Installation on OpenShift

This guide helps you to install Kannika Armory on OpenShift.

Prerequisites

Before continuing with the installation, make sure you have the following tools available:

• oc OpenShift CLI
• OpenShift
• Helm 3.9+
• A valid license key. You can request a free trial license.

See Requirements for system specifications and other requirements.

Installing Kannika Armory

Kannika Armory consists of the following components:

• The operator component, which is responsible for managing the platform.
• The API component, which provides a GraphQL and REST API for managing the platform.
• The console component, which provides a responsive user interface.
• The core component, which does the actual heavy lifting of backing up and restoring data. This does not need to be installed, as it is managed by the operator.

The easiest way to install the platform is by using the Helm chart. This will install all components at once.

Install the Custom Resource Definitions

Before installing the platform itself, you need to install the Custom Resource Definitions (CRDs) first. These are installed separately from the Helm chart to allow for a more flexible upgrade process.

Using oc

$ oc apply -f https://docs.kannika.io/refs/0.12.4/crd/kannika-crd-v1alpha.yml

Using Helm

$ helm install kannika-crd oci://quay.io/kannika/charts/kannika-crd \
  --version 0.12.4

Create a project

Kannika Armory should be installed in its own project. By convention, the project kannika-system is used for this.

$ oc new-project kannika-system

Install the license key

Tip

If you wish to try out Kannika Armory for free, you can request a free trial license.

Kannika Armory requires a valid license to run. You must store the license key in a Kubernetes secret with the type kannika.io/license, using the key license.

Make sure to install it in the same namespace as the platform itself.

$ oc create secret generic kannika-license \
  --namespace kannika-system \
  --from-file=license=<license-key-file> \
  --type=kannika.io/license

The operator will automatically pick up the license key and check its validity.

Define the security settings

Since OpenShift is by default a more secure environment than Kubernetes, you may need to adjust the security settings in the Helm chart.

Here is an example Helm configuration values.yaml that sets the security context for all components, and some other sensible defaults:

values.yaml

operator:
  # Security context for the operator
  securityContext:
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1001011234 # Different per project (namespace)
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault

    # Resource requirements for the operator
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        # cpu: 1
        memory: 512Mi

    config:
      pod:
        # Default resource requirements for Backup and Restore pods
        resources:
          requests:
            cpu: 100m
            memory: 1Gi
          limits:
            # cpu: 1
            memory: 1Gi
        container:
          # Security context for Backup and Restore containers
          securityContext:
             capabilities:
               drop:
                 - ALL
             readOnlyRootFilesystem: true
             runAsNonRoot: true
             runAsUser: 1001011234 # Different per project (namespace)
             allowPrivilegeEscalation: false
             seccompProfile:
               type: RuntimeDefault


# Security context for the API
api:
  securityContext:
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1001011234 # Different per project (namespace)
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault

    # Resource requirements for the API
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
      limits:
        # cpu: 1
        memory: 1Gi

# Security context for the console
console:
  securityContext:
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1001011234 # Different per project (namespace)
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault

    # Resource requirements for the console
    resources:
      requests:
        cpu: 100m
        memory: 1Gi
      limits:
        # cpu: 1
        memory: 1Gi

Based on the Security Context Constraints of your OpenShift cluster, you may need to adjust these values.

It is also possible to define the settings for each Backup Pod or Restore Pod pod separately.

Install the platform using the Helm chart

Install the chart with the release name kannika in the kannika-system project:

$ helm install kannika oci://quay.io/kannika/charts/kannika \
  --create-namespace \
  --namespace kannika-system \
  --version 0.12.4 \
  -f values.yaml

Verifying the installation

After installing the Helm chart and waiting for a short period of time, verify that the following Deployments are running:

$ oc get deployments --namespace kannika-system

The output should look similar to this:

NAME       READY   UP-TO-DATE   AVAILABLE   AGE
api        1/1     1            1           1m
console    1/1     1            1           1m
operator   1/1     1            1           1m