Warning
This content has been generated by machine translation. The translations are automated and have not undergone human review or validation.
6.1 Installing Verrazzano on a Kubernetes cluster
Preparing the Kubernetes cluster
Verrazzano is installed on a Kubernetes cluster using a Kubernetes Operator, so you need an existing Kubernetes cluster to install it on. This guide uses an OKE cluster.
Preparing the Container Engine for Kubernetes (OKE) cluster
Create an OKE cluster with default settings in Quick Create mode.
- Prepare an environment with sufficient capacity to deploy all components and example applications on Verrazzano.
- Shape: VM.Standard2.4 or higher or VM.Standard.E2.4 or higher
- Number of nodes: 3 or more
- OKE version: 1.19
- In 1.20 and 1.21, additional work is required for Kibana operation due to FluentD parser issues.
Install Verrazzano
- Using kubectl, connect to the OKE cluster you created, either from Cloud Shell or from your own work environment.
Install Verrazzano platform operator
kubectl apply -f https://github.com/verrazzano/verrazzano/releases/download/v1.1.0/operator.yaml
Wait until installation is complete.
kubectl -n verrazzano-install rollout status deployment/verrazzano-platform-operator
When "successfully rolled out" is displayed, check that the installation succeeded.
kubectl -n verrazzano-install get pods
Install Verrazzano - Using OCI DNS & Let’s Encrypt
During installation, you can choose between the dev, prod, and managed-cluster profiles. Here we use the dev profile. For details, refer to the Installation Profiles page. Installing with the default profile uses a self-signed certificate and free wildcard domains (nip.io, sslip.io). This section shows how to use OCI DNS and Let’s Encrypt so that you can use your own domain and certificate.
Reference
- https://verrazzano.io/latest/docs/setup/install/customizing/dns/
- https://verrazzano.io/latest/docs/setup/install/customizing/certificates/
Create OCI DNS Zone
Register your domain as a zone in OCI DNS.
Create OCI API Secret
Register the OCI API private key information as a Secret in the target Kubernetes cluster. Here we assume that the OCI CLI is already set up, and we create the secret with the Verrazzano helper script.
Download helper script
- The script seems to hang when run from a directory other than home, so run it from the home directory.
cd ~
curl \
  -o ./create_oci_config_secret.sh \
  https://raw.githubusercontent.com/verrazzano/verrazzano/v1.1.0/platform-operator/scripts/install/create_oci_config_secret.sh
Setting the KUBECONFIG environment variable and running the script
chmod +x create_oci_config_secret.sh
export KUBECONFIG=~/.kube/config
./create_oci_config_secret.sh
Execution example and result confirmation
[opc@bastion-host ~]$ chmod +x create_oci_config_secret.sh
[opc@bastion-host ~]$ export KUBECONFIG=~/.kube/config
[opc@bastion-host ~]$
[opc@bastion-host ~]$ ./create_oci_config_secret.sh
secret/oci created
[opc@bastion-host ~]$ kubectl get secret oci -n verrazzano-install
NAME   TYPE     DATA   AGE
oci    Opaque   1      35s
[opc@bastion-host ~]$ kubectl get secret oci -o jsonpath="{.data['oci\.yaml']}" -n verrazzano-install | base64 -d
auth:
  region: ap-seoul-1
  tenancy: ocid1.tenancy.oc1..aaaaaaaa~~~
  user: ocid1.user.oc1..aaaaaaaa~~~
  key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbKoBbV+xIDgeA
    ...
    K2jAF6UJZ/+BBKkHRXHSxoI=
    -----END PRIVATE KEY-----
  fingerprint: 99:c9:87:~~~
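The confirmation query above writes the API private key to the terminal. The following added example (not from the original article or the Verrazzano project) confirms that the secret holds every expected field while masking the key body. The names check_oci_yaml and sample_oci_yaml are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the Verrazzano helper scripts.
# check_oci_yaml reads a decoded oci.yaml on stdin, prints it with the private
# key body masked, and returns non-zero if a required field is missing.
# The required-field list is taken from the output shown above.
check_oci_yaml() {
  awk '
    /-----BEGIN [A-Z ]*PRIVATE KEY-----/ {
      inkey = 1; seen["key"] = 1
      print "    [private key redacted]"; next
    }
    /-----END [A-Z ]*PRIVATE KEY-----/ { inkey = 0; next }
    inkey { next }                       # drop every line of key material
    /^[ \t]*(region|tenancy|user|fingerprint):[ \t]*[^ \t]/ {
      name = $1; sub(/:$/, "", name); seen[name] = 1
    }
    { print }
    END {
      n = split("region tenancy user key fingerprint", req, " ")
      for (i = 1; i <= n; i++)
        if (!(req[i] in seen)) {
          print "missing field: " req[i] > "/dev/stderr"; bad = 1
        }
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample input (values are placeholders, the key body is fake).
sample_oci_yaml() {
  cat <<'EOF'
auth:
  region: ap-seoul-1
  tenancy: ocid1.tenancy.oc1..exampletenancy
  user: ocid1.user.oc1..exampleuser
  key: |
    -----BEGIN PRIVATE KEY-----
    CONSTRUCTEDKEYBODYNOTAREALKEY000000000000000000000000000000000000
    -----END PRIVATE KEY-----
  fingerprint: 00:11:22:33
EOF
}

# Against the cluster (same query as above, piped through the filter):
#   kubectl get secret oci -n verrazzano-install \
#     -o jsonpath="{.data['oci\.yaml']}" | base64 -d | check_oci_yaml
sample_oci_yaml | check_oci_yaml
```

If the END marker is missing, everything after the BEGIN marker is dropped and the fields that follow are reported as missing, so the filter fails closed.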
Install Verrazzano
Download the installation yaml sample
curl \
  -o ./install-oci.yaml \
  https://raw.githubusercontent.com/verrazzano/verrazzano/release-1.1/platform-operator/config/samples/install-oci.yaml
Update the install-oci.yaml file
- spec.environmentName: The name of the installed environment. For example, if it is myenv and the zone name is example.com, the ingress domain becomes myenv.example.com.
- spec.components.dns.oci.ociConfigSecret: oci, the name of the secret you created earlier
- spec.components.dns.oci.dnsZoneCompartmentOCID: OCID of the compartment that contains the zone registered in OCI DNS
- spec.components.dns.oci.dnsZoneOCID: OCID of the zone registered in OCI DNS
- spec.components.dns.oci.dnsZoneName: The name of the zone registered in OCI DNS, e.g. example.com
apiVersion: install.verrazzano.io/v1alpha1
kind: Verrazzano
metadata:
  name: my-verrazzano
spec:
  environmentName: myenv
  profile: dev
  components:
    certManager:
      certificate:
        acme:
          provider: letsEncrypt
          emailAddress: thekoguryo@gmail.com
          environment: staging
    dns:
      oci:
        ociConfigSecret: oci
        dnsZoneCompartmentOCID: ocid1.compartment.oc1..aaaaaaaa~~~
        dnsZoneOCID: ocid1.dns-zone.oc1..7974~~~
        dnsZoneName: thekoguryo.ml
    ingress:
      type: LoadBalancer
Deploy install-oci.yaml
kubectl apply -f install-oci.yaml
Confirm installation completion
kubectl wait \
  --timeout=20m \
  --for=condition=InstallComplete verrazzano/my-verrazzano
Check logs
kubectl logs -n verrazzano-install \
  -f $(kubectl get pod \
    -n verrazzano-install \
    -l app=verrazzano-platform-operator \
    -o jsonpath="{.items[0].metadata.name}") | grep '"operation":"install"'
Additional checks during installation
- Check whether the OCI Trial is causing a resource shortage problem.
kubectl get events --sort-by=.metadata.creationTimestamp -A
Check Verrazzano installation information
Check the console address
kubectl get verrazzano my-verrazzano -o yaml
Example results
status:
  ...
  instance:
    consoleUrl: https://verrazzano.myenv.thekoguryo.ml
    elasticUrl: https://elasticsearch.vmi.system.myenv.thekoguryo.ml
    grafanaUrl: https://grafana.vmi.system.myenv.thekoguryo.ml
    keyCloakUrl: https://keycloak.myenv.thekoguryo.ml
    kialiUrl: https://kiali.vmi.system.myenv.thekoguryo.ml
    kibanaUrl: https://kibana.vmi.system.myenv.thekoguryo.ml
    prometheusUrl: https://prometheus.vmi.system.myenv.thekoguryo.ml
    rancherUrl: https://rancher.myenv.thekoguryo.ml
  state: Ready
  version: 1.1.0
Change Verrazzano User Password
Change password in KeyCloak
The Verrazzano administrator user (username: verrazzano) is managed through KeyCloak, and single sign-on (SSO) is configured, so users of the Verrazzano Console, Elasticsearch, Grafana, KeyCloak, Kiali, Kibana, and Prometheus are all managed through KeyCloak.
The initial random password of the verrazzano user can be checked in Kubernetes, and it can be changed in KeyCloak.
Connect to KeyCloak (e.g. https://keycloak.myenv.thekoguryo.ml) and go to the Administration Console.
Log in as KeyCloak Admin.
- KeyCloak admin user: keycloakadmin
- KeyCloak admin password: check with the following command
kubectl get secret \
  --namespace keycloak keycloak-http \
  -o jsonpath={.data.password} | base64 \
  --decode; echo
In the left menu, go to Manage > Users.
Click View all users to find the verrazzano user and click on the ID.
Click the Credentials tab to change your password.
Set Temporary to OFF, enter a new password, and click Reset Password.
When the pop-up appears, click Reset Password again.
Reflect the change in the Kubernetes Secret
Base64 encode the new password.
Example:
echo -n 'MyNewPwd' | base64
Update the secret in the Kubernetes cluster where Verrazzano is installed.
kubectl edit secret verrazzano -n verrazzano-system
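The encode-and-edit step above can also be done as a single merge patch, which avoids typing the password into an echo command and catches a value encoded with a stray newline. This is an added example, not from the original article or the Verrazzano project; the function names are hypothetical, and the data key "password" is an assumption to confirm against the secret.

```shell
#!/bin/sh
# Added example, not part of Verrazzano. Assumes the secret stores the password
# under the data key "password" (an assumption; confirm with
# kubectl get secret verrazzano -n verrazzano-system -o yaml).

# Hex value of the last byte of a base64-encoded string once decoded.
b64_last_byte() {
  printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# True if the encoded value ends in a newline, i.e. it was produced with
# plain echo instead of echo -n and will not match the KeyCloak password.
b64_has_trailing_newline() {
  [ "$(b64_last_byte "$1")" = "0a" ]
}

# Print a JSON merge patch that sets the password; $1 is the clear-text value.
build_password_patch() {
  [ -n "$1" ] || { echo "empty password" >&2; return 1; }
  enc=$(printf '%s' "$1" | base64 | tr -d '\n')   # no newline in, no wrapping out
  if b64_has_trailing_newline "$enc"; then
    echo "password ends with a newline" >&2; return 1
  fi
  printf '{"data":{"password":"%s"}}' "$enc"
}

# Interactive use, keeping the password out of shell history:
#   stty -echo; IFS= read -r NEWPW; stty echo
#   kubectl patch secret verrazzano -n verrazzano-system \
#     --type merge -p "$(build_password_patch "$NEWPW")"
build_password_patch 'MyNewPwd'; echo
```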
Console login
Log in to the Verrazzano Console.
The tools in the System Telemetry area are configured with SSO, and you can access each of them as the verrazzano user through the corresponding link.
- Kibana: log monitoring
- Grafana: monitoring metrics
- Prometheus: collect metrics
- Elasticsearch: log collection
- Kiali: monitoring the istio service mesh
KeyCloak: User Management
- Admin user (KeyCloak Admin) access is the same as before.
- If you click the link, you are logged in as the verrazzano user, which is a regular KeyCloak user.
Rancher: Monitoring Kubernetes
Connect to the URL shown on the screen.
User: admin
Password: check with the following command
kubectl get secret \
  --namespace cattle-system rancher-admin-secret \
  -o jsonpath={.data.password} | base64 \
  --decode; echo
As an individual, this article was written with my personal time. There may be errors in the content of the article, and the opinions in the article are personal opinions.