PAM standalone online install

The Puppet Application Manager (PAM) installation process sets up the application manager (with a simple Kubernetes installation for container orchestration) for you and installs the application on the single-node cluster.

Before you begin
  1. Review the Puppet Application Manager system requirements.

    The server must meet the following minimum requirements:

    Memory Storage CPUs Open ports
    2 GB + application requirements

    At least 100 GB for /var/lib and /var/openebs. This is primarily divided among:

    • 2 GB for /var/lib/etcd
    • 32 GB for /var/lib/kubelet
    • 40 GB for /var/lib/containerd
    • 20 GB for /var/openebs + additional application-specific storage.
    2 + application requirements

    TCP: 443, 2379,2380, 6443, 6783, 8800, 9001 (offline only), and 10250

    UDP: 6783, 6784

    Note: Swap is not supported for use with this version of Puppet Application Manager (PAM). The installation script attempts to disable Swap if it is enabled.
  2. (Optional) If necessary, prepare additional steps related to SELinux and Firewalld:

    The PAM installation script disables SELinux and Firewalld by default. If you want to keep SELinux enabled, append the -s preserve-selinux-config switch to the PAM install command. This may require additional configuration to adapt SELinux policy to the installation.

    If you want to keep Firewalld enabled:

    1. Make sure Firewalld is installed on your system.

    2. To prevent the installation from disabling Firewalld, provide a patch file to the PAM install command using -s installer-spec-file=patch.yaml, where patch.yaml is the name of your patch file. For reference, here's an example patch file that enables Firewalld during installation, starts the service if it isn't running, and adds rules to open relevant ports:
      apiVersion: cluster.kurl.sh/v1beta1
      kind: Installer
      metadata:
        name: patch
      spec:
        firewalldConfig:
          firewalld: enabled
          command: ["/bin/bash", "-c"]
          args: ["echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf && sysctl -p"]
          firewalldCmds:
            - ["--permanent", "--zone=trusted", "--add-interface=weave"]
            - ["--zone=external", "--add-masquerade"]
            # SSH port
            - ["--permanent", "--zone=public", "--add-port=22/tcp"]
            # HTTPS port
            - ["--permanent", "--zone=public", "--add-port=443/tcp"]
            # Kubernetes etcd port
            - ["--permanent", "--zone=public", "--add-port=2379-2830/tcp"]
            # Kubernetes API port
            - ["--permanent", "--zone=public", "--add-port=6443/tcp"]
            # Weave Net port
            - ["--permanent", "--zone=public", "--add-port=6783/udp"]
            # Weave Net port
            - ["--permanent", "--zone=public", "--add-port=6783-6874/tcp"]
            # CD4PE Webhook callback port (uncomment line below if needed)
            # - ["--permanent", "--zone=public", "--add-port=8000/tcp"]
            # KOTS UI port
            - ["--permanent", "--zone=public", "--add-port=8800/tcp"]
            # CD4PE Local registry port (offline only, uncomment line below if needed)
            # - ["--permanent", "--zone=public", "--add-port=9001/tcp"]
            # Kubernetes component ports (kubelet, kube-scheduler, kube-controller)
            - ["--permanent", "--zone=public", "--add-port=10250-10252/tcp"]
            # Reload firewall rules
            - ["--reload"]
          bypassFirewalldWarning: true
          disableFirewalld: false
          hardFailOnFirewalld: false
          preserveConfig: false
  3. Ensure that IP address ranges 10.96.0.0/22 and 10.32.0.0/22 are locally accessible. See Resolve IP address range conflicts for instructions.
  4. If you use the puppetlabs/firewall module to manage your cluster's firewall rules with Puppet, be advised that purging unknown rules from changes breaks Kubernetes communication. To avoid this, apply the puppetlabs/pam_firewall module before installing Puppet Application Manager.

This installation process results in a basic Puppet Application Manager instance. Installation takes several (mostly hands-off) minutes to complete.
  1. From the command line of your node, run the installation script:
    curl -sSL https://k8s.kurl.sh/puppet-application-manager-standalone | sudo bash
    1. When the installation script prints the Puppet Application Manager address and password, make a careful note of these credentials:
      ---
      Kotsadm: http://<PUPPET APPLICATION MANAGER ADDRESS>:8800
      Login with password (will not be shown again): <PASSWORD>
      ---
      Note: If you lose this password or wish to change it, see Reset the Puppet Application Manager password for instructions.
    2. When the installation script is complete, run bash -l to reload the shell.
    Tip: If the installation script fails, run the following and upload the results to the Puppet Support team:
    kubectl support-bundle https://kots.io
    If you're installing as the root user, run the command directly:
    /usr/local/bin/kubectl-support_bundle https://kots.io
  2. Navigate to the Puppet Application Manager UI using the address provided by the installation script (http://<PUPPET APPLICATION MANAGER ADDRESS>:8800) and follow the prompts.
    The Puppet Application Manager UI is where you manage Puppet applications. You’ll be guided through the process of setting up SSL certificates, uploading a license, and checking to make sure your infrastructure meets application system requirements.
What to do next

Follow the instructions for configuring and deploying your Puppet applications on Puppet Application Manager.

For more information on installing Continuous Delivery for PE online, see Install Continuous Delivery for PE.

For more information on installing Comply online, see Install Comply online.