Deckhouse Platform for bare metal

At this point, you have created a basic single-master cluster.

For real-world conditions (production and test environments), you need to add additional nodes to the cluster according to the documentation.

If you install Deckhouse for evaluation purposes and one node in the cluster is enough for you, allow Deckhouse components to work on the master node. To do this, remove the taint from the master node by running the following command:

sudo kubectl patch nodegroup master --type json -p '[{"op": "remove", "path": "/spec/nodeTemplate/taints"}]'

After that, there will be three more actions.

  • Set up the Ingress controller

    On the master node, create the ingress-nginx-controller.yml file containing the Ingress controller configuration:

    # section containing the parameters of nginx ingress controller
    # version of the Deckhouse API
    apiVersion: deckhouse.io/v1
    kind: IngressNginxController
    metadata:
      name: nginx
    spec:
      # the name of the Ingress class to use with the Ingress nginx controller
      ingressClass: nginx
      # Ingress version to use (use version 1.1 with Kubernetes 1.23+)
      controllerVersion: "1.1"
      # the way traffic goes to cluster from the outer network
      inlet: HostPort
      hostPort:
        httpPort: 80
        httpsPort: 443
      # describes on which nodes the component will be located
      # you might consider changing this
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
      - operator: Exists
    

    Apply it using the following command on the master node:

    sudo kubectl create -f ingress-nginx-controller.yml
    
  • Create a user to access the cluster web interfaces

    On the master node, create the user.yml file containing the user account data and access rights:

    apiVersion: deckhouse.io/v1
    kind: ClusterAuthorizationRule
    metadata:
      name: admin
    spec:
      # Kubernetes RBAC accounts list
      subjects:
      - kind: User
        name: admin@deckhouse.io
      # pre-defined access template
      accessLevel: SuperAdmin
      # allow user to do kubectl port-forward
      portForwarding: true
    ---
    # section containing the parameters of the static user
    # version of the Deckhouse API
    apiVersion: deckhouse.io/v1
    kind: User
    metadata:
      name: admin
    spec:
      # user e-mail
      email: admin@deckhouse.io
      # this is a hash of the password <GENERATED_PASSWORD>, generated now
      # generate your own or use it at your own risk (for testing purposes)
      # echo "<GENERATED_PASSWORD>" | htpasswd -BinC 10 "" | cut -d: -f2
      # you might consider changing this
      password: <GENERATED_PASSWORD_HASH>
    

    Apply it using the following command on the master node:

    sudo kubectl create -f user.yml
    
  • Create DNS records to organize access to the cluster web interfaces:
    • Discover the public IP address of the node where the Ingress controller is running.
    • If you have a DNS server and can add DNS records:
      • If your cluster DNS name template is a wildcard DNS (e.g., %s.kube.my), then add a corresponding wildcard A record containing the public IP you discovered previously.
      • If your cluster DNS name template is NOT a wildcard DNS (e.g., %s-kube.company.my), then add A or CNAME records containing the public IP you discovered previously for the following Deckhouse service DNS names:
        api.example.com
        argocd.example.com
        cdi-uploadproxy.example.com
        dashboard.example.com
        deckhouse.example.com
        dex.example.com
        grafana.example.com
        hubble.example.com
        istio.example.com
        istio-api-proxy.example.com
        kubeconfig.example.com
        openvpn-admin.example.com
        prometheus.example.com
        status.example.com
        upmeter.example.com
        
    • If you don't have a DNS server: on your PC, add static entries that map the names of specific services to the public IP to the /etc/hosts file on Linux (%SystemRoot%\system32\drivers\etc\hosts on Windows). Specify your public IP address in the PUBLIC_IP variable:

      export PUBLIC_IP="<PUT_PUBLIC_IP_HERE>"
      sudo -E bash -c "cat <<EOF >> /etc/hosts
      $PUBLIC_IP api.example.com
      $PUBLIC_IP argocd.example.com
      $PUBLIC_IP cdi-uploadproxy.example.com
      $PUBLIC_IP dashboard.example.com
      $PUBLIC_IP deckhouse.example.com
      $PUBLIC_IP dex.example.com
      $PUBLIC_IP grafana.example.com
      $PUBLIC_IP hubble.example.com
      $PUBLIC_IP istio.example.com
      $PUBLIC_IP istio-api-proxy.example.com
      $PUBLIC_IP kubeconfig.example.com
      $PUBLIC_IP openvpn-admin.example.com
      $PUBLIC_IP prometheus.example.com
      $PUBLIC_IP status.example.com
      $PUBLIC_IP upmeter.example.com
      EOF
      "
      
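The static-entry command above appends unconditionally, so running it twice duplicates lines and a changed address leaves stale entries behind. The following added example (not part of the Deckhouse documentation; the function names and argument order are assumptions) renders the service names from a DNS name template, validates the address before anything is written as root, and rewrites a hosts file idempotently.

```shell
#!/bin/sh
# Added example, not Deckhouse code. Service names come from the list above;
# function names and argument order are assumptions of this sketch.
SERVICES="api argocd cdi-uploadproxy dashboard deckhouse dex grafana hubble istio
istio-api-proxy kubeconfig openvpn-admin prometheus status upmeter"

# True when the template is "%s.<domain>": one wildcard A record covers all names.
is_wildcard_template() { case "$1" in %s.?*) return 0 ;; *) return 1 ;; esac; }

# Accepts only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints one "<ip> <name>" line per service, with the name substituted for %s.
render_hosts() {  # usage: render_hosts <ip> <template>
  valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
  prefix=${2%%"%s"*}; suffix=${2#*"%s"}
  case "$2" in *"%s"*) ;; *) echo "template lacks %s: $2" >&2; return 1 ;; esac
  case "$prefix$suffix" in
    *[!A-Za-z0-9.-]*) echo "unexpected character in template: $2" >&2; return 1 ;;
  esac
  for svc in $SERVICES; do printf '%s %s\n' "$1" "$prefix$svc$suffix"; done
}

# Rewrites <hosts_file> so every service name maps to <ip> exactly once.
# Stale or duplicate entries for those names are dropped; other lines are kept.
sync_hosts() {  # usage: sync_hosts <ip> <template> <hosts_file>
  new=$(render_hosts "$1" "$2") || return 1
  names=$(printf '%s\n' "$new" | cut -d' ' -f2 | tr '\n' ' ')
  tmp=$(mktemp) || return 1
  awk -v names="$names" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) managed[a[i]] = 1 }
    /^[ \t]*#/ { print; next }
    { for (i = 2; i <= NF; i++) if ($i in managed) next; print }
  ' "$3" > "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\n' "$new" >> "$tmp"
  cat "$tmp" > "$3" && rm -f "$tmp"   # keeps the owner and mode of the hosts file
}

# Usage (as root): sync_hosts "$PUBLIC_IP" '%s.example.com' /etc/hosts
```

`is_wildcard_template` tells you which of the two DNS cases above applies: when it succeeds, a single wildcard A record is enough and per-name records are unnecessary.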