Cloud-Native Install

Tangram Pro™ is a cloud-native application designed to work in any modern cloud environment capable of hosting a Kubernetes cluster. If you wish to self-host Tangram Pro™, please ensure your deployment matches the following profile:

• a modern cloud designed to host sensitive data, up to DoD Impact Level 5 (IL5), such as:
  • AWS GovCloud US
  • Azure for US Government
  • Google Cloud for DoD
• capable of running Kubernetes v1.24 or above
  • this can be deployed via a managed service, such as AWS EKS, Azure AKS, or GKE
  • or customer-deployed via tools like kOps or RKE 2
• fault-redundant, high-speed Internet connectivity
  • ability to resolve DNS, 1000 Mbps down/up is expected
  • if the installation needs to be air-gapped, our team can help evaluate how to accomplish deployment

Getting Started

Tangram Pro™ is deployed via a Helm chart. Helm is essentially a package manager for Kubernetes. It allows you to quickly deploy an application in Kubernetes by specifying only the configuration that is unique to your instance.

You can install Helm by following the installation guide.

Before installing the Tangram Pro™ Helm chart, you will need the following:

• An ingress controller
• A TLS solution

We support NGINX Ingress Controller for ingress solution, and Cert Manager for TLS management.

Ingress (NGINX)

In order for Tangram Pro™ to work properly, your Kubernetes cluster needs an ingress class. Ingresses allow web traffic to access the application, and usually provide services like load balancing and TLS/SSL termination for your cluster. We support the NGINX Ingress Controller but other ingress classes may work as well.

Installing the NGINX Ingress Controller

Create a namespace in which NGINX will be installed.

export nginx="your_nginx_namespace"  # set this value to your desired nginx namespace
kubectl create ns $nginx

Add the NGINX Ingress chart repo to Helm and update it.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

Create a Helm values file to configure how NGINX is installed to your cluster.

cat <<EOF >> nginx-values.yaml
controller:
  allowSnippetAnnotations: false
  config:
    proxy-read-timeout: "3600"
    proxy-send-timeout: "3600"
    real-ip-header: proxy_protocol
    set-real-ip-from: 0.0.0.0/0
    use-proxy-protocol: true
    use-forwarded-headers: true
    use-gzip: true
EOF

For the full set of values options look here.

Install the ingress controller in the namespace you made above:

helm install -n $nginx nginx -f nginx-values.yaml ingress-nginx/ingress-nginx

Verify the ingress controller is running:

kubectl get deploy/nginx-ingress-nginx-controller -n $nginx -w

Review the NGINX Ingress Controller docs for more info.

TLS (cert-manager)

In order for Tangram Pro™ to work properly, you will need TLS certificates. There are a few options to create and use TLS certificates depending on the use case.

We support cert-manager which by default uses Let's Encrypt as the certificate issuer to create TLS certificates for Tangram Pro™.

Alternatively, if you would rather provide TLS certificates for Tangram Pro™, either use the set-file flags for Helm or create a secret in your cluster and reference it in your values file. You can see examples of the manual methods here

Installing cert-manager

Create a namespace in which cert-manager will be installed.

export certmanager="certmanager_namespace"  # set this value to your desired certmanager namespace
kubectl create ns $certmanager

Add the cert-manager chart repo to helm and update it.

helm repo add certmanager https://charts.jetstack.io
helm repo update

Create a helm values file so you can modify how you want cert-manager installed to your cluster.

cat <<EOF >> cert-manager-values.yaml
installCRDs: true

ingressShim:
  defaultIssuerName: "letsencrypt-prod"
  defaultIssuerKind: "ClusterIssuer"
  defaultIssuerGroup: "cert-manager.io"
EOF

For the full set of values options look here.

Install cert-manager to the namespace above:

helm install -n $certmanager cert-manager -f cert-manager-values.yaml certmanager/cert-manager

Check that cert-manager is running with the following command:

kubectl get po -n $certmanager -w

After installing cert-manager, create an issuer configuration to tell cert-manager how to generate new TLS certificates.

NOTE: you will need to provide an email address to Let's Encrypt to receive notifications about your certificate status.

Create your issuer manifest.

cat <<EOF >> cluster-issuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <org email>
    privateKeySecretRef:
      name: letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: nginx
EOF

Apply your manifest to the cluster.

kubectl create -f cluster-issuer-prod.yaml -n $certmanager

Check that your email was successfully registered with LetsEncrypt.

kubectl get clusterissuer/letsencrypt-prod -o wide  -n $certmanager

Review the cert-manager docs for more info.

Deploying Tangram Pro™

Now that you have your supporting software installed, you're ready to install the Tangram Pro™ Helm chart.

Prerequisites

Before you can install the Tangram Pro™ Helm chart, you need to add our repository. Run these commands in your terminal:

helm repo add tangram https://charts.tangramflex.io
helm repo update

Ensure that the proper version of Tangram Pro™ is available via helm search repo tangram and check the desired application version.

Before install, you will need three files which will be provided by Tangram Flex:

• Your license public key
• Your license private key
• Your custom values file

Contact your Tangram customer support contact for more details.

Install and Upgrade

Create a namespace in which Tangram Pro will be installed.

export tangram="tangram_namespace"  # set this value to your desired tangram namespace
kubectl create ns $tangram

If not using cert-manager, you will need to provide TLS certificates manually

kubectl create secret tls tangram-tls \
  --cert="/path/to/tangram.crt" \
  --key="/path/to/tangram.key" \
  -n $tangram

Then you can reference this secret in your values file:

tls:
  existingSecret: tangram-tls

You can also pass the license files from an existing secret if you prefer this method to using set-file in your helm calls:

kubectl create secret generic license \
  --from-file=tangram_id_rsa.pub="/path/to/tangram_id_rsa.pub" \
  --from-file=id_rsa="/path/to/id_rsa"

Then you can reference this secret in your values file:

license:
  existingSecret: license

Install Tangram Pro™:

helm upgrade <name> -n <namespace> tangram/pro \
  --install \
  --wait --timeout 10m \
  # this should be the values.yaml file provided by Tangram Flex
  -f values.yaml \
  --set-file license.publicKeyFile=[license public key file] \
  --set-file license.privateKeyFile=[license private key file] \

If you are not using cert-manager and wish to provide the TLS certificate and key at installation, add the following commands:

  --set-file tls.certFile=[your file] \
  --set-file tls.keyFile=[your file]

You can watch the installation progress via kubectl get pods -n $tangram to view the status of the pods created by the installation.

Configure DNS

Depending on your cluster configuration, you may need to manually create DNS records to allow traffic to your Tangram Pro™ instance. If your ingress solution automatically provisions a load balancer, as with AWS ELBs for instance, you can obtain the hostname:

kubectl get ingress frontend -n $tangram -o=jsonpath="{.status.loadBalancer.ingress[0].hostname}"

Using your domain provider, create a CNAME record for your designated domain with a value set to the result from the above command.

See Also

• Velero: a Kubernetes cluster backup tool