Post installation steps
Follow the post-installation steps after initial installation.
Step 1: Get the log output of the installer job
When the installer job (in the default namespace) has finished, copy the URL and the generated password from the bottom of the logs and sign in to the APL Console.
Use the following command to get the logs of the installer job:
kubectl logs jobs/apl -n default -f
Step 2 (optional): Add the auto generated CA to your keychain
When APL is installed without DNS, APL automatically generates a CA. The generated CA is not trusted on your local machine. Here are some options to avoid having to click away lots of security warnings in your browser:
- In the left menu of the console, click on "Download CA"
- Double click the downloaded CA.crt or add the CA to your keychain on Mac using the following command:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/Downloads/ca.crt
On Windows, use PowerShell (running as Administrator) with certutil:
certutil.exe -addstore root <downloaded cert path>
Or:
Import-Certificate -FilePath "<downloaded cert path>" -CertStoreLocation Cert:\LocalMachine\Root
# Restart the browser
But you could also run Chrome in insecure mode:
alias chrome-insecure='/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors --ignore-urlfetcher-cert-requests &> /dev/null'
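Before adding the downloaded CA to a system trust store as described in this step, it helps to inspect the file and note its fingerprint. The script below is an added example, not part of APL: the function names are hypothetical, and the certificates it checks are throwaway ones constructed on the spot with openssl so that it runs offline.

```shell
# Inspect a downloaded CA certificate before adding it to a system trust store.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Hypothetical helper: return 0 only for a parseable, unexpired, self-signed CA cert.
check_ca_cert() {
    f=$1
    openssl x509 -in "$f" -noout 2>/dev/null || { echo "not a PEM certificate"; return 1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null || { echo "expired"; return 1; }
    openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA (basicConstraints)"; return 1; }
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer); iss=${iss#issuer=}
    [ "$subj" = "$iss" ] || { echo "not self-signed, issued by: $iss"; return 1; }
    echo "ok: $subj"
}

# Constructed sample input: a throwaway self-signed cert; $2 sets the CA flag (TRUE/FALSE).
make_sample_cert() {
    out=$1; ca=$2; dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-sample-$ca
[ext]
basicConstraints = critical,CA:$ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$out" 2>/dev/null
    rm -rf "$dir"
}

# Demo on constructed certificates; in practice pass ~/Downloads/ca.crt instead.
tmp=$(mktemp -d)
make_sample_cert "$tmp/ca.crt" TRUE
make_sample_cert "$tmp/leaf.crt" FALSE
check_ca_cert "$tmp/ca.crt" && echo "fingerprint: $(ca_fingerprint "$tmp/ca.crt")"
check_ca_cert "$tmp/leaf.crt" || echo "leaf.crt rejected"
```

Record the printed fingerprint; if the browser later shows a different issuer fingerprint for the platform's certificates, the file you trusted is not the CA the cluster is using.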
Step 3 (Optional): Create a new admin user
We strongly advise not using the default otomi-admin account after activation and not changing its password. Store the password somewhere safe and only use the account when absolutely required.
Create a new user account in Keycloak and add the new user to the otomi-admin and team-admin groups.
To create users in Keycloak, follow these steps:
- Open the Keycloak app.
- Click on Administration Console.
- Log in with admin credentials (using the otomi-admin user and the password provided in the installer log, or the otomi.adminPassword provided in the initial values).
- Select the Otomi realm.
- Click on Users, then Add user.
- Fill in a user name in the Username field.
- Fill in your email address in the Email field.
- Select Email verified.
- Click Join Groups.
- Add the user to the required group (otomi-admin).
- Click Create.
- Choose the Credentials tab and then Set password.
- Fill in a password.
- Optional: Make the password Temporary. This requires the user to change the password at the first login.
- Click on "Save".
- Click Save password.
Step 4 (Optional): Add the URL of the Kubernetes API
Teams need the URL of the K8s cluster API to be able to download the KUBECONFIG.
- Under Platform in APL Console, click on Settings.
- Click on Cluster.
- Add the full URL of the API server.
- Click on Submit.
- Click on Deploy Changes.
Step 5 (Optional): Configure Object Storage
If you're planning on activating apps that can use Object Storage (like Loki, Harbor, Tempo, Velero), then first configure Object Storage. Check the table in Step 7 to see which Apps require Object Storage to be configured.
Velero requires Object Storage!
Creating Database backups requires Object Storage!
- Under Platform in APL Console, click on Settings.
- Click on Object Storage.
- Select Minio Local or Linode.

When Minio is selected (only for development), the Minio App is enabled and all required buckets are automatically provisioned. When Linode is selected, create the buckets for the apps you are planning to use and fill in the region, the Access Key ID and the Secret Access Key (with read/write access).

- Click on Submit.
- Click on Deploy Changes.
Step 6 (Optional): Add a Linode Personal Access Token to back up Persistent Volumes (Linode only)
To use the self-service feature to create backups of Persistent Volumes in Linode, first create a new Personal Access Token with Read/Write access for Volumes:
- Go to your profile on the top right.
- Click on API Tokens.
- Click on Create A Personal Access Token.
- Add a Label.
- Select the desired Expiry.
- Select No Access for all.
- Select Read/Write for Volumes.
- Click Create Token.
- Copy your Personal Access Token.

Then add the token to APL:
- Sign in to the APL Console as an admin.
- In the left menu, click on Settings.
- Click on Backup.
- Add the API Token in the Backup persistent volumes section.

When Object Storage is configured and an API Token is added, activate the Velero App. You can now use the Backup self-service feature in APL to create backup schedules to back up Persistent Volumes.
Step 7 (Optional): Activate more Apps
APL is a composable platform. Activate more Apps based on the required platform capabilities:
Capability | App | Object storage |
---|---|---|
Log aggregation | Loki and Grafana | Optional |
Metric collection | Prometheus and Grafana | No |
Send Alerts | Prometheus and Alert manager | No |
Tracing | Tempo, OTEL, Loki and Grafana | Required |
Build images from source code | Harbor | Optional |
Scan running containers for vulnerabilities | Trivy | No |
Enforce security policies | Kyverno | No |
Database backups | CloudnativePG | Required |
Step 8: Create Teams
Create your first team. Follow the instructions here.
Step 9: Create users and add them to a Team
Create users in Keycloak and add the users to a Team Group in Keycloak:
- Open the Keycloak app.
- Click on Administration Console.
- Log in with admin credentials (using the otomi-admin user and the password provided in the installer log, or the otomi.adminPassword provided in the initial values).
- Select the Otomi realm.
- Click on Users, then Add user.
- Fill in a user name in the Username field.
- Fill in your email address in the Email field.
- Select Email verified.
- Click Join Groups.
- Add the user to the required Team group (team-<team-name>).
- Click Create.
- Choose the Credentials tab and then Set password.
- Fill in a password.
- Optional: Make the password Temporary. This requires the user to change the password at the first login.
- Click on "Save".
- Click Save password.