Palette Management Appliance

tech preview

This is a Tech Preview feature and is subject to change. Upgrades from a Tech Preview deployment may not be available. Do not use this feature in production workloads.

The Palette Management Appliance is downloadable as an ISO file and is a solution for installing self-hosted Palette on your infrastructure. The ISO file contains all the necessary components needed for Palette to function. The ISO file is used to boot the nodes, which are then clustered to form a Palette management cluster.

Once Palette has been installed, you can download pack bundles and upload them to the internal Zot registry or an external registry. These pack bundles are used to create your cluster profiles. You will then be able to deploy clusters in your environment.

Third Party Packs

There is an additional option to download and install the Third Party packs that provide complementary functionality to Palette. These packs are not required for Palette to function, but they do provide additional features and capabilities as described in the following table.

Feature	Included with Palette Third Party Pack	Included with Palette Third Party Conformance Pack
Backup and Restore	✅	❌
Configuration Security	✅	❌
Penetration Testing	✅	❌
Software Bill Of Materials (SBOM) scanning	✅	❌
Conformance Testing	❌	✅

Architecture

The ISO file is built with the Operating System (OS), Kubernetes distribution, Container Network Interface (CNI), and Container Storage Interface (CSI). A Zot registry is also included in the Appliance Framework ISO. Zot is a lightweight, OCI-compliant container image registry that is used to store the Palette packs needed to create cluster profiles.

The following table displays the infrastructure profile for the self-hosted Palette appliance.

Layer	Component	Version
OS	Ubuntu: Immutable Kairos	22.04
Kubernetes	Palette eXtended Kubernetes Edge (PXK-E)	1.32.3
CNI	Calico	3.29.2
CSI	Piraeus	2.8.1
Registry	Zot	0.1.67

Supported Platforms

The Palette Management Appliance can be used on the following infrastructure platforms:

• VMware vSphere
• Bare Metal
• Machine as a Service (MAAS)

Limitations

• Only public image registries are supported if you are choosing to use an external registry for your pack bundles.

Installation Steps

Follow the instructions to install Palette using the Palette Management Appliance on your infrastructure platform.

Prerequisites

• ISO management software installed on your local machine, such as mkisofs or genisoimage.

• Access to the Artifact Studio to download the Palette Enterprise ISO.

• Palette can be installed on a single node or on three nodes. For production environments, we recommend that three nodes be provisioned in advance for the Palette installation. We recommended the following resources for each node. Refer to the Palette Size Guidelines for additional sizing information.

  • 8 CPUs per node.

  • 16 GB memory per node.

  • Two disks per node.

    • The first disk must be at least 250 GB and is used for the Palette ISO stack. You specify the device in the stylus_config.yaml file during the initial Install Palette steps.

      If the device is not specified, the default value is auto. This means the installer selects the largest available drive, which may not be the desired behavior, especially in multi-drive environments.

    • The second disk must be at least 500 GB and is used for the storage pool. The default device selected is /dev/sdb. You can change the default device during the cluster creation steps in Local UI.

      danger

      The second disk is wiped as part of the installation process. If using an existing disk, ensure that you back up any important data before proceeding.

  • At least one removable media connection must be available to attach the Palette Enterprise ISO. This can be a physical or virtual connection depending on your infrastructure provider.

• The following network ports must be accessible on each node for Palette to operate successfully.

  • TCP/443: Must be open between all Palette nodes and accessible for user connections to the Palette management cluster.

  • TCP/6443: Outbound traffic from the Palette management cluster to the deployed cluster's Kubernetes API server.

• SSH access must be available to the nodes used for Palette installation.

• Relevant permissions to install Palette on the nodes including permission to attach or mount an ISO and set nodes to boot from it.

  warning

  The ISO is only supported on Unified Extensible Firmware Interface (UEFI) systems. Ensure you configure the nodes to boot from the ISO in UEFI mode.

• Palette Management Appliance supports Secure Boot for Dell servers with UEFI and Hewlett Packard Enterprise iLO5. Learn how to configure and install Secure Boot for Palette Management Appliance below.

  How to install Secure Boot on Hewlett Packard Enterprise iLO 5

  Before you begin, ensure that you have iLO 5 access with privileges to launch the remote console and change BIOS settings. You also need the MOK.der certificate file on your local computer. Skip to step 4 if you have already downloaded the certificate file.

  1. Navigate to Artifact Studio.
  2. Select the version corresponding to your Palette installer. Then, select Show Artifacts. The artifact list appears.
  3. Download the MOK Key for Secure Boot file.
  4. Power on or reboot the server. When prompted during Power-On Self-Test (POST), press F9 to enter System Utilities.
  5. Select System Configuration and press ENTER.
  6. Select BIOS/Platform Configuration (RBSU) > Server Security > Secure Boot Settings > Advanced Secure Boot Options.
  7. Select DB – Allowed Signatures Database > Enroll Signature. If Secure Boot is currently enabled, the Enroll Signature option will be unavailable. Temporarily disable Secure Boot and repeat the process.
  8. Drag the MOK.der file from your desktop onto the iLO Remote Console window. iLO mounts it as a virtual USB device automatically.
  9. Confirm any prompts.
  10. Verify that the new entry appears under DB – Allowed Signatures Database > View Signatures.
  11. Press ESC to exit the menus until the Save and Exit option is available.
  12. Save your changes. Exit the menu and reboot the server.
  How to install Secure Boot on Dell servers with UEFI

  Before you begin, you need the MOK.der certificate file on your local computer. Skip to step 4 if you have already downloaded the certificate file.

  1. Navigate to Artifact Studio.

  2. Select the version corresponding to your Palette installer. Then, select Show Artifacts. The artifact list appears.

  3. Download the MOK Key for Secure Boot file.

  4. Power on the server. Execute the following command to create a virtual CD/DVD drive containing an ISO file with the MOK.der certificate. Alternatively, you can save the file to a FAT32-formatted USB drive.

     mkisofs -output key.iso -volid cidata -joliet -rock MOK.der

  5. Reboot the server. When the Dell logo appears, press F2. The System Setup menu opens.

  6. Select System BIOS > Boot Settings.

  7. Ensure that the Boot Mode is set to UEFI.

  8. Press ESC to return to Boot Settings.

  9. Select System Security > Secure Boot Settings.

  10. Toggle Secure Boot to Enabled and Secure Boot Policy to Custom.

  11. Select Secure Boot Custom Policy Settings > Authorized Signature Database (db).

  12. Select Import New Entry. Then, select the virtual CD/DVD drive or USB drive containing the MOK.der file.

  13. Save your changes. Press ESC to return to Authorized Signature Database (db).

  14. Select View Entries. The MOK.der file shows in the database as DRBD Module Signing.

  15. Save your changes. Exit the menu and reboot the server.

• You can choose to use either an internal Zot registry that comes with Palette or an external registry of your choice. If using an external registry, you will need to provide the following information during the Palette installation process.

  • The DNS/IP endpoint and port for the external registry.
    • Ensure the nodes used to host the Palette management cluster have network access to the external registry server.
  • The username for the registry.
  • The password for the registry.
  • (Optional) The Certificate Authority (CA) certificate that was used to sign the external registry certificate in Base64 format.
  
  
  How to get Base64 encoded entries for a certificate

  You can get the Base64 encoded entry from your certificate by using the following command. Replace <certificate-file> with the filename of your certificate file.

  base64 --wrap 0 <certificate-file>

• If you have an Ubuntu Pro subscription, you can provide the Ubuntu Pro token during the Palette installation process. This is optional but recommended for security and compliance purposes.

• A virtual IP address (VIP) must be available for the Palette management cluster. This is assigned during the Palette installation process and is used for load balancing and high availability. The VIP must be accessible to all nodes in the Palette management cluster.

  How to discover free IPs in your environment

  You can discover free IPs in your environment by using a tool like arping or nmap. For example, you can issue the following command to probe a CIDR block for free IP addresses.

  nmap --unprivileged -sT -Pn 10.10.200.0/24

  This command will scan the CIDR block and output any hosts it finds.

  Example nmap output

  Nmap scan report for test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2)
  Host is up.
  All 1000 scanned ports on test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2) are in ignored states.
  Not shown: 1000 filtered tcp ports (no-response)

  For any free IP addresses, you can use arping to double-check if the IP is available.

  Example arping command

  arping -D -c 4 10.10.200.101

  Example arping output

  ARPING 10.10.200.101 from 0.0.0.0 ens103
  Sent 4 probes (4 broadcast(s))
  Received 0 response(s)

  If you receive no responses like the example output above, the IP address is likely free.

Install Palette

1. Download the Palette Enterprise ISO from the Artifact Studio. Refer to the Artifact Studio guide for instructions on how to access and download the ISO.

2. Load the Palette Enterprise ISO to a bootable device, such as a USB stick, or upload the ISO to a datastore in your VMware environment. You can use several software tools to create a bootable USB drive, such as balenaEtcher.

   • For VMware vSphere, you can upload the Palette Enterprise ISO to a datastore using the vSphere Client or the govc CLI tool. Refer to the vSphere or govc documentation for more information.
   • For Bare Metal, you can use tools like scp or rsync to transfer the Palette Enterprise ISO to the nodes, or use a USB drive to boot the nodes from the ISO.
   • For Machine as a Service (MAAS), you can upload and deploy ISOs using Packer. Refer to the MAAS documentation for more information.

   Ensure that the Palette Enterprise ISO is accessible to all nodes that will be part of the Palette management cluster.

3. Attach the Palette Enterprise ISO to the nodes and ensure the boot order is set to boot from the Palette Enterprise ISO first.

   For example, in VMware vSphere, the VMs will have the Palette Enterprise ISO in CD/DVD drive 1. Refer to the documentation of your infrastructure provider for specific instructions on how to attach and boot from an ISO.

4. Restart the nodes to start the installation process.

5. Once the nodes have rebooted and entered the GRand Unified Bootloader (GRUB) menu, select the Palette eXtended Kubernetes Edge Install (manual) option and press ENTER.

   caution

   Ensure that you select the option within the first five seconds of the GRUB menu appearing, as it will automatically proceed with the default installation option after this time.

6. Once the nodes have finished booting, in the terminal, issue the following command to list the block devices.

   lsblk --paths

   Use the output to identify the device name to use for the Palette ISO stack. For example, /dev/sda.

   Example output

   NAME       MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
   /dev/loop0   7:0    0     1G  1 loop /run/rootfsbase
   /dev/sda     8:0    0   250G  0 disk
   /dev/sdb     8:16   0  5000G  0 disk
   /dev/sr0    11:0    1  17.3G  0 rom  /run/initramfs/live

7. If there are any partitions on the device you plan to use for the installation, you must delete them before proceeding. For example, if the device is /dev/sda, issue the following command to delete all partitions on the device.

   wipefs --all /dev/sda
   danger

   Deleting partitions will erase all data on the device. Ensure that you back up any important data before proceeding.

8. Issue the following command to edit the installation manifest.

   vi /oem/stylus_config.yaml

9. Add the following install.device section to your manifest, replacing <storage-drive> with the device name identified in step 6.

   #cloud-config
   
   cosign: false
   verify: false
   install:
     device: <storage-drive>
     grub-entry-name: "Palette eXtended Kubernetes Edge"
     system:
       size: 8192
   ...

10. Save the changes and exit the editor.

11. Issue the following command to start the installation process.

    kairos-agent install

12. Wait for the installation process to complete. This will take at least 15 minutes, depending on the resources available on the nodes. After completion, the nodes will reboot and display the Palette TUI.

13. In the Palette TUI, provide credentials for the initial account. This account will be used to log in to Local UI and for SSH access to the node.

    Field	Description
    Username	Provide a username to use for the account.
    Password	Enter a password for the account.
    Confirm Password	Re-enter the password for confirmation.

    Press ENTER to continue.

14. In the Palette TUI, the available configuration options are displayed and are described in the next three steps. Use the TAB key or the up and down arrow keys to switch between fields. When you make a change, press ENTER to apply the change. Use ESC to go back.

15. In Hostname, check the existing hostname and, optionally, change it to a new one.

16. In Host Network Adapters, select a network adapter you would like to configure. By default, the network adapters request an IP automatically from the Dynamic Host Configuration Protocol (DHCP) server. The CIDR block of an adapter's possible IP address is displayed in the Host Network Adapters screen without selecting an individual adapter.

    In the configuration page for each adapter, you can change the IP addressing scheme of the adapter and choose a static IP instead of DHCP. In Static IP mode, you will need to provide a static IP address and subnet mask, as well as the address of the default gateway. Specifying a static IP will remove the existing DHCP settings.

    You can also specify the Maximum Transmission Unit (MTU) for your network adapter. The MTU defines the largest size, in bytes, of a packet that can be sent over a network interface without needing to be fragmented.

17. In DNS Configuration, specify the IP address of the primary and alternate name servers. You can optionally specify a search domain.

18. After you are satisfied with the configurations, navigate to Quit and press ENTER to finish the configuration. Press ENTER again on the confirmation prompt.

    After a few seconds, the terminal displays the Device Info and prompts you to provision the device through Local UI.

    tip

    If you need to access the Palette TUI again, issue the palette-tui command in the terminal.

19. Ensure you complete the configuration on each node before proceeding to the next step.

20. Decide on the host that you plan to use as the leader of the group. Refer to Link Hosts for more information about leader hosts.

21. Access the Local UI of the leader host. Local UI is used to manage the Palette nodes and perform administrative tasks. It provides a web-based interface for managing the Palette management cluster.

    In your web browser, go to https://<node-ip>:5080. Replace <node-ip> with the IP address of your node. If you have changed the default port of the console, replace 5080 with the Local UI port. The address of the Local UI console is also displayed on the terminal screen of the node.

    If you are accessing Local UI for the first time, a security warning may be displayed in your web browser. This is because Local UI uses a self-signed certificate. You can safely ignore this warning and proceed to Local UI.

22. Log in to Local UI using the credentials you provided in step 10.

23. (Optional) If you need to configure a HTTP proxy server for the node, follow the steps in the Configure HTTP-Proxy in Local UI guide. When done, proceed to the next step.

24. From the left main menu, click Linked Edge Hosts.

25. Click Generate token. The host begins generating tokens that you will use to link this host with other hosts. The Base64 encoded token contains the IP address of the host, as well as an OTP that will expire in two minutes. Once a token expires, the leader generates another token automatically.

26. Click the Copy button to copy the token.

27. Log in to Local UI on the host that you want to link to the leader host.

28. From the left main menu, click Linked Edge Hosts.

29. Click Link this device to another.

30. In the pop-up box that appears, enter the token you copied from the leader host.

31. Click Confirm.

32. Repeat steps 27-31 for every host you want to link to the leader host.

33. Confirm that all linked hosts appear in the Linked Edge Hosts table. The following columns should show the required statuses.

    Column	Status
    Status	Ready
    Content	Synced
    Health	Healthy

    Content synchronization will take at least five minutes to complete, depending on your network resources.

34. On the left main menu, click Cluster.

35. Click Create cluster.

36. For Basic Information, provide a name for the cluster and optional tags in key:value format.

37. In Cluster Profile, the Imported Applications preview section displays the applications that are included with the Palette Management Appliance. These applications are pre-configured and used to deploy your Palette management cluster.

    Leave the default options in place and click Next.

38. In Profile Config, configure the cluster profile settings to your requirements. Review the following tables for the available options.

    Cluster Profile Options

    Option	Description	Type	Default
    Pod CIDR	The CIDR range for the pod network. This is used to allocate IP addresses to pods in the cluster.	CIDR notation	100.64.0.0/18
    Service CIDR	The CIDR range for the service network. This is used to allocate IP addresses to services in the cluster.	CIDR notation	100.64.64.0/18
    Ubuntu Pro Token (Optional)	The token for your Ubuntu Pro subscription.	String	No default
    Storage Pool Drive (Optional)	The storage pool device to use for the cluster. As mentioned in the Prerequisites, assign this to your second storage device.	String	/dev/sdb
    CSI Placement Count	The number of replicas for the Container Storage Interface (CSI) Persistent Volumes (PVs). The accepted values are 1 or 3. We recommend using 3 to provide high availability for the CSI volumes. This value must match the MongoDB Replicas value.	Integer	3

    Registry Options

    Option	Description	Type	Default
    In Cluster Registry (Optional)	- True - Use internal Zot registry - False - Use external registry.	Boolean	True
    Registry Endpoint	The DNS/IP endpoint for the registry. Leave the default entry if using the internal Zot registry, which is a virtual IP address assigned by kube-vip. Adjust if using an external registry.	String	{{.spectro.system.cluster.kubevip}}
    Registry Port	The port for the registry. The default value can be changed for the internal Zot registry. Adjust if using an external registry.	Integer	30003
    OCI Registry Base Content Path (Optional)	The base path for the registry content for the internal or external registry. Palette packs will be stored in this directory.	String	spectro-content
    OCI Pack Registry Username	If using the internal Zot registry, leave the default username or adjust to your requirements. If using an external registry, provide the appropriate username.	String	admin
    OCI Pack Registry Password	If using the internal Zot registry, enter a password to your requirements. If using an external registry, provide the appropriate password.	String	No default - must be provided.
    OCI Registry Storage Size (GiB) (Optional)	The size of the storage for the OCI registry. This is used to store the images and packs in the registry. The default value is set to 100 GiB, but this should be increased to at least 250 GiB for production environments.	Integer	100
    OCI Pack Registry Ca Cert (Optional)	- Internal Zot registry - Not required. - External registry - The CA certificate that was used to sign the external registry certificate.	Base64 encoded string	No default
    Image Replacement Rules (Optional)	Set rules for replacing image references when using an external registry. For example, all: oci-registry-ip:oci-registry-port/spectro-content. Leave empty if using the internal Zot registry.	String	No default
    Root Domain (Optional)	The root domain for the registry. The default is set for the internal Zot registry, which is a virtual IP address assigned by kube-vip. If using an external registry, adjust this to the appropriate domain.	String	{{.spectro.system.cluster.kubevip}}
    Mongo Replicas	The number of MongoDB replicas to create for the cluster. The accepted values are 1 or 3. We recommend using 3 to provide high availability for the MongoDB database. This value must match the CSI Placement Count value.	Integer	3

39. Click Next when you are done.

40. In Cluster Config, configure the following options.

    Cluster Config Options

    Option	Description	Type	Default
    Network Time Protocol (NTP) (Optional)	The NTP servers to synchronize time within the cluster.	String	No default
    SSH Keys (Optional)	The public SSH keys to access the cluster nodes. Add additional keys by clicking Add Item.	String	No default
    Virtual IP Address (VIP)	The virtual IP address for the cluster. This is used for load balancing and high availability.	String	No default

    Click Next when you are done.

41. In Node Config, configure the following options.

    important

    You must assign at least three control plane nodes for high availability. You can remove the worker node pool as it is not required for the Palette management cluster. When doing this, ensure that the Allow worker capability option is enabled for the control plane node pool.

    Node Pool Options

    Control Plane Pool Options

    Option	Description	Type	Default
    Node pool name	The name of the control plane node pool. This will be used to identify the node pool in Palette.	String	control-plane-pool
    Allow worker capability (Optional)	Whether to allow workloads to be scheduled on this control plane node pool. Ensure that this is enabled if no worker pool is assigned to the cluster.	Boolean	True
    Additional Kubernetes Node Labels (Optional)	Tags for the node pool in key:value format. These tags can be used to filter and search for node pools in Palette.	String	No default
    Taints	Taints for the node pool in key=value:effect format. Taints are used to prevent pods from being scheduled on the nodes in this pool unless they tolerate the taint.	- Key = string - Value = string - Effect = string (enum)	No default

    Worker Pool Options

    Option	Description	Type	Default
    Node pool name	The name of the worker node pool. This will be used to identify the node pool in Palette.	String	worker-pool
    Additional Kubernetes Node Labels (Optional)	Tags for the node pool in key:value format. These tags can be used to filter and search for node pools in Palette.	String	No default
    Taints	Taints for the node pool in key=value:effect format. Taints are used to prevent pods from being scheduled on the nodes in this pool unless they tolerate the taint.	- Key = string - Value = string - Effect = string (enum)	No default

    Pool Configuration

    The following options are available for both the control plane and worker node pools. You can configure these options to your requirements. You can also remove worker pools if not needed.

    Option	Description	Type	Default
    Architecture	The CPU architecture of the nodes. This is used to ensure compatibility with the applications operating on the nodes.	String (enum)	amd64
    Add Edge Hosts	Click Add Item and select the other hosts that you installed using the Palette Management Appliance ISO. These hosts will be added to the node pool. Each pool must contain at least one node.	N/A	- Control Plane Pool = Current host selected - Worker Pool = No host selected
    NIC Name	The name of the network interface card (NIC) to use for the nodes. Leave on Auto to let the system choose the appropriate NIC, or select one manually from the drop-down menu.	N/A	Auto
    Host Name (Optional)	The hostname for the nodes. This is used to identify the nodes in the cluster. A generated hostname is provided automatically, which you can adjust to your requirements.	String	edge-*

42. Click Next when you are done.

43. In Review, check that your configuration is correct. If you need to make changes, click on any of the sections in the left sidebar to go back and edit the configuration.

    When you are satisfied with your configuration, click Deploy Cluster. This will start the cluster creation process.

    The cluster creation process will take 20 to 30 minutes to complete. You can monitor progress from the Overview tab on the Cluster page in the left main menu. The cluster is fully provisioned when the status changes to Running and the health status is Healthy.

44. Once the cluster is provisioned, access the Palette system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to https://<vip-address>/system. Replace <vip-address> with the VIP you configured for the cluster.

    The first time you visit the system console, a warning message about an untrusted TLS certificate may appear. This is expected, as you have not yet uploaded your TLS certificate. You can ignore this warning message and proceed.

45. You will be prompted to log in to Palette system console. Use admin as the username and admin as the password. You will be prompted to change the password after logging in.

46. In the Account Info window, provide the following information.

    Field	Description
    Email address	This is used for notifications and password recovery as well as logging in to the Palette system console. This will not be active until you configure SMTP settings in Palette system console and verify your email address.
    Current password	Use admin as the current password.
    New password	Enter a new password for the account.
    Confirm new password	Re-enter the new password for confirmation.

    Refer to Password Requirements and Security to learn about password requirements.

After logging in, a summary page is displayed. You now have access to the Palette system console, where you can manage your Palette environment.

If you are accessing the Palette system console for the first time, a security warning may be displayed in your web browser. This is because Palette is configured with a self-signed certificate. You can replace the self-signed certificate with your own SSL certificates as guided later in Next Steps.

warning

If your installation is not successful, verify that the piraeus-operator pack was correctly installed. For more information, refer to the Self-Hosted Installation - Troubleshooting guide.

Validate

1. Log in to the Local UI of the leader host using the URL https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host. If you have changed the default port of the console, replace 5080 with the Local UI port.

2. In Local UI, click on Cluster in the left main menu.

3. Check that the cluster status is Running and the health status is Healthy. In the Applications section on this page, the listed applications should be in the Running state.

4. On the Cluster page, under Environment, click on the Admin Kubeconfig File to download it to your local machine.

5. On your local machine, open a terminal session and export the KUBECONFIG environment variable to point to the downloaded kubeconfig file.

   export KUBECONFIG=/path/to/your/downloaded/kubeconfig

6. Issue the following command to verify the Palette installation.

   kubectl get pods --all-namespaces --output custom-columns="NAMESPACE:metadata.namespace,NAME:metadata.name,STATUS:status.phase" \
   | grep --extended-regexp '^(cp-system|hubble-system|ingress-nginx|jet-system|ui-system)\s'

   Your output should look similar to the following.

   cp-system        spectro-cp-ui-5cb6d454f8-bndxb          Running
   hubble-system    auth-5586c867ff-mk6wn                   Running
   hubble-system    auth-5586c867ff-xm9mx                   Running
   hubble-system    cloud-7bfd6c7f55-bmpkm                  Running
   hubble-system    cloud-7bfd6c7f55-tmmjj                  Running
   hubble-system    configserver-697cf95f9f-z2tr6           Running
   hubble-system    event-8566675f7d-l7n8n                  Running
   hubble-system    event-8566675f7d-v8cmz                  Running
   hubble-system    event-8566675f7d-vtp8m                  Running
   hubble-system    foreq-59f8c6c584-47npj                  Running
   hubble-system    hashboard-5fcc8f448c-df5rj              Running
   hubble-system    hashboard-5fcc8f448c-xs6mr              Running
   hubble-system    hutil-5b49d6f5bc-5gcqc                  Running
   hubble-system    hutil-5b49d6f5bc-plg9j                  Running
   hubble-system    memstore-75b7d8bb5b-qtn7w               Running
   hubble-system    mgmt-5874d55cf6-2gh52                   Running
   hubble-system    mongo-0                                 Running
   hubble-system    mongo-1                                 Running
   hubble-system    mongo-2                                 Running
   hubble-system    msgbroker-0                             Running
   hubble-system    msgbroker-1                             Running
   hubble-system    oci-proxy-6bc464cf58-wwksw              Running
   hubble-system    reloader-reloader-59c87c446c-9cvk5      Running
   hubble-system    specman-0                               Running
   hubble-system    spectro-tunnel-647cf485b-xn87n          Running
   hubble-system    spectrocluster-85bf89dcdb-llsjj         Running
   hubble-system    spectrocluster-85bf89dcdb-m2c8w         Running
   hubble-system    spectrocluster-85bf89dcdb-tp9lk         Running
   hubble-system    spectrocluster-jobs-557bd5b798-fkzbm    Running
   hubble-system    spectrossh-74db5544bf-5t24s             Running
   hubble-system    system-6496bc487-cfchd                  Running
   hubble-system    system-6496bc487-mlxjk                  Running
   hubble-system    timeseries-7c4d6647b5-ckrnt             Running
   hubble-system    timeseries-7c4d6647b5-jb9tp             Running
   hubble-system    timeseries-7c4d6647b5-nl86q             Running
   hubble-system    user-57f7759745-8fjx8                   Running
   hubble-system    user-57f7759745-hxz4n                   Running
   ingress-nginx    ingress-nginx-controller-m5z54          Running
   ingress-nginx    ingress-nginx-controller-qsf6m          Running
   ingress-nginx    ingress-nginx-controller-w64pz          Running
   jet-system       jet-856db6655-k87k8                     Running
   ui-system        spectro-ui-bcff7f675-lds2l              Running

7. Log in to the Palette system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to https://<vip-address>/system. Replace <vip-address> with the VIP you configured for the cluster.

8. On the login page, use admin as the username and the new password you set during the initial login.

9. On the Summary page, check that the On-prem system console is healthy message is displayed.

Upload Packs to Palette

Follow the instructions to upload packs to your Palette instance. Packs are used to create cluster profiles and deploy workload clusters in your environment.

Prerequisites

• Access to the Artifact Studio to download the Palette Enterprise pack bundles.

• If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette management cluster. Also, verify that your local machine can access the Local UI, as airgapped environments may have strict network policies preventing direct access.

  • (Optional) The Palette CLI installed on your local machine if you prefer to use the command line for uploading packs. Refer to the Palette CLI guide for installation instructions.

• If using an external registry, the Palette CLI must be installed on your local machine to upload the content to the external registry. Refer to the Palette CLI guide for installation instructions.

  • Ensure your local machine has network access to the external registry server and you have the necessary permissions to push images to the registry.

Upload Packs

Internal Zot Registry

Local UI Method

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio.

   Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.

3. Download the pack bundles to your local machine. Each pack is downloaded in .zst format.

4. Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

5. From the left main menu, click Content.

6. Click Actions in the top right and select Upload Content from the drop-down menu.

7. Click the upload icon to open the file selection dialog and select the downloaded pack ZST files from your local machine. You can select multiple files at once. Alternatively, you can drag and drop the files into the upload area.

   The upload process starts automatically once the files are selected. You can monitor the upload progress in the Upload Content dialog.

   Wait for the File(s) uploaded successfully confirmation message or the green check mark to appear next to the upload progress bar.

8. Log in to the Palette system console.

9. From the left main menu, select Administration, and then select the Pack Registries tab.

10. Select the three-dot menu for the OCI Pack Registry and click Sync.

Palette CLI Method

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio.

   Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.

3. Download the pack bundles to your local machine. Each pack is downloaded in .zst format.

4. Open a terminal on your local machine and navigate to the directory where the downloaded pack bundles are located.

5. Use the Palette CLI to log in to the internal Zot registry. Replace <management-vip> with the VIP address of the Palette management cluster, <username> with your username, and <password> with your password. If you have changed the default port for the Zot registry, replace 30003 with the correct port number.

   palette content registry-login \
   --registry https://<management-vip>:30003 \
   --username <username> \
   --password <password>

6. Upload the pack bundles to the internal Zot registry using the Palette CLI. Replace <pack-zst> with your downloaded pack bundle file and <management-vip> with the VIP address of the Palette management cluster. If you have changed the default port or the base content path for the Zot registry, replace 30003 with the correct port number and spectro-content with the correct content path.

   If you are using regular TLS certificates, custom TLS certificates, or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Regular TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <pack-zst>

   Custom TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <pack-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <pack-zst> \
   --insecure

   The following example output is expected when the upload is successful.

   Example Output

   ...
   INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/lb-metallb-helm-0.15.2 to remote bundle 10.11.12.13:30003/spectro-content/bundle-definition:bundle
   -----------------------------
   Push Summary
   -----------------------------
   local bundle bundle pushed to 10.11.12.13:30003/spectro-content

7. Log in to the Palette system console.

8. From the left main menu, select Administration, and then select the Pack Registries tab.

9. Select the three-dot menu for the OCI Pack Registry and click Sync.

External Registry

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio.

   Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.

3. Download the pack bundles to your local machine. Each pack is downloaded in .zst format.

4. Open a terminal on your local machine and navigate to the directory where the downloaded pack bundles are located.

5. Use the Palette CLI to log in to your external registry. Replace <registry-dns-or-ip> with the DNS/IP address of your registry, <registry-port> with the port number of your registry (if applicable), <username> with your username, and <password> with your password.

   palette content registry-login \
   --registry https://<registry-dns-or-ip>:<registry-port> \
   --username <username> \
   --password <password>

6. Upload the pack bundles to your external registry using the Palette CLI. Replace <pack-zst> with your downloaded pack bundle file, <registry-dns-or-ip> with the DNS/IP address of your registry, and <registry-port> with the port number of your registry (if applicable). If you have changed the base content path from the default, replace spectro-content with the correct content path.

   If you are using regular TLS certificates, custom TLS certificates, or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Regular TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <pack-zst>

   Custom TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <pack-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <pack-zst> \
   --insecure

   The following example output is expected when the upload is successful.

   Example Output

   ...
   INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/lb-metallb-helm-0.15.2 to remote bundle external.registry.com/spectro-content/bundle-definition:bundle
   -----------------------------
   Push Summary
   -----------------------------
   local bundle bundle pushed to external.registry.com/spectro-content
   tip

   Be aware of the timeout period for the authentication token. If the authentication token expires, you will need to re-authenticate to the OCI registry and restart the upload process.

7. Log in to the Palette system console.

8. From the left main menu, select Administration, and then select the Pack Registries tab.

9. Select the three-dot menu for your external registry and click Sync.

Validate

Internal Zot Registry

1. Log in to the Local UI of the leader host of the Palette management cluster.

2. From the left main menu, click Content.

3. Enter the filename of the uploaded pack in the Filter by name search bar. The pack should appear in the table below. You can repeat this step for each pack you uploaded.

External Registry

1. Check that the packs have been successfully uploaded to your external registry using the Palette CLI. Replace <registry-dns-or-ip> with the DNS/IP address of your registry, <registry-port> with the port number of your registry (if applicable), and <image-repository> with the name of the image repository. If you have changed the base content path from the default, replace spectro-content with the correct content path.

   If you are using custom TLS certificates or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Custom TLS Certificate

   palette content list \
   --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   palette content list \
   --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
   --insecure

2. Check that the pack images you uploaded are listed in the output as repositories with version tags.

   Example command

   palette content list \
   --repo external.registry.com/spectro-content/us-docker.pkg.dev/palette-images/packs/metallb/0.15.2/controller
   Example output

   Listing bundles
   external.registry.com/spectro-content/us-docker.pkg.dev/palette-images/packs/metallb/0.15.2/controller:v0.15.2

(Optional) Upload Third Party Packs

Follow the instructions to upload the Third Party packs to your Palette instance. The Third Party packs contain additional functionality and capabilities that enhance the Palette experience.

Prerequisites

• Access to the Artifact Studio to download the Third Party packs.

• If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette management cluster. Also, verify that your local machine can access the Local UI, as airgapped environments may have strict network policies preventing direct access.

  • (Optional) The Palette CLI installed on your local machine if you prefer to use the command line for uploading packs. Refer to the Palette CLI guide for installation instructions.

• If using an external registry, the Palette CLI must be installed on your local machine to upload the content to the external registry. Refer to the Palette CLI guide for installation instructions.

  • Ensure your local machine has network access to the external registry server and you have the necessary permissions to push images to the registry.

Upload Packs

Internal Zot Registry

Local UI Method

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.

3. On the Use case step, select the Add-on only option.

4. On the Configure bundle step, enter Palette Third Party in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category.

   Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.

5. On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, you can click the Copy all URLs button to copy the download URLs to your clipboard.

   Wait until the packs have been downloaded to your local machine. The packs are downloaded in .zst format alongside a signature file in sig.bin format.

   tip

   Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file.

6. Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

7. From the left main menu, click Content.

8. Click Actions in the top right and select Upload Content from the drop-down menu.

9. Click the upload icon to open the file selection dialog and select the Third Party ZST files from your local machine. Alternatively, you can drag and drop the files into the upload area.

   The upload process starts automatically once the files are selected. You can monitor the upload progress in the Upload Content dialog.

   Wait for the File(s) uploaded successfully confirmation message or the green check mark to appear next to the upload progress bar.

10. Log in to the Palette system console.

11. From the left main menu, select Administration, and then select the Pack Registries tab.

12. Select the three-dot menu for the OCI Pack Registry and click Sync.

Palette CLI Method

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.

3. On the Use case step, select the Add-on only option.

4. On the Configure bundle step, enter Palette Third Party in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category.

   Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.

5. On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, you can click the Copy all URLs button to copy the download URLs to your clipboard.

   Wait until the packs have been downloaded to your local machine. The packs are downloaded in .zst format alongside a signature file in sig.bin format.

   tip

   Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file.

6. Open a terminal on your local machine and navigate to the directory where the Third Party ZST files are located.

7. Use the Palette CLI to log in to the internal Zot registry. Replace <management-vip> with the VIP address of the Palette management cluster, <username> with your username, and <password> with your password. If you have changed the default port for the Zot registry, replace 30003 with the correct port number.

   palette content registry-login \
   --registry https://<management-vip>:30003 \
   --username <username> \
   --password <password>

8. Upload the packs to the internal Zot registry using the Palette CLI. Replace <third-party-zst> and <third-party-conformance-zst> with your downloaded Third Party pack ZST files and <management-vip> with the VIP address of the Palette management cluster. If you have changed the default port or the base content path for the Zot registry, replace 30003 with the correct port number and spectro-content with the correct content path.

   If you are using regular TLS certificates, custom TLS certificates, or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Regular TLS Certificate

   Upload Third Party Pack with Regular TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-zst>

   Upload Third Party Conformance Pack with Regular TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-conformance-zst>

   Custom TLS Certificate

   Upload Third Party Pack with Custom TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Upload Third Party Conformance Pack with Custom TLS Certificate

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-conformance-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   Upload Third Party Pack skipping TLS

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-zst> \
   --insecure

   Upload Third Party Conformance Pack skipping TLS

   palette content push \
   --registry <management-vip>:30003/spectro-content \
   --file <third-party-conformance-zst> \
   --insecure

   The following example output is expected when an upload is successful.

   Example Output

   ...
   INFO[0020] successfully copied all artifacts from local bundle /home/ubuntu/palette-cli/bin/tmp/bundle-extract/palette-thirdparty-bundle-4.7.3 to remote bundle 10.11.12.13:30003/spectro-content/bundle-definition:bundle
   -----------------------------
   Push Summary
   -----------------------------
   local bundle bundle pushed to 10.11.12.13:30003/spectro-content

9. Log in to the Palette system console.

10. From the left main menu, select Administration, and then select the Pack Registries tab.

11. Select the three-dot menu for the OCI Pack Registry and click Sync.

External Registry

1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

2. Select the Palette Enterprise Appliance product on the Product selection step and select your current version on the Version selection step.

3. On the Use case step, select the Add-on only option.

4. On the Configure bundle step, enter Palette Third Party in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category.

   Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select it, and click Next Step.

5. On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, you can click the Copy all URLs button to copy the download URLs to your clipboard.

   Wait until the packs have been downloaded to your local machine. The packs are downloaded in .zst format alongside a signature file in sig.bin format.

   tip

   Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file.

6. Open a terminal on your local machine and navigate to the directory where the Third Party ZST files are located.

7. Use the Palette CLI to log in to your external registry. Replace <registry-dns-or-ip> with the DNS/IP address of your registry, <registry-port> with the port number of your registry (if applicable), <username> with your username, and <password> with your password.

   palette content registry-login \
   --registry https://<registry-dns-or-ip>:<registry-port> \
   --username <username> \
   --password <password>

8. Upload the packs to your external registry using the Palette CLI. Replace <registry-dns-or-ip> with the DNS/IP address of your registry and <registry-port> with the port number of your registry (if applicable). If you have changed the base content path from the default, replace spectro-content with the correct content path.

   If you are using regular TLS certificates, custom TLS certificates, or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Regular TLS Certificate

   Upload Third Party Pack with Regular TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-zst>

   Upload Third Party Conformance Pack with Regular TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-conformance-zst>

   Custom TLS Certificate

   Upload Third Party Pack with Custom TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Upload Third Party Conformance Pack with Custom TLS Certificate

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-conformance-zst> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   Upload Third Party Pack skipping TLS

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-zst> \
   --insecure

   Upload Third Party Conformance Pack skipping TLS

   palette content push \
   --registry <registry-dns-or-ip>:<registry-port>/spectro-content \
   --file <third-party-conformance-zst> \
   --insecure

   The following example output is expected when an upload is successful.

   Example Output

   ...
   INFO[0287] successfully copied all artifacts from local bundle /root/tmp/bundle-extract/palette-thirdparty-bundle-4.7.0 to remote bundle external.registry.com/spectro-content/bundle-definition:palette-thirdparty-bundle-4.7.0
   -----------------------------
   Push Summary
   -----------------------------
   local bundle palette-thirdparty-bundle-4.7.0 pushed to external.registry.com/spectro-content
   tip

   Be aware of the timeout period for the authentication token. If the authentication token expires, you will need to re-authenticate to the OCI registry and restart the upload process.

9. Log in to the Palette system console.

10. From the left main menu, select Administration, and then select the Pack Registries tab.

11. Select the three-dot menu for your external registry and click Sync.

Validate

Internal Zot Registry

1. Log in to the Local UI of the leader host of the Palette management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

2. From the left main menu, click Content.

3. Enter the filename of each Third Party pack in the Filter by name search bar. The packs should appear in the table.

External Registry

1. Check that the packs have been successfully uploaded to your external registry using the Palette CLI. Replace <registry-dns-or-ip> with the DNS/IP address of your registry, <registry-port> with the port number of your registry (if applicable), and <image-repository> with the name of the image repository. If you have changed the base content path from the default, replace spectro-content with the correct content path.

   If you are using custom TLS certificates or choosing to skip TLS, use the appropriate flags as shown in the following examples.

   Custom TLS Certificate

   palette content list \
   --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
   --ca-cert <path-to-ca-cert> \
   --tls-cert <path-to-tls-cert> \
   --tls-key <path-to-tls-key>

   Skip TLS

   palette content list \
   --repo <registry-dns-or-ip>:<registry-port>/spectro-content/<image-repository> \
   --insecure

2. Check that the Third Party images you uploaded are listed in the output as repositories with version tags.

   Example command

   palette content list \
   --repo external.registry.com/spectro-content/sonobuoy/sonobuoy
   Example output

   Listing bundles
   harbor.teams.spectrocloud.com/docs-private/sonobuoy/sonobuoy:v0.57.1
   harbor.teams.spectrocloud.com/docs-private/sonobuoy/sonobuoy:v0.57.2

Next Steps

The following actions are recommended after installing Palette to ensure your environment is ready for use:

• Assign your SSL certificates to Palette. Palette is installed with a self-signed SSL certificate. To assign a different SSL certificate, upload the certificate, key, and certificate authority files to Palette. You can upload the files using the system console. Refer to the Configure HTTPS Encryption page for instructions on how to upload the SSL certificate files to Palette.

• Create a tenant in Palette to host your users. Refer to the Create a Tenant guide for instructions on how to create a tenant in Palette.

• Activate your Palette installation before the trial mode expires. Refer to the Activate Installation guide for instructions on how to activate your installation.

• Create additional system administrator accounts and assign roles to users in the system console. Refer to the Account Management guide for instructions on how to manage user accounts and roles in Palette.

• Configure SMTP settings to enable email notifications and password recovery. Refer to the Configure SMTP Settings guide for instructions on how to configure SMTP settings in Palette.

For all system management options in Palette, refer to the System Management guide.