From 64cba64b8b33f5dae6096488f7e94157937dfaf8 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Thu, 31 Oct 2024 16:15:47 -0600 Subject: [PATCH 1/7] Add missing EC install flags --- docs/reference/embedded-cluster-install.mdx | 27 +++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index 186880225..fe1d34b7e 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -21,6 +21,12 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] Flag Description + + `--admin-console-password` + +

Set the password for the Admin Console. The password must be at least six characters in length.

+ + `--admin-console-port` @@ -72,6 +78,12 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags]

Port on which to run the Local Artifact Mirror (LAM). **Default**: By default, the LAM runs on port 50000.

+ + `--network-interface` + +

The network interface to bind to for the Kubernetes API. If a network interface is not provided, the first valid, non-local network interface is used. Use `--network-interface` for multi-node clusters where node communication should happen on a particular network.

+ + `--no-proxy` @@ -87,6 +99,13 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] + + `--private-ca` + +

The name of a ConfigMap that contains the trusted certificate authority (CA) certificates used by a Man-In-The-Middle (MITM) proxy that intercepts traffic and issues its own certificates. Providing the CA certificates with `--private-ca` ensures that the private CA is trusted by the installation.

+

Note: The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the specified ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

+ + ## Examples @@ -122,6 +141,14 @@ Where: * `HOST:PORT` is the host and port of the proxy server * `LIST_OF_HOSTS` is the list of hosts to not proxy. For example, the IP address of the node where you are installing. Or, for multi-node clusters, the list of IP addresses for all nodes in the cluster, typically in CIDR notation. +### Install Behind an MITM Proxy + +```bash +sudo ./APP_SLUG install --license license.yaml \ + --private-ca PRIVATE_CA_CONFIGMAP +``` +Where `PRIVATE_CA_CONFIGMAP` is + ### Set IP Address Range for Pods and Services ```bash From 61d5aed1794fb1444082ab7be7265faeb82f6467 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Thu, 31 Oct 2024 16:56:44 -0600 Subject: [PATCH 2/7] edits --- docs/reference/embedded-cluster-install.mdx | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index fe1d34b7e..ca6e018cb 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -81,7 +81,7 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--network-interface` -

The network interface to bind to for the Kubernetes API. If a network interface is not provided, the first valid, non-local network interface is used. Use `--network-interface` for multi-node clusters where node communication should happen on a particular network.

+

The name of the network interface to bind to for the Kubernetes API. A common use case of `--network-interface` is for multi-node clusters where node communication should happen on a particular network. **Default**: If a network interface is not provided, the first valid, non-local network interface is used.

@@ -102,8 +102,8 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--private-ca` -

The name of a ConfigMap that contains the trusted certificate authority (CA) certificates used by a Man-In-The-Middle (MITM) proxy that intercepts traffic and issues its own certificates. Providing the CA certificates with `--private-ca` ensures that the private CA is trusted by the installation.

-

Note: The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the specified ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

+

The path to the trusted certificate authority (CA) certificates used by a Man-In-The-Middle (MITM) proxy that intercepts traffic and issues its own certificates. Using the `--private-ca` flag ensures that the CA is trusted by the installation. KOTS writes the CA bundle provided with the `--private-ca` flag to a ConfigMap in the cluster.

+

Note: The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

@@ -145,12 +145,23 @@ Where: ```bash sudo ./APP_SLUG install --license license.yaml \ - --private-ca PRIVATE_CA_CONFIGMAP + --private-ca /path/to/private-ca-bundle ``` -Where `PRIVATE_CA_CONFIGMAP` is ### Set IP Address Range for Pods and Services ```bash sudo ./my-app install --license license.yaml --cidr 172.16.136.0/16 ``` + +### Set Admin Console Password + +```bash +sudo ./my-app install --license license.yaml --admin-console-password password +``` + +### Use a Specific Network Interface + +```bash +sudo ./my-app install --license license.yaml --network-interface eno167777 +``` \ No newline at end of file From 766a3d5bf33ea62470a97fb3cfd217223435e363 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Thu, 31 Oct 2024 17:02:00 -0600 Subject: [PATCH 3/7] edits --- docs/reference/embedded-cluster-install.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index ca6e018cb..042bd1d0c 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -24,7 +24,7 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--admin-console-password` -

Set the password for the Admin Console. The password must be at least six characters in length.

+

Set the password for the Admin Console. The password must be at least six characters in length. If not set, the user is prompted to provide an Admin Console password in the CLI output of the install command.

@@ -103,7 +103,7 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--private-ca`

The path to the trusted certificate authority (CA) certificates used by a Man-In-The-Middle (MITM) proxy that intercepts traffic and issues its own certificates. Using the `--private-ca` flag ensures that the CA is trusted by the installation. KOTS writes the CA bundle provided with the `--private-ca` flag to a ConfigMap in the cluster.

-

Note: The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

+

The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

From 38397acd52e5821c02e662d9168f3c2c735edcca Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Thu, 31 Oct 2024 17:08:25 -0600 Subject: [PATCH 4/7] edit examples --- docs/reference/embedded-cluster-install.mdx | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index 042bd1d0c..b70c49860 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -119,7 +119,7 @@ sudo ./myapp install --license license.yaml --airgap-bundle myapp.airgap ### Change the Admin Console and LAM Ports ```bash -sudo ./myapp install --admin-console-port=20000 --local-artifact-mirror-port=40000 +sudo ./myapp install --license license.yaml --admin-console-port=20000 --local-artifact-mirror-port=40000 ``` ### Change the Data Directory @@ -131,7 +131,7 @@ sudo ./my-app install --license license.yaml --data-dir /data/embedded-cluster ### Install Behind a Proxy ```bash -sudo ./APP_SLUG install --license LICENSE_FILE \ +sudo ./APP_SLUG install --license license.yaml \ --http-proxy=HOST:PORT \ --https-proxy=HOST:PORT \ --no-proxy=LIST_OF_HOSTS @@ -144,20 +144,19 @@ Where: ### Install Behind an MITM Proxy ```bash -sudo ./APP_SLUG install --license license.yaml \ - --private-ca /path/to/private-ca-bundle +sudo ./APP_SLUG install --license license.yaml --private-ca /path/to/private-ca-bundle ``` -### Set IP Address Range for Pods and Services +### Set Admin Console Password ```bash -sudo ./my-app install --license license.yaml --cidr 172.16.136.0/16 +sudo ./my-app install --license license.yaml --admin-console-password password ``` -### Set Admin Console Password +### Set IP Address Range for Pods and Services ```bash -sudo ./my-app install --license license.yaml --admin-console-password password +sudo ./my-app install --license license.yaml --cidr 172.16.136.0/16 ``` ### Use a Specific Network Interface 
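Review bot: In the "Set Admin Console Password" example added in [PATCH 2/7] and reordered in [PATCH 4/7], the value passed to `--admin-console-password` is the literal string `password`. Readers tend to copy such values verbatim, and a password given on the command line also ends up in shell history and the process list. Suggest an uppercase placeholder such as `ADMIN_CONSOLE_PASSWORD`, in the style of `HOST:PORT` in the proxy example. Also add one sentence under the example saying that omitting the flag makes the installer prompt for the password, as the flag description in [PATCH 3/7] already states.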
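Review bot: In [PATCH 4/7], the "Install Behind a Proxy" hunk replaces `LICENSE_FILE` with `license.yaml` but keeps `./APP_SLUG`, while the neighbouring examples in the same file use `./myapp` and `./my-app`. Since this commit is already normalising the examples, pick one binary name for all of them, and decide whether examples use placeholders or sample values so they stay consistent with the usage line `sudo ./APP_SLUG install --license LICENSE_FILE [flags]`.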
From 45d1edd47d47e6ad3295f69efec9f16bd8288ae1 Mon Sep 17 00:00:00 2001 From: Alex Parker <7272359+ajp-io@users.noreply.github.com> Date: Fri, 1 Nov 2024 08:59:42 -0400 Subject: [PATCH 5/7] Alex updates --- docs/reference/embedded-cluster-install.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index b70c49860..d86918962 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -24,7 +24,7 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--admin-console-password` -

Set the password for the Admin Console. The password must be at least six characters in length. If not set, the user is prompted to provide an Admin Console password in the CLI output of the install command.

+

Set the password for the Admin Console. The password must be at least six characters in length. If not set, the user is prompted to provide an Admin Console password.

@@ -102,8 +102,8 @@ sudo ./APP_SLUG install --license LICENSE_FILE [flags] `--private-ca` -

The path to the trusted certificate authority (CA) certificates used by a Man-In-The-Middle (MITM) proxy that intercepts traffic and issues its own certificates. Using the `--private-ca` flag ensures that the CA is trusted by the installation. KOTS writes the CA bundle provided with the `--private-ca` flag to a ConfigMap in the cluster.

-

The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the ConfigMap so your containers can access the internet through proxies that issue their own TLS certificates in order to inspect traffic.

+

The path to trusted certificate authority (CA) certificates. Using the `--private-ca` flag ensures that the CA is trusted by the installation. KOTS writes the CA certificates provided with the `--private-ca` flag to a ConfigMap in the cluster.

+

The KOTS [PrivateCACert](/reference/template-functions-static-context#privatecacert) template function returns the ConfigMap containing the private CA certificates supplied with the `--private-ca` flag. You can use this template function to mount the ConfigMap so your containers trust the CA too.

From 466cd54fceffb169148237134af56cf69e93098d Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Fri, 1 Nov 2024 09:34:13 -0600 Subject: [PATCH 6/7] update private-ca example with proxy details --- docs/reference/embedded-cluster-install.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index d86918962..427f71813 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -144,7 +144,10 @@ Where: ### Install Behind an MITM Proxy ```bash -sudo ./APP_SLUG install --license license.yaml --private-ca /path/to/private-ca-bundle +sudo ./APP_SLUG install --license license.yaml --private-ca /path/to/private-ca-bundle \ + --http-proxy=HOST:PORT \ + --https-proxy=HOST:PORT \ + --no-proxy=LIST_OF_HOSTS ``` ### Set Admin Console Password From b5162cadf99cd422ec694f0eaee942e78a84b624 Mon Sep 17 00:00:00 2001 From: Paige Calvert Date: Fri, 1 Nov 2024 09:35:50 -0600 Subject: [PATCH 7/7] update private-ca example with proxy details --- docs/reference/embedded-cluster-install.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/embedded-cluster-install.mdx b/docs/reference/embedded-cluster-install.mdx index 427f71813..e3c08a8b7 100644 --- a/docs/reference/embedded-cluster-install.mdx +++ b/docs/reference/embedded-cluster-install.mdx @@ -145,9 +145,9 @@ Where: ```bash sudo ./APP_SLUG install --license license.yaml --private-ca /path/to/private-ca-bundle \ - --http-proxy=HOST:PORT \ - --https-proxy=HOST:PORT \ - --no-proxy=LIST_OF_HOSTS + --http-proxy=http://10.128.0.0:3300 \ + --https-proxy=http://10.128.0.0:3300 \ + --no-proxy=123.89.46.4,10.96.0.0/16,*.example.com ``` ### Set Admin Console Password
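Review bot: In [PATCH 5/7], the reworded `--private-ca` description says KOTS writes the supplied CA certificates to a ConfigMap, but does not say what the file at that path must contain. Suggest stating the expected file format and that the file should hold only CA certificates and never a private key, because ConfigMap contents are not protected as secrets in the cluster. The rewording also drops every mention of the MITM proxy from the description while the "Install Behind an MITM Proxy" example keeps that framing, so a short clause tying the flag to that use case would keep the two in step.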
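Review bot: In [PATCH 7/7], the `--no-proxy` value includes `123.89.46.4`, a publicly routable address, and the proxy URLs use `10.128.0.0`, which reads as a network address rather than a host. Suggest an address from a documentation range (for example `192.0.2.10`) for the node IP and a host address for the proxy, or keep the `HOST:PORT` and `LIST_OF_HOSTS` placeholders from [PATCH 6/7] so the example matches "Install Behind a Proxy". The `*.example.com` entry is also unquoted; quoting the `--no-proxy` value keeps the shell from attempting glob expansion on it.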