Install
Summary
Konstruct currently supports installation on AWS natively, with support for Civo, Google, Azure, and self-hosted available upon request.
Supported Installs
The Konstruct engineering team is here to provide you with a guided installation of the Konstruct control plane. To receive a Konstruct demo or to arrange for a supported installation schedule time with us.
Installation Guide
This guide provides instructions for installing Konstruct, a comprehensive multi-tenant, multi-cloud Kubernetes management platform.
Prerequisites
Before installing Konstruct, ensure you have:
- A Kubernetes cluster (v1.24+)
- ArgoCD installed and configured (v2.6+)
- NGINX Ingress Controller deployed
- Cert-Manager configured with a cluster issuer named
letsencrypt-prod - Vault or a compatible secret management solution
- Access to the Konstruct Helm repository
A handy way to get these prerequisites is to ensure all components are properly configured before proceeding.
Component Overview
Konstruct Platform 0.1 consists of the following components:
| Component | Version | Description |
|---|---|---|
| Application Operator | 0.2.0 | Manages application deployments across clusters |
| CloudAccount Operator | 0.2.0 | Handles cloud provider account integrations |
| GitAccount Operator | 0.2.0 | Manages Git provider integrations |
| SSO Operator | 0.2.0 | Configures single sign-on across the platform |
| Team Management Operator | 0.2.0 | Manages team access and permissions |
| WorkloadCluster Operator | 0.2.0 | Provisions and manages workload clusters |
| Konstruct API | 0.2.0-rc.d355e1ca | Core API server for the platform |
| Konstruct UI | 0.2.0-rc.f1c814d4 | Web interface for platform management |
| Dex | 0.24.0 | OIDC provider for authentication |
Installation Steps
Step 1: Create Required Namespaces
kubectl create namespace konstruct-system
kubectl create namespace dex
kubectl create namespace argocd # If not already created
Step 2: Configure Image Pull Secrets
Create a Docker registry secret for pulling Konstruct images:
apiVersion: v1
kind: Secret
metadata:
name: docker-config
namespace: konstruct-system
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <base64-encoded-docker-config>
Apply the same secret to the dex namespace:
kubectl apply -f docker-config.yaml -n konstruct-system
kubectl apply -f docker-config.yaml -n dex
Step 3: Configure External Secrets (if using Vault)
If you're using Vault with External Secrets Operator, create the required ExternalSecret resources:
# dex-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: dex-config
namespace: dex
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault-kv-secret
target:
name: dex-config
dataFrom:
- extract:
key: /dex
# docker-config-external-secret.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: docker-config
namespace: konstruct-system
spec:
secretStoreRef:
name: vault-kv-secret
kind: ClusterSecretStore
target:
name: docker-config
dataFrom:
- extract:
key: /docker-config
Step 4: Deploy Core Operators (Sync Wave 0)
Deploy all operators that have sync-wave 0. These can be deployed in parallel:
# Apply all operator manifests
kubectl apply -f application-operator.yaml
kubectl apply -f cloudaccount-operator.yaml
kubectl apply -f gitaccount-operator.yaml
kubectl apply -f sso-operator.yaml
kubectl apply -f team-management-operator.yaml
kubectl apply -f workloadcluster-operator.yaml
kubectl apply -f dex.yaml
Wait for all operators to be healthy:
kubectl wait --for=condition=Ready pods -n konstruct-system --all --timeout=300s
kubectl wait --for=condition=Ready pods -n dex --all --timeout=300s
Step 5: Deploy API and UI Components (Sync Wave 10)
After the operators are running, deploy the API and UI:
kubectl apply -f konstruct-api.yaml
kubectl apply -f konstruct-ui.yaml
Wait for deployment:
kubectl wait --for=condition=Ready pods -l app=konstruct-api -n konstruct-system --timeout=300s
kubectl wait --for=condition=Ready pods -l app=konstruct-ui -n konstruct-system --timeout=300s
ArgoCD Application Manifests
For automated GitOps deployment, you can use the provided ArgoCD Application manifests. Here's an example for the Application Operator:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: application-operator
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
annotations:
argocd.argoproj.io/sync-wave: '0'
spec:
project: default
source:
repoURL: europe-west2-docker.pkg.dev/civo-com/charts
chart: application-operator
targetRevision: 0.1.0-rc.95efd83f
helm:
values: |-
imagePullSecrets:
- name: docker-config
serviceAccount:
create: true
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::YOUR_ACCOUNT_ID:role/konstruct-mgmt-YOUR_CLUSTER_NAME
destination:
name: in-cluster
namespace: konstruct-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
Configuration Requirements
AWS IAM Role (for EKS clusters)
If deploying on AWS EKS, ensure the Application Operator service account has the appropriate IAM role:
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::YOUR_ACCOUNT_ID:role/konstruct-mgmt-YOUR_CLUSTER_NAME
Ingress Configuration
The platform components expose the following endpoints:
- Dex:
https://dex.YOUR_DOMAIN - Konstruct UI: Configure via Helm values
- Konstruct API: Configure via Helm values
Ensure your DNS is configured to point these domains to your ingress controller.
Verification
After installation, verify all components are running:
# Check all pods in konstruct-system namespace
kubectl get pods -n konstruct-system
# Check all pods in dex namespace
kubectl get pods -n dex
# Verify ArgoCD applications
kubectl get applications -n argocd | grep -E "konstruct|dex|application-operator|cloudaccount-operator"
# Check ingress resources
kubectl get ingress -A | grep -E "konstruct|dex"
Troubleshooting
Common Issues
-
Image Pull Errors: Ensure docker-config secret is properly configured with credentials for
europe-west2-docker.pkg.dev/civo-com/charts -
Sync Failures: Check ArgoCD application logs:
kubectl logs -n argocd deployment/argocd-application-controller -
Pod Crashes: Review pod logs:
kubectl logs -n konstruct-system <pod-name> -
External Secrets Issues: Verify ClusterSecretStore is configured and Vault paths exist:
kubectl get clustersecretstore
kubectl describe externalsecret -n konstruct-system
Next Steps
After successful installation:
- Access the Konstruct UI at your configured ingress URL
- Configure SSO integration through Dex
- Create your first CloudAccount and GitAccount resources
- Deploy your first workload cluster using the WorkloadCluster CRD