Installation Guide
This guide covers the complete installation of the e6data Kubernetes Operator, including all prerequisites and cloud-specific configurations.
Prerequisites
Required Components
| Component | Version | Purpose |
|---|---|---|
| Kubernetes | 1.24+ | Container orchestration |
| Helm | 3.8+ | Package management |
| kubectl | Latest | Cluster access |
| cert-manager | 1.10+ | Webhook TLS certificates |
Optional Components
| Component | Version | Purpose |
|---|---|---|
| GreptimeDB Operator | 0.1.0+ | Time-series database (for MonitoringServices) |
| Karpenter | 1.0+ | Dynamic node provisioning (AWS) |
| Prometheus Operator | Latest | Metrics collection via ServiceMonitor |
For detailed cloud IAM setup (IRSA, Workload Identity, etc.), see the Prerequisites Guide.
Step 1: Install cert-manager
cert-manager is required for webhook certificates.
```bash
# Install cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
# Wait for cert-manager to be ready
kubectl wait --for=condition=Available --timeout=120s -n cert-manager \
  deployment/cert-manager \
  deployment/cert-manager-webhook \
  deployment/cert-manager-cainjector
# Verify installation
kubectl get pods -n cert-manager
```
Expected Output:
```text
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-xxxxxxxxx-xxxxx              1/1     Running   0          1m
cert-manager-cainjector-xxxxxxxxx-xxxxx   1/1     Running   0          1m
cert-manager-webhook-xxxxxxxxx-xxxxx      1/1     Running   0          1m
```
cert-manager on Tainted Nodes (AWS/Karpenter)
If your operator NodePool uses taints (e.g., for workload isolation), install cert-manager via Helm with tolerations:
Create cert-manager-values.yaml:
```yaml
tolerations:
  - key: workload
    operator: Equal
    value: e6operator
    effect: NoSchedule
nodeSelector:
  app: e6operator
webhook:
  tolerations:
    - key: workload
      operator: Equal
      value: e6operator
      effect: NoSchedule
  nodeSelector:
    app: e6operator
cainjector:
  tolerations:
    - key: workload
      operator: Equal
      value: e6operator
      effect: NoSchedule
  nodeSelector:
    app: e6operator
startupapicheck:
  tolerations:
    - key: workload
      operator: Equal
      value: e6operator
      effect: NoSchedule
  nodeSelector:
    app: e6operator
```
Install with Helm:
```bash
helm install cert-manager oci://quay.io/jetstack/charts/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set crds.enabled=true \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=4 \
  -f cert-manager-values.yaml
# Wait for cert-manager
kubectl wait --for=condition=Available --timeout=120s -n cert-manager \
  deployment/cert-manager \
  deployment/cert-manager-webhook \
  deployment/cert-manager-cainjector
```
Step 2: Install GreptimeDB Operator (Optional)
Required only if you plan to use the GreptimeDBCluster CRD for query history and metrics.
```bash
# Create namespace
kubectl create namespace greptimedb-admin
# Add Helm repository
helm repo add greptime https://greptimeteam.github.io/helm-charts/
helm repo update
# Install GreptimeDB Operator
helm install greptimedb-operator greptime/greptimedb-operator \
  --namespace greptimedb-admin \
  --set image.pullPolicy=IfNotPresent
# Verify installation
kubectl get pods -n greptimedb-admin
```
Step 3: Create Namespaces
```bash
# Operator namespace
kubectl create namespace e6-operator-system
# Workspace namespace (example)
kubectl create namespace workspace-prod
# GreptimeDB namespace (if using)
kubectl create namespace greptime-system
```
Step 4: Create Image Pull Secret
The operator images are hosted on Google Artifact Registry. Create a pull secret in the operator namespace:
```bash
# Create secret for GCP Artifact Registry
kubectl create secret docker-registry gcr-json-key \
  --docker-server=us-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat /path/to/service-account.json)" \
  --docker-email=e6-operator@e6data-analytics.iam.gserviceaccount.com \
  --namespace=e6-operator-system
```
For workspace namespaces that need to pull e6data images:
```bash
# Repeat for each workspace namespace
kubectl create secret docker-registry gcr-json-key \
  --docker-server=us-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat /path/to/service-account.json)" \
  --namespace=workspace-prod
```
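The commands above pass the service-account key to kubectl as a command-line argument, where it is readable in the process list while kubectl runs. An alternative, added here and not part of the e6data documentation: build the `.dockerconfigjson` in a private temp file and create the same `gcr-json-key` secret from it. The function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not e6data code. Function names are illustrative.
set -eu

# build_dockerconfig KEY_FILE [REGISTRY]
# Prints a .dockerconfigjson document for a GCP service-account key.
build_dockerconfig() {
  local key_file="$1" registry="${2:-us-docker.pkg.dev}" auth
  [ -r "$key_file" ] || { echo "cannot read $key_file" >&2; return 1; }
  # auth = base64("_json_key:<key JSON>"). printf is a shell builtin, so the
  # key is never placed in another process's argument list, and the base64
  # text needs no JSON escaping.
  auth=$(printf '_json_key:%s' "$(cat "$key_file")" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$registry" "$auth"
}

# create_pull_secret KEY_FILE NAMESPACE...
# Creates the gcr-json-key secret in each namespace from a temp file.
create_pull_secret() {
  local key_file="$1" tmp ns rc=0
  shift
  tmp=$(mktemp)    # mktemp creates the file with mode 0600
  build_dockerconfig "$key_file" > "$tmp" || { rm -f "$tmp"; return 1; }
  for ns in "$@"; do
    kubectl create secret generic gcr-json-key \
      --type=kubernetes.io/dockerconfigjson \
      --from-file=.dockerconfigjson="$tmp" \
      --namespace="$ns" || rc=1
  done
  rm -f "$tmp"
  return "$rc"
}

# Usage: ./pull-secret.sh /path/to/service-account.json e6-operator-system workspace-prod
if [ "$#" -ge 2 ]; then
  create_pull_secret "$@"
fi
```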
Step 5: Install CRDs
CRDs must be installed before the operator:
```bash
# Option 1: Using Helm chart (recommended)
helm install e6-operator-crds ./helm/e6-operator-crds \
  --namespace e6-operator-system
# Option 2: Direct kubectl apply
kubectl apply -f config/crd/bases/
```
Verify CRDs are installed:
Expected Output:
```text
catalogrefreshes.e6data.io          2024-XX-XX
catalogrefreshschedules.e6data.io   2024-XX-XX
e6catalogs.e6data.io                2024-XX-XX
governances.e6data.io               2024-XX-XX
greptimedbclusters.e6data.io        2024-XX-XX
metadataservices.e6data.io          2024-XX-XX
monitoringservices.e6data.io        2024-XX-XX
pools.e6data.io                     2024-XX-XX
queryservices.e6data.io             2024-XX-XX
```
Step 6: Install E6 Operator
Minimal Installation
```bash
# The imagePullSecrets[0] argument is quoted so the shell does not treat [0] as a glob
helm install e6-operator ./helm/e6-operator \
  --namespace e6-operator-system \
  --set image.repository=us-docker.pkg.dev/e6data-analytics/e6data/e6-operator \
  --set image.tag=1.0.201 \
  --set 'imagePullSecrets[0].name=gcr-json-key'
```
Using Values File (Recommended)
Create operator-values.yaml:
```yaml
image:
  repository: us-docker.pkg.dev/e6data-analytics/e6data/e6-operator
  tag: "1.0.201"
  pullPolicy: IfNotPresent
imagePullSecrets:
  - name: gcr-json-key
replicaCount: 1
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi
# Enable Karpenter integration (AWS only)
karpenter:
  enabled: false  # Set to true for AWS with Karpenter
# RBAC configuration
rbac:
  create: true
  extraRules: []  # Add additional permissions if needed
```
Install with values file:
```bash
helm install e6-operator ./helm/e6-operator \
  --namespace e6-operator-system \
  --values operator-values.yaml
```
Verify Installation
```bash
# Check operator pod
kubectl get pods -n e6-operator-system
# Check operator logs
kubectl logs -n e6-operator-system deployment/e6-operator --tail=50
# Verify webhooks are configured
kubectl get validatingwebhookconfigurations | grep e6
```
Cloud-Specific Configuration
For complete cloud IAM setup guides with step-by-step instructions, see the Prerequisites Guide.
AWS EKS
Prerequisites
- EKS cluster with OIDC provider configured
- IAM roles for service accounts (IRSA) or EKS Pod Identity
- Karpenter installed (optional, for dynamic node provisioning)
See Prerequisites Guide - AWS IRSA for detailed IAM setup.
Karpenter Tolerations
If using Karpenter with workspace taints, add tolerations:
```yaml
# operator-values.yaml
tolerations:
  - key: "e6data-workspace-name"
    operator: "Equal"
    value: "your-workspace"
    effect: "NoSchedule"
```
IRSA Configuration
Create an IAM role for the operator (if accessing AWS resources):
```bash
# Create the role from the trust policy for the operator service account
aws iam create-role \
  --role-name e6-operator-role \
  --assume-role-policy-document file://trust-policy.json
# Annotate service account
kubectl annotate serviceaccount e6-operator \
  --namespace e6-operator-system \
  eks.amazonaws.com/role-arn=arn:aws:iam::ACCOUNT:role/e6-operator-role
```
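The `trust-policy.json` referenced above is not shown on this page. The following added sketch (not e6data's own policy) generates one in the standard IRSA shape, pinned to a single service account such as `e6-operator` in `e6-operator-system`. The function name, the account ID and the issuer URL in the usage comment are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not e6data code. irsa_trust_policy is an illustrative name.
set -eu

# irsa_trust_policy ACCOUNT_ID OIDC_ISSUER_URL NAMESPACE SERVICE_ACCOUNT
# Prints a trust policy that lets exactly one service account assume the role.
irsa_trust_policy() {
  local account="$1" issuer="${2#https://}" ns="$3" sa="$4"
  # AWS account IDs are 12 digits; reject placeholders such as ACCOUNT.
  case "$account" in ''|*[!0-9]*) echo "account id must be numeric" >&2; return 1;; esac
  [ "${#account}" -eq 12 ] || { echo "account id must be 12 digits" >&2; return 1; }
  # Refuse wildcards: the policy uses StringEquals so the role is bound to one
  # namespace/service-account pair, not a pattern.
  case "$ns:$sa" in *'*'*|*'?'*) echo "wildcards not allowed" >&2; return 1;; esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account}:oidc-provider/${issuer}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${issuer}:sub": "system:serviceaccount:${ns}:${sa}",
          "${issuer}:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
EOF
}

# Usage (constructed values; take the issuer from your cluster's OIDC settings):
#   ./trust-policy.sh 111122223333 https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE \
#     e6-operator-system e6-operator > trust-policy.json
if [ "$#" -eq 4 ]; then
  irsa_trust_policy "$@"
fi
```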
Storage Classes
Use gp3 for EBS-backed PVCs:
GCP GKE
Prerequisites
- GKE cluster with Workload Identity configured
- GCS bucket for data storage
See Prerequisites Guide - GCP Workload Identity for detailed IAM setup.
Workload Identity
```bash
# Bind Kubernetes SA to GCP SA
gcloud iam service-accounts add-iam-policy-binding \
  SA@PROJECT.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT.svc.id.goog[NAMESPACE/e6-operator]"
# Annotate Kubernetes SA
kubectl annotate serviceaccount e6-operator \
  --namespace e6-operator-system \
  iam.gke.io/gcp-service-account=SA@PROJECT.iam.gserviceaccount.com
```
Storage Classes
Use standard-rwo for GCE Persistent Disk:
Linode LKE
Prerequisites
- Linode Object Storage bucket created
- Access Key and Secret Key for Object Storage
Key Differences from AWS
| Feature | AWS | Linode |
|---|---|---|
| Object Storage Auth | IRSA | Static credentials |
| S3 Endpoint | Not needed | Required (us-east-1.linodeobjects.com) |
| Storage Class | gp3 | linode-block-storage |
| Node Provisioning | Karpenter | Manual node pools |
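Static Credentials
Linode doesn't support IRSA, so use static credentials in your CRs. The keys are stored in plain text in the resource spec, so anyone with read access to these CRs can see them; restrict RBAC on those resources accordingly and keep the filled-in manifest out of version control:
```yaml
# In GreptimeDBCluster or other CRs
storage:
  useIRSA: false
  accessKeyId: "YOUR_ACCESS_KEY"
  secretAccessKey: "YOUR_SECRET_KEY"
  endpoint: "https://us-east-1.linodeobjects.com"
```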
Storage Classes
Azure AKS
Prerequisites
- AKS cluster with Azure AD Workload Identity
- Azure Blob Storage container
See Prerequisites Guide - Azure Workload Identity for detailed IAM setup.
Workload Identity
```bash
# Create federated credential
az identity federated-credential create \
  --name e6-operator-federated \
  --identity-name e6-operator-identity \
  --resource-group YOUR_RG \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject system:serviceaccount:e6-operator-system:e6-operator
```
Storage Classes
Use Azure Disk CSI driver:
Helm Values Reference
See Helm Values Reference for complete documentation of all configurable values.
Key Values
| Value | Description | Default |
|---|---|---|
| image.repository | Operator image repository | e6data/e6-operator |
| image.tag | Operator image tag | Chart appVersion |
| imagePullSecrets | Image pull secrets | [] |
| replicaCount | Number of operator replicas | 1 |
| resources | CPU/Memory limits and requests | See values.yaml |
| karpenter.enabled | Enable Karpenter RBAC | false |
| rbac.create | Create RBAC resources | true |
| rbac.extraRules | Additional RBAC rules | [] |
| webhook.enabled | Enable validation webhooks | true |
| webhook.certManager.enabled | Use cert-manager for TLS | true |
Upgrading
Upgrade Order
Always upgrade CRDs before the operator:
```bash
# 1. Upgrade CRDs
helm upgrade e6-operator-crds ./helm/e6-operator-crds \
  --namespace e6-operator-system
# 2. Upgrade operator
helm upgrade e6-operator ./helm/e6-operator \
  --namespace e6-operator-system \
  --values operator-values.yaml
```
Check Upgrade Status
```bash
# Watch operator rollout
kubectl rollout status deployment/e6-operator -n e6-operator-system
# Check operator logs for errors
kubectl logs -n e6-operator-system deployment/e6-operator --tail=100
```
Uninstalling
Safe Uninstall (Preserves CRs)
```bash
# Uninstall operator only
helm uninstall e6-operator --namespace e6-operator-system
# CRDs and custom resources remain intact
```
Complete Uninstall
Warning: This deletes all custom resources.
```bash
# 1. Delete all custom resources
kubectl delete metadataservices,queryservices,e6catalogs,pools --all -A
# 2. Uninstall operator
helm uninstall e6-operator --namespace e6-operator-system
# 3. Uninstall CRDs
helm uninstall e6-operator-crds --namespace e6-operator-system
# 4. Delete namespaces
kubectl delete namespace e6-operator-system
```
Verification Checklist
After installation, verify:
- [ ] cert-manager pods running in `cert-manager` namespace
- [ ] Operator pod running in `e6-operator-system` namespace
- [ ] All CRDs installed (`kubectl get crd | grep e6data`)
- [ ] Webhooks configured (`kubectl get validatingwebhookconfigurations`)
- [ ] Operator logs show no errors
- [ ] Test CR creation (see Quickstart in index.md)