Install KubeLB CCM and setup Tenant Cluster

Requirements

  • KubeLB management cluster kubernetes API access.
  • Registered as a tenant in the KubeLB management cluster.

Pre-requisites

  • Create a namespace kubelb for the CCM to be deployed in.

  • The agent expects a Secret with a kubeconf file named kubelb to access the management/load balancing cluster.

    • First register the tenant in LB cluster by following tenant registration guidelines.
    • Fetch the generated kubeconfig and create a secret by using the command:
    kubectl --namespace kubelb create secret generic kubelb-cluster --from-file=<path to kubelb kubeconf file>

  • The name of secret can be overridden using .Values.kubelb.clusterSecretName

  • Update the tenantName in the values.yaml to a unique identifier for the tenant. This is used to identify the tenant in the manager cluster. Tenants are registered in the management cluster by the Platform Provider and the name is prefixed with tenant-. So for example, a tenant named my-tenant will be registered as tenant-my-tenant.

At this point a minimal values.yaml should look like this:

kubelb:
    clusterSecretName: kubelb-cluster
    tenantName: <unique-identifier-for-tenant>

Installation for KubeLB CCM

In case if Gateway API needs to be enabled for the cluster. Please set kubelb.enableGatewayAPI to true in the values.yaml. This is required otherwise due to missing CRDs, kubelb will not be able to start.

Prerequisites

  • Create a namespace kubelb for the CCM to be deployed in.
  • Create imagePullSecrets for the chart to pull the image from the registry in kubelb namespace.

At this point a minimal values.yaml should look like this:

imagePullSecrets:
  - name: <imagePullSecretName>
kubelb:
    clusterSecretName: kubelb-cluster
    tenantName: <unique-identifier-for-tenant>

Install the helm chart

helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm-ee --version=v1.1.1 --untardir "." --untar
## Create and update values.yaml with the required values.
helm upgrade --install kubelb-ccm kubelb-ccm-ee --namespace kubelb -f kubelb-ccm-ee/values.yaml

KubeLB CCM EE Values

KeyTypeDefaultDescription
affinityobject{}
autoscaling.enabledboolfalse
autoscaling.maxReplicasint10
autoscaling.minReplicasint1
autoscaling.targetCPUUtilizationPercentageint80
autoscaling.targetMemoryUtilizationPercentageint80
extraVolumeMountslist[]
extraVolumeslist[]
fullnameOverridestring""
image.pullPolicystring"IfNotPresent"
image.repositorystring"quay.io/kubermatic/kubelb-ccm-ee"
image.tagstring"v1.1.1"
imagePullSecrets[0].namestring"kubermatic-quay.io"
kubelb.clusterSecretNamestring"kubelb-cluster"Name of the secret that contains kubeconfig for the loadbalancer cluster
kubelb.disableGRPCRouteControllerboolfalsedisableGRPCRouteController specifies whether to disable the GRPCRoute Controller.
kubelb.enableGatewayAPIboolfalseenableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start.
kubelb.disableGatewayControllerboolfalsedisableGatewayController specifies whether to disable the Gateway Controller.
kubelb.disableHTTPRouteControllerboolfalsedisableHTTPRouteController specifies whether to disable the HTTPRoute Controller.
kubelb.disableIngressControllerboolfalsedisableIngressController specifies whether to disable the Ingress Controller.
kubelb.disableTCPRouteControllerboolfalsedisableTCPRouteController specifies whether to disable the TCPRoute Controller.
kubelb.disableTLSRouteControllerboolfalsedisableTLSRouteController specifies whether to disable the TLSRoute Controller.
kubelb.disableUDPRouteControllerboolfalsedisableUDPRouteController specifies whether to disable the UDPRoute Controller.
kubelb.enableLeaderElectionbooltrueEnable the leader election.
kubelb.enableSecretSynchronizerboolfalseEnable to automatically convert Secrets labelled with kubelb.k8c.io/managed-by: kubelb to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
kubelb.nodeAddressTypestring"ExternalIP"Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
kubelb.tenantNamestringnilName of the tenant, must be unique against a load balancer cluster.
kubelb.useGatewayClassbooltrueuseGatewayClass specifies whether to target resources with kubelb gateway class or all resources.
kubelb.useIngressClassbooltrueuseIngressClass specifies whether to target resources with kubelb ingress class or all resources.
kubelb.useLoadBalancerClassboolfalseuseLoadBalancerClass specifies whether to target services of type LoadBalancer with kubelb load balancer class or all services of type LoadBalancer.
nameOverridestring""
nodeSelectorobject{}
podAnnotationsobject{}
podLabelsobject{}
podSecurityContext.runAsNonRootbooltrue
podSecurityContext.seccompProfile.typestring"RuntimeDefault"
rbac.allowLeaderElectionRolebooltrue
rbac.allowMetricsReaderRolebooltrue
rbac.allowProxyRolebooltrue
rbac.enabledbooltrue
replicaCountint1
resources.limits.cpustring"500m"
resources.limits.memorystring"512Mi"
resources.requests.cpustring"100m"
resources.requests.memorystring"128Mi"
securityContext.allowPrivilegeEscalationboolfalse
securityContext.capabilities.drop[0]string"ALL"
securityContext.runAsUserint65532
service.portint8443
service.protocolstring"TCP"
service.typestring"ClusterIP"
serviceAccount.annotationsobject{}
serviceAccount.createbooltrue
serviceAccount.namestring""
serviceMonitor.enabledboolfalse
tolerationslist[]

Install the helm chart

helm pull oci://quay.io/kubermatic/helm-charts/kubelb-ccm --version=v1.1.1 --untardir "." --untar
## Create and update values.yaml with the required values.
helm upgrade --install kubelb-ccm kubelb-ccm --namespace kubelb -f kubelb-ccm/values.yaml

KubeLB CCM Values

KeyTypeDefaultDescription
affinityobject{}
autoscaling.enabledboolfalse
autoscaling.maxReplicasint10
autoscaling.minReplicasint1
autoscaling.targetCPUUtilizationPercentageint80
autoscaling.targetMemoryUtilizationPercentageint80
extraVolumeMountslist[]
extraVolumeslist[]
fullnameOverridestring""
image.pullPolicystring"IfNotPresent"
image.repositorystring"quay.io/kubermatic/kubelb-ccm"
image.tagstring"v1.1.1"
imagePullSecretslist[]
kubelb.clusterSecretNamestring"kubelb-cluster"Name of the secret that contains kubeconfig for the loadbalancer cluster
kubelb.disableGRPCRouteControllerboolfalsedisableGRPCRouteController specifies whether to disable the GRPCRoute Controller.
kubelb.enableGatewayAPIboolfalseenableGatewayAPI specifies whether to enable the Gateway API and Gateway Controllers. By default Gateway API is disabled since without Gateway APIs installed the controller cannot start.
kubelb.disableGatewayControllerboolfalsedisableGatewayController specifies whether to disable the Gateway Controller.
kubelb.disableHTTPRouteControllerboolfalsedisableHTTPRouteController specifies whether to disable the HTTPRoute Controller.
kubelb.disableIngressControllerboolfalsedisableIngressController specifies whether to disable the Ingress Controller.
kubelb.enableLeaderElectionbooltrueEnable the leader election.
kubelb.enableSecretSynchronizerboolfalseEnable to automatically convert Secrets labelled with kubelb.k8c.io/managed-by: kubelb to Sync Secrets. This is used to sync secrets from tenants to the LB cluster in a controlled and secure way.
kubelb.nodeAddressTypestring"ExternalIP"Address type to use for routing traffic to node ports. Values are ExternalIP, InternalIP.
kubelb.tenantNamestringnilName of the tenant, must be unique against a load balancer cluster.
kubelb.useGatewayClassbooltrueuseGatewayClass specifies whether to target resources with kubelb gateway class or all resources.
kubelb.useIngressClassbooltrueuseIngressClass specifies whether to target resources with kubelb ingress class or all resources.
kubelb.useLoadBalancerClassboolfalseuseLoadBalancerClass specifies whether to target services of type LoadBalancer with kubelb load balancer class or all services of type LoadBalancer.
nameOverridestring""
nodeSelectorobject{}
podAnnotationsobject{}
podLabelsobject{}
podSecurityContext.runAsNonRootbooltrue
podSecurityContext.seccompProfile.typestring"RuntimeDefault"
rbac.allowLeaderElectionRolebooltrue
rbac.allowMetricsReaderRolebooltrue
rbac.allowProxyRolebooltrue
rbac.enabledbooltrue
replicaCountint1
resources.limits.cpustring"500m"
resources.limits.memorystring"512Mi"
resources.requests.cpustring"100m"
resources.requests.memorystring"128Mi"
securityContext.allowPrivilegeEscalationboolfalse
securityContext.capabilities.drop[0]string"ALL"
securityContext.runAsUserint65532
service.portint8443
service.protocolstring"TCP"
service.typestring"ClusterIP"
serviceAccount.annotationsobject{}
serviceAccount.createbooltrue
serviceAccount.namestring""
serviceMonitor.enabledboolfalse
tolerationslist[]

Setup the tenant cluster

Install Gateway API CRDs

At this point, the KubeLB CCM should be installed and running in the tenant cluster. Next steps are to install the Gateway API CRDs in the cluster. This is required to use the Gateway API resources in the tenant cluster.

Use the Experimental channel to install the CRDs:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml

For more details: Experimental Install

Use the Standard channel to install the CRDs:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

For more details: Standard Install

Due to the following reasons this has been left as a manual step and we haven’t added these CRDs to the KubeLB Manager chart, for automated installation:

  • We can’t have optional CRDs in a helm chart.
  • Installing it through the helm chart would result in the existing CRDs in the tenant cluster to be overwritten. Which is not the desired behavior.