Deckhouse Kubernetes Platform in a private environment
This feature is available in Standard and Enterprise Edition only.
The recommended settings for a Deckhouse Kubernetes Platform Community Edition installation are generated below:
config.yml is a file with the configuration needed to bootstrap the cluster. It contains the installer parameters, access parameters, and the initial cluster parameters.
Please pay attention to:
- highlighted parameters you must define.
- parameters you might want to change.
- The installation must be performed from a personal computer with SSH access to the node that will become the master node of the future cluster.
Create the config.yml file.
# General cluster parameters.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#clusterconfiguration
apiVersion: deckhouse.io/v1
kind: ClusterConfiguration
clusterType: Static
# Address space of the cluster's Pods.
podSubnetCIDR: 10.111.0.0/16
# Address space of the cluster's services.
serviceSubnetCIDR: 10.222.0.0/16
kubernetesVersion: "Automatic"
# Cluster domain (used for local routing).
clusterDomain: "cluster.local"
# Proxy server settings. In the exception list (noProxy parameter), also specify the comma-separated IP addresses of cluster nodes, container registry, or proxy server.
proxy:
  httpProxy: <HTTP_PROXY_ADDRESS>
  httpsProxy: <HTTPS_PROXY_ADDRESS>
  noProxy: <NO_PROXY_LIST>
---
# Settings for bootstrapping the Deckhouse cluster.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#initconfiguration
apiVersion: deckhouse.io/v1
kind: InitConfiguration
deckhouse:
  # Address of the Docker registry where the Deckhouse images are located.
  imagesRepo: <IMAGES_REPO_URI>
  # A special string with your token to access the Docker registry.
  registryDockerCfg: <YOUR_PRIVATE_ACCESS_STRING_IS_HERE>
  # Registry access scheme (HTTP or HTTPS).
  registryScheme: HTTPS
  # Root CA certificate to validate the registry’s HTTPS certificate (if self-signed certificates are used).
  registryCA: <REGISTRY_CA>
---
# Deckhouse module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/002-deckhouse/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: deckhouse
spec:
  version: 1
  enabled: true
  settings:
    bundle: Default
    releaseChannel: Stable
    logLevel: Info
---
# Global Deckhouse settings.
# https://deckhouse.ru/products/kubernetes-platform/documentation/v1/deckhouse-configure-global.html#parameters
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: global
spec:
  version: 1
  settings:
    modules:
      # Template that will be used for system apps domains within the cluster.
      # E.g., Grafana for %s.example.com will be available as 'grafana.example.com'.
      # The domain MUST NOT match the one specified in the clusterDomain parameter of the ClusterConfiguration resource.
      # You can change it to your own or follow the steps in the guide and change it after installation.
      publicDomainTemplate: "%s.example.com"
      # The HTTPS implementation used by the Deckhouse modules.
      https:
        certManager:
          # Use self-signed certificates for Deckhouse modules.
          clusterIssuerName: selfsigned
---
# user-authn module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: user-authn
spec:
  version: 2
  enabled: true
  settings:
    controlPlaneConfigurator:
      dexCAMode: FromIngressSecret
    # Enabling access to the API server through Ingress.
    # https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html#parameters-publishapi
    publishAPI:
      enabled: true
      https:
        mode: Global
        global:
          kubeconfigGeneratorMasterCA: ""
---
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings:
    disableLetsencrypt: true
---
# cni-cilium module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/021-cni-cilium/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cni-cilium
spec:
  version: 1
  # Enable the cni-cilium module.
  enabled: true
  settings:
    # cni-cilium module settings
    # https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/021-cni-cilium/configuration.html
    tunnelMode: VXLAN
---
# Static cluster settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#staticclusterconfiguration
apiVersion: deckhouse.io/v1
kind: StaticClusterConfiguration
# List of internal cluster networks (e.g., '10.0.4.0/24') used for
# linking Kubernetes components (kube-apiserver, kubelet, etc.).
# Specify it if the cluster nodes have more than one network interface or if you are using the virtualization module.
# If only one interface is used on the nodes of the cluster, the StaticClusterConfiguration resource does not need to be created.
internalNetworkCIDRs:
- *!CHANGE_internalNetworkCIDRs*
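A pre-flight check for the config.yml above, as an added example that is not part of the original page or of Deckhouse tooling: it flags unreplaced placeholders, a publicDomainTemplate that matches clusterDomain, a non-HTTPS registryScheme, overlapping networks, and addresses missing from noProxy. The sample file, the scalar() and lint() helpers and the must_bypass_proxy parameter are assumptions made for the example, and the overlap rule is a general Kubernetes requirement rather than something the page states.

```python
import ipaddress
import itertools
import re

# Constructed config.yml in the page's layout; every value is made up for the demo.
SAMPLE = """\
kind: ClusterConfiguration
podSubnetCIDR: 10.111.0.0/16
serviceSubnetCIDR: 10.222.0.0/16
clusterDomain: "cluster.local"
proxy:
  noProxy: 127.0.0.1,192.0.2.21
---
kind: InitConfiguration
deckhouse:
  imagesRepo: registry.corp.example/deckhouse/ee
  registryDockerCfg: <YOUR_PRIVATE_ACCESS_STRING_IS_HERE>
  registryScheme: HTTP
---
kind: ModuleConfig
metadata:
  name: global
spec:
  settings:
    modules:
      publicDomainTemplate: "%s.cluster.local"
---
kind: StaticClusterConfiguration
internalNetworkCIDRs:
- 10.111.4.0/24
"""

PLACEHOLDER = re.compile(r"<[A-Z_]+>|\*!CHANGE_\w+\*")
def scalar(text, key):
    """First 'key: value' scalar in the file (these keys occur once), else None."""
    m = re.search(rf"^[ \t]*{key}:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return m.group(1).strip("\"'") if m else None

def lint(text, must_bypass_proxy=()):
    """Return findings; must_bypass_proxy lists node, registry and proxy addresses."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        for ph in PLACEHOLDER.findall(line.split("#", 1)[0]):
            out.append(f"line {n}: placeholder {ph} not replaced")
    # Stated on the page: publicDomainTemplate must not match clusterDomain.
    tpl, domain = scalar(text, "publicDomainTemplate"), scalar(text, "clusterDomain")
    if tpl and domain and tpl.split("%s", 1)[-1].lstrip(".") == domain:
        out.append("publicDomainTemplate matches clusterDomain")
    # Plain HTTP exposes the registry credentials and images in transit.
    if (scalar(text, "registryScheme") or "HTTPS").upper() != "HTTPS":
        out.append("registryScheme is not HTTPS")
    # Assumption (general Kubernetes rule): pod, service and node networks are disjoint.
    nets = {k: v for k in ("podSubnetCIDR", "serviceSubnetCIDR") if (v := scalar(text, k))}
    block = re.search(r"^internalNetworkCIDRs:[ \t]*\n((?:[ \t]*-[ \t]*\S+[ \t]*\n?)+)", text, re.M)
    for i, cidr in enumerate(re.findall(r"-[ \t]*(\S+)", block.group(1)) if block else []):
        nets[f"internalNetworkCIDRs[{i}]"] = cidr
    parsed = {}
    for name, cidr in nets.items():
        try:
            parsed[name] = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            pass  # unreplaced placeholder, already reported above
    for (a, na), (b, nb) in itertools.combinations(parsed.items(), 2):
        if na.overlaps(nb):
            out.append(f"{a} overlaps {b}")
    # The page asks for node, registry and proxy addresses in the noProxy exception list.
    no_proxy = [e.strip() for e in (scalar(text, "noProxy") or "").split(",")]
    out += [f"noProxy is missing {h}" for h in must_bypass_proxy if h not in no_proxy]
    return out
```

Run lint() on the real file's text before starting dhctl bootstrap; an empty list means none of these checks fired.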
Use a Docker image to install the Deckhouse Kubernetes Platform. The configuration file and the SSH keys for accessing the master node must be passed to the container (the commands below assume that the SSH key ~/.ssh/id_rsa is used).
Log in on the personal computer to the container image registry you specified in the previous step.
Run the installer on the personal computer.
In a POSIX shell (Linux, macOS):
docker run --pull=always -it -v "$PWD/config.yml:/config.yml" -v "$HOME/.ssh/:/tmp/.ssh/" <IMAGES_REPO_URI>/install:stable bash
In the Windows command prompt:
docker run --pull=always -it -v "%cd%\config.yml:/config.yml" -v "%userprofile%\.ssh\:/tmp/.ssh/" <IMAGES_REPO_URI>/install:stable bash -c "chmod 400 /tmp/.ssh/id_rsa; bash"
To start the installation, run the following inside the container:
dhctl bootstrap --ssh-user=<username> --ssh-host=<master_ip> --ssh-agent-private-keys=/tmp/.ssh/id_rsa \
--config=/config.yml \
--ask-become-pass
The --ssh-user parameter here refers to the user that generated the SSH key. If a password is required to run sudo on the server, enter it at the [sudo] Password: prompt.
The installation process may take from 5 to 30 minutes, depending on the connection.
Example of output upon successful completion of the installation:
...
│ │ No more converge tasks found in Deckhouse queue.
│ │ Deckhouse pod is Ready!
│ └ Waiting for Deckhouse to become Ready (157.34 seconds)
└ ⛵ ~ Bootstrap: Install Deckhouse (158.47 seconds)
❗ ~ Some resources require at least one non-master node to be added to the cluster.
┌ ⛵ ~ Bootstrap: Clear cache
│ ❗ ~ Next run of "dhctl bootstrap" will create a new Kubernetes cluster.
└ ⛵ ~ Bootstrap: Clear cache (0.00 seconds)
Almost everything is ready for a fully-fledged Deckhouse Kubernetes Platform to work!
When the installer image is pulled from registry.deckhouse.io, log in with the license key and run the installer on the personal computer as follows.
In a POSIX shell (Linux, macOS):
echo <LICENSE_TOKEN> | docker login -u license-token --password-stdin registry.deckhouse.io
docker run --pull=always -it -v "$PWD/config.yml:/config.yml" -v "$HOME/.ssh/:/tmp/.ssh/" registry.deckhouse.io/deckhouse/ee/install:stable bash
In the Windows command prompt, log in to the container image registry by providing the license key as a password:
docker login -u license-token registry.deckhouse.io
Run a container with the installer:
docker run --pull=always -it -v "%cd%\config.yml:/config.yml" -v "%userprofile%\.ssh\:/tmp/.ssh/" registry.deckhouse.io/deckhouse/ee/install:stable bash -c "chmod 400 /tmp/.ssh/id_rsa; bash"
Then run dhctl bootstrap inside the container as described above.