Dashboard Access

There are several options for accessing the Kasten K10 dashboard.

Access via kubectl

By default, the K10 dashboard will not be exposed externally. To establish a connection to it use the following kubectl commands.

$ kubectl --namespace kasten-io port-forward service/gateway 8080:8000

The K10 dashboard will be available at http://127.0.0.1:8080/k10/#/

Note

If you installed K10 with a different release name than k10 (specified via the --name option in the install command), the above URL should be modified to replace the last occurrence of k10 with the specified release name. The revised URL would look like http://127.0.0.1:8080/<release-name>/#/

If you are running on GKE and want to access the dashboard without local kubectl access, you can use the following advanced GKE console instructions:

Accessing via a LoadBalancer

If you would like to expose the K10 dashboard via an external load balancer, you will need to configure an authentication method. The currently supported options are Basic Authentication, Token Authentication, or OpenID Connect Authentication.

To configure the K10 dashboard to be exposed through the default LoadBalancer and potentially a DNS entry, please use the following helm options. If you have not yet installed K10, add the options to the install command for your environment. Alternatively, you can upgrade the installation as follows:

# example uses Token Authentication method
$ helm upgrade k10 kasten/k10 --namespace=kasten-io \
    --reuse-values \
    --set externalGateway.create=true \
    --set auth.tokenAuth.enabled=true
# example uses Token Authentication method
$ helm upgrade k10 kasten/k10 \
    --reuse-values \
    --set externalGateway.create=true \
    --set auth.tokenAuth.enabled=true

Configuring DNS

The K10 dashboard will be available at the /k10/ URL path of the DNS or IP address setup using the below options.

Note

If you installed K10 with a different release name than k10 (specified via the --name option in the install command), the dashboard will be available at the /<release-name>/ URL path.

Using ExternalDNS

If your Kubernetes cluster is already using ExternalDNS and has it properly configured, you should add the following options to automatically configure a DNS entry for the load balancer.

--set externalGateway.externalGateway.fqdn.type=external-dns \
--set externalGateway.fqdn.name=<my-desired.dns.name>

Manually adding a DNS entry

If your environment does not support ExternalDNS, first find the LoadBalancer's public DNS/IP address:

$ kubectl --namespace kasten-io get service gateway-ext \
   -o jsonpath='{.status.loadBalancer.ingress[].hostname}'

You can then optionally setup a DNS record that points from a desired FQDN to the LoadBalancer DNS or IP address from above.

Adding Custom Annotations

In certain scenarios, custom annotations on the LoadBalancer be required. These can be added as a part of the install process too. For example, if an annotation of the form service.beta.kubernetes.io/aws-loadbalancer-internal: 0.0.0.0/0 was needed, add it to a values file as follows:

cat > value.yaml <<EOF
externalGateway:
  annotations:
    service.beta.kubernetes.io/aws-loadbalancer-internal: 0.0.0.0/0
EOF

and then use --values in the helm install command:

--values value.yaml

Existing Ingress Controller

If you already have an ingress controller installed and would like to expose the K10 dashboard via it, you need to specify the following option to the helm install command:

--set ingress.create=true

In this case, you will need to follow your specific ingress controller guidelines to expose an external endpoint for the k10-ingress Kubernetes ingress object that will be installed in the kasten-io namespace as part of the Helm install.

You will then have the option to use the kubectl proxy method described above or an externally accessible endpoint but the configuration will depend on your specific ingress controller configuration.

Additionally, You can choose the ingress class for the ingress object by specifying the following option to the helm command:

--set ingress.create=true --set ingress.class=nginx

In some environments, additional Ingress annotations might be required. Required annotations can be added during install via the `` ingress.annotations `` option. For example, the below option will add `` nginx.ingress.kubernetes.io/force-ssl-redirect: "true" `` to the K10 Ingress resource.

--set ingress.annotations."nginx.ingress.kubernetes.io/ssl-redirect"="true"

Access via OpenShift Routes

To access the K10 dashboard via an OpenShift Route, an authentication method needs to be configured. The currently supported authentication options are Basic Authentication, Token Authentication, or OpenID Connect Authentication.

The following Helm options can be used to configure the K10 dashboard to be exposed through an OpenShift Route and potentially a DNS entry. If K10 is not yet installed, add the options to the helm install command for the environment. Alternatively, the installation can be upgraded as follows:

# This example uses the Token Authentication method
$ helm upgrade k10 kasten/k10 --namespace=kasten-io \
    --reuse-values \
    --set route.enabled=true \
    --set auth.tokenAuth.enabled=true
# This example uses the Token Authentication method
$ helm upgrade k10 kasten/k10 \
    --reuse-values \
    --set route.enabled=true \
    --set auth.tokenAuth.enabled=true

The following option will auto-generate a route hostname as a subdomain to the existing FQDN. A host name can be explicitly with the route with the following option:

--set route.host=<A FQDN of your choice with proper DNS entry>

The ability to use the kubectl proxy method described above or an externally accessible endpoint is still there but their configuration depends on the specific cluster configuration.

Additionally, the path for the Route object can be specified by using the following option:

--set route.path="/k10"

SSL/TLS with the Route can enabled by specifying the following option:

--set route.tls.enabled=true

Additionally, to specify the TLS insecureEdgeTerminationPolicy or termination Route parameters, the following option needs to be specified:

--set route.tls.termination=<reencrypt/edge/passthrough>
--set route.tls.insecureEdgeTerminationPolicy=<disable/redirect/allow>