publish docker-compose with bare minimum requirements for on-prem
rsmitty opened this issue
With the release of the image-factory integration into Omni, we will now have to require image-factory in the on-prem environment if folks do not wish to use the hosted service. We should publish a compose file with the following containers so that on-prem users have a good experience and it's easy to deploy:
- image factory
- docker registry (insecure, for factory to push to)
- discovery service
- omni
Would also like to see the entire thing baked into a machine image. Talking to at least several of our on-prem prospects (not concerning Omni or Talos, yet), the ask for a machine image has been common.
A helm chart for an on-prem kubernetes installation of Omni would be awesome!
This would actually help me get a philosophical grip on how Sidero runs Omni.
I'm behind on documentation reading, because I always am, but can I be a sounding board for some of what might be considered the bare minimum?
For instance, the airgap doc is confusing ~ https://omni.siderolabs.com/docs/tutorials/install-airgapped-omni/
Is a git server / Keycloak required or highly recommended for running Omni airgapped? I would assume the docker-compose would need to follow a similar structure to the airgapped setup. Where do we draw the line at bare minimum?
The current config that I found - this is my best stab at starting to fill it out:
https://github.com/siderolabs/omni/tree/main/deploy

```shell
# Omni
OMNI_IMG_TAG=v.0.34.0
OMNI_ACCOUNT_UUID=
```
Is this any generated UUID? I don't have an Omni account UUID.
If I just need to generate a random uuid, I'd drop ACCOUNT from the variable declaration.
Makes me think I have to go sign up for an omni account somewhere. Dumb complaint, but I barely know what I'm doing.
```shell
NAME=omni
EVENT_SINK_PORT=8091
## Keys and Certs
TLS_CERT=t.crt
TLS_KEY=t.key
```
I don't just have etcd running in this test environment; I would hope to set this up after setting Omni up. This is my first chicken-and-egg problem. Can Omni configure etcd post-setup?
```shell
ETCD_VOLUME_PATH=<full-path-to-etcd-directory>
ETCD_ENCRYPTION_KEY=<full-path-to-etcd-encryption-key>
## Binding
BIND_ADDR=0.0.0.0:443
SIDEROLINK_API_BIND_ADDR=0.0.0.0:8090
K8S_PROXY_BIND_ADDR=0.0.0.0:8100
## Domains and Advertisements
OMNI_DOMAIN_NAME="<omni-host-domain-name>"
ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}"
SIDEROLINK_ADVERTISED_API_URL="https://${OMNI_DOMAIN_NAME}:8090/"
ADVERTISED_K8S_PROXY_URL="https://${OMNI_DOMAIN_NAME}:8100/"
SIDEROLINK_WIREGUARD_ADVERTISED_ADDR="<omni-host-ip>:50180"
```
SMTP is another thing that would be nice to set up after the fact, but I'm not sure if that's what the initial user emails setup is for here.
```shell
## Users
INITIAL_USER_EMAILS='<initial-emails>'
```
I also don't have external auth set up, unless you count LDAP. Is auth integration also required in order to boot Omni up the first time, or is it a nice-to-have?
```shell
## Authentication
# Auth0
AUTH='--auth-auth0-enabled=true \
--auth-auth0-domain=<auth0-domain> \
--auth-auth0-client-id=<auth0-client-id>'
# Or, when using SAML:
# AUTH='--auth-saml-enabled=true \
# --auth-saml-url=<saml-url>'
# Only one AUTH version can be used at a time, so ensure to remove the one you don't use.
```
Thanks for pushing this forward, hopefully me bumbling around behind you will help.