Install Kf outside Google Cloud

This document describes how to install Kf and its dependencies on either a Google Distributed Cloud or Google Distributed Cloud on-premises cluster.

If you are already familiar with the process of installing Kf on a GKE cluster in Google Cloud, the main differences for the on-premises procedure are:

You do not have to install the Config Connector for an on-premises install.
The on-premises procedure uses Docker credentials instead of Workload Identity.

Before you begin

Google Distributed Cloud requirements

A user cluster for Google Distributed Cloud that meets Cloud Service Mesh requirements.
Configured for logging and monitoring.
- Google Distributed Cloud.
- Google Distributed Cloud.
Registered in your GKE Enterprise fleet:

Go to GKE Enterprise clusters

Learn how to register a cluster.

Kf requirements

Review and understand the access permissions of components in Kf in the Kf dependencies and architecture page.

Cloud Service Mesh.
Tekton for use by Kf. This is not a user facing service.
A dedicated Google Service Account.

Prepare a new Google Distributed Cloud cluster and related services

Set up environment variables

Linux and Mac

export PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export COMPUTE_ZONE=us-central1-a
export COMPUTE_REGION=us-central1
export CLUSTER_LOCATION=${COMPUTE_ZONE} # Replace ZONE with REGION to switch
export NODE_COUNT=4
export MACHINE_TYPE=e2-standard-4
export NETWORK=default
export CLUSTER_PROJECT_ID=YOUR_PROJECT_ID
export CLUSTER_NAME=kf-cluster
export DOCKER_SERVER=YOUR_DOCKER_SERVER_URL
export SA_NAME=${CLUSTER_NAME}-sa
export SA_EMAIL=${SA_NAME}@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

Windows PowerShell

Set-Variable -Name PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name COMPUTE_ZONE -Value us-central1-a
Set-Variable -Name COMPUTE_REGION -Value us-central1
Set-Variable -Name CLUSTER_LOCATION -Value $COMPUTE_ZONE # Replace ZONE with REGION to switch
Set-Variable -Name NODE_COUNT -Value 4
Set-Variable -Name MACHINE_TYPE -Value e2-standard-4
Set-Variable -Name NETWORK -Value default
Set-Variable -Name CLUSTER_PROJECT_ID -Value YOUR_PROJECT_ID
Set-Variable -Name CLUSTER_NAME -Value kf-cluster
Set-Variable -Name DOCKER_SERVER -Value YOUR_DOCKER_SERVER_URL
Set-Variable -Name SA_NAME -Value ${CLUSTER_NAME}-sa
Set-Variable -Name SA_EMAIL -Value ${SA_NAME}@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com

Set up service account

Create the Google Cloud service account (GSA) and service account key used for the builds to read/write from Container Registry. This step is different if you are using a different container registry because it could have a different way of obtaining the credentials to access the registry.

Create the service account used by Kf:

gcloud beta iam service-accounts create ${SA_NAME} \
    --project=${CLUSTER_PROJECT_ID} \
    --description="gcr.io admin for ${CLUSTER_NAME}" \
    --display-name="${CLUSTER_NAME}"

Assign the service account the storage.admin role required to read/write from the Container Registry:

gcloud projects add-iam-policy-binding ${CLUSTER_PROJECT_ID} \
    --member="serviceAccount:${SA_NAME}@${CLUSTER_PROJECT_ID}.iam.gserviceaccount.com" \
    --role="roles/storage.admin"

Create the service account key:

temp_dir=$(mktemp -d)
key_path=${temp_dir}/key.json
gcloud iam service-accounts keys create --iam-account ${SA_EMAIL} ${key_path}
key_json=$(cat ${key_path})
rm -rf ${temp_dir}

Install software dependencies on cluster

Install Cloud Service Mesh.
1. Follow the Cloud Service Mesh install guide to install Cloud Service Mesh.
2. If on Google Distributed Cloud, set the loadBalancerIP to an IP allocated to the cluster as described in Configure external IP addresses for Google Distributed Cloud.

Install Tekton:

kubectl apply -f "https://storage.googleapis.com/tekton-releases/pipeline/previous/v0.26.0/release.yaml"

Install Kf

Install the Kf CLI:
Linux
This command installs the Kf CLI for all users on the system. Follow the instructions in the Cloud Shell tab to install it just for yourself.
```
gcloud storage cp gs://kf-releases/v2.6.1/kf-linux /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
```
Mac
This command installs kf for all users on the system.
```
gcloud storage cp gs://kf-releases/v2.6.1/kf-darwin /tmp/kf
chmod a+x /tmp/kf
sudo mv /tmp/kf /usr/local/bin/kf
```
Cloud Shell
This command installs kf on your Cloud Shell instance if you use bash, the instructions may need to be modified for other shells.
```
mkdir -p ~/bin
gcloud storage cp gs://kf-releases/v2.6.1/kf-linux ~/bin/kf
chmod a+x ~/bin/kf
echo "export PATH=$HOME/bin:$PATH" >> ~/.bashrc
source ~/.bashrc
```
Windows
This command downloads kf to current directory. Add it to the path if you want to call if from anywhere other than the current directory.
```
gcloud storage cp gs://kf-releases/v2.6.1/kf-windows.exe kf.exe
```

Install the operator:

kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.6.1/operator.yaml"

Configure the operator for Kf:

kubectl apply -f "https://storage.googleapis.com/kf-releases/v2.6.1/kfsystem.yaml"

Create a Kubernetes secret for Docker credentials

Create a Kubernetes secret in the Kf namespace for Docker credentials you created above in Service account setup. Then patch the Kubernetes secret to the subresource-apiserver deployment for source uploads.

Enable and update the Kf operator to use Container Registry as the container registry.

Note: The command below uses the following Container Registry as the container registry: gcr.io/${CLUSTER_PROJECT_ID}. Alternatively, you can use your own custom container registry. Modify this command as necessary if you use a custom container registry.
```
export CONTAINER_REGISTRY=gcr.io/${CLUSTER_PROJECT_ID}
kubectl patch kfsystem kfsystem \
  --type='json' \
  -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'enabled': true, 'config': {'spaceContainerRegistry':'${CONTAINER_REGISTRY}'}}}]"
```
Verify the kf namespace has been created by the Kf operator. This might take a few minutes to complete.
```
kubectl get namespace kf
```

Create a Kubernetes secret for use with Docker registries.

export secret_name=kf-gcr-key-${RANDOM}
kubectl -n kf create secret docker-registry ${secret_name} \
   --docker-username=_json_key --docker-server ${DOCKER_SERVER} \
   --docker-password="${key_json}"

Update the Kf operator to specify the secret containing Docker credentials.

kubectl patch kfsystem kfsystem \
  --type='json' \
  -p="[{'op': 'replace', 'path': '/spec/kf', 'value': {'config': {'secrets':{'build':{'imagePushSecrets':'${secret_name}'}}}}}]"

Validate installation

kf doctor --retries=20