Installation on Google Cloud Platform via GKE

Overview

This guide covers the installation of CAST Imaging on Google Cloud Platform Google Kubernetes Engine (GKE) using Helm charts.

Requirements

Access to Docker Hub registry - CAST Imaging Docker images are available as listed in the table below
A clone of the latest release branch from the Git repository containing the Helm chart scripts: git clone https://github.com/CAST-Extend/com.castsoftware.castimaging-v3.kubernetessetup (to clone an older release, add the “-b x.x.x” flag with the desired release number).
A valid CAST Imaging License
Optional setup choices:
- Deploy the Kubernetes Dashboard (https://github.com/kubernetes/dashboard ) to troubleshoot containers and manage the cluster resources.

Docker images

CAST Imaging is provided in a set of Docker images as follows:

CAST Imaging component	Image name	URL
`imaging-services`	Gateway	https://hub.docker.com/r/castimaging/gateway
`imaging-services`	Control Panel	https://hub.docker.com/r/castimaging/admin-center
`imaging-services`	SSO Service	https://hub.docker.com/r/castimaging/sso-service
`imaging-services`	Auth Service	https://hub.docker.com/r/castimaging/auth-service
`imaging-services`	Console	https://hub.docker.com/r/castimaging/console
`dashboards`	Dashboards	https://hub.docker.com/r/castimaging/dashboards-v3
`analysis-node`	Analysis Node	https://hub.docker.com/r/castimaging/analysis-node
`imaging-viewer`	ETL	https://hub.docker.com/r/castimaging/etl-service
`imaging-viewer`	AI Service	https://hub.docker.com/r/castimaging/ai-service
`imaging-viewer`	API Service	https://hub.docker.com/r/castimaging/imaging-apis
`imaging-viewer`	Viewer Server	https://hub.docker.com/r/castimaging/viewer
`imaging-viewer`	Neo4j	https://hub.docker.com/r/castimaging/neo4j
`imaging-viewer`	MCP Server	https://hub.docker.com/r/castimaging/imaging-mcp-server
`extend-local-server`	Extend Proxy	https://hub.docker.com/r/castimaging/extend-proxy
`utilities`	Init Container	https://hub.docker.com/r/castimaging/init-util

Installation process

Before starting the installation, ensure that your Kubernetes cluster is running, all the CAST Imaging docker images are available in the registry and that helm and kubectl are installed on your system.

Step 1 - GKE environment setup

Create your GKE environment, see GKE - Cluster Setup. Also refer to the Google documentation
Retrieve the cluster credentials using GCP CLI:

gcloud container clusters get-credentials my-cluster --zone=my-zone

Install kubectl - see https://kubernetes.io/docs/tasks/tools/
Install helm:
- Binary download: https://github.com/helm/helm/releases
- Documentation: https://helm.sh/docs/intro/quickstart/

Step 2 - Prepare and run the CAST Imaging installation

Review and adjust the parameter values in the values.yaml file (located at the root of the cloned Git repository branch) in between the section separated with # marks.
Ensure you set the K8SProvider: option to GKE
Run helm-install.bat|sh (depending on your base OS) located at the root of the cloned Git repository branch

Step 3 - Configure network settings for console-gateway (main entrypoint), mcp-server (optional) and extendproxy (optional) services

To access those 3 services from outside, you will need to setup a reverse proxy such as an Ingress Service.

If you want to use a Kubernetes NGINX Ingress

Set CreateIngress: true in values.yaml:

CreateIngress: true

Install the Ingress driver on the cluster:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update        
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace --set controller.ingressClassResource.controllerValue="k8s.io/ingress-nginx"

Alternate Ingress driver installation - Internal IP: append this option to the command in case you want the Ingress to use Internal IP adresses rather than public ones (Ingress will not be reachable from the internet)

--set controller.service.annotations."networking\.gke\.io/load-balancer-type"="Internal"

Create TLS Secret(s) using the certificate files associated to the DNS name(s) you are planning to use:

kubectl create secret tls tls-secret-cast --cert=my-cert-folder\myhostname.com\fullchain.pem --key=my-cert-folder\myhostname.com\privkey.pem -n castimaging-v3
kubectl create secret tls tls-secret-cast-extend --cert=my-cert-folder\myextendhostname.com\fullchain.pem --key=my-cert-folder\myextendhostname.com\privkey.pem -n castimaging-v3
kubectl create secret tls tls-secret-cast-mcp --cert=my-cert-folder\mymcphostname.com\fullchain.pem --key=my-cert-folder\mymcphostname.com\privkey.pem -n castimaging-v3
# (fullchain.pem <=> tls.crt ; privkey.pem <=> tls.key)

If you want to use the same hostname for the 3 services, just create the 3 secrets using the same certificate files.

If you want to use an Istio Ingress Gateway

Set CreateIstioGateway: true in values.yaml:

CreateIstioGateway: true

Install Istio on the cluster (Linux/Mac):

curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
istioctl install --set profile=default -y

Install Istio on the cluster (Windows - PowerShell using Chocolatey):

choco install istioctl
istioctl install --set profile=default -y

Install Istio on the cluster (Windows - PowerShell using manual download and install of a specific version)

$ISTIO_VERSION="1.28.0"  # Check https://github.com/istio/istio/releases for latest
Invoke-WebRequest -Uri "https://github.com/istio/istio/releases/download/$ISTIO_VERSION/istio-$ISTIO_VERSION-win.zip" -OutFile "istio.zip"
Expand-Archive -Path "istio.zip" -DestinationPath "." -Force
cd "istio-$ISTIO_VERSION"
$env:PATH = "$PWD\bin;$env:PATH"
istioctl install --set profile=default -y

Important note: istio-injection should not be enabled on CAST Imaging namespace

Create TLS Secret(s) using the certificate files associated to the DNS name(s) you are planning to use (to be created in the istio-system namespace):

kubectl create secret tls tls-secret-cast --cert=my-cert-folder\myhostname.com\fullchain.pem --key=my-cert-folder\myhostname.com\privkey.pem -n istio-system
kubectl create secret tls tls-secret-cast-extend --cert=my-cert-folder\myextendhostname.com\fullchain.pem --key=my-cert-folder\myextendhostname.com\privkey.pem -n istio-system
kubectl create secret tls tls-secret-cast-mcp \--cert=my-cert-folder\mymcphostname.com\fullchain.pem --key=my-cert-folder\mymcphostname.com\privkey.pem -n istio-system
# (fullchain.pem <=> tls.crt ; privkey.pem <=> tls.key)

If you want to use the same hostname for the 3 services, just create the 3 secrets using the same certificate files.

Optional - When Istio or NGINX Ingress is implemented to access the console-gateway service with a certificate that cannot be verified (e.g., self-signed certificate or internal CA), the certificate will need to be stored in CAST auth-service to avoid certificate validation errors:

set: UseCustomTrustStore: true in values.yaml
Insert the encoded certificate:
- directly inside the auth.caCertificate variable in values.yaml
- or using helm upgrade ... --set-file auth.caCertificate=ca.crt ... to override the variable value with the ca.crt file content

UseCustomTrustStore: true
auth:
  caCertificate: |
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-----

Final steps (Istio or NGINX Ingress):

Set hostnames in values.yaml - Option A: use same hostname for all 3 services

FrontEndHost: https://myhostname.com 
ExtendProxy
  enable: true
  exthostname: myhostname.com
McpServer
  enable: true
  exthostname: myhostname.com

Exposed URLs will be:
https://myhostname.com (or https://myhostname.com/mycontext if ContextUrl is enabled)
https://myhostname.com/mcp
https://myhostname.com/extendproxy

Set hostnames in values.yaml - OPTION B: use different hostname is used for each service in values.yaml:

FrontEndHost: https://myhostname.com 
ExtendProxy
  enable: true
  exthostname: myextendhostname.com
McpServer
  enable: true
  exthostname: mymcphostname.com

Exposed URLs will be:
https://myhostname.com (or https://myhostname.com/mycontext if ContextUrl is enabled)
https://mymcphostname.com/mcp
https://myextendhostname.com/extendproxy

Apply the helm chart changes by running helm-upgrade.bat|sh (depending on your base OS) located at the root of the cloned Git repository branch.
Create a DNS record pointing at the reverse proxy external IP address.
To retrieve the external IP:

# For an NGINX Ingress, use this command:
kubectl get ingress -n castimaging-v3
#
# For an Istio Ingress, use this command:
kubectl get service istio-ingressgateway -n istio-system

Step 4 - Install Extend Local Server (optional)

If you need to install Extend Local Server as an intermediary placed between CAST Imaging and CAST’s publicly available “Extend” ecosystem https://extend.castsoftware.com , follow the instructions below. This step is optional and if not completed, CAST Imaging will access https://extend.castsoftware.com to obtain required resources.

Retrieve the Extend Local Server external IP address by running kubectl get service -n castimaging-v3 extendproxy
In values.yaml (located at the root of the cloned Git repository branch), set ExtendProxy.enable to true and update the ExtendProxy.exthostname variable with the external IP address:

ExtendProxy:
    enable: true
    exthostname:  myextendhost.com

Run helm-upgrade.bat|sh (depending on your base OS) located at the root of the cloned Git repository branch.
Review the log of the extendproxy pod to find the Extend Local Server administration URL and API key (these are required for managing Extend Local Server and configuring CAST Imaging to use it - you can find out more about this in Extend Local Server). You can open the log file from the Kubernetes Dashboard (if you have chosen to install it). Alternatively, you can get the extendproxy pod name by running kubectl get pods -n castimaging-v3 then run kubectl logs -n castimaging-v3 castextend-xxxxxxxx to display the log.

Step 5 - Initial start up configuration

When the install is complete, browse to the public/external URL and login using the default local admin/admin credentials. You will be prompted to configure:

your licensing strategy. Choose either a Named Application strategy (where each application you onboard requires a dedicated license key entered when you perform the onboarding), or a Contributing Developers strategy (a global license key based on the number of users):

License key

CAST Extend settings / Proxy settings (if you chose to install Extend Local Server (see Step 4 above) then you now need to input the URL and API key so that CAST Imaging uses it).

CAST Extend settings

As a final check, browse to the URL below and ensure that you have at least one CAST Imaging Node Service, the CAST Dashboards and the CAST Imaging Viewer components listed:

https://<public or external URL>/admin/services

Services

Step 6 - Configure authentication

Out-of-the-box, CAST Imaging is configured to use Local Authentication via a simple username/password system. Default login credentials are provided (admin/admin) with the global ADMIN profile so that installation can be set up initially.

CAST recommends configuring CAST Imaging to use your enterprise authentication system such as LDAP or SAML Single Sign-on instead before you start to onboard applications. See Authentication for more information.

How to start and stop CAST Imaging

Use the following script files (located at the root of the cloned Git repository branch) to stop and start CAST Imaging:

Util-ScaleDownAll.bat|sh
Util-ScaleUpAll.bat|sh

Optional setup choices

Install Kubernetes Dashboard

Please refer to the Kubernetes Dashboard documentation at https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ .