Getting Started

Setting up Welkin consists of two parts: setting up at least two Kubernetes Clusters and deploying welkin-apps on top of them.

In theory, any Kubernetes Cluster can be used for Welkin. We suggest using Kubespray or Cluster-API.

Before you start

Note

The following ZIP files are retrieved from Elastisys.

Download and extract the ZIP archives for the following:

  • welkin-apps
  • welkin-kubespray or welkin-cluster-api

cd </path/to/zips>

unzip welkin-apps-v0.51.5.zip -d welkin-apps
unzip welkin-kubespray-v2.28.0-ck8s1.zip -d welkin-kubespray
unzip welkin-cluster-api-v0.9.0.zip -d welkin-cluster-api

Install the following required tools:

Pre-requisites for Kubespray

The following tools are necessary for Kubespray.

Ansible for Kubespray and Terraform is best installed as follows:

cd welkin-kubespray
pip3 install -r kubespray/requirements.txt
ansible-playbook -e 'ansible_python_interpreter=/usr/bin/python3' --ask-become-pass --connection local --inventory 127.0.0.1, get-requirements.yaml

Pre-requisites for Cluster-API

Install pre-requisites for Cluster-API:

welkin-cluster-api/bin/ck8s-capi install-requirements

Pre-requisites for Welkin Apps

Install pre-requisites for Welkin Apps:

welkin-apps/bin/ck8s install-requirements

Optional tools

For debugging, you may want CLI tools to interact with your chosen Infrastructure Provider:

Secrets Encryption (SOPS & GPG)

Important

Welkin recommends storing GPG and SSH keys on a personal HSM, such as a YubiKey. Please consult the documentation from the personal HSM vendor to generate keys on-device, so that private keys cannot be exfiltrated even if the platform administrator's workstation is compromised. This section provides documentation for platform administrators without access to a personal HSM.

Welkin uses SOPS to encrypt configuration secrets. We currently only support using PGP when encrypting secrets.

1. Generate a GPG Key

If you do not already have a GPG key, generate one now.

  1. Run the generation command:

     gpg --full-generate-key

  2. When prompted:
       • Select RSA and RSA (default).
       • Choose a key size of 4096 bits.
       • Set the expiration as preferred.
       • Enter your Name and Email.

2. Verify GPG Setup

To ensure SOPS can use your GPG key, locate your GPG Fingerprint:

gpg --list-secret-keys --keyid-format LONG

Note

You will need this fingerprint later to set the CK8S_PGP_FP environment variable to initialize your Welkin configuration.

After initialization, a .sops.yaml file is created at $CK8S_CONFIG_PATH/.sops.yaml. This file controls which keys are used for encrypting the configuration secrets after initialization.
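
As an added example (not part of the Welkin documentation or tooling), the shell functions below read GnuPG's machine-readable listing (--with-colons) and return only full 40-character fingerprints of primary secret keys that are unexpired RSA keys of at least 4096 bits, so a short key ID or a subkey fingerprint does not end up in CK8S_PGP_FP. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Welkin's own tooling. Function names are hypothetical.

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:1111111111111111:1700000000:1800000000::u:::scESC:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1700000000::0000::Alice Admin <alice@example.com>::::::::::0:
ssb:u:4096:1:2222222222222222:1700000000:1800000000:::::e:::+:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
sec:u:2048:1:3333333333333333:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
sec:e:4096:1:4444444444444444:1500000000:1600000000::u:::scESC:::+:::23::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD4444444444444444:
EOF
}

# Emit "<fingerprint> <algo> <bits> <status>" per primary secret key.
# stdin: colon listing; $1: current Unix time (a parameter so runs are repeatable).
list_primary_keys() {
  awk -F: -v now="$1" '
    $1 == "sec" {                 # primary key: field 3 bits, 4 algo, 7 expiry
      bits = $3; algo = $4; want = 1; status = "ok"
      if ($2 == "r") status = "revoked"
      else if ($2 == "e" || ($7 != "" && $7 + 0 <= now + 0)) status = "expired"
      next
    }
    $1 == "ssb" { want = 0; next }   # fpr lines after a subkey belong to the subkey
    $1 == "fpr" && want { print $10, algo, bits, status; want = 0 }'
}

# Keep only usable keys matching step 1: RSA (algo id 1), >= 4096 bits,
# and a full 40-hex-digit fingerprint rather than a shorter key ID.
usable_fingerprints() {
  list_primary_keys "$1" |
    awk '$2 == 1 && $3 >= 4096 && $4 == "ok" && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { print $1 }'
}

# Demo on the constructed sample; prints the single usable fingerprint.
sample_listing | usable_fingerprints 1750000000

# Real use (requires gpg and a secret key):
#   CK8S_PGP_FP=$(gpg --list-secret-keys --with-colons | usable_fingerprints "$(date +%s)" | head -n 1)
#   export CK8S_PGP_FP
```

If the real-use command prints nothing, no key on the workstation meets the step 1 choices and the listing should be inspected by hand.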

Misc

Welkin relies on SSH for accessing Nodes. If you haven't already done so, generate an SSH key as follows:

ssh-keygen