Deckhouse Kubernetes Platform on VMware vSphere
Enter license key
Have no key?
The recommended settings for a Deckhouse Kubernetes Platform Enterprise Edition installation are generated below:
config.yml— a file with the configuration needed to bootstrap the cluster. Contains the installer parameters, cloud provider related parameters (such as credentials, instance type, etc), and the initial cluster parameters.resources.yml— description of the resources that must be installed after the installation (nodes description, Ingress controller description, etc).
Please pay attention to:
- highlighted parameters you must define.
- parameters you might want to change.
Create the config.yml file.
# General cluster parameters.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#clusterconfiguration
apiVersion: deckhouse.io/v1
kind: ClusterConfiguration
clusterType: Cloud
cloud:
provider: vSphere
# A prefix of objects that are created in the cloud during the installation.
# You might consider changing this.
prefix: cloud-demo
# Address space of the cluster's Pods.
podSubnetCIDR: 10.111.0.0/16
# Address space of the cluster's services.
serviceSubnetCIDR: 10.222.0.0/16
kubernetesVersion: "Automatic"
clusterDomain: "cluster.local"
---
# Settings for the bootstrapping the Deckhouse cluster
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#initconfiguration
apiVersion: deckhouse.io/v1
kind: InitConfiguration
deckhouse:
imagesRepo: registry.deckhouse.io/deckhouse/ee
# A special string with your token to access Docker registry (generated automatically for your license token).
registryDockerCfg: <YOUR_ACCESS_STRING_IS_HERE>
---
# Deckhouse module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/002-deckhouse/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: deckhouse
spec:
version: 1
enabled: true
settings:
bundle: Default
releaseChannel: Stable
logLevel: Info
---
# Global Deckhouse settings.
# https://deckhouse.ru/products/kubernetes-platform/documentation/v1/deckhouse-configure-global.html#parameters
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: global
spec:
version: 1
settings:
modules:
# Template that will be used for system apps domains within the cluster.
# E.g., Grafana for %s.example.com will be available as 'grafana.example.com'.
# The domain MUST NOT match the one specified in the clusterDomain parameter of the ClusterConfiguration resource.
# You can change it to your own or follow the steps in the guide and change it after installation.
publicDomainTemplate: "%s.example.com"
---
# user-authn module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: user-authn
spec:
version: 2
enabled: true
settings:
controlPlaneConfigurator:
dexCAMode: DoNotNeed
# Enabling access to the API server through Ingress.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html#parameters-publishapi
publishAPI:
enabled: true
https:
mode: Global
global:
kubeconfigGeneratorMasterCA: ""
---
# Cloud provider settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/030-cloud-provider-vsphere/cluster_configuration.html
apiVersion: deckhouse.io/v1
kind: VsphereClusterConfiguration
layout: Standard
# vCenter API access parameters
provider:
server: *!CHANGE_SERVER*
username: *!CHANGE_USERNAME*
password: *!CHANGE_PASSWORD*
# Set to true if vCenter has a self-signed certificate,
# otherwise set false (or delete the string below with the insecure parameter).
insecure: *!CHANGE_INSECURE*
# Set to false if vSphere DRS is turned off,
# otherwise set true (or delete the string below with the useNestedResourcePool parameter).
useNestedResourcePool: *!CHANGE_INSECURE*
# Path to a Folder in which VirtualMachines will be created.
# The folder itself will be created by the Deckhouse Installer.
vmFolderPath: *!CHANGE_FOLDER*
# Region and zone tag category names.
regionTagCategory: k8s-region
zoneTagCategory: k8s-zone
# Region and zone tag names in which cluster will operate.
region: *!CHANGE_REGION_TAG_NAME*
zones:
- *!CHANGE_ZONE_TAG_NAME*
# Public SSH key for accessing cloud nodes.
# This key will be added to the user on created nodes (the user name depends on the image used).
sshPublicKey: *!CHANGE_SSH_KEY*
# Name of the External Network which has access to the Internet.
# IP addresses from the External Network sets as ExternalIP of Node object.
# Optional parameter.
externalNetworkNames:
- *!CHANGE_NETWORK_NAME*
# Name of the Internal Network that will be used for traffic between nodes.
# IP addresses from the Internal Network sets as InternalIP of Node object.
# Optional parameter.
internalNetworkNames:
- *!CHANGE_NETWORK_NAME*
# Address space of the cluster's nodes.
internalNetworkCIDR: 10.90.0.0/24
masterNodeGroup:
replicas: 1
instanceClass:
numCPUs: 4
memory: 8192
rootDiskSize: 50
# The name of the image, taking into account the vCenter folder path.
# Example: "folder/ubuntu-jammy-22.04".
template: *!CHANGE_TEMPLATE_NAME*
datastore: *!CHANGE_DATASTORE_NAME*
# Main network connected to node.
mainNetwork: *!CHANGE_NETWORK_NAME*
# Additional networks connected to node.
# Optional parameter.
additionalNetworks:
- *!CHANGE_NETWORK_NAME*
# General cluster parameters.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#clusterconfiguration
apiVersion: deckhouse.io/v1
kind: ClusterConfiguration
clusterType: Cloud
cloud:
provider: vSphere
# A prefix of objects that are created in the cloud during the installation.
# You might consider changing this.
prefix: cloud-demo
# Address space of the cluster's Pods.
podSubnetCIDR: 10.111.0.0/16
# Address space of the cluster's services.
serviceSubnetCIDR: 10.222.0.0/16
kubernetesVersion: "Automatic"
clusterDomain: "cluster.local"
---
# Settings for the bootstrapping the Deckhouse cluster
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/installing/configuration.html#initconfiguration
apiVersion: deckhouse.io/v1
kind: InitConfiguration
deckhouse:
imagesRepo: registry.deckhouse.io/deckhouse/ee
# A special string with your token to access Docker registry (generated automatically for your license token).
registryDockerCfg: <YOUR_ACCESS_STRING_IS_HERE>
---
# Deckhouse module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/002-deckhouse/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: deckhouse
spec:
version: 1
enabled: true
settings:
bundle: Default
releaseChannel: Stable
logLevel: Info
---
# Global Deckhouse settings.
# https://deckhouse.ru/products/kubernetes-platform/documentation/v1/deckhouse-configure-global.html#parameters
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: global
spec:
version: 1
settings:
modules:
# Template that will be used for system apps domains within the cluster.
# E.g., Grafana for %s.example.com will be available as 'grafana.example.com'.
# The domain MUST NOT match the one specified in the clusterDomain parameter of the ClusterConfiguration resource.
# You can change it to your own or follow the steps in the guide and change it after installation.
publicDomainTemplate: "%s.example.com"
---
# user-authn module settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: user-authn
spec:
version: 2
enabled: true
settings:
controlPlaneConfigurator:
dexCAMode: DoNotNeed
# Enabling access to the API server through Ingress.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/configuration.html#parameters-publishapi
publishAPI:
enabled: true
https:
mode: Global
global:
kubeconfigGeneratorMasterCA: ""
---
# Cloud provider settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/030-cloud-provider-vsphere/cluster_configuration.html
apiVersion: deckhouse.io/v1
kind: VsphereClusterConfiguration
layout: Standard
# vCenter API access parameters
provider:
server: *!CHANGE_SERVER*
username: *!CHANGE_USERNAME*
password: *!CHANGE_PASSWORD*
# Set to true if vCenter has a self-signed certificate,
# otherwise set false (or delete the string below with the insecure parameter).
insecure: *!CHANGE_INSECURE*
# Set to false if vSphere DRS is turned off,
# otherwise set true (or delete the string below with the useNestedResourcePool parameter).
useNestedResourcePool: *!CHANGE_INSECURE*
# Path to a Folder in which VirtualMachines will be created.
# The folder itself will be created by the Deckhouse Installer.
vmFolderPath: *!CHANGE_FOLDER*
# Region and zone tag category names.
regionTagCategory: k8s-region
zoneTagCategory: k8s-zone
# Region and zone tag names in which cluster will operate.
region: *!CHANGE_REGION_TAG_NAME*
zones:
- *!CHANGE_ZONE_TAG_NAME*
# Public SSH key for accessing cloud nodes.
# This key will be added to the user on created nodes (the user name depends on the image used).
sshPublicKey: *!CHANGE_SSH_KEY*
# Name of the External Network which has access to the Internet.
# IP addresses from the External Network sets as ExternalIP of Node object.
# Optional parameter.
externalNetworkNames:
- *!CHANGE_NETWORK_NAME*
# Name of the Internal Network that will be used for traffic between nodes.
# IP addresses from the Internal Network sets as InternalIP of Node object.
# Optional parameter.
internalNetworkNames:
- *!CHANGE_NETWORK_NAME*
# Address space of the cluster's nodes.
internalNetworkCIDR: 10.90.0.0/24
masterNodeGroup:
replicas: 1
instanceClass:
numCPUs: 4
memory: 8192
rootDiskSize: 50
# The name of the image, taking into account the vCenter folder path.
# Example: "folder/ubuntu-jammy-22.04".
template: *!CHANGE_TEMPLATE_NAME*
datastore: *!CHANGE_DATASTORE_NAME*
# Main network connected to node.
mainNetwork: *!CHANGE_NETWORK_NAME*
# Additional networks connected to node.
# Optional parameter.
additionalNetworks:
- *!CHANGE_NETWORK_NAME*
Create the resources.yml file.
# Section containing the parameters of instance class for worker nodes.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/030-cloud-provider-vsphere/cr.html
apiVersion: deckhouse.io/v1
kind: VsphereInstanceClass
metadata:
name: worker
spec:
numCPUs: 8
memory: 16384
# VM disk size.
# You might consider changing this.
rootDiskSize: 70
template: *!CHANGE_TEMPLATE_NAME*
mainNetwork: *!CHANGE_NETWORK_NAME*
---
# Section containing the parameters of worker node group.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/040-node-manager/cr.html#nodegroup
apiVersion: deckhouse.io/v1
kind: NodeGroup
metadata:
name: worker
spec:
cloudInstances:
classReference:
kind: VsphereInstanceClass
name: worker
# The maximum number of instances for the group in each zone (used by the autoscaler).
# You might consider changing this.
maxPerZone: 1
# The minimum number of instances for the group in each zone.
minPerZone: 1
# List of availability zones to create instances in.
# You might consider changing this.
zones:
- *!CHANGE_ZONE_TAG_NAME*
disruptions:
approvalMode: Automatic
nodeType: CloudEphemeral
---
# Section containing the parameters of NGINX Ingress controller.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/402-ingress-nginx/cr.html
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
name: nginx
spec:
ingressClass: nginx
# The way traffic goes to cluster from the outer network.
inlet: HostPort
hostPort:
httpPort: 80
httpsPort: 443
realIPHeader: X-Forwarded-For
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- operator: Exists
---
# RBAC and authorization settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/140-user-authz/cr.html#clusterauthorizationrule
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: admin
spec:
subjects:
- kind: User
name: admin@deckhouse.io
accessLevel: SuperAdmin
portForwarding: true
---
# Parameters of the static user.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/cr.html#user
apiVersion: deckhouse.io/v1
kind: User
metadata:
name: admin
spec:
# User e-mail.
email: admin@deckhouse.io
# This is a hash of the password <GENERATED_PASSWORD>, generated when loading the page of the Getting Started.
# Generate your own or use it at your own risk (for testing purposes)
# echo "<GENERATED_PASSWORD>" | htpasswd -BinC 10 "" | cut -d: -f2 | base64 -w0
# You might consider changing this.
password: <GENERATED_PASSWORD_HASH>
# Section containing the parameters of instance class for worker nodes.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/030-cloud-provider-vsphere/cr.html
apiVersion: deckhouse.io/v1
kind: VsphereInstanceClass
metadata:
name: worker
spec:
numCPUs: 8
memory: 16384
# VM disk size.
# You might consider changing this.
rootDiskSize: 70
template: *!CHANGE_TEMPLATE_NAME*
mainNetwork: *!CHANGE_NETWORK_NAME*
---
# Section containing the parameters of worker node group.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/040-node-manager/cr.html#nodegroup
apiVersion: deckhouse.io/v1
kind: NodeGroup
metadata:
name: worker
spec:
cloudInstances:
classReference:
kind: VsphereInstanceClass
name: worker
# The maximum number of instances for the group in each zone (used by the autoscaler).
# You might consider changing this.
maxPerZone: 1
# The minimum number of instances for the group in each zone.
minPerZone: 1
# List of availability zones to create instances in.
# You might consider changing this.
zones:
- *!CHANGE_ZONE_TAG_NAME*
disruptions:
approvalMode: Automatic
nodeType: CloudEphemeral
---
# Section containing the parameters of NGINX Ingress controller.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/402-ingress-nginx/cr.html
apiVersion: deckhouse.io/v1
kind: IngressNginxController
metadata:
name: nginx
spec:
ingressClass: nginx
# The way traffic goes to cluster from the outer network.
inlet: HostPort
hostPort:
httpPort: 80
httpsPort: 443
realIPHeader: X-Forwarded-For
nodeSelector:
node-role.kubernetes.io/control-plane: ""
tolerations:
- operator: Exists
---
# RBAC and authorization settings.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/140-user-authz/cr.html#clusterauthorizationrule
apiVersion: deckhouse.io/v1
kind: ClusterAuthorizationRule
metadata:
name: admin
spec:
subjects:
- kind: User
name: admin@deckhouse.io
accessLevel: SuperAdmin
portForwarding: true
---
# Parameters of the static user.
# https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/150-user-authn/cr.html#user
apiVersion: deckhouse.io/v1
kind: User
metadata:
name: admin
spec:
# User e-mail.
email: admin@deckhouse.io
# This is a hash of the password <GENERATED_PASSWORD>, generated when loading the page of the Getting Started.
# Generate your own or use it at your own risk (for testing purposes)
# echo "<GENERATED_PASSWORD>" | htpasswd -BinC 10 "" | cut -d: -f2 | base64 -w0
# You might consider changing this.
password: <GENERATED_PASSWORD_HASH>
Use a Docker image to install the Deckhouse Kubernetes Platform. It is necessary to transfer configuration files to the container as well as SSH keys for accessing the master node (further, it is assumed that the SSH key ~/.ssh/id_rsa is used).
Run the installer on the personal computer.
echo <LICENSE_TOKEN> | docker login -u license-token --password-stdin registry.deckhouse.io
docker run --pull=always -it -v "$PWD/config.yml:/config.yml" -v "$HOME/.ssh/:/tmp/.ssh/" \
-v "$PWD/resources.yml:/resources.yml" -v "$PWD/dhctl-tmp:/tmp/dhctl" registry.deckhouse.io/deckhouse/ee/install:stable bash
echo <LICENSE_TOKEN> | docker login -u license-token --password-stdin registry.deckhouse.io
docker run --pull=always -it -v "$PWD/config.yml:/config.yml" -v "$HOME/.ssh/:/tmp/.ssh/" \
-v "$PWD/resources.yml:/resources.yml" -v "$PWD/dhctl-tmp:/tmp/dhctl" registry.deckhouse.io/deckhouse/ee/install:stable bash
Log in on the personal computer to the container image registry by providing the license key as a password:
docker login -u license-token registry.deckhouse.io
docker login -u license-token registry.deckhouse.io
Run a container with the installer:
docker run --pull=always -it -v "%cd%\config.yml:/config.yml" -v "%userprofile%\.ssh\:/tmp/.ssh/" -v "%cd%\resources.yml:/resources.yml" -v "%cd%\dhctl-tmp:/tmp/dhctl" registry.deckhouse.io/deckhouse/ee/install:stable bash -c "chmod 400 /tmp/.ssh/id_rsa; bash"
docker run --pull=always -it -v "%cd%\config.yml:/config.yml" -v "%userprofile%\.ssh\:/tmp/.ssh/" -v "%cd%\resources.yml:/resources.yml" -v "%cd%\dhctl-tmp:/tmp/dhctl" registry.deckhouse.io/deckhouse/ee/install:stable bash -c "chmod 400 /tmp/.ssh/id_rsa; bash"
Now, to initiate the process of installation, you need to execute inside the container:
dhctl bootstrap --ssh-user=ubuntu --ssh-agent-private-keys=/tmp/.ssh/id_rsa --config=/config.yml --config=/resources.yml
dhctl bootstrap --ssh-user=ubuntu --ssh-agent-private-keys=/tmp/.ssh/id_rsa --config=/config.yml --config=/resources.yml
The --ssh-user parameter here refers to the default user for the relevant VM image. It is ubuntu for the image suggested in this guide.
The installation process may take about from 5 to 30 minutes, depending on the connection.
After the installation is complete, the installer will output the IP of the master node (you will need it further). Example output:
...
┌ 🎈 ~ Common: Kubernetes Master Node addresses for SSH
│ cloud-demo-master-0 | ssh ubuntu@1.2.3.4
└ 🎈 ~ Common: Kubernetes Master Node addresses for SSH (0.00 seconds)
Almost everything is ready for a fully-fledged Deckhouse Kubernetes Platform to work!