Palette Management Appliance
This is a Tech Preview feature and is subject to change. Upgrades from a Tech Preview deployment may not be available. Do not use this feature in production workloads.
The Palette Management Appliance is downloadable as an ISO file and is a solution for installing self-hosted Palette on your infrastructure. The ISO file contains all the necessary components needed for Palette to function. The ISO file is used to boot the nodes, which are then clustered to form a Palette management cluster.
Once Palette has been installed, you can download pack bundles and upload them to the internal Zot registry or an external registry. These pack bundles are used to create your cluster profiles. You will then be able to deploy clusters in your environment.
Third Party Packs
There is an additional option to download and install the Third Party packs that provide complementary functionality to Palette. These packs are not required for Palette to function, but they do provide additional features and capabilities as described in the following table.
Feature | Included with Palette Third Party Pack | Included with Palette Third Party Conformance Pack |
---|---|---|
Backup and Restore | ✅ | ❌ |
Configuration Security | ✅ | ❌ |
Penetration Testing | ✅ | ❌ |
Software Bill Of Materials (SBOM) scanning | ✅ | ❌ |
Conformance Testing | ❌ | ✅ |
Architecture
The ISO file is built with the Operating System (OS), Kubernetes distribution, Container Network Interface (CNI), and Container Storage Interface (CSI). A Zot registry is also included in the Appliance Framework ISO. Zot is a lightweight, OCI-compliant container image registry that is used to store the Palette packs needed to create cluster profiles.
The following table displays the infrastructure profile for the self-hosted Palette appliance.
Layer | Component | Version |
---|---|---|
OS | Ubuntu: Immutable Kairos | 22.04 |
Kubernetes | Palette eXtended Kubernetes Edge (PXK-E) | 1.32.3 |
CNI | Calico | 3.29.2 |
CSI | Piraeus | 2.8.1 |
Registry | Zot | 0.1.67 |
Supported Platforms
The Palette Management Appliance can be used on the following infrastructure platforms:
- VMware vSphere
- Bare Metal
- Machine as a Service (MAAS)
Limitations
- Only public image registries are supported if you are choosing to use an external registry for your pack bundles.
Installation Steps
Follow the instructions to install Palette using the Palette Management Appliance on your infrastructure platform.
Prerequisites
- ISO management software installed on your local machine, such as `mkisofs` or `genisoimage`.
- Access to the Artifact Studio to download the Palette Enterprise ISO.
- A minimum of three nodes must be provisioned in advance for the Palette installation. We recommend the following resources for each node. Refer to the Palette Size Guidelines for additional sizing information.
  - 8 CPUs per node.
  - 16 GB memory per node.
  - Two disks per node.
    - The first disk must be at least 250 GB and is used for the ISO stack. You specify the device in the `user-data` file during the ISO creation process in the first few steps.
    - The second disk must be at least 500 GB and is used for the storage pool. The default device selected is `/dev/sdb`. You can change the default device during the cluster creation steps in Local UI.

      Danger: The second disk is wiped as part of the installation process. If using an existing disk, ensure that you back up any important data before proceeding.
- We recommend at least two removable media connections to attach both the Palette Enterprise ISO and the user-data ISO. These can be physical or virtual connections depending on your infrastructure provider.

  If your nodes only support a single removable media connection, you can still proceed by following the tips and additional steps mentioned in the Install Palette steps.
- The following network ports must be accessible on each node for Palette to operate successfully.
  - TCP/443: Must be open between all Palette nodes and accessible for user connections to the Palette management cluster.
  - TCP/6443: Outbound traffic from the Palette management cluster to the deployed cluster's Kubernetes API server.
- SSH access must be available to the nodes used for Palette installation.
- Relevant permissions to install Palette on the nodes, including permission to attach or mount an ISO and set nodes to boot from it.

  Warning:
  - The ISO is only supported on Unified Extensible Firmware Interface (UEFI) systems. Ensure you configure the nodes to boot from the ISO in UEFI mode.
  - Palette Management Appliance does not support Secure Boot. Disable it on the nodes before proceeding with the installation.
- You can choose to use either the internal Zot registry that comes with Palette or an external registry of your choice. If using an external registry, you will need to provide the following information during the Palette installation process.
  - The DNS/IP endpoint and port for the external registry.
  - The username for the registry.
  - The password for the registry.
  - (Optional) The Certificate Authority (CA) certificate that was used to sign the external registry certificate, in Base64 format.

  Ensure the nodes used to host the Palette management cluster have network access to the external registry server.

  How to get Base64 encoded entries for a certificate

  You can get the Base64 encoded entry from your certificate by using the following command. Replace `<certificate-file>` with the filename of your certificate file.

  ```shell
  base64 --wrap 0 <certificate-file>
  ```
- If you have an Ubuntu Pro subscription, you can provide the Ubuntu Pro token during the Palette installation process. This is optional but recommended for security and compliance purposes.
- A virtual IP address (VIP) must be available for the Palette management cluster. This is assigned during the Palette installation process and is used for load balancing and high availability. The VIP must be accessible to all nodes in the Palette management cluster.

  How to discover free IPs in your environment

  You can discover free IPs in your environment by using a tool like `arping` or `nmap`. For example, you can issue the following command to probe a CIDR block for free IP addresses.

  ```shell
  nmap --unprivileged -sT -Pn 10.10.200.0/24
  ```

  This command will scan the CIDR block and output any hosts it finds.

  Example nmap output:

  ```text
  Nmap scan report for test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2)
  Host is up.
  All 1000 scanned ports on test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2) are in ignored states.
  Not shown: 1000 filtered tcp ports (no-response)
  ```

  For any free IP addresses, you can use `arping` to double-check if the IP is available.

  Example arping command:

  ```shell
  arping -D -c 4 10.10.200.101
  ```

  Example arping output:

  ```text
  ARPING 10.10.200.101 from 0.0.0.0 ens103
  Sent 4 probes (4 broadcast(s))
  Received 0 response(s)
  ```

  If you receive no responses, like the example output above, the IP address is likely free.
Install Palette
1. Create a file called `user-data` using the following template and replace `<storage-drive>` with the drive to use for the Palette ISO stack, such as `/dev/sda`. If the device is not specified, the default value is `auto`. This means the installer selects the largest available drive, which may not be the desired behavior, especially in multi-drive environments.

   Tip: If your nodes only support a single removable media connection, skip to step 5.
   ```yaml
   #cloud-config
   install:
     reboot: false
     poweroff: true
     device: <storage-drive>
     grub_options:
       extra_cmdline: "fips=1 selinux=0"
     bind_mounts:
       - /etc/lvm
       - /var/lib/drbd
       - /var/lib/linstor.d
       - /var/lib/piraeus-datastore
       - /var/lib/calico
   stylus:
     debug: false
     trace: false
     installationMode: airgap
     skipStylusUpgrade: true
     includeTui: true
   stages:
     after-reset:
       - commands:
           - |
             sudo lvchange -an drbd-vg
             sudo lvremove -f drbd-vg
             sudo vgremove drbd-vg
         if: "vgs drbd-vg >/dev/null 2>&1"
         name: Wipe and prepare secondary SSD for CSI...
     kairos-install.pre.after:
       - commands:
           - |
             sudo lvchange -an drbd-vg
             sudo lvremove -f drbd-vg
             sudo vgremove drbd-vg
         if: "vgs drbd-vg >/dev/null 2>&1"
         name: Wipe and prepare secondary SSD for CSI...
   ```
2. Create an empty `meta-data` file.

   ```shell
   touch meta-data
   ```
3. Create the user-data ISO using the following command.

   ```shell
   mkisofs -output user-data.iso -volid cidata -joliet -rock user-data meta-data
   ```
4. Load the user-data ISO to a bootable device, such as a USB stick, or upload the ISO to a datastore in your VMware environment. You can use several software tools to create a bootable USB drive, such as balenaEtcher.
   - For VMware vSphere, you can upload the Palette Enterprise ISO to a datastore using the vSphere Client or the `govc` CLI tool. Refer to the vSphere or govc documentation for more information.
   - For Bare Metal, you can use tools like `scp` or `rsync` to transfer the Palette Enterprise ISO to the nodes, or use a USB drive to boot the nodes from the ISO.
   - For Machine as a Service (MAAS), you can upload and deploy ISOs using Packer. Refer to the MAAS documentation for more information.

   Ensure that the user-data ISO is accessible to all nodes that will be part of the Palette management cluster.

   Info: The user-data ISO only contains configuration data. If you use a tool like balenaEtcher to write the ISO file to a USB stick, it may display a warning stating that the user-data ISO is not bootable. You can safely ignore this warning and continue writing the image to USB.
5. Download the Palette Enterprise ISO from the Artifact Studio. Refer to the Artifact Studio guide for instructions on how to access and download the ISO.
6. Upload the Palette Enterprise ISO to your infrastructure provider. This can be done using the web interface of your infrastructure provider or using command-line tools.

   Ensure that the Palette Enterprise ISO is accessible to all nodes that will be part of the Palette management cluster.
7. Attach the Palette Enterprise ISO and the user-data ISO to the nodes and ensure the boot order is set to boot from the Palette Enterprise ISO first.

   For example, in VMware vSphere, the VMs will have the Palette Enterprise ISO in CD/DVD drive 1 and the user-data ISO in CD/DVD drive 2. Refer to the documentation of your infrastructure provider for specific instructions on how to attach and boot from multiple ISOs.

   Tip: If your nodes only support a single removable media connection, attach the Palette Enterprise ISO only.
8. Restart the nodes to start the installation process.

   If your nodes only support a single removable media connection, read and follow the additional steps below before restarting your nodes.

   Additional steps for single removable media connections

   1. Once the node has rebooted and entered the GRand Unified Bootloader (GRUB) menu, select the Palette eXtended Kubernetes Edge Install (manual) option and press ENTER.

      Caution: Ensure that you select the option within the first five seconds of the GRUB menu appearing, as it will automatically proceed with the default installation option after this time.

   2. Once the node has finished booting, in the terminal, issue the following command to list the block devices.

      ```shell
      lsblk --paths
      ```

      Use the output to identify the correct device name for the installation process. For example, `/dev/sda`.

      Example output:

      ```text
      NAME         MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
      /dev/loop0     7:0    0    1G  1 loop /run/rootfsbase
      /dev/sda       8:0    0  250G  0 disk
      /dev/sdb       8:16   0 5000G  0 disk
      /dev/sr0      11:0    1 17.3G  0 rom  /run/initramfs/live
      ```

   3. Issue the following command to edit the installation manifest.

      ```shell
      vi /oem/stylus_config.yaml
      ```

   4. Add the following `install.device` section to your manifest, replacing `<storage-drive>` with the device name identified in step 2.

      ```yaml
      #cloud-config
      cosign: false
      verify: false
      install:
        device: <storage-drive>
        grub-entry-name: "Palette eXtended Kubernetes Edge"
        system:
          size: 8192
      ...
      ```

   5. Save the changes and exit the editor.

   6. Issue the following command to start the installation process.

      ```shell
      kairos-agent install
      ```

      Once the command is issued, proceed to the next step.
9. Once the nodes are booted from the ISO, the GRand Unified Bootloader (GRUB) screen may be displayed with selectable options; this should be ignored, as the installation will proceed automatically.

   Wait for the installation process to complete. This will take at least 15 minutes, depending on the resources available on the nodes. After completion, the nodes will reboot and display the Palette TUI.
10. In the Palette TUI, provide credentials for the initial account. This account will be used to log in to Local UI and for SSH access to the node.

    Field | Description |
    ---|---|
    Username | Provide a username to use for the account. |
    Password | Enter a password for the account. |
    Confirm Password | Re-enter the password for confirmation. |

    Press ENTER to continue.
11. In the Palette TUI, the available configuration options are displayed and are described in the next three steps. Use the TAB key or the up and down arrow keys to switch between fields. When you make a change, press ENTER to apply the change. Use ESC to go back.
12. In Hostname, check the existing hostname and, optionally, change it to a new one.
13. In Host Network Adapters, select a network adapter you would like to configure. By default, the network adapters request an IP automatically from the Dynamic Host Configuration Protocol (DHCP) server. The CIDR block of an adapter's possible IP address is displayed in the Host Network Adapters screen without selecting an individual adapter.

    In the configuration page for each adapter, you can change the IP addressing scheme of the adapter and choose a static IP instead of DHCP. In Static IP mode, you will need to provide a static IP address and subnet mask, as well as the address of the default gateway. Specifying a static IP will remove the existing DHCP settings.

    You can also specify the Maximum Transmission Unit (MTU) for your network adapter. The MTU defines the largest size, in bytes, of a packet that can be sent over a network interface without needing to be fragmented.
14. In DNS Configuration, specify the IP address of the primary and alternate name servers. You can optionally specify a search domain.
15. After you are satisfied with the configurations, navigate to Quit and press ENTER to finish the configuration. Press ENTER again on the confirmation prompt.

    After a few seconds, the terminal displays the Device Info and prompts you to provision the device through Local UI.

    Tip: If you need to access the Palette TUI again, issue the `palette-tui` command in the terminal.
16. Ensure you complete the configuration on each node before proceeding to the next step.
17. Decide on the host that you plan to use as the leader of the group. Refer to Link Hosts for more information about leader hosts.
18. Access the Local UI of the leader host. Local UI is used to manage the Palette nodes and perform administrative tasks. It provides a web-based interface for managing the Palette management cluster.

    In your web browser, go to `https://<node-ip>:5080`. Replace `<node-ip>` with the IP address of your node. If you have changed the default port of the console, replace `5080` with the Local UI port. The address of the Local UI console is also displayed on the terminal screen of the node.

    If you are accessing Local UI for the first time, a security warning may be displayed in your web browser. This is because Local UI uses a self-signed certificate. You can safely ignore this warning and proceed to Local UI.
19. Log in to Local UI using the credentials you provided in step 10.
20. (Optional) If you need to configure an HTTP proxy server for the node, follow the steps in the Configure HTTP-Proxy in Local UI guide. When done, proceed to the next step.
21. From the left main menu, click Linked Edge Hosts.
22. Click Generate token. The host begins generating tokens that you will use to link this host with other hosts. The Base64 encoded token contains the IP address of the host, as well as an OTP that will expire in two minutes. Once a token expires, the leader generates another token automatically.
23. Click the Copy button to copy the token.
24. Log in to Local UI on the host that you want to link to the leader host.
25. From the left main menu, click Linked Edge Hosts.
26. Click Link this device to another.
27. In the pop-up box that appears, enter the token you copied from the leader host.
28. Click Confirm.
29. Repeat steps 24-28 for every host you want to link to the leader host.
30. Confirm that all linked hosts appear in the Linked Edge Hosts table. The following columns should show the required statuses.

    Column | Status |
    ---|---|
    Status | Ready |
    Content | Synced |
    Health | Healthy |

    Content synchronization will take at least five minutes to complete, depending on your network resources.
31. On the left main menu, click Cluster.
32. Click Create cluster.
33. For Basic Information, provide a name for the cluster and optional tags in `key:value` format.
34. In Cluster Profile, the Imported Applications preview section displays the applications that are included with the Palette Management Appliance. These applications are pre-configured and used to deploy your Palette management cluster.

    Leave the default options in place and click Next.
35. In Profile Config, configure the cluster profile settings to your requirements. Review the following tables for the available options.
    Cluster Profile Options

    Option | Description | Type | Default |
    ---|---|---|---|
    Pod CIDR | The CIDR range for the pod network. This is used to allocate IP addresses to pods in the cluster. | CIDR notation | `100.64.0.0/18` |
    Service CIDR | The CIDR range for the service network. This is used to allocate IP addresses to services in the cluster. | CIDR notation | `100.64.64.0/18` |
    Ubuntu Pro Token (Optional) | The token for your Ubuntu Pro subscription. | String | No default |
    Storage Pool Drive (Optional) | The storage pool device to use for the cluster. As mentioned in the Prerequisites, assign this to your second storage device. | String | `/dev/sdb` |
    CSI Placement Count | The number of replicas for the Container Storage Interface (CSI) Persistent Volumes (PVs). The accepted values are `1` or `3`. We recommend using `3` to provide high availability for the CSI volumes. This value must match the MongoDB Replicas value. | Integer | `3` |
    Registry Options

    Option | Description | Type | Default |
    ---|---|---|---|
    In Cluster Registry (Optional) | `True`: use the internal Zot registry. `False`: use an external registry. | Boolean | `True` |
    Registry Endpoint | The DNS/IP endpoint for the registry. Leave the default entry if using the internal Zot registry, which is a virtual IP address assigned by kube-vip. Adjust if using an external registry. | String | `{{.spectro.system.cluster.kubevip}}` |
    Registry Port | The port for the registry. The default value can be changed for the internal Zot registry. Adjust if using an external registry. | Integer | `30003` |
    OCI Registry Base Content Path (Optional) | The base path for the registry content for the internal or external registry. Palette packs will be stored in this directory. | String | `spectro-content` |
    OCI Pack Registry Username | If using the internal Zot registry, leave the default username or adjust to your requirements. If using an external registry, provide the appropriate username. | String | `admin` |
    OCI Pack Registry Password | If using the internal Zot registry, enter a password to your requirements. If using an external registry, provide the appropriate password. | String | No default; must be provided. |
    OCI Registry Storage Size (GiB) (Optional) | The size of the storage for the OCI registry. This is used to store the images and packs in the registry. The default value is set to 100 GiB, but this should be increased to at least 250 GiB for production environments. | Integer | `100` |
    OCI Pack Registry Ca Cert (Optional) | Internal Zot registry: not required. External registry: the CA certificate that was used to sign the external registry certificate. | Base64 encoded string | No default |
    Image Replacement Rules (Optional) | Set rules for replacing image references when using an external registry. For example, `all: oci-registry-ip:oci-registry-port/spectro-content`. Leave empty if using the internal Zot registry. | String | No default |
    Root Domain (Optional) | The root domain for the registry. The default is set for the internal Zot registry, which is a virtual IP address assigned by kube-vip. If using an external registry, adjust this to the appropriate domain. | String | `{{.spectro.system.cluster.kubevip}}` |
    Mongo Replicas | The number of MongoDB replicas to create for the cluster. The accepted values are `1` or `3`. We recommend using `3` to provide high availability for the MongoDB database. This value must match the CSI Placement Count value. | Integer | `3` |
36. Click Next when you are done.
37. In Cluster Config, configure the following options.

    Cluster Config Options

    Option | Description | Type | Default |
    ---|---|---|---|
    Network Time Protocol (NTP) (Optional) | The NTP servers to synchronize time within the cluster. | String | No default |
    SSH Keys (Optional) | The public SSH keys to access the cluster nodes. Add additional keys by clicking Add Item. | String | No default |
    Virtual IP Address (VIP) | The virtual IP address for the cluster. This is used for load balancing and high availability. | String | No default |

    Click Next when you are done.
38. In Node Config, configure the following options.

    Important: You must assign at least three control plane nodes for high availability. You can remove the worker node pool as it is not required for the Palette management cluster. When doing this, ensure that the Allow worker capability option is enabled for the control plane node pool.

    Node Pool Options

    Control Plane Pool Options

    Option | Description | Type | Default |
    ---|---|---|---|
    Node pool name | The name of the control plane node pool. This will be used to identify the node pool in Palette. | String | `control-plane-pool` |
    Allow worker capability (Optional) | Whether to allow workloads to be scheduled on this control plane node pool. Ensure that this is enabled if no worker pool is assigned to the cluster. | Boolean | `True` |
    Additional Kubernetes Node Labels (Optional) | Tags for the node pool in `key:value` format. These tags can be used to filter and search for node pools in Palette. | String | No default |
    Taints | Taints for the node pool in `key=value:effect` format. Taints are used to prevent pods from being scheduled on the nodes in this pool unless they tolerate the taint. | Key = string, Value = string, Effect = string (enum) | No default |

    Worker Pool Options

    Option | Description | Type | Default |
    ---|---|---|---|
    Node pool name | The name of the worker node pool. This will be used to identify the node pool in Palette. | String | `worker-pool` |
    Additional Kubernetes Node Labels (Optional) | Tags for the node pool in `key:value` format. These tags can be used to filter and search for node pools in Palette. | String | No default |
    Taints | Taints for the node pool in `key=value:effect` format. Taints are used to prevent pods from being scheduled on the nodes in this pool unless they tolerate the taint. | Key = string, Value = string, Effect = string (enum) | No default |

    Pool Configuration

    The following options are available for both the control plane and worker node pools. You can configure these options to your requirements. You can also remove worker pools if not needed.

    Option | Description | Type | Default |
    ---|---|---|---|
    Architecture | The CPU architecture of the nodes. This is used to ensure compatibility with the applications operating on the nodes. | String (enum) | `amd64` |
    Add Edge Hosts | Click Add Item and select the other hosts that you installed using the Palette Management Appliance ISO. These hosts will be added to the node pool. Each pool must contain at least one node. | N/A | Control Plane Pool: current host selected. Worker Pool: no host selected. |
    NIC Name | The name of the network interface card (NIC) to use for the nodes. Leave on Auto to let the system choose the appropriate NIC, or select one manually from the drop-down menu. | N/A | `Auto` |
    Host Name (Optional) | The hostname for the nodes. This is used to identify the nodes in the cluster. A generated hostname is provided automatically, which you can adjust to your requirements. | String | `edge-*` |
39. Click Next when you are done.
40. In Review, check that your configuration is correct. If you need to make changes, click on any of the sections in the left sidebar to go back and edit the configuration.

    When you are satisfied with your configuration, click Deploy Cluster. This will start the cluster creation process.

    The cluster creation process will take 20 to 30 minutes to complete. You can monitor progress from the Overview tab on the Cluster page in the left main menu. The cluster is fully provisioned when the status changes to Running and the health status is Healthy.
41. Once the cluster is provisioned, access the Palette system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to `https://<vip-address>/system`. Replace `<vip-address>` with the VIP you configured for the cluster.

    The first time you visit the system console, a warning message about an untrusted TLS certificate may appear. This is expected, as you have not yet uploaded your TLS certificate. You can ignore this warning message and proceed.
42. You will be prompted to log in to the Palette system console. Use `admin` as the username and `admin` as the password. You will be prompted to change the password after logging in.
43. In the Account Info window, provide the following information.

    Field | Description |
    ---|---|
    Email address | This is used for notifications and password recovery, as well as logging in to the Palette system console. This will not be active until you configure SMTP settings in the Palette system console and verify your email address. |
    Current password | Use `admin` as the current password. |
    New password | Enter a new password for the account. |
    Confirm new password | Re-enter the new password for confirmation. Refer to Password Requirements and Security to learn about password requirements. |

    After logging in, a summary page is displayed. You now have access to the Palette system console, where you can manage your Palette environment.

    If you are accessing the Palette system console for the first time, a security warning may be displayed in your web browser. This is because Palette is configured with a self-signed certificate. You can replace the self-signed certificate with your own SSL certificates as guided later in Next Steps.

If your installation is not successful, verify that the `piraeus-operator` pack was correctly installed. For more information, refer to the Self-Hosted Installation - Troubleshooting guide.
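The user-data rendering and cidata ISO build from steps 1 through 3 above, as an added example script that is not part of the Palette documentation. It assumes the step 1 template is saved in a file such as `user-data.tmpl` with the `<storage-drive>` placeholder left in place; `validate_drive`, `render_user_data`, `verify_user_data` and `build_cidata_iso` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the Palette docs: wraps steps 1 through 3 so that the
# storage drive is validated and no template placeholder survives into the ISO.
# Assumes the step 1 template is in a file such as user-data.tmpl.
set -eu

# Accept only an absolute /dev path. Omitting the device makes the installer
# fall back to "auto" (largest disk), which on a two-disk node is the 500 GB
# storage-pool disk rather than the 250 GB ISO-stack disk the page asks for.
validate_drive() {
  case "$1" in
    /dev/?*) return 0 ;;
    *) echo "storage drive must be an absolute /dev path, got '$1'" >&2; return 1 ;;
  esac
}

# Fail if an angle-bracket placeholder is left in the file or the install
# device line is missing.
verify_user_data() {
  if grep -q '<[a-z-]*>' "$1"; then
    echo "unfilled placeholder in $1" >&2
    return 1
  fi
  grep -q '^  device: /dev/' "$1" || { echo "no install.device in $1" >&2; return 1; }
}

# Steps 1 and 2: substitute <storage-drive> in TEMPLATE, write user-data and an
# empty meta-data into OUTDIR, then verify the result.
render_user_data() {
  template="$1"; drive="$2"; outdir="$3"
  validate_drive "$drive" || return 1
  mkdir -p "$outdir"
  sed "s|<storage-drive>|$drive|g" "$template" > "$outdir/user-data"
  : > "$outdir/meta-data"
  verify_user_data "$outdir/user-data"
}

# Step 3: build the cidata ISO with mkisofs, or genisoimage when mkisofs is
# absent; both accept the arguments used on the page. Prints the ISO path.
build_cidata_iso() {
  outdir="$1"
  if command -v mkisofs >/dev/null 2>&1; then tool=mkisofs
  elif command -v genisoimage >/dev/null 2>&1; then tool=genisoimage
  else echo "install mkisofs or genisoimage first" >&2; return 1
  fi
  (cd "$outdir" && "$tool" -output user-data.iso -volid cidata -joliet -rock user-data meta-data)
  echo "$outdir/user-data.iso"
}

# Usage: render_user_data user-data.tmpl /dev/sda build && build_cidata_iso build
```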
Validate
1. Log in to the Local UI of the leader host using the URL `https://<node-ip>:5080`. Replace `<node-ip>` with the IP address of the leader host. If you have changed the default port of the console, replace `5080` with the Local UI port.
2. In Local UI, click on Cluster in the left main menu.
3. Check that the cluster status is Running and the health status is Healthy. In the Applications section on this page, the listed applications should be in the Running state.
4. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.
5. On your local machine, open a terminal session and export the `KUBECONFIG` environment variable to point to the downloaded `kubeconfig` file.

   ```shell
   export KUBECONFIG=/path/to/your/downloaded/kubeconfig
   ```

6. Issue the following command to verify the Palette installation.

   ```shell
   kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \
     | grep --extended-regexp '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s'
   ```

   Your output should look similar to the following.
   ```text
   cp-system spectro-cp-ui-5cb6d454f8-bndxb Running
   hubble-system auth-5586c867ff-mk6wn Running
   hubble-system auth-5586c867ff-xm9mx Running
   hubble-system cloud-7bfd6c7f55-bmpkm Running
   hubble-system cloud-7bfd6c7f55-tmmjj Running
   hubble-system configserver-697cf95f9f-z2tr6 Running
   hubble-system event-8566675f7d-l7n8n Running
   hubble-system event-8566675f7d-v8cmz Running
   hubble-system event-8566675f7d-vtp8m Running
   hubble-system foreq-59f8c6c584-47npj Running
   hubble-system hashboard-5fcc8f448c-df5rj Running
   hubble-system hashboard-5fcc8f448c-xs6mr Running
   hubble-system hutil-5b49d6f5bc-5gcqc Running
   hubble-system hutil-5b49d6f5bc-plg9j Running
   hubble-system memstore-75b7d8bb5b-qtn7w Running
   hubble-system mgmt-5874d55cf6-2gh52 Running
   hubble-system mongo-0 Running
   hubble-system mongo-1 Running
   hubble-system mongo-2 Running
   hubble-system msgbroker-0 Running
   hubble-system msgbroker-1 Running
   hubble-system oci-proxy-6bc464cf58-wwksw Running
   hubble-system reloader-reloader-59c87c446c-9cvk5 Running
   hubble-system specman-0 Running
   hubble-system spectro-tunnel-647cf485b-xn87n Running
   hubble-system spectrocluster-85bf89dcdb-llsjj Running
   hubble-system spectrocluster-85bf89dcdb-m2c8w Running
   hubble-system spectrocluster-85bf89dcdb-tp9lk Running
   hubble-system spectrocluster-jobs-557bd5b798-fkzbm Running
   hubble-system spectrossh-74db5544bf-5t24s Running
   hubble-system system-6496bc487-cfchd Running
   hubble-system system-6496bc487-mlxjk Running
   hubble-system timeseries-7c4d6647b5-ckrnt Running
   hubble-system timeseries-7c4d6647b5-jb9tp Running
   hubble-system timeseries-7c4d6647b5-nl86q Running
   hubble-system user-57f7759745-8fjx8 Running
   hubble-system user-57f7759745-hxz4n Running
   ingress-nginx ingress-nginx-controller-m5z54 Running
   ingress-nginx ingress-nginx-controller-qsf6m Running
   ingress-nginx ingress-nginx-controller-w64pz Running
   jet-system jet-856db6655-k87k8 Running
   ui-system spectro-ui-bcff7f675-lds2l Running
   ```
7. Log in to the Palette system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to `https://<vip-address>/system`. Replace `<vip-address>` with the VIP you configured for the cluster.
8. On the login page, use `admin` as the username and the new password you set during the initial login.
9. On the Summary page, check that the On-prem system console is healthy message is displayed.
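A pass/fail version of the step 6 pod check, as an added example that is not part of the Palette documentation. It reads the same three-column `kubectl` output, flags any pod in the five Palette namespaces whose phase is not Running, and also reports any of those namespaces that has no pods at all; `not_running_pods`, `missing_namespaces` and `check_palette_pods` are names chosen here.

```shell
#!/bin/sh
# Added example, not from the Palette docs: turns the step 6 kubectl listing
# into a gate that fails when any Palette pod is not Running or when one of
# the expected namespaces has no pods at all (a component that never deployed).
set -eu

# The namespaces that the page's grep filter selects.
PALETTE_NAMESPACES="cp-system hubble-system ingress-nginx jet-system ui-system"

# Input on stdin: NAMESPACE NAME STATUS (the custom-columns output), with or
# without the header line. Prints "namespace/pod status" for each pod in a
# Palette namespace whose phase is not Running; exits 1 if there is any.
not_running_pods() {
  awk -v ns_list="$PALETTE_NAMESPACES" '
    BEGIN { n = split(ns_list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    NR == 1 && $1 == "NAMESPACE" { next }
    NF >= 3 && ($1 in want) && $3 != "Running" {
      printf "%s/%s %s\n", $1, $2, $3; bad = 1
    }
    END { exit bad ? 1 : 0 }'
}

# Prints each expected namespace that has no pods in the input; exits 1 if any.
missing_namespaces() {
  awk -v ns_list="$PALETTE_NAMESPACES" '
    BEGIN { n = split(ns_list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    NF >= 3 && ($1 in want) { seen[$1] = 1 }
    END {
      for (ns in want) if (!(ns in seen)) { print ns; bad = 1 }
      exit bad ? 1 : 0
    }'
}

# Runs both checks over FILE ("-" for stdin); exits 0 only when both pass.
check_palette_pods() {
  data=$(cat "$1")
  ok=0
  printf '%s\n' "$data" | not_running_pods || ok=1
  printf '%s\n' "$data" | missing_namespaces || ok=1
  return $ok
}

# Live usage with the page's kubectl command (no grep needed; the functions
# filter by namespace themselves):
#   kubectl get pods --all-namespaces \
#     --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \
#     | check_palette_pods -
```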
Upload Packs to Palette
Follow the instructions to upload packs to your Palette instance. Packs are used to create cluster profiles and deploy workload clusters in your environment.
Prerequisites
- Access to the Artifact Studio to download the Palette Enterprise pack bundles.
- If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette management cluster. Also, verify that your local machine can access the Local UI, as airgapped environments may have strict network policies preventing direct access.
  - (Optional) The Palette CLI installed on your local machine if you prefer to use the command line for uploading packs. Refer to the Palette CLI guide for installation instructions.
- If using an external registry, the Palette CLI must be installed on your local machine to upload the content to the external registry. Refer to the Palette CLI guide for installation instructions.
  - Ensure your local machine has network access to the external registry server and you have the necessary permissions to push images to the registry.
Upload Packs
Internal Zot Registry

Local UI Method

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
2. Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio.

   Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.
3. Download the pack bundles to your local machine. Each pack is downloaded in `.zst` format.
4. Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at `https://<node-ip>:5080`. Replace `<node-ip>` with the IP address of the leader host.
5. From the left main menu, click Content.
6. Click Actions in the top right and select Upload Content from the drop-down menu.
7. Click the upload icon to open the file selection dialog and select the downloaded pack ZST files from your local machine. You can select multiple files at once. Alternatively, you can drag and drop the files into the upload area.

   The upload process starts automatically once the files are selected. You can monitor the upload progress in the Upload Content dialog.

   Wait for the File(s) uploaded successfully confirmation message or the green check mark to appear next to the upload progress bar.
8. Log in to the Palette system console.
9. From the left main menu, select Administration, and then select the Pack Registries tab.
10. Select the three-dot menu for the OCI Pack Registry and click Sync.
Internal Zot Registry: Palette CLI Method

- Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
- Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio. Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.
- Download the pack bundles to your local machine. Each pack is downloaded in `.zst` format.
- Open a terminal on your local machine and navigate to the directory where the downloaded pack bundles are located.
- Use the Palette CLI to log in to the internal Zot registry. Replace `<management-vip>` with the VIP address of the Palette management cluster, `<username>` with your username, and `<password>` with your password. If you have changed the default port for the Zot registry, replace `30003` with the correct port number. Be aware that a password passed as a command-line argument is visible in your shell history and in process listings on the local machine.

  ```shell
  palette content registry-login \
    --registry https://<management-vip>:30003 \
    --username <username> \
    --password <password>
  ```

- Upload the pack bundles to the internal Zot registry using the Palette CLI. Replace `<pack-zst>` with your downloaded pack bundle file and `<management-vip>` with the VIP address of the Palette management cluster. If you have changed the default port or the base content path for the Zot registry, replace `30003` with the correct port number and `spectro-content` with the correct content path. Depending on whether the registry uses a regular TLS certificate, a custom TLS certificate, or you choose to skip TLS verification, use the flags shown in the following examples. The `--insecure` flag disables certificate verification for the registry connection, so prefer supplying the registry CA with `--ca-cert` and reserve `--insecure` for test environments on a trusted network.

  Regular TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <pack-zst>
  ```

  Custom TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <pack-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <pack-zst> \
    --insecure
  ```

  The following example output is expected when the upload is successful.

  ```text
  ...
  INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/lb-metallb-helm-0.15.2 to remote bundle 10.11.12.13:30003/spectro-content/bundle-definition:bundle
  -----------------------------
  Push Summary
  -----------------------------
  local bundle bundle pushed to 10.11.12.13:30003/spectro-content
  ```

- Log in to the Palette system console.
- From the left main menu, select Administration, and then select the Pack Registries tab.
- Select the three-dot menu for the OCI Pack Registry and click Sync.
External Registry: Palette CLI Method

- Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
- Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio. Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.
- Download the pack bundles to your local machine. Each pack is downloaded in `.zst` format.
- Open a terminal on your local machine and navigate to the directory where the downloaded pack bundles are located.
- Use the Palette CLI to log in to your external registry. Replace `<registry-dns-or-ip>` with the DNS name or IP address of your registry, `<registry-port>` with the port number of your registry (if applicable), `<username>` with your username, and `<password>` with your password. Be aware that a password passed as a command-line argument is visible in your shell history and in process listings on the local machine.

  ```shell
  palette content registry-login \
    --registry https://<registry-dns-or-ip>:<registry-port> \
    --username <username> \
    --password <password>
  ```

- Upload the pack bundles to your external registry using the Palette CLI. Replace `<pack-zst>` with your downloaded pack bundle file, `<registry-dns-or-ip>` with the DNS name or IP address of your registry, and `<registry-port>` with the port number of your registry (if applicable). If you have changed the base content path from the default, replace `spectro-content` with the correct content path. Depending on whether the registry uses a regular TLS certificate, a custom TLS certificate, or you choose to skip TLS verification, use the flags shown in the following examples. The `--insecure` flag disables certificate verification for the registry connection, so prefer supplying the registry CA with `--ca-cert` and reserve `--insecure` for test environments on a trusted network.

  Regular TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <pack-zst>
  ```

  Custom TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <pack-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <pack-zst> \
    --insecure
  ```

  The following example output is expected when the upload is successful.

  ```text
  ...
  INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/lb-metallb-helm-0.15.2 to remote bundle external.registry.com/spectro-content/bundle-definition:bundle
  -----------------------------
  Push Summary
  -----------------------------
  local bundle bundle pushed to external.registry.com/spectro-content
  ```

  Tip: Be aware of the timeout period for the authentication token. If the token expires, you must re-authenticate to the OCI registry and restart the upload.

- Log in to the Palette system console.
- From the left main menu, select Administration, and then select the Pack Registries tab.
- Select the three-dot menu for your external registry and click Sync.
Validate
Use the validation steps for the registry you loaded.

Internal Zot Registry

- Log in to the Local UI of the leader host of the Palette management cluster.
- From the left main menu, click Content.
- Enter the filename of the uploaded pack in the Filter by name search bar. The pack should appear in the table below. Repeat this step for each pack you uploaded.
External Registry

- Check that the packs have been successfully uploaded to your external registry using the Palette CLI. Replace `<registry-dns-or-ip>` with the DNS name or IP address of your registry, `<registry-port>` with the port number of your registry (if applicable), and `<image-repository>` with the name of the image repository. If you have changed the base content path from the default, replace `spectro-content` with the correct content path. If the registry uses a regular TLS certificate, no TLS flags are needed, as in the example command below; if you are using custom TLS certificates or choosing to skip TLS verification, use the flags shown in the following examples.

  Custom TLS Certificate

  ```shell
  palette content list \
    --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  ```shell
  palette content list \
    --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
    --insecure
  ```

- Check that the pack images you uploaded are listed in the output as repositories with version tags.

  Example command

  ```shell
  palette content list \
    --repo external.registry.com/spectro-content/us-docker.pkg.dev/palette-images/packs/metallb/0.15.2/controller
  ```

  Example output

  ```text
  Listing bundles
  external.registry.com/spectro-content/us-docker.pkg.dev/palette-images/packs/metallb/0.15.2/controller:v0.15.2
  ```
(Optional) Upload Third Party Packs
Follow these instructions to upload the Third Party packs to your Palette instance. The Third Party packs provide additional functionality and capabilities that enhance the Palette experience.
Prerequisites
- Access to the Artifact Studio to download the Third Party packs.
- If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette management cluster. Also verify that your local machine can reach the Local UI, as airgapped environments may have strict network policies that prevent direct access.
- (Optional) The Palette CLI installed on your local machine if you prefer to use the command line to upload packs. Refer to the Palette CLI guide for installation instructions.
- If using an external registry, the Palette CLI must be installed on your local machine to upload the content to the external registry. Refer to the Palette CLI guide for installation instructions.
- Ensure your local machine has network access to the external registry server and that you have the necessary permissions to push images to the registry.
Upload Packs
Follow the procedure for the registry you are using. The internal Zot registry can be loaded either through the Local UI or with the Palette CLI; an external registry is loaded with the Palette CLI.
- Internal Zot Registry: Local UI Method or Palette CLI Method
- External Registry: Palette CLI Method
Internal Zot Registry: Local UI Method

- Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
- Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.
- On the Use case step, select the Add-on only option.
- On the Configure bundle step, enter `Palette Third Party` in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category. Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.
- On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, click the Copy all URLs button to copy the download URLs to your clipboard. Wait until the packs have been downloaded to your local machine. The packs are downloaded in `.zst` format alongside a signature file in `sig.bin` format.

  Tip: Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file. Verify the signatures before uploading, since the registry serves whatever you push to it.

- Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at `https://<node-ip>:5080`. Replace `<node-ip>` with the IP address of the leader host.
- From the left main menu, click Content.
- Click Actions in the top right and select Upload Content from the drop-down menu.
- Click the upload icon to open the file selection dialog and select the Third Party ZST files from your local machine. Alternatively, drag and drop the files into the upload area. The upload starts automatically once the files are selected, and you can monitor its progress in the Upload Content dialog. Wait for the File(s) uploaded successfully confirmation message or the green check mark next to the upload progress bar.
- Log in to the Palette system console.
- From the left main menu, select Administration, and then select the Pack Registries tab.
- Select the three-dot menu for the OCI Pack Registry and click Sync.
Internal Zot Registry: Palette CLI Method

- Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
- Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.
- On the Use case step, select the Add-on only option.
- On the Configure bundle step, enter `Palette Third Party` in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category. Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.
- On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, click the Copy all URLs button to copy the download URLs to your clipboard. Wait until the packs have been downloaded to your local machine. The packs are downloaded in `.zst` format alongside a signature file in `sig.bin` format.

  Tip: Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file. Verify the signatures before uploading, since the registry serves whatever you push to it.

- Open a terminal on your local machine and navigate to the directory where the Third Party ZST files are located.
- Use the Palette CLI to log in to the internal Zot registry. Replace `<management-vip>` with the VIP address of the Palette management cluster, `<username>` with your username, and `<password>` with your password. If you have changed the default port for the Zot registry, replace `30003` with the correct port number.

  ```shell
  palette content registry-login \
    --registry https://<management-vip>:30003 \
    --username <username> \
    --password <password>
  ```

- Upload the packs to the internal Zot registry using the Palette CLI. Replace `<third-party-zst>` and `<third-party-conformance-zst>` with your downloaded Third Party pack ZST files and `<management-vip>` with the VIP address of the Palette management cluster. If you have changed the default port or the base content path for the Zot registry, replace `30003` with the correct port number and `spectro-content` with the correct content path. Depending on whether the registry uses a regular TLS certificate, a custom TLS certificate, or you choose to skip TLS verification, use the flags shown in the following examples. The `--insecure` flag disables certificate verification for the registry connection; prefer supplying the registry CA with `--ca-cert`.

  Regular TLS Certificate

  Upload Third Party Pack with Regular TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-zst>
  ```

  Upload Third Party Conformance Pack with Regular TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-conformance-zst>
  ```

  Custom TLS Certificate

  Upload Third Party Pack with Custom TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Upload Third Party Conformance Pack with Custom TLS Certificate

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-conformance-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  Upload Third Party Pack skipping TLS

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-zst> \
    --insecure
  ```

  Upload Third Party Conformance Pack skipping TLS

  ```shell
  palette content push \
    --registry <management-vip>:30003/spectro-content \
    --file <third-party-conformance-zst> \
    --insecure
  ```

  The following example output is expected when an upload is successful.

  ```text
  ...
  INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/palette-thirdparty-bundle-4.7.3 to remote bundle 10.11.12.13:30003/spectro-content/bundle-definition:bundle
  -----------------------------
  Push Summary
  -----------------------------
  local bundle bundle pushed to 10.11.12.13:30003/spectro-content
  ```

- Log in to the Palette system console.
- From the left main menu, select Administration, and then select the Pack Registries tab.
- Select the three-dot menu for the OCI Pack Registry and click Sync.
External Registry: Palette CLI Method

- Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.
- Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.
- On the Use case step, select the Add-on only option.
- On the Configure bundle step, enter `Palette Third Party` in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category. Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.
- On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, click the Copy all URLs button to copy the download URLs to your clipboard. Wait until the packs have been downloaded to your local machine. The packs are downloaded in `.zst` format alongside a signature file in `sig.bin` format.

  Tip: Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file. Verify the signatures before uploading, since the registry serves whatever you push to it.

- Open a terminal on your local machine and navigate to the directory where the Third Party ZST files are located.
- Use the Palette CLI to log in to your external registry. Replace `<registry-dns-or-ip>` with the DNS name or IP address of your registry, `<registry-port>` with the port number of your registry (if applicable), `<username>` with your username, and `<password>` with your password.

  ```shell
  palette content registry-login \
    --registry https://<registry-dns-or-ip>:<registry-port> \
    --username <username> \
    --password <password>
  ```

- Upload the packs to your external registry using the Palette CLI. Replace `<registry-dns-or-ip>` with the DNS name or IP address of your registry and `<registry-port>` with the port number of your registry (if applicable). If you have changed the base content path from the default, replace `spectro-content` with the correct content path. Depending on whether the registry uses a regular TLS certificate, a custom TLS certificate, or you choose to skip TLS verification, use the flags shown in the following examples. The `--insecure` flag disables certificate verification for the registry connection; prefer supplying the registry CA with `--ca-cert`.

  Regular TLS Certificate

  Upload Third Party Pack with Regular TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-zst>
  ```

  Upload Third Party Conformance Pack with Regular TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-conformance-zst>
  ```

  Custom TLS Certificate

  Upload Third Party Pack with Custom TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Upload Third Party Conformance Pack with Custom TLS Certificate

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-conformance-zst> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  Upload Third Party Pack skipping TLS

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-zst> \
    --insecure
  ```

  Upload Third Party Conformance Pack skipping TLS

  ```shell
  palette content push \
    --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
    --file <third-party-conformance-zst> \
    --insecure
  ```

  The following example output is expected when an upload is successful.

  ```text
  ...
  INFO[0287] successfully copied all artifacts from local bundle /root/tmp/bundle-extract/palette-thirdparty-bundle-4.7.0 to remote bundle external.registry.com/spectro-content/bundle-definition:palette-thirdparty-bundle-4.7.0
  -----------------------------
  Push Summary
  -----------------------------
  local bundle palette-thirdparty-bundle-4.7.0 pushed to external.registry.com/spectro-content
  ```

  Tip: Be aware of the timeout period for the authentication token. If the token expires, you must re-authenticate to the OCI registry and restart the upload.

- Log in to the Palette system console.
- From the left main menu, select Administration, and then select the Pack Registries tab.
- Select the three-dot menu for your external registry and click Sync.
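The upload steps above, both for the Palette Enterprise pack bundles and for the Third Party packs, run `palette content push` once per `.zst` file with one of three TLS modes. The following shell script is an added example and is not code from the Palette documentation or from the Palette CLI project. It wraps the flags shown on this page (`--registry`, `--file`, `--ca-cert`, `--tls-cert`, `--tls-key`, `--insecure`) in a function that builds one push command per bundle and refuses `--insecure` unless you opt in through the script's own `ALLOW_INSECURE=1` variable, plus a loop that pushes every bundle in a directory and stops at the first failure. It assumes `palette` is on your `PATH`, that `palette content registry-login` has already succeeded, and that file paths contain no whitespace; `DRY_RUN=1` is likewise a variable of this script, not of the CLI, and prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the Palette docs or the Palette CLI project.
# Wraps `palette content push` so that every .zst bundle in a directory is
# uploaded with one deliberately chosen TLS mode. Assumptions: `palette` is
# on PATH, `palette content registry-login` has already succeeded, file paths
# contain no whitespace, and the flag names are the ones shown on this page.
# ALLOW_INSECURE and DRY_RUN are variables of this script, not of the CLI.

# build_push_cmd REGISTRY_PATH BUNDLE TLS_MODE [CA_CERT TLS_CERT TLS_KEY]
#   TLS_MODE is one of: regular | custom | insecure
#   Prints the command line on stdout; returns non-zero on an invalid request.
build_push_cmd() {
    registry=$1; bundle=$2; mode=$3; ca=$4; cert=$5; key=$6

    case $bundle in
        *.zst) ;;
        *) echo "refusing $bundle: pack bundles are .zst files" >&2; return 2 ;;
    esac
    [ -f "$bundle" ] || { echo "refusing $bundle: file not found" >&2; return 2; }

    cmd="palette content push --registry $registry --file $bundle"
    case $mode in
        regular)
            # Publicly trusted certificate: no extra flags needed.
            ;;
        custom)
            # Private CA (plus client cert/key for mTLS): verification stays on.
            [ -f "$ca" ] && [ -f "$cert" ] && [ -f "$key" ] || {
                echo "custom TLS mode needs readable CA cert, client cert and key" >&2
                return 2
            }
            cmd="$cmd --ca-cert $ca --tls-cert $cert --tls-key $key"
            ;;
        insecure)
            # --insecure turns off certificate verification, so an on-path
            # attacker could read or replace the bundle. Require an explicit opt-in.
            [ "${ALLOW_INSECURE:-0}" = 1 ] || {
                echo "refusing --insecure: set ALLOW_INSECURE=1 to skip TLS verification" >&2
                return 3
            }
            cmd="$cmd --insecure"
            ;;
        *)
            echo "unknown TLS mode: $mode (use regular, custom or insecure)" >&2
            return 2
            ;;
    esac
    printf '%s\n' "$cmd"
}

# push_all DIR REGISTRY_PATH TLS_MODE [CA_CERT TLS_CERT TLS_KEY]
#   Pushes each *.zst in DIR in name order and stops at the first failure,
#   so a partial upload is noticed before you Sync the registry.
#   With DRY_RUN=1 the commands are printed instead of executed.
push_all() {
    dir=$1; shift
    registry=$1; shift
    count=0
    for f in "$dir"/*.zst; do
        [ -e "$f" ] || { echo "no .zst bundles found in $dir" >&2; return 1; }
        cmd=$(build_push_cmd "$registry" "$f" "$@") || return $?
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'DRY RUN: %s\n' "$cmd"
        else
            # shellcheck disable=SC2086
            $cmd || {
                echo "push failed for $f; if the auth token expired, log in again and rerun" >&2
                return 1
            }
        fi
        count=$((count + 1))
    done
    echo "$count bundle(s) processed" >&2
}
```

Run it from the directory holding the downloaded bundles, for example `push_all . <management-vip>:30003/spectro-content custom ca.pem client.pem client.key`, and then Sync the registry in the system console as described above. The script stops on the first failed push on purpose: syncing a registry that holds only some of the bundles produces cluster profiles that reference packs which are not there.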
Validate
Use the validation steps for the registry you loaded.

Internal Zot Registry

- Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at `https://<node-ip>:5080`. Replace `<node-ip>` with the IP address of the leader host.
- From the left main menu, click Content.
- Enter the filename of each Third Party pack in the Filter by name search bar. The packs should appear in the table.
External Registry

- Check that the packs have been successfully uploaded to your external registry using the Palette CLI. Replace `<registry-dns-or-ip>` with the DNS name or IP address of your registry, `<registry-port>` with the port number of your registry (if applicable), and `<image-repository>` with the name of the image repository. If you have changed the base content path from the default, replace `spectro-content` with the correct content path. If the registry uses a regular TLS certificate, no TLS flags are needed, as in the example command below; if you are using custom TLS certificates or choosing to skip TLS verification, use the flags shown in the following examples.

  Custom TLS Certificate

  ```shell
  palette content list \
    --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
    --ca-cert <path-to-ca-cert> \
    --tls-cert <path-to-tls-cert> \
    --tls-key <path-to-tls-key>
  ```

  Skip TLS

  ```shell
  palette content list \
    --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
    --insecure
  ```

- Check that the Third Party images you uploaded are listed in the output as repositories with version tags.

  Example command

  ```shell
  palette content list \
    --repo external.registry.com/spectro-content/sonobuoy/sonobuoy
  ```

  Example output

  ```text
  Listing bundles
  external.registry.com/spectro-content/sonobuoy/sonobuoy:v0.57.1
  external.registry.com/spectro-content/sonobuoy/sonobuoy:v0.57.2
  ```
Next Steps
The following actions are recommended after installing Palette to ensure your environment is ready for use:
- Assign your SSL certificates to Palette. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate, upload the certificate, key, and certificate authority files to Palette. You can upload the files using the system console. Refer to the Configure HTTPS Encryption page for instructions on how to upload the SSL certificate files to Palette.
- Create a tenant in Palette to host your users. Refer to the Create a Tenant guide for instructions on how to create a tenant in Palette.
- Activate your Palette installation before the trial mode expires. Refer to the Activate Installation guide for instructions on how to activate your installation.
- Create additional system administrator accounts and assign roles to users in the system console. Refer to the Account Management guide for instructions on how to manage user accounts and roles in Palette.
- Configure SMTP settings to enable email notifications and password recovery. Refer to the Configure SMTP Settings guide for instructions on how to configure SMTP settings in Palette.
For all system management options in Palette, refer to the System Management guide.