployment
  Migrating from a bare metal MATRIXX deployment to a cloud native deployment (from the same MATRIXX version) requires temporarily using a hybrid platform made up of components from both deployments. This hybrid environment allows migration to the cloud native deployment without disruption of services.
- The Admin Service
  Operations teams can use the Admin Service to administer a MATRIXX deployment with domain-specific commands based on the components that are installed. It allows administration of the installation without providing unrestricted direct access to the Kubernetes cluster. You can secure commands based on user roles and audit command usage.
  - Installation and Configuration
    Install, upgrade, and apply configuration for the Admin Service using Helm commands.
  - General Configuration Properties
    admin_service/r_as_helm_properties.html#reference_wvt_ywj_4bc__table_ijl_fhr_4bc describes the properties available for configuring the Admin Service as installed in your Kubernetes cluster.
  - Application Configuration Properties
    admin_service/r_as_app_properties.html#reference_vrd_ztx_qbc__table_c3c_l5x_qbc describes the properties available for configuring Admin Service as an application.
  - Role-Based Access Control
    The Admin Service permissions to run commands in the Kubernetes cluster across all namespaces must be limited to necessary permissions.
    - Command Discovery Permissions
      The Admin Service uses Custom Resource Definitions (CRDs) to discover executable commands. Permissions are required to use these resources across all namespaces in the cluster.
    - Distributed Cache Permissions
      When deployed in a single cluster, the Admin Service uses the Kubernetes API to discover other pods to configure the distributed cache, necessitating permission to list the pods in the same namespace.
    - Execution Namespace Permissions
      The Admin Service can discover commands in namespaces where it is not deployed. These are known as execution namespaces.
  - Required Roles
    If the Admin Service has been secured with OAuth 2.0 authorization, for example with Keycloak, the user roles described in admin_service/c_as_required_roles.html#concept_umg_tjq_jcc__table_kpq_nkq_jcc must be created and assigned to the appropriate users.
  - Admin Service Data Handling
    The Admin Service retains data from commands and performs related housekeeping and sizing tasks.
  - Metrics
    Admin Service exposes metrics to Prometheus if the monitoring.enabled property is set to true. These include the standard Kubernetes and Go metrics as well as some additional application-specific metrics.
  - Admin Service in the MATRIXX Deployment
    Install the Admin Service before you install MATRIXX, or run helm upgrade of the MATRIXX Helm chart after installing the Admin Service. The MATRIXX Helm chart creates AdminCommand custom resources as long as the Admin Service CRDs have been installed first.
  - Commands
    An Admin Service command performs an action in a MATRIXX deployment. Command definitions describe how a command can be called, where it can be executed, and what actions it takes there. Commands discovered in a namespace can vary depending on what is installed in that namespace.
  - Security
    The Admin Service manages access to a MATRIXX installation. Users are restricted to well-defined commands, based on both what the commands do and the role of the user in your organization.
  - Admin Service Command Line Tool
    You run Admin Service commands using a command line interface (CLI).
  - Troubleshooting
    If something goes wrong with Admin Service, the problem is likely to be either at the level of the command or the larger Admin Service application.
- Uninstall MATRIXX Engine with Helm
  Use the helm uninstall command to uninstall MATRIXX Engine components installed from the Helm chart.
- Appendixes
MATRIXX Configuration
MATRIXX Security
MATRIXX Integration
MATRIXX Diameter Integration
MATRIXX Call Control Framework Integration
MATRIXX TM Forum Integration
MATRIXX 5G Integration
MATRIXX 5G Event Streaming
MATRIXX Event Streaming
MATRIXX Administration
MATRIXX Web App Administration
MATRIXX Monitoring and Logging
MATRIXX Policy
MATRIXX Kafka CDR Consumer
MATRIXX Pricing and Rating
MATRIXX Pay Now
MATRIXX Subscriber Management
MATRIXX Subscriber Management API
MATRIXX Business API SDK
My MATRIXX Help
MATRIXX Backoffice Customer Tool Help
MATRIXX Third-Party Licenses
Glossary

Command Discovery Permissions

The Admin Service uses Custom Resource Definitions (CRDs) to discover executable commands. Permissions are required to use these resources across all namespaces in the cluster.

The Helm chart adds the following permissions to the Admin Service service account:

rules:
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommanddiscoveryendpoints
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommanddiscoveryendpoints/finalizers
    verbs:
    - update
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommanddiscoveryendpoints/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommands
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommands/finalizers
    verbs:
    - update
  - apiGroups:
    - matrixx.matrixx.com
    resources:
    - admincommands/status
    verbs:
    - get
    - patch
    - update

Discovery must be performed by one instance of the Admin Service at a time. The Admin Service elects a leader that takes responsibility for this task. Leader election is implemented using a Kubernetes lease, which the Admin Service requires permission to create and view. This is only required within the deployment namespace.

The Helm chart adds the following leader election permissions to the service account used by the Admin Service:

rules:
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
  - apiGroups:
    - coordination.k8s.io
    resources:
    - leases
    verbs:
    - get
    - list
    - watch
    - create
    - update
    - patch
    - delete
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch