Version: 0.7

Prerequisites

This page details the prerequisites you need in place in order for Kore to run successfully.

Tools on your workstation:

Pre-install:

Post-install:

Kubernetes cluster to host Kore

Kore runs in a Kubernetes cluster. You can use an existing Kubernetes cluster, or follow Bootstrap a Cluster for Kore to use a local install of Kore to create a cluster in which to host your Kore instance.

The cluster where Kore runs must meet the following requirements:

  1. We recommend a dedicated cluster to host Kore because it creates and manages namespaces as teams are created. It is not recommended to install Kore into a cluster running other workloads without significant care, and only a single instance of Kore may be installed into a cluster.

    Kore can be set up to run using credentials managed entirely by AWS on EKS (recommended). To enable this with Kore on EKS, see kore setup cloudidentity.

  2. You must have kubectl access to this cluster, with privileges to install a Helm chart.

  3. A namespace should be pre-created to install Kore's machinery into - we recommend the namespace kore for this purpose. For example, run kubectl create ns kore.

Identity Provider details

Kore uses your existing identity provider to grant access to the UI, CLI, and the infrastructure provisioned for teams. If you are testing out Kore, you can use local users (created and managed within the application); however, we do not recommend this configuration for production use.

Kore supports OpenID Connect (OIDC) for integrating with identity providers. You must provide the following details when installing Kore:

  • Client ID
  • Server URL
  • Client Secret
  • Client Scopes to use. If the provider does not support the default scopes email, profile, and offline_access (notably Google Workspace/GSuite), you must set this to email and profile.

If you need advice on integrating your existing single sign-on infrastructure with Kore, please get in touch and we will be happy to help.
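
The scope rule above can be checked before installation against the provider's OIDC discovery document. The following Python is an added example, not part of Kore; it assumes the Server URL is the provider's issuer URL, and the helper name and sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

DEFAULT_SCOPES = ["email", "profile", "offline_access"]  # defaults named on this page
FALLBACK_SCOPES = ["email", "profile"]                   # fallback named on this page

def choose_client_scopes(server_url, discovery_json):
    """Return (scopes, notes) for an OIDC provider (hypothetical helper).

    discovery_json is the body served at
    <server_url>/.well-known/openid-configuration, fetched separately.
    """
    if urlsplit(server_url).scheme != "https":
        raise ValueError("Server URL must use https")
    doc = json.loads(discovery_json)
    # Assumption: the Server URL is the issuer URL. OIDC Discovery requires the
    # advertised issuer to match it; a trailing slash is ignored here.
    if str(doc.get("issuer", "")).rstrip("/") != server_url.rstrip("/"):
        raise ValueError("issuer in discovery document does not match Server URL")
    supported = doc.get("scopes_supported")
    if supported is None:
        # scopes_supported is optional metadata, so its absence proves nothing.
        return list(DEFAULT_SCOPES), ["scopes_supported not advertised; confirm with the provider"]
    missing = [s for s in DEFAULT_SCOPES if s not in supported]
    if not missing:
        return list(DEFAULT_SCOPES), []
    if all(s in supported for s in FALLBACK_SCOPES):
        return list(FALLBACK_SCOPES), ["provider lacks " + ", ".join(missing)]
    raise ValueError("provider does not advertise the email and profile scopes")

# Constructed sample discovery documents (not captured from real providers).
SAMPLE_FULL = json.dumps({
    "issuer": "https://idp.example.org",
    "scopes_supported": ["openid", "email", "profile", "offline_access"],
})
SAMPLE_NO_OFFLINE = json.dumps({
    "issuer": "https://sso.example.org",
    "scopes_supported": ["openid", "email", "profile"],
})

if __name__ == "__main__":
    for url, body in (("https://idp.example.org", SAMPLE_FULL),
                      ("https://sso.example.org", SAMPLE_NO_OFFLINE)):
        print(url, choose_client_scopes(url, body))
```

The issuer check rejects a discovery document served for a different provider than the one you intend to configure, which catches a mistyped or substituted Server URL before the client secret is used against it.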

Ingress controller

In order for Kore to expose its UI and API for your use, you need an ingress controller configured in your cluster. We recommend configuring the NGINX ingress as follows.

To configure NGINX:

  1. Run the following:

    NGINX_VERSION=2.15.0
    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
    helm repo update
    if ! kubectl get ns ingress >/dev/null 2>&1; then
      kubectl create ns ingress
    fi
    helm upgrade ingress ingress-nginx/ingress-nginx \
      --install \
      --version ${NGINX_VERSION} \
      --namespace=ingress \
      --set=controller.autoscaling.enabled=true \
      --set=controller.autoscaling.maxReplicas=10 \
      --set=controller.autoscaling.minReplicas=2 \
      --set=controller.service.externalTrafficPolicy=Local \
      --set=controller.service.type=LoadBalancer \
      --set=podSecurityPolicy.enabled=true

Certificate Manager

Optionally, if you do not wish to manually generate and maintain TLS certificates for Kore, you can install cert-manager into your cluster to do this for you.

To install cert-manager:

  1. Create a configuration file cert-issuer.yaml for your issuer - setting the email address as appropriate:

    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt
    spec:
      acme:
        email: you@yourorg.org
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-account-key
        solvers:
        - http01:
            ingress:
              class: nginx

  2. Install cert-manager:

    CERTMGR_VERSION=v1.0.2
    helm repo add jetstack https://charts.jetstack.io
    helm repo update
    if ! kubectl get ns cert-manager >/dev/null 2>&1; then
      kubectl create ns cert-manager
    fi
    helm upgrade cert-manager jetstack/cert-manager \
      --install \
      --version ${CERTMGR_VERSION} \
      --namespace cert-manager \
      --set installCRDs=true \
      --wait
    kubectl apply -f ./cert-issuer.yaml

Cloud accounts

In order to use Kore, you must provide it with one or more cloud accounts that you want it to use. There are two types of cloud accounts you can provide for each cloud:

  • Shared Accounts—if you want to use existing cloud accounts for your teams' infrastructure, you can add each account individually to Kore and allocate it to the desired teams within Kore. Each account maps to a specific AWS account, GCP project, or Azure subscription. Infrastructure is provisioned directly into the account when requested by teams.

  • Organizations—if you want to use Kore's account automation feature, you must provide Kore with access to a root organizational account in which it should create and manage child accounts. Account automation provides AWS accounts, GCP projects, and Azure subscriptions on demand for your teams.

For more information, see Cloud Accounts.