Cloud-Native Install

Tangram Pro™ is a cloud-native application designed to work in any modern cloud environment capable of hosting a Kubernetes cluster. If you wish to self-host Tangram Pro™, please ensure your deployment matches the following profile:

  • a modern cloud designed to host sensitive data, up to DoD Impact Level 5 (IL5), such as:
  • capable of running Kubernetes v1.24 or above
  • fault-redundant, high-speed Internet connectivity
    • ability to resolve DNS, 1000 Mbps down/up is expected
    • if the installation needs to be air-gapped, our team can help evaluate how to accomplish deployment

Getting Started

Tangram Pro™ is deployed via a Helm chart. Helm is a package manager for Kubernetes that generates manifests (YAML files specifying Kubernetes resources) from templates that reference the values file. The values file holds several fields that you can override to configure the Tangram Pro™ installation.

You can install Helm by following the installation guide.

Before installing the Tangram Pro™ Helm chart, you will need the following:

  • An RWX-compatible storage class
  • An ingress controller
  • A TLS solution

Internally we support and use OpenEBS for RWX PVCs, NGINX Ingress Controller for our ingress solution, and Cert Manager for our TLS management.

RWX Storage (OpenEBS)

Tangram Pro™ requires a storage class in your Kubernetes cluster that supports RWX (Read-Write-Many) Persistent Volumes. This means multiple nodes in your cluster can mount your Persistent Volumes to Pods simultaneously with Read-Write permissions. Internally we support and use OpenEBS for our RWX storage class; however, you could use other RWX-compatible storage classes like Rancher's Longhorn, AWS EFS, or Azure Files for this task if you prefer.

Note: If you use a storage class other than OpenEBS, you will need to change the values at flexModules.storageClassName, docker-registry.persistence.storageClass, and dependencies.pvc.storageClassName in the Tangram Pro™ Helm chart values file.

Installing the OpenEBS Dynamic NFS Provisioner

Create a namespace to install OpenEBS to.

bash
kubectl create ns <namespace name>

Add the OpenEBS Dynamic NFS Provisioner chart repo to helm and update it.

bash
helm repo add openebs-nfs https://openebs.github.io/dynamic-nfs-provisioner
helm repo update

Create a helm values file so you can modify how you want OpenEBS installed to your cluster.

yaml
cat <<EOF >> openebs-values.yaml
nfsProvisioner:
  enabled: true
  privileged: false
nfsStorageClass:
  # this is the class name that the Tangram Pro™ Helm chart will expect
  name: openebs-nfs
  backendStorageClass: "<supply your underlying storage class here>"
analytics:
  enabled: "false"
EOF

For the full set of values options look here.

Install the provisioner into the namespace you created, using the custom values file.

bash
helm install -n <namespace name> openebs-nfs -f openebs-values.yaml openebs-nfs/nfs-provisioner

Check that the provisioner is running with the following command:

bash
kubectl get deploy/openebs-nfs-nfs-provisioner -n <namespace name> -w

For more info on the OpenEBS Dynamic NFS Provisioner read the docs here.

Ingress (NGINX)

In order for Tangram Pro™ to work properly, you will need an ingress class set up in Kubernetes. Ingresses provide services like load balancing, proxying, and SSL termination for your cluster. Internally we use and support the NGINX Ingress Controller, but with some additional configuration other ingress classes may work.

Installing the NGINX Ingress Controller

Create a namespace to install NGINX to.

bash
kubectl create ns <namespace name>

Add the NGINX Ingress chart repo to helm and update it.

bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

Create a helm values file so you can modify how you want NGINX installed to your cluster.

yaml
cat <<EOF >> nginx-values.yaml
controller:
  allowSnippetAnnotations: false
  config:
    proxy-read-timeout: "3600"
    proxy-send-timeout: "3600"
    real-ip-header: proxy_protocol
    set-real-ip-from: 0.0.0.0/0
    use-proxy-protocol: true
    use-forwarded-headers: true
    use-gzip: true
EOF

For the full set of values options look here.

Install the ingress controller to the namespace you made before with the values file you created.

bash
helm install -n <namespace name> nginx -f nginx-values.yaml ingress-nginx/ingress-nginx

Check that the ingress controller is running with the following command:

bash
kubectl get deploy/nginx-ingress-nginx-controller -n <namespace name> -w

For more info on the NGINX Ingress Controller read the docs here.
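
The values file above accepts client-address information (PROXY protocol and X-Forwarded-* headers) with set-real-ip-from: 0.0.0.0/0, which suits a controller that can only be reached through its load balancer. The check below is an added example, not Tangram Flex's own tooling; it flags that combination in a values file. The 10.0.0.0/24 range and the file names are constructed placeholders.

```bash
# Added example, not Tangram Flex code. Reads only flat "key: value" lines.
# cfg_value FILE KEY: print the first value of KEY, comment and quotes stripped.
cfg_value() {
  awk -v k="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, k ":") == 1 {
      v = substr(line, length(k) + 2)
      sub(/[ \t]+#.*$/, "", v)
      gsub(/^[ \t"]+|[ \t"]+$/, "", v)
      print v; exit
    }' "$1"
}
is_true() { [ "$(cfg_value "$1" "$2")" = "true" ]; }
flag() { echo "$1"; FINDINGS=$((FINDINGS + 1)); }

# audit_nginx_values FILE: print findings, set FINDINGS, return 1 if any.
audit_nginx_values() {
  FINDINGS=0
  cidr=$(cfg_value "$1" set-real-ip-from)
  case "$cidr" in
    0.0.0.0/0|::/0)
      flag "set-real-ip-from: $cidr trusts every peer to state the client address"
      for k in use-proxy-protocol use-forwarded-headers; do
        if is_true "$1" "$k"; then flag "$k: enabled with no trusted range narrowing it"; fi
      done ;;
  esac
  if is_true "$1" allowSnippetAnnotations; then
    flag "allowSnippetAnnotations: Ingress objects may carry raw NGINX snippets"
  fi
  [ "$FINDINGS" -eq 0 ]
}

# Constructed sample: this page's trust-related keys with a chosen source range.
write_values() {
  cat > "$1" <<EOF
controller:
  allowSnippetAnnotations: false
  config:
    real-ip-header: proxy_protocol
    set-real-ip-from: $2
    use-proxy-protocol: true
    use-forwarded-headers: true
EOF
}
tmp=$(mktemp -d)
write_values "$tmp/page.yaml" 0.0.0.0/0       # value used on this page
write_values "$tmp/narrow.yaml" 10.0.0.0/24   # placeholder load-balancer range
audit_nginx_values "$tmp/page.yaml" || echo "findings: $FINDINGS"
audit_nginx_values "$tmp/narrow.yaml" && echo "narrow.yaml: no findings"
```

Run it against nginx-values.yaml before helm install; a non-zero exit status means the controller should not be reachable except through the load balancer that sets these headers.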

TLS (Cert-Manager)

In order for Tangram Pro™ to work properly, you will need TLS certificates. There are a few ways to create and supply them, depending on your use case. Internally we support and use cert-manager, which can use Let's Encrypt to automatically create and use trusted certificates on our instances of Tangram Pro™. If you would rather add your own TLS certificates manually, you can either use the set-file flags for helm or create a secret in your cluster and reference it in your values file. You can see examples of the manual methods here.

Installing Cert-Manager

Create a namespace to install Cert-Manager to.

bash
kubectl create ns <namespace name>

Add the cert-manager chart repo to helm and update it.

bash
helm repo add certmanager https://charts.jetstack.io
helm repo update

Create a helm values file so you can modify how you want cert-manager installed to your cluster.

yaml
cat <<EOF >> cert-manager-values.yaml
installCRDs: true
ingressShim:
  defaultIssuerName: "letsencrypt-prod"
  defaultIssuerKind: "ClusterIssuer"
  defaultIssuerGroup: "cert-manager.io"
EOF

For the full set of values options look here.

Install cert-manager to the namespace you made before with the values file you created.

bash
helm install -n <namespace name> cert-manager -f cert-manager-values.yaml certmanager/cert-manager

Check that cert-manager is running with the following command:

bash
kubectl get po -n <namespace name> -w

After installing cert-manager you will need to create an issuer configuration to tell cert-manager the method you want it to use to generate new SSL certificates.

Create your issuer manifest.

yaml
cat <<EOF >> cluster-issuer-prod.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <org email>
    privateKeySecretRef:
      name: letsencrypt-private-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - http01:
          ingress:
            class: nginx
EOF

Apply your manifest to the cluster.

bash
kubectl create -f cluster-issuer-prod.yaml

Check that your email was successfully registered with Let's Encrypt.

bash
kubectl get clusterissuer/letsencrypt-prod -o wide

For more info on Cert-Manager read the docs here.

Installing Tangram Pro™

Now that you have your supporting software installed, you're ready to install the Tangram Pro™ helm chart.

Add the Tangram Pro™ Repository

Before you can install the Tangram Pro™ Helm chart, you need to add our repository. Run these commands in your terminal:

bash
helm repo add tangram https://charts.tangramflex.io
helm repo update

Install the Tangram Pro™ Helm Chart

Now you are ready to install Tangram Pro™. There are a few files that you will need to have handy during this installation process:

  • Your license files given to you by Tangram Flex
  • Your custom values file given to you by Tangram Flex
  • Your TLS certificates which will be used for HTTPS, unless you use cert-manager in your Kubernetes cluster

Note: If you are manually passing TLS files and you don't want to pass the files with set-file, you can also create a secret containing your files:

bash
kubectl create secret tls tangram-tls \
  -n <tangram-namespace> \
  --cert="/path/to/tangram.crt" \
  --key="/path/to/tangram.key"

Then you can reference this secret in your values file:

yaml
tls:
  existingSecret: tangram-tls

You can also pass the license files from an existing secret if you prefer this method to using set-file in your helm calls:

bash
kubectl create secret generic license \
  -n <tangram-namespace> \
  --from-file=tangram_id_rsa.pub="/path/to/tangram_id_rsa.pub" \
  --from-file=id_rsa="/path/to/id_rsa"

Then you can reference this secret in your values file:

yaml
license:
  existingSecret: license

Run this command to install Tangram Pro™ to your cluster:

bash
helm upgrade [installation name] -n <tangram-namespace> tangram/pro \
  --install \
  --wait --timeout 10m \
  -f [your values file] \
  --set-file license.publicKeyFile=[license public key file] \
  --set-file license.privateKeyFile=[license private key file]

# If you are using TLS certificates without cert-manager, end the last line
# above with a backslash and append these flags:
#   --set-file tls.certFile=[your file] \
#   --set-file tls.keyFile=[your file]

Note: You can name the installation whatever you want.

With that, you should be all set! You can run kubectl get pods -n <tangram-namespace> to view the status of the pods created by the installation. You can also now set up DNS records to point to your Tangram Pro™ instance.

See Also

  • Velero: a Kubernetes cluster backup tool