Installation
Prerequisite
Cert Manager
XTS depends on cert-manager ↗ to issue certificates.
You are probably already using cert-manager; if so, you can skip this section.
cert-manager is a powerful and extensible X.509 certificate controller for Kubernetes and OpenShift workloads. It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry.
Trust Manager
XTS depends on trust-manager ↗ for the bundle of trusted CAs used to validate peer certificates during TLS handshakes, both within a cluster and across regions.
You are probably already using trust-manager; if so, you can skip this section.
trust-manager is designed to complement cert-manager and works well when consuming CA certificates from a cert-manager Issuer or ClusterIssuer.
External Load Balancer Provider
XTS depends on an External Load Balancer Provider ↗ to allocate an external IP address.
You have probably already installed an external load balancer provider:
- if you're using a cloud provider like GCP, AWS, Azure…
- or if you're using something like MetalLB ↗ in your private cloud.
Installation/Upgrade
Download a Release
Every release contains several docker images and one helm chart, e.g. XTS v1.0.0:

```text
xts-1.0.0-amd64.tar   # docker image of arch amd64
xts-1.0.0-arm64.tar   # docker image of arch arm64
xts-1.0.0.tgz         # helm chart
```

Upload Docker Image
Choose the docker image that matches your architecture and upload it to your image registry server.
If no image matches your architecture, please contact us; we'll build a docker image for that architecture and add it to the release.
Install for the First Time

```shell
helm install xts <path-to-helm-chart> --set namespace=<namespace>,image=<path-to-docker-image>,cert.issuer.name=<issuer>,cert.issuer.kind=<issuer-kind>,trustedCAs.name=<trusted-cas-name>,trustedCAs.key=<trusted-cas-key>,licenseSubject=<license-subject> --set-file license=<path-to-license>
```

e.g.

```shell
helm install xts xts-1.0.0.tgz --set namespace=default,image=registry-address/xts:1.0.0-amd64,cert.issuer.name=issuer,cert.issuer.kind=ClusterIssuer,trustedCAs.name=trusted-cas,trustedCAs.key=cas,licenseSubject=your-company --set-file license=your-company.xts.license
```

Upgrade
XTS is backward compatible, so you can seamlessly upgrade to a new version.

```shell
# mostly the same as installation, except that the subcommand install is replaced with upgrade
helm upgrade xts <path-to-helm-chart> ...
```

e.g.

```shell
helm upgrade xts xts-1.1.0.tgz ...
```

Because helm upgrade doesn't update CRDs, execute the following to update the CRDs:

```shell
tar -zxvf <path-to-helm-chart> -C /tmp xts/crds
kubectl apply -f /tmp/xts/crds
rm -rf /tmp/xts
```

Complete List of Options
The following is the complete list of options for installation and upgrade.
| Required | Option | Default Value | Meaning |
|---|---|---|---|
| | namespace | default | The namespace where to install/upgrade XTS |
| ✓ | image | | Path to docker image of XTS |
| | replicas | 2 | Number of replicas of XTS |
| | tz | UTC | Local time zone in containers of XTS |
| | lease | 15s | Lease duration, used in leader election |
| | externalSrvPort | 1058 | XTS external server port |
| | restPort | 1060 | RESTful server port |
| | maxConn | | Max number of concurrent connections. Default to no limit. |
| | idleTimeout | 1m | Idle timeout. If no data is sent from a connection in the specified duration, close the connection. |
| | handshakeTimeout | 10s | Handshake timeout. If the handshake does not finish in the specified duration, close the connection. |
| | dialTimeout | 3s | Connection timeout. See also Go DialTimeout ↗. |
| | tlsHandshakeTimeout | 10s | TLS handshake timeout. If the TLS handshake does not finish in the specified duration, close the connection. |
| | maxConReq | | Max number of concurrent requests to the RESTful server. Default to no limit. |
| | enableTc | false | Whether to enable ATC or not |
| | cert.duration | | Duration (i.e. lifetime) of Certificate. Default to 90 days as per cert-manager doc. |
| | cert.renewBefore | | How long before expiry a certificate should be renewed. Default to 1/3 of cert.duration as per cert-manager doc. |
| ✓ | cert.issuer.kind | | Kind of cert-manager issuer. Valid values are ClusterIssuer, Issuer. |
| ✓ | cert.issuer.name | | Name of cert-manager issuer. |
| | trustedCAs.kind | ConfigMap | Kind of trust-manager Bundle target. Valid values are ConfigMap, Secret. |
| ✓ | trustedCAs.name | | Name of trust-manager Bundle target |
| ✓ | trustedCAs.key | | Key of trust-manager Bundle target |
| | resource.mem.request | | Memory request of a container of XTS |
| | resource.mem.limit | | Memory limit of a container of XTS |
| | resource.cpu.request | | CPU request of a container of XTS |
| | resource.cpu.limit | | CPU limit of a container of XTS |
| ✓ | licenseSubject | | License subject, usually the name of your company |
| ✓ | license | | Path to license. License subject and license file will be sent to you once you purchase a commercial license. |
| | licenseAddon | | Path to license of addon. License subject and license file will be sent to you once you purchase a commercial license. |
| | log.fileSize | 10 | Max size in MB of a log file. If a file exceeds this size, the file will be rotated. |
| | log.baks | 2 | Max number of old log files. Older files will be removed. |
- For all duration options, the format is defined by Go time.ParseDuration ↗.
- For all cert-manager options (i.e. cert.*), see also the cert-manager API doc ↗.
- For all trust-manager options (i.e. trustedCAs.*), see also the trust-manager doc ↗.
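The install and upgrade commands above take every option through a single `--set` string, so a mistyped issuer kind, a duration without a unit, or a license path passed with `--set` instead of `--set-file` is only caught once helm or the XTS pods fail. The following is an added example, not part of the XTS project or its chart: it validates an option set against the constraints stated in the options table (required options, the `ClusterIssuer`/`Issuer` and `ConfigMap`/`Secret` enumerations, Go duration syntax, port ranges, and `cert.renewBefore` being shorter than `cert.duration`, which cert-manager requires) and then builds the `helm install` or `helm upgrade` argv. The helper names (`validate`, `build_helm_command`, `is_go_duration`, `go_duration_seconds`) are this example's own; the option names and values are those of the table and of the page's example command.

```python
# Added example (not XTS project code): validate an XTS option set against the
# constraints in the options table and build the helm command line for install
# or upgrade. Helper names are this example's own; option names, required
# flags and valid values come from the table on this page.
import re
import shlex

REQUIRED = {"image", "cert.issuer.kind", "cert.issuer.name",
            "trustedCAs.name", "trustedCAs.key", "licenseSubject", "license"}
DURATION_OPTS = {"lease", "idleTimeout", "handshakeTimeout", "dialTimeout",
                 "tlsHandshakeTimeout", "cert.duration", "cert.renewBefore"}
ENUM_OPTS = {"cert.issuer.kind": {"ClusterIssuer", "Issuer"},
             "trustedCAs.kind": {"ConfigMap", "Secret"}}
FILE_OPTS = {"license", "licenseAddon"}      # passed with --set-file, not --set
PORT_OPTS = {"externalSrvPort", "restPort"}

# Simplified Go time.ParseDuration grammar: one or more <number><unit> groups
# such as "15s", "1h30m", "1.5h" (ASCII units only; a bare "0" is also valid).
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_GROUP = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|ms|s|m|h)")
_GO_DURATION = re.compile(r"^[-+]?(?:(?:\d+(?:\.\d*)?|\.\d+)(?:ns|us|ms|s|m|h))+$")


def is_go_duration(value: str) -> bool:
    return value == "0" or bool(_GO_DURATION.match(value))


def go_duration_seconds(value: str) -> float:
    """Convert a Go duration string to seconds (a leading sign is ignored)."""
    if not is_go_duration(value):
        raise ValueError(f"{value!r} is not a Go duration")
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in _GROUP.findall(value))


def validate(values: dict) -> list:
    """Return a list of problems with the option set; an empty list means OK."""
    problems = [f"missing required option {o}" for o in sorted(REQUIRED - values.keys())]
    for opt, val in values.items():
        if opt in ENUM_OPTS and val not in ENUM_OPTS[opt]:
            problems.append(f"{opt}={val!r}: valid values are {sorted(ENUM_OPTS[opt])}")
        elif opt in DURATION_OPTS and not is_go_duration(val):
            problems.append(f"{opt}={val!r}: not a Go duration")
        elif opt in PORT_OPTS and not (val.isdigit() and 1 <= int(val) <= 65535):
            problems.append(f"{opt}={val!r}: not a valid TCP port")
        elif opt == "replicas" and not (val.isdigit() and int(val) >= 1):
            problems.append(f"replicas={val!r}: must be a positive integer")
        elif opt in FILE_OPTS and not val:
            problems.append(f"{opt}: file path must not be empty")
    # cert-manager renews a certificate renewBefore ahead of expiry, so that
    # window must be shorter than the certificate's lifetime.
    dur, renew = values.get("cert.duration"), values.get("cert.renewBefore")
    if dur and renew and is_go_duration(dur) and is_go_duration(renew):
        if go_duration_seconds(renew) >= go_duration_seconds(dur):
            problems.append("cert.renewBefore must be shorter than cert.duration")
    return problems


def build_helm_command(action: str, chart: str, values: dict) -> list:
    """Build argv for `helm install`/`helm upgrade xts <chart>` from validated options."""
    if action not in ("install", "upgrade"):
        raise ValueError(f"action must be install or upgrade, got {action!r}")
    problems = validate(values)
    if problems:
        raise ValueError("; ".join(problems))
    pairs = []
    for key, val in values.items():
        if key not in FILE_OPTS:
            # helm splits --set on commas, so a comma inside a value is escaped.
            pairs.append(f"{key}=" + val.replace(",", "\\,"))
    argv = ["helm", action, "xts", chart, "--set", ",".join(pairs)]
    for key, val in values.items():
        if key in FILE_OPTS:          # helm reads the file content, not the path
            argv += ["--set-file", f"{key}={val}"]
    return argv


# The values from the page's own example install command (the registry
# address and company name are the page's placeholders, not real ones).
EXAMPLE_VALUES = {
    "namespace": "default",
    "image": "registry-address/xts:1.0.0-amd64",
    "cert.issuer.name": "issuer",
    "cert.issuer.kind": "ClusterIssuer",
    "trustedCAs.name": "trusted-cas",
    "trustedCAs.key": "cas",
    "licenseSubject": "your-company",
    "license": "your-company.xts.license",
}

if __name__ == "__main__":
    print(shlex.join(build_helm_command("install", "xts-1.0.0.tgz", EXAMPLE_VALUES)))
```

Run as a script it prints the shell-quoted install command for the page's example values; swapping `"install"` for `"upgrade"` and the chart path gives the upgrade command, and `validate` can be called on its own from a CI job before any helm invocation. Keeping `license` and `licenseAddon` in `FILE_OPTS` is what guarantees they are emitted as `--set-file`, so the license content rather than its path reaches the chart.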
Log Aggregation
You are probably already using a log aggregation system for gathering, querying and displaying logs.
If not, try Loki ↗.