From eecf731008b962d7f5aefbeb6cfee251147b92b9 Mon Sep 17 00:00:00 2001 
From: Karl Cardenas Date: Thu, 21 Sep 2023 16:01:08 -0700 Subject: [PATCH] docs: updated palette content --- .../enterprise-version-bkup/_category_.json | 3 + .../enterprise-version-bkup/air-gap-repo.md | 716 +++++++++++++++ .../deploying-an-enterprise-cluster.md | 388 ++++++++ .../deploying-palette-with-helm.md | 669 ++++++++++++++ .../deploying-the-platform-installer.md | 90 ++ .../enterprise-cluster-management.md | 237 +++++ .../enterprise-version-bkup.md | 90 ++ .../helm-chart-install-reference.md | 720 +++++++++++++++ .../enterprise-version-bkup/monitoring.md | 56 ++ .../on-prem-system-requirements.md | 850 ++++++++++++++++++ .../enterprise-version-bkup/reverse-proxy.md | 252 ++++++ .../ssl-certificate-management.md | 81 ++ .../system-console-dashboard.md | 43 + .../enterprise-version-bkup/upgrade.md | 81 ++ .../install-palette/_category_.json | 3 + .../install-on-kubernetes/_category_.json | 3 + .../install-on-kubernetes.md | 21 + .../install-on-kubernetes/install.md | 308 +++++++ .../install-on-kubernetes/palette-helm-ref.md | 451 ++++++++++ .../install-palette/install-palette.md | 79 ++ .../system-management/_category_.json | 3 + .../system-management/reverse-proxy.md | 255 ++++++ .../ssl-certificate-management.md | 85 ++ .../system-management/system-management.md | 30 + .../system-management/tenant-management.md | 119 +++ 25 files changed, 5633 insertions(+) create mode 100644 docs/docs-content/enterprise-version-bkup/_category_.json create mode 100644 docs/docs-content/enterprise-version-bkup/air-gap-repo.md create mode 100644 docs/docs-content/enterprise-version-bkup/deploying-an-enterprise-cluster.md create mode 100644 docs/docs-content/enterprise-version-bkup/deploying-palette-with-helm.md create mode 100644 docs/docs-content/enterprise-version-bkup/deploying-the-platform-installer.md create mode 100644 docs/docs-content/enterprise-version-bkup/enterprise-cluster-management.md create mode 100644 
docs/docs-content/enterprise-version-bkup/enterprise-version-bkup.md
create mode 100644 docs/docs-content/enterprise-version-bkup/helm-chart-install-reference.md
create mode 100644 docs/docs-content/enterprise-version-bkup/monitoring.md
create mode 100644 docs/docs-content/enterprise-version-bkup/on-prem-system-requirements.md
create mode 100644 docs/docs-content/enterprise-version-bkup/reverse-proxy.md
create mode 100644 docs/docs-content/enterprise-version-bkup/ssl-certificate-management.md
create mode 100644 docs/docs-content/enterprise-version-bkup/system-console-dashboard.md
create mode 100644 docs/docs-content/enterprise-version-bkup/upgrade.md
create mode 100644 docs/docs-content/enterprise-version/install-palette/_category_.json
create mode 100644 docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/_category_.json
create mode 100644 docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md
create mode 100644 docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md
create mode 100644 docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md
create mode 100644 docs/docs-content/enterprise-version/install-palette/install-palette.md
create mode 100644 docs/docs-content/enterprise-version/system-management/_category_.json
create mode 100644 docs/docs-content/enterprise-version/system-management/reverse-proxy.md
create mode 100644 docs/docs-content/enterprise-version/system-management/ssl-certificate-management.md
create mode 100644 docs/docs-content/enterprise-version/system-management/system-management.md
create mode 100644 docs/docs-content/enterprise-version/system-management/tenant-management.md
diff --git a/docs/docs-content/enterprise-version-bkup/_category_.json b/docs/docs-content/enterprise-version-bkup/_category_.json
new file mode 100644
index 0000000000..75bb21d32a
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/_category_.json
@@ -0,0 +1,3 @@
+{
+ "position": 161
+}
diff --git a/docs/docs-content/enterprise-version-bkup/air-gap-repo.md b/docs/docs-content/enterprise-version-bkup/air-gap-repo.md
new file mode 100644
index 0000000000..82c0d88ea7
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/air-gap-repo.md
@@ -0,0 +1,716 @@
+---
+sidebar_label: "Install in an Air Gap Environment"
+title: "Install in an Air Gap Environment"
+description: "Learn how to install Palette into an air gap environment."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 70
+tags: ["self-hosted", "enterprise", "air-gap"]
+---
+
+You can install a self-hosted version of Palette into a VMware environment without direct internet access. This type of installation is referred to as an *air gap* installation.
+
+In a standard Palette installation, the following artifacts are downloaded by default from the public Palette repository.
+
+* Palette platform manifests and required platform packages.
+
+
+* Container images for core platform components and 3rd party dependencies.
+
+
+* Palette Packs.
+
+
+The installation process changes a bit in an air gap environment due to the lack of internet access. Before the primary Palette installation step, you must download the three required Palette artifacts mentioned above. The other significant change is that Palette's default public repository is not used. Instead, a private repository supports all Palette operations pertaining to storing images and packages.
+
+The following diagram is a high-level overview of the order of operations required to deploy a self-hosted instance of Palette in an airgap environment.
+
+
+![An architecture diagram outlining the five different install phases](/enterprise-version_air-gap-repo_overview-order-diagram.png)
+
+
+The airgap installation can be simplified into five major phases.
+
+
+1. Download the Open Virtual Appliance (OVA) image and deploy the instance hosting the private repository that supports the airgap environment.
+
+
+2. The private Spectro Cloud repository is initialized, and all the Palette-required artifacts are downloaded and available.
+
+
+3. The Palette Install OVA is deployed, configured, and initialized.
+
+
+4. The scale-up process to a highly available three-node installation begins.
+
+
+5. Palette is ready for usage.
+
+
+This guide focuses on the first two installation phases, as the remaining ones are covered in the [Migrate Cluster to Enterprise](deploying-an-enterprise-cluster.md) guide and the [Install Using Quick-Start Mode](deploying-the-platform-installer.md) guide.
+
+
+## Prerequisites
+
+* The following minimum resources are required to deploy Palette.
+ * 2 vCPU
+ * 4 GB of Memory
+ * 100 GB of Storage. Storage sizing depends on your intended update frequency and data retention model.

+
+* Ensure the following ports allow inbound network traffic.
+ * 80
+ * 443
+ * 5000
+ * 8000
+
+
+* Request the Palette self-hosted installer image and the Palette air gap installer image. To request the installer images, please contact our support team by sending an email to support@spectrocloud.com. Kindly provide the following information in your email:
+
+ - Your full name
+ - Organization name (if applicable)
+ - Email address
+ - Phone number (optional)
+ - A brief description of your intended use for the Palette Self-host installer image.
+
+Our dedicated support team will promptly get in touch with you to provide the necessary assistance and share the installer image.
+
+If you have any questions or concerns, please feel free to contact support@spectrocloud.com.
+
+
+## Deploy Air Gapped Appliance
+
+
+1. Log in to vCenter Server by using the vSphere Client.
+
+
+2. Navigate to the Datacenter and select the cluster you want to use for the installation. Right-click on the cluster and select **Deploy OVF Template**.
+
+
+3. Select the airgap OVA installer image you downloaded after receiving guidance from our support team.
+
+
+4. Select the folder where you want to install the Virtual Machine (VM) and assign a name to the VM.
+
+
+5. Next, select the compute resource.
+
+
+6. Review the details page. You may get a warning message stating the certificate is not trusted. You can ignore the message and click **Next**.
+
+
+7. Select your storage device and storage policy. Click on **Next** to proceed.
+
+
+8. Choose a network for your appliance and select **Next**.
+
+
+9. Fill out the remaining template customization options. You can modify the following input fields.

+ + | Parameter | Description | Default Value | + | --- | --- | -- | + | **Encoded user-data** | In order to fit into an XML attribute, this value is base64 encoded. This value will be decoded, and then processed normally as user-data. | - | + | **ssh public keys** | This field is optional but indicates that the instance should populate the default user's `authorized_keys` with the provided public key. | -| + | **Default User's password** | Setting this value allows password-based login. The password will be good for only a single login. If set to the string `RANDOM` then a random password will be generated, and written to the console. | - | + | **A Unique Instance ID for this instance** | Specifies the instance id. This is required and used to determine if the machine should take "first boot" actions| `id-ovf`| + | **Hostname** | Specifies the hostname for the appliance. | `ubuntuguest` | + | **URL to seed instance data from** | This field is optional but indicates that the instance should 'seed' user-data and meta-data from the given URL.| -| + +10. Click on **Next** to complete the deployment wizard. Upon completion, the cloning process will begin. The cloning process takes a few minutes to complete. + + +11. Power on the VM and click on the **Launch Web Console** button to access the instance's terminal. + + +12. Configure a static IP address on the node by editing **/etc/netplan/50-cloud-init.yaml**. + + ```shell + sudo vi /etc/netplan/50-cloud-init.yaml + ``` + + Use the following sample configuration as a starting point but feel free to change the configuration file as required for your environment. To learn more about Netplan, check out the [Netplan configuration examples](https://netplan.io/examples) from Canonical. + +
+ + ```yaml + network: + version: 2 + renderer: networkd + ethernets: + ens192: + dhcp4: false + addresses: + - 10.10.244.9/18 # your static IP and subnet mask + gateway4: 10.10.192.1 # your gateway IP + nameservers: + addresses: [10.10.128.8] # your DNS nameserver IP address. + ``` + + To exit Vi, press the **ESC** key and type `:wq` followed by the **Enter** key.

+ +13. Issue the `netplan` command to update the network settings. + +
+ + ```shell + sudo netplan apply + ``` + +14. Give the instance one to two minutes before issuing the following command. The next step is to start the airgap setup script that stands up the Spectro Repository. Issue the command below and replace `X.X.X.X` with the static IP you provided to the Netplan configuration file. + +
+ + ```shell + sudo /opt/spectro/airgap-setup.sh X.X.X.X + ``` + + Record the output of the setup command as you will use it when deploying the Quick Start appliance later on in the installation process. + + Example Output: + ```shell hideClipboard + Setting up Manifests + Setting up Manifests + Setting up SSL Certs + Setup Completed + + Details: + ------- + Spectro Cloud Repository + UserName: XXXXXXXXX + Password: XXXXXXXXXX + Location: https://10.10.249.12 + Artifact Repo Certificate: + LS0tLS1CRUdJ............. + + Pack Registry + URL: https://10.10.249.12:5000 + Username: XXXXXXXXX + Password: XXXXXXXXX + ``` + +15. If you need to configure the instance with proxy settings, go ahead and do so now. You can configure proxy settings by using environment variables. Replace the values with your environment's respective values. + +
+ + ```shell + export http_proxy=http://10.1.1.1:8888 + export https_proxy=https://10.1.1.1:8888 + export no_proxy=.example.dev,10.0.0.0/8 + ``` + +16. The next set of steps will download the required binaries to support a Palette installation, such as the Palette Installer, required Kubernetes packages, and kubeadm packages. You can download these artifacts from the instance, or externally and transfer them to the instance. Click on each tab for further guidance. + +
+ + :::caution + + You must download the following three resources. Our support team will provide you with the credentials and download URL. + Click on each tab to learn more about each resource and steps for downloading. + + ::: + +
+ + + + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/airgap-v3.3.15.bin \ + --output airgap-k8s-v3.3.15.bin + ``` + +:::tip + + If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-k8s-v3.3.15.bin && sudo ./airgap-k8s-v3.3.15.bin + ``` + + Example Output: + ```shell + sudo ./airgap-k8s-v3.3.15.bin + Verifying archive integrity... 100% MD5 checksums are OK. All good. + Uncompressing Airgap K8S Images Setup - Version 3.3.15 100% + Setting up Packs + Setting up Images + - Pushing image k8s.gcr.io/kube-controller-manager:v1.22.10 + - Pushing image k8s.gcr.io/kube-proxy:v1.22.10 + - Pushing image k8s.gcr.io/kube-apiserver:v1.22.10 + - Pushing image k8s.gcr.io/kube-scheduler:v1.22.10 + … + Setup Completed + ``` + + + + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/airgap-k8s-v3.3.15.bin \ + --output airgap-k8s-v3.3.15.bin + ``` + + +:::tip + + If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-k8s-v3.3.15.bin && sudo ./airgap-k8s-v3.3.15.bin + ``` + + Example Output: + ```shell + sudo ./airgap-k8s-v3.3.15.bin + Verifying archive integrity... 100% MD5 checksums are OK. All good. + Uncompressing Airgap K8S Images Setup - Version 3.3.15 100% + Setting up Packs + Setting up Images + - Pushing image k8s.gcr.io/kube-controller-manager:v1.22.10 + - Pushing image k8s.gcr.io/kube-proxy:v1.22.10 + - Pushing image k8s.gcr.io/kube-apiserver:v1.22.10 + - Pushing image k8s.gcr.io/kube-scheduler:v1.22.10 + … + Setup Completed + ``` + + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-kubeadm.bin \ + --output airgap-edge-kubeadm.bin + ``` + +:::tip + + If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-kubeadm.bin && sudo ./airgap-edge-kubeadm.bin + ``` + + Example Output: + ```shell + sudo ./airgap-edge-kubeadm.bin + Verifying archive integrity... 100% MD5 checksums are OK. All good. + Uncompressing Airgap Edge Packs - Kubeadm Images 100% + Setting up Images + - Skipping image k8s.gcr.io/coredns/coredns:v1.8.6 + - Pushing image k8s.gcr.io/etcd:3.5.1-0 + - Pushing image k8s.gcr.io/kube-apiserver:v1.23.12 + - Pushing image k8s.gcr.io/kube-controller-manager:v1.23.12 + - Pushing image k8s.gcr.io/kube-proxy:v1.23.12 + … + Setup Completed + ``` + +
+ + +
+ +
+ +17. If you will be using Edge deployments, go ahead and download the packages your Edge deployments will need. If you are not planning to use Edge, skip to end. You can come back to this step in the future and add the packages if needed. Click on the `...` tab for additional options. + + +
+ + + + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu22-k3s.bin \ + --output airgap-edge-ubuntu22-k3s.bin + ``` + +:::tip + + If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu22-k3s.bin && sudo ./airgap-edge-ubuntu22-k3s.bin + ``` + + +
+ + + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu22-rke.bin \ + --output airgap-edge-ubuntu22-rke.bin + ``` + +:::tip + + If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu22-rke.bin && sudo ./airgap-edge-ubuntu22-rke.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu22-kubeadm.bin \ + --output airgap-edge-ubuntu22-kubeadm.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu22-kubeadm.bin && sudo ./airgap-edge-ubuntu22-kubeadm.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu20-k3s.bin \ + --output airgap-edge-ubuntu20-k3s.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu20-k3s.bin && sudo ./airgap-edge-ubuntu20-k3s.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu20-rke.bin \ + --output airgap-edge-ubuntu20-rke.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu20-rke.bin && sudo ./airgap-edge-ubuntu20-rke.bin + ``` + +
+ + + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-ubuntu20-kubeadm.bin \ + --output airgap-edge-ubuntu20-kubeadm.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-ubuntu20-kubeadm.bin && sudo ./airgap-edge-ubuntu20-kubeadm.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-opensuse-k3s.bin \ + --output airgap-edge-opensuse-k3s.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-opensuse-k3s.bin && sudo ./airgap-edge-opensuse-k3s.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-opensuse-rke.bin \ + --output airgap-edge-opensuse-rke.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-opensuse-rke.bin && sudo ./airgap-edge-opensuse-rke.bin + ``` + +
+ + + + Download the binary by using the URL provided by the Palette support team. Change the version number as needed. + +
+ + ```shell + curl --user XXXX:YYYYY https:///airgap/packs/3.3/airgap-edge-opensuse-kubeadm.bin \ + --output airgap-edge-opensuse-kubeadm.bin + ``` + +:::tip + +If you receive a certificate error, use the `-k` or `--insecure` flag. + +::: + + Assign the proper permissions and start the download script. + +
+ + ```shell + sudo chmod 755 ./airgap-edge-opensuse-kubeadm.bin && sudo ./airgap-edge-opensuse-kubeadm.bin + ``` + +
+ + +
+ + +---- + + +The next step of the installation process is to begin the deployment of an appliance using the instructions in the [Migrate Cluster to Enterprise Mode](deploying-an-enterprise-cluster.md). If you need to review the Spectro Cloud Repository details, issue the following command for detailed output. + +
+ +```shell +sudo /bin/airgap-setup.sh +``` + +
+ +:::info + +You can review all the logs related to the setup of the private Spectro repository in **/tmp/airgap-setup.log**. + +::: + + +## Validate + +You can validate that the Spectro Repository you deployed is available and ready for the next steps of the installation process. If you provided the appliance with an SSH key then you can skip to step five. + +
+1. Log in to vCenter Server by using the vSphere Client. + + +2. Navigate to your Datacenter and locate your VM. Click on the VM to access its details page. + + +3. Power on the VM. + + +4. Click on **Launch Web Console** to access the terminal. + + +5. Log in with the user `ubuntu` and the user password you specified during the installation. If you are using SSH, use the following command, and ensure you specify the path to your SSH private key and replace the IP address with your appliance's static IP. + +
+ + ```shell + ssh --identity_file ~/path/to/your/file ubuntu@10.1.1.1 + ``` + + +6. Verify the registry server is up and available. Replace the `10.1.1.1` value with your appliance's IP address. + +
+ + ```shell + curl --insecure https://10.1.1.1:5000/health + ``` + + Example Output: + ```shell + {"status":"UP"} + ``` + +7. Ensure you can log into your registry server. Use the credentials provided to you by the `airgap-setup.sh` script. Replace the `10.1.1.1` value with your appliance's IP address. + +
+ + ```shell + curl --insecure --user admin:admin@airgap https://10.1.1.1:5000/v1/_catalog + ``` + + Example Output: + ``` + {"metadata":{"lastUpdatedTime":"2023-04-11T21:12:09.647295105Z"},"repositories":[{"name":"amazon-linux-eks","tags":[]},{"name":"aws-efs","tags":[]},{"name":"centos-aws","tags":[]},{"name":"centos-azure","tags":[]},{"name":"centos-gcp","tags":[]},{"name":"centos-libvirt","tags":[]},{"name":"centos-vsphere","tags":[]},{"name":"cni-aws-vpc-eks","tags":[]},{"name":"cni-aws-vpc-eks-helm","tags":[]},{"name":"cni-azure","tags":[]},{"name":"cni-calico","tags":[]},{"name":"cni-calico-azure","tags":[]},{"name":"cni-cilium-oss","tags":[]},{"name":"cni-custom","tags":[]},{"name":"cni-kubenet","tags":[]},{"name":"cni-tke-global-router","tags":[]},{"name":"csi-aws","tags":[]},{"name":"csi-aws-ebs","tags":[]},{"name":"csi-aws-efs","tags":[]},{"name":"csi-azure","tags":[]},{"name":"csi-gcp","tags":[]},{"name":"csi-gcp-driver","tags":[]},{"name":"csi-longhorn","tags":[]},{"name":"csi-longhorn-addon","tags":[]},{"name":"csi-maas-volume","tags":[]},{"name":"csi-nfs-subdir-external","tags":[]},{"name":"csi-openstack-cinder","tags":[]},{"name":"csi-portworx-aws","tags":[]},{"name":"csi-portworx-gcp","tags":[]},{"name":"csi-portworx-generic","tags":[]},{"name":"csi-portworx-vsphere","tags":[]},{"name":"csi-rook-ceph","tags":[]},{"name":"csi-rook-ceph-addon","tags":[]},{"name":"csi-tke","tags":[]},{"name":"csi-topolvm-addon","tags":[]},{"name":"csi-vsphere-csi","tags":[]},{"name":"csi-vsphere-volume","tags":[]},{"name":"edge-k3s","tags":[]},{"name":"edge-k8s","tags":[]},{"name":"edge-microk8s","tags":[]},{"name":"edge-native-byoi","tags":[]},{"name":"edge-native-opensuse","tags":[]},{"name":"edge-native-ubuntu","tags":[]},{"name":"edge-rke2","tags":[]},{"name":"external-snapshotter","tags":[]},{"name":"generic-byoi","tags":[]},{"name":"kubernetes","tags":[]},{"name":"kubernetes-aks","tags":[]},{"name":"kubernetes-coxedge","tags":[]},{"name":"kubernetes-eks","tags":[
]},{"name":"kubernetes-eksd","tags":[]},{"name":"kubernetes-konvoy","tags":[]},{"name":"kubernetes-microk8s","tags":[]},{"name":"kubernetes-rke2","tags":[]},{"name":"kubernetes-tke","tags":[]},{"name":"portworx-add-on","tags":[]},{"name":"spectro-mgmt","tags":[]},{"name":"tke-managed-os","tags":[]},{"name":"ubuntu-aks","tags":[]},{"name":"ubuntu-aws","tags":[]},{"name":"ubuntu-azure","tags":[]},{"name":"ubuntu-coxedge","tags":[]},{"name":"ubuntu-edge","tags":[]},{"name":"ubuntu-gcp","tags":[]},{"name":"ubuntu-libvirt","tags":[]},{"name":"ubuntu-maas","tags":[]},{"name":"ubuntu-openstack","tags":[]},{"name":"ubuntu-vsphere","tags":[]},{"name":"volume-snapshot-controller","tags":[]}],"listMeta":{"continue":""}} + ``` + + +8. Next, validate the Spectro repository is available. Replace the IP with your appliance's IP address. + +
+ + ```shell + curl --insecure --user spectro:admin@airgap https://10.1.1.1 + ``` + + Output: + ```html hideClipboard + + + + Welcome to nginx! + + + +

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and + working. Further configuration is required.

+ +

For online documentation and support please refer to + nginx.org.
+ Commercial support is available at + nginx.com.

+ +

Thank you for using nginx.

+
+
+ ```
diff --git a/docs/docs-content/enterprise-version-bkup/deploying-an-enterprise-cluster.md b/docs/docs-content/enterprise-version-bkup/deploying-an-enterprise-cluster.md
new file mode 100644
index 0000000000..81b04f91ed
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/deploying-an-enterprise-cluster.md
@@ -0,0 +1,388 @@
+---
+sidebar_label: "Install Enterprise Cluster"
+title: "Install Enterprise Cluster"
+description: "Learn how to install self-hosted Palette or convert a self-hosted single node cluster to a highly available three node cluster."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["self-hosted", "enterprise"]
+---
+
+You have two options for installing Palette. You can use the Palette CLI to install a new self-hosted Palette instance or convert an existing single-node cluster (Quick-Start Mode) to a highly available three-node cluster. Select the method below that corresponds to your installation type.
+
+- [Install With CLI](#install-with-cli)
+
+- [Install With OVA](#install-with-ova)
+
+
+
+
+:::caution
+
+
+Starting with Palette 4.0.0, the Palette CLI, and the Helm Chart, are the only supported methods for installing Palette. The Palette OVA installation method is only available for versions 3.4 and earlier. Refer to the CLI tab below, or the [Kubernetes Install Helm Chart](deploying-palette-with-helm.md) guide for additional guidance on how to install Palette.
+
+:::
+
+
+
+
+
+
+## Install With CLI
+
+You install Palette using the Palette Command Line Interface (CLI) that guides you for details to create a configuration file and a three-node enterprise cluster for high availability (HA). You can invoke the Palette CLI on any Linux x86-64 system with the Docker daemon installed and connectivity to VMware vSphere where Palette will be deployed.
+
+
+### Prerequisites
+
+
+- An AMD64 Linux environment with connectivity to the VMware vSphere environment.
+
+
+
+- [Docker](https://docs.docker.com/engine/install/) or equivalent container runtime installed and available on the Linux host.
+
+
+
+- Palette CLI installed and available. Refer to the Palette CLI [Install](../palette-cli/install-palette-cli.md#download-and-setup) page for guidance.
+
+
+
+- Review required VMware vSphere [permissions](on-prem-system-requirements.md#vmware-privileges).
+
+
+
+- We recommended the following resources for Palette. Refer to the [Palette size guidelines](on-prem-system-requirements.md#self-hosted-configuration) for additional sizing information.
+
+ - 8 CPUs per VM.
+
+ - 16 GB Memory per VM.
+
+ - 100 GB Disk Space per VM.
+
+
+- The following network ports must be accessible for Palette to operate successfully.
+
+ - TCP/443: Inbound to and outbound from the Palette management cluster.
+
+ - TCP/6443: Outbound traffic from the Palette management cluster to the deployed cluster's Kubernetes API server.
+
+
+- Ensure you have an SSL certificate that matches the domain name you will assign to Palette. You will need this to enable HTTPS encryption for Palette. Reach out to your network administrator or security team to obtain the SSL certificate. You need the following files:
+
+ - x509 SSL certificate file in base64 format.
+
+ - x509 SSL certificate key file in base64 format.
+
+ - x509 SSL certificate authority file in base64 format. This file is optional.
+
+
+- Zone tagging is required for dynamic storage allocation across fault domains when provisioning workloads that require persistent storage. Refer to [Zone Tagging](on-prem-system-requirements.md#zone-tagging) for information.
+
+
+- Assigned IP addresses for application workload services, such as Load Balancer services.
+
+
+- Shared Storage between VMware vSphere hosts.
+
+
+
+:::info
+
+Self-hosted Palette installations provide a system Private Cloud Gateway (PCG) out-of-the-box and typically do not require a separate, user-installed PCG. However, you can create additional PCGs as needed to support provisioning into remote data centers that do not have a direct incoming connection from the Palette console. To learn how to install a PCG on VMware, check out the [VMware](../clusters/data-center/vmware.md) guide.
+
+:::
+
+
+
+### Deployment
+
+
+The video below provides a demonstration of the installation wizard and the prompts you will encounter. Take a moment to watch the video before you begin the installation process. Make sure to use values that are appropriate for your environment. Use the **three-dots Menu** in the lower right corner of the video to expand the video to full screen and to change the playback speed.
+
+
+
+
+
+
+Use the following steps to install Palette.
+
+
+1. Open a terminal window and invoke the Palette CLI by using the `ec` command to install the enterprise cluster. The interactive CLI prompts you for configuration details and then initiates the installation. For more information about the `ec` subcommand, refer to [Palette Commands](../palette-cli/commands.md#ec).
+
+ ```bash
+ palette ec install
+ ```
+
+2. At the **Enterprise Cluster Type** prompt, choose **Palette**.
+
+
+3. Type `y` if you want to use Ubuntu Pro. Otherwise, type `n`. If you choose to use Ubuntu Pro, you will be prompted to enter your Ubuntu Pro token.
+
+
+4. Provide the repository URL you received from our support team.
+
+
+5. Enter the repository credentials.
+
+
+6. Choose `VMware vSphere` as the cloud type. This is the default.
+
+
+7. Type an enterprise cluster name.
+
+
+8. When prompted, enter the information listed in each of the following tables.
+
+
+
+ #### Environment Configuration
+
+ |**Parameter**| **Description**|
+ |:-------------|----------------|
+ |**HTTPS Proxy**|Leave this blank unless you are using an HTTPS Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `https://USERNAME:PASSWORD@PROXYIP:PROXYPORT`.|
+ |**HTTP Proxy**|Leave this blank unless you are using an HTTP Proxy. This setting will be propagated to all EC nodes and all of its target cluster nodes. Example: `http://USERNAME:PASSWORD@PROXYIP:PROXYPORT`.|
+ |**No Proxy**|The default is blank. You can add a comma-separated list of local network CIDR addresses, hostnames, and domain names that should be excluded from being a proxy. This setting will be propagated to all the nodes to bypass the proxy server. Example if you have a self-hosted environment: `maas.company.com,10.10.0.0/16`.|
+ |**Proxy CA Certificate Filepath**|The default is blank. You can provide the filepath of a CA certificate on the installer host. If provided, this CA certificate will be copied to each host in the PCG cluster during deployment. The provided path will be used on the PCG cluster hosts. Example: `/usr/local/share/ca-certificates/ca.crt`.|
+ |**Pod CIDR**|Enter the CIDR pool IP that will be used to assign IP addresses to pods in the EC cluster. The pod IP addresses should be unique and not overlap with any machine IPs in the environment.|
+ |**Service IP Range**|Enter the IP address range that will be used to assign IP addresses to services in the EC cluster. The service IP addresses should be unique and not overlap with any machine IPs in the environment.|
+
+
+
+
+9. Select the OCI registry type and provide the configuration values. Review the following table for more information.
+
+
+
+ #### Pack & Image Registry Configuration
+
+ | **Parameter** | **Description** |
+ |---------------------------|-----------------------------------------|
+ | **Registry Type** | Specify the type of registry. Allowed values are `OCI` or `OCI ECR`. |
+ | **Registry Name** | Enter the name of the registry. |
+ | **Registry Endpoint** | Enter the registry endpoint. |
+ | **Registry Base Path** | Enter the registry base path. |
+ |**Allow Insecure Connection** | Bypasses x509 verification. Type `Y` if using a vSphere instance with self-signed Transport Layer Security (TLS) certificates. Otherwise, type `n`.|
+ | **Registry Username** or **Registry Access Key** | Enter the registry username or the access key if using `OCI ECR`. |
+ | **Registry Password** or **Registry Secret Key** | Enter the registry password or the secret key if using `OCI ECR`. |
+ | **Registry Region** | Enter the registry region. This option is only available if you are using `OCI ECR`. |
+ | **ECR Registry Private** | Type `y` if the registry is private. Otherwise, type `n`. |
+ | **Use Public Registry for Images** | Type `y` to use a public registry for images. Type `n` to a different registry for images. If you are using another registry for images, you will be prompted to enter the registry URL, base path, username, and password. |
+
+
+
+10. Next, specify the database storage size to allocate for Palette. The default is 20 GB. Refer to the [size guidelines](on-prem-system-requirements.md#system-requirements) for additional information.
+
+
+
+11. The next set of prompts is for the VMware vSphere account information. Enter the information listed in the following table.
+
+
+
+ #### VMware vSphere Account Information
+
+ |**Parameter** | **Description**|
+ |-----------------------------------------|----------------|
+ |**vSphere Endpoint** | VMware vSphere endpoint. Must be a fully qualified domain name (FQDN) or IP address without a scheme - that is, without an IP protocol, such as `https://`. Example: `vcenter.mycompany.com`.|
+ |**vSphere Username** | VMware vSphere account username.|
+ |**vSphere Password**| VMware vSphere account password.|
+ |**Allow Insecure Connection** | Bypasses x509 verification. Type `Y` if using a VMware vSphere instance with self-signed Transport Layer Security (TLS) certificates. Otherwise, type `n`.|
+
+
+
+ #### VMware vSphere Cluster Configuration
+
+ This information determines where Palette will be deployed in your VMware vSphere environment. The Palette CLI will use the provided VMware credentials to retrieve information from your VMware vSphere environment and present options for you to select from.
+
+
+
+ |**Parameter** | **Description**|
+ |-----------------------------------------|----------------|
+ |**Datacenter**| The installer retrieves the Datacenter automatically. |
+ |**Folder** | Select the folder that contains the VM instance. |
+ | **Cluster** | Select the cluster where you want to deploy Palette. |
+ | **Network** | Select the network where you want to deploy Palette. |
+ | **Resource Pool** | Select the resource pool where you want to deploy Palette. |
+ | **Datastore** | Select the datastore where you want to deploy Palette. |
+ |**Fault Domains** | Configure one or more fault domains by selecting values for these properties: Cluster, Network (with network connectivity), Resource Pool, and Storage Type (Datastore or VM Storage Policy). Note that when configuring the Network, if you are using a distributed switch, choose the network that contains the switch. |
+ |**NTP Servers** | You can provide a list of Network Time Protocol (NTP) servers. |
+ |**SSH Public Keys** | Provide any public SSH keys to access your Palette VMs. This option opens up your system's default text editor. Vi is the default text editor for most Linux distributions. To review basic vi commands, check out the [vi Commands](https://www.cs.colostate.edu/helpdocs/vi.html) reference. |
+
+
+12. Specify the IP pool configuration. The placement type can be Static or Dynamic Domain Name Server (DDNS). Choosing static placement creates an IP pool from which VMs are assigned IP addresses. Choosing DDNS assigns IP addresses using DNS.
+
+
+
+ #### Static Placement Configuration
+ | **Parameter** | **Description** |
+ |---------------------------|-----------------------------------------|
+ | **IP Start range** | Enter the first address in the EC IP pool range. |
+ | **IP End range** | Enter the last address in the EC IP pool range. |
+ | **Network Prefix** | Enter the network prefix for the IP pool range. Valid values are in [0, 32]. Example: `18`. |
+ | **Gateway IP Address** | Enter the IP address of the static IP gateway. |
+ | **Name servers** | Comma-separated list of DNS name server IP addresses. |
+ | **Name server search suffixes** | An optional comma-separated list of DNS search domains. |
+
+
+
+
+
+13. The last set of prompts is for the vSphere machine configuration. Enter the information listed in the following table.
+
+
+
+ #### vSphere Machine Configuration
+
+ |**Parameter** | **Description**|
+ |-----------------------------------------|----------------|
+ | **Number of CPUs** | The number of CPUs allocated to each VM node instance.|
+ | **Memory** | The amount of memory allocated to each VM node instance.|
+ | **Disk Size** | The size of the disk allocated to each VM node instance.|
+
+
+
+
+
+ The installation process stands up a [kind](https://kind.sigs.k8s.io/) cluster locally that will orchestrate the remainder of the installation. The installation takes some time.
+
+
+
+ Upon completion, the enterprise cluster configuration file named `ec.yaml` contains the information you provided, and its location is displayed in the terminal. Credentials and tokens are encrypted in the YAML file.
+
+
+
+ ```bash hideClipboard
+ ==== Enterprise Cluster config saved ====
+ Location: :/home/spectro/.palette/ec/ec-20230706150945/ec.yaml
+ ```
+
+
+
+ When the installation is complete, Enterprise Cluster Details that include a URL and default credentials are displayed in the terminal. You will use these to access the Palette system console.
+
+
+
+ ```bash hideClipboard
+ ====================================
+ ==== Enterprise Cluster Details ====
+ ====================================
+ Console URL: https://10.10.189.100/system
+ Username: **********
+ Password: **********
+ ```
+
+
+14. Copy the URL to the browser to access the system console. You will be prompted to reset the password.
+
+
+
+ :::info
+
+ The first time you visit the Palette system console, a warning message about an untrusted SSL certificate may appear. This is expected, as you have not yet uploaded your SSL certificate to Palette. You can ignore this warning message and proceed.
+
+ :::
+
+
+
+ ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.png)
+
+
+
+
+15. Log in to the system console using the credentials provided in the Enterprise Cluster Details output. After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to the Palette system console.
+
+
+16. After login, a Summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority files to Palette. You can upload the files using the Palette system console. Refer to the [Configure HTTPS Encryption](/vertex/system-management/ssl-certificate-management) page for instructions on how to upload the SSL certificate files to Palette.
+
+
+17. The last step is to start setting up a tenant. To learn how to create a tenant, check out the [Tenant Management](../vertex/system-management/tenant-management.md) guide.
+
+
+
+ ![Screenshot of the Summary page showing where to click Go to Tenant Management button.](/palette_installation_install-on-vmware_goto-tenant-management.png)
+
+
+### Validate
+
+You can verify the installation is successful if you can access the system console using the IP address provided in Enterprise Cluster Details and if the Summary page displays the **Go to Tenant Management** button.
+
+You can also validate that a three-node Kubernetes cluster is launched and Palette is deployed on it.
+
+
+
+1. Log in to the vCenter Server by using vSphere Client.
+
+
+2. Navigate to the Datacenter and locate your VM instance.
+
+
+3. Select the VM to access its details page, and verify three nodes are listed.
+
+
+4. Open a web browser session, and use the IP address provided in Enterprise Cluster Details at the completion of the installation to connect to the Palette system console. Copy the IP address to the address bar and append `/system`.
+
+
+5. Log in using your credentials.
+
+
+6. A **Summary** page will be displayed that contains a tile with a **Go to Tenant Management** button. After initial installation, the **Summary** page shows there are zero tenants.
+
+
+
+
+## Install With OVA
+
+### Enterprise Mode
+
+The Palette Enterprise Mode is a multi-node, highly-available installation of the Palette platform suitable for production purposes. Installation involves instantiating the on-prem platform installer VM and invoking the "Enterprise Cluster Migration" wizard. Please follow [these](deploying-the-platform-installer.md) steps to deploy the installer VM and observe the [monitoring console](deploying-the-platform-installer.md#monitor-installation) to ensure installation is successful. After a successful installation of the platform installer, proceed to enterprise cluster migration.
+
+
+
+:::info
+
+Deployment of an enterprise cluster is a migration process from the quick start mode. You may choose to deploy the enterprise cluster on day 1 right after instantiating the platform installer VM, or use the system in the quick start mode initially and at a later point invoke the enterprise cluster migration wizard to deploy the enterprise cluster. All the data from the quick start mode is migrated to the enterprise cluster as part of this migration process.
+
+:::
+
+
+
+1. Open the On-Prem system console from a browser window by navigating to https://<VM IP Address>/system and log in.
+
+
+2. Navigate to the Enterprise Cluster Migration wizard from the menu on the left-hand side.
+
+
+3. Enter the vCenter credentials to be used to launch the enterprise cluster. Provide the vCenter server, username, and password. Check the `Use self-signed certificates` if applicable. Validate your credentials and click on `Next` button to proceed to IP Pool Configuration.
+
+
+4. Enter the IPs to be used for Enterprise Cluster VMs as a `Range` or a `Subnet`. At least 5 IP addresses should be required in the range for the installation and the ongoing management. Provide the details of the `Gateway` and the `Nameserver addresses`. Any search suffixes being used can be entered in the `Nameserver search suffix` box. Click on `Next` to proceed to Cloud Settings.
+
+
+5. Select the datacenter and the folder to be used for the enterprise cluster VMs. Select the desired compute cluster, resource pools, datastore, and network. For high availability purposes, you may choose to distribute the three VMs across multiple compute clusters. If this is desired, invoke the "Add Domain" option to enter multiple sets of properties.
+
+
+6. Add SSH Public key and optionally NTP servers and click "Confirm".
+
+
+7. 
The Enterprise cluster deployment will proceed through the following three steps:
+ * Deployment - A 3 node Kubernetes cluster is launched and Palette Platform is deployed on it. This typically takes 10 mins.
+ * Data Migration - Data from the installer VM is migrated to the newly created enterprise cluster.
+ * Tenant Migration - If any tenants were created prior to the enterprise cluster migration, which would typically be the case if the system was used in the quick start mode initially, all those tenants, as well as the management of any such tenant clusters previously deployed, will be migrated to the enterprise cluster.
+
+
+8. Once Enterprise Cluster is fully deployed, the On-Prem System and Management Console should be accessed on this new cluster. The platform installer VM can be safely powered off at this point.
+
+
+
+
+
+
+ ## Resources
+
+ - [Palette CLI](../palette-cli/install-palette-cli.md#download-and-setup)
+
+
+ - [Airgap Install Instructions](air-gap-repo.md)
\ No newline at end of file
diff --git a/docs/docs-content/enterprise-version-bkup/deploying-palette-with-helm.md b/docs/docs-content/enterprise-version-bkup/deploying-palette-with-helm.md
new file mode 100644
index 0000000000..f8f210a724
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/deploying-palette-with-helm.md
@@ -0,0 +1,669 @@
+---
+sidebar_label: "Install using Helm Chart"
+title: "Install using Helm Chart"
+description: "Learn how to deploy self-hosted Palette to a Kubernetes cluster using a Helm Chart."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 30
+tags: ["self-hosted", "enterprise"]
+---
+
+
+You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your production environment.
+
+This installation method is common in secure environments with restricted network access that prohibits using Palette SaaS. Review our [architecture diagrams](../architecture/networking-ports.md) to ensure your Kubernetes cluster has the necessary network connectivity for Palette to operate successfully.
+
+
+Depending on what version of Palette you are using, the available parameters will be different. Select the tab below that corresponds to the version of Palette you are using.
+
+
+
+
+
+
+## Prerequisites
+
+- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available.
+
+
+- [Helm](https://helm.sh/docs/intro/install/) is installed and available.
+
+
+- Access to the target Kubernetes cluster's kubeconfig file. You must be able to interact with the cluster using `kubectl` commands and have sufficient permissions to install Palette. We recommend using a role with cluster-admin permissions to install Palette.
+
+
+- The Kubernetes cluster must be set up on a supported version of Kubernetes, which includes versions v1.25 to v1.27.
+
+
+
+- Ensure the Kubernetes cluster does not have Cert Manager installed. Palette requires a unique Cert Manager configuration to be installed as part of the installation process. If Cert Manager is already installed, you must uninstall it before installing Palette.
+
+
+- The Kubernetes cluster must have a Container Storage Interface (CSI) installed and configured. Palette requires a CSI to store persistent data. You may install any CSI that is compatible with your Kubernetes cluster.
+
+
+
+- We recommended the following resources for Palette. Refer to the [Palette size guidelines](on-prem-system-requirements.md#system-requirements) for additional sizing information.
+
+ - 8 CPUs per node.
+
+ - 16 GB Memory per node.
+
+ - 100 GB Disk Space per node.
+
+ - A Container Storage Interface (CSI) for persistent data.
+
+ - A minimum of three worker nodes or three untainted control plane nodes.
+
+
+- The following network ports must be accessible for Palette to operate successfully.
+
+ - TCP/443: Inbound and outbound to and from the Palette management cluster.
+
+ - TCP/6443: Outbound traffic from the Palette management cluster to the deployed clusters' Kubernetes API server.
+
+
+- Ensure you have an SSL certificate that matches the domain name you will assign to Palette. You will need this to enable HTTPS encryption for Palette. 
Reach out to your network administrator or security team to obtain the SSL certificate. You need the following files:
+
+ - x509 SSL certificate file in base64 format.
+
+ - x509 SSL certificate key file in base64 format.
+
+ - x509 SSL certificate authority file in base64 format.
+
+
+- Ensure the OS and Kubernetes cluster you are installing Palette onto is FIPS-compliant. Otherwise, Palette and its operations will not be FIPS-compliant.
+
+
+- A custom domain and the ability to update Domain Name System (DNS) records. You will need this to enable HTTPS encryption for Palette.
+
+
+- Access to the Palette Helm Charts. Refer to the [Access Palette](enterprise-version.md#download-palette-installer) for instructions on how to request access to the Helm Chart
+
+
+
+
+:::caution
+
+Do not use a Palette-managed Kubernetes cluster when installing Palette. Palette-managed clusters contain the Palette agent and Palette-created Kubernetes resources that will interfere with the installation of Palette.
+
+:::
+
+
+## Install Palette
+
+Use the following steps to install Palette on Kubernetes.
+
+
+:::info
+
+The following instructions are written agnostic to the Kubernetes distribution you are using. Depending on the underlying infrastructure provider and your Kubernetes distribution, you may need to modify the instructions to match your environment. Reach out to our support team if you need assistance.
+
+:::
+
+
+1. Open a terminal session and navigate to the directory where you downloaded the Palette Helm Charts provided by our support. We recommend you place all the downloaded files into the same directory. You should have the following Helm Charts:
+
+ - Spectro Management Plane Helm Chart.
+
+ - Cert Manager Helm Chart.
+
+
+2. Extract each Helm Chart into its directory. Use the commands below as a reference. Do this for all the provided Helm Charts.
+
+
+
+ ```shell
+ tar xzvf spectro-mgmt-plane-*.tgz
+ ```
+
+
+
+ ```yaml
+ tar xzvf cert-manager-*.tgz
+ ```
+
+
+3. Install Cert Manager using the following command. Replace the actual file name of the Cert Manager Helm Chart with the one you downloaded, as the version number may be different.
+
+
+
+ ```shell
+ helm upgrade --values cert-manager/values.yaml cert-manager cert-manager-1.11.0.tgz --install
+ ```
+
+
+
+ :::info
+
+ The Cert Manager Helm Chart provided by our support team is configured for Palette. Do not modify the **values.yaml** file unless instructed to do so by our support team.
+
+ :::
+
+
+4. Open the **values.yaml** in the **spectro-mgmt-plane** folder with a text editor of your choice. The **values.yaml** contains the default values for the Palette installation parameters, however, you must populate the following parameters before installing Palette.
+
+
+
+ | **Parameter** | **Description** | **Type** |
+ | --- | --- | --- |
+ | `env.rootDomain` | The URL name or IP address you will use for the Palette installation. | string |
+ | `ociPackRegistry` or `ociPackEcrRegistry` | The OCI registry credentials for Palette FIPS packs.| object |
+ | `scar` | The Spectro Cloud Artifact Repository (SCAR) credentials for Palette FIPS images. These credentials are provided by our support team. | object |
+
+
+ Save the **values.yaml** file after you have populated the required parameters mentioned in the table.
+
+
+
+ :::info
+
+ You can learn more about the parameters in the **values.yaml** file in the [Helm Configuration Reference](deploying-palette-with-helm.md) page.
+
+ :::
+
+
+
+5. Install the Palette Helm Chart using the following command.
+
+
+
+ ```shell
+ helm upgrade --values spectro-mgmt-plane/values.yaml hubble spectro-mgmt-plane-0.0.0.tgz --install
+ ```
+
+
+6. Track the installation process using the command below. Palette is ready when the deployments in the namespaces `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` reach the *Ready* state. The installation takes between two to three minutes to complete.
+
+
+
+ ```shell
+ kubectl get pods --all-namespaces --watch
+ ```
+
+
+7. Create a DNS CNAME record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the following command to retrieve the load balancer IP address. You may require the assistance of your network administrator to create the DNS record.
+
+
+
+ ```shell
+ kubectl get service ingress-nginx-controller --namespace ingress-nginx --output jsonpath='{.status.loadBalancer.ingress[0].hostname}'
+ ```
+
+
+
+ :::info
+
+ As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For example, if you create a tenant named `tenant1` and the domain name you assigned to Palette is `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. You can create an additional wildcard DNS record to map all tenant URLs to the Palette load balancer.
+
+ :::
+
+
+8. Use the custom domain name or the IP address of the load balancer to visit the Palette system console. To access the system console, open a web browser and paste the custom domain URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer. Alternatively, you can use the load balancer IP address with the appended value `/system` to access the system console.
+
+
+
+ :::info
+
+ The first time you visit the Palette system console, a warning message about an untrusted SSL certificate may appear. This is expected, as you have not yet uploaded your SSL certificate to Palette. You can ignore this warning message and proceed.
+
+ :::
+
+
+
+ ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.png)
+
+
+9. Log in to the system console using the following default credentials.
+
+
+
+ | **Parameter** | **Value** |
+ | --- | --- |
+ | Username | `admin` |
+ | Password | `admin` |
+
+
+
+ After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to the Palette system console.
+
+
+
+10. After login, a summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority files to Palette. You can upload the files using the Palette system console. Refer to the [Configure HTTPS Encryption](../vertex/system-management/ssl-certificate-management.md) page for instructions on how to upload the SSL certificate files to Palette.
+
+
+
+
+:::caution
+
+If you plan to deploy host clusters into different networks, you may require a reverse proxy. Check out the [Configure Reverse Proxy](reverse-proxy.md) guide for instructions on how to configure a reverse proxy for Palette VerteX.
+
+:::
+
+
+You now have a self-hosted instance of Palette installed in a Kubernetes cluster. Make sure you retain the **values.yaml** file as you may need it for future upgrades.
+
+
+## Validate
+
+Use the following steps to validate the Palette installation.
+
+
+
+
+1. Open up a web browser and navigate to the Palette system console. To access the system console, open a web browser and paste the following URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer.
+
+
+
+2. Log in using the credentials you received from our support team. After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to the Palette system console.
+
+
+3. Open a terminal session and issue the following command to verify the Palette installation. The command should return a list of deployments in the `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` namespaces.
+
+
+
+ ```shell
+ kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \
+ | grep -E '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s'
+ ```
+
+ Your output should look similar to the following.
+
+ ```shell hideClipboard
+ cp-system spectro-cp-ui-689984f88d-54wsw Running
+ hubble-system auth-85b748cbf4-6drkn Running
+ hubble-system auth-85b748cbf4-dwhw2 Running
+ hubble-system cloud-fb74b8558-lqjq5 Running
+ hubble-system cloud-fb74b8558-zkfp5 Running
+ hubble-system configserver-685fcc5b6d-t8f8h Running
+ hubble-system event-68568f54c7-jzx5t Running
+ hubble-system event-68568f54c7-w9rnh Running
+ hubble-system foreq-6b689f54fb-vxjts Running
+ hubble-system hashboard-897bc9884-pxpvn Running
+ hubble-system hashboard-897bc9884-rmn69 Running
+ hubble-system hutil-6d7c478c96-td8q4 Running
+ hubble-system hutil-6d7c478c96-zjhk4 Running
+ hubble-system mgmt-85dbf6bf9c-jbggc Running
+ hubble-system mongo-0 Running
+ hubble-system mongo-1 Running
+ hubble-system mongo-2 Running
+ hubble-system msgbroker-6c9b9fbf8b-mcsn5 Running
+ hubble-system oci-proxy-7789cf9bd8-qcjkl Running
+ hubble-system packsync-28205220-bmzcg Succeeded
+ hubble-system spectrocluster-6c57f5775d-dcm2q Running
+ hubble-system spectrocluster-6c57f5775d-gmdt2 Running
+ hubble-system spectrocluster-6c57f5775d-sxks5 Running
+ hubble-system system-686d77b947-8949z Running
+ hubble-system system-686d77b947-cgzx6 Running
+ hubble-system timeseries-7865bc9c56-5q87l Running
+ hubble-system timeseries-7865bc9c56-scncb Running
+ hubble-system timeseries-7865bc9c56-sxmgb Running
+ hubble-system user-5c9f6c6f4b-9dgqz Running
+ hubble-system user-5c9f6c6f4b-hxkj6 Running
+ ingress-nginx ingress-nginx-controller-2txsv Running
+ ingress-nginx ingress-nginx-controller-55pk2 Running
+ ingress-nginx ingress-nginx-controller-gmps9 Running
+ jet-system jet-6599b9856d-t9mr4 Running
+ ui-system spectro-ui-76ffdf67fb-rkgx8 Running
+ 
```
+
+
+## Next Steps
+
+You have successfully installed Palette in a Kubernetes cluster. Your next steps are to configure Palette for your organization. Start by creating the first tenant to host your users. Use the [Create a Tenant](../vertex/system-management/tenant-management.md#create-a-tenant) page for instructions on how to create a tenant.
+
+
+
+
+
+
+
+## Prerequisites
+
+- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed.
+
+
+- Configure a Container Storage Interface (CSI) for persistent data.
+
+
+- Have at least three worker nodes or three untainted control plane nodes.
+
+
+- [Cert Manager](https://cert-manager.io/docs) v1.11.0 or greater installed in the Kubernetes cluster. Use the official Cert Manager [installation guide](https://cert-manager.io/docs/installation/) for additional guidance.
+
+
+
+- Allocate a minimum of 4 CPUs and 12 GB of Memory per node.
+
+
+- A custom domain and the ability to update Domain Name System (DNS) records.
+
+
+
+- Access to the Palette Helm Chart. Contact support@spectrocloud.com to gain access to the Helm Chart.
+
+
+- For AWS EKS, ensure you have the [AWS CLI](https://aws.amazon.com/cli/) and the [kubectl CLI](https://github.com/weaveworks/eksctl#installation) installed.
+
+
+
+:::caution
+
+Palette cannot manage the cluster that it is installed onto due to component conflicts. Consider using a managed Kubernetes service to minimize management overhead. The Palette Helm Chart is not tied to any particular managed Kubernetes service.
+
+
+:::
+
+
+## Install Palette
+
+Choose the installation steps for your target environment. The steps in the generic tab apply to all Kubernetes clusters. Steps in other tabs have instructions explicitly tailored to the target environment.
+
+
+
+
+
+
+
+1. Download the kubeconfig file for the Kubernetes cluster where you will deploy Palette. Ensure you can interact with the target cluster. You can validate by issuing a `kubectl` command.
+
+
+
+ ```shell
+ kubectl get pods -A
+ ```
+
+
+2. Extract the **values.yaml** from the Helm Chart with the following command:
+
+
+
+ ```shell
+ tar xzvf /path/to/chart.tgz spectro-mgmt-plane/values.yaml
+ ```
+
+
+3. Review the **values.yaml** . You must populate the `env.rootDomain` parameter to the domain you will use for the installation. All other parameter values are optional, and you can reset or change them with a Helm upgrade operation.
+
+
+
+ :::caution
+
+ Do not use a wildcard in the root domain value for the `env.rootDomain` parameter. Use a complete domain name when assigning a root domain name value.
+
+ :::
+
+
+4. Install the Helm Chart using the following command. Replace the path in the command to match your local path of the Palette Helm Chart.
+
+
+
+ ```shell
+ helm install palette /path/to/chart.tgz -f /path/to/values.yaml
+ ```
+
+
+5. Monitor the deployment using the command below. Palette is ready when the deployments in namespaces `cp-system`, `hubble-system`, `jet-system` , and `ui-system` reach the *Ready* state.
+
+
+
+ ```shell
+ kubectl get pods --all-namespaces --watch
+ ```
+
+6. Create a DNS record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the following command to retrieve the load balancer IP address.
+
+
+
+ ```shell
+ kubectl get service ingress-nginx-controller --namespace nginx --output jsonpath='{.status.loadBalancer.ingress[0].hostname}'
+ ```
+
+You now have a self-hosted instance of Palette installed in a Kubernetes cluster. Make sure you retain the **values.yaml** file as you will need it for future upgrades.
+
+
+
+
+
+
+
+1. Ensure the AWS CLI is configured with your credentials. You can use the following command to configure your credentials. Refer to the [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) guide for additional help.
+
+
+
+ ```shell
+ aws configure
+ ```
+
+2. Next, create an EKS cluster.
+
+
+
+ ```shell
+ eksctl create cluster \
+ --name palette-selfhost \
+ --node-type m5.xlarge \
+ --nodes 3 \
+ --nodes-min 3 \
+ --nodes-max 4 \
+ --region eu-west-2 \
+ --kubeconfig ~/Downloads/palette-selfhost.kubeconfig
+ ```
+
+ Change `--region` and `--nodes` as required. You can also change the instance size.
+
+ Note that the [minimum instance requirement](https://aws.amazon.com/ec2/instance-types/) is three nodes with a least 4 CPUs and 12 GB of Memory per node.
+
+
+3. When the cluster is available, go ahead and configure the OpenID Connect (OIDC) for the cluster to use Palette as the Identity Provider (IDP).
+
+
+
+ ```shell
+ eksctl utils associate-iam-oidc-provider --cluster=palette-selfhost --approve
+ ```
+
+4. Next, add the EBS Container Storage Interface (CSI) driver IAM role. Replace the `` with your AWS account ID.
+
+
+
+ ```shell
+ eksctl create addon --name aws-ebs-csi-driver \
+ --cluster palette-selfhost \
+ --service-account-role-arn arn:aws:iam:::role/AmazonEKS_EBS_CSI_DriverRole \
+ --force
+ ```
+
+5. Log in to the [AWS console](https://console.aws.amazon.com) and navigate to the EKS Dashboard.
+
+
+
+6. Select the **palette-selfhost** cluster to access its details page.
+
+
+
+7. From the cluster details page, click on **Compute** > **Node Group**. Next, click on **Node IAM role ARN link**.
+
+ ![A view of the cluster details page with the Node IAM role ARN highlighted](/enterprise-version_deploying-palette-with-helm_aws-iam-role.png)
+
+
+8. From the **Permissions** tab, click on the **Add Permissions** button, and select **Attach Policies**.
+
+
+9. Search for the **AmazonEBSCSIDriverPolicy** policy and add it to the role.
+
+
+
+ :::info
+
+ You can find additional guidance about Amazon EBS CSI drivers and requirements by reviewing the [EBS User Guide](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html) and the [Manage EBS with EKS](https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/managing-ebs-csi.md) guide.
+
+ :::
+
+10. Extract the Helm Chart files from the compressed asset we provided to you. Replace the file path and version placeholder as needed.
+
+
+
+ ```shell
+ tar xzvf path/to-file/spectro-mgmt-helm-charts-X.X.tar.gz
+ ```
+
+11. Navigate to the **spectro-mgmt-helm-charts-X.X** folder.
+
+
+ + ```shell + cd spectro-mgmt-helm-charts-X.X + ``` + +12. Review the **values.yaml** . You must populate the `env.rootDomain` parameter to the domain you will use for the installation. In addition, add the same `rootDomain` with port `:4222` to the `natsUrl` in the `nats` section of the YAML. Example: `env.rootDomain: my-domain.com:4222`. All other parameter values are optional, and you can reset or change them with the Palette API. + +
+ + :::caution + + Do not use a wildcard in the root domain value for the `env.rootDomain` parameter. Use a complete domain name when assigning a root domain name value. + + ::: + + 13. If you wish to use [AWS ACM for SSL Certs](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html), instead of the default self-signed certificate that the Nginx *ingress controller* generates, you can add it to the `annotations` under `ingress`. + +
+ + ```yaml + ingress: + ingress: + # Whether to front NGINX Ingress Controller with a cloud + # load balancer (internal == false) or use host network + internal: false + + # Default SSL certificate and key for NGINX Ingress Controller (Optional) + # A wildcard cert for config.env.rootDomain, e.g., *.myfirstpalette.spectrocloud.com + # If left blank, the NGINX ingress controller will generate a self-signed cert (when terminating TLS upstream of ingress-nginx-controller) + # certificate: "" + # key: "" + + annotations: + # AWS example + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "" + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + ingressStaticIP: "" + # Used to terminate HTTPS traffic at the load balancer versus passing through the load balancer. This parameter is available in Palette 3.3 or greater. + terminateHTTPSAtLoadBalancer: true + ``` + + 14. Download the kubeconfig file for the EKS cluster. Ensure you can interact with the target cluster. You can validate by issuing a `kubectl` command. For additional guidance, refer to the [kubeconfig file for an Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/create-kubeconfig.html) guide. + + + +15. Install the Helm Chart using the following command. Replace the path in the command to match your local path of the Palette Helm Chart. + +
+ + ```shell + helm install palette /path/to/chart.tgz -f /path/to/values.yaml + ``` + +16. Monitor the deployment using the command below. Palette is ready when the deployments in namespaces `cp-system`, `hubble-system`, `jet-system` , and `ui-system` reach the *Ready* state. + +
+ + ```shell + kubectl get pods --all-namespaces --watch + ``` + +17. Create a DNS record mapped to the load balancer created by the Palette service `ingress-nginx-controller` . You can use the following command to retrieve the load balancer IP address. + +
+ + ```shell + kubectl get service ingress-nginx-controller --namespace nginx --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' + ``` + +You now have a self-hosted instance of Palette installed in a Kubernetes cluster. Make sure you retain the **values.yaml** file as you will need it for future upgrades. + +
+ +
+ + +
+ +# Validate + +You can validate that the installation of Palette is successful by visiting the custom domain you assigned to the +`env.rootDomain` parameter in the **values.yaml**. + +
+ + +:::caution + +If you notice that the pods in the `hubble-system` namespace are not initializing as expected, it might be due to a delay in adding the DNS records for the rootDomain. The workaround is to terminate all pods except the pods related to `mongo-db` in the `hubble-system` namespace to trigger a redeployment of the pods. + +
+ + ```shell + kubectl delete pods --namespace hubble-system --selector=role!=mongo + ``` + +::: + + +## Upgrade Palette + + + +To upgrade Palette with a new Helm release, use the following steps.

+
+1. Download the new version of the Helm Chart.
+
+
+
+2. Extract the new **values.yaml** file from the Helm Chart with the following command:
+
+
+
+ ```shell
+ tar xzvf /path/to/chart.tgz spectro-mgmt-plane/values.yaml
+ ```
+
+
+3. Compare the new **values.yaml** against the original **values.yaml** you used for the initial Palette installation. Address any new parameters added to the values file.
+
+
+
+
+4. Issue the following command to upgrade Palette. Use the same **values.yaml** file you used for the Palette installation.
+
+
+
+ ```shell
+ helm upgrade palette /path/to/chart.tgz --file /path/to/orginal_values.yaml
+ ```
+
+
+### Post-Install Configuration Values
+
+The values you specified in the **values.yaml** file all fall under the parameter section `values.config` and are stored in the `configserver-cm` ConfigMap.
+
+After the installation, if you need to change any configuration values under `values.config` in the **values.yaml** file, you must use the Palette API.
+When you use the `helm upgrade` command, internal system configurations stored in the Kubernetes ConfigMap `configserver-cm` will display as updated, but Palette will not apply the new values. Palette only accepts changes to these configuration values if they are submitted via API.
+
+If you find yourself in this scenario, contact our support team by emailing us at support@spectrocloud.com for additional guidance.
+
+
+
+## Next Steps
+
+Start exploring the Palette system dashboard so that you become familiar with the available actions you can take as an administrator. Check out the [System Console Dashboard](system-console-dashboard.md) resource to learn more.
+
+
+
+
+
+
\ No newline at end of file
diff --git a/docs/docs-content/enterprise-version-bkup/deploying-the-platform-installer.md b/docs/docs-content/enterprise-version-bkup/deploying-the-platform-installer.md
new file mode 100644
index 0000000000..6b9fe8faa0
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/deploying-the-platform-installer.md
@@ -0,0 +1,90 @@
+---
+sidebar_label: "Install Using Quick-Start Mode"
+title: "VMware Quick Start Installatio"
+description: "Learn how to install self-hosted Palette by deploying a single node instance."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 10
+tags: ["self-hosted", "enterprise"]
+---
+
+
+The Palette On-Prem Quick Start Mode is a single node installation of the Palette platform, used for PoC environments to quickly understand the capabilities of the Palette platform. We do not recommended for Production deployments as it does not provide high availability or scalability.
+
+As a prerequisite, download the platform installer OVA using the link}>Please contact us to receive download instructions. provided, and upload it into vCenter.
+
+
+:::caution
+
+
+Starting with Palette 4.0.0, the Palette CLI, and the Helm Chart, are the only supported methods for installing Palette. The Palette OVA installation method is only available for versions 3.4 and earlier. Refer to the [Install Enterprise Cluster](deploying-an-enterprise-cluster.md), or the [Kubernetes Install Helm Chart](deploying-palette-with-helm.md) guides for additional guidance on how to install Palette.
+
+:::
+
+## Deploy Platform Installer
+
+1. Log in to the vSphere console and navigate to VMs and Templates.
+2. Navigate to the Datacenter and folder you would like to use for the installation.
+3. Right-click on the folder and invoke the VM creation wizard by selecting the option to Deploy OVF Template.
+4. Complete all the steps of the OVF deployment wizard. Provide values for various fields as follows:
+ * URL: <Location of the platform installer>
+ * Virtual Machine Name: <vm name>
+ * Folder: <Select desired folder>
+ * Select the desired Datacenter, Storage, and Network for the platform installer VM as you proceed through the next steps. The Platform installer VM requires an outgoing internet connection. Select a network that provides this access directly, or via a proxy.
+ * Customize the template as follows:
+ * Name: <The name to identify the platform installer>
+ * SSH Public Keys: Create a new SSH key pair (or pick an existing one). Enter the public key in this field. The public key will be installed in the installer VM to provide SSH access, as the user `ubuntu`. This is useful for troubleshooting purposes.
+ * Monitoring Console Password: A monitoring console is deployed in the platform installer VM to provide detailed information about the installation progress as well as to provide access to various logs. This console can be accessed after the VM is powered on at https://<VM IP Address>:5080. The default monitoring console credentials are:
+
+ * User Name: admin
+ * Password: admin
+
+ Provide a different password for the monitoring console if desired. Leave the field blank to accept the default password.
+ * Pod CIDR: Optional - provide an IP range exclusive to pods. This range should be different to prevent an overlap with your network CIDR. (e.g: 192.168.0.0/16)
+ * Service cluster IP range: Optional - assign an IP range in the CIDR format exclusive to the service clusters. This range also must not overlap with either the pod CIDR range or your network CIDR. (e.g: 10.96.0.0/12)
+ * Static IP Address: <VM IP Address> Optional IP address (e.g: 192.168.10.15) to be specified only if static IP allocation is desired. DHCP is used by default.
+ * Static IP subnet prefix: <Network Prefix> Static IP subnet prefix (e.g: 18), required only for static IP allocation.
+ * Static IP gateway: <Gateway IP Address> (e.g: 192.168.0.1) required only for static IP allocation.
+ * Static IP DNS: <Name servers> Comma separated DNS addresses (e.g: 8.8.8.8, 192.168.0.8), required only for static IP allocation.
+ * HTTP Proxy: <endpoint for the http proxy server>, e.g: _http://USERNAME:PASSWORD@PROXYIP:PROXYPORT_. An optional setting, required only if a proxy is used for outbound connections.
+ * HTTPS Proxy: <endpoint for the https proxy server>, e.g: _http://USERNAME:PASSWORD@PROXYIP:PROXYPORT_. An optional setting, required only if a proxy is used for outbound connections.
+ * NO Proxy: <comma-separated list of vCenter server, local network CIDR, hostnames, domain names that should be excluded from proxying>, e.g: _vcenter.company.com_,10.10.0.0/16.
+ * Spectro Cloud Repository settings: The platform installer downloads various platform artifacts from a repository. Currently, this repository is hosted by Palette and the installer VM needs to have an outgoing internet connection to the repository. Upcoming releases will enable the option to privately host a dedicated repository to avoid having to connect outside. This option is currently unavailable. Leave all the fields under Palette Repository settings blank
+ * Finish the OVF deployment wizard and wait for the template to be created. This may take a few minutes as the template is initially downloaded.
+5. Power on the VM.
+
+## Monitor Installation
+
+The platform installer contains a web application called the Supervisor, to provide detailed progress of the installation. After the VM is powered on, perform the following steps to ensure installation is completed successfully.
+
+1. Open the Supervisor application in a browser window by navigating to https://<VM IP Address>:5080.
+2. Observe the installation status in the Status tab. The page auto-refreshes to provide updated installation progress.
+3. Once the final installation step is complete, you will see URLs to navigate to the On-Prem System Console as well as the Management Console.
+ * On-Prem System Console: Initial login:admin/admin
+ * Management Console: Tenant credentials to be created and used [Configure System for First Time](#initial-configuration).
+4. Navigate to the On-Prem System Console to perform the initial configuration. Additional administration tasks like SMTP setup, certificate management, etc.
can also be performed from the On-Prem System Console.
+
+:::info
+Typically, the installation takes around 10 mins after powering on the virtual machine. If the installation fails or takes an unusually long time, please look for failure messages in the install status page, or access system logs from the "Logs" tab to get detailed information about the failure.
+:::
+
+## Initial Configuration
+
+The On-Prem System Console provides options for performing various administrative setup tasks. Most of these are optional and can be performed at any later time. To quickly start using the platform's functionality, all that is needed is to create the first tenant and activate it.
+
+1. Open the system console. You can access the system console by opening a browser window and typing in the IP address of the platform installer VM or the custom domain name if configured. Append `/system` to the URL to access the system console. Example `https://10.10.10.100/system`.
+
+2. Log in using username: 'admin' and password: 'admin'.
+
+3. Reset the default password.
+
+4. Choose "Quick Start" when prompted for a choice for the startup mode.
+
+5. Navigate to the Tenant Management section and create your first tenant.
+
+6. Copy the tenant activation link and invoke it in a browser window to activate the newly created tenant.
+
+7. Enter the desired password and proceed and login as a tenant into the Management Console.
+
+
+Next, continue to perform various tasks as desired from the management console like creating gateways, cloud accounts, cluster profiles, and launching of clusters.
diff --git a/docs/docs-content/enterprise-version-bkup/enterprise-cluster-management.md b/docs/docs-content/enterprise-version-bkup/enterprise-cluster-management.md
new file mode 100644
index 0000000000..fe243653ce
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/enterprise-cluster-management.md
@@ -0,0 +1,237 @@
+---
+sidebar_label: "Enterprise Management"
+title: "Enterprise Management"
+description: "Learn how to manage your enterprise clusters."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 60
+tags: ["self-hosted", "enterprise"]
+---
+
+
+
+Palette supports several Day-2 operations to manage the end-to-end lifecycle of the Kubernetes clusters launched through Palette On-Premises Enterprise Mode. It provides several capabilities across clusters to keep your clusters secure, compliant, up-to-date, and perform ongoing management operations like backup/restore and cluster migration across Private Cloud Gateway (PCGs).
+
+
+
+
+
+
+
+## Palette PCG Migration
+
+Palette enables PCG migration to route the traffic between PCGs to ensure uninterrupted PCG service availability. If a PCG goes unhealthy, it can be deleted after migrating the clusters launched through that PCG to another healthy PCG. This ensures that cluster operations such as deletion are carried out without interruption.
+
+## When Will You Migrate
+
+The possible conditions of PCG migration are:
+
+* Unhealthy PCG to healthy PCG
+
+
+* Healthy PCG to healthy PCG
+
+
+## How to Migrate a PCG Traffic
+
+To migrate the traffic from a PCG:
+
+
+1. Log in as **Tenant Admin** to the Palette Console.
+
+
+2. From the **Tenant Settings**, go to the **Private Cloud Gateways** tab to list all PCGs.
+
+
+3. Click the 'Kebab' menu (three-dot ellipsis) towards the PCG to be migrated to see the drop-down option of **Migrate**.
+
+
+4. Click the **Migrate** option to open the wizard to select your destination PCG.
+
+
+5. The wizard will display the drop-down list of all healthy PCGs to which traffic can be migrated. Select the PCG of your choice from the drop-down.
+
+
+6. Confirm the migration operation to get a UI confirmation of the successful migration.
+
+
+7. Once the migration is completed, the unhealthy/source PCG can be deleted successfully. Clear the residual resources manually to complete the deletion process.
+
+
+8. The **Audit Logs** gives the migration update.
+
+
+
+
+
+## Backup and Restore for Enterprise Clusters
+
+Palette provides convenient backup options to backup the Enterprise Kubernetes cluster state into object storage. It restores it at a later point in time if required to the same or a different cluster. Besides backing up Kubernetes native objects like Pods, DaemonSets, Services, etc., a snapshot of the persistent volume is taken and maintained as part of the backup. The two options of backup creation are:
+
+* FTP
+
+
+* S3
+
+FTP mode backup is sending the backup data of your enterprise cluster to a dedicated FTP server using the File Transfer Protocol (FTP).
+
+S3 buckets for backup make it trivial for everyone to use Amazon’s infrastructure for remote backups and secure cluster objects online. In addition, this feature provides the advantages of scheduling, strong encryption, compression, easy access to your backup files.
+
+### Instructions
+
+1. Log in to enterprise mode as administrator:
+
+ * https://system_IP/system
+ * Username: admin
+ * Password: custom password
+
+
+2. Select **Administration** from left panel.
+
+
+3. On the **Administration** page, select **Backup/Restore** from the top ribbon.
+
+
+4. Complete the backup configuration wizard to complete the mode of backup creation.
+
+
+5. Select the mode of backup from the two available options:
+ * FTP
+ * S3
+
+
+### FTP
+
+The following information is filled to create a backup location in FTP mode:
+
+1. Provide the ftp:// server details.
+
+
+2. The directory name for the backup storage.
+
+
+3. Username and Password to log in to the server.
+
+
+4. Scheduling details of the backup.
+ * **Interval** specifies the number of days between two consecutive backups.
+ * **Retention period** for backup in days.
+ * **Hours of the day** (UTC 0 to 23 hours) specifies the time of the specified day to take the backup.
+
+
+5. 
This configuration is saved and used for creating an FTP backup by clicking the **+Create FTP backup** button on the top-right corner of the page.
+
+
+6. The configuration can be edited as per the requirements.
+
+
+7. Delete/Restore a specific backup from the actions panel.
+
+:::info
+The saved configuration details can be used to create multiple backup locations.
+Any changes can be made to the existing configuration and saved for reuse.
+:::
+
+### S3 Backup Location
+
+:::caution
+
+An AWS S3 bucket created is a prerequisite.
+
+The following permissions need to be enabled.
+
+:::
+
+#### Permission Sets
+Ensure that the IAM user or the `root` user role created should have the following two IAM policies included:
+
+**EC2-Policy**
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:PutObject",
+ "s3:AbortMultipartUpload",
+ "s3:ListMultipartUploadParts"
+ ],
+ "Resource": [
+ ";"
+ ]
+ }
+ ]
+}
+```
+
+
+**S3-Policy**
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVolumes",
+ "ec2:DescribeSnapshots",
+ "ec2:CreateTags",
+ "ec2:CreateVolume",
+ "ec2:CreateSnapshot",
+ "ec2:DeleteSnapshot"
+ ],
+ "Resource": ""
+ }
+ ]
+}
+```
+
+The following information is needed:
+
+
+* AWS Account Access key
+
+
+* AWS Account Secret Key
+
+
+* AWS Region
+
+
+* AWS Bucket name
+
+
+* Folder name to which the backup is stored in the S3 bucket
+
+
+* Scheduling details of the backup,
+ * **Interval** specifies the number of days between two consecutive backups.
+ * **Retention period** of backup in days.
+ * **Hours of the day** (UTC 0 to 23 hours) specifies the time of the specified day to take the backup.
+
+
+* Validate the information and save the configurations.
+
+
+* The saved configuration is used for creating an S3 backup by clicking the **+Create S3 backup** button on the top-right corner of the page.
+
+
+* Once the backup is created, the details such as Backup uid, Mode, Status, Finish Time, and Actions is viewed from the console for the individual backup.
+
+
+* Delete/Restore a specific backup from the actions panel.
+
+
+:::info
+The saved configuration details can be used to create multiple backup locations. Any changes can be made to the existing configuration and saved for reuse.
+:::
+
+
+
+
+
diff --git a/docs/docs-content/enterprise-version-bkup/enterprise-version-bkup.md b/docs/docs-content/enterprise-version-bkup/enterprise-version-bkup.md
new file mode 100644
index 0000000000..3be8d81046
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/enterprise-version-bkup.md
@@ -0,0 +1,90 @@
+---
+sidebar_label: "Self-Hosted Installation"
+title: "Self-Hosted Installation"
+description: "Understanding, installing and operating Spectro Cloud's Enterprise Self-Hosted variant."
+hide_table_of_contents: false
+sidebar_custom_props:
+ icon: "cat"
+tags: ["self-hosted", "enterprise"]
+---
+
+
+Palette is available as a self-hosted platform offering. You can install the self-hosted version of Palette in your data centers or public cloud providers to manage Kubernetes clusters.
+
+
+## VMware Quick Start
+
+A single-node Palette installation that is ideal for Proof of Concept (PoC) environments. Refer to the [Quick Start Installation](deploying-the-platform-installer.md) guide for more details.
+
+## VMware Enterprise
+
+A highly available multi-node Palette installation that is typically used for production purposes. Check out the [Enterprise Mode](deploying-an-enterprise-cluster.md) guide to get started.
+
+## Kubernetes Install Helm Chart
+
+Install Palette onto a Kubernetes cluster using a Helm Chart. Review the [Helm Chart Mode](deploying-palette-with-helm.md) guide to learn more.
+
+
+## Airgap Install
+
+Palette can be installed in a VMware environment without internet access, known as an air gap installation, requiring pre-download of platform manifests, required platform packages, container images for core components, third-party dependencies, and Palette Packs, all sourced from a private rather than the default public Palette repository.
+
+## Download Palette Installer
+
+To request the Palette Self-hosted installer image, please contact our support team by sending an email to support@spectrocloud.com. Kindly provide the following information in your email:
+
+- Your full name
+- Organization name (if applicable)
+- Email address
+- Phone number (optional)
+- A brief description of your intended use for the Palette Self-host installer image.
+
+Our dedicated support team will promptly get in touch with you to provide the necessary assistance and share the installer image.
+
+If you have any questions or concerns, please feel free to contact support@spectrocloud.com.
+
+
+## Upgrade Notes
+
+Review the [Upgrade Notes](upgrade.md) before attempting to upgrade Palette.
+
+
+
+
+## Resources
+
+
+* [System Requirements](on-prem-system-requirements.md)
+
+
+* [Quick Start Mode](deploying-the-platform-installer.md)
+
+
+* [Enterprise Mode](deploying-an-enterprise-cluster.md)
+
+
+* [Helm Chart Mode](deploying-palette-with-helm.md)
+
+
+* [System Console Dashboard](system-console-dashboard.md)
+
+
+* [Creating a VMware Cloud Gateway](../clusters/data-center/vmware.md#install-pcg)
+
+
+* [Create VMware Cloud Account](../clusters/data-center/vmware.md#create-vmware-cloud-gateway)
+
+
+* [Deploy a VMware Cluster](../clusters/data-center/vmware#deploy-a-vmware-cluster)
+
+
+* [PCG Troubleshooting](../troubleshooting/pcg.md)
+
+
+* [Upgrade Notes](upgrade.md)
+
+
+
+
+
diff --git a/docs/docs-content/enterprise-version-bkup/helm-chart-install-reference.md b/docs/docs-content/enterprise-version-bkup/helm-chart-install-reference.md
new file mode 100644
index 0000000000..4e6ce5f0eb
--- /dev/null
+++ b/docs/docs-content/enterprise-version-bkup/helm-chart-install-reference.md
@@ -0,0 +1,720 @@
+---
+sidebar_label: "Helm Chart Install Reference"
+title: "Helm Chart Install References"
+description: "Reference for Palette Helm Chart installation parameters."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 40
+tags: ["self-hosted", "enterprise"]
+---
+
+
+You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your production environment. The Helm chart allows you to customize values in the **values.yaml** file. This reference lists and describes parameters available in the **values.yaml** file from the Helm Chart for your installation. To learn how to install Palette using the Helm Chart, refer to [Helm Chart Mode](deploying-palette-with-helm.md).
+
+
+Depending on what version of Palette you are using, the available parameters will be different. Select the version below that corresponds to the version of Palette you are using.
+
+- [4.0.0 or greater](#400-or-greater)
+
+- [3.4.0 or earlier](#340-or-earlier)
+
+
+
+
+
+## 4.0.0 or Greater
+
+### Required Parameters
+
+The following parameters are required for a successful installation of Palette.
+
+
+| **Parameters** | **Description** | **Type** |
+| --- | --- | --- |
+| `config.env.rootDomain` | Used to configure the domain for the Palette installation. We recommend you create a CNAME DNS record that supports multiple subdomains. You can achieve this using a wild card prefix, `*.palette.abc.com`. Review the [Environment parameters](#environment) to learn more. | String |
+| `config.env.ociRegistry` or `config.env.ociEcrRegistry`| Specifies the FIPS image registry for Palette. You can use an a self-hosted OCI registry or a public OCI registry we maintain and support. For more information, refer to the [Registry](#registries) section. | Object |
+| `scar`| The Spectro Cloud Artifact Repository (SCAR) credentials for Palette FIPS images. Our support team provides these credentials. For more information, refer to the [Registry](#registries) section. | Object |
+
+
+:::caution
+
+If you are installing an air-gapped version of Palette, you must provide the image swap configuration. For more information, refer to the [Image Swap Configuration](#image-swap-configuration) section.
+
+
+:::
+
+
+### MongoDB
+
+Palette uses MongoDB Enterprise as its internal database and supports two modes of deployment:

+
+- MongoDB Enterprise deployed and active inside the cluster.
+
+
+- MongoDB Enterprise is hosted on a software-as-a-service (SaaS) platform, such as MongoDB Atlas.
+
+The table below lists the parameters used to configure a MongoDB deployment.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `internal` | Specifies the MongoDB deployment either in-cluster or using Mongo Atlas. | Boolean | `true` |
+| `databaseUrl`| The URL for MongoDB Enterprise. If using a remote MongoDB Enterprise instance, provide the remote URL. This parameter must be updated if `mongo.internal` is set to `false`. | String | `mongo-0.mongo,mongo-1.mongo,mongo-2.mongo` |
+| `databasePassword`| The base64-encoded MongoDB Enterprise password. If you don't provide a value, a random password will be auto-generated. | String | `""` |
+| `replicas`| The number of MongoDB replicas to start. | Integer | `3` |
+| `memoryLimit`| Specifies the memory limit for each MongoDB Enterprise replica.| String | `4Gi` |
+| `cpuLimit` | Specifies the CPU limit for each MongoDB Enterprise member.| String | `2000m` |
+| `pvcSize`| The storage settings for the MongoDB Enterprise database. Use increments of `5Gi` when specifying the storage size. The storage size applies to each replica instance. The total storage size for the cluster is `replicas` * `pvcSize`. | string | `20Gi`|
+| `storageClass`| The storage class for the MongoDB Enterprise database. | String | `""` |
+
+
+```yaml
+mongo:
+ internal: true
+ databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo"
+ databasePassword: ""
+ replicas: 3
+ cpuLimit: "2000m"
+ memoryLimit: "4Gi"
+ pvcSize: "20Gi"
+ storageClass: ""
+```
+
+### Config
+
+Review the following parameters to configure Palette for your environment. The `config` section contains the following subsections:
+
+
+#### Install Mode
+
+You can install Palette in connected or air-gapped mode.
The table lists the parameters to configure the installation mode.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `installMode` | Specifies the installation mode. Allowed values are `connected` or `airgap`. Set the value to `airgap` when installing in an air-gapped environment. | String | `connected` |
+
+```yaml
+config:
+ installationMode: "connected"
+```
+
+#### SSO
+
+You can configure Palette to use Single Sign-On (SSO) for user authentication. Configure the SSO parameters to enable SSO for Palette. You can also configure different SSO providers for each tenant post-install, check out the [SAML & SSO Setup](../user-management/saml-sso/saml-sso.md) documentation for additional guidance.
+
+To configure SSO, you must provide the following parameters.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- | --- |
+| `saml.enabled` | Specifies whether to enable SSO SAML configuration by setting it to true. | Boolean | `false` |
+| `saml.acsUrlRoot` | The root URL of the Assertion Consumer Service (ACS).| String | `myfirstpalette.spectrocloud.com`|
+| `saml.acsUrlScheme` | The URL scheme of the ACS: `http` or `https`. | String | `https` |
+| `saml.audienceUrl` | The URL of the intended audience for the SAML response.| String| `https://www.spectrocloud.com` |
+| `saml.entityID` | The Entity ID of the Service Provider.| String | `https://www.spectrocloud.com`|
+| `saml.apiVersion` | Specify the SSO SAML API version to use.| String | `v1` |
+
+```yaml
+config:
+ sso:
+ saml:
+ enabled: false
+ acsUrlRoot: "myfirstpalette.spectrocloud.com"
+ acsUrlScheme: "https"
+ audienceUrl: "https://www.spectrocloud.com"
+ entityId: "https://www.spectrocloud.com"
+ apiVersion: "v1"
+```
+
+#### Email
+
+Palette uses email to send notifications to users.
The email notification is used when inviting new users to the platform, password resets, and when [webhook alerts](../clusters/cluster-management/health-alerts.md) are triggered. Use the following parameters to configure email settings for Palette.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `enabled` | Specifies whether to enable email configuration. | Boolean| `false`|
+| `emailID ` | The email address for sending mail.| String| `noreply@spectrocloud.com` |
+| `smtpServer` | Simple Mail Transfer Protocol (SMTP) server used for sending mail. | String | `smtp.gmail.com` |
+| `smtpPort` | SMTP port used for sending mail.| Integer | `587` |
+| `insecureSkipVerifyTLS` | Specifies whether to skip Transport Layer Security (TLS) verification for the SMTP connection.| Boolean | `true` |
+| `fromEmailID` | Email address of the ***From*** address.| String | `noreply@spectrocloud.com` |
+| `password` | The base64-encoded SMTP password when sending emails.| String | `""` |
+
+```yaml
+config:
+ email:
+ enabled: false
+ emailId: "noreply@spectrocloud.com"
+ smtpServer: "smtp.gmail.com"
+ smtpPort: 587
+ insecureSkipVerifyTls: true
+ fromEmailId: "noreply@spectrocloud.com"
+ password: ""
+```
+
+#### Environment
+
+The following parameters are used to configure the environment.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `env.rootDomain` | Specifies the URL name assigned to Palette Vertex. The value assigned should have a Domain Name System (DNS) CNAME record mapped to exposed IP address or the load balancer URL of the service *ingress-nginx-controller*. Optionally, if `ingress.ingressStaticIP` is provided with a value you can use same assigned static IP address as the value to this parameter.| String| `""` |
+| `env.installerMode` | Specifies the installer mode.
Do not modify the value.| String| `self-hosted` |
+| `env.installerCloud` | Specifies the cloud provider. Leave this parameter empty if you are installing a self-hosted Palette. | String | `""` |
+
+```yaml
+config:
+ env:
+ rootDomain: ""
+```
+
+
+:::caution
+
+As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For example, if you create a tenant named tenant1 and the domain name you assigned to Palette is `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. We recommend you create an additional wildcard DNS record to map all tenant URLs to the Palette load balancer. For example, `*.palette.example.com`.
+
+:::
+
+#### Cluster
+
+Use the following parameters to configure the Kubernetes cluster.
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `stableEndpointAccess` | Set to `true` if the Kubernetes cluster is deployed in a public endpoint. If the cluster is deployed in a private network through a stable private endpoint, set to `false`. | Boolean | `false` |
+
+```yaml
+config:
+ cluster:
+ stableEndpointAccess: false
+```
+
+### Registries
+
+Palette requires credentials to access the required Palette images. You can configure different types of registries for Palette to download the required images. You must configure at least one Open Container Initiative (OCI) registry for Palette. You must also provide the credentials for the Spectro Cloud Artifact Repository (SCAR) to download the required FIPS images.
+
+
+
+#### OCI Registry
+
+
+Palette requires access to an OCI registry that contains all the required FIPS packs. You can host your own OCI registry and configure Palette to reference the registry. Alternatively, you can use the public OCI registry that we provide. Refer to the [`ociPackEcrRegistry`](#oci-ecr-registry) section to learn more about the publicly available OCI registry.
+
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `ociPackRegistry.endpoint` | The endpoint URL for the registry. | String| `""` |
+| `ociPackRegistry.name` | The name of the registry. | String| `""` |
+| `ociPackRegistry.password` | The base64-encoded password for the registry. | String| `""` |
+| `ociPackRegistry.username` | The username for the registry. | String| `""` |
+| `ociPackRegistry.baseContentPath`| The base path for the registry. | String | `""` |
+| `ociPackRegistry.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the registry connection. | Boolean | `false` |
+| `ociPackRegistry.caCert` | The registry's base64-encoded certificate authority (CA) certificate. | String | `""` |
+
+
+```yaml
+config:
+ ociPackRegistry:
+ endpoint: ""
+ name: ""
+ password: ""
+ username: ""
+ baseContentPath: ""
+ insecureSkipVerify: false
+ caCert: ""
+```
+
+#### OCI ECR Registry
+
+We expose a public OCI ECR registry that you can configure Palette to reference. If you want to host your own OCI registry, refer to the [OCI Registry](#oci-registry) section.
+The OCI Elastic Container Registry (ECR) is hosted in an AWS ECR registry. Our support team provides the credentials for the OCI ECR registry.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `ociPackEcrRegistry.endpoint` | The endpoint URL for the registry. | String| `""` |
+| `ociPackEcrRegistry.name` | The name of the registry.
| String| `""` | +| `ociPackEcrRegistry.accessKey` | The base64-encoded access key for the registry. | String| `""` | +| `ociPackEcrRegistry.secretKey` | The base64-encoded secret key for the registry. | String| `""` | +| `ociPackEcrRegistry.baseContentPath`| The base path for the registry. | String | `""` | +| `ociPackEcrRegistry.isPrivate` | Specifies whether the registry is private. | Boolean | `true` | +| `ociPackEcrRegistry.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the registry connection. | Boolean | `false` | +| `ociPackEcrRegistry.caCert` | The registry's base64-encoded certificate authority (CA) certificate. | String | `""` | + +```yaml +config: + ociPackEcrRegistry: + endpoint: "" + name: "" + accessKey: "" + secretKey: "" + baseContentPath: "" + isPrivate: true + insecureSkipVerify: false + caCert: "" +``` + +#### Spectro Cloud Artifact Repository (SCAR) + +SCAR credentials are required to download the necessary FIPS manifests. Our support team provides the SCAR credentials. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `scar.endpoint` | The endpoint URL of SCAR. | String| `""` | +| `scar.username` |The username for SCAR. | String| `""` | +| `scar.password` | The base64-encoded password for the SCAR. | String| `""` | +| `scar.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the SCAR connection. | Boolean | `false` | +| `scar.caCert` | The base64-encoded certificate authority (CA) certificate for SCAR. | String | `""` | + +
+ + ```yaml + config: + scar: + endpoint: "" + username: "" + password: "" + insecureSkipVerify: false + caCert: "" + ``` + +#### Image Swap Configuration + +You can configure Palette to use image swap to download the required images. This is an advanced configuration option, and it is only required for air-gapped deployments. You must also install the Palette Image Swap Helm chart to use this option, otherwise, Palette will ignore the configuration. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `imageSwapInitImage` | The image swap init image. | String | `gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2` | +| `imageSwapImage` | The image swap image. | String | `gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2` | +| `imageSwapConfig`| The image swap configuration for specific environments. | String | `""` | +| `imageSwapConfig.isEKSCluster` | Specifies whether the cluster is an Amazon EKS cluster. Set to `false` if the Kubernetes cluster is not an EKS cluster. | Boolean | `true` | + +
+ + ```yaml + config: + imageSwapImages: + imageSwapInitImage: "gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2" + imageSwapImage: "gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2" + + imageSwapConfig: + isEKSCluster: true + ``` + +### NATS + +Palette uses [NATS](https://nats.io) and gRPC for communication between Palette components. Dual support for NATS and gRPC is available. You can enable the deployment of an additional load balancer for NATS. Host clusters deployed by Palette use the load balancer to communicate with the Palette control plane. This is an advanced configuration option and is not required for most deployments. Speak with your support representative before enabling this option. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `nats.enabled`| Specifies whether to enable the deployment of a NATS load balancer. | Boolean | `true` | +| `nats.internal`| Specifies whether to deploy a load balancer or use the host network. If this value is set to `true`, then the remaining NATS parameters are ignored. | Boolean | `true` | +| `nats.natsUrl`| The NATS URL. This can be a comma separated list of mappings for the NATS load balancer service. For example, "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222". This parameter is mandatory if `nats.internal` is set to `false`. If `nats.internal` is set to `true`, you can leave this parameter empty. | String | `""` | +| `nats.annotations`| A map of key-value pairs that specifies load balancer annotations for NATS. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification. | Object | `{}` | +| `nats.natsStaticIP`| Specify a static IP address for the NATS load balancer service. If empty, a dynamic IP address will be assigned to the load balancer. 
| String | `""` | + + +
+ + ```yaml + nats: + enabled: true + internal: true + natsUrl: "" + annotations: {} + natsStaticIP: +``` + + + + +### gRPC + +gRPC is used for communication between Palette components. You can enable the deployment of an additional load balancer for gRPC. Host clusters deployed by Palette use the load balancer to communicate with the Palette control plane. This is an advanced configuration option, and it is not required for most deployments. Speak with your support representative before enabling this option. Dual support for NATS and gRPC is available. + +If you want to use an external gRPC endpoint, you must provide a domain name for the gRPC endpoint and a valid x509 certificate. Additionally, you must provide a custom domain name for the endpoint. A CNAME DNS record must point to the IP address of the gRPC load balancer. For example, if your Palette domain name is `palette.example.com`, you could create a CNAME DNS record for `grpc.palette.example.com` that points to the IP address of the load balancer dedicated to gRPC. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `external`| Specifies whether to use an external gRPC endpoint. | Boolean | `false` | +| `endpoint`| The gRPC endpoint. | String | `""` | +| `caCertificateBase64`| The base64-encoded certificate authority (CA) certificate for the gRPC endpoint. | String | `""` | +| `serverCrtBase64`| The base64-encoded server certificate for the gRPC endpoint. | String | `""` | +| `serverKeyBase64`| The base64-encoded server key for the gRPC endpoint. | String | `""` | +| `insecureSkipVerify`| Specifies whether to skip Transport Layer Security (TLS) verification for the gRPC endpoint. | Boolean | `false` | + + + + +```yaml +grpc: + external: false + endpoint: "" + caCertificateBase64: "" + serverCrtBase64: "" + serverKeyBase64: "" + insecureSkipVerify: false +``` + +### Ingress + +Palette deploys an Nginx Ingress Controller. 
This controller is used to route traffic to the Palette control plane. You can change the default behavior and omit the deployment of an Nginx Ingress Controller. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `enabled`| Specifies whether to deploy an Nginx controller. Set to `false` if you do not want an Nginx controller deployed. | Boolean | `true` | +| `ingress.internal`| Specifies whether to deploy a load balancer or use the host network. | Boolean | `false` | +| `ingress.certificate`| Specify the base64-encoded x509 SSL certificate for the Nginx Ingress Controller. If left blank, the Nginx Ingress Controller will generate a self-signed certificate. | String | `""` | +| `ingress.key`| Specify the base64-encoded x509 SSL certificate key for the Nginx Ingress Controller. | String | `""` | +| `ingress.annotations`| A map of key-value pairs that specifies load balancer annotations for ingress. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification. | Object | `{}` | +| `ingress.ingressStaticIP`| Specify a static IP address for the ingress load balancer service. If empty, a dynamic IP address will be assigned to the load balancer. | String | `""` | +| `ingress.terminateHTTPSAtLoadBalancer`| Specifies whether to terminate HTTPS at the load balancer. | Boolean | `false` | + + +```yaml +ingress: + enabled: true + ingress: + internal: false + certificate: "" + key: "" + annotations: {} + ingressStaticIP: "" + terminateHTTPSAtLoadBalancer: false +``` + +### Spectro Proxy + +You can specify a reverse proxy server that clusters deployed through Palette can use to facilitate network connectivity to the cluster's Kubernetes API server. 
Host clusters deployed in private networks can use the [Spectro Proxy pack](../integrations/frp.md) to expose the cluster's Kubernetes API to downstream clients that are not in the same network. Check out the [Reverse Proxy](reverse-proxy.md) documentation to learn more about setting up a reverse proxy server for Palette. + + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `frps.enabled`| Specifies whether to enable the Spectro server-side proxy. | Boolean | `false` | +| `frps.frpHostURL`| The Spectro server-side proxy URL. | String | `""` | +| `frps.server.crt`| The base64-encoded server certificate for the Spectro server-side proxy. | String | `""` | +| `frps.server.key`| The base64-encoded server key for the Spectro server-side proxy. | String | `""` | +| `frps.ca.crt`| The base64-encoded certificate authority (CA) certificate for the Spectro server-side proxy. | String | `""` | + +```yaml +frps: + frps: + enabled: false + frpHostURL: "" + server: + crt: "" + key: "" + ca: + crt : "" +``` + +### UI System + +The table lists parameters to configure the Palette User Interface (UI) behavior. You can disable the UI or the Network Operations Center (NOC) UI. You can also specify the MapBox access token and style layer ID for the NOC UI. MapBox is a third-party service that provides mapping and location services. To learn more about MapBox and how to obtain an access token, refer to the [MapBox Access tokens](https://docs.mapbox.com/help/getting-started/access-tokens) guide. + + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `enabled`| Specifies whether to enable the Palette UI. | Boolean | `true` | +| `ui.nocUI.enable`| Specifies whether to enable the Palette Network Operations Center (NOC) UI. Enabling this parameter requires the `ui.nocUI.mapBoxAccessToken`. Once enabled, all cluster locations will be reported to MapBox. This feature is not FIPS compliant. 
| Boolean | `false` | +| `ui.nocUI.mapBoxAccessToken`| The MapBox access token for the Palette NOC UI. | String | `""` | +| `ui.nocUI.mapBoxStyledLayerID`| The MapBox style layer ID for the Palette NOC UI. | String | `""` | + + + +```yaml +ui-system: + enabled: true + ui: + nocUI: + enable: false + mapBoxAccessToken: "" + mapBoxStyledLayerID: "" +``` + + + + +### Reach System + +You can configure Palette to use a proxy server to access the internet. Set the parameter `reach-system.reachSystem.enabled` to `true` to enable the proxy server. Proxy settings are configured in the `reach-system.reachSystem.proxySettings` section. + + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `reachSystem.enabled`| Specifies whether to enable the usage of a proxy server for Palette. | Boolean | `false` | +| `reachSystem.proxySettings.http_proxy`| The HTTP proxy server URL. | String | `""` | +| `reachSystem.proxySettings.https_proxy`| The HTTPS proxy server URL. | String | `""` | +| `reachSystem.proxySettings.no_proxy`| A list of hostnames or IP addresses that should not be proxied. | String | `""` | + + + ```yaml + reach-system: + reachSystem: + enabled: false + proxySettings: + http_proxy: "" + https_proxy: "" + no_proxy: + ``` + +--- + +
+ +## 3.4.0 or Earlier + +### Required Parameters + +The following parameters in the **values.yaml** file are required:

+ +- **env.rootDomain** - Used to configure the domain for the Palette installation. You should create a CNAME DNS record separately, and it should be a wildcard to account for Organization prefixes. Review the [Environment parameters](helm-chart-install-reference.md#environment) to learn more.

+ +- **natsUrl** - The URL format specifies how to configure NATS servers to the IP address and port. Review the [Network Address Translation (NATS) parameters](helm-chart-install-reference.md#network-address-translation-nats) to learn more.

+ + + +- **Registry and Palette Artifact Repository** - Specifies the Docker registry where chart images are stored and the Palette Artifact Repository (PAR). Refer to the [Registry and Palette Artifact Repository parameters](helm-chart-install-reference.md#registry-and-palette-artifact-repository-par). + +### MongoDB + +Palette uses MongoDB as its database and supports two modes of deployment:

+ +- MongoDB deployed and active inside the cluster. + + +- MongoDB hosted on a software as a service (SaaS) platform, such as Atlas. + +The table lists the parameters used to configure a MongoDB deployment. + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `internal` | `n/a` | Boolean | Specifies the MongoDB deployment either in-cluster or using Mongo Atlas. | Required | +| `databaseUrl` | `mongo-0.mongo,mongo-1.mongo,mongo-2.mongo` | String | URL for MongoDB. Change the URL if you are using Mongo Atlas.| Required| +| `databasePassword` | `""` | String | The base64 encoded MongoDB password. | Optional | +| `replicas` | `3` | Integer | Specifies the number of MongoDB replicas to start.| Required | +| `cpuLimit` | `2000m` | String | Specifies the CPU limit for each MongoDB replica.| Optional | +| `memorylimit` | `4Gi` | String |Specifies the memory limit for each MongoDB replica.| Optional | +| `pvcSize` | `20Gi` | String | Specifies the Persistent Volume Claim (PVC) size for each MongoDB replica.|Optional | +| `storageClass` | `""` | String | Storage class for the PVC. Leave this empty to use the default storage class. |Optional | + + +```yaml +mongo: + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + replicas: 3 + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" +``` + +### Config + +The configuration file contains the following sections. + +#### SSO + +The table lists parameters to configure SSO SAML authentication in Palette. + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `saml.enabled` | `false` | Boolean | Specifies whether to enable SSO SAML configuration by setting it to true. 
| Optional| +| `saml.acsUrlRoot` | `myfirstpalette.spectrocloud.com` | String | Root URL of the Assertion Consumer Service (ACS).| Optional| +| `saml.acsUrlScheme` | `https` | String | URL scheme of the ACS either http or https. | Optional | +| `saml.audienceUrl` | `https://www.spectrocloud.com` | String | URL of the intended audience for the SAML response.| Optional| +| `saml.entityID` | `https://www.spectrocloud.com` | String | Entity ID of the Service Provider.| Optional | +| `saml.apiVersion` | `v1` | String |SSO SAML API version to use.| Optional | + +```yaml +config: + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" +``` + +#### Email + +The table lists the parameters to configure email settings in Palette's self-hosted mode. + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `enabled` | `false` | Boolean | Specifies whether to enable email configuration. | Optional| +| `emailID ` | `""` | String | Email address for sending mail.| Optional| +| `smtpServer` | `smtp.gmail.com` | String | Simple Mail Transfer Protocol (SMTP) server used for sending mail. 
| Optional | +| `smtpPort` | `587` | Integer | SMTP port used for sending mail.| Optional| +| `insecureSkipVerifyTIs` | `true` | Boolean | Specifies whether to skip Transport Layer Security (TLS) verification for the SMTP connection.| Optional | +| `fromEmailID` | `noreply@spectrocloud.com` | String |Email address of the ***From*** address.| Optional | +| `password` | `""` | String |The base64-encoded SMTP password when sending emails.| Optional | + +```yaml +config: + email: + enabled: false + emailId: "@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" +``` + +#### Environment + +The table lists environment variables required to deploy Palette. + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `env.rootDomain` | `""` | String | Specifies the default Domain Name System (DNS) record mapped to the *ingress-nginx-controller* load balancer. It is required if false. Otherwise, leave it empty. | Required| +| `env.installerMode` | `self-hosted` | String | Specifies the installer mode. Do not modify the value.| Required| +| `env.installerCloud` | `""` | String | Specifies the cloud provider. It should be left empty. | Optional | + +```yaml +config: + env: + rootDomain: "" + installerMode: "self-hosted" + installerCloud: "" +``` + +#### Cluster + +The cluster parameter specifies how the Kubernetes cluster is deployed. + + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `stableEndpointAccess` | `false` | Boolean | False indicates the Kubernetes cluster is deployed in a private network through a stable private endpoint. True indicates the cluster is deployed through a public endpoint. 
| Optional| + +```yaml +config: + cluster: + stableEndpointAccess: false +``` + +#### Registry and Palette Artifact Repository (PAR) + +The table lists Registry and Palette Artifact Repository (PAR) parameters to install Palette using Helm Chart. + +| **Parameters** | **Default value** | **Type** | **Description** | **Required/Optional** | +| --- | --- | --- | --- | --- | +| `registry.endpoint` | `""` | String | The endpoint URL for the registry. | Required| +| `registry.name` | `""` | String | The name of the registry. | Required| +| `registry.password` | `""` | String | The password for the registry. | Required| +| `registry.username` | `""` | String | The username for the registry. | Required| +| `scar.endpoint` | `""` | String | The endpoint URL of the PAR. | Required| +| `scar.username` | `""` | String | The username for the PAR. | Required| +| `scar.password` | `""` | String | The password for the PAR. | Required| + +```yaml +config: + registry: + endpoint: "" + name: "" + password: "" + username: "" + + scar: + endpoint: "" + username: "" + password: "" +``` + +Contact support@spectrocloud.com to gain access to the Helm Chart. + +### Network Address Translation (NATS) + +The table lists Network Address Translation (NATS) parameters that Palette uses for communication between the tenant and management clusters. The internal flag determines whether NATS uses a new load balancer or the existing ingress service. 
To learn about NATS cluster configuration map properties, refer to [NATS clustering configuration.](https://docs.nats.io/running-a-nats-service/configuration/clustering/cluster_config) + +| **Parameters ** | **Default Value** | **Type ** | **Description** | **Required/Optional** | +| ------------ | ------------- | ------- | ------------------------------------------------------------------------------------------------------------------------- | ------------------ | +| `internal` | `true` | Boolean | `true` means NATS shares the ingress load balancer or uses hostNetwork. `false` means a cloud load balancer is used. | Optional | +| `natsUrl` | `""` | String | Comma-separated list of mappings for NATS load balancer service. Required if `nats.internal` is false. | Required | +| `annotations`| `{}` | Map | A map of key-value pairs that specify the load balancer annotations for NATS. These annotations vary depending on the cloud provider. | Optional | +| `routes` | `[]` | List | List of server URLs for clustering (excluding self-routes) that can include authentication via token or username/password in the URL. | Optional | +| `natsStaticIP`| `""` | String | Static IP for the NATS load balancer service. If empty, a dynamic IP address will be generated. | Optional | + +```yaml +nats: + internal: true + natsUrl: "" + annotations: {} + routes: [] + natsStaticIP: "" +``` + +### Ingress + +The table lists parameters used to configure the NGINX Ingress Controller, which provides an external HTTP load balancer for Kubernetes services. Refer to [Set Up Ingress](../clusters/cluster-groups/ingress-cluster-group.md) for more guidance. 
+ +| **Parameters** | **Default Value** | **Type** | **Description** | **Required/Optional** | +|--------------------------------|---------------|---------|---------------------------------------------------------------------------------------------------------------------------------------------------|--------------------| +| `Internal` | `false` | Boolean |Specify whether to use a cloud load balancer or host network. | Required | +| `certificate` | `""` | String | Default SSL certificate for NGINX Ingress Controller. If left blank, the NGINX Ingress Controller will generate a self-signed certificate. | Optional | +| `key` | `""` | String | Default SSL key for the NGINX Ingress Controller. | Optional | +| `annotations` | `{}` | Map | A map of key-value pairs that specifies load balancer annotations for ingress. | Optional | +| `ingressStaticIP` | `""` | String | Static IP for the ingress load balancer service. If empty, a dynamic IP address will be generated. | Optional | +| `terminateHTTPSAtLoadBalancer` | `false` | Boolean | Specify whether to terminate HTTPS at the load balancer. | Optional | + +```yaml +ingress: + ingress: + internal: false + certificate: "" + key: "" + annotations: {} + ingressStaticIP: "" + terminateHTTPSAtLoadBalancer: false +``` + +### Spectro Proxy + +The table lists parameters to configure the Spectro server-side proxy. + +| **Parameters** | **Default Value** | **Type** | **Description** | **Required/Optional** | +|---------------------|------------------------------|---------|---------------------------------------------------------------|--------------------| +| `enabled` | `false` | Boolean | Specifies whether Spectro Proxy is enabled or not. | Optional | +| `frpHostURL` | `proxy.sample.spectrocloud.com` | String | The URL of the Spectro proxy host. | Optional | +| `server.crt` | `"LS0..."` | String | Specifies the certificate file for the Spectro Proxy server. 
| Optional | +| `server.key` | `"LS0..."` | String | Specifies the private key file for the Spectro Proxy server. | Optional | +| `ca` | `"LS0..."` | String | Specifies the Certificate Authority (CA) for the Spectro Proxy server. | Optional | +| `ca.crt` | `"LS0..."` | String | Specifies the CA certificate file for the Spectro Proxy server. | Optional | + +```yaml +frps: + frps: + enabled: false + frpHostURL: proxy.sample.spectrocloud.com + server: + crt: 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 + key: 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 + ca: + crt : 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 +``` + +### UI System + +The table lists parameters for the Network Operations Center User Interface (NOC UI). Palette's NOC UI enables easy location monitoring of multi-location clusters through an intuitive UI. + +| **Parameters ** | **Default Value** | **Type** | **Description** | **Required/Optional** | +|---------------------|---------------|---------|------------------------------------------------------|--------------------| +| `enabled` | `false` | Boolean | Specifies whether to enable the Palette Network Operations Center (NOC) UI. Enabling this parameter requires the `ui.nocUI.mapBoxAccessToken`. Once enabled, all cluster locations will be reported to MapBox. | Optional | +| `mapBoxAccessToken` | `""` | String | Access token for the MapBox API. | Optional | +| `mapBoxStyledLayerID`| `""` | String | ID for the MapBox style layer. | Optional | + +```yaml +ui-system: + ui: + nocUI: + enable: false + mapBoxAccessToken: "" + mapBoxStyledLayerID: "" +``` + + + + diff --git a/docs/docs-content/enterprise-version-bkup/monitoring.md b/docs/docs-content/enterprise-version-bkup/monitoring.md new file mode 100644 index 0000000000..55020a9dc0 --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/monitoring.md 
@@ -0,0 +1,56 @@ +--- +sidebar_label: "Cluster Monitoring Metrics" +title: "Enterprise Cluster Monitoring Metrics" +description: "Enterprise Cluster Monitoring Metrics for Palette's Enterprise (on-premises) variant." +icon: "" +hide_table_of_contents: false +sidebar_position: 60 +tags: ["self-hosted", "enterprise", "monitoring"] +--- + +## Pods Monitoring Metrics +### Namespaces to Monitor Pods + +|**Namespaces** |**Interpretation**| +|-----------|--------------| +|**ui-system** |Palette Management UI| +|**cp-system** |System Management UI| +|**nats-system**| Message System| +|**ingress-nginx**| Ingress services| +|**hubble-system**|Core backend services| +|**jet-system**|Pivot Tenant Clusters| + +### Exceptions + +The below pods are dynamically created from jobs and can be excluded from monitoring. + + +|**Pods Prefix** |**Namespace**| +|-----------|--------------| +|ingress-nginx-admission-patch- |ingress-nginx| +|ingress-nginx-admission-create- |ingress-nginx| +|packsync- |hubble-system| +|cleanup- |hubble-system| + + + +## CPU and Memory Monitoring Metrics + +### Default Specifications +* CPU: 4 vCPU +* RAM: 8 GB RAM +* CP Nodes: 3 + +### Thresholds +* CPU warn [per node ] > 70% +* CPU alert [per node] > 80% +* Memory Warn [per node] > 80% +* Memory Alert [per node] > 90% + +### Node Monitoring Metrics + #### Number of Nodes: 3 + #### Node Alerts +* Node up +* Node down +* Node unreachable + diff --git a/docs/docs-content/enterprise-version-bkup/on-prem-system-requirements.md b/docs/docs-content/enterprise-version-bkup/on-prem-system-requirements.md new file mode 100644 index 0000000000..7e1a6b532f --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/on-prem-system-requirements.md 
@@ -0,0 +1,850 @@ +--- +sidebar_label: "System Requirements" +title: "System Requirements" +description: "An overview of the self-hosted Palette system requirements." +icon: "" +hide_table_of_contents: false +toc_min_heading_level: 2 +toc_max_heading_level: 3 +sidebar_position: 0 +tags: ["self-hosted", "enterprise"] +--- + + + +## System Requirements + +Palette is available as a self-hosted application that you install in your environment. The self-hosted version is a dedicated Palette environment hosted on VMware instances or in an existing Kubernetes cluster. Self-hosted Palette is available in the following three modes: + +| **Self-Hosted Modes** | **Description** | +| --------------------- | --------------------------------------------------------------------------------- | +| **VMWare Enterprise Mode** | A multi-node, highly available version for production purposes. | +| **VMWare Quick Start Mode** | A single VM deployment of the platform that is ideal for use in Proofs of Concept (PoCs). | +| **Helm Chart Mode** | Install Palette in an existing Kubernetes cluster using a Helm Chart. | + +The next sections describe specific requirements for all modes. + +
+ +## Prerequisites + +The following are prerequisites for deploying a Kubernetes cluster in VMware: +* vSphere version 7.0 or above. vSphere 6.7 is supported but not recommended as it reached end of general support in 2022. + + +* Configuration Requirements - A Resource Pool needs to be configured across the hosts, onto which the workload clusters will be provisioned. Every host in the Resource Pool will need access to shared storage, such as vSAN, to use high-availability control planes. Network Time Protocol (NTP) must be configured on each ESXi host. + + +* You need an active vCenter account with all the permissions listed below in the VMware Cloud Account Permissions section. + + +* Install a Private Cloud Gateway for VMware as described in the Creating a VMware Cloud Gateway section. Installing the Private Cloud Gateway automatically registers a cloud account for VMware in Palette. You can register additional VMware cloud accounts in Palette as described in the Creating a VMware Cloud account section. + +* Kubernetes version 1.19 minimum when installing Palette in a cluster using a Helm Chart. We recommend using managed Kubernetes, such as Amazon EKS and Azure EKS. + +* Subnet with egress access to the internet (direct or via proxy): + * For proxy: HTTP_PROXY, HTTPS_PROXY (both are required). + * Outgoing internet connection on port 443 to api.spectrocloud.com. + + +* The Private cloud gateway IP requirements are: + * One (1) node - one (1) IP or three (3) nodes - three (3) IPs. + * One (1) Kubernetes control-plane VIP. + * One (1) Kubernetes control-plane extra. + + +* Assign IPs for application workload services (e.g., Load Balancer services). + + +* A DNS to resolve public internet names (e.g., api.spectrocloud.com). + + +* Shared Storage between vSphere hosts. + + +* A cluster profile created in Palette for VMware. + + +* Zone Tagging: A dynamic storage allocation for persistent storage. 
+ + +### Zone Tagging + + Zone tagging is required for dynamic storage allocation, across fault domains, when provisioning workloads that require persistent storage. This is required for the installation of the Palette platform itself and is also useful for Workloads deployed in the Tenant Clusters, if they have persistent storage needs. Use vSphere tags on data centers (kubernetes-region) and compute clusters (kubernetes-zone) to create distinct zones in your environment. + + As an example, assume your vCenter environment includes three compute clusters: *cluster-1*, *cluster-2*, and *cluster-3* as part of data center dc-1. You can tag them as follows: + +| **vSphere Object** | **Tag Category** | **Tag Value** | +| ------------------ | ---------------- | ------------- | +| dc-1 | k8s-region | region1 | +| cluster-1 | k8s-zone | az1 | +| cluster-2 | k8s-zone | az2 | +| cluster-3 | k8s-zone | az3 | + + +:::info + +The exact values for the kubernetes-region and kubernetes-zone tags can be different from the ones described in the example above, as long as these are unique. + +::: + +
+ +### Tag Requirements +The following points needs to be taken care while creating the Tags: +* A valid tag must consist of alphanumeric characters +* The tag must start and end with an alphanumeric characters +* The regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?') + +**Example Tags:** +* MyValue +* my_value +* 12345 + + + + + +## VMware Privileges + +The vSphere user account that is deploying Palette must have the following minimum vSphere privileges. The **Administrator** role provides super-user access to all vSphere objects. For users without the **Administrator** role, one or more custom roles can be created based on the tasks being performed by the user. +Permissions and privilieges vary depending on the vSphere version you are using. + +Select the tab that corresponds with your vSphere versions. + +
+ + + + + + +#### Root-Level Role Privileges + +
+ +The root-level role privileges are applied to root object and Datacenter objects only. + +|**vSphere Object**|**Privileges**| +|---------------|----------| +|**Cns**|Searchable| +|**Datastore**|Browse datastore +|**Host**|Configuration +|| Storage partition configuration +|**vSphere** **Tagging**|Create vSphere Tag| +||Edit vSphere Tag| +|**Network**|Assign network| +|**Sessions**|Validate session| +|**VM Storage Policies**|View VM storage policies| +|**Storage views**|View| + +
+ +#### Spectro Role Privileges + + + + + + +##### Cns Privileges + - Searchable + + + + + +##### Datastore Privileges + - Allocate Space + - Browse Datastore + - Low level file operations + - Remove file + - Update virtual machine files + - Update virtual machine metadata + + + + + + + ##### Folder Privileges + - Create folder + - Delete folder + - Move folder + - Rename folder + + + + + + #### Host Privileges + - Local Operations + * Reconfigure virtual machine + + + + + +
+ +:::info + +If the network is a Distributed Port Group under a vSphere Distributed Switch (VDS), ReadOnly access to the VDS without “Propagate to children” needs to be provided. + +::: + +
+ + #### Network Privileges + + - Assign Network + +
+ + + + #### Resource Privileges + + - Apply recommendation + - Assign virtual machine to resource pool + - Migrate powered off virtual machine + - Migrate powered on virtual machine + - Query vMotion + + + + + + #### Sessions Privileges + - Validate session + + + + + + #### VM Storage Policies Privileges + + - View access for VM storage policies is required. Ensure the privilege `StorageProfile.View` is available. Refer to the [VM Storage Policies Privileges](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-DECEAE60-58CB-4B30-8874-FA273573E6B5.html) resource to learn more. + + + + + + #### Storage Views Privileges + - View + + + + + + + #### Task Privileges + + - Create task + - Update task + + + + + + #### vApp Privileges + + - Import + - View OVF environment + - vApp application configuration + - vApp instance configuration + + + + + + #### vSphere Tagging + + - Create vSphere Tag + - Edit vSphere Tag + + + + + + + #### Virtual Machines Privileges + + +
+ +| | | | +| ------------------------- | ------------------------------------------- | ------------------------------------- | +| **Change Configuration** | | | +| | Change Settings | Extend virtual disk | +| | Change Swapfile Placement | Modify device settings | +| | Configure host USB device | Query Fault Tolerance compatibility | +| | Configure raw device | Query unowned files | +| | Add existing disk | Reload from path | +| | Add new disk | Remove disk | +| | Add or remove device | Rename | +| | Change resource | Reset guest information | +| | Configure managedBy | Set annotation | +| | Display connection settings | Toggle fork parent | +| | Advanced configuration | Upgrade virtual machine compatibility | +| | Change CPU count | | +| **Guest operations** | | | +| | Guest operation alias modification | Guest operation alias query | +| | Guest operation modifications | Guest operation queries | +| | Guest operation program execution | | +| **Interaction** | | | +| | Power off | Power on | +| **Inventory** | | | +| | Create from existing | Move | +| | Create new | Remove | +| **Provisioning** | | | +| | Allow disk access | Customize guest | +| | Allow file access | Deploy template | +| | Allow read-only disk access | Mark as template | +| | Allow virtual machine download | Mark as virtual machine | +| | Allow virtual machine files upload | Modify customization specification | +| | Clone template | Promote disks | +| | Clone virtual machine | Read customization specifications | +| | Create template from virtual machine | | +| **Service Configuration** | | | +| | Allow notifications | Modify service configuration | +| | Allow polling of global event notifications | Query service configurations | +| | Manage service configurations | Read service configuration | +| **Snapshot Management** | | | +| | Create snapshot | Remove snapshot | +| | Rename snapshot | Revert to snapshot | +| **vSphere Replication** | | | +| | Configure replication | Monitor replication | +| | 
Monitor replication | | + + +
+ + + + #### vSAN + + - Cluster + * ShallowRekey + + + +
+ +
+ + + + +#### Root-Level Role Privileges + +
+ +The root-level role privileges are applied to root object and Datacenter objects only. + +|**vSphere Object**|**Privileges**| +|---------------|----------| +|**Cns**|Searchable| +|**Datastore**|Browse datastore +|**Host**|Configuration +|| Storage partition configuration +|**vSphere** **Tagging**|Create vSphere Tag| +||Edit vSphere Tag| +|**Network**|Assign network| +|**Sessions**|Validate session| +|**Profile-driven storage**|Profile-driven storage view| +|**Storage views**|View| + +
+ +#### Spectro Role Privileges + + + + + + +#### Cns Privileges + - Searchable + + + + + +#### Datastore Privileges + - Allocate Space + - Browse Datastore + - Low level file operations + - Remove file + - Update virtual machine files + - Update virtual machine metadata + + + + + + + #### Folder Privileges + - Create folder + - Delete folder + - Move folder + - Rename folder + + + + + + #### Host Privileges + - Local Operations + * Reconfigure virtual machine + + + + + +
+ + +:::info + +If the network is a Distributed Port Group under a vSphere Distributed Switch (VDS), ReadOnly access to the VDS without “Propagate to children” needs to be provided. + +::: + + #### Network Privileges + + - Assign Network + +
+ + + + #### Resource Privileges + + - Apply recommendation + - Assign virtual machine to resource pool + - Migrate powered off virtual machine + - Migrate powered on virtual machine + - Query vMotion + + + + + + #### Sessions Privileges + - Validate session + + + + + + #### Profile Driven Storage + - Profile-driven storage view + + + + + + #### Storage Views Privileges + - View + + + + + + + #### Task Privileges + + - Create task + - Update task + + + + + + #### vApp Privileges + + - Import + - View OVF environment + - vApp application configuration + - vApp instance configuration + + + + + + #### vSphere Tagging + + - Create vSphere Tag + - Edit vSphere Tag + + + + + + + #### Virtual Machines Privileges + + +
+ +| | | | +| ------------------------- | ------------------------------------------- | ------------------------------------- | +| **Change Configuration** | | | +| | Change Settings | Extend virtual disk | +| | Change Swapfile Placement | Modify device settings | +| | Configure host USB device | Query Fault Tolerance compatibility | +| | Configure raw device | Query unowned files | +| | Add existing disk | Reload from path | +| | Add new disk | Remove disk | +| | Add or remove device | Rename | +| | Change resource | Reset guest information | +| | Configure managedBy | Set annotation | +| | Display connection settings | Toggle fork parent | +| | Advanced configuration | Upgrade virtual machine compatibility | +| | Change CPU count | | +| **Guest operations** | | | +| | Guest operation alias modification | Guest operation alias query | +| | Guest operation modifications | Guest operation queries | +| | Guest operation program execution | | +| **Interaction** | | | +| | Power off | Power on | +| **Inventory** | | | +| | Create from existing | Move | +| | Create new | Remove | +| **Provisioning** | | | +| | Allow disk access | Customize guest | +| | Allow file access | Deploy template | +| | Allow read-only disk access | Mark as template | +| | Allow virtual machine download | Mark as virtual machine | +| | Allow virtual machine files upload | Modify customization specification | +| | Clone template | Promote disks | +| | Clone virtual machine | Read customization specifications | +| | Create template from virtual machine | | +| **Service Configuration** | | | +| | Allow notifications | Modify service configuration | +| | Allow polling of global event notifications | Query service configurations | +| | Manage service configurations | Read service configuration | +| **Snapshot Management** | | | +| | Create snapshot | Remove snapshot | +| | Rename snapshot | Revert to snapshot | +| **vSphere Replication** | | | +| | Configure replication | Monitor replication | +| | 
Monitor replication | | + + +
+ + + + #### vSAN + + - Cluster + * ShallowRekey + + + +
+ + + +
+ + + + +#### Root-Level Role Privileges + +
+ +The root-level role privileges are applied to root object and Datacenter objects only. + +|**vSphere Object**|**Privileges**| +|---------------|----------| +|**Cns**|Searchable| +|**Datastore**|Browse datastore +|**Host**|Configuration +|| Storage partition configuration +|**vSphere** **Tagging**|Create vSphere Tag| +||Edit vSphere Tag| +|**Network**|Assign network| +|**Sessions**|Validate session| +|**Profile-driven storage**|Profile-driven storage view| +|**Storage views**|View| + +
+ +#### Spectro Role Privileges + + + + + + +#### Cns Privileges + - Searchable + + + + + +#### Datastore Privileges + - Allocate Space + - Browse Datastore + - Low level file operations + - Remove file + - Update virtual machine files + - Update virtual machine metadata + + + + + + + #### Folder Privileges + - Create folder + - Delete folder + - Move folder + - Rename folder + + + + + + #### Host Privileges + - Local Operations + * Reconfigure virtual machine + + + + + +
+ +:::info + +If the network is a Distributed Port Group under a vSphere Distributed Switch (VDS), ReadOnly access to the VDS without “Propagate to children” needs to be provided. + +::: + + #### Network Privileges + + - Assign Network + +
+ + + + #### Resource Privileges + + - Apply recommendation + - Assign virtual machine to resource pool + - Migrate powered off virtual machine + - Migrate powered on virtual machine + - Query vMotion + + + + + + #### Sessions Privileges + - Validate session + + + + + + #### Profile Driven Storage + - Profile-driven storage view + + + + + + #### Storage Views Privileges + - View + + + + + + + #### Task Privileges + + - Create task + - Update task + + + + + + #### vApp Privileges + + - Import + - View OVF environment + - vApp application configuration + - vApp instance configuration + + + + + + #### vSphere Tagging + + - Create vSphere Tag + - Edit vSphere Tag + + + + + + + #### Virtual Machines Privileges + + +
+ +| | | | +| ------------------------- | ------------------------------------------- | ------------------------------------- | +| **Change Configuration** | | | +| | Change Settings | Extend virtual disk | +| | Change Swapfile Placement | Modify device settings | +| | Configure host USB device | Query Fault Tolerance compatibility | +| | Configure raw device | Query unowned files | +| | Add existing disk | Reload from path | +| | Add new disk | Remove disk | +| | Add or remove device | Rename | +| | Change resource | Reset guest information | +| | Configure managedBy | Set annotation | +| | Display connection settings | Toggle fork parent | +| | Advanced configuration | Upgrade virtual machine compatibility | +| | Change CPU count | | +| **Guest operations** | | | +| | Guest operation alias modification | Guest operation alias query | +| | Guest operation modifications | Guest operation queries | +| | Guest operation program execution | | +| **Interaction** | | | +| | Power off | Power on | +| **Inventory** | | | +| | Create from existing | Move | +| | Create new | Remove | +| **Provisioning** | | | +| | Allow disk access | Customize guest | +| | Allow file access | Deploy template | +| | Allow read-only disk access | Mark as template | +| | Allow virtual machine download | Mark as virtual machine | +| | Allow virtual machine files upload | Modify customization specification | +| | Clone template | Promote disks | +| | Clone virtual machine | Read customization specifications | +| | Create template from virtual machine | | +| **Service Configuration** | | | +| | Allow notifications | Modify service configuration | +| | Allow polling of global event notifications | Query service configurations | +| | Manage service configurations | Read service configuration | +| **Snapshot Management** | | | +| | Create snapshot | Remove snapshot | +| | Rename snapshot | Revert to snapshot | +| **vSphere Replication** | | | +| | Configure replication | Monitor replication | +| | 
Monitor replication | | + + +
+ + + + #### vSAN + + - Cluster + * ShallowRekey + + + +
+ + + + +
+
+ + +
+ + +--- + +## Network Requirements + +* Outgoing access from the platform VMs to the internet either directly or via a proxy. + + +* An IP Address (static or DHCP) for the quick start virtual machine (also used as an installer for enterprise version). + + +* A block of five (5) IP addresses reserved for an enterprise cluster: One IP address for each of the three enterprise cluster VMs, an IP to be used as a VIP, and an additional IP reserved for rolling upgrades. + + +* Interconnectivity across all the three (3) VMs on all ports. + + +* Connectivity from the Virtual Machines to the vCenter. + + +:::info +Ensure your data center CIDR IP address does not overlap with the Kubernetes PodCIDR range. During installation, you can change the Kubernetes PodCIDR range settings. +::: + + +## Proxy Requirements +* If a proxy is used for outgoing connections, it must support both HTTPS and HTTP traffic. All Palette components communicate over HTTPS by default. An HTTP proxy can be used when HTTP is the only supported protocol, such as connecting to a private image registry that only supports HTTP. + +* Connectivity to all [Proxy Whitelist](../architecture/palette-public-ips.md#palette-domains) domains must be allowed + + +## Self-Hosted Configuration + +This section lists resource requirements for Palette VerteX for various capacity levels. In Palette VerteX, the terms *small*, *medium*, and *large* are used to describe the instance size of worker pools that Palette VerteX is installed on. The following table lists the resource requirements for each size. + + +
+ +:::caution + +The recommended maximum number of deployed nodes and clusters in the environment should not be exceeded. We have tested the performance of Palette VerteX with the recommended maximum number of deployed nodes and clusters. Exceeding these limits can negatively impact performance and result in instability. The active workload limit refers to the maximum number of active nodes and pods at any given time. + +::: + +
+ + + +| **Size** | **Nodes**| **CPU**| **Memory**| **Storage**| **MongoDB Storage Limit**| **MongoDB Memory Limit**| **MongoDB CPU Limit** |**Total Deployed Nodes**| **Deployed Clusters with 10 Nodes**| +|----------|----------|--------|-----------|------------|--------------------|-------------------|------------------|----------------------------|----------------------| +| Small | 3 | 8 | 16 GB | 60 GB | 20 GB | 4 GB | 2 | 1000 | 100 | +| Medium (Recommended) | 3 | 16 | 32 GB | 100 GB | 60 GB | 8 GB | 4 | 3000 | 300 | +| Large | 3 | 32 | 64 GB | 120 GB | 80 GB | 12 GB | 6 | 5000 | 500 | + + +#### Instance Sizing + +| **Configuration** | **Active Workload Limit** | +|---------------------|---------------------------------------------------| +| Small | Up to 1000 Nodes each with 30 Pods (30,000 Pods) | +| Medium (Recommended) | Up to 3000 Nodes each with 30 Pods (90,000 Pods)| +| Large | Up to 5000 Nodes each with 30 Pods (150,000 Pods) | + +
+ + +## Best Practices + +The following steps are optional but recommended for production environments. + + +| | | +| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **DNS Mapping** | A DNS is used to access the Palette Management Console. While the Virtual IP Address (VIP), configured on the platform can be used
to access the platform, it is recommended that you reserve a DNS for this purpose and map it to the VIP after installation. | +| **SMTP Setting**s | Configure the SMTP settings to enable the Palette platform to send out email notifications. Email notifications are sent out to new
users, when they are initially onboarded onto the platform, so they can activate their accounts and reset their password at a later time. | +| **Trusted Certificate** | Configure your platform with a trusted CA certificates. | +| **FTP Location for backups** | Configure an FTP location for platform backups and schedule daily backups. | \ No newline at end of file diff --git a/docs/docs-content/enterprise-version-bkup/reverse-proxy.md b/docs/docs-content/enterprise-version-bkup/reverse-proxy.md new file mode 100644 index 0000000000..438fc5311e --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/reverse-proxy.md 
@@ -0,0 +1,252 @@ +--- +sidebar_label: "Configure Reverse Proxy" +title: "Configure Reverse Proxy" +description: "Learn how to configure a reverse proxy for Palette." +icon: "" +hide_table_of_contents: false +sidebar_position: 80 +--- + +You can configure a reverse proxy for Palette. The reverse proxy can be used by host clusters deployed in a private network. Host clusters deployed in a private network are not accessible from the public internet or by users in different networks. You can use a reverse proxy to access the cluster's Kubernetes API server from a different network. + +When you configure reverse proxy server for Palette, clusters that use the [Spectro Proxy pack](../integrations/frp.md) will use the reverse proxy server address in the kubeconfig file. Clusters not using the Spectro Proxy pack will use the default cluster address in the kubeconfig file. + + +Use the following steps to configure a reverse proxy server for Palette. + +## Prerequisites + + +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. + + +- [Helm](https://helm.sh/docs/intro/install/) is installed and available. + + +- Access to the kubeconfig file of the Palette Kubernetes cluster. You can download the kubeconfig file from the Palette system console. Navigate to **Enterprise System Migration**, select the Palette cluster, and click the **Download Kubeconfig** button for the cluster. + + +- A domain name that you can use for the reverse proxy server. You will also need access to the DNS records for the domain so that you can create a CNAME DNS record for the reverse proxy server load balancer. + + +- Ensure you have an SSL certificate that matches the domain name you will assign to Spectro Proxy. You will need this to enable HTTPS encryption for the Spectro Proxy. Contact your network administrator or security team to obtain the SSL certificate. 
You need the following files: + - x509 SSL certificate file in base64 format + + - x509 SSL certificate key file in base64 format + + - x509 SSL certificate authority file in base64 format + + +- The Spectro Proxy server must have internet access and network connectivity to the private network where the Kubernetes clusters are deployed. + + +## Enablement + +1. Open a terminal session and navigate to the directory where you stored the **values.yaml** for the Palette installation. + + +2. Use a text editor and open the **values.yaml** file. Locate the `frps` section and update the following values in the **values.yaml** file. Refer to the [Spectro Proxy Helm Configuration](helm-chart-install-reference.md#spectro-proxy) to learn more about the configuration options. + + | **Parameter** | **Description** | **Type** | + | --- | --- | ---| + | `enabled`| Set to `true` to enable the Spectro Proxy server. | boolean | + | `frps.frpHostURL`| The domain name you will use for the Spectro Proxy server. For example, `frps.example.com`. | + | `server.crt`| The x509 SSL certificate file in base64 format. | + | `server.key`| The x509 SSL certificate key file in base64 format. | + | `ca.crt`| The x509 SSL certificate authority file in base64 format. | + +
+ + The following is an example of the `frps` section in the **values.yaml** file. The SSL certificate files are truncated for brevity. + +
+ + ```yaml + frps: + frps: + enabled: true + frpHostURL: "frps.palette.example.com" + server: + crt: "LS0tLS1CRU...........tCg==" + key: "LS0tLS1CRU...........tCg==" + ca: + crt : "LS0tLS1CRU...........tCg==" + ``` + + +3. Issue the `helm upgrade` command to update the Palette Kubernetes configuration. The command below assumes you are in the folder that contains the **values.yaml** file and the Palette Helm chart. Change the directory path if needed. + +
+ + ```bash + helm upgrade --values values.yaml hubble spectro-mgmt-plane-0.0.0.tgz --install + ``` + + +4. After the new configurations are accepted, use the following command to get the IP address of the Spectro Proxy server's load balancer. + +
+ + ```bash + kubectl get svc --namespace proxy-system spectro-proxy-svc + ``` +5. Update the DNS records for the domain name you used for the Spectro Proxy server. Create a CNAME record that points to the IP address of the Spectro Proxy server's load balancer. + + +6. Log in to the Palette System API by using the `/v1/auth/syslogin` endpoint. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette, or use the IP address. Ensure you replace the credentials below with your system console credentials. + +
+ + ```bash + curl --insecure --location 'https://palette.example.com/v1/auth/syslogin' \ + --header 'Content-Type: application/json' \ + --data '{ + "password": "**********", + "username": "**********" + }' + ``` + Output + ```json hideClipboard + { + "Authorization": "**********.", + "IsPasswordReset": true + } + ``` + +7. Using the output you received, copy the authorization value to your clipboard and assign it to a shell variable. Replace the authorization value below with the value from the output. + +
+ + ```shell hideClipboard + TOKEN=********** + ``` + +8. Next, prepare a payload for the`/v1/system/config/` endpoint. This endpoint is used to configure Palette to use a reverse proxy. The payload requires the following parameters: + +
+ + | **Parameter** | **Description** | **Type** | + | --- | --- | --- | + | `caCert`| The x509 SSL certificate authority file in base64 format. | string | + | `clientCert`| The x509 SSL certificate file in base64 format. | string | + | `clientKey`| The x509 SSL certificate key file in base64 format. | string | + | `port` | The port number for the reverse proxy server. We recommend using port `443`. | integer | + | `protocol` | The protocol to use for the reverse proxy server. We recommend using `https`. | string | + | `server`| The domain name you will use for the Spectro Proxy server. For example, `frps.example.com`. Do not include the HTTP schema in the value. | string | + + The following is an example payload. The SSL certificate files are truncated for brevity. + +
+ + ```json hideClipboard + { + "caCert": "-----BEGIN CERTIFICATE-----\n.............\n-----END CERTIFICATE-----", + "clientCert": "-----BEGIN CERTIFICATE-----\n..........\n-----END CERTIFICATE-----", + "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n........\n-----END RSA PRIVATE KEY-----", + "port": 443, + "protocol": "https", + "server": "frps.palette.example.com.com" + } + ``` + +
+ + :::info + + You can save the payload to a file and use the `cat` command to read the file contents into the `curl` command. For example, if you save the payload to a file named `payload.json`, you can use the following command to read the file contents into the `curl` command. You can also save the payload as a shell variable and use the variable in the `curl` command. + + ::: + + +
+ +9. Issue a PUT request using the following `curl` command. Replace the URL with the custom domain URL you assigned to Palette or use the IP address. You can use the `TOKEN` variable you created earlier for the authorization header. Ensure you replace the payload below with the payload you created in the previous step. + +
+ + ```bash + curl --insecure --silent --include --output /dev/null -w "%{http_code}" --location --request PUT 'https://palette.example.com/v1/system/config/reverseproxy' \ + --header "Authorization: $TOKEN" \ + --header 'Content-Type: application/json' \ + --data ' { + "caCert": "-----BEGIN CERTIFICATE-----\n................\n-----END CERTIFICATE-----\n", + "clientCert": "-----BEGIN CERTIFICATE-----\n.............\n-----END CERTIFICATE-----", + "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n............\n-----END RSA PRIVATE KEY-----\n", + "port": 443, + "protocol": "https", + "server": "frps.palette.example.com.com" + }' + ``` + + A successful response returns a `204` status code. + + Output + ```shell hideClipboard + 204 + ``` + +You now have a Spectro Proxy server that you can use to access Palette clusters deployed in a different network. Make sure you add the [Spectro Proxy pack](../integrations/frp.md) to the clusters you want to access using the Spectro Proxy server. + + +## Validate + +Use the following command to validate that the Spectro Proxy server is active. + +
+ + + +1. Open a terminal session. + + +2. Log in to the Palette System API by using the `/v1/auth/syslogin` endpoint. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette or use the IP address. Ensure you replace the credentials below with your system console credentials. + +
+ + ```bash + curl --insecure --location 'https://palette.example.com/v1/auth/syslogin' \ + --header 'Content-Type: application/json' \ + --data '{ + "password": "**********", + "username": "**********" + }' + ``` + Output + ```json hideClipboard + { + "Authorization": "**********.", + "IsPasswordReset": true + } + ``` + +3. Using the output you received, copy the authorization value to your clipboard and assign it to a shell variable. Replace the authorization value below with the value from the output. + +
+ + ```shell hideClipboard + TOKEN=********** + ``` + +4. Query the system API endpoint `/v1/system/config/reverseproxy` to verify the current reverse proxy settings applied to Palette. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette, or use the IP address. You can use the `TOKEN` variable you created earlier for the authorization header. + +
+ + ```bash + curl --location --request GET 'https://palette.example.com/v1/system/config/reverseproxy' \ + --header "Authorization: $TOKEN" + ``` + + If the proxy server is configured correctly, you will receive an output similar to the following that contains your settings. The SSL certificate outputs are truncated for brevity. + +
+ + ```json hideClipboard + { + "caCert": "-----BEGIN CERTIFICATE-----\n...............\n-----END CERTIFICATE-----\n", + "clientCert": "-----BEGIN CERTIFICATE-----\n...........\n-----END CERTIFICATE-----", + "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n........\n-----END RSA PRIVATE KEY-----\n", + "port": 443, + "protocol": "https", + "server": "frps.palette.example.com" + } + ``` \ No newline at end of file diff --git a/docs/docs-content/enterprise-version-bkup/ssl-certificate-management.md b/docs/docs-content/enterprise-version-bkup/ssl-certificate-management.md new file mode 100644 index 0000000000..d4d48c6a74 --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/ssl-certificate-management.md 
@@ -0,0 +1,81 @@ +--- +sidebar_label: "SSL Certificate Management" +title: "SSL Certificate Management" +description: "Upload and manage SSL certificates in Palette." +icon: "" +hide_table_of_contents: false +sidebar_position: 90 +--- + + +When you install Palette, a self-signed certificate is generated and used by default. You can upload your own SSL certificate to replace the default certificate. + +Palette uses SSL certificates to secure external communication. Palette's internal communication is default secured by default and uses HTTPS. External communication with Palette, such as the system console, gRPC endpoint, and API endpoint, requires you to upload an SSL certificate to enable HTTPS. + + +:::info + +Enabling HTTPS is a non-disruptive operation. You can enable HTTPS at any time without affecting the system's functionality. + +::: + + +## Upload an SSL Certificate + +You can upload an SSL certificate in Palette by using the following steps. + + +### Prerequisites + +- Access to the Palette system console. + + +- You need to have an x509 certificate and a key file in PEM format. The certificate file must contain the full certificate chain. Reach out to your network administrator or security team if you do not have these files. + + +- Ensure the certificate is created for the custom domain name you specified for your Palette installation. If you did not specify a custom domain name, the certificate must be created for the Palette system console's IP address. You can also specify a load balancer's IP address if you are using a load balancer to access Palette. + + +### Enablement + +1. Log in to the Palette system console. + + +2. Navigate to the left **Main Menu** and select **Administration**. + + +3. Select the tab titled **Certificates**. + + +4. Copy and paste the certificate into the **Certificate** field. + + +5. Copy and paste the certificate key into the **Key** field. + + +6. 
Copy and paste the certificate authority into the **Certificate authority** field. + + +
+ + ![A view of the certificate upload screen](/enterprise-version_ssl-certificate-upload.png) + +
+ +7. Save your changes. + +If the certificate is invalid, you will receive an error message. Once the certificate is uploaded successfully, Palette will refresh its listening ports and start using the new certificate. + + +### Validate + +You can validate that your certificate is uploaded correctly by using the following steps. + + +1. Log out of the Palette system console. If you are already logged in, log out and close your browser session. Browsers cache connections and may not use the newly enabled HTTPS connection. Closing your existing browser session avoids issues related to your browser caching an HTTP connection. + + +2. Log back into the Palette system console. Ensure the connection is secure by checking the URL. The URL should start with `https://`. + + +Palette is now using your uploaded certificate to create a secure HTTPS connection with external clients. Users can now securely access the system console, gRPC endpoint, and API endpoint. \ No newline at end of file diff --git a/docs/docs-content/enterprise-version-bkup/system-console-dashboard.md b/docs/docs-content/enterprise-version-bkup/system-console-dashboard.md new file mode 100644 index 0000000000..a283317407 --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/system-console-dashboard.md 
@@ -0,0 +1,43 @@ +--- +sidebar_label: "System Console Dashboard" +title: "System Console Dashboard" +description: "Understanding the super-admin settings in Palette's Enterprise (on-premise) variant." +icon: "" +hide_table_of_contents: false +sidebar_position: 50 +tags: ["self-hosted", "enterprise"] +--- + + +The self-hosted system console enables an initial setup and onboarding, administration, as well as upgrade management of the Palette Platform. The on-prem system console is available in a "quick start" mode and an "enterprise" mode. + +Platform administrators can use this console to perform the following operations: + +| Setting | Function | +| --- | --- | +| Tenant Management | Create and activate tenants | +| Update Management | Upgrade Spectro Cloud platform to newer versions | +| Administration | Configure platform settings like SMTP, Certificates, etc. | +| Migrate quick start mode cluster to enterprise | Available in quick start mode to install an enterprise cluster | + +## Tenant Management + +Create new tenants and their initial tenant admin accounts. Optionally, activate new tenants to enable tenant administrators to log in and access the tenant management console. + +## Update Management + +Apply Palette platform upgrades. Upgrades to the Palette platform are published to the Palette repository and a notification is displayed on the console when new versions are available. Platform administrators can apply platform upgrades directly from the on-prem system console. + +## Administration + +### SMTP + +Configure SMTP settings to enable the Palette platform to send out email notifications. Email Notifications are sent out to new users when they are onboarded to the platform to activate their accounts. + +### Certificates + +Provide the desired SSL/TLS server certificates to support external access to valid HTTPs. + +## Cluster Management + +Enterprise clusters are created and deployed from this section. 
The layers and/or pack integrations constituting a cluster can also be configured and updated. diff --git a/docs/docs-content/enterprise-version-bkup/upgrade.md b/docs/docs-content/enterprise-version-bkup/upgrade.md new file mode 100644 index 0000000000..a13a1bc889 --- /dev/null +++ b/docs/docs-content/enterprise-version-bkup/upgrade.md 
@@ -0,0 +1,81 @@ +--- +sidebar_label: "Upgrade Notes" +title: "Upgrade Notes" +description: "Spectro Cloud upgrade notes for specific Palette versions." +icon: "" +hide_table_of_contents: false +sidebar_position: 100 +--- + +This page is a reference resource to help you better prepare for a Palette upgrade. Review each version's upgrade notes for more information about required actions and other important messages to be aware of. If you have questions or concerns, reach out to our support team by opening up a ticket through our [support page](http://support.spectrocloud.io/). + +## Palette 4.0 + +Palette 4.0 includes the following major enhancements that require user intervention to facilitate the upgrade process. + +- **Enhanced security for Palette microservices** - To enhance security, all microservices within Palette now use `insecure-skip-tls-verify` set to `false`. When upgrading to Palette 4.0, you must provide a valid SSL certificate in the system console. + + If you already have an SSL certificate, key, and Certificate Authority (CA) certificate, you can use them when upgrading to Palette 4.0.0. To learn how to upload SSL certificates to Palette, refer to [SSL Certificate Management](ssl-certificate-management.md). + + +- **Self-hosted Palette Kubernetes Upgrade** - If you installed Palette using the Helm Chart method, the Kubernetes version used for Palette is upgraded from version 1.24 to 1.25. You will need to copy the new Kubernetes YAML to the Kubernetes layer in the Enterprise cluster profile. If you have customized your Kubernetes configuration, you will need to manually adjust custom values and include any additional configuration in the upgraded YAML that we provide. Refer to [Upgrade Kubernetes](upgrade.md#upgrade-kubernetes). + +### Upgrade from Palette 3.x to 4.0 + +From the Palette system console, click the **Update version** button. Palette will be temporarily unavailable while system services update. 
+ +![Screenshot of the "Update version" button in the system consoles.](/enterprise-version_sys-console-update-palette-version.png) + +#### Upgrade Kubernetes + +Follow the steps below to upgrade Kubernetes. + +
+ +1. To obtain the upgraded Kubernetes YAML file for Palette 4.0, contact our support team by sending an email to support@spectrocloud.com. + + +2. In the system console, click on **Enterprise Cluster Migration**. + + +3. Click on the **Profiles** tab, and select the Kubernetes layer. The Kubernetes YAML is displayed in the editor at right. + + +4. If the existing Kubernetes YAML has been customized or includes additional configuration, we suggest you create a backup of it by copying it to another location. + + +5. Copy the Kubernetes YAML you received from our support team and paste it into the editor. + +
+ + ![Screenshot of the Kubernetes YAML editor.](/enterprise-version_upgrade_ec-cluster-profile.png) + + +6. If you have made any additional configuration changes or additions, add your customizations to the new YAML. + + +7. Save your changes. + +The Enterprise cluster initiates the Kubernetes upgrade process and leads to the reconciliation of all three nodes. + + +## Palette 3.4 + +Prior versions of Palette installed internal Palette components' ingress resources in the default namespace. The new version of the Helm Chart ensures all Palette required ingress resources are installed in the correct namespace. Self-hosted Palette instances deployed to Kubernetes and upgrading from Palette versions 3.3.X or older must complete the following action. + + +1. Connect to the cluster using the cluster's kubeconfig file. + + + +2. Identify all Ingress resources that belong to *Hubble* - an internal Palette component. + + ```shell + kubectl get ingress --namespace default + ``` + +3. Remove each Ingress resource listed in the output that starts with the name Hubble. Use the following command to delete an Ingress resource. Replace `REPLACE_ME` with the name of the Ingress resource you are removing. + + ```shell + kubectl delete ingress --namespace default + ``` \ No newline at end of file diff --git a/docs/docs-content/enterprise-version/install-palette/_category_.json b/docs/docs-content/enterprise-version/install-palette/_category_.json new file mode 100644 index 0000000000..094470741d --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/_category_.json @@ -0,0 +1,3 @@ +{ + "position": 10 +} diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/_category_.json b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/_category_.json new file mode 100644 index 0000000000..094470741d --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/_category_.json 
@@ -0,0 +1,3 @@
+{
+ "position": 10
+}
diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md
new file mode 100644
index 0000000000..6a8b3c5b9d
--- /dev/null
+++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install-on-kubernetes.md
@@ -0,0 +1,21 @@
+---
+sidebar_label: "Kubernetes"
+title: "Kubernetes"
+description: "Learn how to install Palette on Kubernetes."
+icon: ""
+hide_table_of_contents: false
+tags: ["palette", "self-hosted", "kubernetes"]
+---
+
+
+Palette can be installed on Kubernetes with internet connectivity or an airgap environment. When you install Palette, a three-node cluster is created. You use a Helm chart our support team provides to install Palette on Kubernetes. Refer to [Access Palette](../../enterprise-version.md#access-palette) for instructions on requesting access to the Helm Chart.
+
+
+To get started with Palette on Kubernetes, refer to the [Install Instructions](install.md) guide.
+
+## Resources
+
+- [Install Instructions](install.md)
+
+
+- [Helm Configuration Reference](palette-helm-ref.md)
diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md
new file mode 100644
index 0000000000..fb7d75fa7f
--- /dev/null
+++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/install.md
@@ -0,0 +1,308 @@ +--- +sidebar_label: "Install using Helm Chart" +title: "Install using Helm Chart" +description: "Learn how to deploy self-hosted Palette to a Kubernetes cluster using a Helm Chart." +icon: "" +hide_table_of_contents: false +sidebar_position: 30 +tags: ["self-hosted", "enterprise"] +--- + + +You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your production environment. + +This installation method is common in secure environments with restricted network access that prohibits using Palette SaaS. Review our [architecture diagrams](../../../architecture/networking-ports.md) to ensure your Kubernetes cluster has the necessary network connectivity for Palette to operate successfully. + + + +## Prerequisites + +- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available. + + +- [Helm](https://helm.sh/docs/intro/install/) is installed and available. + + +- Access to the target Kubernetes cluster's kubeconfig file. You must be able to interact with the cluster using `kubectl` commands and have sufficient permissions to install Palette. We recommend using a role with cluster-admin permissions to install Palette. + + +- The Kubernetes cluster must be set up on a supported version of Kubernetes, which includes versions v1.25 to v1.27. + + + +- Ensure the Kubernetes cluster does not have Cert Manager installed. Palette requires a unique Cert Manager configuration to be installed as part of the installation process. If Cert Manager is already installed, you must uninstall it before installing Palette. + + +- The Kubernetes cluster must have a Container Storage Interface (CSI) installed and configured. Palette requires a CSI to store persistent data. You may install any CSI that is compatible with your Kubernetes cluster. + + + +- We recommended the following resources for Palette. Refer to the [Palette size guidelines](../install-palette.md#size-guidelines) for additional sizing information. 
+ + - 8 CPUs per node. + + - 16 GB Memory per node. + + - 100 GB Disk Space per node. + + - A Container Storage Interface (CSI) for persistent data. + + - A minimum of three worker nodes or three untainted control plane nodes. + + +- The following network ports must be accessible for Palette to operate successfully. + + - TCP/443: Inbound and outbound to and from the Palette management cluster. + + - TCP/6443: Outbound traffic from the Palette management cluster to the deployed clusters' Kubernetes API server. + + +- Ensure you have an SSL certificate that matches the domain name you will assign to Palette. You will need this to enable HTTPS encryption for Palette. Reach out to your network administrator or security team to obtain the SSL certificate. You need the following files: + + - x509 SSL certificate file in base64 format. + + - x509 SSL certificate key file in base64 format. + + - x509 SSL certificate authority file in base64 format. + + +- Ensure the OS and Kubernetes cluster you are installing Palette onto is FIPS-compliant. Otherwise, Palette and its operations will not be FIPS-compliant. + + +- A custom domain and the ability to update Domain Name System (DNS) records. You will need this to enable HTTPS encryption for Palette. + + +- Access to the Palette Helm Charts. Refer to the [Access Palette](../../enterprise-version.md#access-palette) for instructions on how to request access to the Helm Chart + + + +
+ +:::caution + +Do not use a Palette-managed Kubernetes cluster when installing Palette. Palette-managed clusters contain the Palette agent and Palette-created Kubernetes resources that will interfere with the installation of Palette. + +::: + + +## Install Palette + +Use the following steps to install Palette on Kubernetes. + + +:::info + +The following instructions are written agnostic to the Kubernetes distribution you are using. Depending on the underlying infrastructure provider and your Kubernetes distribution, you may need to modify the instructions to match your environment. Reach out to our support team if you need assistance. + +::: + + +1. Open a terminal session and navigate to the directory where you downloaded the Palette Helm Charts provided by our support. We recommend you place all the downloaded files into the same directory. You should have the following Helm Charts: + + - Spectro Management Plane Helm Chart. + + - Cert Manager Helm Chart. + + +2. Extract each Helm Chart into its directory. Use the commands below as a reference. Do this for all the provided Helm Charts. + +
+ + ```shell + tar xzvf spectro-mgmt-plane-*.tgz + ``` + +
+ + ```yaml + tar xzvf cert-manager-*.tgz + ``` + + +3. Install Cert Manager using the following command. Replace the actual file name of the Cert Manager Helm Chart with the one you downloaded, as the version number may be different. + +
+ + ```shell + helm upgrade --values cert-manager/values.yaml cert-manager cert-manager-1.11.0.tgz --install + ``` + +
+ + :::info + + The Cert Manager Helm Chart provided by our support team is configured for Palette. Do not modify the **values.yaml** file unless instructed to do so by our support team. + + ::: + + +4. Open the **values.yaml** in the **spectro-mgmt-plane** folder with a text editor of your choice. The **values.yaml** contains the default values for the Palette installation parameters, however, you must populate the following parameters before installing Palette. + +
+ + | **Parameter** | **Description** | **Type** | + | --- | --- | --- | + | `env.rootDomain` | The URL name or IP address you will use for the Palette installation. | string | + | `ociPackRegistry` or `ociPackEcrRegistry` | The OCI registry credentials for Palette FIPS packs.| object | + | `scar` | The Spectro Cloud Artifact Repository (SCAR) credentials for Palette FIPS images. These credentials are provided by our support team. | object | + + + Save the **values.yaml** file after you have populated the required parameters mentioned in the table. + +
+ + :::info + + You can learn more about the parameters in the **values.yaml** file in the [Helm Configuration Reference](palette-helm-ref.md) page. + + ::: + + + +5. Install the Palette Helm Chart using the following command. + +
+ + ```shell + helm upgrade --values spectro-mgmt-plane/values.yaml hubble spectro-mgmt-plane-0.0.0.tgz --install + ``` + + +6. Track the installation process using the command below. Palette is ready when the deployments in the namespaces `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` reach the *Ready* state. The installation takes between two to three minutes to complete. + +
+ + ```shell + kubectl get pods --all-namespaces --watch + ``` + + +7. Create a DNS CNAME record that is mapped to the Palette `ingress-nginx-controller` load balancer. You can use the following command to retrieve the load balancer IP address. You may require the assistance of your network administrator to create the DNS record. + +
+ + ```shell + kubectl get service ingress-nginx-controller --namespace ingress-nginx --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' + ``` + +
+ + :::info + + As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For example, if you create a tenant named `tenant1` and the domain name you assigned to Palette is `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. You can create an additional wildcard DNS record to map all tenant URLs to the Palette load balancer. + + ::: + + +8. Use the custom domain name or the IP address of the load balancer to visit the Palette system console. To access the system console, open a web browser and paste the custom domain URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer. Alternatively, you can use the load balancer IP address with the appended value `/system` to access the system console. + +
+ + :::info + + The first time you visit the Palette system console, a warning message about an untrusted SSL certificate may appear. This is expected, as you have not yet uploaded your SSL certificate to Palette. You can ignore this warning message and proceed. + + ::: + +
+ + ![Screenshot of the Palette system console showing Username and Password fields.](/palette_installation_install-on-vmware_palette-system-console.png) + + +9. Log in to the system console using the following default credentials. + +
+ + | **Parameter** | **Value** | + | --- | --- | + | Username | `admin` | + | Password | `admin` | + +
+ + After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to the Palette system console. + +
+ +10. After login, a summary page is displayed. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate you must upload the SSL certificate, SSL certificate key, and SSL certificate authority files to Palette. You can upload the files using the Palette system console. Refer to the [Configure HTTPS Encryption](../../system-management/ssl-certificate-management.md) page for instructions on how to upload the SSL certificate files to Palette. + + +
+ +:::caution + +If you plan to deploy host clusters into different networks, you may require a reverse proxy. Check out the [Configure Reverse Proxy](../../system-management/reverse-proxy.md) guide for instructions on how to configure a reverse proxy for Palette. + +::: + + +You now have a self-hosted instance of Palette installed in a Kubernetes cluster. Make sure you retain the **values.yaml** file as you may need it for future upgrades. + + +## Validate + +Use the following steps to validate the Palette installation. + +
+ + +1. Open up a web browser and navigate to the Palette system console. To access the system console, open a web browser and paste the following URL in the address bar and append the value `/system`. Replace the domain name in the URL with your custom domain name or the IP address of the load balancer. + + + +2. Log in using the credentials you received from our support team. After login, you will be prompted to create a new password. Enter a new password and save your changes. You will be redirected to the Palette system console. + + +3. Open a terminal session and issue the following command to verify the Palette installation. The command should return a list of deployments in the `cp-system`, `hubble-system`, `ingress-nginx`, `jet-system` , and `ui-system` namespaces. + +
+ + ```shell + kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \ + | grep -E '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s' + ``` + + Your output should look similar to the following. + + ```shell hideClipboard + cp-system spectro-cp-ui-689984f88d-54wsw Running + hubble-system auth-85b748cbf4-6drkn Running + hubble-system auth-85b748cbf4-dwhw2 Running + hubble-system cloud-fb74b8558-lqjq5 Running + hubble-system cloud-fb74b8558-zkfp5 Running + hubble-system configserver-685fcc5b6d-t8f8h Running + hubble-system event-68568f54c7-jzx5t Running + hubble-system event-68568f54c7-w9rnh Running + hubble-system foreq-6b689f54fb-vxjts Running + hubble-system hashboard-897bc9884-pxpvn Running + hubble-system hashboard-897bc9884-rmn69 Running + hubble-system hutil-6d7c478c96-td8q4 Running + hubble-system hutil-6d7c478c96-zjhk4 Running + hubble-system mgmt-85dbf6bf9c-jbggc Running + hubble-system mongo-0 Running + hubble-system mongo-1 Running + hubble-system mongo-2 Running + hubble-system msgbroker-6c9b9fbf8b-mcsn5 Running + hubble-system oci-proxy-7789cf9bd8-qcjkl Running + hubble-system packsync-28205220-bmzcg Succeeded + hubble-system spectrocluster-6c57f5775d-dcm2q Running + hubble-system spectrocluster-6c57f5775d-gmdt2 Running + hubble-system spectrocluster-6c57f5775d-sxks5 Running + hubble-system system-686d77b947-8949z Running + hubble-system system-686d77b947-cgzx6 Running + hubble-system timeseries-7865bc9c56-5q87l Running + hubble-system timeseries-7865bc9c56-scncb Running + hubble-system timeseries-7865bc9c56-sxmgb Running + hubble-system user-5c9f6c6f4b-9dgqz Running + hubble-system user-5c9f6c6f4b-hxkj6 Running + ingress-nginx ingress-nginx-controller-2txsv Running + ingress-nginx ingress-nginx-controller-55pk2 Running + ingress-nginx ingress-nginx-controller-gmps9 Running + jet-system jet-6599b9856d-t9mr4 Running + ui-system spectro-ui-76ffdf67fb-rkgx8 Running + 
``` + + +## Next Steps + +You have successfully installed Palette in a Kubernetes cluster. Your next steps are to configure Palette for your organization. Start by creating the first tenant to host your users. Use the [Create a Tenant](../../system-management/tenant-management.md) page for instructions on how to create a tenant. diff --git a/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md new file mode 100644 index 0000000000..eb77c12a53 --- /dev/null +++ b/docs/docs-content/enterprise-version/install-palette/install-on-kubernetes/palette-helm-ref.md @@ -0,0 +1,451 @@ +--- +sidebar_label: "Helm Chart Install Reference" +title: "Helm Chart Install References" +description: "Reference for Palette Helm Chart installation parameters." +icon: "" +hide_table_of_contents: false +sidebar_position: 40 +tags: ["self-hosted", "enterprise"] +--- + + +You can use the Palette Helm Chart to install Palette in a multi-node Kubernetes cluster in your production environment. The Helm chart allows you to customize values in the **values.yaml** file. This reference lists and describes parameters available in the **values.yaml** file from the Helm Chart for your installation. To learn how to install Palette using the Helm Chart, refer to the[Palette Helm install](install.md) guide. + + +
+ + + + +### Required Parameters + +The following parameters are required for a successful installation of Palette. + + +| **Parameters** | **Description** | **Type** | +| --- | --- | --- | +| `config.env.rootDomain` | Used to configure the domain for the Palette installation. We recommend you create a CNAME DNS record that supports multiple subdomains. You can achieve this using a wild card prefix, `*.palette.abc.com`. Review the [Environment parameters](#environment) to learn more. | String | +| `config.env.ociRegistry` or `config.env.ociEcrRegistry`| Specifies the FIPS image registry for Palette. You can use an a self-hosted OCI registry or a public OCI registry we maintain and support. For more information, refer to the [Registry](#registries) section. | Object | +| `scar`| The Spectro Cloud Artifact Repository (SCAR) credentials for Palette FIPS images. Our support team provides these credentials. For more information, refer to the [Registry](#registries) section. | Object | + + +:::caution + +If you are installing an air-gapped version of Palette, you must provide the image swap configuration. For more information, refer to the [Image Swap Configuration](#image-swap-configuration) section. + + +::: + + +### MongoDB + +Palette uses MongoDB Enterprise as its internal database and supports two modes of deployment:

+ +- MongoDB Enterprise deployed and active inside the cluster. + + +- MongoDB Enterprise is hosted on a software-as-a-service (SaaS) platform, such as MongoDB Atlas. + +The table below lists the parameters used to configure a MongoDB deployment. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `internal` | Specifies the MongoDB deployment either in-cluster or using Mongo Atlas. | Boolean | `true` | +| `databaseUrl`| The URL for MongoDB Enterprise. If using a remote MongoDB Enterprise instance, provide the remote URL. This parameter must be updated if `mongo.internal` is set to `false`. | String | `mongo-0.mongo,mongo-1.mongo,mongo-2.mongo` | +| `databasePassword`| The base64-encoded MongoDB Enterprise password. If you don't provide a value, a random password will be auto-generated. | String | `""` | +| `replicas`| The number of MongoDB replicas to start. | Integer | `3` | +| `memoryLimit`| Specifies the memory limit for each MongoDB Enterprise replica.| String | `4Gi` | +| `cpuLimit` | Specifies the CPU limit for each MongoDB Enterprise member.| String | `2000m` | +| `pvcSize`| The storage settings for the MongoDB Enterprise database. Use increments of `5Gi` when specifying the storage size. The storage size applies to each replica instance. The total storage size for the cluster is `replicas` * `pvcSize`. | string | `20Gi`| +| `storageClass`| The storage class for the MongoDB Enterprise database. | String | `""` | + + +```yaml +mongo: + internal: true + databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo" + databasePassword: "" + replicas: 3 + cpuLimit: "2000m" + memoryLimit: "4Gi" + pvcSize: "20Gi" + storageClass: "" +``` + +### Config + +Review the following parameters to configure Palette for your environment. The `config` section contains the following subsections: + + +#### Install Mode + +You can install Palette in connected or air-gapped mode. 
The table lists the parameters to configure the installation mode. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `installMode` | Specifies the installation mode. Allowed values are `connected` or `airgap`. Set the value to `airgap` when installing in an air-gapped environment. | String | `connected` | + +```yaml +config: + installationMode: "connected" +``` + +#### SSO + +You can configure Palette to use Single Sign-On (SSO) for user authentication. Configure the SSO parameters to enable SSO for Palette. You can also configure different SSO providers for each tenant post-install, check out the [SAML & SSO Setup](../../../user-management/saml-sso/saml-sso.md) documentation for additional guidance. + +To configure SSO, you must provide the following parameters. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | --- | +| `saml.enabled` | Specifies whether to enable SSO SAML configuration by setting it to true. | Boolean | `false` | +| `saml.acsUrlRoot` | The root URL of the Assertion Consumer Service (ACS).| String | `myfirstpalette.spectrocloud.com`| +| `saml.acsUrlScheme` | The URL scheme of the ACS: `http` or `https`. | String | `https` | +| `saml.audienceUrl` | The URL of the intended audience for the SAML response.| String| `https://www.spectrocloud.com` | +| `saml.entityID` | The Entity ID of the Service Provider.| String | `https://www.spectrocloud.com`| +| `saml.apiVersion` | Specify the SSO SAML API version to use.| String | `v1` | + +```yaml +config: + sso: + saml: + enabled: false + acsUrlRoot: "myfirstpalette.spectrocloud.com" + acsUrlScheme: "https" + audienceUrl: "https://www.spectrocloud.com" + entityId: "https://www.spectrocloud.com" + apiVersion: "v1" +``` + +#### Email + +Palette uses email to send notifications to users. 
The email notification is used when inviting new users to the platform, password resets, and when [webhook alerts](../../../clusters/cluster-management/health-alerts.md) are triggered. Use the following parameters to configure email settings for Palette. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `enabled` | Specifies whether to enable email configuration. | Boolean| `false`| +| `emailID ` | The email address for sending mail.| String| `noreply@spectrocloud.com` | +| `smtpServer` | Simple Mail Transfer Protocol (SMTP) server used for sending mail. | String | `smtp.gmail.com` | +| `smtpPort` | SMTP port used for sending mail.| Integer | `587` | +| `insecureSkipVerifyTLS` | Specifies whether to skip Transport Layer Security (TLS) verification for the SMTP connection.| Boolean | `true` | +| `fromEmailID` | Email address of the ***From*** address.| String | `noreply@spectrocloud.com` | +| `password` | The base64-encoded SMTP password when sending emails.| String | `""` | + +```yaml +config: + email: + enabled: false + emailId: "noreply@spectrocloud.com" + smtpServer: "smtp.gmail.com" + smtpPort: 587 + insecureSkipVerifyTls: true + fromEmailId: "noreply@spectrocloud.com" + password: "" +``` + +#### Environment + +The following parameters are used to configure the environment. + +| **Parameters** | **Description** | **Type** | **Default value** | +| --- | --- | --- | --- | +| `env.rootDomain` | Specifies the URL name assigned to Palette. The value assigned should have a Domain Name System (DNS) CNAME record mapped to exposed IP address or the load balancer URL of the service *ingress-nginx-controller*. Optionally, if `ingress.ingressStaticIP` is provided with a value you can use same assigned static IP address as the value to this parameter.| String| `""` | +| `env.installerMode` | Specifies the installer mode. 
Do not modify the value.| String| `self-hosted` |
+| `env.installerCloud` | Specifies the cloud provider. Leave this parameter empty if you are installing a self-hosted Palette. | String | `""` |
+
+```yaml
+config:
+ env:
+ rootDomain: ""
+```
+
+
+:::caution
+
+As you create tenants in Palette, the tenant name is prefixed to the domain name you assigned to Palette. For example, if you create a tenant named tenant1 and the domain name you assigned to Palette is `palette.example.com`, the tenant URL will be `tenant1.palette.example.com`. We recommend you create an additional wildcard DNS record to map all tenant URLs to the Palette load balancer. For example, `*.palette.example.com`.
+
+:::
+
+#### Cluster
+
+Use the following parameters to configure the Kubernetes cluster.
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `stableEndpointAccess` | Set to `true` if the Kubernetes cluster is deployed in a public endpoint. If the cluster is deployed in a private network through a stable private endpoint, set to `false`. | Boolean | `false` |
+
+```yaml
+config:
+ cluster:
+ stableEndpointAccess: false
+```
+
+### Registries
+
+Palette requires credentials to access the required Palette images. You can configure different types of registries for Palette to download the required images. You must configure at least one Open Container Initiative (OCI) registry for Palette. You must also provide the credentials for the Spectro Cloud Artifact Repository (SCAR) to download the required FIPS images.
+
+
+
+#### OCI Registry
+
+
+Palette requires access to an OCI registry that contains all the required FIPS packs. You can host your own OCI registry and configure Palette to reference the registry. Alternatively, you can use the public OCI registry that we provide. Refer to the [`ociPackEcrRegistry`](#oci-ecr-registry) section to learn more about the publicly available OCI registry.
+
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `ociPackRegistry.endpoint` | The endpoint URL for the registry. | String| `""` |
+| `ociPackRegistry.name` | The name of the registry. | String| `""` |
+| `ociPackRegistry.password` | The base64-encoded password for the registry. | String| `""` |
+| `ociPackRegistry.username` | The username for the registry. | String| `""` |
+| `ociPackRegistry.baseContentPath`| The base path for the registry. | String | `""` |
+| `ociPackRegistry.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the registry connection. | Boolean | `false` |
+| `ociPackRegistry.caCert` | The registry's base64-encoded certificate authority (CA) certificate. | String | `""` |
+
+
+```yaml
+config:
+ ociPackRegistry:
+ endpoint: ""
+ name: ""
+ password: ""
+ username: ""
+ baseContentPath: ""
+ insecureSkipVerify: false
+ caCert: ""
+```
+
+#### OCI ECR Registry
+
+We expose a public OCI ECR registry that you can configure Palette to reference. If you want to host your own OCI registry, refer to the [OCI Registry](#oci-registry) section.
+The OCI Elastic Container Registry (ECR) is hosted in an AWS ECR registry. Our support team provides the credentials for the OCI ECR registry.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `ociPackEcrRegistry.endpoint` | The endpoint URL for the registry. | String| `""` |
+| `ociPackEcrRegistry.name` | The name of the registry.
| String| `""` |
+| `ociPackEcrRegistry.accessKey` | The base64-encoded access key for the registry. | String| `""` |
+| `ociPackEcrRegistry.secretKey` | The base64-encoded secret key for the registry. | String| `""` |
+| `ociPackEcrRegistry.baseContentPath`| The base path for the registry. | String | `""` |
+| `ociPackEcrRegistry.isPrivate` | Specifies whether the registry is private. | Boolean | `true` |
+| `ociPackEcrRegistry.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the registry connection. | Boolean | `false` |
+| `ociPackEcrRegistry.caCert` | The registry's base64-encoded certificate authority (CA) certificate. | String | `""` |
+
+```yaml
+config:
+ ociPackEcrRegistry:
+ endpoint: ""
+ name: ""
+ accessKey: ""
+ secretKey: ""
+ baseContentPath: ""
+ isPrivate: true
+ insecureSkipVerify: false
+ caCert: ""
+```
+
+#### Spectro Cloud Artifact Repository (SCAR)
+
+SCAR credentials are required to download the necessary FIPS manifests. Our support team provides the SCAR credentials.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `scar.endpoint` | The endpoint URL of SCAR. | String| `""` |
+| `scar.username` |The username for SCAR. | String| `""` |
+| `scar.password` | The base64-encoded password for the SCAR. | String| `""` |
+| `scar.insecureSkipVerify` | Specifies whether to skip Transport Layer Security (TLS) verification for the SCAR connection. | Boolean | `false` |
+| `scar.caCert` | The base64-encoded certificate authority (CA) certificate for SCAR. | String | `""` |
+
+
+
+ ```yaml
+ config:
+ scar:
+ endpoint: ""
+ username: ""
+ password: ""
+ insecureSkipVerify: false
+ caCert: ""
+ ```
+
+#### Image Swap Configuration
+
+You can configure Palette to use image swap to download the required images. This is an advanced configuration option, and it is only required for air-gapped deployments. You must also install the Palette Image Swap Helm chart to use this option, otherwise, Palette will ignore the configuration.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `imageSwapInitImage` | The image swap init image. | String | `gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2` |
+| `imageSwapImage` | The image swap image. | String | `gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2` |
+| `imageSwapConfig`| The image swap configuration for specific environments. | String | `""` |
+| `imageSwapConfig.isEKSCluster` | Specifies whether the cluster is an Amazon EKS cluster. Set to `false` if the Kubernetes cluster is not an EKS cluster. | Boolean | `true` |
+
+
+
+ ```yaml
+ config:
+ imageSwapImages:
+ imageSwapInitImage: "gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2"
+ imageSwapImage: "gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2"
+
+ imageSwapConfig:
+ isEKSCluster: true
+ ```
+
+### NATS
+
+Palette uses [NATS](https://nats.io) and gRPC for communication between Palette components. Dual support for NATS and gRPC is available. You can enable the deployment of an additional load balancer for NATS. Host clusters deployed by Palette use the load balancer to communicate with the Palette control plane. This is an advanced configuration option and is not required for most deployments. Speak with your support representative before enabling this option.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `nats.enabled`| Specifies whether to enable the deployment of a NATS load balancer. | Boolean | `true` |
+| `nats.internal`| Specifies whether to deploy a load balancer or use the host network. If this value is set to `true`, then the remaining NATS parameters are ignored. | Boolean | `true` |
+| `nats.natsUrl`| The NATS URL. This can be a comma separated list of mappings for the NATS load balancer service. For example, "message1.dev.spectrocloud.com:4222,message2.dev.spectrocloud.com:4222". This parameter is mandatory if `nats.internal` is set to `false`. If `nats.internal` is set to `true`, you can leave this parameter empty. | String | `""` |
+| `nats.annotations`| A map of key-value pairs that specifies load balancer annotations for NATS. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification. | Object | `{}` |
+| `nats.natsStaticIP`| Specify a static IP address for the NATS load balancer service. If empty, a dynamic IP address will be assigned to the load balancer.
| String | `""` |
+
+
+
+
+ ```yaml
+ nats:
+ enabled: true
+ internal: true
+ natsUrl: ""
+ annotations: {}
+ natsStaticIP:
+```
+
+
+
+
+### gRPC
+
+gRPC is used for communication between Palette components. You can enable the deployment of an additional load balancer for gRPC. Host clusters deployed by Palette use the load balancer to communicate with the Palette control plane. This is an advanced configuration option, and it is not required for most deployments. Speak with your support representative before enabling this option. Dual support for NATS and gRPC is available.
+
+If you want to use an external gRPC endpoint, you must provide a domain name for the gRPC endpoint and a valid x509 certificate. Additionally, you must provide a custom domain name for the endpoint. A CNAME DNS record must point to the IP address of the gRPC load balancer. For example, if your Palette domain name is `palette.example.com`, you could create a CNAME DNS record for `grpc.palette.example.com` that points to the IP address of the load balancer dedicated to gRPC.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `external`| Specifies whether to use an external gRPC endpoint. | Boolean | `false` |
+| `endpoint`| The gRPC endpoint. | String | `""` |
+| `caCertificateBase64`| The base64-encoded certificate authority (CA) certificate for the gRPC endpoint. | String | `""` |
+| `serverCrtBase64`| The base64-encoded server certificate for the gRPC endpoint. | String | `""` |
+| `serverKeyBase64`| The base64-encoded server key for the gRPC endpoint. | String | `""` |
+| `insecureSkipVerify`| Specifies whether to skip Transport Layer Security (TLS) verification for the gRPC endpoint. | Boolean | `false` |
+
+
+
+
+```yaml
+grpc:
+ external: false
+ endpoint: ""
+ caCertificateBase64: ""
+ serverCrtBase64: ""
+ serverKeyBase64: ""
+ insecureSkipVerify: false
+```
+
+### Ingress
+
+Palette deploys an Nginx Ingress Controller.
This controller is used to route traffic to the Palette control plane. You can change the default behavior and omit the deployment of an Nginx Ingress Controller.
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `enabled`| Specifies whether to deploy an Nginx controller. Set to `false` if you do not want an Nginx controller deployed. | Boolean | `true` |
+| `ingress.internal`| Specifies whether to deploy a load balancer or use the host network. | Boolean | `false` |
+| `ingress.certificate`| Specify the base64-encoded x509 SSL certificate for the Nginx Ingress Controller. If left blank, the Nginx Ingress Controller will generate a self-signed certificate. | String | `""` |
+| `ingress.key`| Specify the base64-encoded x509 SSL certificate key for the Nginx Ingress Controller. | String | `""` |
+| `ingress.annotations`| A map of key-value pairs that specifies load balancer annotations for ingress. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification. | Object | `{}` |
+| `ingress.ingressStaticIP`| Specify a static IP address for the ingress load balancer service. If empty, a dynamic IP address will be assigned to the load balancer. | String | `""` |
+| `ingress.terminateHTTPSAtLoadBalancer`| Specifies whether to terminate HTTPS at the load balancer. | Boolean | `false` |
+
+
+```yaml
+ingress:
+ enabled: true
+ ingress:
+ internal: false
+ certificate: ""
+ key: ""
+ annotations: {}
+ ingressStaticIP: ""
+ terminateHTTPSAtLoadBalancer: false
+```
+
+### Spectro Proxy
+
+You can specify a reverse proxy server that clusters deployed through Palette can use to facilitate network connectivity to the cluster's Kubernetes API server.
Host clusters deployed in private networks can use the [Spectro Proxy pack](../../../integrations/frp.md) to expose the cluster's Kubernetes API to downstream clients that are not in the same network. Check out the [Reverse Proxy](../../system-management/reverse-proxy.md) documentation to learn more about setting up a reverse proxy server for Palette.
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `frps.enabled`| Specifies whether to enable the Spectro server-side proxy. | Boolean | `false` |
+| `frps.frpHostURL`| The Spectro server-side proxy URL. | String | `""` |
+| `frps.server.crt`| The base64-encoded server certificate for the Spectro server-side proxy. | String | `""` |
+| `frps.server.key`| The base64-encoded server key for the Spectro server-side proxy. | String | `""` |
+| `frps.ca.crt`| The base64-encoded certificate authority (CA) certificate for the Spectro server-side proxy. | String | `""` |
+
+```yaml
+frps:
+ frps:
+ enabled: false
+ frpHostURL: ""
+ server:
+ crt: ""
+ key: ""
+ ca:
+ crt : ""
+```
+
+### UI System
+
+The table lists parameters to configure the Palette User Interface (UI) behavior. You can disable the UI or the Network Operations Center (NOC) UI. You can also specify the MapBox access token and style layer ID for the NOC UI. MapBox is a third-party service that provides mapping and location services. To learn more about MapBox and how to obtain an access token, refer to the [MapBox Access tokens](https://docs.mapbox.com/help/getting-started/access-tokens) guide.
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `enabled`| Specifies whether to enable the Palette UI. | Boolean | `true` |
+| `ui.nocUI.enable`| Specifies whether to enable the Palette Network Operations Center (NOC) UI. Enabling this parameter requires the `ui.nocUI.mapBoxAccessToken`. Once enabled, all cluster locations will be reported to MapBox.
This feature is not FIPS compliant. | Boolean | `false` |
+| `ui.nocUI.mapBoxAccessToken`| The MapBox access token for the Palette NOC UI. | String | `""` |
+| `ui.nocUI.mapBoxStyledLayerID`| The MapBox style layer ID for the Palette NOC UI. | String | `""` |
+
+
+
+```yaml
+ui-system:
+ enabled: true
+ ui:
+ nocUI:
+ enable: false
+ mapBoxAccessToken: ""
+ mapBoxStyledLayerID: ""
+```
+
+
+
+
+### Reach System
+
+You can configure Palette to use a proxy server to access the internet. Set the parameter `reach-system.reachSystem.enabled` to `true` to enable the proxy server. Proxy settings are configured in the `reach-system.reachSystem.proxySettings` section.
+
+
+| **Parameters** | **Description** | **Type** | **Default value** |
+| --- | --- | --- | --- |
+| `reachSystem.enabled`| Specifies whether to enable the usage of a proxy server for Palette. | Boolean | `false` |
+| `reachSystem.proxySettings.http_proxy`| The HTTP proxy server URL. | String | `""` |
+| `reachSystem.proxySettings.https_proxy`| The HTTPS proxy server URL. | String | `""` |
+| `reachSystem.proxySettings.no_proxy`| A list of hostnames or IP addresses that should not be proxied. | String | `""` |
+
+
+ ```yaml
+ reach-system:
+ reachSystem:
+ enabled: false
+ proxySettings:
+ http_proxy: ""
+ https_proxy: ""
+ no_proxy:
+ ```
\ No newline at end of file
diff --git a/docs/docs-content/enterprise-version/install-palette/install-palette.md b/docs/docs-content/enterprise-version/install-palette/install-palette.md
new file mode 100644
index 0000000000..865053ec9d
--- /dev/null
+++ b/docs/docs-content/enterprise-version/install-palette/install-palette.md
@@ -0,0 +1,79 @@
+---
+sidebar_label: "Installation"
+title: "Installation"
+description: "Review Palette system requirements and learn more about the various install methods."
+icon: ""
+hide_table_of_contents: false
+tags: ["palette", "self-hosted"]
+---
+
+
+Palette is available as a self-hosted application that you install in your environment. The self-hosted version is a dedicated Palette environment hosted on VMware instances or in an existing Kubernetes cluster. Palette is available in the following modes:
+
+| **Supported Platform** | **Description** |
+|------------------------|------------------------------------|
+| VMware | Install Palette in VMware environment. |
+| Kubernetes | Install Palette using a Helm Chart in an existing Kubernetes cluster. |
+
+The next sections describe specific requirements for installing Palette.
+
+## Proxy Requirements
+
+- A proxy used for outgoing connections should support both HTTP and HTTPS traffic.
+
+
+- Allow connectivity to domains and ports in the table.
+
+
+
+ | **Top-Level Domain** | **Port** | **Description** |
+ |----------------------------|----------|-------------------------------------------------|
+ | spectrocloud.com | 443 | Spectro Cloud content repository and pack registry |
+ | s3.amazonaws.com | 443 | Spectro Cloud VMware OVA files |
+ | gcr.io | 443 | Spectro Cloud and common third party container images |
+ | ghcr.io | 443 | Kubernetes VIP images |
+ | docker.io | 443 | Common third party content |
+ | googleapis.com | 443 | For pulling Spectro Cloud images |
+ | docker.com | 443 | Common third party container images |
+ | raw.githubusercontent.com | 443 | Common third party content |
+ | projectcalico.org | 443 | Calico container images |
+ | quay.io | 443 | Common 3rd party container images |
+ | grafana.com | 443 | Grafana container images and manifests |
+ | github.com | 443 | Common third party content |
+
+
+## Size Guidelines
+
+This section lists resource requirements for Palette for various capacity levels. In Palette VerteX, the terms *small*, *medium*, and *large* are used to describe the instance size of worker pools that Palette is installed on. The following table lists the resource requirements for each size.
+
+
+
+
+:::caution
+
+The recommended maximum number of deployed nodes and clusters in the environment should not be exceeded. We have tested the performance of Palette with the recommended maximum number of deployed nodes and clusters. Exceeding these limits can negatively impact performance and result in instability. The active workload limit refers to the maximum number of active nodes and pods at any given time.
+
+:::
+
+
+
+
+| **Size** | **Nodes**| **CPU**| **Memory**| **Storage**| **MongoDB Storage Limit**| **MongoDB Memory Limit**| **MongoDB CPU Limit** |**Total Deployed Nodes**| **Deployed Clusters with 10 Nodes**|
+|----------|----------|--------|-----------|------------|--------------------|-------------------|------------------|----------------------------|----------------------|
+| Small | 3 | 8 | 16 GB | 60 GB | 20 GB | 4 GB | 2 | 1000 | 100 |
+| Medium (Recommended) | 3 | 16 | 32 GB | 100 GB | 60 GB | 8 GB | 4 | 3000 | 300 |
+| Large | 3 | 32 | 64 GB | 120 GB | 80 GB | 12 GB | 6 | 5000 | 500 |
+
+
+#### Instance Sizing
+
+| **Configuration** | **Active Workload Limit** |
+|---------------------|---------------------------------------------------|
+| Small | Up to 1000 Nodes each with 30 Pods (30,000 Pods) |
+| Medium (Recommended) | Up to 3000 Nodes each with 30 Pods (90,000 Pods)|
+| Large | Up to 5000 Nodes each with 30 Pods (150,000 Pods) |
+
+
+
+## Resources
diff --git a/docs/docs-content/enterprise-version/system-management/_category_.json b/docs/docs-content/enterprise-version/system-management/_category_.json
new file mode 100644
index 0000000000..455b8e4969
--- /dev/null
+++ b/docs/docs-content/enterprise-version/system-management/_category_.json
@@ -0,0 +1,3 @@
+{
+ "position": 20
+}
diff --git a/docs/docs-content/enterprise-version/system-management/reverse-proxy.md b/docs/docs-content/enterprise-version/system-management/reverse-proxy.md
new file mode 100644
index 0000000000..cb78e9c5ef
--- /dev/null
+++ b/docs/docs-content/enterprise-version/system-management/reverse-proxy.md
@@ -0,0 +1,255 @@
+---
+sidebar_label: "Configure Reverse Proxy"
+title: "Configure Reverse Proxy"
+description: "Learn how to configure a reverse proxy for Palette."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 40
+tags: ["palette", "management"]
+---
+
+
+
+You can configure a reverse proxy for Palette. The reverse proxy can be used by host clusters deployed in a private network. Host clusters deployed in a private network are not accessible from the public internet or by users in different networks. You can use a reverse proxy to access the cluster's Kubernetes API server from a different network.
+
+When you configure reverse proxy server for Palette, clusters that use the [Spectro Proxy pack](../../integrations/frp.md) will use the reverse proxy server address in the kubeconfig file. Clusters not using the Spectro Proxy pack will use the default cluster address in the kubeconfig file.
+
+
+Use the following steps to configure a reverse proxy server for Palette.
+
+## Prerequisites
+
+
+- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) is installed and available.
+
+
+- [Helm](https://helm.sh/docs/intro/install/) is installed and available.
+
+
+- Access to the kubeconfig file of the Palette Kubernetes cluster. You can download the kubeconfig file from the Palette system console. Navigate to **Enterprise System Migration**, select the Palette cluster, and click the **Download Kubeconfig** button for the cluster.
+
+
+- A domain name that you can use for the reverse proxy server. You will also need access to the DNS records for the domain so that you can create a CNAME DNS record for the reverse proxy server load balancer.
+
+
+- Ensure you have an SSL certificate that matches the domain name you will assign to Spectro Proxy. You will need this to enable HTTPS encryption for the Spectro Proxy. Contact your network administrator or security team to obtain the SSL certificate.
You need the following files:
+ - x509 SSL certificate file in base64 format.
+
+ - x509 SSL certificate key file in base64 format.
+
+ - x509 SSL certificate authority file in base64 format.
+
+
+- The Spectro Proxy server must have internet access and network connectivity to the private network where the Kubernetes clusters are deployed.
+
+
+## Enablement
+
+1. Open a terminal session and navigate to the directory where you stored the **values.yaml** for the Palette installation.
+
+
+2. Use a text editor and open the **values.yaml** file. Locate the `frps` section and update the following values in the **values.yaml** file. Refer to the [Spectro Proxy Helm Configuration](../install-palette/install-on-kubernetes/palette-helm-ref.md#spectro-proxy) to learn more about the configuration options.
+
+
+
+ | **Parameter** | **Description** | **Type** |
+ | --- | --- | ---|
+ | `enabled`| Set to `true` to enable the Spectro Proxy server. | boolean |
+ | `frps.frpHostURL`| The domain name you will use for the Spectro Proxy server. For example, `frps.example.com`. |
+ | `server.crt`| The x509 SSL certificate file in base64 format. |
+ | `server.key`| The x509 SSL certificate key file in base64 format. |
+ | `ca.crt`| The x509 SSL certificate authority file in base64 format. |
+
+
+
+ The following is an example of the `frps` section in the **values.yaml** file. The SSL certificate files are truncated for brevity.
+
+
+
+ ```yaml
+ frps:
+ frps:
+ enabled: true
+ frpHostURL: "frps..example.com"
+ server:
+ crt: "LS0tLS1CRU...........tCg=="
+ key: "LS0tLS1CRU...........tCg=="
+ ca:
+ crt : "LS0tLS1CRU...........tCg=="
+ ```
+
+
+3. Issue the `helm upgrade` command to update the Palette Kubernetes configuration. The command below assumes you in the folder that contains the **values.yaml** file and the Palette Helm chart. Change the directory path if needed.
+
+
+
+ ```bash
+ helm upgrade --values values.yaml hubble spectro-mgmt-plane-0.0.0.tgz --install
+ ```
+
+
+4. After the new configurations are accepted, use the following command to get the Spectro Proxy server's load balancer IP address.
+
+
+
+ ```bash
+ kubectl get svc --namespace proxy-system spectro-proxy-svc
+ ```
+5. Update the DNS records for the domain name you used for the Spectro Proxy server. Create a CNAME record that points to the Spectro Proxy server's load balancer IP address.
+
+
+6. Log in to the Palette System API by using the `/v1/auth/syslogin` endpoint. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette or use the IP address. Ensure you replace the credentials below with your system console credentials.
+
+
+
+ ```bash
+ curl --insecure --location 'https://.example.com/v1/auth/syslogin' \
+ --header 'Content-Type: application/json' \
+ --data '{
+ "password": "**********",
+ "username": "**********"
+ }'
+ ```
+ Output
+ ```json hideClipboard
+ {
+ "Authorization": "**********.",
+ "IsPasswordReset": true
+ }
+ ```
+
+7. Using the output you received, copy the authorization value to your clipboard and assign it to a shell variable. Replace the authorization value below with the value from the output.
+
+
+
+ ```shell hideClipboard
+ TOKEN=**********
+ ```
+
+8. Next, prepare a payload for the`/v1/system/config/` endpoint. This endpoint is used to configure Palette to use a reverse proxy. The payload requires the following parameters:
+
+
+
+ | **Parameter** | **Description** | **Type** |
+ | --- | --- | --- |
+ | `caCert`| The x509 SSL certificate authority file in base64 format. | string |
+ | `clientCert`| The x509 SSL certificate file in base64 format. | string |
+ | `clientKey`| The x509 SSL certificate key file in base64 format. | string |
+ | `port` | The port number for the reverse proxy server. We recommend using port `443`. | integer |
+ | `protocol` | The protocol to use for the reverse proxy server. We recommend using `https`. | string |
+ | `server`| The domain name you will use for the Spectro Proxy server. For example, `frps.example.com`. Don't include the HTTP schema in the value. | string |
+
+ The following is an example payload. The SSL certificate files are truncated for brevity.
+
+
+
+ ```json hideClipboard
+ {
+ "caCert": "-----BEGIN CERTIFICATE-----\n.............\n-----END CERTIFICATE-----",
+ "clientCert": "-----BEGIN CERTIFICATE-----\n..........\n-----END CERTIFICATE-----",
+ "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n........\n-----END RSA PRIVATE KEY-----",
+ "port": 443,
+ "protocol": "https",
+ "server": "frps..example.com.com"
+ }
+ ```
+
+ :::info
+
+ You can save the payload to a file and use the `cat` command to read the file contents into the `curl` command. For example, if you save the payload to a file named `payload.json`, you can use the following command to read the file contents into the `curl` command. You can also save the payload as a shell variable and use the variable in the `curl` command.
+
+ :::
+
+
+
+
+9. Issue a PUT request using the following `curl` command. Replace the URL with the custom domain URL you assigned to Palette or use the IP address. You can use the `TOKEN` variable you created earlier for the authorization header. Ensure you replace the payload below with the payload you created in the previous step.
+
+
+
+ ```bash
+ curl --insecure --silent --include --output /dev/null -w "%{http_code}" --location --request PUT 'https://.example.com/v1/system/config/reverseproxy' \
+ --header "Authorization: $TOKEN" \
+ --header 'Content-Type: application/json' \
+ --data ' {
+ "caCert": "-----BEGIN CERTIFICATE-----\n................\n-----END CERTIFICATE-----\n",
+ "clientCert": "-----BEGIN CERTIFICATE-----\n.............\n-----END CERTIFICATE-----",
+ "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n............\n-----END RSA PRIVATE KEY-----\n",
+ "port": 443,
+ "protocol": "https",
+ "server": "frps..example.com.com"
+ }'
+ ```
+
+ A successful response returns a `204` status code.
+
+ Output
+ ```shell hideClipboard
+ 204
+ ```
+
+You now have a Spectro Proxy server that you can use to access Palette clusters deployed in a different network. Make sure you add the [Spectro Proxy pack](../../integrations/frp.md) to the clusters you want to access using the Spectro Proxy server.
+
+
+## Validate
+
+Use the following command to validate that the Spectro Proxy server is active.
+
+
+
+
+
+1. Open a terminal session.
+
+
+2. Log in to the Palette System API by using the `/v1/auth/syslogin` endpoint. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette or use the IP address. Ensure you replace the credentials below with your system console credentials.
+
+
+
+ ```bash
+ curl --insecure --location 'https://palette.example.com/v1/auth/syslogin' \
+ --header 'Content-Type: application/json' \
+ --data '{
+ "password": "**********",
+ "username": "**********"
+ }'
+ ```
+ Output
+ ```json hideClipboard
+ {
+ "Authorization": "**********.",
+ "IsPasswordReset": true
+ }
+ ```
+
+3. Using the output you received, copy the authorization value to your clipboard and assign it to a shell variable. Replace the authorization value below with the value from the output.
+
+
+
+ ```shell hideClipboard
+ TOKEN=**********
+ ```
+
+4. Query the system API endpoint `/v1/system/config/reverseproxy` to verify the current reverse proxy settings applied to Palette. Use the `curl` command below and replace the URL with the custom domain URL you assigned to Palette or use the IP address. You can use the `TOKEN` variable you created earlier for the authorization header.
+
+
+
+ ```bash
+ curl --location --request GET 'https://palette.example.com/v1/system/config/reverseproxy' \
+ --header "Authorization: $TOKEN"
+ ```
+
+ If the proxy server is configured correctly, you will receive an output similar to the following containing your settings. The SSL certificate outputs are truncated for brevity.
+
+
+
+ ```json hideClipboard
+ {
+ "caCert": "-----BEGIN CERTIFICATE-----\n...............\n-----END CERTIFICATE-----\n",
+ "clientCert": "-----BEGIN CERTIFICATE-----\n...........\n-----END CERTIFICATE-----",
+ "clientKey": "-----BEGIN RSA PRIVATE KEY-----\n........\n-----END RSA PRIVATE KEY-----\n",
+ "port": 443,
+ "protocol": "https",
+ "server": "frps.palette.example.com"
+ }
+ ```
\ No newline at end of file
diff --git a/docs/docs-content/enterprise-version/system-management/ssl-certificate-management.md b/docs/docs-content/enterprise-version/system-management/ssl-certificate-management.md
new file mode 100644
index 0000000000..fda0f65183
--- /dev/null
+++ b/docs/docs-content/enterprise-version/system-management/ssl-certificate-management.md
@@ -0,0 +1,85 @@
+---
+sidebar_label: "SSL Certificate Management"
+title: "SSL Certificate"
+description: "Upload and manage SSL certificates in Palette."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 30
+tags: ["palette", "management"]
+---
+
+
+When you install Palette, a self-signed certificate is generated and used by default. You can upload your own SSL certificate to replace the default certificate.
+
+Palette uses SSL certificates to secure external communication. Palette 's internal communication is default secured by default and uses HTTPS. External communication with Palette , such as the system console, gRPC endpoint, and API endpoint, requires you to upload an SSL certificate to enable HTTPS.
+
+
+
+:::info
+
+Enabling HTTPS is a non-disruptive operation. You can enable HTTPS at any time without affecting the system's functionality.
+
+:::
+
+
+## Upload an SSL Certificate
+
+You can upload an SSL certificate in Palette by using the following steps.
+
+
+## Prerequisites
+
+- Access to the Palette system console.
+
+
+- You need to have an x509 certificate and a key file in PEM format. The certificate file must contain the full certificate chain. Reach out to your network administrator or security team if you do not have these files.
+
+
+- Ensure the certificate is created for the custom domain name you specified for your Palette installation. If you did not specify a custom domain name, the certificate must be created for the Palette system console's IP address. You can also specify a load balancer's IP address if you are using a load balancer to access Palette .
+
+
+## Enablement
+
+1. Log in to the Palette system console.
+
+
+2. Navigate to the left **Main Menu** and select **Administration**.
+
+
+3. Select the tab titled **Certificates**.
+
+
+4. Copy and paste the certificate into the **Certificate** field.
+
+
+5. Copy and paste the certificate key into the **Key** field.
+
+
+6. Copy and paste the certificate authority into the **Certificate authority** field.
+
+
+
+
+ ![A view of the certificate upload screen](/vertex_system-management_ssl-certifiacte-management_certificate-upload.png)
+
+
+7. Save your changes.
+
+If the certificate is invalid, you will receive an error message. Once the certificate is uploaded successfully, Palette will refresh its listening ports and start using the new certificate.
+
+
+## Validate
+
+You can validate that your certificate is uploaded correctly by using the following steps.
+
+
+
+1. Log out of the Palette system console. If you are already logged in, log out and close your browser session. Browsers cache connections and may not use the newly enabled HTTPS connection. Closing your existing browser session avoids issues related to your browser caching an HTTP connection.
+
+
+2. Log back into the Palette system console. Ensure the connection is secure by checking the URL. The URL should start with `https://`.
+
+
+Palette is now using your uploaded certificate to create a secure HTTPS connection with external clients. Users can now securely access the system console, gRPC endpoint, and API endpoint.
\ No newline at end of file
diff --git a/docs/docs-content/enterprise-version/system-management/system-management.md b/docs/docs-content/enterprise-version/system-management/system-management.md
new file mode 100644
index 0000000000..65c571db19
--- /dev/null
+++ b/docs/docs-content/enterprise-version/system-management/system-management.md
@@ -0,0 +1,30 @@
+---
+sidebar_label: "System Management"
+title: "System Management"
+description: "Manage your Palette system settings."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 20
+tags: ["palette", "self-hosted", "management"]
+---
+
+Palette contains many system settings you can configure to meet your organization's needs. These settings are available at the system level and are applied to all [tenants](../../glossary-all.md#tenant) in the system.
+
+You can access the system setting by visiting the IP address or the custom domain name assigned to your Palette cluster and appending the `/system` path to the URL. For example, if your Palette cluster is hosted at `https://palette.abc.com`, you can access the system settings at `https://palette.abc.com/system`.
+
+
+
+:::caution
+
+Exercise caution when changing system settings as the changes will be applied to all tenants in the system.
+
+:::
+
+
+## Resources
+
+
+* [Tenant Management](../system-management/tenant-management.md)
+
+
+* [SSL Certificate Management](../system-management/ssl-certificate-management.md)
diff --git a/docs/docs-content/enterprise-version/system-management/tenant-management.md b/docs/docs-content/enterprise-version/system-management/tenant-management.md
new file mode 100644
index 0000000000..94e744c210
--- /dev/null
+++ b/docs/docs-content/enterprise-version/system-management/tenant-management.md
@@ -0,0 +1,119 @@
+---
+sidebar_label: "Tenant Management"
+title: "Tenant Management"
+description: "Learn how to create and remove tenants in Palette."
+icon: ""
+hide_table_of_contents: false
+sidebar_position: 10
+tags: ["palette", "self-hosted", "management"]
+---
+
+
+Tenants are isolated environments in Palette that contain their own clusters, users, and resources. You can create multiple tenants in Palette to support multiple teams or projects. Instructions for creating and removing tenants are provided below.
+
+
+
+
+## Create a Tenant
+
+You can create a tenant in Palette by following these steps.
+
+
+## Prerequisites
+
+* Access to the Palette system console.
+
+
+## Enablement
+
+1. Log in to the Palette system console.
+
+
+2. Navigate to the left **Main Menu** and select **Tenant Management**.
+
+
+3. Click **Create New Tenant**.
+
+
+4. Fill out the **Org Name** and the properties of the admin user by providing the **First Name**, **Last Name**, and **Email**.
+
+
+5. Confirm your changes.
+
+
+6. From the tenant list view, find your newly created tenant and click on the **three dots Menu**. Select **Activate** to activate the tenant.
+
+
+
+ ![View of a tenant activation option](/vertex_system-management_tenant-management_activate-tenant.png)
+
+
+
+7. A pop-up box will present you with an activation URL. Copy the URL and paste it into your browser to activate the tenant.
+
+
+8. Provide the admin user with a new password.
+
+
+9. Log in to the tenant console using the admin user credentials.
+
+
+## Validate
+
+1. Log in to Palette .
+
+
+2. Verify you can access the tenant as the admin user.
+
+
+
+## Remove a Tenant
+
+You can remove a tenant in Palette using the following steps.
+
+## Prerequisites
+
+* Access to the Palette system console.
+
+## Removal
+
+1. Log in to the Palette system console.
+
+
+2. Navigate to the left **Main Menu** and select **Tenant Management**.
+
+
+3. From the tenant list view, select the tenant you want to remove and click on the **three dots Menu**.
+
+
+4. Select **Delete** to prepare the tenant for removal.
+
+
+5. Click on your tenant's **three dots Menu** and select **Clean up** to remove all the tenant's resources.
+
+
+
+ ![View of a tenant deletion option](/vertex_system-management_tenant-management_remove-tenant.png)
+
+
+
+
+ :::caution
+
+ If you do not clean up the tenant's resources, such as clusters and Private Cloud Gateways (PCGs), the tenant will remain in a **Deleting** state. You can use **Force Cleanup & Delete** to proceed with deletion without manually cleaning up tenant resources.
+
+ :::
+
+
+After the cleanup process completes, the tenant will be removed from the tenant list view.
+
+## Validate
+
+
+1. Log in to the Palette system console.
+
+
+2. Navigate to the left **Main Menu** and select **Tenant Management**.
+
+
+3. Validate that the tenant was removed by checking the tenant list view.
\ No newline at end of file