diff --git a/docs/docs-content/enterprise-version/install-palette/airgap/airgap.md b/docs/docs-content/enterprise-version/install-palette/airgap/airgap.md index 9700f67f32..3137b7d9ad 100644 --- a/docs/docs-content/enterprise-version/install-palette/airgap/airgap.md +++ b/docs/docs-content/enterprise-version/install-palette/airgap/airgap.md @@ -1,7 +1,7 @@ --- -sidebar_label: "Airgap" -title: "Airgap" -description: "Learn about Palette in an airgap environment and how to install Palette in an airgap environment." +sidebar_label: "Airgap Resources" +title: "Airgap Resources" +description: "Airgap installation resources for Palette." icon: "" sidebar_position: 10 hide_table_of_contents: false @@ -55,13 +55,11 @@ following diagram outlines the major pre-install steps for an airgap installatio To get started with an airgap Palette installation, check out the respective platform guide. -- [Kubernetes Airgap Instructions](kubernetes-airgap-instructions.md) +- [Kubernetes Airgap Instructions](../install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md) -- [VMware vSphere Airgap Instructions](vmware-vsphere-airgap-instructions.md) +- [VMware vSphere Airgap Instructions](../install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md) -Each platform guide provides detailed instructions on how to complete the pre-install steps. We also recommend you -review the [Checklist](checklist.md) to ensure you have completed all the required steps before deploying the airgap -Palette installation. +Each platform guide provides detailed instructions on how to complete the pre-install steps. ## Supported Platforms 
@@ -76,10 +74,4 @@ The following table outlines the platforms supported for airgap VerteX installat ## Resources -- [Kubernetes Airgap Instructions](kubernetes-airgap-instructions.md) - -- [VMware vSphere Airgap Instructions](vmware-vsphere-airgap-instructions.md) - -- [Checklist](checklist.md) - -- [Additional Packs](supplemental-packs.md) +- [Additional Packs](../airgap/supplemental-packs.md) diff --git a/docs/docs-content/enterprise-version/install-palette/airgap/kubernetes-airgap-instructions.md b/docs/docs-content/enterprise-version/install-palette/airgap/kubernetes-airgap-instructions.md deleted file mode 100644 index c17e757d12..0000000000 --- a/docs/docs-content/enterprise-version/install-palette/airgap/kubernetes-airgap-instructions.md +++ /dev/null 
@@ -1,363 +0,0 @@ ---- -sidebar_label: "Kubernetes Airgap Instructions" -title: "Kubernetes Airgap Instructions" -description: "Learn how to install Palette in an air gap environment." -icon: "" -hide_table_of_contents: false -sidebar_position: 20 -tags: ["self-hosted", "enterprise", "airgap", "kubernetes"] -keywords: ["self-hosted", "enterprise"] ---- - -![Overview diagram of the pre-install steps eager-load](/enterprise-version_air-gap-repo_overview-order-diagram-focus.webp) - -This guide provides instructions to prepare your airgap environment for a Palette installation by completing the -required preparatory steps 1 through 4 shown in the diagram. The respective installation guides for each platform cover -the remaining installation process. - -## Prepare Airgap Installation - -Use the following steps to prepare your airgap environment for a Palette installation. - -:::tip - -Carefully review the [prerequisites](#prerequisites) section before proceeding. This will save you time and frustration. -Each prerequisite listed is required for a successful installation. - -::: - -## Prerequisites - -- An x86 Linux jumpbox or bastion host with connectivity to the target platform where you are installing Palette. - -- 30 GB of disk space available for the airgap setup binary and temporary files. The uncompressed airgap content is - approximately 20 GB. - -- An OCI registry such as [Harbor](https://goharbor.io/) or [AWS ECR](https://aws.amazon.com/ecr/) to store Palette - images and packages. The OCI registry must be accessible from the Kubernetes cluster. We have verified the - installation against Harbor and AWS ECR. Other OCI registries may work but have not been tested. - - :::warning - - Ensure the OCI registries are set up with HTTPS. AWS ECR is enabled with HTTPS by default. Harbor requires you to - enable HTTPS. If you are using Harbor, you must enable HTTPS to authenticate with the registry. 
Refer to the - [Harbor](https://goharbor.io/docs/2.9.0/install-config/configure-https) documentation for guidance. - - ::: - -- An HTTP file server to host the Palette manifest. The file server must be accessible from the target environment where - Palette will be installed. Below is a list of common file servers: - - - [Apache HTTP Server](https://httpd.apache.org/) - - - [Nginx](https://www.nginx.com/) - - - [Caddy](https://caddyserver.com/) - - :::warning - - Take the necessary steps to secure your file server and ensure it can automatically recover from a failure. The file - server is a critical component of the airgap installation and must be available post-install for Palette to function - properly. - - ::: - -- To interact with the OCI registry, you must have the following tools installed and available. - - - [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) - Required for AWS ECR. - - [Oras](https://oras.land/docs/installation.html) CLI v1.0.0 - This version is explicitly required for the setup - script. - - [zip](https://linux.die.net/man/3/zip) - Required for the setup script. - - [unzip](https://linux.die.net/man/1/unzip) - or equivalent for extracting the manifest content from the airgap setup - binary. - - [jq](https://jqlang.github.io/jq/download/) - Command-line JSON processor installed and available. - - [Docker](https://docs.docker.com/get-docker/) - The airgap setup binary requires Docker to be installed and - available. - -## Instructions - -Complete the following steps before deploying the airgap Palette installation. - -1. Log in to the OCI registry where you will host the Palette images and packages. - -2. Create a repository with the name `spectro-packs` and ensure the repository is private. This repository will host the - Palette Packs. 
- - - Refer to the [Create Projects](https://goharbor.io/docs/2.0.0/working-with-projects/create-projects/) guide for - information about creating a repository in Harbor. - - Refer to the [Create a repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html) - guide for information about creating a repository in AWS ECR. - -3. In your OCI registry, create another repository with the name `spectro-images` and ensure the repository is public. - The public repositry will host the images required by Palette. - -4. Log in to the Linux environment where you will download the airgap binaries and complete the remaining steps, - including the Palette installation. - -5. Authenticate with your OCI registry and acquire credentials to both repositories you created earlier. You will need - these credentials when deploying the airgap Palette installation. - - - - -Use `oras` to log in to your OCI registry. Replace the values below with your environment configuration values. Check -out the [oras login](https://oras.land/docs/commands/oras_login) documentation for information about additional CLI -flags and examples. - -```shell -oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere' -``` - -If you are using a Harbor registry with a self-signed certificate, you will need to add the `--insecure` flag to the -`oras` command. - -```shell -oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere' -``` - - - - -You can acquire the AWS ECR authentication command from the AWS ECR console. From the ECR repository details page, click -on the **View push commands** button to access the command. Refer to the -[AWS ECR Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html#cli-authenticate-registry) -documentation for more information. - -Below is the command you will use to authenticate to AWS ECR. 
The output of the `aws` command is passed to `oras` to -authenticate with the ECR registry. Replace the values below with your environment configuration values. - -```shell -aws ecr get-login-password --region xxxxx | oras login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com -``` - -For the public image repository, use the `docker` CLI instead of using `oras`. Replace the values below with your -environment configuration values. - -```shell -aws ecr-public get-login-password --region xxxxx | docker login --username AWS --password-stdin public.ecr.aws/xxxxxxx -``` - - - - -:::tip - -Be aware of the timeout period for the authentication token. The process of uploading images and packages to the OCI -registry can take a approximately an hour. If the authentication token expires, you will need to re-authenticate to the -OCI registry and restart the upload process. - -::: - ---- - -6. The airgap setup binary requires a set of environment variables to be available and populated. Depending on what OCI - registry you are using, the environment variables will be different. Select the OCI registry you are using and - populate the environment variables accordingly. - - - - -
- - - `OCI_IMAGE_REGISTRY`: The IP address or domain name of the OCI registry. - - `OCI_PACK_BASE`: The namespace or repository name that hosts the Palette packs. - - `OCI_PACK_REGISTRY`: The IP address or domain name of the OCI registry. - - `OCI_IMAGE_BASE`: The namespace or repository name that hosts the Palette images. - - ```shell - export OCI_IMAGE_REGISTRY= - export OCI_PACK_BASE=spectro-packs - export OCI_PACK_REGISTRY= - export OCI_IMAGE_BASE=spectro-images - ``` - - Example - - ```shell hideClipboard - export OCI_IMAGE_REGISTRY=example.internal.com - export OCI_PACK_BASE=spectro-packs - export OCI_PACK_REGISTRY=10.10.100.48 - export OCI_IMAGE_BASE=spectro-images - ``` - -
- - -
- - - `ECR_IMAGE_REGISTRY`: The IP address or domain name of the public OCI registry for images. - - `ECR_IMAGE_BASE`: The namespace or repository name that hosts the Palette images. - - `ECR_IMAGE_REGISTRY_REGION`: The AWS region where the ECR registry is located. - - `ECR_PACK_BASE`: The namespace or repository name that hosts the Palette packs. - - `ECR_PACK_REGISTRY`: The IP address or domain name of the OCI registry. - - `ECR_PACK_REGISTRY_REGION`: The AWS region where the ECR registry is located. - - ```shell - export ECR_IMAGE_REGISTRY= - export ECR_IMAGE_BASE=spectro-images - export ECR_IMAGE_REGISTRY_REGION=us-east-1 - export ECR_PACK_REGISTRY= - export ECR_PACK_BASE=spectro-packs - export ECR_PACK_REGISTRY_REGION=us-east-1 - ``` - - Example - - ```shell hideClipboard - export ECR_IMAGE_REGISTRY=public.ecr.aws/1234567890 - export ECR_IMAGE_BASE=spectro-images - export ECR_IMAGE_REGISTRY_REGION=us-east-1 - export ECR_PACK_REGISTRY=123456789.dkr.ecr.us-east-1.amazonaws.com - export ECR_PACK_BASE=spectro-packs - export ECR_PACK_REGISTRY_REGION=us-east-1 - ``` - -
-
- ---- - -7. Download the airgap setup binary. Our support team will provide you with the proper version and the necessary - credentials. Replace the commands below with the recommended version and credentials provided by our support team. - -```shell -VERSION=X.X.X -``` - -```shell -curl --user XXXXX:YYYYYYY https://software-private.spectrocloud.com/airgap/$VERSION/airgap-v$VERSION.bin \ ---output airgap-v$VERSION.bin -``` - -8. Update the airgap setup binary permissions to allow execution. Replace the file name below with the name of the - airgap setup binary you downloaded. - -```shell -chmod +x airgap-v$VERSION.bin -``` - -9. Start the airgap setup binary. Replace the file name below with the name of the airgap setup binary you downloaded. - -```shell -./airgap-v$VERSION.bin -``` - -Upon completion, a success message will be displayed. The output in the example below is condensed for brevity. - - ```shell hideClipboard {10} - Verifying archive integrity... 100% MD5 checksums are OK. All good. - Uncompressing Airgap Setup - Version 4.0.17 100% - Setting up Packs - - Pushing Pack cni-calico:3.25.1 - ... - Setting up Images - - Pushing image docker.io/kindest/kindnetd:v20230227-15197099 - - Pushing image gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.22.8 - ..... - Preparing Manifests Archive - Manifests are available in /tmp/spectro-manifests-1696971110.zip. Extract the archive to a file server to serve as a Spectro Cloud Repository - Setup Completed - ``` - -:::info - -If you encounter an error during the airgap setup process, verify the required environment variables are set and -populated correctly. If you are still having issues, reach out to our support team for assistance. - -::: - -10. Move the manifest file located in your temporary directory to the location of your file server. Unzip the manifest - file to a folder accessible by the file server. Replace the file name below with the name of the manifest file - provided to you by the airgap setup. 
- - ```shell - unzip spectro-manifests-XXXXXXXXXXXX.zip -d /target/folder - ``` - - :::tip - - If you want to get started quickly with a file server, install - [Caddy](https://caddyserver.com/docs/quick-starts/static-files) or use Python3's - [http sever](https://docs.python.org/3/library/http.server.html) and issue one of the following commands in the - folder where you unzipped the manifest content. Each command will start a file server on port 2015. - - ```shell - caddy file-server --listen :2015 --browse - ``` - - ```shell - python3 -m http.server 2015 - ``` - - We do not recommend serving the manifest content over HTTP, but it is an option if you want to get started quickly. - For production workloads, enable HTTPS on your file server. - - ::: - -11. Review the additional packs available for download. The supplemental packs are optional and not required for a - successful installation. However, to create cluster profiles you may require several of the packs available for - download. Refer to the [Additional Packs](supplemental-packs.md) resource for a list of available packs. - -12. Once you select the packs you want to install, download the pack binaries and start the binary to initiate the - upload process. - -In the example below, the `airgap-pack-aws-alb-2.5.1.bin` binary is downloaded and started. - -```shell -chmod +x airgap-pack-aws-alb-2.5.1.bin && \ -./airgap-pack-aws-alb-2.5.1.bin -``` - -```shell hideClipboard - Verifying archive integrity... 100% MD5 checksums are OK. All good. - Uncompressing Airgap Pack - aws-alb Version 4.0.17 100% - Setting up Packs - - Pushing Pack aws-alb:2.5.1 - Setting up Images - Setup Completed -``` - -13. Repeat step 12 for each pack you want to install. - -You have now completed the preparation steps for an airgap installation. Check out the [Validate](#validate) section to -ensure the airgap setup process completed successfully. 
- -## Validate - -Use the following steps to validate the airgap setup process completed successfully. - -1. Log in to your OCI registry and verify the Palette images and packs are available. - -2. Verify the manifest file is accessible from the file server. The manifest file is required for the Palette - installation process. The screenshot below is an example of a file server hosting the unzipped manifest content. The - example shows Caddy as the file server. - -![Example of a file server hosting the unzipped manifest content](/enterprise-version_airgap_airgap-instructions_file-server-caddy.webp) - -3. Ensure your file server is accessible from the environment in which you are installing Palette. Use the following - command to verify the file server can access the manifest content. Replace the hostname or IP address below with your - file server hostname or IP address. - -```shell -curl http://:/roar/nickfury/versions.yaml -``` - -```yaml hideClipboard -versions: - - version: "3.3" - filepath: "/roar/nickfury/3.3/version.yaml" - patchVersionsFilepath: "/roar/nickfury/3.3/versions.yaml" - - version: "3.4" - filepath: "/roar/nickfury/3.4/version.yaml" - patchVersionsFilepath: "/roar/nickfury/3.4/versions.yaml" - - version: "4.0" - filepath: "/roar/nickfury/4.0/version.yaml" - patchVersionsFilepath: "/roar/nickfury/4.0/versions.yaml" -``` - -## Next Steps - -You are now ready to deploy the airgap Palette installation. You will specify your OCI registry and file server during -the installation process. Refer to the -[Kubernetes Install Instructions](../install-on-kubernetes/install-on-kubernetes.md) guide for detailed guidance on -installing Palette. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/_category_.json b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/_category_.json new file mode 100644 index 0000000000..455b8e4969 --- /dev/null 
+++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/_category_.json @@ -0,0 +1,3 @@ +{ + "position": 20 +} diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/airgap-install.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/airgap-install.md new file mode 100644 index 0000000000..d88010c869 --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/airgap-install.md 
@@ -0,0 +1,65 @@ +--- +sidebar_label: "Airgap Installation" +title: "Airgap Installation" +description: "Learn how to deploy self-hosted Palette to a Kubernetes cluster using a Helm Chart." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["self-hosted", "enterprise", "airgap"] +keywords: ["self-hosted", "enterprise"] +--- + +You can install self-hosted Palette in an airgap Kubernetes environment. An airgap environment lacks direct access to +the internet and is intended for environments with strict security requirements. + +The installation process for an airgap environment is different due to the lack of internet access. Before the primary +Palette installation steps, you must download the following artifacts: + +- Palette platform manifests and required platform packages. + +- Container images for core platform components and third-party dependencies. + +- Palette packs. + +The other significant change is that Palette's default public OCI registry is not used. Instead, a private OCI registry +is utilized to store images and packs. + +## Overview + +Before you can install Palette in an airgap environment, you must first set up your environment as outlined in the +following diagram. + +![An architecture diagram outlining the five different installation phases](/enterprise-version_air-gap-repo_overview-order-diagram.webp) + +1. In an environment with internet access, download the airgap setup binary from the URL provided by our support team. + The airgap setup binary is a self-extracting archive that contains the Palette platform manifests, images, and + required packs. The airgap setup binary is a single-use binary for uploading Palette images and packs to your OCI + registry. You will not use the airgap setup binary again after the initial installation. + +2. Move the airgap setup binary to the airgap environment. 
The airgap setup binary is used to extract the manifest + content and upload the required images and packs to your private OCI registry. Start the airgap setup binary in a + Linux Virtual Machine (VM). + +3. The airgap script will push the required images and packs to your private OCI registry. + +4. Extract the manifest content from the airgap setup binary. The manifest content must be hosted on a web server that + is accessible from the airgap environment. You can use the same Linux VM from step two to host the manifest content + or use a different web server. + +5. Install Palette using the Kubernetes Helm chart. + +## Get Started + +To get started with the airgap Palette installation, review the [Environment Setup](./kubernetes-airgap-instructions.md) +page. The environment setup guide provides detailed instructions on how to prepare your airgap environment. After you +have completed the environment setup, you can proceed with the [Install Palette](./install.md) guide. + +## Resources + +- [Environment Setup](kubernetes-airgap-instructions.md) + +- [Install Palette](./install.md) + +- [Checklist](checklist.md) + +- [Additional Packs](../../airgap/supplemental-packs.md) diff --git a/docs/docs-content/enterprise-version/install-palette/airgap/checklist.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/checklist.md similarity index 70% rename from docs/docs-content/enterprise-version/install-palette/airgap/checklist.md rename to docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/checklist.md index 26f7ecdba2..8bc6f5ec83 100644 --- a/docs/docs-content/enterprise-version/install-palette/airgap/checklist.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/checklist.md 
@@ -1,11 +1,11 @@ --- sidebar_label: "Checklist" -title: "Checklist" +title: "Airgap Installation Checklist" description: "An airgap installation of Palette requires a few steps to be completed before the installation can begin. This checklist will help you prepare for the installation." icon: "" -sidebar_position: 40 +sidebar_position: 10 hide_table_of_contents: false tags: ["palette", "self-hosted", "airgap"] keywords: ["self-hosted", "enterprise"] @@ -14,10 +14,6 @@ keywords: ["self-hosted", "enterprise"] Use the following checklist to ensure you have completed all the required steps before deploying the airgap Palette installation. - - - - - [ ] `oras` CLI v1.0.0 is installed and available. - [ ] `aws` CLI v2 or greater CLI is installed and available. @@ -47,22 +43,3 @@ installation. - [ ] Ensure the manifest content is hosted on an HTTP file server accessible from the environment to which you are installing Palette. - - - - - -- [ ] Create a vSphere VM and Template folder named `spectro-templates`. - -- [ ] Import the Operating System and Kubernetes distribution OVA required for the installation and place the OVA in the - `spectro-templates` folder. - -- [ ] Append the `r_` prefix and remove the `.ova` suffix from the OVA name after the import. - -- [ ] Start the airgap setup binary and verify the setup is completed successfully. - -- [ ] Review the list of [pack binaries](./supplemental-packs.md) to download and upload to your OCI registry. - - - - diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/install.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/install.md new file mode 100644 index 0000000000..c73e92bccd --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/install.md 
@@ -0,0 +1,877 @@ +--- +sidebar_label: "Install Palette" +title: "Install Airgap Self-Hosted Palette" +description: "Learn how to deploy self-hosted Palette to a Kubernetes cluster using a Helm Chart." +icon: "" +hide_table_of_contents: false +sidebar_position: 30 +tags: ["self-hosted", "enterprise", "airgap"] +keywords: ["self-hosted", "enterprise"] +--- + +You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your airgap production +environment. + +This installation method is common in secure environments with restricted network access that prohibits using Palette +SaaS. Review our [architecture diagrams](../../../../architecture/networking-ports.md) to ensure your Kubernetes cluster +has the necessary network connectivity for self-hosted Palette to operate successfully. + +:::warning + +Complete the [Environment Setup](./kubernetes-airgap-instructions.md) steps before proceeding with the installation. + +::: + +## Prerequisites + +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. + +- [Helm](https://helm.sh/docs/intro/install/) is installed and available. + +- Access to the target Kubernetes cluster's kubeconfig file. You must be able to interact with the cluster using + `kubectl` commands and have sufficient permissions to install Palette. We recommend using a role with `cluster-admin` + permissions to install Palette. + +- Ensure `unzip` or a similar extraction utility is installed on your system. + +- The Kubernetes cluster must be set up on a supported version of Kubernetes, which includes versions v1.25 to v1.27. + +- Ensure the Kubernetes cluster does not have Cert Manager installed. Palette requires a unique Cert Manager + configuration to be installed as part of the installation process. If Cert Manager is already installed, you must + uninstall it before installing Palette. + +- The Kubernetes cluster must have a Container Storage Interface (CSI) installed and configured. 
Palette requires a CSI + to store persistent data. You may install any CSI that is compatible with your Kubernetes cluster. + +- We recommended the following resources for Palette. Refer to the + [Palette size guidelines](../../install-palette.md#size-guidelines) for additional sizing information. + + - 8 CPUs per node. + + - 16 GB Memory per node. + + - 100 GB Disk Space per node. + - A Container Storage Interface (CSI) for persistent data. + + - A minimum of three worker nodes or three untainted control plane nodes. + +- The following network ports must be accessible for Palette to operate successfully. + + - TCP/443: Inbound and outbound to and from the Palette management cluster. + + - TCP/6443: Outbound traffic from the Palette management cluster to the deployed clusters' Kubernetes API server. + +- Ensure you have an SSL certificate that matches the domain name you will assign to Palette. You will need this to + enable HTTPS encryption for Palette. Reach out to your network administrator or security team to obtain the SSL + certificate. You need the following files: + + - x509 SSL certificate file in the base64 format. + + - x509 SSL certificate key file in the base64 format. + + - x509 SSL certificate authority file in the base64 format. + +- An Nginx controller will be installed by default. If you already have an Nginx controller deployed in the cluster, you + must set the `ingress.enabled` parameter to `false` in the **values.yaml** file. + +- A custom domain and the ability to update Domain Name System (DNS) records. You will need this to enable HTTPS + encryption for Palette. + +- If you are installing Palette behind a network proxy server, ensure you have the Certificate Authority (CA) + certificate file in the base64 format. You will need this to enable Palette to communicate with the network proxy + server. + +- Access to the Palette Helm Charts. 
Refer to the [Access Palette](../../../enterprise-version.md#access-palette) for + instructions on how to request access to the Helm Chart. + +:::warning + +Do not use a Palette-managed Kubernetes cluster when installing Palette. Palette-managed clusters contain the Palette +agent and Palette-created Kubernetes resources that will interfere with the installation. + +::: + +## Install Palette + +The following instructions are agnostic to the Kubernetes distribution you are using. Depending on the underlying +infrastructure provider and your Kubernetes distribution, you may need to modify the instructions to match your +environment. Reach out to our support team if you need assistance. + +1. Open a terminal session and navigate to the directory where you downloaded the Palette installation zip file + provided by our support. Unzip the file to a directory named **palette-install**. + + ```shell + unzip release-*.zip -d palette-install + ``` + +2. Navigate to the release folder inside the **palette-install** directory. + + ```shell + cd palette-install/charts/release-* + ``` + +3. Open the file **extras/cert-manager/values.yaml** in a text editor and append the URL to your OCI registry, which + also includes the namespace or project that is hosting the Spectro Cloud images. The URL should be in the format + `/`. In the example configuration below, the value `my-oci-registry.com/spectro-images` is + prefixed to each URL. Save the file after you have appended the URL. 
+ + ```yaml hideClipboard + image: + cainjectorImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-cainjector:spectro-v1.11.0-20230427" + controllerImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-controller:spectro-v1.11.0-20230427" + webhookImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-webhook:spectro-v1.11.0-20230808" + amceResolverImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-acmesolver:spectro-v1.11.0-20230427" + ``` + +4. Install Cert Manager using the following command. Replace the actual file name of the Cert Manager Helm Chart with + the one you downloaded, as the version number may be different. + + ```shell + helm upgrade --values extras/cert-manager/values.yaml \ + cert-manager extras/cert-manager/cert-manager-*.tgz --install + ``` + + ```shell hideClipboard + Release "cert-manager" does not exist. Installing it now. + NAME: cert-manager + LAST DEPLOYED: Mon Jan 29 16:32:33 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +5. Open the file **extras/image-swap/values.yaml** in a text editor and append the URL to your OCI registry that also + includes the namespace or project that is hosting the Spectro Cloud images. + + ```yaml hideClipboard + config: + imageSwapImages: + imageSwapInitImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release/thewebroot/imageswap-init:v1.5.2-spectro-4.1.1" + imageSwapImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release/thewebroot/imageswap:v1.5.2-spectro-4.1.1" + ``` + +6. Update the `ociImageRegistry` section with the proper configuration values to your OCI registry. The + `ociImageRegistry` section should look similar to the following example. 
+ + :::info + + Use the following `mirrorRegistries`placeholder string to replace the respective values of your OCI registry. + + ```yaml + docker.io::OCI_URL/IMAGE_PROJECT,gcr.io::OCI_URL/IMAGE_PROJECT,ghcr.io::OCI_URL/IMAGE_PROJECT,k8s.gcr.io::OCI_URL/IMAGE_PROJECT,registry.k8s.io::OCI_URL/IMAGE_PROJECT,quay.io::OCI_URL/IMAGE_PROJECT" + ``` + + ::: + + ```yaml hideClipboard + ociImageRegistry: + endpoint: "my-oci-registry.com" + name: "Airgap Images OCI" + password: "" + username: "" + baseContentPath: "spectro-images" # + insecureSkipVerify: true + caCert: "" + mirrorRegistries: "docker.io::my-oci-registry.com/spectro-images,gcr.io::my-oci-registry.com/spectro-images,ghcr.io::my-oci-registry.com/spectro-images,k8s.gcr.io::my-oci-registry.com/spectro-images,registry.k8s.io::my-oci-registry.com/spectro-images,quay.io::my-oci-registry.com/spectro-images" + ``` + +7. Go ahead and install the image-swap chart using the following command. Point to the **values.yaml** file you + configured in steps five through six. + + ```shell + helm upgrade --values extras/image-swap/values.yaml \ + image-swap extras/image-swap/image-swap-*.tgz --install + ``` + + ```shell hideClipboard + Release "image-swap" does not exist. Installing it now. + NAME: image-swap + LAST DEPLOYED: Mon Jan 29 17:04:23 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + + :::tip + + If you need to override the image-swap registry configuration post-deployment, refer to the + [Override Registry Configuration](../../../system-management/registry-override.md) page for instructions. + + ::: + +8. Open the **values.yaml** file in the **spectro-mgmt-plane** folder with a text editor of your choice. The + **values.yaml** file contains the default values for the Palette installation parameters. However, you must populate + the following parameters before installing Palette. 
You can learn more about the parameters on the **values.yaml** + file on the [Helm Configuration Reference](../palette-helm-ref.md) page. + + Ensure you provide the proper `ociImageRegistry.mirrorRegistries` values if you are using a self-hosted OCI + registry. You can find the placeholder string in the `ociImageRegistry` section of the **values.yaml** file. + + | **Parameter** | **Description** | **Type** | + | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | + | `env.rootDomain` | The URL name or IP address you will use for the Palette installation. | string | + | `config.installationMode` | The installation mode for Palette. The values can be `connected` or `airgap`. Set this value to `airgap`. | string | + | `ociPackEcrRegistry` | The OCI registry credentials for the Palette FIPS packs repository. | object | + | `ociImageRegistry` | The OCI registry credentials for the Palette images repository. | object | + | `ociImageRegistry.mirrorRegistries` | Replace the placeholder string with the respective values of your OCI registry repository that is hosting the images. Do not use the same values you provided to the image-swap **values.yaml**. The placeholders require a `/v2/` endpoint if your OCI registry supports the Docker Registry protocol v2, otherwise container pull images will fail. | + | `imageSwapImages` | The image swap configuration for Palette. If you are using an OCI registry, such as Harbor. Replace the prefix URLs with your OCI registry URL that includes the image namespace or project: `/`. | object | + | `imageSwapConfig.isEKSCluster` | If you are NOT installing Palette on an EKS cluster, set this value to `false`. 
| boolean | + | `scar` | Specify your HTTP file server values. If your HTTP file server requires credentials ensure the provided values are base64-encoded. Example of the string "admin" encoded in base64 - `YWRtaW4=`. | object | + | `ingress.enabled` | Whether to install the Nginx ingress controller. Set this to `false` if you already have an Nginx controller deployed in the cluster. | boolean | + | `reach-system` | Set `reach-system.enabled` to `true` and configure the `reach-system.proxySettings` parameters for Palette to use a network proxy in your environment. | object | + + Save the **values.yaml** file after you have populated the required parameters mentioned in the table. Select one of + the following tabs to review an example of the **values.yaml** file with the required parameters highlighted. + + + + + + + ```yaml {23,53,87-95,97-102,104-106,109} + ######################### + # Spectro Cloud Palette # + ######################### + # MongoDB Configuration + mongo: + # Whether to deploy MongoDB in-cluster (internal == true) or use Mongo Atlas + internal: true + + # Mongodb URL. Only change if using Mongo Atlas. + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + # Mongo Atlas password, base64 encoded. Only enter if using Mongo Atlas. + databasePassword: "" + + # No. of mongo replicas to run, default is 3 + replicas: 3 + # The following only apply if mongo.internal == true + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" # leave empty to use the default storage class + + config: + installationMode: "airgap" # values can be connected or airgap. + + # SSO SAML Configuration (Optional for self-hosted type) + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" + + # Email Configurations. 
(Optional for self-hosted type) + email: + enabled: false + emailId: "noreply@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" # base64 encoded SMTP password + + env: + # rootDomain is a DNS record which will be mapped to the ingress-nginx-controller load balancer + # E.g., myfirstpalette.spectrocloud.com + # - Mandatory if ingress.internal == false + # - Optional if ingress.internal == true (leave empty) + # + # IMPORTANT: a DNS record must be created separately and it must be a wildcard to account for Organization prefixes + # E.g., *.myfirstpalette.spectrocloud.com + rootDomain: "palette.example.com" + + # stableEndpointAccess is used when deploying EKS clusters in Private network type. + # When your Saas installed instance have connectivity to the private VPC where you want to launch the cluster set the stableEndpointAccess to true + cluster: + stableEndpointAccess: false + + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackEcrRegistry: + # endpoint: "" # + # name: "" # + # accessKey: "" # + # secretKey: "" # + # baseContentPath: "" # + # isPrivate: true + # insecureSkipVerify: false + # caCert: "" + + ociImageRegistry: + endpoint: "my-oci-registry.com" # + name: "Airgap Image OCI" # + password: "" # + username: "" # + baseContentPath: "spectro-images" # + insecureSkipVerify: true + caCert: "" + mirrorRegistries: "docker.io::my-oci-registry.com/v2/spectro-images,gcr.io::my-oci-registry.com/v2/spectro-images,ghcr.io::my-oci-registry.com/v2/spectro-images,k8s.gcr.io::my-oci-registry.com/v2/spectro-images,registry.k8s.io::my-oci-registry.com/v2/spectro-images,quay.io::my-oci-registry.com/v2/spectro-images" + 
+ scar: + endpoint: "http://10.15.20.15:2015" + username: "YWRtaW4=" + password: "YWRtaW4=" + insecureSkipVerify: true + caCert: "" + + imageSwapImages: + imageSwapInitImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap-init:v1.5.2" + imageSwapImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap:v1.5.2" + + imageSwapConfig: + isEKSCluster: true #If the Cluster you are trying to install is EKS cluster set value to true else set to false + + nats: + # Should we install nats as part of the nats chart bundled with hubble charts + # If not enabled NATS service should be installed as a separate service. + + enabled: true + + # Whether to front NATS with a cloud load balancer (internal == false) or + # either share the ingress load balancer or use hostNetwork (internal == true). + # See nats.natsUrl comments for further detail. + internal: true + + # NATS URL + # Comma separated list of mappings for nats load balancer service + # E.g., "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222" + # + # Mandatory if nats.internal == false + # Otherwise, if nats.internal == true: + # - If ingress.ingress.internal == true: leave empty (use hostNetwork) + # - If ingress.ingress.internal == false: use ":4222" (share ingress lb) + natsUrl: "" + + # *********************** IMPORTANT NOTE ****************************** + # * if nats.internal == true, ignore all of the following NATS config * + # ********************************************************************* + + # NATS load balancer annotations + annotations: {} + + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "server-port" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # 
service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the nats loadbalancer service. If empty, a dynamic IP will be generated. + natsStaticIP: "" + grpc: + external: false + endpoint: "" # Please provide DNS endpoint with the port eg: msg.spectrocloud.com:443 + caCertificateBase64: "" # Please provide caCertificate for the grpc server Cert + serverCrtBase64: "" + serverKeyBase64: "" + insecureSkipVerify: false + + ingress: + # When enabled nginx ingress controller would be installed + enabled: true + + ingress: + # Whether to front NGINX Ingress Controller with a cloud + # load balancer (internal == false) or use host network + internal: false + + # Default SSL certificate and key for NGINX Ingress Controller (Optional) + # A wildcard cert for config.env.rootDomain, e.g., *.myfirstpalette.spectrocloud.com + # If left blank, the NGINX ingress controller will generate a self-signed cert (when terminating TLS upstream of ingress-nginx-controller) + certificate: "" + key: "" + + #If ACM is enabled please use grpc as a non internal and bring grpc on different LB. Provide certificate and dns for it. + annotations: {} + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the Ingress load balancer service. If empty, a dynamic IP will be generated. + ingressStaticIP: "" + + # For Service like AWS Load Balancer using https we would want to terminate the HTTPS at Load Balancer. 
+ terminateHTTPSAtLoadBalancer: false + nats: + enabled: true + + frps: + frps: + enabled: false + frpHostURL: proxy.sample.spectrocloud.com + server: + crt: 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 + key: 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 + ca: + crt: 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 + service: + annotations: {} + + ui-system: + enabled: true + ui: + nocUI: + enable: true + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette + mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID + + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. + scheduleOnControlPlane: true + ``` + + + + + + ```yaml {23,53,77-85,87-95,110-115} + ######################### + # Spectro Cloud Palette # + ######################### + # MongoDB Configuration + mongo: + # Whether to deploy MongoDB in-cluster (internal == true) or use Mongo Atlas + internal: true + + # Mongodb URL. Only change if using Mongo Atlas. + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + # Mongo Atlas password, base64 encoded. Only enter if using Mongo Atlas. + databasePassword: "" + + # No. of mongo replicas to run, default is 3 + replicas: 3 + # The following only apply if mongo.internal == true + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" # leave empty to use the default storage class + + config: + installationMode: "airgap" # values can be connected or airgap. + + # SSO SAML Configuration (Optional for self-hosted type) + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" + + # Email Configurations. 
(Optional for self-hosted type) + email: + enabled: false + emailId: "noreply@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" # base64 encoded SMTP password + + env: + # rootDomain is a DNS record which will be mapped to the ingress-nginx-controller load balancer + # E.g., myfirstpalette.spectrocloud.com + # - Mandatory if ingress.internal == false + # - Optional if ingress.internal == true (leave empty) + # + # IMPORTANT: a DNS record must be created separately and it must be a wildcard to account for Organization prefixes + # E.g., *.myfirstpalette.spectrocloud.com + rootDomain: "palette.example.com" + + # stableEndpointAccess is used when deploying EKS clusters in Private network type. + # When your Saas installed instance have connectivity to the private VPC where you want to launch the cluster set the stableEndpointAccess to true + cluster: + stableEndpointAccess: false + + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + + ociPackEcrRegistry: + endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com" # + name: "Airgap Packs OCI" # + accessKey: "*************" # + secretKey: "*************" # + baseContentPath: "spectro-packs" # + isPrivate: true + insecureSkipVerify: true + caCert: "" + + ociImageRegistry: + endpoint: "public.ecr.aws/123456789" # + name: "Airgap Images OCI" # + password: "" # + username: "" # + baseContentPath: "spectro-images" # + insecureSkipVerify: false + caCert: "" + mirrorRegistries: 
"docker.io::public.ecr.aws/123456789/v2/spectr-images,gcr.io::public.ecr.aws/123456789/v2/spectro-images,ghcr.io::public.ecr.aws/123456789/v2/spectro-images,k8s.gcr.io::public.ecr.aws/123456789/v2/spectro-images,registry.k8s.io::public.ecr.aws/123456789/v2/spectro-images,quay.io::public.ecr.aws/123456789/v2/spectro-imagesßßß" + # + # Instruction for mirrorRegistries. + # ---------------------------------- + # Please provide the registry endpoint for the following registries, separated by double colons (::): + # docker.io + # gcr.io + # ghcr.io + # k8s.gcr.io + # registry.k8s.io + # quay.io + # For each registry, follow this example format: + # docker.io::/v2/,gcr.io::/v2/,ghcr.io::/v2/,k8s.gcr.io::/v2/,registry.k8s.io::/v2/,quay.io::/v2/ + # Replace with your actual registry endpoint and , , , , , and with the specific endpoint details for each registry. + + scar: + endpoint: "http://10.15.20.15:2015" + username: "YWRtaW4=" + password: "YWRtaW4=" + insecureSkipVerify: true + caCert: "" + + imageSwapImages: + imageSwapInitImage: "public.ecr.aws/123456789/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap-init:v1.5.2" + imageSwapImage: "public.ecr.aws/123456789/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap:v1.5.2" + + imageSwapConfig: + isEKSCluster: true # If the Cluster you are trying to install is EKS cluster set value to true else set to false + + nats: + # Should we install nats as part of the nats chart bundled with hubble charts + # If not enabled NATS service should be installed as a separate service. + + enabled: true + + # Whether to front NATS with a cloud load balancer (internal == false) or + # either share the ingress load balancer or use hostNetwork (internal == true). + # See nats.natsUrl comments for further detail. 
+ internal: true + + # NATS URL + # Comma separated list of mappings for nats load balancer service + # E.g., "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222" + # + # Mandatory if nats.internal == false + # Otherwise, if nats.internal == true: + # - If ingress.ingress.internal == true: leave empty (use hostNetwork) + # - If ingress.ingress.internal == false: use ":4222" (share ingress lb) + natsUrl: "" + + # *********************** IMPORTANT NOTE ****************************** + # * if nats.internal == true, ignore all of the following NATS config * + # ********************************************************************* + + # NATS load balancer annotations + annotations: {} + + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "server-port" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the nats loadbalancer service. If empty, a dynamic IP will be generated. 
+ natsStaticIP: "" + grpc: + external: false + endpoint: "" #Please provide DNS endpoint with the port eg: msg.spectrocloud.com:443 + caCertificateBase64: "" #Please provide caCertificate for the grpc server Cert + serverCrtBase64: "" + serverKeyBase64: "" + insecureSkipVerify: false + + ingress: + # When enabled nginx ingress controller would be installed + enabled: true + + ingress: + # Whether to front NGINX Ingress Controller with a cloud + # load balancer (internal == false) or use host network + internal: false + + # Default SSL certificate and key for NGINX Ingress Controller (Optional) + # A wildcard cert for config.env.rootDomain, e.g., *.myfirstpalette.spectrocloud.com + # If left blank, the NGINX ingress controller will generate a self-signed cert (when terminating TLS upstream of ingress-nginx-controller) + certificate: "" + key: "" + + # If ACM is enabled please use grpc as a non internal and bring grpc on different LB. Provide certificate and dns for it. + annotations: {} + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the Ingress load balancer service. If empty, a dynamic IP will be generated. + ingressStaticIP: "" + + # For Service like AWS Load Balancer using https we would want to terminate the HTTPS at Load Balancer. 
+ terminateHTTPSAtLoadBalancer: false + nats: + enabled: true + + frps: + frps: + enabled: false + frpHostURL: proxy.sample.spectrocloud.com + server: + crt: 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 + key: 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 + ca: + crt: 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 + service: + annotations: {} + + ui-system: + enabled: true + ui: + nocUI: + enable: true + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette + mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID + + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. + scheduleOnControlPlane: true + ``` + + + + + + :::warning + + Ensure you have configured the **values.yaml** file with the required parameters before proceeding to the next + steps. + + ::: + +9. This step is only required if you are installing Palette in an environment where a network proxy must be configured + for Palette to access the internet. If you are not using a network proxy, skip to the next step. + + Install the reach-system chart using the following command. Point to the **values.yaml** file you configured in step + eight. + + ```shell + helm upgrade --values palette/values.yaml \ + reach-system extras/reach-system/reach-system-*.tgz --install + ``` + + ```shell hideClipboard + Release "reach-system" does not exist. Installing it now. + NAME: reach-system + LAST DEPLOYED: Mon Jan 29 17:04:23 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +10. Install the Palette Helm Chart using the following command. + + ```shell + helm upgrade --values palette/values.yaml \ + hubble palette/spectro-mgmt-plane-*.tgz --install + ``` + + ```shell hideClipboard + Release "hubble" does not exist. Installing it now. 
+ NAME: hubble + LAST DEPLOYED: Mon Jan 29 17:07:51 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +11. Track the installation process using the command below. Palette is ready when the deployments in the namespaces + `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system`, and `ui-system` reach the _Ready_ state. The + installation takes two to three minutes to complete. + + ```shell + kubectl get pods --all-namespaces --watch + ``` + + :::tip + + For a more user-friendly experience, use the open-source tool [k9s](https://k9scli.io/) to monitor the installation + process. + + ::: + +12. Create a DNS CNAME record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the + following command to retrieve the load balancer IP address. You may require the assistance of your network + administrator to create the DNS record. + + ```shell + kubectl get service ingress-nginx-controller --namespace ingress-nginx \ + --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' + ``` + + :::info + + As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For + example, if you create a tenant named `tenant1` and the domain name you assigned to Palette is + `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. You can create an additional wildcard + DNS record to map all tenant URLs to the Palette load balancer. + + ::: + +13. Use the custom domain name or the IP address of the load balancer to visit the Palette system console. To access the + system console, open a web browser, paste the custom domain URL in the address bar, and append the value `/system`. + + The first time you visit the Palette system console, a warning message about a not-trusted SSL certificate may + appear. This is expected, as you have not yet uploaded your SSL certificate to Palette. You can ignore this warning + message and proceed. 
+ + ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.webp) + +14. Log in to the system console using the following default credentials. + + | **Parameter** | **Value** | + | ------------- | --------- | + | Username | `admin` | + | Password | `admin` | + + After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be + redirected to the Palette system console. + +15. After login, a summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a + different SSL certificate, you must upload the SSL certificate, SSL certificate key, and SSL certificate authority + files to Palette. You can upload the files using the Palette system console. Refer to the + [Configure HTTPS Encryption](../../../system-management/ssl-certificate-management.md) page for instructions on how + to upload the SSL certificate files to Palette. + + :::warning + + If you plan to deploy host clusters into different networks, you may require a reverse proxy. Check out the + [Configure Reverse Proxy](../../../system-management/reverse-proxy.md) guide for instructions on how to configure a + reverse proxy for Palette. + + ::: + +You now have a self-hosted instance of Palette installed in a Kubernetes cluster. Make sure you retain the +**values.yaml** file, as you may need it for future upgrades. + +## Validate + +Use the following steps to validate the Palette installation. + +1. Open up a web browser and navigate to the Palette system console. To access the system console, open a web browser, + paste the `env.rootDomain` value you provided in the address bar, and append the value `/system` in the following + format: `/system`. You can also use the IP address of the load balancer. + +2. Log in using the credentials you received from our support team. After login, you will be prompted to create a new + password. 
Enter a new password and save your changes. You will be redirected to the Palette system console. + +3. Open a terminal session and issue the following command to verify the Palette installation. The command should return + a list of deployments in the `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system`, and `ui-system` namespaces. + + ```shell + kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \ + | grep -E '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s' + ``` + + Your output should look similar to the following. + + ```shell hideClipboard + cp-system spectro-cp-ui-689984f88d-54wsw Running + hubble-system auth-85b748cbf4-6drkn Running + hubble-system auth-85b748cbf4-dwhw2 Running + hubble-system cloud-fb74b8558-lqjq5 Running + hubble-system cloud-fb74b8558-zkfp5 Running + hubble-system configserver-685fcc5b6d-t8f8h Running + hubble-system event-68568f54c7-jzx5t Running + hubble-system event-68568f54c7-w9rnh Running + hubble-system foreq-6b689f54fb-vxjts Running + hubble-system hashboard-897bc9884-pxpvn Running + hubble-system hashboard-897bc9884-rmn69 Running + hubble-system hutil-6d7c478c96-td8q4 Running + hubble-system hutil-6d7c478c96-zjhk4 Running + hubble-system mgmt-85dbf6bf9c-jbggc Running + hubble-system mongo-0 Running + hubble-system mongo-1 Running + hubble-system mongo-2 Running + hubble-system msgbroker-6c9b9fbf8b-mcsn5 Running + hubble-system oci-proxy-7789cf9bd8-qcjkl Running + hubble-system packsync-28205220-bmzcg Succeeded + hubble-system spectrocluster-6c57f5775d-dcm2q Running + hubble-system spectrocluster-6c57f5775d-gmdt2 Running + hubble-system spectrocluster-6c57f5775d-sxks5 Running + hubble-system system-686d77b947-8949z Running + hubble-system system-686d77b947-cgzx6 Running + hubble-system timeseries-7865bc9c56-5q87l Running + hubble-system timeseries-7865bc9c56-scncb Running + hubble-system timeseries-7865bc9c56-sxmgb Running + 
hubble-system user-5c9f6c6f4b-9dgqz Running + hubble-system user-5c9f6c6f4b-hxkj6 Running + ingress-nginx ingress-nginx-controller-2txsv Running + ingress-nginx ingress-nginx-controller-55pk2 Running + ingress-nginx ingress-nginx-controller-gmps9 Running + jet-system jet-6599b9856d-t9mr4 Running + ui-system spectro-ui-76ffdf67fb-rkgx8 Running + ``` + +## Next Steps + +You have successfully installed Palette in a Kubernetes cluster. Your next steps are to configure Palette for your +organization. Start by creating the first tenant to host your users. Use the +[Create a Tenant](../../../system-management/tenant-management.md) page for instructions on how to create a tenant. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md new file mode 100644 index 0000000000..c02afb7085 --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md 
@@ -0,0 +1,369 @@ +--- +sidebar_label: "Environment Setup" +title: "Environment Setup" +description: "Learn how to prepare Palette for an airgap install" +icon: "" +hide_table_of_contents: false +sidebar_position: 20 +tags: ["self-hosted", "enterprise", "airgap", "kubernetes"] +keywords: ["self-hosted", "enterprise"] +--- + +![Overview diagram of the pre-install steps eager-load](/enterprise-version_air-gap-repo_overview-order-diagram-focus.webp) + +This guide provides instructions on how to prepare your airgap environment before installing self-hosted Palette by +completing the required preparatory steps one through four, as shown in the diagram. + +## Prepare for Airgap Installation + +Use the following steps to prepare your airgap environment for a Palette installation. + +:::tip + +Carefully review the [prerequisites](#prerequisites) section before proceeding with the environment setup. Each +prerequisite listed is required for a successful installation. + +::: + +## Prerequisites + +- An x86 Linux jumpbox or bastion host with connectivity to the target platform where you are installing Palette. + +- 30 GB of disk space available for the airgap setup binary and temporary files. The uncompressed airgap content is + approximately 20 GB. + +- An OCI registry such as [Harbor](https://goharbor.io/) or [AWS ECR](https://aws.amazon.com/ecr/) to store Palette + images and packages. The OCI registry must be accessible from the Kubernetes cluster. We have verified the + installation against Harbor and AWS ECR. Other OCI registries may work but have not been tested. + + :::warning + + Ensure the OCI registries are set up with HTTPS. AWS ECR is enabled with HTTPS by default. Harbor requires you to + enable HTTPS. If you are using Harbor, you must enable HTTPS to authenticate with the registry. Refer to the + [Harbor](https://goharbor.io/docs/2.9.0/install-config/configure-https) documentation for guidance. + + ::: + +- An HTTP file server to host the Palette manifest. 
The file server must be accessible from the target environment where + Palette will be installed. Below is a list of common file servers: + + - [Apache HTTP Server](https://httpd.apache.org/) + + - [Nginx](https://www.nginx.com/) + + - [Caddy](https://caddyserver.com/) + + :::warning + + Take the necessary steps to secure your file server and ensure it can automatically recover from failure. The file + server is a critical component of the airgap installation and must be available post-install for Palette to function + properly. + + ::: + +- To interact with the OCI registry, you must have the following tools installed and available. + + - [AWS CLI v2](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) - Required for AWS ECR. + - [Oras](https://oras.land/docs/installation.html) CLI v1.0.0 - This version is explicitly required for the setup + script. + - [zip](https://linux.die.net/man/3/zip) - Required for the setup script. + - [unzip](https://linux.die.net/man/1/unzip) - Or equivalent for extracting the manifest content from the airgap setup + binary. + - [jq](https://jqlang.github.io/jq/download/) - Command-line JSON processor installed and available. + - [Docker](https://docs.docker.com/get-docker/) - The airgap setup binary requires Docker to be installed and + available. + +## Instructions + +Complete the following steps before deploying the airgap Palette installation. + +1. Log in to the OCI registry where you will host the Palette images and packages. + +2. Create a private repository named `spectro-packs`. This repository will host the Palette Packs. + + - Refer to the [Create Projects](https://goharbor.io/docs/2.0.0/working-with-projects/create-projects/) guide for + information about creating a repository in Harbor. + - Refer to the [Create a repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html) + guide for information about creating a repository in AWS ECR. + +3. 
In your OCI registry, create a public repository named `spectro-images`. The public repositry will host the images + required by Palette. + +4. Download the Certificate Authority (CA) for your OCI registry. You will need to provide the installation process the + CA, otherwise you may encounter errors when authenticating with the OCI registry which could result in an incomplete + install. Skip this step if you are using AWS ECR. + +5. Log in to the Linux environment where you will download the airgap binaries. This step requires internet access. + +6. Download the airgap setup binary. Our support team will provide you with the proper version and the necessary + credentials. Replace the commands below with the recommended version and credentials provided by our support team. + + ```shell + VERSION=X.X.X + ``` + + ```shell + curl --user XXXXX:YYYYYYY https://software-private.spectrocloud.com/airgap/$VERSION/airgap-v$VERSION.bin \ + --output airgap-v$VERSION.bin + ``` + +7. Update the airgap setup binary permissions to allow execution. Replace the file name below with the name of the + airgap setup binary you downloaded. + + ```shell + chmod +x airgap-v$VERSION.bin + ``` + +8. Copy or move the airgap binary to another Linux environment inside your airgap environment. Use any approved method + to transfer the binary to the airgap environment. + +9. Log in to the Linux environment inside your airgap environment where you copied the airgap setup binary. + +10. Authenticate with your OCI registry and acquire credentials to both repositories you created earlier. You will need + these credentials when deploying the airgap Palette installation. + + + + + + Use `oras` to log in to your OCI registry. Replace the values below with your environment configuration values. + Check out the [oras login](https://oras.land/docs/commands/oras_login) documentation for information about + additional CLI flags and examples. 
+ + ```shell + oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere' + ``` + + If you are using a Harbor registry with a self-signed certificate, you will need to add the `--insecure` flag to the + `oras` command. + + ```shell + oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere' + ``` + + + + + + You can acquire the AWS ECR authentication command from the AWS ECR console. From the ECR repository details page, + click on the **View push commands** button to access the command. Refer to the + [AWS ECR Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html#cli-authenticate-registry) + documentation for more information. + + Use the following command to authenticate with AWS ECR. The output of the `aws` command is passed to `oras` to + authenticate with the ECR registry. Replace the values below with your environment configuration values. + + ```shell + aws ecr get-login-password --region xxxxx | oras login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com + ``` + + For the public image repository, use the `docker` CLI instead of using `oras`. Replace the values below with your + environment configuration values. + + ```shell + aws ecr-public get-login-password --region xxxxx | docker login --username AWS --password-stdin public.ecr.aws/xxxxxxx + ``` + + + + + + :::tip + + Be aware of the timeout period for the authentication token. The process of uploading images and packages to the OCI + registry can take a approximately an hour. If the authentication token expires, you will need to re-authenticate to + the OCI registry and restart the upload process. + + ::: + +11. The airgap setup binary requires a set of environment variables to be available and populated. Depending on what OCI + registry you are using, the environment variables will be different. Select the OCI registry you are using and + populate the environment variables accordingly. 
+ + + + + + - `OCI_IMAGE_REGISTRY`: The IP address or domain name of the OCI registry. + - `OCI_PACK_BASE`: The namespace or repository name that hosts the Palette packs. + - `OCI_PACK_REGISTRY`: The IP address or domain name of the OCI registry. + - `OCI_IMAGE_BASE`: The namespace or repository name that hosts the Palette images. + + ```shell + export OCI_IMAGE_REGISTRY= + export OCI_PACK_BASE=spectro-packs + export OCI_PACK_REGISTRY= + export OCI_IMAGE_BASE=spectro-images + ``` + + Consider the following example. + + ```shell hideClipboard + export OCI_IMAGE_REGISTRY=example.internal.com + export OCI_PACK_BASE=spectro-packs + export OCI_PACK_REGISTRY=10.10.100.48 + export OCI_IMAGE_BASE=spectro-images + ``` + + + + + + - `ECR_IMAGE_REGISTRY`: The IP address or domain name of the public OCI registry for images. + - `ECR_IMAGE_BASE`: The namespace or repository name that hosts the Palette images. + - `ECR_IMAGE_REGISTRY_REGION`: The AWS region where the ECR registry is located. + - `ECR_PACK_BASE`: The namespace or repository name that hosts the Palette packs. + - `ECR_PACK_REGISTRY`: The IP address or domain name of the OCI registry. + - `ECR_PACK_REGISTRY_REGION`: The AWS region where the ECR registry is located. + + ```shell + export ECR_IMAGE_REGISTRY= + export ECR_IMAGE_BASE=spectro-images + export ECR_IMAGE_REGISTRY_REGION= + export ECR_PACK_REGISTRY= + export ECR_PACK_BASE=spectro-packs + export ECR_PACK_REGISTRY_REGION= + ``` + + Consider the following example. + + ```shell hideClipboard + export ECR_IMAGE_REGISTRY=public.ecr.aws/1234567890 + export ECR_IMAGE_BASE=spectro-images + export ECR_IMAGE_REGISTRY_REGION=us-east-1 + export ECR_PACK_REGISTRY=123456789.dkr.ecr.us-east-1.amazonaws.com + export ECR_PACK_BASE=spectro-packs + export ECR_PACK_REGISTRY_REGION=us-east-1 + ``` + + + + + +12. Start the airgap setup binary. Replace the file name below with the name of the airgap setup binary you downloaded. 
+ + ```shell + ./airgap-v$VERSION.bin + ``` + + Upon completion, a success message will be displayed. The output in the example below is condensed for brevity. + + ```shell hideClipboard {10} + Verifying archive integrity... 100% MD5 checksums are OK. All good. + Uncompressing Airgap Setup - Version 4.0.17 100% + Setting up Packs + - Pushing Pack cni-calico:3.25.1 + ... + Setting up Images + - Pushing image docker.io/kindest/kindnetd:v20230227-15197099 + - Pushing image gcr.io/cloud-provider-vsphere/cpi/release/manager:v1.22.8 + ..... + Preparing Manifests Archive + Manifests are available in /tmp/spectro-manifests-1696971110.zip. Extract the archive to a file server to serve as a Spectro Cloud Repository + Setup Completed + ``` + + :::info + + If you encounter an error during the airgap setup process, verify the required environment variables are set and + populated correctly. If you are still having issues, reach out to our support team for assistance. + + ::: + +13. Move the manifest file located in your temporary directory to the location of your file server. Unzip the manifest + file to a folder accessible by the file server. Replace the file name below with the name of the manifest file + provided to you by the airgap setup. + + ```shell + unzip spectro-manifests-XXXXXXXXXXXX.zip -d /target/folder + ``` + + :::tip + + If you want to get started quickly with a file server, install + [Caddy](https://caddyserver.com/docs/quick-starts/static-files) or use Python3's + [http sever](https://docs.python.org/3/library/http.server.html) and issue one of the following commands in the + folder where you unzipped the manifest content. Each command will start a file server on port 2015. + + ```shell + caddy file-server --listen :2015 --browse + ``` + + ```shell + python3 -m http.server 2015 + ``` + + We do not recommend serving the manifest content over HTTP, but it is an option if you want to get started quickly. 
+ For production workloads, enable HTTPS on your file server. + + ::: + +14. Review the additional packs available for download. The supplemental packs are optional and not required for a + successful installation. However, to create cluster profiles you may require several of the packs available for + download. Refer to the [Additional Packs](../../airgap/supplemental-packs.md) resource for a list of available + packs. + +15. Once you select the packs you want to install, download the pack binaries and start the binary to initiate the + upload process. This step requires internet access, so you may have to download the binaries on a separate machine + outside the airgap environment and transfer them to the airgap environment using an approved method. + + In the example below, the `airgap-pack-aws-alb-2.5.1.bin` binary permissions are updated to allow execution and the + binary is started. + + ```shell + chmod +x airgap-pack-aws-alb-2.5.1.bin && \ + ./airgap-pack-aws-alb-2.5.1.bin + ``` + + ```shell hideClipboard + Verifying archive integrity... 100% MD5 checksums are OK. All good. + Uncompressing Airgap Pack - aws-alb Version 4.0.17 100% + Setting up Packs + - Pushing Pack aws-alb:2.5.1 + Setting up Images + Setup Completed + ``` + +16. Repeat step 14 for each pack you want to install. + +You have now completed the preparation steps for an airgap installation. Check out the [Validate](#validate) section to +ensure the airgap setup process completed successfully. + +## Validate + +Use the following steps to validate the airgap setup process completed successfully. + +1. Log in to your OCI registry and verify the Palette images and packs are available. + +2. Verify the manifest file is accessible from the file server. The manifest file is required for the Palette + installation process. The screenshot below is an example of a file server hosting the unzipped manifest content. The + example shows Caddy as the file server. 
+ +![Example of a file server hosting the unzipped manifest content](/enterprise-version_airgap_airgap-instructions_file-server-caddy.webp) + +3. Ensure your file server is accessible from the environment in which you are installing Palette. Use the following + command to verify the file server can access the manifest content. Replace the hostname or IP address below with your + file server hostname or IP address. + + ```shell + curl http://:/roar/nickfury/versions.yaml + ``` + + ```yaml hideClipboard + versions: + - version: "3.3" + filepath: "/roar/nickfury/3.3/version.yaml" + patchVersionsFilepath: "/roar/nickfury/3.3/versions.yaml" + - version: "3.4" + filepath: "/roar/nickfury/3.4/version.yaml" + patchVersionsFilepath: "/roar/nickfury/3.4/versions.yaml" + - version: "4.0" + filepath: "/roar/nickfury/4.0/version.yaml" + patchVersionsFilepath: "/roar/nickfury/4.0/versions.yaml" + ``` + +## Next Steps + +You are now ready to install the airgap self-hosted Palette. You will specify your OCI registry and file server during +the installation process. Refer to the [Install Palette](./airgap-install.md) guide for detailed guidance on installing +Palette. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md index 5b53071d75..9bed8b5b29 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md 
@@ -14,8 +14,20 @@ three-node cluster is created. You use a Helm chart our support team provides to To get started with Palette on Kubernetes, refer to the [Install Instructions](install.md) guide. +## Get Started + +Select the scenario and the corresponding guide to install Palette on Kubernetes. If you are installing Palette in an +airgap environment, refer to the environment preparation guide before installing Palette. + +| Scenario | Environment Preparation Guide | Install Guide | +| -------------------------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------------------------------- | +| Install Palette on Kubernetes with internet connectivity | None | [Install Instructions](install.md) | +| Install Palette on Kubernetes in an airgap environment | [Environment Setup](./airgap-install/kubernetes-airgap-instructions.md) | [Airgap Install Instructions](./airgap-install/install.md) | + ## Resources -- [Install Instructions](install.md) +- [Non-Airgap Install Instructions](install.md) + +- [Airgap Install Instructions](./airgap-install/install.md) - [Helm Configuration Reference](palette-helm-ref.md) diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md index 821be447f5..fedba846da 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md @@ -1,6 +1,6 @@ --- -sidebar_label: "Instructions" -title: "Instructions" +sidebar_label: "Non-Airgap Installation" +title: "Install Non-Airgap Self-Hosted Palette" description: "Learn how to deploy self-hosted Palette to a Kubernetes cluster using a Helm Chart." icon: "" hide_table_of_contents: false 
@@ -11,20 +11,8 @@ keywords: ["self-hosted", "enterprise"] You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your production environment. -This installation method is common in secure environments with restricted network access that prohibits using Palette -SaaS. Review our [architecture diagrams](../../../architecture/networking-ports.md) to ensure your Kubernetes cluster -has the necessary network connectivity for Palette to operate successfully. - ## Prerequisites -:::warning - -If you are installing an airgap Palette, ensure you complete all the airgap pre-install steps before proceeding with the -installation. Refer to the [Kubernetes Airgap Instructions](../airgap/kubernetes-airgap-instructions.md) guide for more -information. - -::: - - [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. - [Helm](https://helm.sh/docs/intro/install/) is installed and available. @@ -85,8 +73,6 @@ information. - Access to the Palette Helm Charts. Refer to the [Access Palette](../../enterprise-version.md#access-palette) for instructions on how to request access to the Helm Chart -
- :::warning Do not use a Palette-managed Kubernetes cluster when installing Palette. Palette-managed clusters contain the Palette @@ -136,10 +122,6 @@ your environment. Reach out to our support team if you need assistance. parameters before installing Palette. You can learn more about the parameters in the **values.yaml** file in the [Helm Configuration Reference](palette-helm-ref.md) page. - - - - | **Parameter** | **Description** | **Type** | | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | `env.rootDomain` | The URL name or IP address you will use for the Palette installation. | string | @@ -151,9 +133,10 @@ your environment. Reach out to our support team if you need assistance. Save the **values.yaml** file after you have populated the required parameters mentioned in the table. Expand the following sections to review an example of the **values.yaml** file with the required parameters highlighted. -
+ + - Example - values.yaml + ```yaml {53,77-85,97-102} ######################### @@ -378,32 +361,11 @@ your environment. Reach out to our support team if you need assistance. scheduleOnControlPlane: true ``` -
-
- + - | **Parameter** | **Description** | **Type** | - | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | - | `env.rootDomain` | The URL name or IP address you will use for the Palette installation. | string | - | `config.installationMode` | The installation mode for Palette. The values can be `connected` or `airgap`. Set this value to `airgap`. | string | - | `ociPackEcrRegistry` | The OCI registry credentials for the Palette FIPS packs repository. | object | - | `ociImageRegistry` | The OCI registry credentials for the Palette images repository. | object | - | `ociImageRegistry.mirrorRegistries` | Replace the placeholder string with the respective values of your OCI registry repository that is hosting the images. | - | `imageSwapConfig.isEKSCluster` | Set this value to `false` if you are NOT installing Palette on an EKS cluster. | boolean | - | `scar` | Specify your HTTP file server values. If your HTTP file server requires credentials ensure the provided values are base64 encoded. Example of the string "admin" in base64 encoding - `YWRtaW4=`. | object | - | `ingress.enabled` | Whether to install the Nginx ingress controller. Set this to `false` if you already have an Nginx controller deployed in the cluster. | boolean | - | `reach-system` | Set `reach-system.enabled` to `true` and configure the `reach-system.proxySettings` parameters for Palette to use a network proxy in your environment | object | - - Save the **values.yaml** file after you have populated the required parameters mentioned in the table. Expand the - following sections to review an example of the **values.yaml** file with the required parameters highlighted. - -
- - Example - values.yaml - - ```yaml {23,53,77-85,87-95,97-102,109} + ```yaml {53,68-75,110-115} ######################### # Spectro Cloud Palette # ######################### @@ -426,7 +388,7 @@ your environment. Reach out to our support team if you need assistance. storageClass: "" # leave empty to use the default storage class config: - installationMode: "airgap" #values can be connected or airgap. + installationMode: "connected" #values can be connected or airgap. # SSO SAML Configuration (Optional for self-hosted type) sso: 
@@ -463,47 +425,60 @@ your environment. Reach out to our support team if you need assistance. cluster: stableEndpointAccess: false - # registry: - # endpoint: "" # - # name: "" # - # password: "" # - # username: "" # - # insecureSkipVerify: false - # caCert: "" + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + ociPackRegistry: + endpoint: "example.harbor.org" # + name: "Palette Packs OCI" # + password: "**************" # + username: "**************" # + baseContentPath: "spectro-packs" # + insecureSkipVerify: false + caCert: "" + + # ociPackEcrRegistry: + # endpoint: "" # + # name: "" # + # accessKey: "" # + # secretKey: "" # + # baseContentPath: "" # + # isPrivate: true + # insecureSkipVerify: false + # caCert: "" - # ociPackRegistry: - # endpoint: "" # - # name: "" # - # password: "" # - # username: "" # - # baseContentPath: "" # - # insecureSkipVerify: false - # caCert: "" + # ociImageRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + # mirrorRegistries: "" - ociPackEcrRegistry: - endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com" # - name: "Airgap Packs OCI" # - accessKey: "*************" # - secretKey: "*************" # - baseContentPath: "spectro-packs" # - isPrivate: true - insecureSkipVerify: true - caCert: "" - - ociImageRegistry: - endpoint: "public.ecr.aws/123456789" # - name: "Airgap Image OCI" # - password: "" # - username: "" # - baseContentPath: "spectro-images" # - insecureSkipVerify: true - caCert: "" - mirrorRegistries: "docker.io::public.ecr.aws/v2/123456789/spectro-images,gcr.io::public.ecr.aws/v2/123456789/spectro-images,ghcr.io::public.ecr.aws/v2/123456789/spectro-images,k8s.gcr.io::public.ecr.aws/v2/123456789/spectro-images,registry.k8s.io::public.ecr.aws/v2/123456789/spectro-images,quay.io::public.ecr.aws/v2/123456789/spectro-images" + # Instruction for 
mirrorRegistries. + # ---------------------------------- + # Please provide the registry endpoint for the following registries, separated by double colons (::): + # docker.io + # gcr.io + # ghcr.io + # k8s.gcr.io + # registry.k8s.io + # quay.io + # For each registry, follow this example format: + # docker.io::/v2/,gcr.io::/v2/,ghcr.io::/v2/,k8s.gcr.io::/v2/,registry.k8s.io::/v2/,quay.io::/v2/ + # Replace with your actual registry endpoint and , , , , , and with the specific endpoint details for each registry. scar: - endpoint: "http://10.15.20.15:2015" - username: "YWRtaW4=" - password: "YWRtaW4=" + endpoint: "https://saas-repo.console.spectrocloud.com" + username: "**********" + password: "**********" insecureSkipVerify: true caCert: "" @@ -622,115 +597,72 @@ your environment. Reach out to our support team if you need assistance. http_proxy: "" https_proxy: "" no_proxy: "" - ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. This file should contain the Proxy CA Certificate, in case the Proxy being used requires a certificate. scheduleOnControlPlane: true ``` -
-
-:::warning - -Ensure you have configured the **values.yaml** file with the required parameters before proceeding to the next steps. - -::: - -5. This step only applies to those who are installing an airgap Palette or who are using a self-hosted OCI registry with - registry caching enabled. Otherwise, skip to the next step. - - Go ahead and install the image-swap chart using the following command. Point to the **values.yaml** file you - configured in the previous step. - - ```shell - helm upgrade --values palette/values.yaml \ - image-swap extras/image-swap/image-swap-*.tgz --install - ``` - - ```shell hideClipboard - Release "image-swap" does not exist. Installing it now. - NAME: image-swap - LAST DEPLOYED: Mon Jan 29 17:04:23 2024 - NAMESPACE: default - STATUS: deployed - REVISION: 1 - TEST SUITE: None - ``` - -6. This step is only required if you are installing Palette in an environment where a network proxy must be configured - for Palette to access the internet. If you are not using a network proxy, skip to the next step. - - Install the reach-system chart using the following command. Point to the **values.yaml** file you configured in the - previous step. + :::warning - ```shell - helm upgrade --values palette/values.yaml \ - reach-system extras/reach-system/reach-system-*.tgz --install - ``` + Ensure you have configured the **values.yaml** file with the required parameters before proceeding to the next + steps. - ```shell hideClipboard - Release "reach-system" does not exist. Installing it now. - NAME: reach-system - LAST DEPLOYED: Mon Jan 29 17:04:23 2024 - NAMESPACE: default - STATUS: deployed - REVISION: 1 - TEST SUITE: None - ``` + ::: -7. Install the Palette Helm Chart using the following command. +5. Install the Palette Helm Chart using the following command. 
- ```shell - helm upgrade --values palette/values.yaml \ - hubble palette/spectro-mgmt-plane-*.tgz --install - ``` + ```shell + helm upgrade --values palette/values.yaml \ + hubble palette/spectro-mgmt-plane-*.tgz --install + ``` - ```shell hideClipboard - Release "hubble" does not exist. Installing it now. - NAME: hubble - LAST DEPLOYED: Mon Jan 29 17:07:51 2024 - NAMESPACE: default - STATUS: deployed - REVISION: 1 - TEST SUITE: None - ``` + ```shell hideClipboard + Release "hubble" does not exist. Installing it now. + NAME: hubble + LAST DEPLOYED: Mon Jan 29 17:07:51 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` -8. Track the installation process using the command below. Palette is ready when the deployments in the namespaces - `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` reach the _Ready_ state. The - installation takes between two to three minutes to complete. +6. Track the installation process using the command below. Palette is ready when the deployments in the namespaces + `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` reach the _Ready_ state. The + installation takes between two to three minutes to complete. - ```shell - kubectl get pods --all-namespaces --watch - ``` + ```shell + kubectl get pods --all-namespaces --watch + ``` - :::tip + :::tip - For a more user-friendly experience, use the open-source tool [k9s](https://k9scli.io/) to monitor the installation - process. + For a more user-friendly experience, use the open-source tool [k9s](https://k9scli.io/) to monitor the installation + process. - ::: + ::: -9. Create a DNS CNAME record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the - following command to retrieve the load balancer IP address. You may require the assistance of your network - administrator to create the DNS record. +7. 
Create a DNS CNAME record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the + following command to retrieve the load balancer IP address. You may require the assistance of your network + administrator to create the DNS record. - ```shell - kubectl get service ingress-nginx-controller --namespace ingress-nginx \ - --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' - ``` + ```shell + kubectl get service ingress-nginx-controller --namespace ingress-nginx \ + --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' + ``` - :::info + :::info - As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For - example, if you create a tenant named `tenant1` and the domain name you assigned to Palette is `palette.example.com`, - the tenant URL will be `tenant1.palette.example.com`. You can create an additional wildcard DNS record to map all - tenant URLs to the Palette load balancer. + As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For + example, if you create a tenant named `tenant1` and the domain name you assigned to Palette is + `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. You can create an additional wildcard + DNS record to map all tenant URLs to the Palette load balancer. - ::: + ::: -10. Use the custom domain name or the IP address of the load balancer to visit the Palette system console. To access the +8. Use the custom domain name or the IP address of the load balancer to visit the Palette system console. To access the system console, open a web browser and paste the custom domain URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer. Alternatively, you can use the load balancer IP address with the appended value `/system` to access the system 
@@ -742,17 +674,17 @@ Ensure you have configured the **values.yaml** file with the required parameters ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.webp) -11. Log in to the system console using the following default credentials. +9. Log in to the system console using the following default credentials. | **Parameter** | **Value** | | ------------- | --------- | | Username | `admin` | | Password | `admin` | -After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be -redirected to the Palette system console. + After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be + redirected to the Palette system console. -11. After login, a summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a +10. After login, a summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority files to Palette. You can upload the files using the Palette system console. Refer to the [Configure HTTPS Encryption](../../system-management/ssl-certificate-management.md) page for instructions on how to diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md index 861eee919c..9dda4d0d9d 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md 
@@ -1,6 +1,6 @@ --- -sidebar_label: "Helm Chart Install Reference" -title: "Helm Chart Install References" +sidebar_label: "Helm Configuration Reference" +title: "Helm Chart Configuration Reference" description: "Reference for Palette Helm Chart installation parameters." icon: "" hide_table_of_contents: false @@ -14,8 +14,6 @@ The Helm chart allows you to customize values in the **values.yaml** file. This available in the **values.yaml** file from the Helm Chart for your installation. To learn how to install Palette using the Helm Chart, refer to the [Palette Helm install](install.md) guide. -
- ### Required Parameters The following parameters are required for a successful installation of Palette. @@ -35,7 +33,7 @@ information, refer to the [Image Swap Configuration](#image-swap-configuration) ### MongoDB -Palette uses MongoDB Enterprise as its internal database and supports two modes of deployment:

+Palette uses MongoDB Enterprise as its internal database and supports two modes of deployment: - MongoDB Enterprise deployed and active inside the cluster. @@ -158,8 +156,6 @@ config: rootDomain: "" ``` -
- :::warning As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For example, @@ -190,8 +186,6 @@ Palette to download the required images. You must configure at least one Open Co Palette. You must also provide the credentials for the Spectro Cloud Artifact Repository (SCAR) to download the required FIPS images. -
- #### OCI Registry Palette requires access to an OCI registry that contains all the required FIPS packs. You can host your own OCI registry @@ -290,8 +284,6 @@ SCAR credentials are required to download the necessary FIPS manifests. Our supp | `scar.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the SCAR connection. | Boolean | `false` | | `scar.caCert` | The base64-encoded certificate authority (CA) certificate for SCAR. | String | `""` | -
- ```yaml config: scar: @@ -315,8 +307,6 @@ option, otherwise, Palette will ignore the configuration. | `imageSwapConfig` | The image swap configuration for specific environments. | String | `""` | | `imageSwapConfig.isEKSCluster` | Specifies whether the cluster is an Amazon EKS cluster. Set to `false` if the Kubernetes cluster is not an EKS cluster. | Boolean | `true` | -
- ```yaml config: imageSwapImages: @@ -342,8 +332,6 @@ and is not required for most deployments. Speak with your support representative | `nats.annotations` | A map of key-value pairs that specifies load balancer annotations for NATS. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification. | Object | `{}` | | `nats.natsStaticIP` | Specify a static IP address for the NATS load balancer service. If empty, a dynamic IP address will be assigned to the load balancer. | String | `""` | -
- ```yaml nats: enabled: true diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/_category_.json b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/_category_.json new file mode 100644 index 0000000000..c3460c6dbd --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/_category_.json @@ -0,0 +1,3 @@ +{ + "position": 30 +} diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/airgap-install.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/airgap-install.md new file mode 100644 index 0000000000..8bdeb67848 --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/airgap-install.md 
@@ -0,0 +1,67 @@ +--- +sidebar_label: "Airgap Installation" +title: "Airgap Installation" +description: "Learn how to deploy self-hosted Palette in an airgapped environment." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["self-hosted", "enterprise", "airgap"] +keywords: ["self-hosted", "enterprise"] +--- + +You can install Palette in an airgap VMware vSphere environment. An airgap environment lacks direct access to the +internet and is intended for environments with strict security requirements. + +The installation process for an airgap environment is different due to the lack of internet access. Before the primary +Palette installation steps, you must download the following artifacts. + +- Palette platform manifests and required platform packages. + +- Container images for core platform components and third-party dependencies. + +- Palette packs. + +The other significant change is that Palette's default public OCI registry is not used. Instead, a private OCI registry +is utilized for storing images and packs. + +## Overview + +Before you can install Palette in an airgap environment, you must complete all the required pre-installation steps. The +following diagram outlines the major pre-installation steps for an airgap installation. + +![An architecture diagram outlining the five different installation phases](/enterprise-version_air-gap-repo_overview-order-diagram.webp) + +1. Download the airgap setup binary from the URL provided by the support team. The airgap setup binary is a + self-extracting archive that contains the Palette platform manifests, images, and required packs. The airgap setup + binary is a one-time use binary for uploading Palette images and packs to your OCI registry. You will not use the + airgap setup binary again after the initial installation. This step must be completed in an environment with internet + access. + +2. Move the airgap setup binary to the airgap environment. 
The airgap setup binary is used to extract the manifest + content and upload the required images and packs to your private OCI registry. Start the airgap setup binary in a + Linux Virtual Machine (VM). + +3. The airgap script will push the required images and packs to your private OCI registry. + +4. Extract the manifest content from the airgap setup binary. The manifest content must be hosted on a web server that + is accessible from the airgap environment. You can use the same Linux VM from step 2 to host the manifest content or + use a different web server. + +5. Install Palette using the Palette CLI or the Kubernetes Helm chart. + +Configure your Palette environment + +## Get Started + +To get started with an airgap Palette installation, begin by reviewing the +[Environment Setup](./vmware-vsphere-airgap-instructions.md) guide. + +## Resources + +- [Environment Setup](./vmware-vsphere-airgap-instructions.md) + +- [Airgap Install Checklist](./checklist.md) + +- [Airgap Install](./airgap-install.md) + +- [Additional Packs](../../airgap/supplemental-packs.md) diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/checklist.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/checklist.md new file mode 100644 index 0000000000..1bc8bed37d --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/checklist.md 
@@ -0,0 +1,27 @@ +--- +sidebar_label: "Checklist" +title: "Checklist" +description: + "An airgap installation of Palette requires a few steps to be completed before the installation can begin. This + checklist will help you prepare for the installation." +icon: "" +sidebar_position: 10 +hide_table_of_contents: false +tags: ["palette", "self-hosted", "airgap"] +keywords: ["self-hosted", "enterprise"] +--- + +Use the following checklist to ensure you have completed all the required steps before deploying the airgap Palette +installation. + +- [ ] Create a vSphere VM and Template folder named `spectro-templates`. + +- [ ] Import the Operating System and Kubernetes distribution OVA required for the installation and place the OVA in the + `spectro-templates` folder. + +- [ ] Append the `r_` prefix and remove the `.ova` suffix from the OVA name after the import. + +- [ ] Start the airgap setup binary and verify the setup is completed successfully. + +- [ ] Review the list of [pack binaries](../../airgap/supplemental-packs.md) to download and upload to your OCI + registry. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/install.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/install.md new file mode 100644 index 0000000000..db92a3a87f --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/install.md 
@@ -0,0 +1,395 @@ +--- +sidebar_label: "Install Palette" +title: "Install Palette" +description: "Learn how to install Palette on VMware." +icon: "" +sidebar_position: 30 +hide_table_of_contents: false +tags: ["palette", "self-hosted", "vmware"] +keywords: ["self-hosted", "enterprise"] +--- + +Palette can be installed on VMware vSphere in an airgap environment. When you install Palette, a three-node cluster is +created. You use the interactive Palette CLI to install Palette on VMware vSphere. Refer to +[Access Palette](../../../enterprise-version.md#access-palette) for instructions on requesting the required credentials +and assets. + +:::warning + +Complete the [Environment Setup](./vmware-vsphere-airgap-instructions.md) steps before proceeding with the installation. + +::: + +## Prerequisites + +- An AMD64 Linux environment with connectivity to the VMware vSphere environment. + +- [Docker](https://docs.docker.com/engine/install/) or equivalent container runtime installed and available on the Linux + host. + +- Palette CLI installed and available. Refer to the Palette CLI + [Install](../../../../palette-cli/install-palette-cli.md#download-and-setup) page for guidance. + +- Review the required VMware vSphere [permissions](../vmware-system-requirements.md). Ensure you have created the proper + custom roles and zone tags. + +- We recommended the following resources for Palette. Refer to the + [Palette size guidelines](../../install-palette.md#size-guidelines) for additional sizing information. + + - 8 CPUs per VM. + + - 16 GB Memory per VM. + + - 100 GB Disk Space per VM. + +- The following network ports must be accessible for Palette to operate successfully. + + - TCP/443: Inbound to and outbound from the Palette management cluster. + + - TCP/6443: Outbound traffic from the Palette management cluster to the deployed cluster's Kubernetes API server. 
+ +- The network IP address range you specify during the installation must not overlap with any existing IP addresses in + your environment. The IP address range must also have connectivity to the VMware vSphere environment. + +- Ensure you have an SSL certificate that matches the domain name you will assign to Palette. You will need this to + enable HTTPS encryption for Palette. Reach out to your network administrator or security team to obtain the SSL + certificate. You need the following files: + + - x509 SSL certificate file in base64 format. + + - x509 SSL certificate key file in base64 format. + + - x509 SSL certificate authority file in base64 format. This file is optional. + +- Zone tagging is required for dynamic storage allocation across fault domains when provisioning workloads that require + persistent storage. Refer to [Zone Tagging](../../install-on-vmware/vmware-system-requirements.md) for information. + +- Assigned IP addresses for application workload services, such as Load Balancer services. + +- Shared Storage between VMware vSphere hosts. + +:::info + +Self-hosted Palette installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not +require a separate, user-installed PCG. However, you can create additional PCGs as needed to support provisioning into +remote data centers that do not have a direct incoming connection from the Palette console. To learn how to install a +PCG on VMware, check out the [VMware](../../../../clusters/pcg/deploy-pcg/vmware.md) guide. + +::: + +## Deployment + +The video below demonstrates the installation wizard and the prompts you will encounter. Take a moment to watch the +video before you begin the installation process. Make sure to use values that are appropriate for your environment. Use +the **three-dots Menu** in the lower right corner of the video to expand the video to full screen and to change the +playback speed. + + + +Use the following steps to install Palette. + +1. 
Log in to your vCenter environment. + +2. Create a vSphere VM and Template folder with the name `spectro-templates`. Ensure this folder is accessible by the + user account you will use to deploy the airgap VerteX installation. + +3. Use the URL below to import the Operating System and Kubernetes distribution OVA required for the install. Place the + OVA in the `spectro-templates` folder. + + ```url + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12711-0.ova + ``` + +4. Append an `r_` prefix to the OVA name and remove the `.ova` suffix after the import. For example, the final output + should look like `r_u-2204-0-k-12711-0`. This naming convention is required for the install process to identify the + OVA. Refer to the [Supplement Packs](../../airgap/supplemental-packs.md#additional-ovas) page for a list of + additional OVAs you can download and upload to your vCenter environment. + + :::tip + + You can also use the **Deploy OVF Template** wizard in vSphere to make the OVA available in the `spectro-templates` + folder. Append the `r_` prefix, and remove the `.ova` suffix when assigning a name and target location. You can + terminate the deployment after the OVA is available in the `spectro-templates` folder. Refer to the + [Deploy an OVF or OVA Template](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-AFEDC48B-C96F-4088-9C1F-4F0A30E965DE.html) + guide for more information about deploying an OVA in vCenter. + + ::: + +5. Open a terminal window and invoke the Palette CLI by using the `ec` command to install the enterprise cluster. The + interactive CLI prompts you for configuration details and then initiates the installation. For more information + about the `ec` subcommand, refer to [Palette Commands](../../../../palette-cli/commands/commands.md). + + ```bash + palette ec install + ``` + +6. At the **Enterprise Cluster Type** prompt, choose **Palette**. + +7. Type `y` if you want to use Ubuntu Pro. 
Otherwise, type `n`. If you choose to use Ubuntu Pro, you will be prompted + to enter your Ubuntu Pro token. + +8. Provide the URL or IP address of the Spectro Cloud Repository that is provided to you by the airgap setup script + +
+ + :::info + + If you are using the Palette CLI from inside an airgap support VM, the CLI will automatically detect the airgap + environment and prompt you to **Use local, air-gapped Spectro Cloud Artifact Repository (SCAR) configuration**. Type + `y` to use the local resources and skip filling in the repository URL and credentials. + + ::: + +9. Enter the repository credentials. Our support team provides the credentials you need to access the public Spectro + Cloud repository. Airgap installations, provide the credentials to your private repository provided to you by the + airgap setup script . + +10. Choose `VMware vSphere` as the cloud type. This is the default. + +11. Type an enterprise cluster name, or use the default value. Your VM instances will use this name as a prefix. + +12. When prompted, enter the information listed in each of the following tables. + + #### Environment Configuration + + | **Parameter** | **Description** | + | :-------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **HTTPS Proxy** | Leave this blank unless you are using an HTTPS Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `https://USERNAME:PASSWORD@PROXYIP:PROXYPORT`. | + | **HTTP Proxy** | Leave this blank unless you are using an HTTP Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `http://USERNAME:PASSWORD@PROXYIP:PROXYPORT`. | + | **No Proxy** | You will be prompted to provide a list of local network CIDR addresses, hostnames, and domain names that should be excluded from being a proxy. This setting will be propagated to all the nodes to bypass the proxy server. 
Example if you have a self-hosted environment: `my.company.com,10.10.0.0/16` | + | **Proxy CA Certificate Filepath** | The default is blank. You can provide the filepath of a CA certificate on the installer host. If provided, this CA certificate will be copied to each host in the PCG cluster during deployment. The provided path will be used on the PCG cluster hosts. Example: `/usr/local/share/ca-certificates/ca.crt`. | + | **Pod CIDR** | Enter the CIDR pool IP that will be used to assign IP addresses to pods in the EC cluster. The pod IP addresses should be unique and not overlap with any machine IPs in the environment. | + | **Service IP Range** | Enter the IP address range that will be used to assign IP addresses to services in the EC cluster. The service IP addresses should be unique and not overlap with any machine IPs in the environment. | + +13. Fill out the registry configuration details. If you are using the Palette CLI from inside an airgap support VM, the + CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Pack Registry?** Type + `y` to use the local resources and skip filling in the OCI registry URL and credentials. Otherwise, you will need to + provide the OCI registry configuration values for your pack and image registry. + + :::warning + + For self-hosted OCI registries, ensure you have the server Certificate Authority (CA) certificate file available on + the host where you are using the Palette CLI. You will be prompted to provide the file path to the OCI CA + certificate. Failure to provide the OCI CA certificate will result in self-linking errors. Refer to the + [Self-linking Error](../../../../troubleshooting/enterprise-install.md#scenario---self-linking-error) + troubleshooting guide for more information. 
+ + ::: + + #### Pack & Image Registry Configuration + + | **Parameter** | **Description** | + | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. Airgap users, select `OCI`. | + | **Registry Name** | Enter the name of the registry. | + | **Registry Endpoint** | Enter the registry endpoint. Airgap users, provide the **Spectro Cloud Repository** URL or hostname shared by the airgap setup script. | + | **Registry Base Path** | Enter the registry base path. | + | **Allow Insecure Connection** | Bypasses x509 verification. Type `n` to specify a certificate authority in the follow-up prompt. Airgap user, ensure you select `n`. | + | **Registry CA certificate filepath** | Specify the file path to the certificate authority. Use absolute paths. Airgap users, provide the filepath displayed by the aurgap setup script. | + | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. | + | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. | + | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. | + | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. | + | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. 
Airgap users, select `n` so that you can specify the values for the OCI registry that contains all the required images. | + + When prompted to **Pull images from public registry**, type `n` and specify the OCI registry configuration values for + your image registry. If you are an airgap support VM, the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Image Registry?** Type `y` to use the local resources and skip filling in the OCI registry URL and credentials. + Refer to the table above for more information. + + :::info + + You will be provided with an opportunity to update the mirror registries values. To exit `vi` press the `Escape` key + and type `:wq` to save and exit. + + ::: + +14. The next set of prompts is for the VMware vSphere account information. Enter the information listed in the following + table. + + #### VMware vSphere Account Information + + | **Parameter** | **Description** | + | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **vSphere Endpoint** | VMware vSphere endpoint. Must be a fully qualified domain name (FQDN) or IP address without a scheme - that is, without an IP protocol, such as `https://`. Example: `vcenter.mycompany.com`. | + | **vSphere Username** | VMware vSphere account username. | + | **vSphere Password** | VMware vSphere account password. | + | **Allow Insecure Connection** | Bypasses x509 verification. Type `Y` if using a VMware vSphere instance with self-signed Transport Layer Security (TLS) certificates. Otherwise, type `n`. | + + #### VMware vSphere Cluster Configuration + + This information determines where Palette will be deployed in your VMware vSphere environment. 
The Palette CLI will + use the provided VMware credentials to retrieve information from your VMware vSphere environment and present options + for you to select from. + + | **Parameter** | **Description** | + | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Datacenter** | The installer retrieves the Datacenter automatically. | + | **Folder** | Select the folder that contains the VM instance. | + | **Cluster** | Select the cluster where you want to deploy Palette. | + | **Network** | Select the network where you want to deploy Palette. | + | **Resource Pool** | Select the resource pool where you want to deploy Palette. | + | **Datastore** | Select the datastore where you want to deploy Palette. | + | **Fault Domains** | Configure one or more fault domains by selecting values for these properties: Cluster, Network (with network connectivity), Resource Pool, and Storage Type (Datastore or VM Storage Policy). Note that when configuring the Network, if you are using a distributed switch, choose the network that contains the switch. | + | **NTP Servers** | You can provide a list of Network Time Protocol (NTP) servers. | + | **SSH Public Keys** | Provide any public SSH keys to access your Palette VMs. This option opens up your system's default text editor. Vi is the default text editor for most Linux distributions. To review basic vi commands, check out the [vi Commands](https://www.cs.colostate.edu/helpdocs/vi.html) reference. | + +15. Specify the IP pool configuration. The placement type can be Static or Dynamic Domain Name Server (DDNS). Choosing + static placement creates an IP pool from which VMs are assigned IP addresses. Choosing DDNS assigns IP addresses + using DNS. 
+ + #### Static Placement Configuration + + | **Parameter** | **Description** | + | ------------------------------- | ------------------------------------------------------------------------------------------- | + | **IP Start range** | Enter the first address in the EC IP pool range. | + | **IP End range** | Enter the last address in the EC IP pool range. | + | **Network Prefix** | Enter the network prefix for the IP pool range. Valid values are in [0, 32]. Example: `18`. | + | **Gateway IP Address** | Enter the IP address of the static IP gateway. | + | **Name servers** | Comma-separated list of DNS name server IP addresses. | + | **Name server search suffixes** | An optional comma-separated list of DNS search domains. | + +16. The last set of prompts are for the vSphere machine and database configuration. Use the following table for + guidance. + + #### vSphere Machine Configuration + + | **Parameter** | **Description** | + | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Small** | Deploy VM nodes with 8 CPU, 16 GB memory, 60 GB storage. The database specs are 20 GB database with 2 CPU limit and 4 GB memory limit. | + | **Medium** | Deploy VM nodes with 16 CPU, 32 GB memory, 100 GB storage. The database specs are 60 GB database with 4 cpu limit and 8 GB memory limit. | + | **Large** | Deploy VM nodes with 32 CPU, 64 GB memory, 120 GB storage. The database specs are 80 GB database with 8 CPU limit and 16 GB memory limit. | + | **Custom** | Deploy VM nodes with custom CPU, memory, storage, database size, CPU limit, and memory limit. If you specify custom, you will be prompted for the CPU, memory, and storage. 
| + + #### Additional vSphere Machine Configuration + + | **Parameter** | **Description** | + | ----------------- | ---------------------------------------------------------------------------------------- | + | **Node Affinity** | Select the node affinity. Enter `y` to schedule all Palette pods on control plane nodes. | + + The installation process stands up a [kind](https://kind.sigs.k8s.io/) cluster locally that will orchestrate the + remainder of the installation. The installation takes some time to complete. + + The Palette CLI creates a file named `ec.yaml` that contains the information you provided the wizard, and its + location is displayed in the terminal. Credentials and tokens are encrypted in the YAML file. + + ```bash hideClipboard + ==== Enterprise Cluster config saved ==== + Location: :/home/spectro/.palette/ec/ec-20230706150945/ec.yaml + ``` + + :::tip + + If an error occurs during installation, remove the `kind` cluster that was created and restart the installation. To + remove the `kind` cluster, issue the following command. Replace `spectro-mgmt-cluster` with the name of your cluster + if you used a different name. + + ```bash + kind delete cluster spectro-mgmt-cluster + ``` + + Restart the install process by referencing the `ec.yaml` file that was created during the first installation + attempt. For example: + + ```bash + palette ec install --config /home/spectro/.palette/ec/ec-20230706150945/ec.yaml + ``` + + ::: + + When the installation is complete, Enterprise Cluster Details that include a URL and default credentials are + displayed in the terminal. You will use these to access the Palette system console. 
+ + ```bash hideClipboard + =========================================== + ==== Enterprise Cluster System Console ==== + =========================================== + Console URL: https://10.10.100.0/system + Username: ************ + Password: ************ + + The first of three Enterprise Cluster nodes is online and will now provision nodes two and three. + + It will take another ~30-45 minutes for the installation to complete. + + You can monitor its progress via kubectl/k9s or by viewing the System Console. + + export KUBECONFIG=/ubuntu/.palette/ec/ec-20231012215923/spectro_mgmt.conf + ``` + +17. Copy the URL to the browser to access the system console. You will be prompted to reset the password. + + :::info + + The first time you visit the Palette system console, a warning message about an untrusted SSL certificate may + appear. This is expected, as you have not yet uploaded your SSL certificate to Palette. You can ignore this warning + message and proceed. + + ::: + + ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.webp) + +18. Copy the URL and paste it in your browser's URL field to access the system console. You will be prompted to reset + the password. + + :::info + + The first time you visit the Palette VerteX system console, a warning message about an untrusted SSL certificate may + appear. This is expected, as you have not yet uploaded your SSL certificate to Palette VerteX. You can ignore this + warning message and proceed. + + ::: + +19. Log in to the system console using the credentials provided in the Enterprise Cluster Details output. After login, + you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to + the Palette system console. + +20. After login, a Summary page is displayed. Palette is installed with a self-signed SSL certificate. 
To assign a + different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority + files to Palette. You can upload the files using the Palette system console. Refer to the + [Configure HTTPS Encryption](../../../system-management/ssl-certificate-management.md) page for instructions on how + to upload the SSL certificate files to Palette. + +21. The last step is to start setting up a tenant. To learn how to create a tenant, check out the + [Tenant Management](../../../system-management/tenant-management.md) guide. + + ![Screenshot of the Summary page showing where to click Go to Tenant Management button.](/palette_installation_install-on-vmware_goto-tenant-management.webp) + +## Validate + +You can verify the installation is successful if you can access the system console using the IP address provided in +Enterprise Cluster Details and if the Summary page displays the **Go to Tenant Management** button. + +You can also validate that a three-node Kubernetes cluster is launched and Palette is deployed on it. + +1. Log in to the vCenter Server by using vSphere Client. + +2. Navigate to your vSphere Datacenter and locate your Palette VM instances. The VMs are prefixed with the name you + provided during the installation. For example, if you provided `spectro-mgmt-cluster` as the name, the VMs are named + `spectro-mgmt-cluster-`, followed by a unique set of alphanumeric values. Verify three nodes are available. + +3. Open a web browser session, and use the IP address provided in Enterprise Cluster Details at the completion of the + installation to connect to the Palette system console. Copy the IP address to the address bar and append `/system`. + +4. Log in using your credentials. + +5. A **Summary** page will be displayed that contains a tile with a **Go to Tenant Management** button. After initial + installation, the **Summary** page shows there are zero tenants. 
+ +## Next Steps + +You have successfully installed Palette in vSphere. Your next steps are to configure Palette for your organization. +Start by creating the first tenant to host your users. Refer +to [Create a Tenant](../../../system-management/tenant-management.md) for instructions. + +After you create the tenant, you are ready to configure authentication types in tenant settings and create users and +teams. + +## Resources + +- [Palette CLI](../../../../palette-cli/install-palette-cli.md#download-and-setup) + +- [VMware System Requirements](../vmware-system-requirements.md) + +- [System Management](../../../system-management/system-management.md) + +- [Enterprise Install Troubleshooting](../../../../troubleshooting/enterprise-install.md) diff --git a/docs/docs-content/enterprise-version/install-palette/airgap/vmware-vsphere-airgap-instructions.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md similarity index 90% rename from docs/docs-content/enterprise-version/install-palette/airgap/vmware-vsphere-airgap-instructions.md rename to docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md index 8ad0e97fa0..5dd7944970 100644 --- a/docs/docs-content/enterprise-version/install-palette/airgap/vmware-vsphere-airgap-instructions.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md @@ -1,10 +1,10 @@ --- -sidebar_label: "VMware vSphere Airgap Instructions" -title: "VMware vSphere Airgap Instructions" +sidebar_label: "Environment Setup" +title: "Environment Setup" description: "Learn how to install Palette in an air gap environment." icon: "" hide_table_of_contents: false -sidebar_position: 30 +sidebar_position: 20 tags: ["self-hosted", "enterprise", "airgap", "vmware", "vsphere"] keywords: ["self-hosted", "enterprise"] --- 
@@ -14,8 +14,7 @@ This guide helps you to prepare your airgap environment for Palette installation :::info This guide is for preparing your airgap environment only. For instructions on installing Palette on -[VMware](../install-on-vmware/install.md) or [Kubernetes](../install-on-kubernetes/install.md), refer to their -respective guides. A checklist of the steps you will complete to prepare your airgap environment for Palette is +[VMware](./install.md). A checklist of the steps you will complete to prepare your airgap environment for Palette is available in the [Checklist](./checklist.md) page. ::: @@ -49,24 +48,20 @@ Palette. - Configure the Dynamic Host Configuration Protocol (DHCP) to access the airgap support VM via SSH. You can disable DHCP or modify the IP address after deploying the airgap support VM. -- Review the required vSphere [permissions](../install-on-vmware/vmware-system-requirements.md) and ensure you've +- Review the required vSphere [permissions](../../install-on-vmware/vmware-system-requirements.md) and ensure you've created the proper custom roles and zone tags. Zone tagging enables dynamic storage allocation across fault domains when provisioning workloads that require persistent storage. Refer to - [Zone Tagging](../install-on-vmware/vmware-system-requirements.md#zone-tagging) for information. - -
+ [Zone Tagging](../../install-on-vmware/vmware-system-requirements.md#zone-tagging) for information. :::info Self-hosted Palette installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not require a separate, user-installed PCG. However, you can deploy additional PCG instances to support provisioning into remote data centers without a direct incoming connection to Palette. To learn how to install a PCG on VMware, check out -the [VMware](../../../clusters/pcg/deploy-pcg/vmware.md) guide. +the [VMware](../../../../clusters/pcg/deploy-pcg/vmware.md) guide. ::: -
- ## Prepare for Airgap Installation Complete the following steps to prepare your airgap environment for Palette installation. @@ -88,13 +83,13 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock distribution OVA required for the installation. ```url - https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12610-0.ova + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12610-0.ova ``` Place the OVA in the **spectro-templates** folder. Append the `r_` prefix, and remove the `.ova` suffix when assigning its name and target location. For example, the final output should look like `r_u-2004-0-k-12610`. This naming convention is required for the installation process to identify the OVA. Refer to the - [Supplement Packs](./supplemental-packs.md#additional-ovas) page for a list of additional OS OVAs. + [Supplement Packs](../../airgap/supplemental-packs.md#additional-ovas) page for a list of additional OS OVAs. You can terminate the deployment after the OVA is available in the `spectro-templates` folder. Refer to the [Deploy an OVF or OVA Template](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-AFEDC48B-C96F-4088-9C1F-4F0A30E965DE.html) @@ -180,8 +175,9 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock 17. If you want to assign a static IP address to the airgap support VM, you can do so now. Click on the box below to expand the instructions. Otherwise, proceed to the next step. -
- Assign a static IP address +
+ + Assign a static IP address Create an empty file to disable cloud-init from overriding the new network configurations you will add. @@ -189,7 +185,8 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock sudo touch /etc/cloud/cloud-init.disabled ``` - Issue the following command to update cloud-init. Select **VMware** from the wizard Menu when prompted. The command will disable cloud-init from managing the network configuration. + Issue the following command to update cloud-init. Select **VMware** from the wizard Menu when prompted. The command + will disable cloud-init from managing the network configuration. ```shell sudo dpkg-reconfigure cloud-init @@ -201,7 +198,8 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock sudo vi /etc/netplan/01-netcfg.yaml ``` - Modify the file to look like the example below. Replace the IP address, gateway, and DNS server with your network settings. Save the file and exit the text editor. + Modify the file to look like the example below. Replace the IP address, gateway, and DNS server with your network + settings. Save the file and exit the text editor. ```yaml network: @@ -214,15 +212,15 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock - 10.1.1.0/18 gateway4: 2.2.2.2 nameservers: - addresses: [1.1.1.1] + addresses: [1.1.1.1] ``` -:::tip + :::tip -If you are working in Vim, press `i` to enter insert mode in the text editor. Press `esc` to exit insert mode. Type -`:wq` to save the file and exit the text editor. + If you are working in Vim, press `i` to enter insert mode in the text editor. Press `esc` to exit insert mode. Type + `:wq` to save the file and exit the text editor. -::: + ::: Issue the following command to apply the changes. @@ -230,7 +228,7 @@ If you are working in Vim, press `i` to enter insert mode in the text editor. Pr sudo netplan apply ``` -
+
18. Switch to the `root` user account. You will need to use the `root` user account to complete the remaining steps. @@ -322,8 +320,8 @@ If you are working in Vim, press `i` to enter insert mode in the text editor. Pr 20. The output of the script contains credentials and values you will need when completing the installation with the Palette CLI. If you need to review this information in the future, invoke the script again. -21. Review the [Additional Packs](./supplemental-packs.md) page and identify any additional packs you want to add to - your OCI registry. By default, the installation includes only the minimum required packs. You can also add +21. Review the [Additional Packs](../../airgap/supplemental-packs.md) page and identify any additional packs you want to + add to your OCI registry. By default, the installation includes only the minimum required packs. You can also add additional packs after the installation is complete. You have now completed the preparation steps for an airgap installation. Check out the [Validate](#validate) section to @@ -401,8 +399,7 @@ installed in the airgap support VM and ready to use. palette ec install ``` -Complete all the Palette CLI steps outlined in the [VMware Install Instructions](../install-on-vmware/install.md) guide -from the airgap support VM. +Complete all the Palette CLI steps outlined in the [Install Palette](./install.md) guide from the airgap support VM. :::info diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install-on-vmware.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install-on-vmware.md index f6cd5368ca..7345e0f14b 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install-on-vmware.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install-on-vmware.md 
@@ -14,6 +14,8 @@ Refer to [Access Palette](../../enterprise-version.md#access-palette) for instru ## Resources -- [Install on VMware](install.md) +- [Non-Airgap Install on VMware](install.md) + +- [Airgap Install](./airgap-install/airgap-install.md) - [VMware System Requirements](vmware-system-requirements.md) diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install.md index 20ad4cb81f..73f7570700 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install.md +++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/install.md @@ -1,9 +1,9 @@ --- -sidebar_label: "Instructions" +sidebar_label: "Non-Airgap Installation" title: "Install Palette on VMware" description: "Learn how to install Palette on VMware." icon: "" -sidebar_position: 10 +sidebar_position: 20 hide_table_of_contents: false tags: ["palette", "self-hosted", "vmware"] keywords: ["self-hosted", "enterprise"] @@ -19,7 +19,8 @@ Refer to [Access Palette](../../enterprise-version.md#access-palette) for instru If you are installing Palette in an airgap environment, ensure you complete all the airgap pre-install steps before proceeding with the installation. Refer to the -[VMware vSphere Airgap Instructions](../airgap/vmware-vsphere-airgap-instructions.md) guide for more information. +[VMware vSphere Airgap Instructions](../install-on-vmware//airgap-install/vmware-vsphere-airgap-instructions.md) guide +for more information. ::: @@ -69,8 +70,6 @@ proceeding with the installation. Refer to the - Shared Storage between VMware vSphere hosts. -
- :::info Self-hosted Palette installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not @@ -80,8 +79,6 @@ PCG on VMware, check out the [VMware](../../../clusters/pcg/deploy-pcg/vmware.md ::: -
- ## Deployment The video below demonstrates the installation wizard and the prompts you will encounter. Take a moment to watch the @@ -89,20 +86,8 @@ video before you begin the installation process. Make sure to use values that ar the **three-dots Menu** in the lower right corner of the video to expand the video to full screen and to change the playback speed. - - - - - - - - - - - - Use the following steps to install Palette. 1. Log in to your vCenter environment. @@ -114,11 +99,11 @@ Use the following steps to install Palette. OVA in the `spectro-templates` folder. ```url - https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12610-0.ova + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12711-0.ova ``` 4. Append an `r_` prefix to the OVA name and remove the `.ova` suffix after the import. For example, the final output - should look like `r_u-2004-0-k-12610`. This naming convention is required for the install process to identify the + should look like `r_u-2204-0-k-12711-0`. This naming convention is required for the install process to identify the OVA. Refer to the [Supplement Packs](../airgap/supplemental-packs.md#additional-ovas) page for a list of additional OVAs you can download and upload to your vCenter environment. @@ -151,12 +136,14 @@ Use the following steps to install Palette. - Non-Airgap: `https://saas-repo.console.spectrocloud.com` - Airgap: The URL or IP address of the Spectro Cloud Repository that is provided to you by the airgap setup script +
+ :::info - If you are using the Palette CLI from inside an - [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), the CLI will automatically detect the airgap - environment and prompt you to **Use local, air-gapped Spectro Cloud Artifact Repository (SCAR) configuration**. Type - `y` to use the local resources and skip filling in the repository URL and credentials. + If you are using the Palette CLI from inside an [airgap support VM](./airgap-install/airgap-install.md), the CLI + will automatically detect the airgap environment and prompt you to **Use local, air-gapped Spectro Cloud Artifact + Repository (SCAR) configuration**. Type `y` to use the local resources and skip filling in the repository URL and + credentials. ::: @@ -183,8 +170,9 @@ Use the following steps to install Palette. 13. Select the tab below that matches your installation type for further guidance. - - + + + Select `y` to use the Spectro Cloud repository and proceed to the next step. 
@@ -192,58 +180,57 @@ Use the following steps to install Palette. -:::info + :::info -If you are using the Palette CLI from inside an [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), -the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Pack Registry?** Type -`y` to use the local resources and skip filling in the OCI registry URL and credentials. + If you are using the Palette CLI from inside an + [airgap support VM](./airgap-install/vmware-vsphere-airgap-instructions.md), the CLI will automatically detect the + airgap environment and prompt you to **Use local, air-gapped Pack Registry?** Type `y` to use the local resources + and skip filling in the OCI registry URL and credentials. -::: + ::: Select the OCI registry type and provide the configuration values. Review the following table for more information. -:::warning + :::warning -For self-hosted OCI registries, ensure you have the server Certificate Authority (CA) certificate file available on the -host where you are using the Palette CLI. You will be prompted to provide the file path to the OCI CA certificate. -Failure to provide the OCI CA certificate will result in self-linking errors. Refer to the -[Self-linking Error](../../../troubleshooting/enterprise-install.md#scenario---self-linking-error) troubleshooting guide -for more information. + For self-hosted OCI registries, ensure you have the server Certificate Authority (CA) certificate file available on + the host where you are using the Palette CLI. You will be prompted to provide the file path to the OCI CA + certificate. Failure to provide the OCI CA certificate will result in self-linking errors. Refer to the + [Self-linking Error](../../../troubleshooting/enterprise-install.md#scenario---self-linking-error) troubleshooting + guide for more information. 
-::: + ::: - #### Pack & Image Registry Configuration - - | **Parameter** | **Description** | - | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. Airgap users, select `OCI`. | - | **Registry Name** | Enter the name of the registry. | - | **Registry Endpoint** | Enter the registry endpoint. Airgap users, provide the **Spectro Cloud Repository** URL or hostname shared by the airgap setup script. | - | **Registry Base Path** | Enter the registry base path. | - | **Allow Insecure Connection** | Bypasses x509 verification. Type `n` to specify a certificate authority in the follow-up prompt. Airgap user, ensure you select `n`. | - | **Registry CA certificate filepath** | Specify the file path to the certificate authority. Use absolute paths. Airgap users, provide the filepath displayed by the aurgap setup script. | - | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. | - | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. | - | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. | - | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. | - | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. 
Airgap users, select `n` so that you can specify the values for the OCI registry that contains all the required images. | - - When prompted to **Pull images from public registry**, type `n` and specify the OCI registry configuration values for - your image registry. If you are an [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Image Registry?** Type `y` to use the local resources and skip filling in the OCI registry URL and credentials. + #### Pack & Image Registry Configuration + + | **Parameter** | **Description** | + | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. Airgap users, select `OCI`. | + | **Registry Name** | Enter the name of the registry. | + | **Registry Endpoint** | Enter the registry endpoint. Airgap users, provide the **Spectro Cloud Repository** URL or hostname shared by the airgap setup script. | + | **Registry Base Path** | Enter the registry base path. | + | **Allow Insecure Connection** | Bypasses x509 verification. Type `n` to specify a certificate authority in the follow-up prompt. Airgap user, ensure you select `n`. | + | **Registry CA certificate filepath** | Specify the file path to the certificate authority. Use absolute paths. Airgap users, provide the filepath displayed by the aurgap setup script. | + | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. 
| + | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. | + | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. | + | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. | + | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. Airgap users, select `n` so that you can specify the values for the OCI registry that contains all the required images. | + + When prompted to **Pull images from public registry**, type `n` and specify the OCI registry configuration values for + your image registry. If you are an airgap support VM, the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Image Registry?** Type `y` to use the local resources and skip filling in the OCI registry URL and credentials. Refer to the table above for more information. -:::info + :::info -You will be provided with an opportunity to update the mirror registries values. To exit `vi` press the `Escape` key and -type `:wq` to save and exit. + You will be provided with an opportunity to update the mirror registries values. To exit `vi` press the `Escape` key + and type `:wq` to save and exit. -::: + ::: - - ---- + 14. The next set of prompts is for the VMware vSphere account information. Enter the information listed in the following table. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/vmware-system-requirements.md b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/vmware-system-requirements.md index 278a75509f..72d9c6c744 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-on-vmware/vmware-system-requirements.md 
+++ b/docs/docs-content/enterprise-version/install-palette/install-on-vmware/vmware-system-requirements.md @@ -4,7 +4,7 @@ title: "VMware System and Permission Requirements" description: "Review VMware system requirements and cloud account permissions." icon: "" hide_table_of_contents: false -sidebar_position: 30 +sidebar_position: 10 tags: ["palette", "self-hosted", "vmware"] keywords: ["self-hosted", "enterprise"] --- diff --git a/docs/docs-content/enterprise-version/install-palette/install-palette.md b/docs/docs-content/enterprise-version/install-palette/install-palette.md index f5c83371cc..5593adfa2c 100644 --- a/docs/docs-content/enterprise-version/install-palette/install-palette.md +++ b/docs/docs-content/enterprise-version/install-palette/install-palette.md 
@@ -17,13 +17,15 @@ the following modes: | VMware | Install Palette in VMware environment. | [Install on VMware](install-on-vmware/install.md) | | Kubernetes | Install Palette using a Helm Chart in an existing Kubernetes cluster. | [Install on Kubernetes](install-on-kubernetes/install.md) | +## Airgap Installation + You can also install Palette in an airgap environment. For more information, refer to the [Airgap Installation](airgap/airgap.md) section. -| **Supported Airgap Platform** | **Description** | -| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------- | -| VMware | Install Palette in VMware environment using your own OCI registry server. | -| Kubernetes | Install Palette using a Helm Chart in an existing Kubernetes cluster with your own OCI registry server OR use AWS ECR. | +| **Supported Airgap Platform** | **Description** | **Install Guide** | +| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | +| VMware | Install Palette in VMware environment using your own OCI registry server. | [VMware Airgap Install](./install-on-vmware/airgap-install/airgap-install.md) | +| Kubernetes | Install Palette using a Helm Chart in an existing Kubernetes cluster with your own OCI registry server OR use AWS ECR. | [Kubernetes Airgap Install](./install-on-kubernetes/airgap-install/airgap-install.md) | The next sections provide sizing guidelines we recommend you review before installing Palette in your environment. diff --git a/docs/docs-content/enterprise-version/system-management/registry-override.md b/docs/docs-content/enterprise-version/system-management/registry-override.md index 295174c202..c528b78e85 100644 
--- a/docs/docs-content/enterprise-version/system-management/registry-override.md +++ b/docs/docs-content/enterprise-version/system-management/registry-override.md @@ -57,8 +57,21 @@ Select the appropriate tab below based on the environment in which your VertX cl 3. Navigate to the folder where you have the image-swap Helm chart available. You may have to extract the Helm chart if it is in a compressed format to access the **values.yaml** file. -4. Open the **values.yaml** file and populate the `ociImageRegistry` section with your OCI registry values. Refer to the - table below for a description of each parameter. +4. Open the file **values.yaml** in a text editor and append the URL to your OCI registry that also includes the + namespace or project that is hosting the Spectro Cloud images. The URL should be in the format + `/`. In the example configuration below, the value `my-oci-registry.com/spectro-images` is + prefixed to each URL. Save the file after you have appended the URL. + + ```yaml hideClipboard + image: + cainjectorImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-cainjector:spectro-v1.11.0-20230427" + controllerImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-controller:spectro-v1.11.0-20230427" + webhookImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-webhook:spectro-v1.11.0-20230808" + amceResolverImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-acmesolver:spectro-v1.11.0-20230427" + ``` + +5. Next, update the`ociImageRegistry` section with your OCI registry values. Refer to the table below for a description + of each parameter. ```yaml ociImageRegistry: 
@@ -90,8 +103,8 @@ Select the appropriate tab below based on the environment in which your VertX cl ```yaml config: imageSwapImages: - imageSwapInitImage: "gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2" - imageSwapImage: "gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2" + imageSwapInitImage: "harbor.example.org/airgap-images/gcr.io/spectro-images-public/release/thewebroot/imageswap-init:v1.5.2-spectro-4.1.1" + imageSwapImage: "harbor.example.org/airgap-images/gcr.io/spectro-images-public/release/thewebroot/imageswap:v1.5.2-spectro-4.1.1" imageSwapConfig: isEKSCluster: true #If the Cluster you are trying to install is EKS cluster set value to true else set to false @@ -109,7 +122,7 @@ Select the appropriate tab below based on the environment in which your VertX cl -5. Once you have configured the `ociImageRegistry` section, issue the following command from the folder where you have +6. Once you have configured the `ociImageRegistry` section, issue the following command from the folder where you have the image-swap Helm chart available to deploy the image-swap Helm chart. You may have to modify the command below based on the location of **values.yaml** file and the compressed Helm chart file. @@ -127,13 +140,13 @@ Select the appropriate tab below based on the environment in which your VertX cl TEST SUITE: None ``` -6. Create an empty YAML file with the name **registry-secret.yaml**. Use the following command to create the file. +7. Create an empty YAML file with the name **registry-secret.yaml**. Use the following command to create the file. ```shell touch registry-secret.yaml ``` -7. Open the **registry-secret.yaml** file and copy the placeholder configuration below. +8. Open the **registry-secret.yaml** file and copy the placeholder configuration below. ```yaml --- 
@@ -161,7 +174,7 @@ Select the appropriate tab below based on the environment in which your VertX cl ::: -8. Replace the placeholder values with the actual values for your custom image registry. Use the same values that you +9. Replace the placeholder values with the actual values for your custom image registry. Use the same values that you used in the `ociImageRegistry` section of the **values.yaml** file for the image-swap Helm chart. Refer to the table below for a description of each parameter. @@ -200,12 +213,12 @@ Select the appropriate tab below based on the environment in which your VertX cl -9. Once you have created the YAML file and configured the parameter values, issue the following command to create the - Kubernetes secret containing the image registry configuration. +10. Once you have created the YAML file and configured the parameter values, issue the following command to create the + Kubernetes secret containing the image registry configuration. - ```shell - kubectl create --filename registry-secret.yaml - ``` + ```shell + kubectl create --filename registry-secret.yaml + ``` diff --git a/docs/docs-content/vertex/install-palette-vertex/airgap/airgap.md b/docs/docs-content/vertex/install-palette-vertex/airgap/airgap.md index cf38e1c6d0..17e7faa15e 100644 --- a/docs/docs-content/vertex/install-palette-vertex/airgap/airgap.md +++ b/docs/docs-content/vertex/install-palette-vertex/airgap/airgap.md @@ -1,7 +1,7 @@ --- -sidebar_label: "Airgap" -title: "Airgap" -description: "Learn about Palette VerteX in an airgap environment and how to install Palette in an airgap environment." +sidebar_label: "Airgap Resources" +title: "Airgap Resources" +description: "Airgap installation resources for Palette VerteX." icon: "" sidebar_position: 10 hide_table_of_contents: false 
@@ -55,13 +55,11 @@ following diagram outlines the major pre-install steps for an airgap installatio To get started with an airgap VerteX installation, check out the respective platform guide. -- [Kubernetes Airgap Instructions](kubernetes-airgap-instructions.md) +- [Kubernetes Airgap Instructions](../install-on-kubernetes/airgap-install/airgap-install.md) -- [VMware vSphere Airgap Instructions](vmware-vsphere-airgap-instructions.md) +- [VMware vSphere Airgap Instructions](../install-on-vmware/airgap-install/airgap-install.md) -Each platform guide provides detailed instructions on how to complete the pre-install steps. We also recommend you -review the [Checklist](checklist.md) to ensure you have completed all the required steps before deploying the airgap -VerteX installation. +Each platform guide provides detailed instructions on how to complete the pre-install steps. ## Supported Platforms @@ -76,12 +74,6 @@ The following table outlines the supported platforms for an airgap VerteX instal ## Resources -- [Kubernetes Airgap Instructions](kubernetes-airgap-instructions.md) - -- [VMware vSphere Airgap Instructions](vmware-vsphere-airgap-instructions.md) - -- [Checklist](checklist.md) - - [Additional Packs](supplemental-packs.md) - [Offline Documentation](offline-docs.md) diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/_category_.json b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/_category_.json new file mode 100644 index 0000000000..455b8e4969 --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/_category_.json @@ -0,0 +1,3 @@ +{ + "position": 20 +} diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/airgap-install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/airgap-install.md new file mode 100644 index 0000000000..ebe38fd58c 
--- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/airgap-install.md 
@@ -0,0 +1,66 @@ +--- +sidebar_label: "Airgap Installation" +title: "Airgap Installation" +description: "Learn how to deploy VerteX to a Kubernetes cluster using a Helm Chart." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["vertex", "enterprise", "airgap", "kubernetes"] +keywords: ["self-hosted", "vertex"] +--- + +You can install VerteX in an airgap Kubernetes environment. An airgap environment lacks direct access to the internet +and is intended for environments with strict security requirements. + +The installation process for an airgap environment is different due to the lack of internet access. Before the primary +Palette installation steps, you must download the following artifacts: + +- Palette platform manifests and required platform packages. + +- Container images for core platform components and third-party dependencies. + +- Palette packs. + +The other significant change is that VerteX's default public OCI registry is not used. Instead, a private OCI registry +is utilized to store images and packs. + +## Overview + +Before you can install Palette VerteX in an airgap environment, you must first set up your environment as outlined in +the following diagram. + +![An architecture diagram outlining the five different installation phases](/enterprise-version_air-gap-repo_overview-order-diagram.webp) + +1. In an environment with internet access, download the airgap setup binary from the URL provided by our support team. + The airgap setup binary is a self-extracting archive that contains the Palette platform manifests, images, and + required packs. The airgap setup binary is a single-use binary for uploading Palette images and packs to your OCI + registry. You will not use the airgap setup binary again after the initial installation. + +2. Move the airgap setup binary to the airgap environment. The airgap setup binary is used to extract the manifest + content and upload the required images and packs to your private OCI registry. 
Start the airgap setup binary in a + Linux Virtual Machine (VM). + +3. The airgap script will push the required images and packs to your private OCI registry. + +4. Extract the manifest content from the airgap setup binary. The manifest content must be hosted on a web server that + is accessible from the airgap environment. You can use the same Linux VM from step two to host the manifest content + or use a different web server. + +5. Install Palette using the Kubernetes Helm chart. + +## Get Started + +To get started with the airgap Palette installation, start by reviewing the +[Environment Setup](./kubernetes-airgap-instructions.md) page. The environment setup guide provides detailed +instructions on how to prepare your airgap environment. After you have completed the environment setup, you can proceed +with the [Install VerteX](./install.md) guide. + +## Resources + +- [Environment Setup](kubernetes-airgap-instructions.md) + +- [Install VerteX](./install.md) + +- [Airgap Installation Checklist](checklist.md) + +- [Additional Packs](../../airgap/supplemental-packs.md) diff --git a/docs/docs-content/vertex/install-palette-vertex/airgap/checklist.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/checklist.md similarity index 58% rename from docs/docs-content/vertex/install-palette-vertex/airgap/checklist.md rename to docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/checklist.md index 42981d3521..08e7646a73 100644 --- a/docs/docs-content/vertex/install-palette-vertex/airgap/checklist.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/checklist.md 
@@ -1,22 +1,18 @@ --- sidebar_label: "Checklist" -title: "Checklist" +title: "Airgap VerteX Installation Checklist" description: - "An airgap installation of VerteX requires a few steps to be completed before the installation can begin. This + "An airgap installation of Palette requires a few steps to be completed before the installation can begin. This checklist will help you prepare for the installation." icon: "" -sidebar_position: 40 +sidebar_position: 10 hide_table_of_contents: false -tags: ["vertex", "self-hosted", "airgap"] +tags: ["vertex", "enterprise", "airgap", "kubernetes"] keywords: ["self-hosted", "vertex"] --- Use the following checklist to ensure you have completed all the required steps before deploying the airgap Palette -VerteX installation. - - - - +installation. - [ ] `oras` CLI v1.0.0 is installed and available. 
@@ -39,30 +35,11 @@ VerteX installation. - [ ] Set the required environment variables for the airgap setup binary. The values are different depending on what type of OCI registry you use. -- [ ] Start the airgap setup binary and verify the setup is completed successfully. +- [ ] Start the airgap setup binary and verified the setup completed successfully. - [ ] Review the list of pack binaries to download and upload to your OCI registry. - [ ] Extract the manifest content from the airgap setup binary to an HTTP file server. - [ ] Ensure the manifest content is hosted on an HTTP file server accessible from the environment to which you are - installing VerteX. - - - - - -- [ ] Create a vSphere VM and Template folder named `spectro-templates`. - -- [ ] Import the Operating System and Kubernetes distribution OVA required for the installation and place the OVA in the - `spectro-templates` folder. - -- [ ] Append an `r_` prefix and remove the `.ova` suffix from the OVA name after the import. - -- [ ] Start the airgap setup binary and verify the setup is completed successfully. - -- [ ] Reviewe the list of [pack binaries](./supplemental-packs.md) to download and upload to your OCI registry. - - - - + installing Palette. diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/install.md new file mode 100644 index 0000000000..c01fa944c2 --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/install.md 
@@ -0,0 +1,887 @@ +--- +sidebar_label: "Install VerteX" +title: "Install VerteX" +description: "Learn how to deploy airgap VerteX to a Kubernetes cluster using a Helm Chart." +icon: "" +hide_table_of_contents: false +sidebar_position: 30 +tags: ["vertex", "enterprise"] +keywords: ["self-hosted", "vertex"] +--- + +You can use the Palette VerteX Helm Chart to install VerteX in a multi-node Kubernetes cluster in your airgap production +environment. + +This installation method is common in secure environments with restricted network access that prohibits using VerteX +SaaS. Review our [architecture diagrams](../../../../architecture/networking-ports.md) to ensure your Kubernetes cluster +has the necessary network connectivity for VerteX to operate successfully. + +:::warning + +Complete the [Environment Setup](./kubernetes-airgap-instructions.md) steps before proceeding with the installation. + +::: + +## Prerequisites + +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. + +- [Helm](https://helm.sh/docs/intro/install/) is installed and available. + +- Access to the target Kubernetes cluster's kubeconfig file. You must be able to interact with the cluster using + `kubectl` commands and have sufficient permissions to install VerteX. We recommend using a role with `cluster-admin` + permissions to install VerteX. + +- Ensure `unzip` or a similar extraction utility is installed on your system. + +- The Kubernetes cluster must be set up on a supported version of Kubernetes, which includes versions v1.25 to v1.27. + +- Ensure the Kubernetes cluster does not have Cert Manager installed. VerteX requires a unique Cert Manager + configuration to be installed as part of the installation process. If Cert Manager is already installed, you must + uninstall it before installing VerteX. + +- The Kubernetes cluster must have a Container Storage Interface (CSI) installed and configured. VerteX requires a CSI + to store persistent data. 
You may install any CSI that is compatible with your Kubernetes cluster. + +- We recommended the following resources for VerteX. Refer to the + [VerteX size guidelines](../../../install-palette-vertex/install-palette-vertex.md#size-guidelines) for additional + sizing information. + + - 8 CPUs per node. + + - 16 GB Memory per node. + + - 100 GB Disk Space per node. + - A Container Storage Interface (CSI) for persistent data. + + - A minimum of three worker nodes or three untainted control plane nodes. + +- The following network ports must be accessible for VerteX to operate successfully. + + - TCP/443: Inbound and outbound to and from the VerteX management cluster. + + - TCP/6443: Outbound traffic from the VerteX management cluster to the deployed clusters' Kubernetes API server. + +- Ensure you have an SSL certificate that matches the domain name you will assign to VerteX. You will need this to + enable HTTPS encryption for VerteX. Reach out to your network administrator or security team to obtain the SSL + certificate. You need the following files: + + - x509 SSL certificate file in the base64 format. + + - x509 SSL certificate key file in the base64 format. + + - x509 SSL certificate authority file in the base64 format. + +- An Nginx controller will be installed by default. If you already have an Nginx controller deployed in the cluster, you + must set the `ingress.enabled` parameter to `false` in the **values.yaml** file. + +- A custom domain and the ability to update Domain Name System (DNS) records. You will need this to enable HTTPS + encryption for VerteX. + +- If you are installing VerteX behind a network proxy server, ensure you have the Certificate Authority (CA) certificate + file in the base64 format. You will need this to enable VerteX to communicate with the network proxy server. + +- Access to the VerteX Helm Charts. Refer to the [Access VerteX](../../../vertex.md#access-palette-vertex) for + instructions on how to request access to the Helm Chart. 
+ +:::warning + +Do not use a VerteX-managed Kubernetes cluster when installing VerteX. VerteX-managed clusters contain the VerteX agent +and VerteX-created Kubernetes resources that will interfere with the installation. + +::: + +## Install VerteX + +The following instructions are agnostic to the Kubernetes distribution you are using. Depending on the underlying +infrastructure provider and your Kubernetes distribution, you may need to modify the instructions to match your +environment. Reach out to our support team if you need assistance. + +1. Open a terminal session and navigate to the directory where you downloaded the VerteX installation zip file provided + by our support. Unzip the file to a directory named **vertex-install**. + + ```shell + unzip release-*.zip -d vertex-install + ``` + +2. Navigate to the release folder inside the **vertex-install** directory. + + ```shell + cd vertex-install/charts/release-* + ``` + +3. Open the file **extras/cert-manager/values.yaml** in a text editor and append the URL to your OCI registry, which + also includes the namespace or project that is hosting the Spectro Cloud images. The URL should be in the format + `/`. In the example configuration below, the value `my-oci-registry.com/spectro-images` is + prefixed to each URL. Save the file after you have appended the URL. 
+ + ```yaml hideClipboard + image: + cainjectorImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-cainjector:spectro-v1.11.0-20230427" + controllerImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-controller:spectro-v1.11.0-20230427" + webhookImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-webhook:spectro-v1.11.0-20230808" + amceResolverImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/jetstack/cert-manager-acmesolver:spectro-v1.11.0-20230427" + ``` + +4. Install Cert Manager using the following command. Replace the actual file name of the Cert Manager Helm Chart with + the one you downloaded, as the version number may be different. + + ```shell + helm upgrade --values extras/cert-manager/values.yaml \ + cert-manager extras/cert-manager/cert-manager-*.tgz --install + ``` + + ```shell hideClipboard + Release "cert-manager" does not exist. Installing it now. + NAME: cert-manager + LAST DEPLOYED: Mon Jan 29 16:32:33 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +5. Open the file **extras/image-swap/values.yaml** in a text editor and append the URL to your OCI registry that also + includes the namespace or project that is hosting the Spectro Cloud images. + + ```yaml hideClipboard + config: + imageSwapImages: + imageSwapInitImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release/thewebroot/imageswap-init:v1.5.2-spectro-4.1.1" + imageSwapImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release/thewebroot/imageswap:v1.5.2-spectro-4.1.1" + ``` + +6. Update the `ociImageRegistry` section with the proper configuration values to your OCI registry. The + `ociImageRegistry` section should look similar to the following example. 
+ + :::info + + Use the following `mirrorRegistries`placeholder string to replace the respective values of your OCI registry. + + ```yaml + docker.io::OCI_URL/IMAGE_PROJECT,gcr.io::OCI_URL/IMAGE_PROJECT,ghcr.io::OCI_URL/IMAGE_PROJECT,k8s.gcr.io::OCI_URL/IMAGE_PROJECT,registry.k8s.io::OCI_URL/IMAGE_PROJECT,quay.io::OCI_URL/IMAGE_PROJECT" + ``` + + ::: + + ```yaml hideClipboard + ociImageRegistry: + endpoint: "my-oci-registry.com" + name: "Airgap Images OCI" + password: "" + username: "" + baseContentPath: "spectro-images" # + insecureSkipVerify: true + caCert: "" + mirrorRegistries: "docker.io::my-oci-registry.com/spectro-images,gcr.io::my-oci-registry.com/spectro-images,ghcr.io::my-oci-registry.com/spectro-images,k8s.gcr.io::my-oci-registry.com/spectro-images,registry.k8s.io::my-oci-registry.com/spectro-images,quay.io::my-oci-registry.com/spectro-images" + ``` + +7. Go ahead and install the image-swap chart using the following command. Point to the **values.yaml** file you + configured in steps five through six. + + ```shell + helm upgrade --values extras/image-swap/values.yaml \ + image-swap extras/image-swap/image-swap-*.tgz --install + ``` + + ```shell hideClipboard + Release "image-swap" does not exist. Installing it now. + NAME: image-swap + LAST DEPLOYED: Mon Jan 29 17:04:23 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + + :::tip + + If you need to override the image-swap registry configuration post-deployment, refer to the + [Override Registry Configuration](../../../system-management/registry-override.md) page for instructions. + + ::: + +8. Open the **values.yaml** file in the **spectro-mgmt-plane** folder with a text editor of your choice. The + **values.yaml** file contains the default values for the Palette installation parameters. However, you must populate + the following parameters before installing Palette. 
You can learn more about the parameters on the **values.yaml** + file on the [Helm Configuration Reference](../vertex-helm-ref.md) page. + + Ensure you provide the proper `ociImageRegistry.mirrorRegistries` values if you are using a self-hosted OCI + registry. You can find the placeholder string in the `ociImageRegistry` section of the **values.yaml** file. + + | **Parameter** | **Description** | **Type** | + | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | + | `env.rootDomain` | The URL name or IP address you will use for the VerteX installation. | string | + | `config.installationMode` | The installation mode for VerteX. The values can be `connected` or `airgap`. Set this value to `airgap`. | string | + | `ociPackEcrRegistry` | The OCI registry credentials for the VerteX FIPS packs repository. | object | + | `ociImageRegistry` | The OCI registry credentials for the VerteX images repository. | object | + | `ociImageRegistry.mirrorRegistries` | Replace the placeholder string with the respective values of your OCI registry repository that is hosting the images. Do not use the same values you provided to the image-swap **values.yaml**. The placeholders require a `/v2/` endpoint if your OCI registry supports the Docker Registry protocol v2, otherwise container pull images will fail. | + | `imageSwapImages` | The image swap configuration for VerteX. If you are using an OCI registry, such as Harbor. Replace the prefix URLs with your OCI registry URL that includes the image namespace or project: `/`. | object | + | `imageSwapConfig.isEKSCluster` | If you are NOT installing VerteX on an EKS cluster, set this value to `false`. 
| boolean | + | `scar` | Specify your HTTP file server values. If your HTTP file server requires credentials ensure the provided values are base64-encoded. Example of the string "admin" encoded in base64 - `YWRtaW4=`. | object | + | `ingress.enabled` | Whether to install the Nginx ingress controller. Set this to `false` if you already have an Nginx controller deployed in the cluster. | boolean | + | `reach-system` | Set `reach-system.enabled` to `true` and configure the `reach-system.proxySettings` parameters for VerteX to use a network proxy in your environment. | object | + + Save the **values.yaml** file after you have populated the required parameters mentioned in the table. + + :::warning + + VerteX VerteX does not support insecure connections. Ensure you have the Certificate Authority (CA) available, in + PEM format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and + images from the registry. Use the `caCert` parameter to provide the base64-encoded CA certificate. + + ::: + + Select one of the following tabs to review an example of the **values.yaml** file with the required parameters + highlighted. + + + + + + + ```yaml {23,53,87-95,97-102,104-106,109} + ######################### + # Spectro Cloud VerteX # + ######################### + # MongoDB Configuration + mongo: + # Whether to deploy MongoDB in-cluster (internal == true) or use Mongo Atlas + internal: true + + # Mongodb URL. Only change if using Mongo Atlas. + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + # Mongo Atlas password, base64 encoded. Only enter if using Mongo Atlas. + databasePassword: "" + + # No. of mongo replicas to run, default is 3 + replicas: 3 + # The following only apply if mongo.internal == true + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" # leave empty to use the default storage class + + config: + installationMode: "airgap" # values can be connected or airgap. 
+ + # SSO SAML Configuration (Optional for self-hosted type) + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" + + # Email Configurations. (Optional for self-hosted type) + email: + enabled: false + emailId: "noreply@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" # base64 encoded SMTP password + + env: + # rootDomain is a DNS record which will be mapped to the ingress-nginx-controller load balancer + # E.g., myfirstpalette.spectrocloud.com + # - Mandatory if ingress.internal == false + # - Optional if ingress.internal == true (leave empty) + # + # IMPORTANT: a DNS record must be created separately and it must be a wildcard to account for Organization prefixes + # E.g., *.myfirstpalette.spectrocloud.com + rootDomain: "vertex.example.com" + + # stableEndpointAccess is used when deploying EKS clusters in Private network type. 
+ # When your Saas installed instance have connectivity to the private VPC where you want to launch the cluster set the stableEndpointAccess to true + cluster: + stableEndpointAccess: false + + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackEcrRegistry: + # endpoint: "" # + # name: "" # + # accessKey: "" # + # secretKey: "" # + # baseContentPath: "" # + # isPrivate: true + # insecureSkipVerify: false + # caCert: "" + + ociImageRegistry: + endpoint: "my-oci-registry.com" # + name: "Airgap Image OCI" # + password: "" # + username: "" # + baseContentPath: "spectro-images" # + insecureSkipVerify: true + caCert: "" + mirrorRegistries: "docker.io::my-oci-registry.com/v2/spectro-images,gcr.io::my-oci-registry.com/v2/spectro-images,ghcr.io::my-oci-registry.com/v2/spectro-images,k8s.gcr.io::my-oci-registry.com/v2/spectro-images,registry.k8s.io::my-oci-registry.com/v2/spectro-images,quay.io::my-oci-registry.com/v2/spectro-images" + + scar: + endpoint: "http://10.15.20.15:2015" + username: "YWRtaW4=" + password: "YWRtaW4=" + insecureSkipVerify: true + caCert: "" + + imageSwapImages: + imageSwapInitImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap-init:v1.5.2" + imageSwapImage: "my-oci-registry.com/spectro-images/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap:v1.5.2" + + imageSwapConfig: + isEKSCluster: true #If the Cluster you are trying to install is EKS cluster set value to true else set to false + + nats: + # Should we install nats as part of the nats chart bundled with hubble charts + # If not enabled NATS service should be installed as a separate service. 
+ + enabled: true + + # Whether to front NATS with a cloud load balancer (internal == false) or + # either share the ingress load balancer or use hostNetwork (internal == true). + # See nats.natsUrl comments for further detail. + internal: true + + # NATS URL + # Comma separated list of mappings for nats load balancer service + # E.g., "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222" + # + # Mandatory if nats.internal == false + # Otherwise, if nats.internal == true: + # - If ingress.ingress.internal == true: leave empty (use hostNetwork) + # - If ingress.ingress.internal == false: use ":4222" (share ingress lb) + natsUrl: "" + + # *********************** IMPORTANT NOTE ****************************** + # * if nats.internal == true, ignore all of the following NATS config * + # ********************************************************************* + + # NATS load balancer annotations + annotations: {} + + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "server-port" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the nats loadbalancer service. If empty, a dynamic IP will be generated. 
+ natsStaticIP: "" + grpc: + external: false + endpoint: "" # Please provide DNS endpoint with the port eg: msg.spectrocloud.com:443 + caCertificateBase64: "" # Please provide caCertificate for the grpc server Cert + serverCrtBase64: "" + serverKeyBase64: "" + insecureSkipVerify: false + + ingress: + # When enabled nginx ingress controller would be installed + enabled: true + + ingress: + # Whether to front NGINX Ingress Controller with a cloud + # load balancer (internal == false) or use host network + internal: false + + # Default SSL certificate and key for NGINX Ingress Controller (Optional) + # A wildcard cert for config.env.rootDomain, e.g., *.myfirstpalette.spectrocloud.com + # If left blank, the NGINX ingress controller will generate a self-signed cert (when terminating TLS upstream of ingress-nginx-controller) + certificate: "" + key: "" + + #If ACM is enabled please use grpc as a non internal and bring grpc on different LB. Provide certificate and dns for it. + annotations: {} + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the Ingress load balancer service. If empty, a dynamic IP will be generated. + ingressStaticIP: "" + + # For Service like AWS Load Balancer using https we would want to terminate the HTTPS at Load Balancer. 
+ terminateHTTPSAtLoadBalancer: false + nats: + enabled: true + + frps: + frps: + enabled: false + frpHostURL: proxy.sample.spectrocloud.com + server: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURqekNDQW5lZ0F3SUJBZ0lVZTVMdXBBZGljd0Z1SFJpWWMyWEgzNTFEUzJJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tERW1NQ1FHQTFVRUF3d2RjSEp2ZUhrdWMyRnRjR3hsTG5Od1pXTjBjbTlqYkc5MVpDNWpiMjB3SGhjTgpNakl4TURFME1UTXlOREV5V2hjTk1qY3hNREV6TVRNeU5ERXlXakI3TVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHCkExVUVDQk1DUTBFeEV6QVJCZ05WQkFjVENsTmhiblJoUTJ4aGNtRXhGVEFUQmdOVkJBb1RERk53WldOMGNtOUQKYkc5MVpERUxNQWtHQTFVRUN4TUNTVlF4SmpBa0JnTlZCQU1USFhCeWIzaDVMbk5oYlhCc1pTNXpjR1ZqZEhKdgpZMnh2ZFdRdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXd5bEt3MmlxClBXM2JrQU0wV3RhaEFLbEppcWFHd05LUDVRRTZ6ZW5NM2FURko3TjIwN0dWcUNGYzJHTDNodmNhTDFranZjeEkKK2lybHpkbm9hcVhUSmV3ZkJiTGs2SGVhZmdXUVp3NHNNeE5QRUVYYlNXYm54Mm03Y2FlbVJiUWZSQWhPWXRvWgpIWG1IMzQ1Q25mNjF0RnhMeEEzb0JRNm1yb0JMVXNOOUh2WWFzeGE5QUFmZUNNZm5sYWVBWE9CVmROalJTN1VzCkN5NmlSRXpEWFgvem1nOG5WWFUwemlrcXdoS3pqSlBJd2FQa2ViaXVSdUJYdEZ0VlQwQmFzS3VqbURzd0lsRFQKVmR4SHRRQUVyUmM4Q2Nhb20yUkpZbTd1aHNEYlo2WVFzS3JiMmhIbU5rNENVWUd5eUJPZnBwbzR2bFd1S2FEcgpsVFNYUXlPN0M0ejM1d0lEQVFBQm8xNHdYREJhQmdOVkhSRUVVekJSZ2dsc2IyTmhiR2h2YzNTSEJIOEFBQUdDCkhYQnliM2g1TG5OaGJYQnNaUzV6Y0dWamRISnZZMnh2ZFdRdVkyOXRnaDhxTG5CeWIzaDVMbk5oYlhCc1pTNXoKY0dWamRISnZZMnh2ZFdRdVkyOXRNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUEvRFJFVm54SWJRdi9uMDEvSQpJd1d0ekhKNGNHOUp6UlB6dmszNUcvRGJOVzZYZ0M3djBoWlFIVHg5bzMrckxoSUFiWTNmbjc1VEtlN3hMRWpiCkI3M3pGWURJSStkYzM5NkQzZU51M2NxRGIvY01kYmlFalhod2ttZk9NRm9qMnpOdHJIdzFsSjA0QlNFMWw1YWgKMDk0Vy9aaEQ2YTVLU3B0cDh1YUpKVmNrejRYMEdRWjVPYjZadGdxZVVxNytqWVZOZ0tLQzJCMW1SNjMyMDNsZwozVFZmZEkrdmI3b292dVdOOFRBVG9qdXNuS25WMmRMeTFBOWViWXYwMEM3WWZ6Q0NhODgrN2dzTGhJaUJjRHBPClJkWjU3QStKanJmSU5IYy9vNm5YWFhDZ2h2YkFwUVk1QnFnMWIzYUpUZERNWThUY0hoQVVaQzB5eU04bXcwMnQKWHRRQwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBd3lsS3cyaXFQVzNia0FNMFd0YWhBS2xKaXFhR3dOS1A1UUU2emVuTTNhVEZKN04yCjA3R1ZxQ0ZjMkdMM2h2Y2FMMWtqdmN4SStpcmx6ZG5vYXFYVEpld2ZCYkxrNkhlYWZnV1FadzRzTXhOUEVFWGIKU1dibngybTdjYWVtUmJRZlJBaE9ZdG9aSFhtSDM0NUNuZjYxdEZ4THhBM29CUTZtcm9CTFVzTjlIdllhc3hhOQpBQWZlQ01mbmxhZUFYT0JWZE5qUlM3VXNDeTZpUkV6RFhYL3ptZzhuVlhVMHppa3F3aEt6akpQSXdhUGtlYml1ClJ1Qlh0RnRWVDBCYXNLdWptRHN3SWxEVFZkeEh0UUFFclJjOENjYW9tMlJKWW03dWhzRGJaNllRc0tyYjJoSG0KTms0Q1VZR3l5Qk9mcHBvNHZsV3VLYURybFRTWFF5TzdDNHozNXdJREFRQUJBb0lCQUFPVVZFeTFOTG9mczdFMgpmZFZVcm10R3I1U2RiVWRJRlYrTDREbzZtWWxQSmxhT0VoWGI0ZlROZDloNEtEWVBmaWwwSnhXcUU0U1RHTmZuCnNUMlRnUVhuQ01LZi8xYk1Lc2M0N3VjVStYYU9XaHJnVFI5UmhkckFjN0duODRLL3hQc0ljL2VZTEhHLzh1QUUKeWUvLzVmRkM2QmpXY0hUM1NkTlZnd3duamJudG5XTXIzTFJBVnJBamZBckxveWUwS0F2YytYdXJLTEVCcmMyVQpjaHlDbitZemJKN0VlSG44UXdQNGdBNXVSK0NCMFJPeFErYXIzS3M5YUhkZTQ1OEVNNEtLMnpUOXA4RWZRc1lFCkFtNUpxWjliR0JEVHV1dEkyNm9GK0pLQ1IzZzhXNERRcHVYRUZoVjlya0pMSm13RDhQb0JaclF6UzZvdmJhdkkKRk42QVM4RUNnWUVBOEcxQzFxZVh4dTQ4aEYxak5MTCswRmxkeWdFem9SMmFoRGJCai8weUZkQVVjU2pYTzk0NAozN1dORTBUUG10WG1Vc3NZTlBTR21XaWI2OUhicEFoMTY3SWVwNE9LaVlZdkozYm1oUC9WNzFvK3M0SWJlSHh1CkVJbWVVckFOZWRoQURVQnZ4c1lXRWxlVlVJSFFRcjY1VHM2ZjIrWkpTKzg4TU05bUorL3BmcmNDZ1lFQXo4MXgKR3JiSE5oak56RjhZMjhiK0hMNW5rdDR0SUdkU3hnbW9PMFFJeGkrQVNZTzB0WW42VFk0ZHI5ZXErMzE3b21ZawpMbDNtNENORDhudG1vYzRvWnM4SUpDQ0IrZjNqcTY4OHdoQU9vVHZ4dDhjZVJqOFRhRHl1SHZwS043OVNsVVd2CjBJd2ZRNDNIemd3SWJiSWhjcTRJVGswanI0VHdWbThia283VElGRUNnWUJoNnUzVXhHN0JHeGZVaE1BNW4waSsKREJkeGhPbkZEV3gzdW1FOHhrN1dxV2NaNnhzMWk3eTRCNVhNS2pNdkNUeURyYWxQTCtOOXFTZ1BjK216TmFybwo4aU1mOENmRStMeE5vMVFoQ0p6Vm5YaDUzVnhZeHJ5QXlidU1TNTFCYVh3MHFYQ2NrT0krV0NNOHBaSHZEUVFsCmYydUZ3SlZMY3NTZDBHbjNpL01ab3dLQmdBY1BzUjg2Uk15MnpROTd6OGx3R3FSNVorV2F2U2ZUdXdGVnhLeTIKNUNGdjdja1J1NnRMbEFEY3FtK1dRWTRvTm5KUFREMXpIV3hTWm5XdjhjM2Z4b212MFZRQThzbSs4ZVNjb05EcgpZTVBqMkpQcEpVTTMwMzRBU2Q1dG5PWUdEMVZaTjk4N1U3aWs4Ynd6dG5tYnl2MHRvc1NlWkc4TGNtdE5mVDllCnNSZnhBb0dCQUpTV1lDellyTlRMNnRUSnh5M2FqWm5jZkxrMEV0
eWNCd05FRXZHVzVSVE9LOUFYTE96RzN0eHUKajZqWlRpaUFRU09aaVd0clJHU0U0bEkyQ1MvcjNjd3VuSGlnZlovd1dKZldkZ0JpRnZqOTVFbUVQWUZaRDRobQpkT3l5UHhRRXFTRmprQ21BS2plOFBpTDdpU01GbGhBZTZQWFljQlExdCtzd01UeXBnY3RrCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca: + crt: 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 + service: + annotations: {} + + ui-system: + enabled: true + ui: + nocUI: + enable: true + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette + mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID + + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. + scheduleOnControlPlane: true + ``` + + + + + + ```yaml {23,53,77-85,87-95,110-115} + ######################### + # Spectro Cloud VerteX # + ######################### + # MongoDB Configuration + mongo: + # Whether to deploy MongoDB in-cluster (internal == true) or use Mongo Atlas + internal: true + + # Mongodb URL. Only change if using Mongo Atlas. + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + # Mongo Atlas password, base64 encoded. Only enter if using Mongo Atlas. + databasePassword: "" + + # No. of mongo replicas to run, default is 3 + replicas: 3 + # The following only apply if mongo.internal == true + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" # leave empty to use the default storage class + + config: + installationMode: "airgap" # values can be connected or airgap. + + # SSO SAML Configuration (Optional for self-hosted type) + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" + + # Email Configurations. 
(Optional for self-hosted type) + email: + enabled: false + emailId: "noreply@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" # base64 encoded SMTP password + + env: + # rootDomain is a DNS record which will be mapped to the ingress-nginx-controller load balancer + # E.g., myfirstpalette.spectrocloud.com + # - Mandatory if ingress.internal == false + # - Optional if ingress.internal == true (leave empty) + # + # IMPORTANT: a DNS record must be created separately and it must be a wildcard to account for Organization prefixes + # E.g., *.myfirstpalette.spectrocloud.com + rootDomain: "vertex.example.com" + + # stableEndpointAccess is used when deploying EKS clusters in Private network type. + # When your Saas installed instance have connectivity to the private VPC where you want to launch the cluster set the stableEndpointAccess to true + cluster: + stableEndpointAccess: false + + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + # ociPackRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + + ociPackEcrRegistry: + endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com" # + name: "Airgap Packs OCI" # + accessKey: "*************" # + secretKey: "*************" # + baseContentPath: "production-fips" # + isPrivate: true + insecureSkipVerify: true + caCert: "" + + ociImageRegistry: + endpoint: "public.ecr.aws/123456789" # + name: "Airgap Images OCI" # + password: "" # + username: "" # + baseContentPath: "spectro-images" # + insecureSkipVerify: false + caCert: "" + mirrorRegistries: 
"docker.io::public.ecr.aws/123456789/v2/spectr-images,gcr.io::public.ecr.aws/123456789/v2/spectro-images,ghcr.io::public.ecr.aws/123456789/v2/spectro-images,k8s.gcr.io::public.ecr.aws/123456789/v2/spectro-images,registry.k8s.io::public.ecr.aws/123456789/v2/spectro-images,quay.io::public.ecr.aws/123456789/v2/spectro-imagesßßß" + # + # Instruction for mirrorRegistries. + # ---------------------------------- + # Please provide the registry endpoint for the following registries, separated by double colons (::): + # docker.io + # gcr.io + # ghcr.io + # k8s.gcr.io + # registry.k8s.io + # quay.io + # For each registry, follow this example format: + # docker.io::/v2/,gcr.io::/v2/,ghcr.io::/v2/,k8s.gcr.io::/v2/,registry.k8s.io::/v2/,quay.io::/v2/ + # Replace with your actual registry endpoint and , , , , , and with the specific endpoint details for each registry. + + scar: + endpoint: "http://10.15.20.15:2015" + username: "YWRtaW4=" + password: "YWRtaW4=" + insecureSkipVerify: true + caCert: "" + + imageSwapImages: + imageSwapInitImage: "public.ecr.aws/123456789/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap-init:v1.5.2" + imageSwapImage: "public.ecr.aws/123456789/gcr.io/spectro-images-public/release-fips/thewebroot/imageswap:v1.5.2" + + imageSwapConfig: + isEKSCluster: true # If the Cluster you are trying to install is EKS cluster set value to true else set to false + + nats: + # Should we install nats as part of the nats chart bundled with hubble charts + # If not enabled NATS service should be installed as a separate service. + + enabled: true + + # Whether to front NATS with a cloud load balancer (internal == false) or + # either share the ingress load balancer or use hostNetwork (internal == true). + # See nats.natsUrl comments for further detail. 
+ internal: true + + # NATS URL + # Comma separated list of mappings for nats load balancer service + # E.g., "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222" + # + # Mandatory if nats.internal == false + # Otherwise, if nats.internal == true: + # - If ingress.ingress.internal == true: leave empty (use hostNetwork) + # - If ingress.ingress.internal == false: use ":4222" (share ingress lb) + natsUrl: "" + + # *********************** IMPORTANT NOTE ****************************** + # * if nats.internal == true, ignore all of the following NATS config * + # ********************************************************************* + + # NATS load balancer annotations + annotations: {} + + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "server-port" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the nats loadbalancer service. If empty, a dynamic IP will be generated. 
+ natsStaticIP: "" + grpc: + external: false + endpoint: "" #Please provide DNS endpoint with the port eg: msg.spectrocloud.com:443 + caCertificateBase64: "" #Please provide caCertificate for the grpc server Cert + serverCrtBase64: "" + serverKeyBase64: "" + insecureSkipVerify: false + + ingress: + # When enabled nginx ingress controller would be installed + enabled: true + + ingress: + # Whether to front NGINX Ingress Controller with a cloud + # load balancer (internal == false) or use host network + internal: false + + # Default SSL certificate and key for NGINX Ingress Controller (Optional) + # A wildcard cert for config.env.rootDomain, e.g., *.myfirstpalette.spectrocloud.com + # If left blank, the NGINX ingress controller will generate a self-signed cert (when terminating TLS upstream of ingress-nginx-controller) + certificate: "" + key: "" + + # If ACM is enabled please use grpc as a non internal and bring grpc on different LB. Provide certificate and dns for it. + annotations: {} + # AWS example + # service.beta.kubernetes.io/aws-load-balancer-internal: "true" + # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + # service.beta.kubernetes.io/aws-load-balancer-ssl-cert: + # service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + + # Azure example + # service.beta.kubernetes.io/azure-load-balancer-internal: "true" + # service.beta.kubernetes.io/azure-dns-label-name: myserviceuniquelabel + + # Static IP for the Ingress load balancer service. If empty, a dynamic IP will be generated. + ingressStaticIP: "" + + # For Service like AWS Load Balancer using https we would want to terminate the HTTPS at Load Balancer. 
+ terminateHTTPSAtLoadBalancer: false + nats: + enabled: true + + frps: + frps: + enabled: false + frpHostURL: proxy.sample.spectrocloud.com + server: + crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURqekNDQW5lZ0F3SUJBZ0lVZTVMdXBBZGljd0Z1SFJpWWMyWEgzNTFEUzJJd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tERW1NQ1FHQTFVRUF3d2RjSEp2ZUhrdWMyRnRjR3hsTG5Od1pXTjBjbTlqYkc5MVpDNWpiMjB3SGhjTgpNakl4TURFME1UTXlOREV5V2hjTk1qY3hNREV6TVRNeU5ERXlXakI3TVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHCkExVUVDQk1DUTBFeEV6QVJCZ05WQkFjVENsTmhiblJoUTJ4aGNtRXhGVEFUQmdOVkJBb1RERk53WldOMGNtOUQKYkc5MVpERUxNQWtHQTFVRUN4TUNTVlF4SmpBa0JnTlZCQU1USFhCeWIzaDVMbk5oYlhCc1pTNXpjR1ZqZEhKdgpZMnh2ZFdRdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXd5bEt3MmlxClBXM2JrQU0wV3RhaEFLbEppcWFHd05LUDVRRTZ6ZW5NM2FURko3TjIwN0dWcUNGYzJHTDNodmNhTDFranZjeEkKK2lybHpkbm9hcVhUSmV3ZkJiTGs2SGVhZmdXUVp3NHNNeE5QRUVYYlNXYm54Mm03Y2FlbVJiUWZSQWhPWXRvWgpIWG1IMzQ1Q25mNjF0RnhMeEEzb0JRNm1yb0JMVXNOOUh2WWFzeGE5QUFmZUNNZm5sYWVBWE9CVmROalJTN1VzCkN5NmlSRXpEWFgvem1nOG5WWFUwemlrcXdoS3pqSlBJd2FQa2ViaXVSdUJYdEZ0VlQwQmFzS3VqbURzd0lsRFQKVmR4SHRRQUVyUmM4Q2Nhb20yUkpZbTd1aHNEYlo2WVFzS3JiMmhIbU5rNENVWUd5eUJPZnBwbzR2bFd1S2FEcgpsVFNYUXlPN0M0ejM1d0lEQVFBQm8xNHdYREJhQmdOVkhSRUVVekJSZ2dsc2IyTmhiR2h2YzNTSEJIOEFBQUdDCkhYQnliM2g1TG5OaGJYQnNaUzV6Y0dWamRISnZZMnh2ZFdRdVkyOXRnaDhxTG5CeWIzaDVMbk5oYlhCc1pTNXoKY0dWamRISnZZMnh2ZFdRdVkyOXRNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUEvRFJFVm54SWJRdi9uMDEvSQpJd1d0ekhKNGNHOUp6UlB6dmszNUcvRGJOVzZYZ0M3djBoWlFIVHg5bzMrckxoSUFiWTNmbjc1VEtlN3hMRWpiCkI3M3pGWURJSStkYzM5NkQzZU51M2NxRGIvY01kYmlFalhod2ttZk9NRm9qMnpOdHJIdzFsSjA0QlNFMWw1YWgKMDk0Vy9aaEQ2YTVLU3B0cDh1YUpKVmNrejRYMEdRWjVPYjZadGdxZVVxNytqWVZOZ0tLQzJCMW1SNjMyMDNsZwozVFZmZEkrdmI3b292dVdOOFRBVG9qdXNuS25WMmRMeTFBOWViWXYwMEM3WWZ6Q0NhODgrN2dzTGhJaUJjRHBPClJkWjU3QStKanJmSU5IYy9vNm5YWFhDZ2h2YkFwUVk1QnFnMWIzYUpUZERNWThUY0hoQVVaQzB5eU04bXcwMnQKWHRRQwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + key: 
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBd3lsS3cyaXFQVzNia0FNMFd0YWhBS2xKaXFhR3dOS1A1UUU2emVuTTNhVEZKN04yCjA3R1ZxQ0ZjMkdMM2h2Y2FMMWtqdmN4SStpcmx6ZG5vYXFYVEpld2ZCYkxrNkhlYWZnV1FadzRzTXhOUEVFWGIKU1dibngybTdjYWVtUmJRZlJBaE9ZdG9aSFhtSDM0NUNuZjYxdEZ4THhBM29CUTZtcm9CTFVzTjlIdllhc3hhOQpBQWZlQ01mbmxhZUFYT0JWZE5qUlM3VXNDeTZpUkV6RFhYL3ptZzhuVlhVMHppa3F3aEt6akpQSXdhUGtlYml1ClJ1Qlh0RnRWVDBCYXNLdWptRHN3SWxEVFZkeEh0UUFFclJjOENjYW9tMlJKWW03dWhzRGJaNllRc0tyYjJoSG0KTms0Q1VZR3l5Qk9mcHBvNHZsV3VLYURybFRTWFF5TzdDNHozNXdJREFRQUJBb0lCQUFPVVZFeTFOTG9mczdFMgpmZFZVcm10R3I1U2RiVWRJRlYrTDREbzZtWWxQSmxhT0VoWGI0ZlROZDloNEtEWVBmaWwwSnhXcUU0U1RHTmZuCnNUMlRnUVhuQ01LZi8xYk1Lc2M0N3VjVStYYU9XaHJnVFI5UmhkckFjN0duODRLL3hQc0ljL2VZTEhHLzh1QUUKeWUvLzVmRkM2QmpXY0hUM1NkTlZnd3duamJudG5XTXIzTFJBVnJBamZBckxveWUwS0F2YytYdXJLTEVCcmMyVQpjaHlDbitZemJKN0VlSG44UXdQNGdBNXVSK0NCMFJPeFErYXIzS3M5YUhkZTQ1OEVNNEtLMnpUOXA4RWZRc1lFCkFtNUpxWjliR0JEVHV1dEkyNm9GK0pLQ1IzZzhXNERRcHVYRUZoVjlya0pMSm13RDhQb0JaclF6UzZvdmJhdkkKRk42QVM4RUNnWUVBOEcxQzFxZVh4dTQ4aEYxak5MTCswRmxkeWdFem9SMmFoRGJCai8weUZkQVVjU2pYTzk0NAozN1dORTBUUG10WG1Vc3NZTlBTR21XaWI2OUhicEFoMTY3SWVwNE9LaVlZdkozYm1oUC9WNzFvK3M0SWJlSHh1CkVJbWVVckFOZWRoQURVQnZ4c1lXRWxlVlVJSFFRcjY1VHM2ZjIrWkpTKzg4TU05bUorL3BmcmNDZ1lFQXo4MXgKR3JiSE5oak56RjhZMjhiK0hMNW5rdDR0SUdkU3hnbW9PMFFJeGkrQVNZTzB0WW42VFk0ZHI5ZXErMzE3b21ZawpMbDNtNENORDhudG1vYzRvWnM4SUpDQ0IrZjNqcTY4OHdoQU9vVHZ4dDhjZVJqOFRhRHl1SHZwS043OVNsVVd2CjBJd2ZRNDNIemd3SWJiSWhjcTRJVGswanI0VHdWbThia283VElGRUNnWUJoNnUzVXhHN0JHeGZVaE1BNW4waSsKREJkeGhPbkZEV3gzdW1FOHhrN1dxV2NaNnhzMWk3eTRCNVhNS2pNdkNUeURyYWxQTCtOOXFTZ1BjK216TmFybwo4aU1mOENmRStMeE5vMVFoQ0p6Vm5YaDUzVnhZeHJ5QXlidU1TNTFCYVh3MHFYQ2NrT0krV0NNOHBaSHZEUVFsCmYydUZ3SlZMY3NTZDBHbjNpL01ab3dLQmdBY1BzUjg2Uk15MnpROTd6OGx3R3FSNVorV2F2U2ZUdXdGVnhLeTIKNUNGdjdja1J1NnRMbEFEY3FtK1dRWTRvTm5KUFREMXpIV3hTWm5XdjhjM2Z4b212MFZRQThzbSs4ZVNjb05EcgpZTVBqMkpQcEpVTTMwMzRBU2Q1dG5PWUdEMVZaTjk4N1U3aWs4Ynd6dG5tYnl2MHRvc1NlWkc4TGNtdE5mVDllCnNSZnhBb0dCQUpTV1lDellyTlRMNnRUSnh5M2FqWm5jZkxrMEV0
eWNCd05FRXZHVzVSVE9LOUFYTE96RzN0eHUKajZqWlRpaUFRU09aaVd0clJHU0U0bEkyQ1MvcjNjd3VuSGlnZlovd1dKZldkZ0JpRnZqOTVFbUVQWUZaRDRobQpkT3l5UHhRRXFTRmprQ21BS2plOFBpTDdpU01GbGhBZTZQWFljQlExdCtzd01UeXBnY3RrCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== + ca: + crt: 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 + service: + annotations: {} + + ui-system: + enabled: true + ui: + nocUI: + enable: true + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette + mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID + + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. + scheduleOnControlPlane: true + ``` + + + + + + :::warning + + Ensure you have configured the **values.yaml** file with the required parameters before proceeding to the next + steps. + + ::: + +9. This step is only required if you are installing VerteX in an environment where a network proxy must be configured + for VerteX to access the internet. If you are not using a network proxy, skip to the next step. + + Install the reach-system chart using the following command. Point to the **values.yaml** file you configured in the + step eight. + + ```shell + helm upgrade --values vertex/values.yaml \ + reach-system extras/reach-system/reach-system-*.tgz --install + ``` + + ```shell hideClipboard + Release "reach-system" does not exist. Installing it now. + NAME: reach-system + LAST DEPLOYED: Mon Jan 29 17:04:23 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +10. Install the VerteX Helm Chart using the following command. + + ```shell + helm upgrade --values vertex/values.yaml \ + hubble vertex/spectro-mgmt-plane-*.tgz --install + ``` + + ```shell hideClipboard + Release "hubble" does not exist. Installing it now. 
+ NAME: hubble + LAST DEPLOYED: Mon Jan 29 17:07:51 2024 + NAMESPACE: default + STATUS: deployed + REVISION: 1 + TEST SUITE: None + ``` + +11. Track the installation process using the command below. VerteX is ready when the deployments in the namespaces + `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system`, and `ui-system` reach the _Ready_ state. The + installation takes between two to three minutes to complete. + + ```shell + kubectl get pods --all-namespaces --watch + ``` + + :::tip + + For a more user-friendly experience, use the open-source tool [k9s](https://k9scli.io/) to monitor the installation + process. + + ::: + +12. Create a DNS CNAME record that is mapped to the VerteX `ingress-nginx-controller` load balancer. You can use the + following command to retrieve the load balancer IP address. You may require the assistance of your network + administrator to create the DNS record. + + ```shell + kubectl get service ingress-nginx-controller --namespace ingress-nginx \ + --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' + ``` + + :::info + + As you create tenants in VerteX, the tenant name is prefixed to the domain name you assigned to VerteX. For example, + if you create a tenant named `tenant1` and the domain name you assigned to VerteX is `vertex.example.com`, the + tenant URL will be `tenant1.vertex.example.com`. You can create an additional wildcard DNS record to map all tenant + URLs to the VerteX load balancer. + + ::: + +13. Use the custom domain name or the IP address of the load balancer to visit the VerteX system console. To access the + system console, open a web browser, paste the custom domain URL in the address bar, and append the value `/system`. + + The first time you visit the VerteX system console, a warning message about a not-trusted SSL certificate may + appear. This is expected, as you have not yet uploaded your SSL certificate to VerteX. You can ignore this warning + message and proceed. 
+ + ![Screenshot of the VerteX system console showing Username and Password fields.](/vertex_install-on-kubernetes_install_system-console.webp) + +14. Log in to the system console using the following default credentials. + + | **Parameter** | **Value** | + | ------------- | --------- | + | Username | `admin` | + | Password | `admin` | + + After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be + redirected to the VerteX system console. + +15. After login, a summary page is displayed. VerteX is installed with a self-signed SSL certificate. To assign a + different SSL certificate, you must upload the SSL certificate, SSL certificate key, and SSL certificate authority + files to VerteX. You can upload the files using the VerteX system console. Refer to the + [Configure HTTPS Encryption](../../../system-management/ssl-certificate-management.md) page for instructions on how + to upload the SSL certificate files to Palette. + + :::warning + + If you plan to deploy host clusters into different networks, you may require a reverse proxy. Check out the + [Configure Reverse Proxy](../../../system-management/reverse-proxy.md) guide for instructions on how to configure a + reverse proxy for VerteX. + + ::: + +You now have a self-hosted instance of VerteX installed in a Kubernetes cluster. Make sure you retain the +**values.yaml** file, as you may need it for future upgrades. + +## Validate + +Use the following steps to validate the VerteX installation. + +1. Open up a web browser and navigate to the VerteX system console. To access the system console, open a web browser, + paste the `env.rootDomain` value you provided in the address bar, and append the value `/system` in the following + format: `/system`. You can also use the IP address of the load balancer. + +2. Log in using the credentials you received from our support team. After login, you will be prompted to create a new + password. 
Enter a new password and save your changes. You will be redirected to the VerteX system console. + +3. Open a terminal session and issue the following command to verify the VerteX installation. The command should return + a list of deployments in the `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system`, and `ui-system` namespaces. + + ```shell + kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \ + | grep -E '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s' + ``` + + Your output should look similar to the following. + + ```shell hideClipboard + cp-system spectro-cp-ui-689984f88d-54wsw Running + hubble-system auth-85b748cbf4-6drkn Running + hubble-system auth-85b748cbf4-dwhw2 Running + hubble-system cloud-fb74b8558-lqjq5 Running + hubble-system cloud-fb74b8558-zkfp5 Running + hubble-system configserver-685fcc5b6d-t8f8h Running + hubble-system event-68568f54c7-jzx5t Running + hubble-system event-68568f54c7-w9rnh Running + hubble-system foreq-6b689f54fb-vxjts Running + hubble-system hashboard-897bc9884-pxpvn Running + hubble-system hashboard-897bc9884-rmn69 Running + hubble-system hutil-6d7c478c96-td8q4 Running + hubble-system hutil-6d7c478c96-zjhk4 Running + hubble-system mgmt-85dbf6bf9c-jbggc Running + hubble-system mongo-0 Running + hubble-system mongo-1 Running + hubble-system mongo-2 Running + hubble-system msgbroker-6c9b9fbf8b-mcsn5 Running + hubble-system oci-proxy-7789cf9bd8-qcjkl Running + hubble-system packsync-28205220-bmzcg Succeeded + hubble-system spectrocluster-6c57f5775d-dcm2q Running + hubble-system spectrocluster-6c57f5775d-gmdt2 Running + hubble-system spectrocluster-6c57f5775d-sxks5 Running + hubble-system system-686d77b947-8949z Running + hubble-system system-686d77b947-cgzx6 Running + hubble-system timeseries-7865bc9c56-5q87l Running + hubble-system timeseries-7865bc9c56-scncb Running + hubble-system timeseries-7865bc9c56-sxmgb Running + 
hubble-system user-5c9f6c6f4b-9dgqz Running + hubble-system user-5c9f6c6f4b-hxkj6 Running + ingress-nginx ingress-nginx-controller-2txsv Running + ingress-nginx ingress-nginx-controller-55pk2 Running + ingress-nginx ingress-nginx-controller-gmps9 Running + jet-system jet-6599b9856d-t9mr4 Running + ui-system spectro-ui-76ffdf67fb-rkgx8 Running + ``` + +## Next Steps + +You have successfully installed VerteX in a Kubernetes cluster. Your next steps are to configure VerteX for your +organization. Start by creating the first tenant to host your users. Use the +[Create a Tenant](../../../system-management/tenant-management.md) page for instructions on how to create a tenant. diff --git a/docs/docs-content/vertex/install-palette-vertex/airgap/kubernetes-airgap-instructions.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md similarity index 57% rename from docs/docs-content/vertex/install-palette-vertex/airgap/kubernetes-airgap-instructions.md rename to docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md index 51ebfb138d..1cb8838d07 100644 --- a/docs/docs-content/vertex/install-palette-vertex/airgap/kubernetes-airgap-instructions.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions.md @@ -1,7 +1,7 @@ --- -sidebar_label: "Kubernetes Airgap Instructions" -title: "Kubernetes Airgap Instructions" -description: "Learn how to install VerteX into an air gap environment." +sidebar_label: "Environment Setup" +title: "Environment Setup" +description: "Learn how to prepare VerteX for an airgap install" icon: "" hide_table_of_contents: false sidebar_position: 20 
@@ -12,8 +12,8 @@ keywords: ["self-hosted", "vertex"] ![Overview diagram of the pre-install steps eager-load](/enterprise-version_air-gap-repo_overview-order-diagram-focus.webp) This guide provides instructions to prepare your airgap environment for a Palette VerteX installation by completing the -required preparatory steps 1 through 4 shown in the diagram. The respective installation guides for each platform cover -the remaining installation process +required preparatory steps one through four shown in the diagram. The respective installation guides for each platform +cover the remaining installation process. ## Prepare Airgap Installation @@ -68,7 +68,7 @@ Each prerequisite is required for a successful installation. - [Oras](https://oras.land/docs/installation.html) CLI v1.0.0 - This version is explicitly required for the setup script. - [zip](https://linux.die.net/man/3/zip) - Required for the setup script. - - [unzip](https://linux.die.net/man/1/unzip) - or equivalent for extracting the manifest content from the airgap setup + - [unzip](https://linux.die.net/man/1/unzip) - Or equivalent for extracting the manifest content from the airgap setup binary. - [jq](https://jqlang.github.io/jq/download/) - Command-line JSON processor installed and available. - [Docker](https://docs.docker.com/get-docker/) - The airgap setup binary requires Docker to be installed and 
@@ -80,88 +80,111 @@ Complete the following steps before deploying the airgap VerteX installation. 1. Log in to the OCI registry where you will host the VerteX images and packages. -2. Create a repository with the name `spectro-packs` and ensure the repository is private. This repository will host the - VerteX packs. +2. Create a private repository named `spectro-packs`. This repository will host the VerteX packs. - Refer to the [Create Projects](https://goharbor.io/docs/2.0.0/working-with-projects/create-projects/) guide for information about creating a repository in Harbor. - Refer to the [Create a repository](https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html) guide for information about creating a repository in AWS ECR. -3. In your OCI registry, create another repository with the name `spectro-images` and ensure the repository is public. - The public repositry will host the images required by VerteX. +3. In your OCI registry, create a public repository named `spectro-images`. The public repositry will host the images + required by VerteX. 4. Download the Certificate Authority (CA) for your OCI registry. You will need to provide the installation process the CA, otherwise you may encounter errors when authenticating with the OCI registry which could result in an incomplete - install. + install. Skip this step if you are using AWS ECR. -5. Log in to the Linux environment where you will download the airgap binaries and complete the remaining steps, - including the VerteX installation. +5. Log in to the Linux environment where you will download the airgap binaries. This steps requires internet access to + download the airgap setup binary. -6. Authenticate with your OCI registry and acquire credentials to both repositories you created earlier. You will need - these credentials when deploying the airgap VerteX installation. +6. Download the airgap setup binary. Our support team will provide you with the proper version and credentials. 
Replace + the values in the commands below with our support team's recommended version and credentials. - - + ```shell + VERSION=X.X.X + ``` -Use `oras` to log in to your OCI registry. Replace the values below with your environment configuration values. Check -out the [oras login](https://oras.land/docs/commands/oras_login) documentation for information about additional CLI -flags and examples. + ```shell + curl --user XXXXX:YYYYYYY https://software-private.spectrocloud.com/airgap-fips/$VERSION/airgap-fips-v$VERSION.bin \ + --output airgap-fips-v$VERSION.bin + ``` -```shell -oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere' -``` +7. Update the airgap setup binary permissions to allow execution. Replace the file name below with the name of the + airgap setup binary you downloaded. -If you are using a Harbor registry with a self-signed certificate, you will need to add the `--insecure` flag to the -`oras` command. + ```shell + chmod +x airgap-fips-v$VERSION.bin + ``` -```shell -oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere' -``` +8. Copy or move the airgap binary to another Linux environment inside your airgap environment. Use any approved method + to transfer the binary to the airgap environment. - - +9. Log in to the Linux environment inside your airgap environment where you copied the airgap setup binary. -You can acquire the AWS ECR authentication command from the AWS ECR console. From the ECR repository details page, click -on the **View push commands** button to access the command. Refer to the -[AWS ECR Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html#cli-authenticate-registry) -documentation for more information. +10. Authenticate with your OCI registry and acquire credentials to both repositories you created earlier. You will need + these credentials when deploying the airgap VerteX installation. 
-Below is the command you will use to authenticate to AWS ECR. The output of the `aws` command is passed to `oras` to -authenticate with the ECR registry. Replace the values below with your environment configuration values. + -```shell -aws ecr get-login-password --region xxxxx | oras login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com -``` + -For the public image repository, use the `docker` CLI instead of using `oras`. Replace the values below with your -environment configuration values. + Use `oras` to log in to your OCI registry. Replace the values below with your environment configuration values. + Check out the [oras login](https://oras.land/docs/commands/oras_login) documentation for information about + additional CLI flags and examples. -```shell -aws ecr-public get-login-password --region xxxxx | docker login --username AWS --password-stdin public.ecr.aws/xxxxxxx -``` + ```shell + oras login X.X.X.X --user 'yourUserNameHere' --password 'yourPasswordHere' + ``` - - + If you are using a Harbor registry with a self-signed certificate, you will need to add the `--insecure` flag to the + `oras` command. -:::tip + ```shell + oras login X.X.X.X --insecure --user 'yourUserNameHere' --password 'yourPasswordHere' + ``` -Be aware of the timeout period for the authentication token. The process of uploading images and packages to the OCI -registry can take a approximately an hour. If the authentication token expires, you will need to re-authenticate to the -OCI registry and restart the upload process. + -::: + ---- + You can acquire the AWS ECR authentication command from the AWS ECR console. From the ECR repository details page, + click on the **View push commands** button to access the command. Refer to the + [AWS ECR Authentication](https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html#cli-authenticate-registry) + documentation for more information. + + Use the following command to authenticate with AWS ECR. 
The output of the `aws` command is passed to `oras` to + authenticate with the ECR registry. Replace the values below with your environment configuration values. + + ```shell + aws ecr get-login-password --region xxxxx | oras login --username AWS --password-stdin 1234567890.dkr.ecr.us-east-1.amazonaws.com + ``` + + For the public image repository, use the `docker` CLI instead of using `oras`. Replace the values below with your + environment configuration values. + + ```shell + aws ecr-public get-login-password --region xxxxx | docker login --username AWS --password-stdin public.ecr.aws/xxxxxxx + ``` + + + + + + :::tip -7. The airgap setup binary requires a set of environment variables to be available and populated. The environment - variables will be different depending on the OCI registry you are using. Select the OCI registry and populate the - environment variables accordingly. + Be aware of the timeout period for the authentication token. The process of uploading images and packages to the OCI + registry can take a approximately an hour. If the authentication token expires, you will need to re-authenticate to + the OCI registry and restart the upload process. - - + ::: + +11. The airgap setup binary requires a set of environment variables to be available and populated. The environment + variables will be different depending on the OCI registry you are using. Select the OCI registry and populate the + environment variables accordingly. + + -
+ - `OCI_IMAGE_REGISTRY`: The IP address or domain name of the OCI registry. - `OCI_PACK_BASE`: The namespace or repository name that hosts the VerteX Packs. @@ -175,7 +198,7 @@ OCI registry and restart the upload process. export OCI_IMAGE_BASE=spectro-images ``` - Example + Example: ```shell hideClipboard export OCI_IMAGE_REGISTRY=example.internal.com @@ -184,10 +207,9 @@ OCI registry and restart the upload process. export OCI_IMAGE_BASE=spectro-images ``` - - + -
+ - `ECR_IMAGE_REGISTRY`: The IP address or domain name of the public OCI registry for images. - `ECR_IMAGE_BASE`: The namespace or repository name that hosts the VerteX images. @@ -199,13 +221,13 @@ OCI registry and restart the upload process. ```shell export ECR_IMAGE_REGISTRY= export ECR_IMAGE_BASE=spectro-images - export ECR_IMAGE_REGISTRY_REGION=us-east-1 + export ECR_IMAGE_REGISTRY_REGION= export ECR_PACK_REGISTRY= export ECR_PACK_BASE=spectro-packs - export ECR_PACK_REGISTRY_REGION=us-east-1 + export ECR_PACK_REGISTRY_REGION= ``` - Example + Example: ```shell hideClipboard export ECR_IMAGE_REGISTRY=public.ecr.aws/1234567890 @@ -216,37 +238,17 @@ OCI registry and restart the upload process. export ECR_PACK_REGISTRY_REGION=us-east-1 ``` - -
+
---- +
-8. Download the airgap setup binary. Our support team will provide you with the proper version and credentials. Replace - the values in the commands below with our support team's recommended version and credentials. - -```shell -VERSION=X.X.X -``` - -```shell -curl --user XXXXX:YYYYYYY https://software-private.spectrocloud.com/airgap-fips/$VERSION/airgap-fips-v$VERSION.bin \ ---output airgap-fips-v$VERSION.bin -``` - -9. Update the airgap setup binary permissions to allow execution. Replace the file name below with the name of the - airgap setup binary you downloaded. +12. Start the airgap setup binary. Replace the file name below with the name of the airgap setup binary you downloaded. -```shell -chmod +x airgap-fips-v$VERSION.bin -``` - -10. Start the airgap setup binary. Replace the file name below with the name of the airgap setup binary you downloaded. - -```shell -./airgap-fips-v$VERSION.bin -``` + ```shell + ./airgap-fips-v$VERSION.bin + ``` -Upon completion, a success message will be displayed. The output is condensed for brevity. + Upon completion, a success message will be displayed. The output is condensed for brevity. ```shell hideClipboard {10} Verifying archive integrity... 100% MD5 checksums are OK. All good. 
@@ -263,14 +265,14 @@ Upon completion, a success message will be displayed. The output is condensed fo Setup Completed ``` -:::info + :::info -If you encounter an error during the airgap setup process, verify the required environment variables are set and -populated correctly. If you are still having issues, reach out to our support team for assistance. + If you encounter an error during the airgap setup process, verify the required environment variables are set and + populated correctly. If you are still having issues, reach out to our support team for assistance. -::: + ::: -11. Move the manifest file located in your temporary directory to the location of your file server. Unzip the manifest +13. Move the manifest file located in your temporary directory to the location of your file server. Unzip the manifest file to a folder accessible by the file server. Replace the file name below with the name of the manifest file provided to you by the airgap setup. 
@@ -298,29 +300,32 @@ populated correctly. If you are still having issues, reach out to our support te ::: -12. Review the additional packs available for download. The supplemental packs are optional and not required for a +14. Review the additional packs available for download. The supplemental packs are optional and not required for a successful installation. However, to create cluster profiles you may require several of the packs available for - download. Refer to the [Additional Packs](supplemental-packs.md) resource for a list of available packs. + download. Refer to the [Additional Packs](../../airgap/supplemental-packs.md) resource for a list of available + packs. -13. Once you select the packs you want to install, download the pack binaries and start the binary to initiate the - upload process. +15. Once you select the packs you want to install, download the pack binaries and start the binary to initiate the + upload process. This step requires internet access, so you may have to download the binaries on a separate machine + outside the airgap environment and transfer them to the airgap environment using an approved method. -In the example below, the `airgap-fips-pack-amazon-linux-eks-1.0.0.bin` binary is downloaded and started. + In the example below, the `airgap-fips-pack-amazon-linux-eks-1.0.0.bin` binary permissions are updated to allow + execution and the binary is started. -```shell -chmod +x airgap-fips-pack-amazon-linux-eks-1.0.0.bin && \ -./airgap-fips-pack-amazon-linux-eks-1.0.0.bin -``` + ```shell + chmod +x airgap-fips-pack-amazon-linux-eks-1.0.0.bin && \ + ./airgap-fips-pack-amazon-linux-eks-1.0.0.bin + ``` -```shell hideClipboard - Verifying archive integrity... 100% MD5 checksums are OK. All good. - Uncompressing Airgap Pack - amazon-linux-eks Version 4.0.17 100% - Setting up Packs - - Pushing Pack amazon-linux-eks:1.0.0 - Setup Completed -``` + ```shell hideClipboard + Verifying archive integrity... 100% MD5 checksums are OK. All good. 
+ Uncompressing Airgap Pack - amazon-linux-eks Version 4.0.17 100% + Setting up Packs + - Pushing Pack amazon-linux-eks:1.0.0 + Setup Completed + ``` -14. Repeat step 13 for each pack you want to install. +16. Repeat step 13 for each pack you want to install. You now have completed the preparation steps for an airgap installation. Check out the [Validate](#validate) section to ensure the airgap setup process completed successfully. 
@@ -335,32 +340,31 @@ Use the following steps to validate the airgap setup process completed successfu installation process. The screenshot below is an example of a file server hosting the unzipped manifest content. The example is using Caddy as the file server. -![Example of a file server hosting the unzipped manifest content](/enterprise-version_airgap_airgap-instructions_file-server-caddy.webp) + ![Example of a file server hosting the unzipped manifest content](/enterprise-version_airgap_airgap-instructions_file-server-caddy.webp) 3. Ensure your file server is accessible from the environment you are installing VerteX. Use the following command to verify the manifest content is accessible from the file server. Replace the hostname or IP address below with your file server hostname or IP address. -```shell -curl http://:/roar/nickfury/versions.yaml -``` - -```yaml hideClipboard -versions: - - version: "3.3" - filepath: "/roar/nickfury/3.3/version.yaml" - patchVersionsFilepath: "/roar/nickfury/3.3/versions.yaml" - - version: "3.4" - filepath: "/roar/nickfury/3.4/version.yaml" - patchVersionsFilepath: "/roar/nickfury/3.4/versions.yaml" - - version: "4.0" - filepath: "/roar/nickfury/4.0/version.yaml" - patchVersionsFilepath: "/roar/nickfury/4.0/versions.yaml" -``` + ```shell + curl http://:/roar/nickfury/versions.yaml + ``` + + ```yaml hideClipboard + versions: + - version: "3.3" + filepath: "/roar/nickfury/3.3/version.yaml" + patchVersionsFilepath: "/roar/nickfury/3.3/versions.yaml" + - version: "3.4" + filepath: "/roar/nickfury/3.4/version.yaml" + patchVersionsFilepath: "/roar/nickfury/3.4/versions.yaml" + - version: "4.0" + filepath: "/roar/nickfury/4.0/version.yaml" + patchVersionsFilepath: "/roar/nickfury/4.0/versions.yaml" + ``` ## Next Steps You are now ready to deploy the airgap VerteX installation. The important difference is that you will specify your OCI -registry and file server during the installation process. 
Refer to the -[Kubernetes Install Instructions](../install-on-kubernetes/install-on-kubernetes.md) guide for detailed guidance on -installing VerteX. +registry and file server during the installation process. Refer to the [VerteX Install](./install.md) guide for detailed +guidance on installing VerteX. diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install-on-kubernetes.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install-on-kubernetes.md index a88de5d0a8..313600dba4 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install-on-kubernetes.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install-on-kubernetes.md 
@@ -9,14 +9,24 @@ keywords: ["self-hosted", "vertex"] --- Palette VerteX can be installed on Kubernetes with internet connectivity or an airgap environment. When you install -Palette VerteX, a three-node cluster is created. You use a Helm chart our support team provides to install Palette -VerteX on Kubernetes. Refer to [Access Palette VerteX](../../vertex.md#access-palette-vertex) for instructions on -requesting access to the Helm Chart. +VerteX, a three-node cluster is created. You use a Helm chart our support team provides to install VerteX on Kubernetes. +Refer to [Access Palette VerteX](../../vertex.md#access-palette-vertex) for instructions on requesting access to the +Helm Chart. -To get started with Palette VerteX on Kubernetes, refer to the [Install Instructions](install.md) guide. +## Get Started + +Select the scenario and the corresponding guide to install VerteX on Kubernetes. If you are installing VerteX in an +airgap environment, refer to the environment preparation guide before installing VerteX. + +| Scenario | Environment Preparation Guide | Install Guide | +| ------------------------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------------------------------- | +| Install VerteX on Kubernetes with internet connectivity | None | [Install Instructions](install.md) | +| Install VerteX on Kubernetes in an airgap environment | [Environment Setup](./airgap-install/kubernetes-airgap-instructions.md) | [Airgap Install Instructions](./airgap-install/install.md) | ## Resources -- [Install Instructions](install.md) +- [Non-Airgap Install Instructions](install.md) + +- [Airgap Install Instructions](./airgap-install/install.md) -- [Helm Configuration Reference](vertex-helm-ref.md) +- [Helm Configuration Reference](./vertex-helm-ref.md) 
diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install.md index 2a578be9b4..3a4e2727b6 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/install.md @@ -1,6 +1,6 @@ --- -sidebar_label: "Instructions" -title: "Instructions" +sidebar_label: "Non-Airgap Installation" +title: "Install Non-Airgap Self-Hosted Palette VerteX" description: "Learn how to deploy self-hosted VerteX to a Kubernetes cluster using a Helm Chart." icon: "" hide_table_of_contents: false @@ -18,14 +18,6 @@ has the necessary network connectivity for VerteX to operate successfully. ## Prerequisites -:::warning - -If you are installing VerteX in an airgap environment, ensure you complete all the airgap pre-install steps before -proceeding with the installation. Refer to the -[Kubernetes Airgap Instructions](../airgap/kubernetes-airgap-instructions.md) guide for more information. - -::: - - [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. - [Helm](https://helm.sh/docs/intro/install/) is installed and available. @@ -139,10 +131,6 @@ your environment. Reach out to our support team if you need assistance. parameters before installing VerteX. You can learn more about the parameters in the **values.yaml** file in the [Helm Configuration Reference](vertex-helm-ref.md) page. - - - - | **Parameter** | **Description** | **Type** | | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | | `env.rootDomain` | The URL name or IP address you will use for the VerteX installation. | string | 
@@ -151,16 +139,19 @@ your environment. Reach out to our support team if you need assistance. | `ingress.enabled` | Whether to install the Nginx ingress controller. Set this to `false` if you already have an Nginx controller deployed in the cluster. | boolean | | `reach-system` | Set `reach-system.enabled` to `true` and configure the `reach-system.proxySettings` parameters to configure VerteX to use a network proxy in your environment | object | - Save the **values.yaml** file after you have populated the required parameters mentioned in the table. Expand the - following sections to review an example of the **values.yaml** file with the required parameters highlighted. + Save the **values.yaml** file after you have populated the required parameters mentioned in the table. + + Select one of the following tabs to review an example of the **values.yaml** file with the required parameters + highlighted. -
+ + - Example - values.yaml + ```yaml {53,77-85,97-102} ######################### - # Spectro Cloud VerteX # + # Spectro Cloud Palette # ######################### # MongoDB Configuration mongo: @@ -243,7 +234,7 @@ your environment. Reach out to our support team if you need assistance. baseContentPath: "production-fips" # isPrivate: true insecureSkipVerify: false - caCert: "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" + caCert: "" # ociImageRegistry: # endpoint: "" # @@ -368,54 +359,24 @@ your environment. Reach out to our support team if you need assistance. ui: nocUI: enable: true - mapBoxAccessToken: "" # Leave Empty to use Default Access Token from VerteX + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID - reach-system: - reachSystem: - enabled: false - proxySettings: - http_proxy: "" - https_proxy: "" - no_proxy: "" - ca_crt_path: "" + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. This file should contain the Proxy CA Certificate, in case the Proxy being used requires a certificate. + scheduleOnControlPlane: true ``` -
-
- - - | **Parameter** | **Description** | **Type** | - | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | - | `env.rootDomain` | The URL name or IP address you will use for the VerteX installation. | string | - | `config.installationMode` | The installation mode for VerteX. The values can be `connected` or `airgap`. Set this value to `airgap`. | string | - | `ociPackEcrRegistry` or `ociPackRegistry` | The OCI registry credentials for the VerteX FIPS packs repository. If you are using a Harbor registry, use the `ociPackRegistry` parameter block but ensure you have the OCI registry CA available. | object | - | `ociImageRegistry` | The OCI registry credentials for the VerteX images repository. | object | - | `ociImageRegistry.ca` | If you are using a self-hosted OCI, such as Harbor, ensure you provide the CA in PEM format. If you are using AWS ECR, you can leave this parameter empty. | string | - | `ociImageRegistry.mirrorRegistries` | Replace the placeholder string with the respective values of your OCI registry repository that is hosting the images. | - | `imageSwapConfig.isEKSCluster` | Set this value to `false` if you are NOT installing VerteX on an EKS cluster. | boolean | - | `scar` | Specify your HTTP file server values. If your HTTP file server requires credentials ensure the provided values are base64 encoded. Example of the string "admin" in base64 encoding - `YWRtaW4=`. | object | - | `ingress.enabled` | Whether to install the Nginx ingress controller. Set this to `false` if you already have an Nginx controller deployed in the cluster. 
| boolean | - | `reach-system` | Set `reach-system.enabled` to `true` and configure the `reach-system.proxySettings` parameters for VerteX to use a network proxy in your environment | object | - - Save the **values.yaml** file after you have populated the required parameters mentioned in the table. Expand the - following sections to review an example of the **values.yaml** file with the required parameters highlighted. - - :::warning - - Palette VerteX does not support insecure connections. Ensure you have the Certificate Authority (CA) available, in - PEM format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and - images from the registry. Use the `caCert` parameter to provide the base64-encoded CA certificate. - - ::: + -
- - Example - values.yaml - - ```yaml {23,53,77-85,87-95,97-102,109} + ```yaml {53,68-75,110-115} ######################### # Spectro Cloud VerteX # ######################### @@ -438,7 +399,7 @@ your environment. Reach out to our support team if you need assistance. storageClass: "" # leave empty to use the default storage class config: - installationMode: "airgap" #values can be connected or airgap. + installationMode: "connected" #values can be connected or airgap. # SSO SAML Configuration (Optional for self-hosted type) sso: 
@@ -475,47 +436,60 @@ your environment. Reach out to our support team if you need assistance. cluster: stableEndpointAccess: false - # registry: - # endpoint: "" # - # name: "" # - # password: "" # - # username: "" # - # insecureSkipVerify: false - # caCert: "" + # registry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # insecureSkipVerify: false + # caCert: "" + + ociPackRegistry: + endpoint: "example.harbor.org" # + name: "VerteX Packs OCI" # + password: "**************" # + username: "**************" # + baseContentPath: "spectro-packs" # + insecureSkipVerify: false + caCert: "" + + # ociPackEcrRegistry: + # endpoint: "" # + # name: "" # + # accessKey: "" # + # secretKey: "" # + # baseContentPath: "" # + # isPrivate: true + # insecureSkipVerify: false + # caCert: "" - # ociPackRegistry: - # endpoint: "" # - # name: "" # - # password: "" # - # username: "" # - # baseContentPath: "" # - # insecureSkipVerify: false - # caCert: "" - - ociPackEcrRegistry: - endpoint: "123456789.dkr.ecr.us-east-1.amazonaws.com" # - name: "Airgap Packs OCI" # - accessKey: "*************" # - secretKey: "*************" # - baseContentPath: "spectro-packs" # - isPrivate: true - insecureSkipVerify: false - caCert: "" + # ociImageRegistry: + # endpoint: "" # + # name: "" # + # password: "" # + # username: "" # + # baseContentPath: "" # + # insecureSkipVerify: false + # caCert: "" + # mirrorRegistries: "" - ociImageRegistry: - endpoint: "public.ecr.aws/123456789" # - name: "Airgap Image OCI" # - password: "" # - username: "" # - baseContentPath: "spectro-images" # - insecureSkipVerify: true - caCert: "" - mirrorRegistries: "docker.io::public.ecr.aws/v2/123456789/spectro-images,gcr.io::public.ecr.aws/v2/123456789/spectro-images,ghcr.io::public.ecr.aws/v2/123456789/spectro-images,k8s.gcr.io::public.ecr.aws/v2/123456789/spectro-images,registry.k8s.io::public.ecr.aws/v2/123456789/spectro-images,quay.io::public.ecr.aws/v2/123456789/spectro-images" + # Instruction for 
mirrorRegistries. + # ---------------------------------- + # Please provide the registry endpoint for the following registries, separated by double colons (::): + # docker.io + # gcr.io + # ghcr.io + # k8s.gcr.io + # registry.k8s.io + # quay.io + # For each registry, follow this example format: + # docker.io::/v2/,gcr.io::/v2/,ghcr.io::/v2/,k8s.gcr.io::/v2/,registry.k8s.io::/v2/,quay.io::/v2/ + # Replace with your actual registry endpoint and , , , , , and with the specific endpoint details for each registry. scar: - endpoint: "http://10.15.20.15:2015" - username: "YWRtaW4=" - password: "YWRtaW4=" + endpoint: "https://saas-repo-fips.console.spectrocloud.com" + username: "**********" + password: "**********" insecureSkipVerify: true caCert: "" @@ -625,47 +599,31 @@ your environment. Reach out to our support team if you need assistance. ui: nocUI: enable: true - mapBoxAccessToken: "" # Leave Empty to use Default Access Token from VerteX + mapBoxAccessToken: "" # Leave Empty to use Default Access Token from Palette mapBoxStyledLayerID: "" # Leave Empty to use Default Style Layer ID - reach-system: - reachSystem: - enabled: false - proxySettings: - http_proxy: "" - https_proxy: "" - no_proxy: "" - ca_crt_path: "" + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: "" + ca_crt_path: "" # Set the 'ca_crt_path' parameter to the location of the certificate file on each node. This file should contain the Proxy CA Certificate, in case the Proxy being used requires a certificate. + scheduleOnControlPlane: true ``` -
-
-5. This step only applies to those who are installing an airgap VerteX or who are using a self-hosted OCI registry with - registry caching enabled. Otherwise, skip to the next step. - - Go ahead and install the image-swap chart using the following command. Point to the **values.yaml** file you - configured in the previous step. + :::warning - ```shell - helm upgrade --values vertex/values.yaml \ - image-swap extras/image-swap/image-swap-*.tgz --install - ``` + Ensure you have configured the **values.yaml** file with the required parameters before proceeding to the next + steps. - ```shell hideClipboard - Release "image-swap" does not exist. Installing it now. - NAME: image-swap - LAST DEPLOYED: Mon Jan 29 17:04:23 2024 - NAMESPACE: default - STATUS: deployed - REVISION: 1 - TEST SUITE: None - ``` + ::: -6. This step is only required if you are installing Palette in an environment where a network proxy must be configured +5. This step is only required if you are installing Palette in an environment where a network proxy must be configured for Palette to access the internet. If you are not using a network proxy, skip to the next step. Install the reach-system chart using the following command. Point to the **values.yaml** file you configured in the @@ -686,7 +644,7 @@ your environment. Reach out to our support team if you need assistance. TEST SUITE: None ``` -7. Install the Palette Helm Chart using the following command. +6. Install the Palette Helm Chart using the following command. ```shell helm upgrade --values vertex/values.yaml \ 
@@ -703,7 +661,7 @@ your environment. Reach out to our support team if you need assistance. TEST SUITE: None ``` -8. Track the installation process using the command below. VerteX is ready when the deployments in the namespaces +7. Track the installation process using the command below. VerteX is ready when the deployments in the namespaces `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` reach the _Ready_ state. The installation takes between two to three minutes to complete. @@ -718,7 +676,7 @@ your environment. Reach out to our support team if you need assistance. ::: -9. Create a DNS CNAME record that is mapped to the VerteX `ingress-nginx-controller` load balancer. You can use the +8. Create a DNS CNAME record that is mapped to the VerteX `ingress-nginx-controller` load balancer. You can use the following command to retrieve the load balancer IP address. You may require the assistance of your network administrator to create the DNS record. @@ -736,7 +694,7 @@ your environment. Reach out to our support team if you need assistance. ::: -10. Use the custom domain name or the IP address of the load balancer to visit the VerteX system console. To access the +9. Use the custom domain name or the IP address of the load balancer to visit the VerteX system console. To access the system console, open a web browser and paste the custom domain URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer. Alternatively, you can use the load balancer IP address with the appended value `/system` to access the system 
@@ -748,7 +706,7 @@ your environment. Reach out to our support team if you need assistance. ![Screenshot of the VerteX system console showing Username and Password fields.](/vertex_install-on-kubernetes_install_system-console.webp) -11. Log in to the system console using the following default credentials. +10. Log in to the system console using the following default credentials. | **Parameter** | **Value** | | ------------- | --------- | diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/vertex-helm-ref.md b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/vertex-helm-ref.md index 9dd7cc31cb..f6cd1c5584 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/vertex-helm-ref.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-kubernetes/vertex-helm-ref.md @@ -4,7 +4,7 @@ title: "Helm Configuration Reference" description: "Reference resource for the Palette VerteX Helm Chart installation parameters." icon: "" hide_table_of_contents: false -sidebar_position: 10 +sidebar_position: 20 tags: ["vertex", "helm"] keywords: ["self-hosted", "vertex"] --- @@ -34,7 +34,7 @@ information, refer to the [Image Swap Configuration](#image-swap-configuration) ## MongoDB -Palette VerteX uses MongoDB Enterprise as its internal database and supports two modes of deployment:

+Palette VerteX uses MongoDB Enterprise as its internal database and supports two modes of deployment: - MongoDB Enterprise deployed and active inside the cluster. @@ -157,8 +157,6 @@ config: rootDomain: "" ``` -
- :::warning As you create tenants in Palette VerteX, the tenant name is prefixed to the domain name you assigned to Palette VerteX. @@ -204,8 +202,6 @@ registry and configure Palette VerteX to reference the registry. Alternatively, provided by us, refer to the [`ociPackEcrRegistry`](#oci-ecr-registry) section to learn more about the publicly available OCI registry. -
- :::warning If you are using a self-hosted OCI registry, you must provide the required FIPS packs to the registry. Contact support @@ -305,8 +301,6 @@ SCAR credentials are required to download the necessary FIPS manifests. Our supp | `scar.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the SCAR connection. | Boolean | `false` | | `scar.caCert` | The base64-encoded certificate authority (CA) certificate for SCAR. | String | `""` | -
- ```yaml config: scar: @@ -330,8 +324,6 @@ chart to use this option, otherwise, Palette VerteX will ignore the configuratio | `imageSwapConfig` | The image swap configuration for specific environments. | String | `""` | | `imageSwapConfig.isEKSCluster` | Specifies whether the cluster is an Amazon EKS cluster. Set to `false` if the Kubernetes cluster is not an EKS cluster. | Boolean | `true` | -
- ```yaml config: imageSwapImages: diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/_category_.json b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/_category_.json new file mode 100644 index 0000000000..455b8e4969 --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/_category_.json @@ -0,0 +1,3 @@ +{ + "position": 20 +} diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/airgap-install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/airgap-install.md new file mode 100644 index 0000000000..af36199b16 --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/airgap-install.md 
@@ -0,0 +1,67 @@ +--- +sidebar_label: "Airgap Installation" +title: "Airgap Installation" +description: "Learn how to deploy VerteX in an airgapped environment." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["vertex", "enterprise", "airgap", "vmware", "vsphere"] +keywords: ["self-hosted", "vertex"] +--- + +You can install Palette VerteX in an airgap VMware vSphere environment. An airgap environment lacks direct access to the +internet and is intended for environments with strict security requirements. + +The installation process for an airgap environment is different due to the lack of internet access. Before the primary +Palette installation steps, you must download the following artifacts. + +- VerteX platform manifests and required platform packages. + +- Container images for core platform components and third-party dependencies. + +- VerteX packs. + +The other significant change is that VerteX's default public OCI registry is not used. Instead, a private OCI registry +is utilized for storing images and packs. + +## Overview + +Before you can install VerteX in an airgap environment, you must complete all the required pre-installation steps. The +following diagram outlines the major pre-installation steps for an airgap installation. + +![An architecture diagram outlining the five different installation phases](/enterprise-version_air-gap-repo_overview-order-diagram.webp) + +1. Download the airgap setup binary from the URL provided by the support team. The airgap setup binary is a + self-extracting archive that contains the Palette platform manifests, images, and required packs. The airgap setup + binary is a one-time use binary for uploading Palette images and packs to your OCI registry. You will not use the + airgap setup binary again after the initial installation. This step must be completed in an environment with internet + access. + +2. Move the airgap setup binary to the airgap environment. 
The airgap setup binary is used to extract the manifest + content and upload the required images and packs to your private OCI registry. Start the airgap setup binary in a + Linux Virtual Machine (VM). + +3. The airgap script will push the required images and packs to your private OCI registry. + +4. Extract the manifest content from the airgap setup binary. The manifest content must be hosted on a web server that + is accessible from the airgap environment. You can use the same Linux VM from step 2 to host the manifest content or + use a different web server. + +5. Install Palette using the Palette CLI or the Kubernetes Helm chart. + +Configure your Palette environment + +## Get Started + +To get started with an airgap Palette installation, begin by reviewing the +[Environment Setup](./vmware-vsphere-airgap-instructions.md) guide. + +## Resources + +- [Environment Setup](./vmware-vsphere-airgap-instructions.md) + +- [Airgap Install Checklist](./checklist.md) + +- [Airgap Install](./install.md) + +- [Additional Packs](../../airgap/supplemental-packs.md) diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/checklist.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/checklist.md new file mode 100644 index 0000000000..1bc8bed37d --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/checklist.md 
@@ -0,0 +1,27 @@ +--- +sidebar_label: "Checklist" +title: "Checklist" +description: + "An airgap installation of Palette requires a few steps to be completed before the installation can begin. This + checklist will help you prepare for the installation." +icon: "" +sidebar_position: 10 +hide_table_of_contents: false +tags: ["palette", "self-hosted", "airgap"] +keywords: ["self-hosted", "enterprise"] +--- + +Use the following checklist to ensure you have completed all the required steps before deploying the airgap Palette +installation. + +- [ ] Create a vSphere VM and Template folder named `spectro-templates`. + +- [ ] Import the Operating System and Kubernetes distribution OVA required for the installation and place the OVA in the + `spectro-templates` folder. + +- [ ] Append the `r_` prefix and remove the `.ova` suffix from the OVA name after the import. + +- [ ] Start the airgap setup binary and verify the setup is completed successfully. + +- [ ] Review the list of [pack binaries](../../airgap/supplemental-packs.md) to download and upload to your OCI + registry. diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/install.md new file mode 100644 index 0000000000..28326d48c0 --- /dev/null +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/install.md 
@@ -0,0 +1,412 @@ +--- +sidebar_label: "Install VerteX" +title: "Install VerteX" +description: "Learn how to install VerteX in an airgap VMware environment." +icon: "" +sidebar_position: 30 +hide_table_of_contents: false +tags: ["vertex", "enterprise", "airgap", "vmware", "vsphere"] +keywords: ["self-hosted", "vertex"] +--- + +You install Palette VerteX in an airgap environment through the Palette Command Line Interface (CLI). The CLI provides +you with an interactive experience that guides you through the installation process. You can invoke the Palette CLI on +any Linux x86-64 system with the Docker daemon installed and connectivity to the VMware vSphere environment where +Palette VerteX will be deployed. + +## Prerequisites + +:::warning + +If you are installing Palette VerteX in an airgap environment, ensure you complete all the airgap pre-install steps +before proceeding with the installation. Refer to the +[VMware vSphere Airgap Instructions](./vmware-vsphere-airgap-instructions.md) guide for more information. + +::: + +- An AMD64 Linux environment with connectivity to the VMware vSphere environment. + +- [Docker](https://docs.docker.com/engine/install/) or equivalent container runtime installed and available on the Linux + host. + +- Palette CLI installed and available. Refer to the Palette CLI + [Install](../../../../palette-cli/install-palette-cli.md#download-and-setup) page for guidance. + +- An Ubuntu Pro Subscription and token. Ubuntu Pro provides access to FIPS 140-2 certified cryptographic packages. + +- Review the required VMware vSphere [permissions](../vmware-system-requirements.md). Ensure you have created the proper + custom roles and zone tags. + +- We recommended the following resources for Palette VerteX. Refer to the + [Palette VerteX size guidelines](../../install-palette-vertex.md#instance-sizing) for additional sizing information. + + - 8 CPUs per VM. + + - 16 GB Memory per VM. + + - 100 GB Disk Space per VM. 
+ +- The following network ports must be accessible for Palette VerteX to operate successfully. + + - TCP/443: Inbound to and outbound from the Palette VerteX management cluster. + + - TCP/6443: Outbound traffic from the Palette VerteX management cluster to the deployed cluster's Kubernetes API + server. + +- The network IP address range you specify during the installation must not overlap with any existing IP addresses in + your environment. The IP address range must also have connectivity to the VMware vSphere environment. + +- Ensure you have an SSL certificate that matches the domain name you will assign to Palette VerteX. You will need this + to enable HTTPS encryption for Palette VerteX. Reach out to your network administrator or security team to obtain the + SSL certificate. You need the following files: + + - x509 SSL certificate file in base64 format. + + - x509 SSL certificate key file in base64 format. + + - x509 SSL certificate authority file in base64 format. This file is optional. + +- Zone tagging is required for dynamic storage allocation across fault domains when provisioning workloads that require + persistent storage. Refer to [Zone Tagging](../vmware-system-requirements.md#zone-tagging) for information. + +- Assigned IP addresses for application workload services, such as Load Balancer services. + +- Shared Storage between VMware vSphere hosts. + +:::info + +Self-hosted Palette VerteX installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do +not require a separate, user-installed PCG. However, you can create additional PCGs as needed to support provisioning +into remote data centers that do not have a direct incoming connection from the Palette console. To learn how to install +a PCG on VMware, check out the [Deploy to VMware vSphere](../../../../clusters/pcg/deploy-pcg/vmware.md) guide. + +::: + +:::warning + +Palette VerteX does not support insecure connections. 
Ensure you have the Certificate Authority (CA) available, in PEM +format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and images from +the registry. The Palette CLI will prompt you to provide the CA certificate file path when necessary. + +::: + +## Deployment + +The video below demonstrates the installation wizard and the prompts you will encounter. Take a moment to watch the +video before you begin the installation process. Make sure to use values that are appropriate for your environment. Use +the **three-dots Menu** in the lower right corner of the video to expand the video to full screen and to change the +playback speed. + + + +Use the following steps to install Palette VerteX. + +1. Log in to your vCenter environment. + +2. Create a vSphere VM and Template folder with the name `spectro-templates`. Ensure this folder is accessible by the + user account you will use to deploy the airgap VerteX installation. + +3. Use the URL below to import the Operating System and Kubernetes distribution OVA required for the install. Place the + OVA in the `spectro-templates` folder. Refer to the + [Import Items to a Content Library](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-B413FBAE-8FCB-4598-A3C2-8B6DDA772D5C.html?hWord=N4IghgNiBcIJYFsAOB7ATgFwAQYKbIjDwGcQBfIA) + guide for information about importing an OVA in vCenter. + + ```url + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12711-0.ova + ``` + +4. Append an `r_` prefix to the OVA name and remove the `.ova` suffix after the import. For example, the final output + should look like `r_u-2204-0-k-12711-0`. This naming convention is required for the install process to identify the + OVA. Refer to the [Supplement Packs](../../airgap/supplemental-packs.md#additional-ovas) page for a list of + additional OVAs you can download and upload to your vCenter environment. 
+ + :::tip + + You can also use the **Deploy OVF Template** wizard in vSphere to make the OVA available in the `spectro-templates` + folder. Append the `r_` prefix, and remove the `.ova` suffix when assigning a name and target location. You can + terminate the deployment after the OVA is available in the `spectro-templates` folder. Refer to the + [Deploy an OVF or OVA Template](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-AFEDC48B-C96F-4088-9C1F-4F0A30E965DE.html) + guide for more information about deploying an OVA in vCenter. + + ::: + +5. Open a terminal window and invoke the Palette CLI by using the `ec` command to install the enterprise cluster. The + interactive CLI prompts you for configuration details and then initiates the installation. For more information + about the `ec` subcommand, refer to [Palette Commands](../../../../palette-cli/commands/ec.md). + + ```bash + palette ec install + ``` + +6. At the **Enterprise Cluster Type** prompt, choose **Palette VerteX**. + +7. Type `y` to enable Ubuntu Pro, and provide your Ubuntu Pro token when prompted. + + :::warning + + To ensure FIPS compliance, be sure to enter your Ubuntu Pro token. + + ::: + +8. Specify the URL or IP address of the Spectro Cloud Repository that is provided to you by the airgap setup script. + Make sure to specify the file path to the CA certificate when prompted. + + :::info + + If you are using the Palette CLI from inside an [airgap support VM](./vmware-vsphere-airgap-instructions.md), the + CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Spectro Cloud + Artifact Repository (SCAR) configuration**. Type `y` to use the local resources and skip filling in the repository + URL and credentials. + + ::: + +9. Enter the repository credentials. Our support team provides the credentials you need to access the public Spectro + Cloud repository. 
Airgap installations, provide the credentials to your private repository provided to you by the + airgap setup script . + +10. Choose `VMware vSphere` as the cloud type. This is the default. + +11. Type an enterprise cluster name. Your VM instances will use this name as a prefix. + +12. When prompted, enter the information listed in each of the following tables. + + #### Environment Configuration + + | **Parameter** | **Description** | + | :-------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | + | **HTTPS Proxy** | Leave this blank unless you are using an HTTPS Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `https://USERNAME:PASSWORD@PROXYIP:PROXYPORT`. | + | **HTTP Proxy** | Leave this blank unless you are using an HTTP Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `http://USERNAME:PASSWORD@PROXYIP:PROXYPORT`. | + | **No Proxy** | The default is blank. You can add a comma-separated list of local network CIDR addresses, hostnames, and domain names that should be excluded from being a proxy. This setting will be propagated to all the nodes to bypass the proxy server. Example if you have a self-hosted environment: `maas.company.com,10.10.0.0/16`. | + | **Proxy CA Certificate Filepath** | The default is blank. You can provide the filepath of a CA certificate on the installer host. If provided, this CA certificate will be copied to each host in the PCG cluster during deployment. The provided path will be used on the PCG cluster hosts. Example: `/usr/local/share/ca-certificates/ca.crt`. 
| + | **Pod CIDR** | Enter the CIDR pool IP that will be used to assign IP addresses to pods in the EC cluster. The pod IP addresses should be unique and not overlap with any machine IPs in the environment. | + | **Service IP Range** | Enter the IP address range that will be used to assign IP addresses to services in the EC cluster. The service IP addresses should be unique and not overlap with any machine IPs in the environment. | + +13. Select the OCI registry type and provide the configuration values. Review the following table for more information. + If you are using the Palette CLI from inside an [airgap support VM](./vmware-vsphere-airgap-instructions.md), the + CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Pack Registry?** Type + `y` to use the local resources and skip filling in the OCI registry URL and credentials. + + :::warning + + For self-hosted OCI registries, ensure you have the server Certificate Authority (CA) certificate file available on + the host where you are using the Palette CLI. You will be prompted to provide the file path to the OCI CA + certificate. Failure to provide the OCI CA certificate will result in self-linking errors. Refer to the + [Self-linking Error](../../../../troubleshooting/enterprise-install.md#scenario---self-linking-error) + troubleshooting guide for more information. + + ::: + + #### Pack & Image Registry Configuration + + | **Parameter** | **Description** | + | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. Airgap users, select `OCI`. 
| + | **Registry Name** | Enter the name of the registry. | + | **Registry Endpoint** | Enter the registry endpoint. Airgap users, provide the **Spectro Cloud Repository** URL or hostname shared by the airgap setup script. | + | **Registry Base Path** | Enter the registry base path. | + | **Allow Insecure Connection** | Bypasses x509 verification. Type `n` to specify a certificate authority in the follow-up prompt. Airgap user, ensure you select `n`. | + | **Registry CA certificate filepath** | Specify the file path to the certificate authority. Use absolute paths. Airgap users, provide the filepath displayed by the aurgap setup script. | + | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. | + | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. | + | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. | + | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. | + | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. Airgap users, select `n` so that you can specify the values for the OCI registry that contains all the required images. | + + When prompted to **Pull images from public registry**, type `n` and specify the OCI registry configuration values + for your image registry. If you are an [airgap support VM](./vmware-vsphere-airgap-instructions.md), the CLI will + automatically detect the airgap environment and prompt you to **Use local, air-gapped Image Registry?**. Type `y` to + use the local resources and skip filling in the OCI registry URL and credentials. Refer to the table above for more + information. 
+ + :::info + + You will be provided with an opportunity to update the mirror registries values. To exit `vi` press the `Escape` key + and type `:wq` to save and exit. + + ::: + +14. The next set of prompts is for the VMware vSphere account information. Enter the information listed in the following + table. + + #### VMware vSphere Account Information + + | **Parameter** | **Description** | + | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **vSphere Endpoint** | VMware vSphere endpoint. Must be a fully qualified domain name (FQDN) or IP address without a scheme - that is, without an IP protocol, such as `https://`. Example: `vcenter.mycompany.com`. | + | **vSphere Username** | VMware vSphere account username. | + | **vSphere Password** | VMware vSphere account password. | + | **Allow Insecure Connection** | Bypasses x509 verification. Type `Y` if using a VMware vSphere instance with self-signed Transport Layer Security (TLS) certificates. Otherwise, type `n`. | + + #### VMware vSphere Cluster Configuration + + This information determines where Palette will be deployed in your VMware vSphere environment. The Palette CLI will use + the provided VMware credentials to retrieve information from your VMware vSphere environment and present options for you + to select from. + + | **Parameter** | **Description** | + | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Datacenter** | The installer retrieves the Datacenter automatically. | + | **Folder** | Select the folder that contains the VM instance. 
| + | **Cluster** | Select the cluster where you want to deploy Palette. | + | **Network** | Select the network where you want to deploy Palette. | + | **Resource Pool** | Select the resource pool where you want to deploy Palette. | + | **Datastore** | Select the datastore where you want to deploy Palette. | + | **Fault Domains** | Configure one or more fault domains by selecting values for these properties: Cluster, Network (with network connectivity), Resource Pool, and Storage Type (Datastore or VM Storage Policy). Note that when configuring the Network, if you are using a distributed switch, choose the network that contains the switch. | + | **NTP Servers** | You can provide a list of Network Time Protocol (NTP) servers, such as `pool.ntp.org`. | + | **SSH Public Keys** | Provide any public SSH keys to access your Palette VMs. This option opens up your system's default text editor. Vi is the default text editor for most Linux distributions. To review basic vi commands, check out the [vi Commands](https://www.cs.colostate.edu/helpdocs/vi.html) reference. | + +15. Specify the IP pool configuration. The placement type can be Static or Dynamic Domain Name Server (DDNS). Choosing + static placement creates an IP pool from which VMs are assigned IP addresses. Choosing DDNS assigns IP addresses + using DNS. + + #### Static Placement Configuration + + | **Parameter** | **Description** | + | ------------------------------- | ------------------------------------------------------------------------------------------- | + | **IP Start range** | Enter the first address in the EC IP pool range. | + | **IP End range** | Enter the last address in the EC IP pool range. | + | **Network Prefix** | Enter the network prefix for the IP pool range. Valid values are in [0, 32]. Example: `18`. | + | **Gateway IP Address** | Enter the IP address of the static IP gateway. | + | **Name servers** | Comma-separated list of DNS name server IP addresses. 
| + | **Name server search suffixes** | An optional comma-separated list of DNS search domains. | + +16. The last set of prompts are for the vSphere machine and database configuration. Use the following table for + guidance. + + #### vSphere Machine Configuration + + | **Parameter** | **Description** | + | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | + | **Small** | Deploy VM nodes with 8 CPU, 16 GB memory, 60 GB storage. The database specs are 20 GB database with 2 CPU limit and 4 GB memory limit. | + | **Medium** | Deploy VM nodes with 16 CPU, 32 GB memory, 100 GB storage. The database specs are 60 GB database with 4 CPU limit and 8 GB memory limit. | + | **Large** | Deploy VM nodes with 32 CPU, 64 GB memory, 120 GB storage. The database specs are 80 GB database with 8 CPU limit and 16 GB memory limit. | + | **Custom** | Deploy VM nodes with custom CPU, memory, storage, database size, CPU limit, and memory limit. If you specify custom, you will be prompted for the CPU, memory, and storage. | + + #### Additional vSphere Machine Configuration + + | **Parameter** | **Description** | + | ----------------- | ---------------------------------------------------------------------------------------- | + | **Node Affinity** | Select the node affinity. Enter `y` to schedule all Palette pods on control plane nodes. | + + The installation process stands up a [kind](https://kind.sigs.k8s.io/) cluster locally that will orchestrate the + remainder of the installation. The installation takes some time. + + Upon completion, the enterprise cluster configuration file named `ec.yaml` contains the information you provided, + and its location is displayed in the terminal. Credentials and tokens are encrypted in the YAML file. 
+ + ```bash hideClipboard + ==== Enterprise Cluster config saved ==== + Location: :/home/spectro/.palette/ec/ec-20230706150945/ec.yaml + ``` + + :::tip + + If an error occurs during installation, remove the `kind` cluster that was created and restart the installation. To + remove the `kind` cluster, issue the following command. Replace `spectro-mgmt-cluster` with the name of your cluster + if you used a different name. + + ```bash + kind delete cluster spectro-mgmt-cluster + ``` + + Restart the install process by referencing the `ec.yaml` file that was created during the first installation + attempt. For example: + + ```bash + palette ec install --config /home/spectro/.palette/ec/ec-20230706150945/ec.yaml + ``` + + ::: + + When the installation is complete, Enterprise Cluster Details that include a URL and default credentials are + displayed in the terminal. You will use these to access the Palette VerteX System Console. The Palette CLI has the + kubectl CLI included. You can find the kubectl binary in the **bin** directory of the Palette CLI configuration + directory, located at **~/.palette/bin/kubectl**. + + ```bash hideClipboard + =========================================== + ==== Enterprise Cluster System Console ==== + =========================================== + Console URL: https://10.10.100.0/system + Username: ************ + Password: ************ + + The first of three Enterprise Cluster nodes is online and will now provision nodes two and three. + + It will take another ~30-45 minutes for the installation to complete. + + You can monitor its progress via kubectl/k9s or by viewing the system console. + + export KUBECONFIG=/ubuntu/.palette/ec/ec-20231012215923/spectro_mgmt.conf + ``` + +17. Copy the URL and paste it in your browser's URL field to access the system console. You will be prompted to reset. + + :::info + + The first time you visit the Palette VerteX system console, a warning message about an untrusted SSL certificate may + appear. 
This is expected, as you have not yet uploaded your SSL certificate to Palette VerteX. You can ignore this + warning message and proceed. + + ::: + + ![Screenshot of the Palette VerteX system console showing Username and Password fields.](/vertex_installation_install-on-vmware_vertex-system-console.webp) + +18. Log in to the System Console using the credentials provided in the Enterprise Cluster Details output. After login, + you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to + the Palette VerteX system console. + +19. After login, a Summary page is displayed. Palette VerteX is installed with a self-signed SSL certificate. To assign + a different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority + files to Palette VerteX. You can upload the files using the Palette VerteX system console. Refer to the + [Configure HTTPS Encryption](/vertex/system-management/ssl-certificate-management) page for instructions on how to + upload the SSL certificate files to Palette VerteX. + +20. The last step is to start setting up a tenant. To learn how to create a tenant, check out the + [Tenant Management](../../../system-management/tenant-management.md) guide. + + ![Screenshot of the Summary page showing where to click Go to Tenant Management button.](/vertex_installation_install-on-vmware_goto-tenant-management.webp) + +## Validate + +You can verify the installation is successful if you can access the system console using the IP address provided in +Enterprise Cluster Details and if the Summary page displays the **Go to Tenant Management** button. + +You can also validate that a three-node Kubernetes cluster is launched and Palette VerteX is deployed on it. + +1. Log in to the vCenter Server by using vSphere Client. + +2. Navigate to your vSphere Datacenter and locate your Palette VM instances. 
The VMs are prefixed with the name you + provided during the installation. For example, if you provided `spectro-mgmt-cluster` as the name, the VMs are named + `spectro-mgmt-cluster-`, followed by a unique set of alphanumeric values. Verify three nodes are available. + +3. Open a web browser session, and use the IP address provided in Enterprise Cluster Details at the completion of the + installation to connect to the Palette system console. Copy the IP address to the address bar and append `/system`. + +4. Log in using your credentials. + +5. A **Summary** page will be displayed that contains a tile with a **Go to Tenant Management** button. After initial + installation, the **Summary** page shows there are zero tenants. + +## Next Steps + +You have successfully installed Palette VerteX in vSphere. Your next steps are to configure Palette VerteX for your +organization. Start by creating the first tenant to host your users. Refer +to [Create a Tenant](../../../system-management/tenant-management.md) for instructions. + +After you create the tenant, you are ready to configure authentication types in tenant settings and create users and +teams. + +## Resources + +- [Environment Setup](./vmware-vsphere-airgap-instructions.md) + +- [Create a Tenant](../../../system-management/tenant-management.md) + +- [Enterprise Install Troubleshooting](../../../../troubleshooting/enterprise-install.md) + +- [Palette CLI](../../../../palette-cli/install-palette-cli.md#download-and-setup) + +- [System Management](../../../system-management/system-management.md) + +- [VMware System Requirements](../vmware-system-requirements.md) 
diff --git a/docs/docs-content/vertex/install-palette-vertex/airgap/vmware-vsphere-airgap-instructions.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md similarity index 91% rename from docs/docs-content/vertex/install-palette-vertex/airgap/vmware-vsphere-airgap-instructions.md rename to docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md index 79a4fb3888..c9671a4b32 100644 --- a/docs/docs-content/vertex/install-palette-vertex/airgap/vmware-vsphere-airgap-instructions.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions.md @@ -1,10 +1,10 @@ --- -sidebar_label: "VMware vSphere Airgap Instructions" -title: "VMware vSphere Airgap Instructions" +sidebar_label: "Environment Setup" +title: "Environment Setup" description: "Learn how to install VerteX in an air gap environment." icon: "" hide_table_of_contents: false -sidebar_position: 30 +sidebar_position: 20 tags: ["vertex", "enterprise", "airgap", "vmware", "vsphere"] keywords: ["self-hosted", "vertex"] --- @@ -13,10 +13,9 @@ This guide helps you to prepare your airgap environment for Palette VerteX insta :::info -This guide is for preparing your airgap environment only. For instructions on installing VerteX on -[VMware](../install-on-vmware/install.md) or [Kubernetes](../install-on-kubernetes/install.md), refer to their -respective guides. A checklist of the steps you will complete to prepare your airgap environment for VerteX is available -in the [Checklist](./checklist.md) page. +This guide is for preparing your airgap environment only. For instructions on installing Palette on +[VMware](./install.md). A checklist of the steps you will complete to prepare your airgap environment for Palette is +available in the [Checklist](./checklist.md) page. ::: 
@@ -49,10 +48,10 @@ VerteX. - Configure the Dynamic Host Configuration Protocol (DHCP) to access the airgap support VM via SSH. You can disable DHCP or modify the IP address after deploying the airgap support VM. -- Review the required vSphere [permissions](../install-on-vmware/vmware-system-requirements.md) and ensure you've - created the proper custom roles and zone tags. Zone tagging enables dynamic storage allocation across fault domains - when provisioning workloads that require persistent storage. Refer to - [Zone Tagging](../install-on-vmware/vmware-system-requirements.md#zone-tagging) for information. +- Review the required vSphere [permissions](../vmware-system-requirements.md) and ensure you've created the proper + custom roles and zone tags. Zone tagging enables dynamic storage allocation across fault domains when provisioning + workloads that require persistent storage. Refer to [Zone Tagging](../vmware-system-requirements.md#zone-tagging) for + information.
@@ -61,7 +60,7 @@ VerteX. Self-hosted VerteX installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not require a separate, user-installed PCG. However, you can deploy additional PCG instances to support provisioning into remote data centers without a direct incoming connection to VerteX. To learn how to install a PCG on VMware, check out -the [VMware](../../../clusters/data-center/vmware/vmware.md) guide. +the [VMware](../../../../clusters/pcg/deploy-pcg/vmware.md) guide. ::: @@ -88,13 +87,13 @@ The default container runtime for OVAs is [Podman](https://podman.io/), not Dock distribution OVA required for the installation. ```url - https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12610-0.ova + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12711-0.ova ``` Place the OVA in the **spectro-templates** folder. Append the `r_` prefix, and remove the `.ova` suffix when - assigning its name and target location. For example, the final output should look like `r_u-2004-0-k-12610`. This + assigning its name and target location. For example, the final output should look like `r_u-2204-0-k-12711-0`. This naming convention is required for the installation process to identify the OVA. Refer to the - [Supplement Packs](./supplemental-packs.md#additional-ovas) page for a list of additional OS OVAs. + [Supplement Packs](../../airgap/supplemental-packs.md) page for a list of additional OS OVAs. You can terminate the deployment after the OVA is available in the `spectro-templates` folder. Refer to the [Deploy an OVF or OVA Template](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-AFEDC48B-C96F-4088-9C1F-4F0A30E965DE.html) 
@@ -322,8 +321,8 @@ If you are working in Vim, press `i` to enter insert mode in the text editor. Pr 20. The output of the script contains credentials and values you will need when completing the installation with the Palette CLI. If you need to review this information in the future, invoke the script again. -21. Review the [Additional Packs](./supplemental-packs.md) page and identify any additional packs you want to add to - your OCI registry. By default, the installation includes only the minimum required packs. You can also add +21. Review the [Additional Packs](../../airgap/supplemental-packs.md) page and identify any additional packs you want to + add to your OCI registry. By default, the installation includes only the minimum required packs. You can also add additional packs after the installation is complete. You have now completed the preparation steps for an airgap installation. Check out the [Validate](#validate) section to @@ -401,8 +400,7 @@ installed in the airgap support VM and ready to use. palette ec install ``` -Complete all the Palette CLI steps outlined in the [VMware Install Instructions](../install-on-vmware/install.md) guide -from the airgap support VM. +Complete all the Palette CLI steps outlined in the [Install VerteX](./install.md) guide from the airgap support VM. :::info @@ -421,5 +419,3 @@ example values are for reference only. When prompted for **Allow Insecure Connection (Bypass x509 Verification)?**, enter `n` to continue and specify the server certificate filepath from the script output. - -::: diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install-on-vmware.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install-on-vmware.md index 7ce0104cbd..5a001b8dea 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install-on-vmware.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install-on-vmware.md 
@@ -15,6 +15,8 @@ repository access. ## Resources -- [Install on VMware](install.md) +- [Non-Airgap Install on VMware](install.md) + +- [Airgap Installation](./airgap-install/airgap-install.md) - [VMware System Requirements](vmware-system-requirements.md) diff --git a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install.md b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install.md index 51b96e6f37..cc52daba89 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-on-vmware/install.md @@ -1,6 +1,6 @@ --- -sidebar_label: "Instructions" -title: "Install Palette VerteX on VMware" +sidebar_label: "Non-Airgap Install" +title: "Non-Airgap Install" description: "Learn how to deploy Palette VerteX on VMware." icon: "" hide_table_of_contents: false 
@@ -9,21 +9,13 @@ tags: ["vertex", "vmware"] keywords: ["self-hosted", "vertex"] --- -You install Palette VerteX using the Palette Command Line Interface (CLI) that guides you for details to create a -configuration file and a three-node enterprise cluster for high availability (HA). You can invoke the Palette CLI on any -Linux x86-64 system with the Docker daemon installed and connectivity to the VMware vSphere environment where Palette -VerteX will be deployed. +You install Palette VerteX in an airgap environment through the Palette Command Line Interface (CLI). The CLI provides +you with an interactive experience that guides you through the installation process. You can invoke the Palette CLI on +any Linux x86-64 system with the Docker daemon installed and connectivity to the VMware vSphere environment where +Palette VerteX will be deployed. ## Prerequisites -:::warning - -If you are installing Palette VerteX in an airgap environment, ensure you complete all the airgap pre-install steps -before proceeding with the installation. Refer to the -[VMware vSphere Airgap Instructions](../airgap/vmware-vsphere-airgap-instructions.md) guide for more information. - -::: - - An AMD64 Linux environment with connectivity to the VMware vSphere environment. - [Docker](https://docs.docker.com/engine/install/) or equivalent container runtime installed and available on the Linux 
@@ -66,6 +58,14 @@ before proceeding with the installation. Refer to the - x509 SSL certificate authority file in base64 format. This file is optional. + :::warning + + Palette VerteX does not support insecure connections. Ensure you have the Certificate Authority (CA) available, in + PEM format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and + images from the registry. The Palette CLI will prompt you to provide the CA certificate file path when necessary. + + ::: + - Zone tagging is required for dynamic storage allocation across fault domains when provisioning workloads that require persistent storage. Refer to [Zone Tagging](vmware-system-requirements.md#zone-tagging) for information. @@ -82,14 +82,6 @@ a PCG on VMware, check out the [Deploy to VMware vSphere](../../../clusters/pcg/ ::: -:::warning - -Palette VerteX does not support insecure connections. Ensure you have the Certificate Authority (CA) available, in PEM -format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and images from -the registry. The Palette CLI will prompt you to provide the CA certificate file path when necessary. - -::: - ## Deployment The video below demonstrates the installation wizard and the prompts you will encounter. Take a moment to watch the @@ -97,20 +89,8 @@ video before you begin the installation process. Make sure to use values that ar the **three-dots Menu** in the lower right corner of the video to expand the video to full screen and to change the playback speed. - - - - - - - - - - - - Use the following steps to install Palette VerteX. 1. Log in to your vCenter environment. 
@@ -124,11 +104,11 @@ Use the following steps to install Palette VerteX. guide for information about importing an OVA in vCenter. ```url - https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12610-0.ova + https://vmwaregoldenimage-console.s3.us-east-2.amazonaws.com/u-2204-0-k-12711-0.ova ``` 4. Append an `r_` prefix to the OVA name and remove the `.ova` suffix after the import. For example, the final output - should look like `r_u-2004-0-k-12610`. This naming convention is required for the install process to identify the + should look like `r_u-2204-0-k-12711-0`. This naming convention is required for the install process to identify the OVA. Refer to the [Supplement Packs](../airgap/supplemental-packs.md#additional-ovas) page for a list of additional OVAs you can download and upload to your vCenter environment. 
@@ -160,21 +140,7 @@ Use the following steps to install Palette VerteX. ::: -8. Depending on that type of install of Palette you are using, the Spectro Cloud repository URL value will be - different. - - - Non-Airgap: `https://saas-repo-fips.console.spectrocloud.com` - - Airgap: The URL or IP address of the Spectro Cloud Repository that is provided to you by the airgap setup script. - Make sure to specify the file path to the CA certificate when prompted. - - :::info - - If you are using the Palette CLI from inside an - [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), the CLI will automatically detect the airgap - environment and prompt you to **Use local, air-gapped Spectro Cloud Artifact Repository (SCAR) configuration**. Type - `y` to use the local resources and skip filling in the repository URL and credentials. - - ::: +8. The Spectro Cloud repository URL is `https://saas-repo-fips.console.spectrocloud.com`. 9. Enter the repository credentials. Our support team provides the credentials you need to access the public Spectro Cloud repository. Airgap installations, provide the credentials to your private repository provided to you by the @@ -186,7 +152,7 @@ Use the following steps to install Palette VerteX. 12. When prompted, enter the information listed in each of the following tables. - #### Environment Configuration + #### Environment Configuration | **Parameter** | **Description** | | :-------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | 
@@ -197,69 +163,7 @@ Use the following steps to install Palette VerteX. | **Pod CIDR** | Enter the CIDR pool IP that will be used to assign IP addresses to pods in the EC cluster. The pod IP addresses should be unique and not overlap with any machine IPs in the environment. | | **Service IP Range** | Enter the IP address range that will be used to assign IP addresses to services in the EC cluster. The service IP addresses should be unique and not overlap with any machine IPs in the environment. | -13. Select the tab below that matches your installation type for further guidance. - - - - - Select `y` to use the Spectro Cloud FIPS repository and proceed to the next step. - - - - - -:::info - -If you are using the Palette CLI from inside an [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), -the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Pack Registry?** Type -`y` to use the local resources and skip filling in the OCI registry URL and credentials. - -::: - - Select the OCI registry type and provide the configuration values. Review the following table for more information. - -:::warning - -For self-hosted OCI registries, ensure you have the server Certificate Authority (CA) certificate file available on the -host where you are using the Palette CLI. You will be prompted to provide the file path to the OCI CA certificate. -Failure to provide the OCI CA certificate will result in self-linking errors. Refer to the -[Self-linking Error](../../../troubleshooting/enterprise-install.md#scenario---self-linking-error) troubleshooting guide -for more information. 
- -::: - - #### Pack & Image Registry Configuration - - | **Parameter** | **Description** | - | ------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. Airgap users, select `OCI`. | - | **Registry Name** | Enter the name of the registry. | - | **Registry Endpoint** | Enter the registry endpoint. Airgap users, provide the **Spectro Cloud Repository** URL or hostname shared by the airgap setup script. | - | **Registry Base Path** | Enter the registry base path. | - | **Allow Insecure Connection** | Bypasses x509 verification. Type `n` to specify a certificate authority in the follow-up prompt. Airgap user, ensure you select `n`. | - | **Registry CA certificate filepath** | Specify the file path to the certificate authority. Use absolute paths. Airgap users, provide the filepath displayed by the aurgap setup script. | - | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. | - | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. | - | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. | - | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. | - | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. 
Airgap users, select `n` so that you can specify the values for the OCI registry that contains all the required images. | - - When prompted to **Pull images from public registry**, type `n` and specify the OCI registry configuration values for - your image registry. If you are an [airgap support VM](../airgap/vmware-vsphere-airgap-instructions.md), the CLI will automatically detect the airgap environment and prompt you to **Use local, air-gapped Image Registry?**. Type `y` to use the local resources and skip filling in the OCI registry URL and credentials. - Refer to the table above for more information. - -:::info - -You will be provided with an opportunity to update the mirror registries values. To exit `vi` press the `Escape` key and -type `:wq` to save and exit. - -::: - - - - - ---- +13. Select `y` to use the Spectro Cloud FIPS repository and proceed to the next step. 14. The next set of prompts is for the VMware vSphere account information. Enter the information listed in the following table. @@ -435,7 +339,7 @@ teams. ## Resources -- [Airgap Instructions](../airgap/vmware-vsphere-airgap-instructions.md) +- [Airgap Instructions](./airgap-install/vmware-vsphere-airgap-instructions.md) - [Create a Tenant](../../system-management/tenant-management.md) diff --git a/docs/docs-content/vertex/install-palette-vertex/install-palette-vertex.md b/docs/docs-content/vertex/install-palette-vertex/install-palette-vertex.md index 342d3c678b..baefe2015a 100644 --- a/docs/docs-content/vertex/install-palette-vertex/install-palette-vertex.md +++ b/docs/docs-content/vertex/install-palette-vertex/install-palette-vertex.md 
@@ -17,13 +17,15 @@ VerteX is available in the following modes: | VMware | Install Palette VerteX in VMware environment. | [Install on VMware](./install-on-vmware/install.md) | | Kubernetes | Install Palette VerteX using a Helm Chart in an existing Kubernetes cluster. | [Install on Kubernetes](./install-on-kubernetes/install.md) | +## Airgap Installation + You can also install Palette VerteX in an airgap environment. For more information, refer to the [Airgap Installation](airgap/airgap.md) section. -| **Supported Airgap Platform** | **Description** | -| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| **Supported Airgap Platform** | **Description** | **Install Guide** | +| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------- | | VMware | Install Palette VerteX in VMware environment using your own OCI registry server. | -| Kubernetes | Install Palette VerteX using a Helm Chart in an existing Kubernetes cluster with your own OCI registry server OR use AWS ECR. | +| Kubernetes | Install Palette VerteX using a Helm Chart in an existing Kubernetes cluster with your own OCI registry server OR use AWS ECR. | [Airgap Install](./install-on-kubernetes/airgap-install/airgap-install.md) | The next sections describe specific requirements for installing Palette VerteX. diff --git a/redirects.js b/redirects.js index 4cd30f6d04..0d775c5c87 100644 --- a/redirects.js +++ b/redirects.js 
@@ -408,6 +408,30 @@ const redirects = [ from: "/projects/", to: "/tenant-settings/projects/", }, + { + from: "/enterprise-version/install-palette/airgap/checklist/", + to: "/enterprise-version/install-palette/airgap/", + }, + { + from: "/enterprise-version/install-palette/airgap/kubernetes-airgap-instructions/", + to: "/enterprise-version/install-palette/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions/", + }, + { + from: "/enterprise-version/install-palette/airgap/vmware-vsphere-airgap-instructions/", + to: "/enterprise-version/install-palette/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions/", + }, + { + from: "/vertex/install-palette-vertex/airgap/kubernetes-airgap-instructions/", + to: "/vertex/install-palette-vertex/install-on-kubernetes/airgap-install/kubernetes-airgap-instructions/", + }, + { + from: "/vertex/install-palette-vertex/airgap/vmware-vsphere-airgap-instructions/", + to: "/vertex/install-palette-vertex/install-on-vmware/airgap-install/vmware-vsphere-airgap-instructions/", + }, + { + from: "/vertex/install-palette-vertex/airgap/checklist/", + to: "/vertex/install-palette-vertex/airgap/", + }, ]; module.exports = redirects;
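Review bot: in the new airgap install guide (the hunk that begins with the **Pod CIDR** row), the tip under step 16 runs `kind delete cluster spectro-mgmt-cluster`, which does not pass the cluster name because kind takes it as a flag; it should read `kind delete cluster --name spectro-mgmt-cluster`. Smaller fixes in the same hunk: "aurgap setup script" in the **Registry CA certificate filepath** row; "Type `n` to a different registry" is missing "use"; "If you are an [airgap support VM]" under the registry table should say "If you are using the Palette CLI from inside an"; step 17 "You will be prompted to reset." drops its object (reset your password); and the sample `Location: :/home/spectro/...` output has a stray colon. The **Allow Insecure Connection** row of the vSphere account table uses `Y` where every other prompt in the guide uses lowercase `y`, and it would help the reader to state plainly that answering `y` disables TLS certificate validation for the vCenter connection, so the self-signed case is a deliberate trade-off rather than a default.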
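Review bot: the rewritten info admonition in the @@ -13 hunk of vmware-vsphere-airgap-instructions.md is a sentence fragment ("For instructions on installing Palette on [VMware](./install.md).") and says "Palette" where this VerteX guide says "Palette VerteX" elsewhere. The following sentence still links to `./checklist.md`, but the redirects hunk retires `/vertex/install-palette-vertex/airgap/checklist/` and no checklist file is added under the new `airgap-install/` directory in this patch, so either drop that sentence or confirm the target exists. Suggested wording: "This guide is for preparing your airgap environment only. For instructions on installing Palette VerteX on VMware, refer to the [Install VerteX](./install.md) guide."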
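Review bot: the final hunk of vmware-vsphere-airgap-instructions.md (@@ -421,5 +419,3) deletes a closing `:::`, while the `:::info` that appears as context in the @@ -401 hunk is still open; unless another `:::` closes it between those two hunks, the admonition now runs to the end of the file. Please confirm the admonition markers are balanced after this deletion.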
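Review bot: the new intro in install.md (@@ -9 hunk) opens with "You install Palette VerteX in an airgap environment through the Palette Command Line Interface (CLI)", yet this same patch retitles the page "Non-Airgap Install" and removes its airgap warning; drop "in an airgap environment". The removed paragraph also told the reader that the CLI produces a configuration file and a three-node enterprise cluster for high availability (HA), which is useful context that the replacement no longer carries; consider keeping that sentence.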
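Review bot: in the @@ -66 hunk of install.md the prerequisite "x509 SSL certificate authority file in base64 format. This file is optional." now sits directly above a warning that the CA is required in PEM format whenever a custom pack and image registry is used; the bullet should say the file is optional only when using the default Spectro Cloud repository, and the two lines should agree on the format (base64 versus PEM). Also "custom packs and image registry" reads better as "custom pack and image registry".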
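Review bot: step 8 in the @@ -160 hunk of install.md now states only the non-airgap repository URL, but the step 9 context line that follows still reads "Airgap installations, provide the credentials to your private repository provided to you by the..."; with the airgap path moved to its own guide, that sentence should be removed here as well so the non-airgap page does not reference a prompt its readers will not see.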
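Review bot: the airgap table in install-palette-vertex.md gains an **Install Guide** column, but the VMware row is left unchanged with only two cells, so it will render with an empty or misaligned third column. Add the link to the VMware airgap page that the install-on-vmware.md Resources hunk introduces, e.g. `| VMware | Install Palette VerteX in VMware environment using your own OCI registry server. | [Airgap Install](./install-on-vmware/airgap-install/airgap-install.md) |`.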