Requirements

The prerequisites for installing the self-hosted controller in bare metal/VM environments are described below.


Infrastructure

Requirement        Description
Operating System   CentOS 7.9, RHEL 8, Ubuntu 22.04 LTS
# Instances        One instance for a non high availability controller. For a high availability controller (HA), the minimum is four: three control plane nodes and one worker node.
System Specs       16 CPU threads, 64 GB RAM or higher
Root Disk          100 GB or higher
/tmp               >30 GB, if not part of root disk
Data Disk          500 GB formatted. Attached as /data
Networking         Inbound 443/tcp allowed to all instances. All localhost ports reachable
DNS                If no DNS, ensure 300053/UDP is reachable
Firewall           Disabled in all nodes

DNS Records

Installation of the self-hosted controller requires the wildcard record shown below. In the example, replace "company.example.com" with the desired domain. The DNS record for the wildcard FQDN should point to the controller nodes’ IP addresses.

*.company.example.com

If wildcard DNS is not available, the individual records below are needed.

api.company.example.com
backend.company.example.com
console.company.example.com
fluentd-aggr.company.example.com
kibana.company.example.com
ops-console.company.example.com
rcr.company.example.com
regauth.company.example.com
registry.company.example.com
*.connector.cdrelay.company.example.com
*.connector.infrarelay.example.com
*.core.company.example.com
*.core-connector.company.example.com
*.kubeapi-proxy.company.example.com
*.user.company.example.com
*.user.cdrelay.company.example.com
*.user.infrarelay.company.example.com
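
A pre-install check for the records above, as an added example that is not part of the original page or the product's tooling: it resolves every required name and flags any that are missing or that point at an address other than a controller node. It assumes every record sits under the domain you chose; `PROBE_LABEL`, `system_resolver` and `check_records` are hypothetical names, and the addresses in the usage comment are constructed.

```python
import socket

# Record names from the list above, written relative to the controller domain
# (assumption: every record sits under the domain you chose).
RECORDS = [
    "api", "backend", "console", "fluentd-aggr", "kibana", "ops-console",
    "rcr", "regauth", "registry",
    "*.connector.cdrelay", "*.connector.infrarelay", "*.core",
    "*.core-connector", "*.kubeapi-proxy", "*.user",
    "*.user.cdrelay", "*.user.infrarelay",
]
PROBE_LABEL = "dns-preflight-probe"  # hypothetical label used to test wildcards


def system_resolver(name):
    """Return the set of IP addresses the local resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_records(domain, controller_ips, resolve=system_resolver):
    """Map each required FQDN to 'ok', 'missing', or 'unexpected: <ips>'."""
    allowed = set(controller_ips)
    results = {}
    for record in RECORDS:
        # Test a wildcard by resolving a probe name beneath it.
        fqdn = f"{record.replace('*', PROBE_LABEL, 1)}.{domain}"
        answers = resolve(fqdn)
        if not answers:
            results[fqdn] = "missing"
        elif answers - allowed:
            # An address outside the controller nodes would receive traffic
            # meant for the controller.
            results[fqdn] = "unexpected: " + ", ".join(sorted(answers - allowed))
        else:
            results[fqdn] = "ok"
    return results


if __name__ == "__main__":
    import sys
    # usage: python check_dns.py company.example.com 10.0.0.11 10.0.0.12
    domain, *ips = sys.argv[1:]
    report = check_records(domain, ips)
    for fqdn, status in report.items():
        print(f"{status:<12} {fqdn}")
    sys.exit(any(status != "ok" for status in report.values()))
```

The same check passes when a single wildcard record for the domain is in place, since every probe name then resolves through it.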

Logo (Optional)

Provide a company logo smaller than 200 KB in PNG format for white labeling and branding purposes.


X509 Certificates (Optional)

The controller uses TLS for secure communication. As a result, X.509 certificates are required to secure all endpoints. Customers are expected to provide a wildcard certificate signed by a trusted CA for the target DNS (e.g. *.rafay.example.com).

For non-production or internal-only scenarios where signed certificates are not available, the controller can generate self-signed certificates automatically. This is done by setting the “generate-self-signed-certs” key to “True” in config.yaml during installation.


Email Addresses

The installation also requires the email addresses below.

  • Super user authentication to the controller’s admin
  • Controller support
  • Receive alerts and notifications (Optional)

Note: Although not ideal, it is possible to specify the same email address for all three.


External Load Balancer (Optional)

The controller supports using an external load balancer (LB) for SSL termination. This requires one LB in front of the controller's frontend services to terminate TLS traffic using SSL certificates, and another LB for the mTLS endpoints for SSL bypass.

To use an LB, the following override-config must be enabled in the config.yaml file.

override-config.global.external_lb: true

Backup and Restore

Organizations should have a backup and restore process for their existing bare metal and virtual machine environments. It is recommended that users follow their organization's processes.