TheKoguryo's Tech Blog

Version 2023.10.13

Warning

This content has been generated by machine translation. The translations are automated and have not undergone human review or validation.

6.1 Installing Verrazzano on a Kubernetes cluster

Preparing the Kubernetes cluster

Verrazzano is installed on a Kubernetes cluster by way of a Kubernetes operator, so you need an existing Kubernetes cluster to install it on. Here we use an OKE cluster.

Preparing the Container Engine for Kubernetes (OKE) cluster

Create an OKE cluster with default settings in Quick Create mode.

  • Provision enough capacity to deploy all Verrazzano components and the example applications.
    • Shape: VM.Standard2.4 or higher or VM.Standard.E2.4 or higher
    • Number of nodes: 3 or more
    • OKE version: 1.19
      • In 1.20 and 1.21, additional work is required for Kibana operation due to FluentD parser issues.

Install Verrazzano

  1. Connect to the OKE cluster you created, using kubectl from Cloud Shell or from your own working environment.

Install Verrazzano platform operator

  1. Install Verrazzano platform operator

    kubectl apply -f https://github.com/verrazzano/verrazzano/releases/download/v1.1.0/operator.yaml
    
  2. Wait until installation is complete.

    kubectl -n verrazzano-install rollout status deployment/verrazzano-platform-operator
    
  3. When "successfully rolled out" is printed, check that the installation succeeded.

    kubectl -n verrazzano-install get pods
    

Install Verrazzano - Using OCI DNS & Let’s Encrypt

During installation, you can choose between the dev, prod, and managed-cluster profiles. Here we use the dev profile. For details, refer to the Installation Profiles page. By default, the installation uses a self-signed certificate and a free wildcard DNS service (nip.io, sslip.io). The steps below show how to use OCI DNS and Let's Encrypt to get the domain and certificate you want.

Create OCI DNS Zone

Register your domain as a zone in OCI DNS.

Create OCI API Secret

Register your OCI API key (the private key together with the tenancy, user, region and fingerprint) as a Secret in the target Kubernetes cluster. Here we assume the OCI CLI is already configured and create the secret with the Verrazzano helper script.

  1. Download the helper script

    • If you are not in your home directory it seems to hang when run, so run it from home.
    cd ~
    curl \
        -o ./create_oci_config_secret.sh \
        https://raw.githubusercontent.com/verrazzano/verrazzano/v1.1.0/platform-operator/scripts/install/create_oci_config_secret.sh
    
  2. Set the KUBECONFIG environment variable and run the script

    chmod +x create_oci_config_secret.sh
    export KUBECONFIG=~/.kube/config
    
    ./create_oci_config_secret.sh
    
  3. Example run and result check

    [opc@bastion-host ~]$ chmod +x create_oci_config_secret.sh
    [opc@bastion-host ~]$ export KUBECONFIG=~/.kube/config
    [opc@bastion-host ~]$
    [opc@bastion-host ~]$ ./create_oci_config_secret.sh
    secret/oci created
    [opc@bastion-host ~]$ kubectl get secret oci -n verrazzano-install
    NAME   TYPE     DATA   AGE
    oci    Opaque   1      35s
    [opc@bastion-host ~]$ kubectl get secret oci -o jsonpath="{.data['oci\.yaml']}" -n verrazzano-install | base64 -d
    auth:
      region: ap-seoul-1
      tenancy: ocid1.tenancy.oc1..aaaaaaaa~~~
      user: ocid1.user.oc1..aaaaaaaa~~~
      key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCbKoBbV+xIDgeA
        ...
        K2jAF6UJZ/+BBKkHRXHSxoI=
        -----END PRIVATE KEY-----
      fingerprint: 99:c9:87:~~~
    
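The `base64 -d` check above prints the whole private key to the terminal, where it stays in scrollback and in any session recording. The script below is an added example (not from the original post or the Verrazzano project) that validates the decoded oci.yaml instead: it confirms that the fields the operator needs are present and well-formed and shows only the region and fingerprint. The namespace `verrazzano-install` and secret name `oci` come from the steps above; the formats it checks (OCID type prefixes, a 16-pair fingerprint) are OCI conventions, not something the post states.

```shell
#!/bin/sh
# Added example (not part of the original post or the Verrazzano project).
# Validates the decoded oci.yaml held in the "oci" Secret without printing the
# private key, which `kubectl get secret ... | base64 -d` does on the terminal.

# Print the first scalar value for KEY ($2) in the YAML text passed as $1.
# Flat lookup: it assumes, as in the generated oci.yaml, that KEY appears once.
yaml_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Read a decoded oci.yaml on stdin. Returns 0 when every field the Verrazzano
# operator needs is present and well-formed, 1 otherwise. Echoes only
# non-secret fields; the private key is checked for PEM framing, never shown.
check_oci_config() {
    cfg=$(cat)
    rc=0

    region=$(yaml_field "$cfg" region)
    tenancy=$(yaml_field "$cfg" tenancy)
    user=$(yaml_field "$cfg" user)
    fingerprint=$(yaml_field "$cfg" fingerprint)

    # Region identifiers look like ap-seoul-1.
    if ! printf '%s\n' "$region" | grep -Eq '^[a-z]{2}-[a-z]+-[0-9]+$'; then
        echo "auth.region missing or malformed: '$region'" >&2; rc=1
    fi
    # Tenancy and user OCIDs carry a fixed type prefix.
    case "$tenancy" in
        ocid1.tenancy.oc1..?*) ;;
        *) echo "auth.tenancy is not a tenancy OCID" >&2; rc=1 ;;
    esac
    case "$user" in
        ocid1.user.oc1..?*) ;;
        *) echo "auth.user is not a user OCID" >&2; rc=1 ;;
    esac
    # API key fingerprints are 16 colon-separated hex byte pairs.
    if ! printf '%s\n' "$fingerprint" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'; then
        echo "auth.fingerprint missing or malformed" >&2; rc=1
    fi
    # The key must be a PEM private-key block: check the framing lines only.
    if ! printf '%s\n' "$cfg" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' \
       || ! printf '%s\n' "$cfg" | grep -q -e '-----END .*PRIVATE KEY-----'; then
        echo "auth.key is not a PEM private key block" >&2; rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "oci.yaml OK: region=$region fingerprint=$fingerprint"
    fi
    return "$rc"
}

# Fetch the Secret from the cluster and run the check on it. Namespace ($1) and
# secret name ($2) default to the ones create_oci_config_secret.sh uses.
check_oci_secret() {
    kubectl get secret "${2:-oci}" -n "${1:-verrazzano-install}" \
        -o jsonpath="{.data['oci\.yaml']}" | base64 -d | check_oci_config
}
```

Run `check_oci_secret` against the cluster after the helper script; a non-zero exit tells you which field the operator will trip over before the installation itself starts failing.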

Install Verrazzano

  1. Download the sample installation YAML

    curl \
        -o ./install-oci.yaml \
        https://raw.githubusercontent.com/verrazzano/verrazzano/release-1.1/platform-operator/config/samples/install-oci.yaml
    
  2. Update the install-oci.yaml file

    • spec.environmentName: the name of the environment being installed. If it is myenv and the zone name is example.com, the ingress domain becomes myenv.example.com.
    • spec.components.dns.oci.ociConfigSecret: the name of the secret created earlier (oci)
    • spec.components.dns.oci.dnsZoneCompartmentOCID: OCID of the compartment that contains the OCI DNS zone
    • spec.components.dns.oci.dnsZoneOCID: OCID of the zone registered in OCI DNS
    • spec.components.dns.oci.dnsZoneName: the name of the zone registered in OCI DNS, e.g. example.com
    apiVersion: install.verrazzano.io/v1alpha1
    kind: Verrazzano
    metadata:
      name: my-verrazzano
    spec:
      environmentName: myenv
      profile: dev
      components:
        certManager:
          certificate:
            acme:
              provider: letsEncrypt
              emailAddress: thekoguryo@gmail.com
              environment: staging
        dns:
          oci:
            ociConfigSecret: oci
            dnsZoneCompartmentOCID: ocid1.compartment.oc1..aaaaaaaa~~~
            dnsZoneOCID: ocid1.dns-zone.oc1..7974~~~
            dnsZoneName: thekoguryo.ml
        ingress:
          type: LoadBalancer
    
  3. Deploy install-oci.yaml

    kubectl apply -f install-oci.yaml
    
  4. Confirm installation completion

    kubectl wait \
        --timeout=20m \
        --for=condition=InstallComplete verrazzano/my-verrazzano
    
  5. Check logs

    kubectl logs -n verrazzano-install \
        -f $(kubectl get pod \
        -n verrazzano-install \
        -l app=verrazzano-platform-operator \
        -o jsonpath="{.items[0].metadata.name}") | grep '"operation":"install"'
    
  6. Additional checks during installation

    • Check whether a resource shortage is being caused by the limits of an OCI Trial account.
    kubectl get events --sort-by=.metadata.creationTimestamp -A
    
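Before running step 3 it is worth checking the edited file for the mistakes the operator only reports once it is already talking to OCI DNS, which show up late as an installation that never reaches InstallComplete. The preflight script below is an added example, not part of the post or the Verrazzano project. It assumes the flat key layout of the sample above, that the OCIDs keep their `ocid1.compartment.oc1..` and `ocid1.dns-zone.oc1..` prefixes, and that `environment: staging` selects the Let's Encrypt staging CA, whose certificates browsers do not trust.

```shell
#!/bin/sh
# Added example (not from the original post or the Verrazzano project): preflight
# for the edited install-oci.yaml, run before `kubectl apply -f install-oci.yaml`.

# First scalar value for KEY ($2) in FILE ($1). Flat lookup: the sample's keys
# are unique, so no YAML path handling is needed.
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# The ingress domain that environmentName and dnsZoneName will produce.
ingress_domain() {
    printf '%s.%s' "$(yaml_value "$1" environmentName)" "$(yaml_value "$1" dnsZoneName)"
}

# Returns 0 if the file passes, 1 otherwise; each problem goes to stderr.
preflight_install_yaml() {
    f=$1
    rc=0
    env_name=$(yaml_value "$f" environmentName)
    secret=$(yaml_value "$f" ociConfigSecret)
    comp=$(yaml_value "$f" dnsZoneCompartmentOCID)
    zone=$(yaml_value "$f" dnsZoneOCID)
    zname=$(yaml_value "$f" dnsZoneName)
    acme_env=$(yaml_value "$f" environment)

    # environmentName becomes a DNS label, so it must be a valid one.
    if ! printf '%s\n' "$env_name" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'; then
        echo "environmentName '$env_name' is not a valid DNS label" >&2; rc=1
    fi
    [ -n "$secret" ] || { echo "ociConfigSecret is empty" >&2; rc=1; }
    # Both OCIDs carry a type prefix.
    case "$comp" in
        ocid1.compartment.oc1..?*) ;;
        *) echo "dnsZoneCompartmentOCID is not a compartment OCID" >&2; rc=1 ;;
    esac
    case "$zone" in
        ocid1.dns-zone.oc1..?*) ;;
        *) echo "dnsZoneOCID is not a DNS zone OCID" >&2; rc=1 ;;
    esac
    # The post redacts its OCIDs with "~~~"; catch a listing copied verbatim.
    case "$comp$zone" in
        *~*) echo "an OCID still contains the redaction mark '~'" >&2; rc=1 ;;
    esac
    # Zone name: a bare hostname, no scheme, no trailing dot.
    if ! printf '%s\n' "$zname" | grep -Eq '^([a-z0-9-]+\.)+[a-z]{2,}$'; then
        echo "dnsZoneName '$zname' is not a bare DNS zone name" >&2; rc=1
    fi
    # Let's Encrypt staging certificates chain to a test CA browsers do not trust.
    if [ "$acme_env" != "production" ]; then
        echo "note: acme.environment=$acme_env; browsers will not trust these certificates" >&2
    fi

    if [ "$rc" -eq 0 ]; then
        echo "preflight OK: console will be https://verrazzano.$(ingress_domain "$f")"
    fi
    return "$rc"
}
```

`preflight_install_yaml install-oci.yaml && kubectl apply -f install-oci.yaml` applies the file only when it passes; whether the `oci` secret actually exists is covered by the `kubectl get secret oci -n verrazzano-install` check from the previous section.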

Check Verrazzano installation information

  1. Check the console address

    kubectl get verrazzano my-verrazzano -o yaml
    
  2. Example results

    status:
      ...
      instance:
        consoleUrl: https://verrazzano.myenv.thekoguryo.ml
        elasticUrl: https://elasticsearch.vmi.system.myenv.thekoguryo.ml
        grafanaUrl: https://grafana.vmi.system.myenv.thekoguryo.ml
        keyCloakUrl: https://keycloak.myenv.thekoguryo.ml
        kialiUrl: https://kiali.vmi.system.myenv.thekoguryo.ml
        kibanaUrl: https://kibana.vmi.system.myenv.thekoguryo.ml
        prometheusUrl: https://prometheus.vmi.system.myenv.thekoguryo.ml
        rancherUrl: https://rancher.myenv.thekoguryo.ml
      state: Ready
      version: 1.1.0
    

Change Verrazzano User Password

Change password in KeyCloak

  1. The Verrazzano administrator user (username: verrazzano) is managed in KeyCloak, and single sign-on (SSO) is configured, so the users of the Verrazzano Console, Elasticsearch, Grafana, KeyCloak, Kiali, Kibana, and Prometheus are all managed through KeyCloak.

  2. The initial randomly generated password of the verrazzano user can be read from a Kubernetes secret, and it is changed in KeyCloak.

  3. Open KeyCloak (e.g. https://keycloak.myenv.thekoguryo.ml) and go to the Administration Console.

  4. Log in as KeyCloak Admin.

    • KeyCloak admin user: keycloakadmin

    • KeyCloak admin password: Confirm with the following command

      kubectl get secret \
          --namespace keycloak keycloak-http \
          -o jsonpath={.data.password} | base64 \
          --decode; echo
      
  5. In the left menu, go to Manage > Users.

  6. Click View all users to find the verrazzano user and click on the ID.

  7. Click the Credentials tab to change your password.

  8. Set Temporary to OFF, enter a new password, and click Reset Password.

  9. When the pop-up appears, click Reset Password again.

Reflect the change in the Kubernetes Secret

  1. Base64 encode the new password.

    Example)

    echo -n 'MyNewPwd' | base64
    
  2. Update the secret in the Kubernetes cluster where Verrazzano is installed.

    kubectl edit secret verrazzano -n verrazzano-system
    
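Rather than pasting the base64 string into `kubectl edit`, the new password can be written with `kubectl patch` and then read back from the cluster to confirm it matches what was set in KeyCloak. The script below is an added example, not from the post or the Verrazzano project. It assumes the secret stores the password under the key `password` (the key the Verrazzano documentation reads with `jsonpath={.data.password}`); the `read_password` helper is hypothetical convenience code that keeps the password out of shell history.

```shell
#!/bin/sh
# Added example (not from the original post or the Verrazzano project): write the
# new password into the verrazzano Secret with `kubectl patch` instead of pasting
# base64 into `kubectl edit`, then read it back to confirm. Assumes the Secret
# key is "password", as the Verrazzano documentation's jsonpath lookup uses.

# Base64 of $1 with no embedded or trailing newline. `echo -n` is not portable
# across shells, and GNU base64 wraps long output at 76 columns.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Strategic-merge patch body that replaces only .data.password. Base64 output
# is limited to [A-Za-z0-9+/=], so no JSON escaping is needed.
secret_patch_json() {
    printf '{"data":{"password":"%s"}}' "$(b64 "$1")"
}

# Hypothetical helper: prompt without echo so the password never appears in
# shell history or `ps` output the way a literal argument to `echo -n` does.
read_password() {
    printf 'New verrazzano password: ' >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    printf '%s' "$pw"
}

# Apply the patch to the Secret named in the post (verrazzano-system/verrazzano).
update_verrazzano_password() {
    kubectl patch secret verrazzano -n verrazzano-system \
        --type merge -p "$(secret_patch_json "$1")"
}

# Returns 0 if the decoded value in the cluster equals the password given.
verify_verrazzano_password() {
    stored=$(kubectl get secret verrazzano -n verrazzano-system \
        -o jsonpath='{.data.password}' | base64 -d)
    [ "$stored" = "$1" ]
}

# Usage against a live cluster (uncomment):
# pw=$(read_password) && update_verrazzano_password "$pw" && verify_verrazzano_password "$pw"
```

For the post's example value, `b64 MyNewPwd` yields `TXlOZXdQd2Q=`, the same string `echo -n 'MyNewPwd' | base64` prints above; the patch form simply removes the step of editing that string into the YAML by hand.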

Console login

  1. Log in to the Verrazzano Console.

    Example) https://verrazzano.myenv.thekoguryo.ml

  2. The tools in the System Telemetry area are configured for SSO, and you can open each of them as the verrazzano user through its link.

    • Kibana: log monitoring
    • Grafana: metrics monitoring
    • Prometheus: metrics collection
    • Elasticsearch: log collection
    • Kiali: monitoring of the Istio service mesh

  3. KeyCloak: User Management

    • Admin user (KeyCloak Admin) access is the same as before.
    • Clicking the link logs you in as the verrazzano user, a regular KeyCloak user.

  4. Rancher: Monitoring Kubernetes

    • Connect to the URL shown on the screen.

    • User: admin

    • Password: Confirm with the following command

      kubectl get secret \
          --namespace cattle-system rancher-admin-secret \
          -o jsonpath={.data.password} | base64 \
          --decode; echo
      


As an individual, this article was written with my personal time. There may be errors in the content of the article, and the opinions in the article are personal opinions.

Last updated on 28 Dec 2021