
Requirements

Organizations that need to maintain control over their environment can run the Self Hosted Controller in Microsoft Azure Kubernetes Service (AKS). Although the organization runs on cloud services, such as AWS, only the organization's own administrators have access to its Self Hosted Controller.

With the Self Hosted Controller, the organization is responsible for every aspect of the controller: deployment, maintenance, backup procedures, and troubleshooting. Organizations that prefer a SaaS model can use the hosted service instead.

The prerequisites for installing the self hosted Controller in an Azure AKS environment are listed below.

Note

If you use Terraform and need reference examples, contact Support at support@rafay.co.


Infrastructure

The Azure AKS requirements for installing the self hosted controller are as follows.

| Requirement | Description |
|---|---|
| Operating System | CentOS 7 |
| # Instances | One (1) for Non-High Availability or three (3) for High Availability |
| System Specs | 16 CPU threads, 64 GB RAM or higher |
| Root Disk | 100 GB or higher |
| /tmp | >30 GB, if not part of root disk |
| Networking | Allow outbound 443/tcp to reach Azure API |
| Root User | Access to switch as root user |

Infrastructure Requirements

PFX Certificate

Create a PFX certificate using the following command, supplying the certificate and private key from your SSL certificate.

openssl pkcs12 -export -out <pfx cert name.pfx> -inkey <private_key.key> -in <ssl_certificate>
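As an added example (not from the Rafay documentation), the shell functions below wrap the command above and check the resulting bundle before it is referenced by PfxCertFilePath and PfxCertFilePasswd: that the password opens it, that the certificate subject is the expected wildcard name, and that the bundled private key actually matches the certificate. A bundle that fails any of these checks would only surface as a TLS failure after the infrastructure script has run. The functions assume the openssl CLI is installed; the file names, the password and the *.company.example.com subject are constructed for the example.

```shell
# Added example, not part of the Rafay docs. Requires the openssl CLI on PATH.

# build_pfx KEY CERT OUT PASSWORD
# Same "openssl pkcs12 -export" as the page, with the export password supplied
# via -passout so the call is non-interactive.
build_pfx() {
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout "pass:$4"
}

# verify_pfx PFX PASSWORD EXPECTED_CN
# Exit status: 0 = bundle is usable; 1 = password does not open the bundle;
# 2 = certificate subject CN is not EXPECTED_CN (e.g. "*.company.example.com");
# 3 = private key in the bundle does not match the certificate's public key.
verify_pfx() {
    pfx=$1; pw=$2; want_cn=$3
    # Fails (MAC verify error) when the password is wrong.
    cert=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pw" 2>/dev/null) || return 1
    # RFC2253 formatting gives "subject=CN=<value>", easy to extract with sed.
    cn=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || return 2
    # Compare the SubjectPublicKeyInfo derived from the key with the cert's.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# make_test_material DIR
# Constructed self-signed key and certificate for the wildcard name, standing
# in for the CA-signed pair a real installation would use.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.company.example.com" \
        -keyout "$1/private_key.key" -out "$1/ssl_certificate.crt" 2>/dev/null
}

# Usage with the constructed material:
#   d=$(mktemp -d); make_test_material "$d"
#   build_pfx "$d/private_key.key" "$d/ssl_certificate.crt" "$d/controller.pfx" 's3cret'
#   verify_pfx "$d/controller.pfx" 's3cret' '*.company.example.com' && echo "PFX OK"
```

Run verify_pfx with the same path and password you intend to export as PfxCertFilePath and PfxCertFilePasswd; a non-zero status tells you which of the three checks failed.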

Export Variables

Export the following variables before running the infrastructure creation script. Do this on the node where you will be executing the RADM commands.

export ResourceGroup=aks-rg
export Location=centralindia
export VNET=aks-vnet
export AKSClusterSubnet=aks-cluster-subnet
export AKSClusterName=aks-airgappedConAKSCluster
export K8SVersion=1.20.13
export AppGWNSG=aks-airgappedConAppGWNSG
export AppGWSubnet=aks-airgappedConAppGWSubnet
export AppGWName=aks-airgappedConAppGW
export AppGWPublicIPName=aks-airgappedConAppGWPublicIP
export NetworkLoadBalancer=aks-nlb
export PfxCertFilePath=<Give the Path where pfx file exists>
export PfxCertFilePasswd=<Password that is used while creating the pfx file>
export DNSPrefixName=aks-dns

Connect Microsoft Azure Account

Connect to your Microsoft Azure account using the following command. Running this command will provide a link. Use the link in a web browser and enter the authorization code displayed in the command output.

az login

Download Script

Download the shell script using the following command.

wget https://dev-rafay-controller.s3.us-west-1.amazonaws.com/Publish/aks_shell_script/aks-shell-script.tar.gz

From your home directory, untar the package using the following command.

tar -xf aks*

Bring Up Infrastructure

Use the following command to bring up the Azure infrastructure.

bash ./aks_script.sh -y

DNS Records

Installation of the self hosted controller requires the DNS records listed below. In the examples, replace company.example.com with the desired domain. DNS records for the wildcard FQDN should point to the controller nodes’ IP addresses.

The following is an example of a wildcard FQDN.

*.company.example.com

The following individual records are also required. For AWS Cloud DNS, add these as Records.

  1. api.<company.example.com>
  2. console.<company.example.com>
  3. fluentd-aggr.<company.example.com>
  4. ops-console.<company.example.com>
  5. rcr.<company.example.com>
  6. peering.<company.example.com>
  7. regauth.<company.example.com>
  8. *.core.<company.example.com>
  9. *.core-connector.<company.example.com>
  10. *.kubeapi-proxy.<company.example.com>
  11. *.user.<company.example.com>
  12. *.cdrelay.<company.example.com>
  13. ui.<company.example.com>
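As an added pre-flight check (not part of the Rafay documentation), the functions below generate the record names above for a given domain and report which ones are absent from a zone listing, so a missing record is caught before installation rather than as a failing endpoint afterwards. The zone listing format (one FQDN per line) and the domain are constructed for the example; adapt the parsing to whatever your DNS provider exports.

```shell
# Added example, not part of the Rafay docs.

# required_records DOMAIN
# Prints the thirteen record names the installation expects for DOMAIN,
# one per line, in the order the page lists them.
required_records() {
    for name in api console fluentd-aggr ops-console rcr peering regauth \
                '*.core' '*.core-connector' '*.kubeapi-proxy' '*.user' '*.cdrelay' ui; do
        printf '%s.%s\n' "$name" "$1"
    done
}

# missing_records DOMAIN ZONEFILE
# Prints the required names that do not appear verbatim in ZONEFILE (a
# constructed listing with one FQDN per line). Names are matched literally
# with grep -F, so the wildcard labels are compared as written, not expanded.
missing_records() {
    required_records "$1" | while IFS= read -r fqdn; do
        grep -Fxq -- "$fqdn" "$2" || printf '%s\n' "$fqdn"
    done
}

# Usage against a constructed zone export:
#   printf '%s\n' api.company.example.com ui.company.example.com > zone.txt
#   missing_records company.example.com zone.txt   # prints the 11 absent names
```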

Logo (optional)

To change the logo displayed in the console, the company logo must be less than 600 KB and in the PNG format. Use this for white labeling and branding purposes.


X.509 Certificates (Optional)

The controller uses TLS for secure communication, so X.509 certificates are required to secure all endpoints. Customers are expected to provide a trusted CA-signed wildcard certificate for the target DNS name (e.g. *.company.example.com).

For non-production or internal to organization scenarios, if signed certificates are not available, the controller can generate self-signed certificates automatically. This can be achieved by setting the generate-self-signed-certs key to true in config.yaml during installation.

generate-self-signed-certs: true

Email Addresses

The installation also requires the following email addresses.

  • An email address for super user authentication to the controller’s admin
  • An email address for receiving support emails from the controller
  • An email address for receiving alerts and notifications (Optional)