...
The procedure has been tested on Ubuntu 22.04 LTS with 64 GB of RAM.
RKE2 install
Refer to the RKE2 QUICK START.
Install multus and calico (CNI)
```yaml
# CNI entry for the RKE2 config file (/etc/rancher/rke2/config.yaml)
cni:
  - multus
  - calico
```
1 Install metallb (LoadBalancer)
This step makes it possible to expose addresses outside the cluster.
Prepare metallb_config.yaml
Copy the following content, using free IP ranges from the networks your cluster uses:
```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  namespace: metallb-system
  name: default-pool-10-6
spec:
  addresses:
    - 10.10.6.240-10.10.6.250 # Adjust to your available range
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  namespace: metallb-system
  name: l2
spec:
  ipAddressPools:
    - default-pool-10-6
  nodeSelectors:
    - matchLabels:
        vlan: vlan-10-6 # only nodes carrying this label answer ARP for the pool
---
# if you have another network to expose
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  namespace: metallb-system
  name: default-pool-109
spec:
  addresses:
    - 192.168.109.240-192.168.109.250 # Adjust to your available range
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  namespace: metallb-system
  name: l2-109 # must differ from the first L2Advertisement: a second object also named "l2" would replace it on apply
spec:
  ipAddressPools:
    - default-pool-109
  nodeSelectors:
    - matchLabels:
        vlan: vlan-109
```
Install metallb and configure
```bash
# metallb
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.15.2/config/manifests/metallb-native.yaml
# the IPAddressPool/L2Advertisement CRDs come from the manifest above, so apply the config only after it
kubectl apply -f metallb_config.yaml
```
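As an added check (not part of this page), a small Python linter for the shape of metallb_config.yaml above: it flags duplicate kind/name pairs (a second `L2Advertisement` named `l2` in the same file silently replaces the first when applied), overlapping address ranges, and advertisements that reference a pool the file does not define. It is a line-based reader for this manifest shape, not a general YAML parser, and the `pool`/`adv` helpers only build a constructed sample.

```python
import ipaddress
import re

# Helpers to build a constructed manifest in the shape of this page's metallb_config.yaml.
def pool(name, rng):
    return f"kind: IPAddressPool\nmetadata:\n  name: {name}\nspec:\n  addresses:\n    - {rng}\n"

def adv(name, pool_name):
    return f"kind: L2Advertisement\nmetadata:\n  name: {name}\nspec:\n  ipAddressPools:\n    - {pool_name}\n"

# Constructed sample: the page's two pools plus two L2Advertisements that both carry the name "l2".
SAMPLE = "---\n".join([pool("default-pool-10-6", "10.10.6.240-10.10.6.250"), adv("l2", "default-pool-10-6"),
                       pool("default-pool-109", "192.168.109.240-192.168.109.250"), adv("l2", "default-pool-109")])

RANGE = re.compile(r"^\s*-\s*(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\s*(?:#.*)?$", re.M)
REF = re.compile(r"^\s*-\s*([a-z][a-z0-9-]*)\s*$", re.M)  # pool names listed under ipAddressPools

def parse(text):
    """Line-based reader for this manifest shape; not a general YAML parser."""
    docs = []
    for chunk in text.split("\n---"):
        kind = re.search(r"^\s*kind:\s*(\S+)", chunk, re.M)
        name = re.search(r"^\s*name:\s*(\S+)", chunk, re.M)  # first name: line is metadata.name
        if kind and name:
            docs.append((kind.group(1), name.group(1), RANGE.findall(chunk), REF.findall(chunk)))
    return docs

def lint(text):
    """Return a list of problems: duplicate objects, overlapping ranges, dangling pool references."""
    issues, seen, pools, ranges, advs = [], set(), set(), [], []
    for kind, name, addrs, refs in parse(text):
        if (kind, name) in seen:  # same kind+name in one file: kubectl apply keeps only the last one
            issues.append(f"duplicate {kind}/{name}")
        seen.add((kind, name))
        if kind == "IPAddressPool":
            pools.add(name)
            for start, end in addrs:
                lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
                issues += [f"{name} overlaps {o}" for o, olo, ohi in ranges if lo <= ohi and olo <= hi]
                ranges.append((name, lo, hi))
        elif kind == "L2Advertisement":
            advs.append((name, refs))
    for name, refs in advs:
        issues += [f"{name} references unknown pool {r}" for r in refs if r not in pools]
    return issues
```

Run `lint(open("metallb_config.yaml").read())` against your own file before applying it; an empty list means none of the three checks fired.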
2 Install local_path storage class
🛠️ Apply the official manifests
Use this command to install the default local-path-provisioner:
...
This installs:
- A StorageClass named local-path
- A local-path-provisioner DaemonSet
- The necessary RBAC and helper scripts
...
☑️ Set it as the default (optional)
To make local-path the default StorageClass (so you don’t need to specify it in every PVC):
...
Look for (default) in the local-path row.
3 Install cert-manager
Install cert-manager using the official manifests:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
```
📄 Create a ClusterIssuer for Let's Encrypt
Create a file named cluster-issuer.yaml:
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: andrea.michelotti@infn.it # 📧 Required
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - http01:
          ingress:
            class: "nginx"
```
4 Install the Kubernetes Dashboard
Apply the official dashboard manifest:
...
This will install the dashboard into the kubernetes-dashboard namespace.
...
🌍 Expose the Dashboard with an Ingress
Option for NGINX
Create a file dashboard-ingress.yaml:
...
🧠 You must configure a DNS entry or an /etc/hosts entry pointing dashboard.da to your ingress controller IP.
...
🔐 Create a ServiceAccount + ClusterRoleBinding
Create an admin user:
```yaml
# dashboard-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
```
...
```bash
kubectl apply -f dashboard-admin.yaml
```
...
🔑 Get the Login Token
The more secure option is to create a token that expires.
```bash
kubectl -n kubernetes-dashboard create token admin-user
```
...
Copy the token and use it to log in at https://dashboard.da
Create a Secret Token (manually)
Create a ServiceAccount
```bash
kubectl create serviceaccount dashboard-sa -n kubernetes-dashboard
```
Bind It to the Cluster Role (e.g. cluster-admin)
```bash
kubectl create clusterrolebinding dashboard-sa-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:dashboard-sa
```
...
```bash
kubectl apply -f dashboard-token.yaml
```
...
Wait & Retrieve the Token
It may take a few seconds for Kubernetes to populate the token. Then:
```bash
kubectl -n kubernetes-dashboard describe secret dashboard-sa-token
```
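Both dashboard bindings above grant cluster-admin to a service account. As an added audit (not from this page), the function below walks JSON in the shape that `kubectl get clusterrolebindings -o json` returns and lists every ServiceAccount subject bound to cluster-admin; the sample is constructed to mirror the page's admin-user and dashboard-sa bindings plus one binding to the built-in `view` role for contrast.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`, mirroring the two
# bindings created on this page (admin-user, dashboard-sa-admin) plus a read-only binding for contrast.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "admin-user"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "admin-user", "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "dashboard-sa-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-sa", "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "dashboard-readonly"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "dashboard-viewer", "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "orphan-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},  # no subjects: must not crash
]})

def service_accounts_bound_to(crb_json, roles=("cluster-admin",)):
    """Return (binding name, namespace/serviceaccount) pairs for every ServiceAccount subject
    whose ClusterRoleBinding points at one of `roles`. Bindings without subjects are skipped."""
    found = []
    for item in json.loads(crb_json).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                # ServiceAccount subjects default to the "default" namespace when none is given
                found.append((item["metadata"]["name"], f"{subj.get('namespace', 'default')}/{subj['name']}"))
    return found

if __name__ == "__main__":
    # Typical use: python3 audit.py < <(kubectl get clusterrolebindings -o json)
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for binding, sa in service_accounts_bound_to(data):
        print(f"{binding}: {sa} holds cluster-admin; consider a narrower ClusterRole such as view")
```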
5 Install Argo CD
Install Argo CD in the argocd namespace:
```bash
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```
Expose Argo CD with an Ingress
🔹 Ingress with NGINX
Create a file argocd-ingress.yaml:
...
```bash
kubectl apply -f argocd-ingress.yaml
```
Retrieve initial password
```bash
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
```
Connect to the UI with the user admin and the password retrieved above.
Find the address with:
```bash
kubectl get ingress -n argocd
```
...
Change the password! The initial password won't work for long.
If you are behind a proxy
Replace squid.lnf.infn.it:3128 (shown below as the placeholder your.proxy.address:port) with your proxy host and port.
...
```bash
kubectl -n argocd set env deployment/argocd-repo-server \
  HTTP_PROXY=http://your.proxy.address:port \
  HTTPS_PROXY=http://your.proxy.address:port \
  NO_PROXY=localhost,127.0.0.1,.cluster.local,.svc,yourcluster.local
```
6 Install EPIK8S backend services (optional)
The backend services install:
...
```bash
kubectl apply -f epik8s-backend.yaml
```
7 Install EPIK8S beamline
A beamline EPIK8s Git repo must exist.
...
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: rke2-test-deploy-deploy
  namespace: argocd
  labels:
    deploy: eli
spec:
  project: default
  source:
    repoURL: 'https://github.com/infn-epics/epik8s-rke2-test.git'
    path: deploy
    targetRevision: main
    helm:
      values: |
        namespace: da-test
        domain: "da"
        ingressClassName: "nginx"
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: eli
  syncPolicy:
    automated:
      prune: true # Optional: automatically remove resources not specified in the Helm chart
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - Prune=true
```
...
The following will install the full beamline control on your cluster:
Apply:
```bash
kubectl apply -f epik8s-beamline.yaml
```
EPIK8s secrets
Your system may need to log in to machines to start processes, or to define tokens to access repositories.
...