Common Installation
These steps are common across on-line, air-gapped, existing cluster or embedded cluster setups.
Connect to Kotsadmin
Visit the address shown in the kotsadmin output. The initial screen explains that the UI is secured with a self-signed TLS certificate by default.
Click on the button or the link to proceed.
You will be asked whether to keep the default self-signed TLS certificate or provide your own.
kotsadmin UI TLS (optional)
If you choose to upload your own certificate and key pair, ensure both are in PEM format.
Use the password shown in the kotsadmin output, or the one you set, to log in.
Upload license
Upload the license you downloaded from the Customer Download Portal.
kots Credo AI Application (air gap only)
If you selected the air-gapped installation, you will see a screen where you can upload the air gap bundle that was downloaded from the Customer Download Portal.
Even if you selected the air-gapped installation, you can still install from the internet if your environment has an outbound connection.
Configure and Deploy Credo AI
Once you have configured kotsadmin with TLS settings and your license, and added the credoai application, you will be directed to the credoai application page.
Configuration
The Credo AI application configuration screen shows by default before any deployments have been issued.
Tenant
Enter a tenant slug and environment. This tenant name will be used later in the Tenant Initialization section below.
The slugs accepted by the Credo AI application must follow these requirements:
- All lower-case alphanumeric
- Cannot start or end with underscore
- Maximum two (2) underscores
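The slug rules above, implemented as a small validator so they can be checked before the value is entered in the configuration screen. This is an added example, not code from the Credo AI installer; it assumes "alphanumeric" means ASCII letters and digits, with underscore as the only separator.

```python
import string

# Allowed characters per the slug rules above. Assumption: "alphanumeric" means
# ASCII letters and digits, with underscore as the only separator character.
_ALLOWED = set(string.ascii_lowercase + string.digits + "_")

def validate_tenant_slug(slug: str) -> list[str]:
    """Return the rule violations for a tenant slug; an empty list means it is valid."""
    problems = []
    if not slug:
        return ["slug is empty"]
    bad = sorted({c for c in slug if c not in _ALLOWED})
    if bad:
        problems.append("only lower-case letters, digits and underscores are allowed; "
                        f"found {''.join(bad)!r}")
    if slug[0] == "_" or slug[-1] == "_":
        problems.append("cannot start or end with an underscore")
    if slug.count("_") > 2:
        problems.append(f"at most two underscores are allowed; found {slug.count('_')}")
    return problems

def is_valid_tenant_slug(slug: str) -> bool:
    """Convenience wrapper used when only a yes/no answer is needed."""
    return not validate_tenant_slug(slug)

if __name__ == "__main__":
    # Constructed sample slugs exercising each rule.
    for candidate in ("acme_prod", "Acme-Prod", "_acme", "a_b_c_d", "a__b"):
        print(f"{candidate!r}: {validate_tenant_slug(candidate) or 'ok'}")
```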
Hostname
Enter the DNS hostname that you have provisioned, or plan to provision, for the Credo AI application.
Ingress (existing cluster only)
For existing clusters, we recommend using the k8s ingress option and configuring it for the ingress controller in your cluster.
If you are using AWS ALB load balancer ingress (IngressClass: alb) you may have to deploy the application and then set the DNS records after the ALB endpoints are returned by the controller. If you are using an existing ingress controller with known endpoints, you could provision the DNS records prior to deploying the application.
If you are using AWS ALB load balancer ingress (IngressClass: alb) consider the following annotations at a minimum from the reference (https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/annotations/).
# generally applicable
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/ssl-redirect: "443"
alb.ingress.kubernetes.io/target-type: ip
# public IP address
alb.ingress.kubernetes.io/scheme: internet-facing
# private IP address
alb.ingress.kubernetes.io/scheme: internal
If you are using AWS ALB load balancer ingress, recall that the .spec.tls field is not recognized. Specify an ACM certificate using annotations (https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/ingress/annotations/#certificate-arn).
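A pre-deployment check for the ALB points above (the listed annotations, the ignored .spec.tls field and the ACM certificate annotation), written as an added Python lint over a constructed Ingress manifest. It is not part of the Credo AI installer; the hostname, service name, port and certificate ARN in the sample are placeholders.

```python
import json

ALB = "alb.ingress.kubernetes.io/"

# Constructed sample manifest (not from the installer). Hostname, service name,
# port and certificate ARN are placeholders; it deliberately sets spec.tls so the
# lint has something to flag.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "credoai", "annotations": {
        ALB + "listen-ports": '[{"HTTP": 80,"HTTPS": 443}]',
        ALB + "ssl-redirect": "443",
        ALB + "target-type": "ip",
        ALB + "scheme": "internal",
        ALB + "certificate-arn": "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER",
    }},
    "spec": {
        "ingressClassName": "alb",
        "tls": [{"hosts": ["credoai.example.com"], "secretName": "credoai-tls"}],
        "rules": [{"host": "credoai.example.com", "http": {"paths": [{
            "path": "/", "pathType": "Prefix",
            "backend": {"service": {"name": "credoai-web", "port": {"number": 80}}}}]}}],
    },
}

def lint_alb_ingress(ingress: dict) -> list[str]:
    """Return findings for an alb-class Ingress; an empty list means nothing was flagged."""
    spec = ingress.get("spec", {})
    if spec.get("ingressClassName") != "alb":
        return ["not an alb-class Ingress; these checks do not apply"]
    ann = ingress.get("metadata", {}).get("annotations", {})
    findings = [f"missing annotation {ALB}{key}"
                for key in ("listen-ports", "ssl-redirect", "target-type", "scheme")
                if ALB + key not in ann]
    try:
        # listen-ports is a JSON list of listener objects, as in the value above
        ports = json.loads(ann.get(ALB + "listen-ports", "[]"))
        if not any("HTTPS" in p for p in ports):
            findings.append("listen-ports has no HTTPS listener")
    except json.JSONDecodeError:
        findings.append("listen-ports annotation is not valid JSON")
    if ann.get(ALB + "scheme") not in ("internet-facing", "internal"):
        findings.append("scheme must be internet-facing or internal")
    if spec.get("tls"):
        findings.append("spec.tls is ignored by the ALB controller; use the certificate-arn annotation")
    if ALB + "certificate-arn" not in ann:
        findings.append("no certificate-arn annotation, so the HTTPS listener has no ACM certificate")
    return findings
```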
Ingress (embedded cluster only)
We recommend using the Contour HTTPProxy for ingress to the application in an embedded cluster.
Ingress TLS
Both ingress options allow for the following TLS options:
- none (choose this if you will have TLS terminated by another load balancer)
- existing secret
- self-signed cert (this is for test only and is not recommended for production)
- bring your own cert
If you have an existing k8s kubernetes.io/tls secret, fill in the name reference.
If you have a cert/key pair, copy the PEM contents into the text fields.
Object Store
Enter the names of the S3 bucket(s) provisioned for the Credo AI application. It is recommended to use different buckets but it is supported to use path prefixes in a common bucket.
The policy assets support the policy pack feature of Credo AI. The defaults are OK to keep. You will provision these locations with the required metadata and policy pack archive later in the Policy Pack Management section.
If the S3 bucket(s) have a policy requiring SSE AES256 headers for object writes, select AES256. The default sends no encryption header, so objects are stored with the encryption configured on the bucket.
Object Store Bundled Minio
AWS Credentials
Configure the Credo AI application to use S3 object storage or equivalent.
If you select the bundled minio for object storage, this option is not available and credentials are set in the minio section.
If you are using IAM roles for service accounts (IRSA) enter the IRSA annotation.
If you are using an AWS IAM user with key pair credentials or an S3-compliant alternative, select the checkbox and enter the access key id and secret access key.
If you are using AWS S3 and not a compliant S3 alternative you can omit the S3 endpoint fields and only enter the AWS region.
If you are using a private VPC S3 endpoint or an S3 alternative, enter the endpoint details.
If the custom endpoint is secured with a TLS certificate signed by a private certificate authority (CA), you can supply the CA certificate to ensure trust between the backend and the bucket endpoint.
Configure Database
Click the checkbox and enter the connection details for the external Postgres database.
See the Postgres Database Setup Appendix for information on the required setup.
Configure SSO
Select the identity provider protocol and enter the appropriate details.
At this time, OIDC is supported natively. See the SSO with Okta OIDC appendix for comprehensive setup and configuration instructions.
Integrating with a SAML provider requires an adapter. The Credo AI installer includes the dex IdP to serve as this adapter. See the SSO with Okta SAML appendix for comprehensive setup and configuration instructions.
Configure Email
Click the checkbox and enter SMTP server settings.
Post-Config Preflight
After configuration is validated, you will see a cluster preflight screen with status.
Deployed
The application is now deployed and can be visited at the hostname configured for the application, in this example http://credoai.example.com.
Post-Installation Policy Pack Setup
At this time the Credo AI kots installer does not support configuring policy packs from within the application. The policy pack assets can be uploaded to object storage using a manual method.
Please see the appendix Policy Pack Management below for instructions and contact Credo AI for bundle artifacts.
Post-Installation Tenant Setup
At this time the Credo AI kots installer configuration screen does not support automatic tenant creation. Please see the appendix tenant creation