Installing the Instana Enterprise operator
Install the Instana Enterprise operator by using the kubectl plug-in. You must configure a set of secrets to install the Instana Enterprise operator.
This topic uses Kubernetes and Red Hat OpenShift interchangeably. The references of Kubernetes objects are also applicable to Red Hat OpenShift.
Creating image pull secrets
Unless you have your own Docker registry that mirrors
artifact-public.instana.io and don't require pull
secrets, you need to create an image pull secret for the namespace
where the Instana Enterprise operator will be installed. Follow the
steps:
-
Create a namespace where the Instana Enterprise operator will be installed.
kubectl create ns <namespace_name>Replace <namespace_name> with the namespace name that you want, such as
instana-operator. -
Install the secret in the namespace that you created by using either of the following ways:
-
Create the secret directly.
kubectl create secret docker-registry <secret-name> \ --namespace=<namespace_name> \ --docker-username=_ \ --docker-password=<agent_key> \ --docker-server=artifact-public.instana.io- Replace <namespace_name> with the namespace name where the Instana Enterprise operator will be installed.
- Replace <agent_key> with your agent key.
- Replace <secret-name> with a secret name that you want.
-
Create the YAML for the secret without applying the YAML. The secret is printed without creation.
kubectl create secret docker-registry <secret-name> \ --namespace=<namespace_name> \ --docker-username=_ \ --docker-password=<agent_key> \ --docker-server=artifact-public.instana.io \ --dry-run=client \ --output=yamlThen, create the secret.
kubectl create -f <secret-file-name.yaml> --namespace <namespace> -
Optional: Create an image pull secret if your internal image registry needs authentication.
kubectl create secret docker-registry <secret_name> --namespace <namespace> \ --docker-username=<registry_username> \ --docker-password=<registry_password> \ --docker-server=<internal-image-registry>:<internal-image-registry-port> \ --docker-email=<registry_email>
-
Creating TLS secrets for admission webhook
The operator comes with an admission webhook for defaulting, validation, and version conversion. TLS is required for an admission webhook, that is, TLS certificates need to be in place.
Ensure that the TLS secret instana-operator-webhook
of type kubernetes.io/tls is present. You can select
to use either cert-manager or custom certificates.
Using cert-manager
By default, cert-manager is used to automatically provision the secret. This works out-of-the-box if cert-manager is installed on the cluster. In this case, Issuer and Certificate objects are created upon installation, which causes cert-manager to provision and inject the certificates.
For more information about cert-manager installation, see cert-manager documentation.
Using custom certificates
You are recommended to use cert-manager. However, if you prefer to provision the certificates yourself, you can do so. The secret must contain the following entries:
-
ca.crt -
tls.crt -
tls.key
The certificate (tls.crt) must contain the
following DNS names:
-
instana-operator.<namespace>.svc -
instana-operator.<namespace>.svc.<clusterDomain>
- Replace <namespace> with the namespace name where the Instana Enterprise operator will be installed.
- Replace <clusterDomain> with the domain name of the cluster where the Instana Enterprise operator will be installed.
To create a TLS secret instana-operator-webhook of
type kubernetes.io/tls, use either of the following
ways:
-
Create the secret directly.
kubectl create secret generic instana-operator-webhook \ --type=kubernetes.io/tls \ --from-file=tls.key=path/to/tls.key \ --from-file=tls.crt=path/to/tls.crt \ --from-file=ca.crt=path/to/ca.crt -
Create the YAML for the secret without applying. The secret is printed without creation.
kubectl create secret generic instana-operator-webhook \ --type=kubernetes.io/tls \ --from-file=tls.key=path/to/tls.key \ --from-file=tls.crt=path/to/tls.crt \ --from-file=ca.crt=path/to/ca.crt \ --dry-run=client \ --output=yamlThen, create the secret.
kubectl create -f <secret-file-name.yaml>
Creating the values file
The values file contains the configurations of the
Instana Enterprise operator. The mechanism is the same as is used
by Helm.
The available options that you can configure are listed in the Instana Enterprise operator configuration options table.
In addition to the default configurations in the
values file, you need to update the
imagePullSecrets field with the image pull secret that
you created in the Creating
image pull secrets section.
Create a values.yaml file in the working directory
and add the following lines:
imagePullSecrets:
- name: <image_pull_secret>
See the following example values file:
operator:
image:
registry: my.registry.com
webhook:
image:
registry: my.registry.com
imagePullSecrets:
- name: my-registry-secret
Updating the values file for IBM Z® and LinuxONE (s390x)
Ensure that the system requirements for self-hosted Custom Edition on IBM Z® and LinuxONE (s390x) are met. For more information, see System requirements for Custom Edition on IBM Z® and LinuxONE (s390x).
To install Custom Edition on IBM Z® and LinuxONE (s390x), add
the following lines in the operator values.yaml
file:
operator:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/monitor
operator: In
values:
- "true"
tolerations:
- key: node.instana.io/monitor
operator: "Exists"
effect: "NoSchedule"
webhook:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/monitor
operator: In
values:
- "true"
tolerations:
- key: node.instana.io/monitor
operator: "Exists"
effect: "NoSchedule"
Installing the data stores
You must install data stores for metrics, traces, logs, and other data. For more information, see Setting up data stores.
Installing the Instana Enterprise operator
You can now proceed to install the Instana Enterprise operator by using either of the following two options.
Applying manifests directly
This option creates CRDs and installs the Operator deployment and associated resources on the Kubernetes cluster.
cluster.local) or if you generated certificates
yourself.-
To install the Instana Enterprise operator in a specified namespace such as
instana-operator, run the following command:kubectl instana operator apply --values values.yaml --namespace=instana-operator -
To install the Instana Enterprise operator in a specified namespace by using custom certificates, run the following command:
kubectl instana operator apply --values values.yaml --ca-bundle-base64=<base64-encoded ca.crt file> --namespace=instana-operatorReplace <base64-encoded ca.crt file> with the base64-encoded CA bundle file name.
Rendering manifests first and applying manifests next
Render the manifests and write them to either standard output (STDOUT) or to files in a specific directory first. To render manifests, perform on of the following steps:
-
To render the YAML files with a specified namespace and write them to a specified directory:
kubectl instana operator template --values values.yaml --namespace=instana-operator --output-dir <dir> -
To render YAML files with a specified namespace and write them to a specified directory by using a custom cluster domain:
kubectl instana operator template --values values.yaml --cluster-domain=my-domain.local --namespace=instana-operator --output-dir <dir> -
To render YAML files with a specified namespace and write them to a specified directory by using custom certificates:
kubectl instana operator template --values values.yaml --ca-bundle-base64=<base64-encoded ca.crt file> --namespace=instana-operator --output-dir <dir>Replace <base64-encoded ca.crt file> with the base64-encoded CA bundle file name.
Then, you can apply the manifests by using the commands in the Applying manifests directly.
Updating the backend version
The Instana backend is deployed with a default release version. Ideally, use the latest patch release or update to an available higher Instana backend version.
You can use the instana-kubectl
versions commands to upgrade the Instana backend. For
more information, see upgrade procedure.
Checking Instana Enterprise operator status
To look for issues on the pods, check at the events on the pods.
To search for all the events, run one of the following commands:
oc/kubectl get events -n instana-core
oc/kubectl get events -n instana-units
If you see any errors, check the operator logs.
To check the operator logs, complete the following steps:
-
Check the names and status of the operator:
oc get pods -n instana-operator -
Check the logs of the operator
oc logs -f -n instana-operator <Pod name>
Optional: Using advanced Operator configuration
After you install the Instana Enterprise operator, you can
configure the Instana Enterprise operator by updating the
values YAML file that you created in the Creating the values file
section.
For the available options that you can configure, see the Instana Enterprise operator configuration options section.
After you update the values YAML file, apply the
changes in a specified namespace as follows:
kubectl instana operator apply --values values.yaml --namespace=instana-operator
Instana Enterprise operator configuration options
The available options that you can configure are listed in the Instana Enterprise operator configuration options table.
| Key | Type | Default | Description |
|---|---|---|---|
| fullnameOverride | string |
""
|
Overrides the chart's full name (instana-enterprise-operator). |
| imagePullPolicy | string |
"IfNotPresent"
|
The image pull policy. |
| imagePullSecrets | list |
[{"name":"instana-registry"}]
|
A list of image pull secrets. |
| installCRDs | bool |
true
|
Specifies whether CRDs are installed. |
| nameOverride | string |
""
|
Overrides the chart's name (instana-enterprise-operator). |
| operator.affinity | object |
{}
|
Affinity for the operator pod. |
| operator.clusterDomain | string |
""
|
Specifies a custom cluster domain. |
| operator.enabled | bool |
true
|
If true, the operator deployment is installed. |
| operator.extraArgs | list |
[]
|
Additional CLI arguments for the operator process. |
| operator.extraEnv | list |
[]
|
Additional environment variables for the operator process. |
| operator.image.registry | string |
"artifact-public.instana.io"
|
The image registry to use. |
| operator.image.repository | string |
"infrastructure/instana-enterprise-operator"
|
The image repository to use. |
| operator.image.tag | string |
""
|
The image tag to use. Defaults to the chart's appVersion. |
| operator.nodeSelector | object |
{}
|
Node selector for the operator pod. |
| operator.replicas | int |
1
|
The number of replicas to create. |
| operator.resources | object |
{}
|
Resource requests and limits for the operator pod. |
| operator.securityContext | object |
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
|
Security context for the operator container. |
| operator.tolerations | list |
[]
|
Tolerations for the operator pod. |
| webhook.affinity | object |
{}
|
Affinity for the operator pod. |
| webhook.caBundleBase64 | string |
""
|
Base64-encoded CA bundle for the webhook. |
| webhook.enabled | bool |
true
|
If true, the webhook deployment is installed. |
| webhook.extraArgs | list |
[]
|
Additional CLI arguments for the operator process. |
| webhook.extraEnv | list |
[]
|
Additional environment variables for the operator process. |
| webhook.image.registry | string |
"artifact-public.instana.io"
|
The image registry to use. |
| webhook.image.repository | string |
"infrastructure/instana-enterprise-operator-webhook"
|
The image repository to use. |
| webhook.image.tag | string |
""
|
The image tag to use. Defaults to the chart's appVersion. |
| webhook.nodeSelector | object |
{}
|
Node selector for the operator pod. |
| webhook.replicas | int |
1
|
The number of replicas to create. |
| webhook.resources | object |
{}
|
Resource requests and limits for the operator pod. |
| webhook.securityContext | object |
{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}
|
Security context for the operator container. |
| webhook.tolerations | list |
[]
|
Tolerations for the operator pod. |