
VerteX Management Appliance

tech preview

This is a Tech Preview feature and is subject to change. Upgrades from a Tech Preview deployment may not be available. Do not use this feature in production workloads.

The VerteX Management Appliance is downloadable as an ISO file and is a solution for installing Palette VerteX on your infrastructure. The ISO file contains all the necessary components needed for Palette to function. The ISO file is used to boot the nodes, which are then clustered to form a Palette management cluster.

Once Palette VerteX has been installed, you can download pack bundles and upload them to the internal Zot registry or an external registry. These pack bundles are used to create your cluster profiles. You will then be able to deploy clusters in your environment.

There is an additional option to download and install the Third Party packs that provide complementary functionality to Palette VerteX. These packs are not required for Palette VerteX to function, but they do provide additional features and capabilities as described in the following table.

Feature | Included with Palette Third Party Pack | Included with Palette Third Party Conformance Pack
Backup and Restore
Configuration Security
Penetration Testing
Software Bill Of Materials (SBOM) scanning
Conformance Testing

Architecture

The ISO file is built with the Operating System (OS), Kubernetes distribution, Container Network Interface (CNI), and Container Storage Interface (CSI). A Zot registry is also included in the Appliance Framework ISO. Zot is a lightweight, OCI-compliant container image registry that is used to store the Palette packs needed to create cluster profiles.

This solution is designed to be immutable, secure, and compliant with industry standards, such as the Federal Information Processing Standards (FIPS). The following table displays the infrastructure profile for the Palette VerteX appliance.

Layer | Component | Version | FIPS-compliant
OS | Ubuntu: Immutable Kairos | 20.04
Kubernetes | Palette eXtended Kubernetes Edge (PXK-E) | 1.32.3
CNI | Calico | 3.29.2
CSI | Piraeus | 2.8.1
Registry | Zot | 0.1.67

Supported Platforms

The VerteX Management Appliance can be used on the following infrastructure platforms:

  • VMware vSphere
  • Bare Metal
  • Machine as a Service (MAAS)

Limitations

  • Only public image registries are supported if you are choosing to use an external registry for your pack bundles.

Installation Steps

Follow the instructions to install Palette VerteX using the VerteX Management Appliance on your infrastructure platform.

Prerequisites

  • Access to the Artifact Studio to download the Palette VerteX ISO.

  • A minimum of three nodes must be provisioned in advance for the Palette installation. We recommend the following resources for each node. Refer to the Palette Size Guidelines for additional sizing information.

    • 8 CPUs per node.

    • 16 GB memory per node.

    • Two disks per node.

      • The first disk must be at least 250 GB and is used for the ISO stack.

      • The second disk must be at least 500 GB and is used for the storage pool.

      tip

      The largest drive is automatically selected for the ISO stack. Therefore, it is recommended that the first disk has more storage than the second disk.

  • The following network ports must be accessible on each node for Palette to operate successfully.

    • TCP/443: Must be open between all Palette nodes and accessible for user connections to the Palette management cluster.

    • TCP/6443: Outbound traffic from the Palette management cluster to the deployed cluster's Kubernetes API server.

  • SSH access must be available to the nodes used for Palette installation.

  • Relevant permissions to install Palette on the nodes, including permission to attach or mount an ISO and set nodes to boot from it.

    warning

    The ISO is only supported on Unified Extensible Firmware Interface (UEFI) systems. Ensure you configured the nodes to boot from the ISO in UEFI mode.

  • You can choose to use either an internal Zot registry that comes with Palette or an external registry of your choice. If using an external registry, you will need to provide the following information during the Palette installation process.

    • The DNS/IP endpoint and port for the external registry.
      • Ensure the nodes used to host the Palette management cluster have network access to the external registry server.
    • The username for the registry.
    • The password for the registry.
    • (Optional) The Certificate Authority (CA) certificate that was used to sign the external registry certificate in Base64 format.

    How to get Base64 encoded entries for a certificate

    You can get the Base64 encoded entry from your certificate by using the following command. Replace <certificate-file> with the filename of your certificate file.

    base64 --wrap 0 <certificate-file>
  • If you have an Ubuntu Pro subscription, you can provide the Ubuntu Pro token during the Palette installation process. This is optional but recommended for security and compliance purposes.

  • A virtual IP address (VIP) must be available for the Palette management cluster. This is assigned during the Palette installation process and is used for load balancing and high availability. The VIP must be accessible to all nodes in the Palette management cluster.

    How to discover free IPs in your environment

    You can discover free IPs in your environment by using a tool like arping or nmap. For example, you can issue the following command to probe a CIDR block for free IP addresses.

    nmap --unprivileged -sT -Pn 10.10.200.0/24

    This command will scan the CIDR block and output any hosts it finds.

    Example nmap output
    Nmap scan report for test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2)
    Host is up.
    All 1000 scanned ports on test-worker-pool-cluster2-6655ab7a-tyuio.company.dev (10.10.200.2) are in ignored states.
    Not shown: 1000 filtered tcp ports (no-response)

    For any free IP addresses, you can use arping to double-check if the IP is available.

    Example arping command
    arping -D -c 4 10.10.200.101
    Example arping output
    ARPING 10.10.200.101 from 0.0.0.0 ens103
    Sent 4 probes (4 broadcast(s))
    Received 0 response(s)

    If you receive no responses like the example output above, the IP address is likely free.
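The following pre-flight check is an added example, not part of the original guide or of the product's own tooling. It validates the values you plan to enter against constraints this page states: at least three nodes, replica counts of 1 or 3 that match, a mandatory registry password, and a CA certificate encoded as single-line Base64. The plan dictionary and its key names are hypothetical, all sample values are constructed, and three checks are assumptions rather than page requirements: the certificate file is PEM, the VIP comes from the node subnet, and the pod, service, and node networks must not overlap (general Kubernetes networking practice).

```python
"""Pre-flight check of planned appliance settings (added example, hypothetical keys)."""
import base64
import binascii
import ipaddress

MIN_NODES = 3              # "A minimum of three nodes" (Prerequisites)
ALLOWED_REPLICAS = (1, 3)  # accepted CSI Placement Count / Mongo Replicas values

# Constructed stand-in for a PEM CA certificate; the body is not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
GOOD_CA = base64.b64encode(SAMPLE_PEM).decode()       # like `base64 --wrap 0`
WRAPPED_CA = base64.encodebytes(SAMPLE_PEM).decode()  # like `base64` with line wrapping
NOT_A_CERT = base64.b64encode(b"constructed non-certificate bytes").decode()

# Constructed plan; key names are hypothetical and exist only in this example.
GOOD_PLAN = {
    "node_ips": ["10.10.200.11", "10.10.200.12", "10.10.200.13"],
    "node_cidr": "10.10.200.0/24",
    "vip": "10.10.200.101",
    "pod_cidr": "100.64.0.0/18",
    "service_cidr": "100.64.64.0/18",
    "csi_placement_count": 3,
    "mongo_replicas": 3,
    "in_cluster_registry": True,
    "registry_endpoint": "",
    "registry_username": "admin",
    "registry_password": "constructed-example-only",
    "registry_ca_cert_b64": "",
}


def check_ca_cert_b64(value):
    """Return an error string, or None if value is single-line Base64 of a PEM cert."""
    try:
        # validate=True rejects newlines, so line-wrapped base64 output fails here.
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "CA cert is not single-line Base64 (was --wrap 0 omitted?)"
    # Assumption: the certificate file is PEM; a DER file needs a different check.
    if not decoded.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "CA cert does not decode to a PEM certificate"
    if b"-----END CERTIFICATE-----" not in decoded:
        return "CA cert PEM block is truncated"
    return None


def validate_plan(plan):
    """Return a list of problems in the planned settings; an empty list means OK."""
    errors = []
    nodes = [ipaddress.ip_address(ip) for ip in plan["node_ips"]]
    vip = ipaddress.ip_address(plan["vip"])
    node_net = ipaddress.ip_network(plan["node_cidr"])
    pod_net = ipaddress.ip_network(plan["pod_cidr"])
    svc_net = ipaddress.ip_network(plan["service_cidr"])

    if len(set(nodes)) < MIN_NODES:
        errors.append("fewer than three distinct nodes")
    if vip in nodes:
        errors.append("VIP is already assigned to a node")
    # Assumption: the VIP is taken from the node subnet, as in the arping check.
    if vip not in node_net:
        errors.append("VIP is outside the node subnet")
    # General Kubernetes networking practice, not a requirement stated on this page.
    if pod_net.overlaps(svc_net):
        errors.append("Pod CIDR overlaps Service CIDR")
    for name, net in (("Pod", pod_net), ("Service", svc_net)):
        if net.overlaps(node_net):
            errors.append(f"{name} CIDR overlaps the node subnet")

    csi, mongo = plan["csi_placement_count"], plan["mongo_replicas"]
    if csi not in ALLOWED_REPLICAS or mongo not in ALLOWED_REPLICAS:
        errors.append("CSI Placement Count and Mongo Replicas must be 1 or 3")
    elif csi != mongo:
        errors.append("CSI Placement Count must match Mongo Replicas")

    if not plan.get("registry_password"):
        errors.append("OCI Pack Registry Password has no default and must be set")
    if not plan["in_cluster_registry"]:
        if not plan.get("registry_endpoint"):
            errors.append("external registry needs a DNS/IP endpoint")
        if not plan.get("registry_username"):
            errors.append("external registry needs a username")
        ca_cert = plan.get("registry_ca_cert_b64")
        if ca_cert:
            problem = check_ca_cert_b64(ca_cert)
            if problem:
                errors.append(problem)
    return errors


if __name__ == "__main__":
    bad = dict(GOOD_PLAN, vip="10.10.200.11", mongo_replicas=1,
               in_cluster_registry=False, registry_ca_cert_b64=WRAPPED_CA)
    for label, plan in (("good plan", GOOD_PLAN), ("bad plan", bad)):
        print(label, "->", validate_plan(plan) or "OK")
```
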

Install Palette VerteX

  1. Download the Palette VerteX ISO from the Artifact Studio. Refer to the Artifact Studio guide for instructions on how to access and download the ISO.

  2. Upload the ISO to your infrastructure provider. This can be done using the web interface of your infrastructure provider or using command-line tools.

    • For VMware vSphere, you can upload the ISO to a datastore using the vSphere Client or the govc CLI tool. Refer to the vSphere or govc documentation for more information.
    • For Bare Metal, you can use tools like scp or rsync to transfer the ISO to the nodes, or use a USB drive to boot the nodes from the ISO.
    • For Machine as a Service (MAAS), you can upload and deploy ISOs using Packer. Refer to the MAAS documentation for more information.

    Ensure that the ISO is accessible to all nodes that will be part of the Palette VerteX management cluster.

  3. Boot each node from the ISO to install the necessary software for Palette VerteX. The installation process will automatically configure the nodes with the required components, including the operating system, Kubernetes, CNI, and CSI.

  4. Once the nodes have booted from the ISO, they will automatically start the installation process. The GRand Unified Bootloader (GRUB) screen may be displayed with selectable options; this should be ignored as the installation will proceed automatically.

    Wait for the installation process to complete. This will take at least 15 minutes, depending on the resources available on the nodes. After completion, the nodes will reboot and display the Palette Terminal User Interface (TUI).

  5. In the Palette TUI, provide credentials for the initial account. This account will be used to log in to Local UI and for SSH access to the node.

    Field | Description
    Username | Provide a username to use for the account.
    Password | Enter a password for the account.
    Confirm Password | Re-enter the password for confirmation.

    Press ENTER to continue.

  6. In the Palette TUI, the available configuration options are displayed and are described in the next three steps. Use the TAB key or the up and down arrow keys to switch between fields. When you make a change, press ENTER to apply the change. Use ESC to go back.

  7. In Hostname, check the existing hostname and, optionally, change it to a new one.

  8. In Host Network Adapters, select a network adapter you would like to configure. By default, the network adapters request an IP automatically from the Dynamic Host Configuration Protocol (DHCP) server. The CIDR block of an adapter's possible IP address is displayed in the Host Network Adapters screen without selecting an individual adapter.

    In the configuration page for each adapter, you can change the IP addressing scheme of the adapter and choose a static IP instead of DHCP. In Static IP mode, you will need to provide a static IP address and subnet mask, as well as the address of the default gateway. Specifying a static IP will remove the existing DHCP settings.

    You can also specify the Maximum Transmission Unit (MTU) for your network adapter. The MTU defines the largest size, in bytes, of a packet that can be sent over a network interface without needing to be fragmented.

  9. In DNS Configuration, specify the IP address of the primary and alternate name servers. You can optionally specify a search domain.

  10. After you are satisfied with the configurations, navigate to Quit and press ENTER to finish the configuration. Press ENTER again on the confirmation prompt.

    After a few seconds, the terminal displays the Device Info and prompts you to provision the device through Local UI.

    tip

    If you need to access the Palette TUI again, issue the palette-tui command in the terminal.

  11. Ensure you complete the configuration on each node before proceeding to the next step.

  12. Decide on the host that you plan to use as the leader of the group. Refer to Link Hosts for more information about leader hosts.

  13. Access the Local UI of the leader host. Local UI is used to manage the Palette VerteX nodes and perform administrative tasks. It provides a web-based interface for managing the Palette VerteX management cluster.

    In your web browser, go to https://<node-ip>:5080. Replace <node-ip> with the IP address of your node. If you have changed the default port of the console, replace 5080 with the Local UI port. The address of the Local UI console is also displayed on the terminal screen of the node.

    If you are accessing Local UI for the first time, a security warning may be displayed in your web browser. This is because Local UI uses a self-signed certificate. You can safely ignore this warning and proceed to Local UI.

  14. Log in to Local UI using the credentials you provided in step 5.

  15. (Optional) If you need to configure an HTTP proxy server for the node, follow the steps in the Configure HTTP-Proxy in Local UI guide. When done, proceed to the next step.

  16. From the left main menu, click Linked Edge Hosts.

  17. Click Generate token. The host begins generating tokens that you will use to link this host with other hosts. The Base64 encoded token contains the IP address of the host, as well as an OTP that will expire in two minutes. Once a token expires, the leader generates another token automatically.

  18. Click the Copy button to copy the token.

  19. Log in to Local UI on the host that you want to link to the leader host.

  20. From the left main menu, click Linked Edge Hosts.

  21. Click Link this device to another.

  22. In the pop-up box that appears, enter the token you copied from the leader host.

  23. Click Confirm.

  24. Repeat steps 19-23 for every host you want to link to the leader host.

  25. Confirm that all linked hosts appear in the Linked Edge Hosts table. The following columns should show the required statuses.

    Column | Status
    Status | Ready
    Content | Synced
    Health | Healthy

    Content synchronization will take at least five minutes to complete, depending on your network resources.

  26. On the left main menu, click Cluster.

  27. Click Create cluster.

  28. For Basic Information, provide a name for the cluster and optional tags in key:value format.

  29. In Cluster Profile, the Imported Applications preview section displays the applications that are included with the VerteX Management Appliance. These applications are pre-configured and used to deploy your Palette VerteX management cluster.

    Leave the default options in place and click Next.

  30. In Profile Config, configure the cluster profile settings to your requirements. Review the following tables for the available options.

    Cluster Profile Options

    Option | Description | Type | Default
    Pod CIDR | The CIDR range for the pod network. This is used to allocate IP addresses to pods in the cluster. | CIDR notation | 100.64.0.0/18
    Service CIDR | The CIDR range for the service network. This is used to allocate IP addresses to services in the cluster. | CIDR notation | 100.64.64.0/18
    Ubuntu Pro Token (Optional) | The token for your Ubuntu Pro subscription. | String | No default
    Storage Pool Drive (Optional) | The storage pool device to use for the cluster. As mentioned in the Prerequisites, assign this to your second storage device. | String | /dev/sdb
    CSI Placement Count | The number of replicas for the Container Storage Interface (CSI) Persistent Volumes (PVs). The accepted values are 1 or 3. We recommend using 3 to provide high availability for the CSI volumes. This value must match the MongoDB Replicas value. | Integer | 3

    Registry Options

    Option | Description | Type | Default
    In Cluster Registry (Optional) | True: Use internal Zot registry. False: Use external registry. | Boolean | True
    Registry Endpoint | The DNS/IP endpoint for the registry. Leave the default entry if using the internal Zot registry, which is a virtual IP address assigned by kube-vip. Adjust if using an external registry. | String | {{.spectro.system.cluster.kubevip}}
    Registry Port | The port for the registry. The default value can be changed for the internal Zot registry. Adjust if using an external registry. | Integer | 30003
    OCI Registry Base Content Path (Optional) | The base path for the registry content for the internal or external registry. Palette VerteX packs will be stored in this directory. | String | spectro-content
    OCI Pack Registry Username | If using the internal Zot registry, leave the default username or adjust to your requirements. If using an external registry, provide the appropriate username. | String | admin
    OCI Pack Registry Password | If using the internal Zot registry, enter a password to your requirements. If using an external registry, provide the appropriate password. | String | No default - must be provided.
    OCI Registry Storage Size (GiB) (Optional) | The size of the storage for the OCI registry. This is used to store the images and packs in the registry. The default value is set to 100 GiB, but this should be increased to at least 250 GiB for production environments. | Integer | 100
    OCI Pack Registry Ca Cert (Optional) | Internal Zot registry: Not required. External registry: The CA certificate that was used to sign the external registry certificate. | Base64 encoded string | No default
    Image Replacement Rules (Optional) | Set rules for replacing image references when using an external registry. For example, all: oci-registry-ip:oci-registry-port/spectro-content. Leave empty if using the internal Zot registry. | String | No default
    Root Domain (Optional) | The root domain for the registry. The default is set for the internal Zot registry, which is a virtual IP address assigned by kube-vip. If using an external registry, adjust this to the appropriate domain. | String | {{.spectro.system.cluster.kubevip}}
    Mongo Replicas | The number of MongoDB replicas to create for the cluster. The accepted values are 1 or 3. We recommend using 3 to provide high availability for the MongoDB database. This value must match the CSI Placement Count value. | Integer | 3

  31. Click Next when you are done.

  32. In Cluster Config, configure the following options.

    Cluster Config Options

    Option | Description | Type | Default
    Network Time Protocol (NTP) (Optional) | The NTP servers to synchronize time within the cluster. | String | No default
    SSH Keys (Optional) | The public SSH keys to access the cluster nodes. Add additional keys by clicking Add Item. | String | No default
    Virtual IP Address (VIP) | The virtual IP address for the cluster. This is used for load balancing and high availability. | String | No default

    Click Next when you are done.

  33. In Node Config, configure the following options.

    important

    We recommend having at least three control plane nodes for high availability. You can remove the worker node pool as it is not required for the Palette VerteX management cluster. If doing this, ensure that the Allow worker capability option is enabled for the control plane node pool.

    Node Pool Options

    Option | Description | Type | Default
    Node pool name | The name of the control plane node pool. This will be used to identify the node pool in Palette VerteX. | String | control-plane-pool
    Allow worker capability (Optional) | Whether to allow workloads to be scheduled on this control plane node pool. Ensure that this is enabled if no worker pool is assigned to the cluster. | Boolean | True
    Additional Kubernetes Node Labels (Optional) | Tags for the node pool in key:value format. These tags can be used to filter and search for node pools in Palette VerteX. | String | No default
    Taints | Taints for the node pool in key=value:effect format. Taints are used to prevent pods from being scheduled on the nodes in this pool unless they tolerate the taint. | Key = string; Value = string; Effect = string (enum) | No default

    Pool Configuration

    The following options are available for both the control plane and worker node pools. You can configure these options to your requirements. You can also remove worker pools if not needed.

    Option | Description | Type | Default
    Architecture | The CPU architecture of the nodes. This is used to ensure compatibility with the applications operating on the nodes. | String (enum) | amd64
    Add Edge Hosts | Click Add Item and select the other hosts that you installed using the VerteX Management Appliance ISO. These hosts will be added to the node pool. Each pool must contain at least one node. | N/A | Control Plane Pool = Current host selected; Worker Pool = No host selected
    NIC Name | The name of the network interface card (NIC) to use for the nodes. Leave on Auto to let the system choose the appropriate NIC, or select one manually from the drop-down menu. | N/A | Auto
    Host Name (Optional) | The hostname for the nodes. This is used to identify the nodes in the cluster. A generated hostname is provided automatically, which you can adjust to your requirements. | String | edge-*

  34. Click Next when you are done.

  35. In Review, check that your configuration is correct. If you need to make changes, click on any of the sections in the left sidebar to go back and edit the configuration.

    When you are satisfied with your configuration, click Deploy Cluster. This will start the cluster creation process.

    The cluster creation process will take 20 to 30 minutes to complete. You can monitor progress from the Overview tab on the Cluster page in the left main menu. The cluster is fully provisioned when the status changes to Running and the health status is Healthy.

  36. Once the cluster is provisioned, access the Palette VerteX system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to https://<vip-address>/system. Replace <vip-address> with the VIP you configured for the cluster.

    The first time you visit the system console, a warning message about an untrusted TLS certificate may appear. This is expected, as you have not yet uploaded your TLS certificate. You can ignore this warning message and proceed.

  37. You will be prompted to log in to Palette VerteX system console. Use admin as the username and admin as the password. You will be prompted to change the password after logging in.

  38. In the Account Info window, provide the following information.

    Field | Description
    Email address | This is used for notifications and password recovery as well as logging in to the Palette VerteX system console. This will not be active until you configure SMTP settings in Palette VerteX system console and verify your email address.
    Current password | Use admin as the current password.
    New password | Enter a new password for the account.
    Confirm new password | Re-enter the new password for confirmation.

    Refer to Password Requirements and Security to learn about password requirements.

After logging in, a summary page is displayed. You now have access to the Palette VerteX system console, where you can manage your Palette VerteX environment.

If you are accessing the Palette VerteX system console for the first time, a security warning may be displayed in your web browser. This is because Palette VerteX is configured with a self-signed certificate. You can replace the self-signed certificate with your own SSL certificates as guided later in Next Steps.

warning

If your installation is not successful, verify that the piraeus-operator pack was correctly installed. For more information, refer to the Self-Hosted Installation - Troubleshooting guide.

Validate

  1. Log in to the Local UI of the leader host using the URL https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host. If you have changed the default port of the console, replace 5080 with the Local UI port.

  2. In Local UI, click on Cluster in the left main menu.

  3. Check that the cluster status is Running and the health status is Healthy. In the Applications section on this page, the listed applications should be in the Running state.

  4. Log in to the Palette VerteX system console using the virtual IP address (VIP) you configured earlier. Open your web browser and go to https://<vip-address>/system. Replace <vip-address> with the VIP you configured for the cluster.

  5. On the login page, use admin as the username and the new password you set during the initial login.

  6. On the Summary page, check that the On-prem system console is healthy message is displayed.

Upload Packs to Palette VerteX

Follow the instructions to upload packs to your Palette VerteX instance. Packs are used to create cluster profiles and deploy workload clusters in your environment.

info

If you are intending to upgrade Palette VerteX using a content bundle, you must upload the bundle to the internal Zot registry using Local UI. This is regardless of whether you are using an external registry or the internal Zot registry for your pack bundles.

Prerequisites

  • Access to the Artifact Studio to download the Palette VerteX pack bundles.

  • Access to your registry depending on the registry type you chose to use for Palette VerteX.

    • If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette VerteX management cluster. Also, verify that your local machine can access the Local UI, as airgapped environments may have strict network policies preventing direct access.

    • If using an external registry, ensure your local machine has access to the external registry server and you have the necessary permissions to push images to the registry.

  • (Optional) The Palette CLI installed on your local machine if you prefer to use the command line for uploading packs. Refer to the Palette CLI guide for installation instructions.

Upload Packs

  1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

  2. Select the Palette VerteX Appliance product on the Product selection step and build your pack bundles by following the prompts in the Artifact Studio.

    Refer to the Artifact Studio guide for detailed guidance on how to build pack bundles and verify the integrity of the downloaded files.

  3. Download the pack bundles to your local machine. Each pack is downloaded in .zst format.

  4. Log in to the Local UI of the leader host of the Palette VerteX management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

  5. From the left main menu, click Content.

  6. Click Actions in the top right and select Upload Content from the drop-down menu.

  7. Click the upload icon to open the file selection dialog and select the downloaded pack ZST files from your local machine. You can select multiple files at once. Alternatively, you can drag and drop the files into the upload area.

    The upload process starts automatically once the files are selected. You can monitor the upload progress in the Upload Content dialog.

    Wait for the Upload Successful confirmation message to appear.

  8. Log in to the Palette VerteX system console.

  9. From the left main menu, select Administration, and then select the Pack Registries tab.

  10. Select the three-dot menu for the OCI Pack Registry and click Sync.

Validate

  1. Log in to the Local UI of the leader host of the Palette VerteX management cluster.

  2. From the left main menu, click Content.

  3. Enter the filename of the uploaded pack in the Filter by name search bar. The pack should appear in the table below. You can repeat this step for each pack you uploaded.

(Optional) Upload Third Party Packs

Follow the instructions to upload the Third Party packs to your Palette VerteX instance. The Third Party packs contain additional functionality and capabilities that enhance the Palette VerteX experience, such as backup and restore, configuration scanning, penetration scanning, SBOM scanning, and conformance scanning.

Prerequisites

  • Access to the Artifact Studio to download the Third Party packs.

  • Access to your registry depending on the registry type you chose to use for Palette VerteX.

    • If using the internal Zot registry, ensure you have access to the Local UI of the leader node of the Palette VerteX management cluster. Also, verify that your local machine can access the Local UI, as airgapped environments may have strict network policies preventing direct access.

    • If using an external registry, ensure your local machine has access to the external registry server and you have the necessary permissions to push images to the registry.

  • (Optional) The Palette CLI installed on your local machine if you prefer to use the command line for uploading packs. Refer to the Palette CLI guide for installation instructions.

Upload Packs

  1. Navigate to the Artifact Studio through a web browser, and under Create pack bundle, select Build bundle.

  2. Select the Palette VerteX Appliance product on the Product selection step and select your current version on the Version selection step.

  3. On the Use case step, select the Add-on only option.

  4. On the Configure bundle step, enter Palette Third Party in the Search packs field and click Search. Alternatively, you can find the packs in the thirdparty category.

    Click the checkbox next to the Palette Third Party and Palette Third Party Conformance packs to select them, and click Next Step.

  5. On the Review and download step, click the I'm not a robot reCAPTCHA checkbox, and then click the Download bundle button to begin the download. Alternatively, you can click the Copy all URLs button to copy the download URLs to your clipboard.

    Wait until the packs have been downloaded to your local machine. The packs are downloaded in .zst format alongside a signature file in sig.bin format.

    tip

    Refer to the Artifact Studio guide for detailed guidance on how to verify the integrity of the downloaded files using the provided signature file.

  6. Log in to the Local UI of the leader host of the Palette VerteX management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

  7. From the left main menu, click Content.

  8. Click Actions in the top right and select Upload Content from the drop-down menu.

  9. Click the upload icon to open the file selection dialog and select the Third Party ZST files from your local machine. Alternatively, you can drag and drop the files into the upload area.

    The upload process starts automatically once the files are selected. You can monitor the upload progress in the Upload Content dialog.

    Wait for the Upload Successful confirmation message to appear.

  10. Log in to the Palette VerteX system console.

  11. From the left main menu, select Administration, and then select the Pack Registries tab.

  12. Select the three-dot menu for the OCI Pack Registry and click Sync.

Validate

  1. Log in to the Local UI of the leader host of the Palette VerteX management cluster. By default, Local UI is accessible at https://<node-ip>:5080. Replace <node-ip> with the IP address of the leader host.

  2. From the left main menu, click Content.

  3. Enter the filename of each Third Party pack in the Filter by name search bar. The packs should appear in the table.

Next Steps

The following actions are recommended after installing Palette VerteX to ensure your environment is ready for use:

  • Assign your SSL certificates to Palette VerteX. Palette VerteX is installed with a self-signed SSL certificate. To assign a different SSL certificate, upload the certificate, key, and certificate authority files to Palette VerteX. You can upload the files using the system console. Refer to the Configure HTTPS Encryption page for instructions on how to upload the SSL certificate files to Palette VerteX.

  • Create a tenant in Palette VerteX to host your users. Refer to the Create a Tenant guide for instructions on how to create a tenant in Palette VerteX.

  • Activate your Palette VerteX installation before the trial mode expires. Refer to the Activate Installation guide for instructions on how to activate your installation.

  • Create additional system administrator accounts and assign roles to users in the system console. Refer to the Account Management guide for instructions on how to manage user accounts and roles in Palette VerteX.

  • Configure SMTP settings to enable email notifications and password recovery. Refer to the Configure SMTP Settings guide for instructions on how to configure SMTP settings in Palette VerteX.

For all system management options in Palette VerteX, refer to the System Management guide.