Zarf installation and upgrade for CPSH extended capabilities

This following instructions detail the process of installing the Zarf command-line interface (CLI) and initializing the target Kubernetes cluster for the CPSH extended capabilities deployment.

To begin:

  1. Download and install Zarf if you haven't done so already.
  2. (Optional) Run the Zarf initialization.

Initialize the cluster

This step bootstraps the cluster by installing the infrastructure necessary for Zarf (internal registry, agent, etc.).

  1. Download the standard Zarf init package to your local working directory.

  2. Copy
    zarf tools download-init -a amd64

    Note The -a flag specifies the architecture for the package. By default, zarf tools download-init downloads the package for the architecture of your local machine. For example, if you are using a Mac with arm64, it downloads the arm64 version. However, if your local machine uses a different architecture than your cluster (such as EKS, which is amd64), you must include the -a flag for both the download and initialization steps to avoid an architecture mismatch.

  3. Optional, if you are installing on an OpenShift cluster, you must perform the following steps before running zarf init .These steps create and scope the OpenShift security constraints to the zarf namespace.
    1. Create file called zarf-init-prereqs.yaml.
    2. Copy and paste the following into the new file:
    3. Run the following command:
      Copy
      kubectl apply -f zarf-init-prereqs.yaml
       
  4. Execute the following initialization command to initialize the cluster, enable the registry proxy, and apply specific Kubernetes taints and tolerations required for CPSH node groups:
    Note If you are installing on an OpenShift cluster, you must add the following to the following command:

    --set HOST_NETWORK_PROXY=true \

    Copy
    zarf --log-level=debug init \
      --features=registry-proxy=true \
      --registry-mode=proxy \
      -a amd64 \
      --set REGISTRY_PVC_SIZE=100Gi \
      --set REGISTRY_HPA_MAX=1 \
      --set PROXY_TOLERATIONS='[{"effect":"NoSchedule","key":"collibra.com/node-storage","operator":"Equal","value":"local"},{"effect":"NoSchedule","key":"collibra.com/team","operator":"Equal","value":"techlin"}]' \
      --confirm

Initialization Command Details

Parameter Value/Setting Purpose
--features=registry-proxy=true true Enables the Zarf registry proxy feature.
--set HOST_NETWORK_PROXY=true \ true

If you use an OpenShift cluster, you must set this to true.As OVN-Kubernetes ignores hostPort with hostIP: 127.0.0.1 on OpenShift, setting this parameter to true switches the registry-proxy DaemonSet to hostNetwork: true.

--registry-mode=proxy proxy Sets the internal Zarf registry to run in proxy mode.
--set REGISTRY_HPA_MAX=1 1 Sets the maximum Horizontal Pod Autoscaler replicas for the Zarf registry to 1.
--set PROXY_TOLERATIONS='[...]' Specific JSON array Applies Kubernetes tolerations to the Zarf proxy components, ensuring they run on the dedicated techlin node group with local storage.
--set REGISTRY_PVC_SIZE=100Gi 100Gi If you are going to use all Zarf images, such as Collibra Platform, Edge, and Technical lineage, set the Persistent Volume Claim (PVC) to 100 GB. If not, the Zarf default of 20 GB is used and you may run out of storage space.
--confirm   Skips interactive prompts and automatically confirms the installation.

Update

Standard method

To update Zarf using the standard method, reinstall the new Zarf version and re-run the initialization steps using the same parameters:

Note This is applicable if the newer Zarf version is backward compatible.

Copy
zarf init [...]

Hard method

If Zarf needs to be updated and the new version is incompatible with the previous, or init parameters needs to be changed, you must first remove and then reinstall.

Note This method forces Zarf to forget about previously installed packages, potentially leading to issues.

Run the following if current installed packages can be removed:

Copy
zarf destroy --remove-components --confirm
zarf init [...]

If current installed packages can not be removed:

  1. Backup the current Zarf secrets matching previously installed packages:
  2. Copy
    kubectl get secrets -n zarf -o name |grep 'zarf-package-cpsh'
    kubectl get secrets -n zarf zarf-package-cpsh-platform -o yaml >zarf-package-cpsh-platform-secret.yaml
    kubectl get secrets -n zarf zarf-package-cpsh-lineage -o yaml >zarf-package-cpsh-lineage-secret.yaml
    kubectl get secrets -n zarf zarf-package-cpsh-edge-fips -o yaml >zarf-package-cpsh-edge-fips-secret.yaml
    kubectl get secrets -n zarf zarf-package-cpsh-observability -o yaml >zarf-package-cpsh-observability-secret.yaml

  3. Run Zarf destroy:
  4. Copy
    zarf destroy --confirm

  5. Re-run Zarf init:
  6. Copy
    zarf init [...]

  7. Restore the Zarf secrets for previously installed packages:
  8. Copy
    kubectl create -n zarf -f zarf-package-cpsh-platform-secret.yaml
    kubectl create -n zarf -f zarf-package-cpsh-lineage-secret.yaml
    kubectl create -n zarf -f zarf-package-cpsh-edge-fips-secret.yaml
    kubectl create -n zarf -f zarf-package-cpsh-observability-secret.yaml

  9. Remove the Zarf ignore annotation from existing namespaces:
  10. Copy
    kubectl label ns collibra-control zarf.dev/agent-
    kubectl label ns collibra-edge zarf.dev/agent-
    kubectl label ns collibra-instance zarf.dev/agent-
    kubectl label ns collibra-observability zarf.dev/agent-

  11. Re-install the cpsh-* packages (the Zarf registry is empty now, this will re-push the container images). The workload should not usually be updated.

Operations

Periodically, you should prune the internal Zarf container registry to manage its size. To do this, run the following command:

Copy
zarf tools registry prune

This command will remove the container images that are not currently being used by any Zarf packages (such as old versions of the cpsh-* packages). These images can be re-pushed to the registry by re-installing the corresponding Zarf package.