Skip to content

Resources and Requirements

Requirements

  • Kubernetes
  • For bare metal/lab installs, we recommend K3s
  • vCenter/Proxmox (for virtualization)

Crucible Applications and GitHub Pages

Crucible Helm Charts

Other Helm Charts

Docker Images

Note

These images mean that there isn't a Helm repository being used to deploy these applications but are currently being used by us. To create a deployment, please view the Kubernetes deployment documentation.

We primarily use these images in setting up a email server. The above Helm charts will pull the correct Docker images. This is completely optional but is what we use during certain exercises.

We prebuild our Dovecot and Postfix Docker images. You can find an image on the Docker repository if needed.

Infrastructure

Not all applications require virtualization. Gallery, CITE, Blueprint, Player and Steamfitter all can be ran without a hypervisor.

You are able to run the full Crucible stack on minimal hardware. We usually run on four nodes: one server and three agents. Each node has around 100-250 GB of storage, 8GB RAM, 2 Cores. This is mainly for Longhorn and Stackstorm which takes a lot of resources even when limiting their availability. This is only what we recommend. As stated before, you can run this on one node outside of production. The only concern would be storage space.

Install Overview

Certificates

This stack is very dependent on TLS. Please create certificates and add them as secrets into the cluster. Down below will create self-signed certificates for testing. If you are going to install this into production, you will have to change these.

Example 
{
  "names": [
    {
      "C": "US"
    }
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "CN": "Foundry Appliance Host",
  "hosts": ["$DOMAIN", "*.$DOMAIN"]
}

cfssl gencert -initca certificates/root-ca.json | cfssljson -bare root-ca
cfssl gencert -ca certificates/root-ca.pem -ca-key certificates/root-ca-key.pem -config certificates/config.json \
            -profile intca certificates/int-ca.json | cfssljson -bare int-ca
cfssl gencert -ca certificates/int-ca.pem -ca-key certificates/int-ca-key.pem -config certificates/config.json \
            -profile server certificates/host.json | cfssljson -bare host

kubectl create secret tls appliance-cert --key certificates/host-key.pem --cert <( cat certificates/host.pem certificates/int-ca.pem ) --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic appliance-root-ca --from-file=appliance-root-ca=certificates/root-ca.pem --dry-run=client -o yaml | kubectl apply -f -

Loadbalancer

If you're using a cloud provider for your Kubernetes cluster, you do not have to worry about supplying your own loadbalancer. If you are installing this on bare metal, which would be a majority of the time if you are testing the software, you will have to provide a loadbalancer. We recommend using MetalLB. The documentation will guide you on how to install this into your cluster.

Example 
helm upgrade -i metallb metallb/metallb --namespace metallb-system --create-namespace

Ingress

In order to access these services, you need to be able to communicate to the cluster. The easiest way to do this is to add ingress-nginx to your cluster. Before you install this, you have to have an active loadbalancer. Here's a one liner using Helm to install ingress-nginx:

Example 
helm upgrade -i nginx ingress-nginx/ingress-nginx --namespace nginx --create-namespace --set controller.watchIngressWithoutClass=true --set controller.kind=Deployment --set controller.ingressClassResource.name=nginx --set controller.ingressClassResource.default=true --set controller.ingressClass=nginx

Rancher

K3s is created by Rancher but Rancher itself is a GUI to help configure your Kubernetes cluster if you are already using K3s. If you are not using K3s, please do not install this application. Rancher will also help you get to and configure Longhorn.

Example 
helm upgrade -i rancher rancher-stable/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=$RANCHER_PASS --set replicas=1 --set auditLog.level=2 --set auditLog.destination=hostPath --set hostname=rancher.$DOMAIN --set ingress.tls.source=secret --set ingress.tls.secretName=name-of-certificate

Longhorn

Longhorn is used to easily manage, create, and backup persistent volumes and persistent volume claims. You do not have to install this but you will have to manage your own PV's and PVC's if you are not using a cloud provider.

Example 
helm upgrade -i longhorn longhorn/longhorn --namespace longhorn-system --create-namespace --set persistance.defaultClassReplicaCount=1 --wait

PostgreSQL and pgAdmin

Majority of the applications above use PostgreSQL. We also use pgAdmin to help manage the database. This may differ if you're using a cloud provider.

Example 
helm upgrade -i postgresql bitnami/postgresql --set global.storageClass=longhorn --set global.postgresql.auth.postgresPassword=$POSTGRES_PASS

Here's the chart for pgAdmin that we use.

Example 
helm upgrade -i pgadmin runix/pgadmin4 -f -

Crucible Installation

All of the Crucible applications have their settings on the GitHub page and can be modified in the values yaml file on the corresponding Helm chart. There are settings within each application you do have to set up in order for communication. We have populated environment files and scripts that help guide you with this part of the installation. These are located at these two GitHub pages:

These contain the necessary values and setup procedures to install the entire Crucible stack. More information on these settings can be located on the individual GitHub pages.