Prerequisites
1. Prerequisites¶
1.1. Infrastructure Requirements¶
-
Operating System:
- Ubuntu 24.04
- RHEL 8
- RHEL 9
-
Instance Requirements:
- Single Node Controller: 1 node
- High Availability Controller: 3 master nodes
-
System Size (Minimum):
- 'S': 16 CPU, 64GB memory (Non-HA)
- 'M': 32 CPU, 64GB memory
- 'L': 64 CPU, 128GB memory
- Root Disk: Minimum 500 GB
- Temp Directory (
/tmp): Minimum 50GB (if not part of root disk) - Data Disk: 1 TB (mounted as
/datavolume, size varies based on storage requirements)
- RHEL installations need connectivity to default repository servers
- Inbound port 443/tcp must be allowed to all instances
- All localhost ports must be reachable
- Port 30053/UDP must be reachable in non-DNS environments
- SELinux/firewall must be disabled on all nodes
1.2. DNS Configuration¶
DNS records are required for the controller to function properly. Replace rafay.example.com with your desired domain.
*.rafay.example.com
If wildcard DNS is not available, create these individual records:
api.<rafay.example.com>
console.<rafay.example.com>
fluentd-aggr.<rafay.example.com>
grafana.<rafay.example.com>
kibana.<rafay.example.com>
ops-console.<rafay.example.com>
repo.<rafay.example.com>
*.cdrelay.<rafay.example.com>
*.core-connector.<rafay.example.com>
*.core.<rafay.example.com>
*.connector.infrarelay.<rafay.example.com>
*.user.infrarelay.<rafay.example.com>
*.kubeapi-proxy.<rafay.example.com>
*.user.<rafay.example.com>
Note
DNS records should point to the controller nodes' IP addresses. For external SSL offloading, refer to the SSL Offloading section.
1.3. Additional Requirements¶
- Company logo in PNG format
- Size: Less than 600 KB
- Used for white labeling and branding
- Required for TLS secure communication
- Trusted CA signed wildcard certificate (2048 bit)
- Self-signed certificates can be auto-generated for non-prod environments
- Set
generate-self-signed-certs: truein config.yaml for auto-generation
1.4. SSL Offloading Configuration (Optional)¶
-
Rafay controller supports SSL offload at load balancer level using ACM/certificates. This would need two load balancers, one for UI FQDNs which requires SSL offload and another for backed FQDNs which requires SSL passthrough.
-
To enable external SSL offloading, the below override-config has to be enabled in config.yaml.
override-config.global.external_lb: true
1.5. DNS Settings for Using External SSL Offload (Optional)¶
For extended security, all Rafay backend endpoints use mTLS and do not support SSL offloading, except for the frontend UI endpoints.
Frontend FQDNs (Point to Classic Load Balancer for SSL Offloading)¶
api.<rafay.example.com>console.<rafay.example.com>fluentd-aggr.<rafay.example.com>ops-console.<rafay.example.com>grafana.<rafay.example.com>repo.<rafay.example.com>
Backend FQDNs (Point to NLB for mTLS)¶
registry.<rafay.example.com>*.core-connector.<rafay.example.com>*.core.<rafay.example.com>*.kubeapi-proxy.<rafay.example.com>*.user.<rafay.example.com>*.cdrelay.<rafay.example.com>*.infrarelay.<rafay.example.com>*.connector.infrarelay.<rafay.example.com>*.user.infrarelay.<rafay.example.com>
1.6. Load Balancer Setup (Optional)¶
- Requires two load balancers:
- Load balancer with certificate for SSL offloading in UI traffic.
- Load balancer with SSL passthrough for mTLS traffic
- Enable with:
override-config.global.external_lb: truein config.yaml
Certificate Requirements:
- CA signed wildcard certificate
- Ports: 80/TCP and 443/TCP inbound
- Redirecting Connections as per the below table
Port Configuration:
| Frontend Port | Frontend Protocol | Backend Port | Backend Protocol |
|---|---|---|---|
| 80 | HTTP | 30426 | HTTP |
| 443 | SECURE TCP(SSL) | 30726 | TCP |
SSL Passthrough Configuration:
| Frontend Port | Frontend Protocol | Backend Port | Backend Protocol |
|---|---|---|---|
| 443 | TCP | 30526 | TCP |
Ping Protocol: HTTP
Ping Port: 30326
Ping Path: /healthz/ready
Next Steps¶
➡️ Continue to Installation Guide