Install Kuadrant on a Kubernetes cluster

Note

You must perform these steps on each Kubernetes cluster where you want to use Kuadrant.

Prerequisites

• Access to a Kubernetes cluster, with kubeadmin or an account with similar permissions
• cert-manager installed

Procedure

This guide will show you how to install Kuadrant onto a bare Kubernetes cluster.

Alternatively, if you are looking instead for a way to set up Kuadrant locally to evaluate or develop, consider running the kind & Kubernetes quickstart script.

Install Gateway API

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml

Install OLM

Note

Currently, we recommend installing our operator via OLM. We plan to support Helm soon.

curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.28.0/install.sh | bash -s v0.28.0

(Optional) Install Istio as a Gateway API provider

Note

Skip this step if planing to use Envoy Gateway as Gateway API provider

Note

There are several ways to install Istio (via istioctl, Helm chart or Operator) - this is just an example for starting from a bare Kubernetes cluster.

curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.5 sh -
./istio-1.22.5/bin/istioctl install --set profile=minimal
./istio-1.22.5/bin/istioctl operator init
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/config/dependencies/istio/istio-operator.yaml

(Optional) Install Envoy Gateway as a Gateway API provider

Note

Skip this step if planing to use Istio as Gateway API provider

Note

There are several ways to install Envoy Gateway (via egctl, Helm chart or Kubernetes yaml) - this is just an example for starting from a bare Kubernetes cluster.

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system --create-namespace

Kuadrant relies on the Envoy Gateway patch policy feature to function correctly - enable the EnvoyPatchPolicy feature like so:

TMP=$(mktemp -d)
kubectl get configmap -n envoy-gateway-system envoy-gateway-config -o jsonpath='{.data.envoy-gateway\.yaml}' > ${TMP}/envoy-gateway.yaml
yq e '.extensionApis.enableEnvoyPatchPolicy = true' -i ${TMP}/envoy-gateway.yaml
kubectl create configmap -n envoy-gateway-system envoy-gateway-config --from-file=envoy-gateway.yaml=${TMP}/envoy-gateway.yaml -o yaml --dry-run=client | kubectl replace -f -
kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system

Wait for Envoy Gateway to become available:

kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available

Install Kuadrant

kubectl create -f https://operatorhub.io/install/kuadrant-operator.yaml
kubectl get crd --watch | grep -m 1 "kuadrants.kuadrant.io"

Request a Kuadrant instance

kubectl create namespace kuadrant-system
kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF

Kuadrant should now install. You can check the operator's install status with:

kubectl wait --for=jsonpath='{.status.state}'=AtLatestKnown subscription/my-kuadrant-operator -n operators --timeout=600s

Kuadrant is now ready to use.

(Optional) DNSPolicy setup

If you plan to use DNSPolicy, this doc uses an AWS Account with access to Route 53. There are other providers that you can also use for DNS integration:

DNS Providers

Export the following environment variables for setup:

export AWS_ACCESS_KEY_ID=xxxxxxx # Key ID from AWS with Route 53 access
export AWS_SECRET_ACCESS_KEY=xxxxxxx # Access key from AWS with Route 53 access

Create an AWS credentials secret:

kubectl -n kuadrant-system create secret generic aws-credentials \
  --type=kuadrant.io/aws \
  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY

(Optional) Multi-cluster RateLimitPolicy

To enable RateLimitPolicy to use shared, multi-cluster counters for Kuadrant's Limitador component, you need to configure Kuadrant with a Redis cluster URL. Redis URIs can be either redis:// for standard connections or rediss:// for secure connections.

Follow these steps to create the necessary secret:

1. Replace some-redis.com:6379 with the URL of your accessible Redis cluster. Ensure you include the appropriate URI scheme (redis:// or rediss://).

2. Execute the following commands:

   # Replace this with an accessible Redis cluster URL
   export REDIS_URL=redis://user:xxxxxx@some-redis.com:6379
   

3. Create the secret:

   kubectl -n kuadrant-system create secret generic redis-config \
     --from-literal=URL=$REDIS_URL
   

This will create a secret named redis-config in the kuadrant-system namespace containing your Redis cluster URL, which Kuadrant will use for multi-cluster rate limiting.

You'll also need to update the Limitador instance (the component that handles rate limiting) to reconfigure Kuadrant to use Redis:

kubectl patch limitador limitador --type=merge -n kuadrant-system -p '
spec:
  storage:
    redis:
      configSecretRef:
        name: redis-config
'

kubectl wait limitador/limitador -n kuadrant-system --for="condition=Ready=true"

Metal LB (local setup)

If you are using a local kind cluster, we recommend using metallb to allow the service type loadbalancer to be used with your gateways and an IP to be assigned to your gateway address rather than an internal service name.

Next Steps

• Secure, protect, and connect APIs with Kuadrant on Kubernetes