Installing the Anjuna Kubernetes Toolset Helm Chart

Set up Helm Chart

Once the Operator is up and running and an Anjuna Config operand has been configured, additional steps are required in order to fully deploy the Anjuna Kubernetes Toolset for OpenShift on GCP.

To help you install these tools, a Helm Chart is provided with the Anjuna Kubernetes Toolset archive you downloaded on the Configuring your local environment page.

Helm Charts are configured via a values.yaml file. To generate a valid values.yaml file for your OpenShift on GCP cluster, use the following:

$ cat << EOF >${ANJ_K8S_TOOLSET_DIR}/iac/values.yaml
cloud: gcp
image: registry.connect.redhat.com/anjuna/anjuna-k8s-sev-tools:2.0.0002
maxConfidentialPodVMs: 20
installOperator: false
nodeSelector:
    key: ${ANJ_NODE_LABEL_KEY}
    value: ${ANJ_NODE_LABEL_VALUE}
gcp:
    project: ${ANJ_PROJ}
    region: ${ANJ_REGION}
    zone: ${ANJ_ZONE}
    network: ${ANJ_VPC}
    subnet: ${ANJ_VPC}
    machine: n2d-standard-2
EOF

The field installOperator must be set to false to avoid conflicts with the Anjuna Seaglass Operator you installed on the previous page.

Since each Anjuna Confidential Pod runs in its own confidential VM, the default configuration for the Anjuna Kubernetes Toolset limits the number of simultaneous Anjuna Confidential Pods to 20 per cluster. If you want to change this number, you can redefine it in the values.yaml file by setting maxConfidentialPodVMs (shown in the example above) to the desired value.

The Helm Chart offers an extensive number of options. Learn more by reading the contents of the chart’s default values.yaml located at ${ANJ_K8S_TOOLSET_DIR}/iac/k8s/chart/values.yaml.
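The heredoc above expands shell variables without checking them, so an unset ANJ_* variable leaves an empty field in values.yaml. The following lint is an added example, not part of the Anjuna toolset; check_values and demo_values are names made up here, and the sample values are constructed:

```shell
#!/bin/sh
# Added example: lint a generated values.yaml before "helm install".
# Prints one line per problem; returns non-zero if any problem is found.
check_values() {
    awk '
    function indent(s,   t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    # An empty-valued key is fine only when the next line is more indented
    # (a parent mapping such as "gcp:"); otherwise a variable was unset.
    function flush(next_indent) {
        if (pending != "" && next_indent <= pending_indent) {
            printf "line %d: %s is empty\n", pending_nr, pending
            bad = 1
        }
        pending = ""
    }
    /^[ \t]*(#.*)?$/ { next }              # skip blank lines and comments
    {
        flush(indent($0))
        line = $0; sub(/^ +/, "", line)
        key = line; sub(/:.*/, "", key)
        val = line; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (val == "") { pending = key; pending_indent = indent($0); pending_nr = NR }
        if (key == "installOperator" && val != "false") {
            printf "line %d: installOperator must be false\n", NR; bad = 1
        }
        if (key == "maxConfidentialPodVMs" && val !~ /^[1-9][0-9]*$/) {
            printf "line %d: maxConfidentialPodVMs must be a positive integer\n", NR; bad = 1
        }
    }
    END { flush(-1); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: ANJ_NODE_LABEL_VALUE and ANJ_ZONE were unset when
# the heredoc ran, so both fields expanded to nothing.
demo_values() {
    printf '%s\n' 'cloud: gcp' 'maxConfidentialPodVMs: 20' \
        'installOperator: false' 'nodeSelector:' '    key: confidential' \
        '    value: ' 'gcp:' '    project: demo-project' '    zone: ' \
        '    machine: n2d-standard-2'
}

demo="${TMPDIR:-/tmp}/values-demo.$$.yaml"
demo_values > "$demo"
check_values "$demo" || echo "fix values.yaml before installing" >&2
rm -f "$demo"
```

Against your own file, run check_values "${ANJ_K8S_TOOLSET_DIR}/iac/values.yaml" and only proceed when it returns zero.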

Install the Helm Chart

For regular Pods, the resources.requests and resources.limits fields of the Pod specification help the Kubernetes scheduler make placement decisions based on the capacity and constraints of each worker Node.

Anjuna Confidential Pods are deployed as standalone Confidential VMs and not as containers on the same worker Node. Therefore, an Anjuna Confidential Pod’s spec.resources could mislead the scheduler regarding the actual capacity of your cluster worker nodes.

To address this issue, the Anjuna Kubernetes Toolset includes a mutating webhook that adjusts the resource requests and limits of an Anjuna Confidential Pod. This allows the Pod to report more accurate resource allocation to the Node.

The mutating webhook requires cert-manager as a cluster component. If it is not already installed, install it with the following command:

$ oc apply -f https://github.com/jetstack/cert-manager/releases/download/v1.9.1/cert-manager.yaml

The cert-manager installation from the previous step can take 30 seconds or more. If the following helm command is executed before cert-manager is ready, you may encounter certificate errors. If this occurs, the Helm chart will need to be uninstalled by executing helm uninstall anjuna-cc --wait followed by running the install command again.

You should now be ready to install the Anjuna Kubernetes Toolset’s Helm Chart to your cluster:

$ helm install anjuna-cc ${ANJ_K8S_TOOLSET_DIR}/iac/k8s/chart \
  --values ${ANJ_K8S_TOOLSET_DIR}/iac/values.yaml --wait
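
To avoid the certificate errors described above, the install can be gated on cert-manager readiness and fall back to the uninstall-and-retry recovery. This is an added example, not part of the Anjuna toolset: the function names are made up here, and it assumes the cert-manager.yaml manifest creates its Deployments in the cert-manager namespace.

```shell
#!/bin/sh
# Added example: only run "helm install" once cert-manager is Available, and
# apply the uninstall-then-retry recovery if the install still fails.
# Assumption: the cert-manager.yaml manifest creates its Deployments in the
# "cert-manager" namespace.
CHART_DIR="${ANJ_K8S_TOOLSET_DIR:-.}/iac/k8s/chart"
VALUES_FILE="${ANJ_K8S_TOOLSET_DIR:-.}/iac/values.yaml"

# Block until every cert-manager Deployment reports Available.
wait_for_cert_manager() {
    oc wait deployment --all -n cert-manager \
        --for=condition=Available --timeout="${1:-180s}"
}

helm_install() {
    helm install anjuna-cc "$CHART_DIR" --values "$VALUES_FILE" --wait
}

install_toolset() {
    wait_for_cert_manager "${1:-180s}" || {
        echo "cert-manager is not ready; not installing" >&2
        return 1
    }
    helm_install && return 0
    # A failed release must be removed before the name can be reused.
    echo "install failed; uninstalling and retrying once" >&2
    helm uninstall anjuna-cc --wait || return 1
    wait_for_cert_manager "${1:-180s}" && helm_install
}

# Run with: sh install-toolset.sh --install
if [ "${1:-}" = "--install" ]; then install_toolset; fi
```

Deployment availability is a proxy for readiness; if certificate errors still appear, the single retry covers the case where the webhook certificate was issued slightly later.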

Verify the Helm Chart installation

All Helm Chart resources will be created in the anjuna-system namespace.

To ensure that all components are running, you can verify the Pods running in the anjuna-system namespace:

$ oc get pods -n anjuna-system

The output should include the following Pods:

NAME                                                    READY   STATUS    RESTARTS   AGE
anjuna-cloud-adaptor-daemonset-z4kmg                    1/1     Running   0          18s
anjuna-extended-resources-updater-7bszc                 1/1     Running   0          19s
anjuna-webhook-controller-manager-5d4675fc4b-6kjnn      2/2     Running   0          19s

The Anjuna Kubernetes Toolset Cloud Adaptor DaemonSet runs on every node that matches the node selector you configured.

The output above represents an installation targeting only one Node. If your configured Node Selector resolves to multiple Nodes, expect to see multiple Pods of the Cloud Adaptor DaemonSet running, one per Node.

Your Kubernetes cluster is now ready to deploy applications as Anjuna Confidential Pods. Refer to Deploying Pods as Anjuna Confidential Pods for examples of how to deploy applications.

Upgrade the Anjuna Kubernetes Toolset

To upgrade the installed version of the Anjuna Kubernetes Toolset, first Uninstall the Anjuna Kubernetes Toolset. Then follow the installation instructions in Installing the Anjuna Kubernetes Toolset to OpenShift on GCP again to install the new version.

You do not need to recreate the shared resources or the cluster in order to upgrade.

All Anjuna Confidential Pods must be stopped before an upgrade. After the upgrade, the Anjuna Confidential Pod images need to be rebuilt with an anjuna-k8s-cli that matches the new Anjuna Kubernetes Toolset version.

Uninstall the Anjuna Kubernetes Toolset

To uninstall the Anjuna Kubernetes Toolset, first stop all Anjuna Confidential Pods.

Then, run the following commands:

$ cd "${ANJ_K8S_TOOLSET_DIR}/iac"
$ oc delete crd anjunaconfigs.anjuna.io
$ helm uninstall anjuna-cc --wait

This operation might take about a minute to fully complete.

Navigate to the Installed Operators menu option under Operators and uninstall the Anjuna Seaglass Operator. When prompted, select to delete all operands.

Uninstallation of the Anjuna Seaglass Operator can also be done via the oc CLI utility.

To delete cert-manager, run the following command:

$ oc delete -f https://github.com/jetstack/cert-manager/releases/download/v1.9.1/cert-manager.yaml