Installation

Prerequisite

Cert Manager

XTS depends on cert-manager to issue certificates.

You’ve probably been using cert-manager. If so, you can skip this section.

cert-manager is a powerful and extensible X.509 certificate controller for Kubernetes and OpenShift workloads. It will obtain certificates from a variety of Issuers, both popular public Issuers as well as private Issuers, and ensure the certificates are valid and up-to-date, and will attempt to renew certificates at a configured time before expiry.

  1. Install cert-manager
  2. Configure an Issuer

Trust Manager

XTS depends on trust-manager to provide the trusted CAs used to validate certificates during TLS handshakes, both inside the cluster and across regions.

You’ve probably been using trust-manager. If so, you can skip this section.

trust-manager is designed to complement cert-manager and works well when consuming CA certificates from a cert-manager Issuer or ClusterIssuer.

  1. Install trust-manager
  2. Configure a Bundle

External Load Balancer Provider

XTS depends on an external load balancer provider to allocate an external IP address.

You’ve probably already installed an external load balancer provider,

  • if you’re using a cloud provider like GCP, AWS, Azure…
  • or if you’re using something like MetalLB in your private cloud.

Installation/Upgrade

Download a Release

Every release contains several Docker images and one Helm chart.

e.g.

XTS v1.0.0:
xts-1.0.0-amd64.tar # docker image of arch amd64
xts-1.0.0-arm64.tar # docker image of arch arm64
xts-1.0.0.tgz # helm chart

Upload Docker Image

Choose the Docker image that matches your architecture, and upload it to your image registry server.

If no image matches your architecture, please contact us; we’ll build a Docker image for that architecture and add it to the release.

Install for the First Time

helm install xts <path-to-helm-chart> --set namespace=<namespace>,image=<path-to-docker-image>,cert.issuer.name=<issuer>,cert.issuer.kind=<issuer-kind>,trustedCAs.name=<trusted-cas-name>,trustedCAs.key=<trusted-cas-key>,licenseSubject=<license-subject> --set-file license=<path-to-license>

e.g.

helm install xts xts-1.0.0.tgz --set namespace=default,image=registry-address/xts:1.0.0-amd64,cert.issuer.name=issuer,cert.issuer.kind=ClusterIssuer,trustedCAs.name=trusted-cas,trustedCAs.key=cas,licenseSubject=your-company --set-file license=your-company.xts.license
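
How the cert-manager and trust-manager prerequisites line up with the flags in the command above, as an added example that is not part of the XTS release or its documentation. The names issuer, trusted-cas and cas are taken from that command; selfsigned-bootstrap, xts-root-ca and the cert-manager namespace (the default install namespace of cert-manager and trust-manager) are assumptions.

```yaml
# Added example: a private CA issuer plus a trust bundle for XTS.
# Assumption: cert-manager and trust-manager both run in the "cert-manager" namespace.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap        # hypothetical name; used only to mint the root CA
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: xts-root-ca                 # hypothetical name
  namespace: cert-manager           # a ClusterIssuer reads its CA secret from this namespace
spec:
  isCA: true
  commonName: xts-root-ca
  secretName: xts-root-ca
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: issuer                      # cert.issuer.name=issuer, cert.issuer.kind=ClusterIssuer
spec:
  ca:
    secretName: xts-root-ca
---
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trusted-cas                 # trustedCAs.name=trusted-cas
spec:
  sources:
    - secret:
        name: xts-root-ca
        key: tls.crt                # the CA certificate only, never tls.key
  target:
    configMap:
      key: cas                      # trustedCAs.key=cas (trustedCAs.kind defaults to ConfigMap)
```

trust-manager writes the bundle to a ConfigMap named trusted-cas in every namespace, so the namespace passed to helm receives it. Only the CA certificate is copied; the CA private key stays in the cert-manager namespace.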

Upgrade

XTS is backward compatible, so you can seamlessly upgrade to a new version.

# mostly the same as installation, except the subcommand install is replaced with upgrade
helm upgrade xts <path-to-helm-chart> ...

e.g.

helm upgrade xts xts-1.1.0.tgz ...

Because helm upgrade doesn’t update CRDs, please execute the following to update CRDs.

tar -zxvf <path-to-helm-chart> -C /tmp xts/crds
kubectl apply -f /tmp/xts/crds
rm -rf /tmp/xts

Complete List of Options

The following is the complete list of installation and upgrade options.

| Required | Option | Default Value | Meaning |
|---|---|---|---|
| | namespace | default | The namespace in which to install/upgrade XTS |
| | image | | Path to docker image of XTS |
| | replicas | 2 | Number of replicas of XTS |
| | tz | UTC | Local time zone in containers of XTS |
| | lease | 15s | Lease duration, used in leader election |
| | externalSrvPort | 1058 | XTS external server port |
| | restPort | 1060 | RESTful server port |
| | maxConn | | Max number of concurrent connections. Defaults to no limit. |
| | idleTimeout | 1m | Idle timeout. If no data is sent from a connection in the specified duration, close the connection. |
| | handshakeTimeout | 10s | Handshake timeout. If handshake does not finish in the specified duration, close the connection. |
| | dialTimeout | 3s | Connection timeout. See also Go DialTimeout. |
| | tlsHandshakeTimeout | 10s | TLS handshake timeout. If TLS handshake does not finish in the specified duration, close the connection. |
| | maxConReq | | Max number of concurrent requests to the RESTful server. Defaults to no limit. |
| | enableTc | false | Whether to enable ATC or not |
| | cert.duration | | Duration (i.e. lifetime) of Certificate. Defaults to 90 days as per cert-manager doc. |
| | cert.renewBefore | | How long before expiry a certificate should be renewed. Defaults to 1/3 of cert.duration as per cert-manager doc. |
| | cert.issuer.kind | | Kind of cert-manager issuer. Valid values are ClusterIssuer, Issuer. |
| | cert.issuer.name | | Name of cert-manager issuer. |
| | trustedCAs.kind | ConfigMap | Kind of trust-manager Bundle target. Valid values are ConfigMap, Secret. |
| | trustedCAs.name | | Name of trust-manager Bundle target |
| | trustedCAs.key | | Key of trust-manager Bundle target |
| | resource.mem.request | | Memory request of a container of XTS |
| | resource.mem.limit | | Memory limit of a container of XTS |
| | resource.cpu.request | | CPU request of a container of XTS |
| | resource.cpu.limit | | CPU limit of a container of XTS |
| | licenseSubject | | License subject, usually the name of your company |
| | license | | Path to license. License subject and license file will be sent to you once you purchase a commercial license. |
| | licenseAddon | | Path to license of addon. License subject and license file will be sent to you once you purchase a commercial license. |
| | log.fileSize | 10 | Max size in MB of a log file. If a file exceeds this size, the file will be rotated. |
| | log.baks | 2 | Max number of old log files. Older files will be removed. |

Log Aggregation

You’ve probably been using a log aggregation system for gathering, querying and displaying logs.
If not, try Loki.