Kubeapps

Install

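  1. Disable PSP enforcement. The binding below gives every authenticated user and service account the privileged pod security policy, so any workload in the cluster may run privileged: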

     kubectl create clusterrolebinding "psp:authenticated" --clusterrole=psp:vmware-system-privileged --group=system:authenticated
    
  2. Add Bitnami Helm Repo

     helm repo add bitnami https://charts.bitnami.com/bitnami
    
  3. Add Docker secret

     # Load environment variables first: source .envrc or direnv allow
     kubectl create secret docker-registry docker-hub --docker-username="${DOCKER_HUB_USERNAME}" \
         --docker-password="${DOCKER_HUB_PASSWORD}" \
         --docker-email="${DOCKER_HUB_EMAIL}" \
         --namespace=default
    
  4. After the secret has been created, we need to patch the default service account so it uses those credentials to install Kubeapps:

     kubectl patch serviceaccount default -p "{\"imagePullSecrets\": [{\"name\": \"docker-hub\"}]}"
    
  5. Alright, now we’re almost ready for installation. To keep things clean, we will install Kubeapps into its own namespace:

     kubectl create ns kubeapps
    
  6. We also have to give Kubeapps access to your Docker Hub credentials so it can pull down images and deploy applications on its own. All we need to do is create another secret using the same Docker Hub credentials in the Kubeapps namespace. To keep things simple, I even kept the same $SECRET name:

     kubectl create secret docker-registry docker-hub --docker-username="${DOCKER_HUB_USERNAME}" \
         --docker-password="${DOCKER_HUB_PASSWORD}" \
         --docker-email="${DOCKER_HUB_EMAIL}" \
         --namespace=kubeapps
    

    NOTE: If you need to troubleshoot, examine the output of your Kubernetes secret. Special characters need to be escaped:

     kubectl get secret docker-hub -o go-template='{{index .data ".dockerconfigjson" | base64decode}}{{"\n"}}'
    
  7. Now let’s install Kubeapps using Helm! For Tanzu Kubernetes Clusters, we are going to set two flags:

    • --set frontend.service.type=LoadBalancer is used to automatically get an IP from our HAProxy virtual appliance so we can access Kubeapps externally from the cluster.

    • --set global.imagePullSecrets={$SECRET} is used to apply our Docker Hub credentials. The curly braces are necessary because the value is passed as an array.

     export SECRET=docker-hub
     helm install kubeapps --namespace kubeapps bitnami/kubeapps --set frontend.service.type=LoadBalancer --set global.imagePullSecrets={$SECRET}
    
  8. After a few minutes, the images will be up and you can get the IP address to access Kubeapps using:

     kubectl get svc -n kubeapps
    

    Once you navigate to the IP address, you will have to get a token to access the page.

     export SERVICE_IP=$(kubectl get svc --namespace kubeapps kubeapps --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
     open http://$SERVICE_IP:80
    
  9. Login

    We recommend following the Kubeapps documentation on securing access control. As a way to quickly get started, create a serviceaccount and clusterrolebinding. This binding grants the account cluster-admin, so its token has full control of the cluster:

     kubectl create serviceaccount kubeapps-operator -n default
     kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
    

    Get the secret token for this service account with the command below, then paste the token into the Kubeapps page and log in:

     kubectl get secret $(kubectl get serviceaccount -n default kubeapps-operator -o jsonpath='{range .secrets[*]}{.name}{"\n"}{end}' | grep kubeapps-operator-token) -n default -o go-template='{{.data.token | base64decode}}' | pbcopy
    

    Now you can browse the catalog to see all the applications available!
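
Steps 1 and 9 leave two cluster-wide bindings behind: psp:authenticated and kubeapps-operator. The script below is an added example, not part of the original guide; it flags ClusterRoleBindings that grant cluster-admin or the privileged PSP role so they can be reviewed and removed once the lab is done. The function names, the tab-separated format and the HIGH/REVIEW labels are assumptions of this example, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: audit for the broad ClusterRoleBindings created in steps 1 and 9.
# Roles treated as high-privilege; both names are taken from this guide.
RISKY_ROLES="cluster-admin psp:vmware-system-privileged"

# list_bindings (helper name is this example's own): one tab-separated line per
# binding: name, roleRef.name, then "Kind:name," for every subject.
list_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name},{end}{"\n"}{end}'
}

# flag_risky: read list_bindings output on stdin and print
# severity, binding, role, subjects for every binding to a risky role.
flag_risky() {
  awk -F '\t' -v roles="$RISKY_ROLES" '
    BEGIN { n = split(roles, r, " "); for (i = 1; i <= n; i++) risky[r[i]] = 1 }
    # The built-in cluster-admin binding for system:masters is expected.
    $3 == "Group:system:masters," { next }
    ($2 in risky) {
      sev = "REVIEW"
      # Catch-all groups hand the role to every user or every service account.
      if ($3 ~ /(^|,)Group:system:(authenticated|unauthenticated|serviceaccounts),/) sev = "HIGH"
      subjects = $3
      sub(/,$/, "", subjects)
      printf "%s\t%s\t%s\t%s\n", sev, $1, $2, subjects
    }'
}

# Constructed sample rows in list_bindings format (not from a real cluster).
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup:system:masters,\n'
  printf 'psp:authenticated\tpsp:vmware-system-privileged\tGroup:system:authenticated,\n'
  printf 'kubeapps-operator\tcluster-admin\tServiceAccount:kubeapps-operator,\n'
  printf 'view-only\tview\tGroup:dev-team,\n'
}

# Pass --live to query the current cluster; otherwise run on the sample rows.
if [ "${1:-}" = "--live" ]; then
  list_bindings | flag_risky
else
  sample_bindings | flag_risky
fi
```

A flagged binding can be removed with kubectl delete clusterrolebinding followed by its name.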


This project is for educational and home lab purposes.