Install Korifi to Manage K3s at the Edge
Cloud Foundry Korifi is the familiar Cloud Foundry abstraction ported over to Kubernetes clusters. It brings a multitenant experience to Kubernetes and helps app developers consume clusters with ease. It presents an answer to a question that many people in the community are asking: “What’s the best way for Cloud Foundry users to move to Kubernetes?”
Korifi works by being installed in a Kubernetes cluster. While vanilla Kubernetes is the ideal, each managed-cloud provider meets the market with their small variations on Kubernetes. For this reason, we are creating tutorials that are specific to each cloud provider. While this can mean yet another open source project getting fragmented, each cloud provider is preferred for specific purposes such as for use in production, for use by internal teams, etc. Therefore, it does make sense to have guides that enable teams to install and use Korifi on each provider.
So, with that, we introduce our first tutorial about deploying Korifi on the popular, lightweight K3s for edge and IoT applications.
K3s is a lightweight Kubernetes distribution designed for resource-constrained environments such as edge computing or IoT devices. K3s was initially developed by Rancher Labs, a company specializing in Kubernetes management solutions. In the year 2020, Rancher Labs was acquired by SUSE, and the development and maintenance of K3s are now driven by the open source community. K3s has gained significant traction and a growing community of contributors. It has evolved into a mature and stable project with regular releases, the latest one being version 25.10-rc1+k3s1.
K3s’ small footprint allows it to run on devices with lower computational power, making it useful for IoT deployments. K3s is also well-suited for edge computing scenarios where resources are limited and connectivity may be intermittent. It enables developers to deploy Kubernetes clusters closer to the edge devices, reducing latency and enhancing data processing capabilities.
In this tutorial, we will cover how to install Cloud Foundry Korifi on a K3s cluster. We will first install Kubernetes — in the form of K3s — and then install Korifi CRDs to the cluster. The final steps of the tutorial will be an example of an app deployed to the cluster.
But first, some more background on Cloud Foundry Korifi. Korifi is open source software built by the Cloud Foundry community. It was born out of the need for internal development platforms to be built over Kubernetes. Korifi’s purpose is to deliver an inherently higher-order abstraction over Kubernetes, ultimately enabling developers to focus on building applications. It is a fully open source tool, built to serve as a means to deploy applications on Kubernetes while providing automated networking, security, availability, and much more. Now, let’s get started.
Prerequisites: Please install the following tools to start.
Step 1: Install K3s.
|
1 |
curl -sfL https://get.k3s.io | sh -s - --disable traefik --write-kubeconfig-mode 644 |
The instructions for this are quite clear in the quick start guide. However, we have to configure a couple additional parameters to suit our installation. The –disable traefik argument is passed to the installation script to disable the installation of the Traefik ingress controller. This is because we will install Contour for ingress control at a later step and the two will conflict with each other.
The second argument passed to the script is –write-kubeconfig-mode 644. This sets the file permission mode of the generated kubeconfig file to 644 which means the owner will have read and write access, while others have only read access. This is not done by default during a K3s install. Skipping this step means that we will be unable to make use of kubectl to connect with the cluster, which is required to proceed further.
Step 2: Set Environment Variables
|
1 2 3 4 |
export ROOT_NAMESPACE="cf" export KORIFI_NAMESPACE="korifi" export ADMIN_USERNAME="system:admin" export BASE_DOMAIN="localhost" |
This is merely a step for convenience. We could make use of the environment variables in later steps.
Step 3: Install Cert Manager
|
1 |
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml |
Cert Manager is installed with a single kubectl apply command, with the latest release referenced in the path to the yaml definition.
Cert Manager is an open source certificate-management solution designed specifically for Kubernetes clusters. It helps automate the management and issuance of X.509 certificates, which are used for securing communications between various components and services within a Kubernetes environment.
The Cert Manager project extends Kubernetes with custom resource definitions (CRDs) to define certificate-related objects, such as Certificate, CertificateRequest and ClusterIssuer. By using Cert Manager, Kubernetes users can simplify the management of TLS certificates within their clusters. It ensures that all the necessary components, such as ingress controllers, pods and services, have valid and up-to-date certificates, thereby enhancing the security and reliability of the Kubernetes environment.
Step 4: Install kpack
Kpack is an open source project that integrates with Kubernetes to provide a container-native build process. It consumes Cloud Native Buildpacks to export OCI-compatible containers. By using kpack, developers can adopt a cloud native approach to building and packaging applications to deploy on Kubernetes clusters.
kpack is installed with a single kubectl apply command, with the latest release referenced in the path to the yaml definition.
|
1 |
kubectl apply -f https://github.com/pivotal/kpack/releases/download/v0.11.0/release-0.11.0.yaml |
Step 5: Create Root Namespaces
|
1 2 3 4 5 6 7 8 9 10 11 |
cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Namespace metadata: name: $ROOT_NAMESPACE labels: pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/enforce: restricted EOF |
|
1 2 3 4 5 6 7 8 9 10 |
cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Namespace metadata: name: $KORIFI_NAMESPACE labels: pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/enforce: restricted EOF |
In this step, we create the cf and korifi namespaces.
Step 6: Install Contour
|
1 |
kubectl apply -f https://projectcontour.io/quickstart/contour.yaml |
Contour is an open source Ingress controller for Kubernetes that is built on top of the Envoy proxy. An Ingress controller is a Kubernetes resource that manages the inbound network traffic to services within a cluster. It acts as a gateway and provides external access to the services running inside the cluster. Contour specifically focuses on providing advanced features and capabilities for managing Ingress in Kubernetes.
Step 7: Create a Secret to Help Access the Container Registry
|
1 2 3 |
kubectl --namespace "cf" create secret docker-registry image-registry-credentials --docker-server="us-central1-docker.pkg.dev" --docker-username="_json_key" --docker-password "$(awk -v RS= '{$1=$1}1' ~/Downloads/summit-labs-8ff7123608fe.json)" |
A container registry is used to manage all the containers built for deployment on the cluster. At the end of the build workflow, packages are uploaded to it and the start of a run workflow pulls containers from there for deployment. In this case, we are using Google Artifact Registry for pushing and pulling images.
Alternate container registries (such as Docker Hub, Github Container Registry, etc.) can be used. Please see the installation documents for specific information.
Step 8: Install Korifi
|
1 2 3 4 5 6 7 8 9 10 11 |
helm install korifi https://github.com/cloudfoundry/korifi/releases/download/v0.7.1/korifi-0.7.1.tgz -- namespace="korifi" --set=global.generateIngressCertificates=true --set=global.rootNamespace="cf" -- set=global.containerRegistrySecret="image-registry-credentials" --set=adminUserName="system:admin" -- set=api.apiServer.url="api.localhost" --set=global.defaultAppDomainName="apps.localhost" -- set=global.containerRepositoryPrefix="us-central1-docker.pkg.dev/summit-labs/korifi/korifi-" -- set=kpackImageBuilder.builderRepository="us-central1-docker.pkg.dev/summit-labs/korifi/kpack-builder" --wait |
Korifi is installed using the official helm chart. Each release has a corresponding helm chart which is updated by the community. All the options available for customizing the helm chart are available here.
Step 9: Authenticate with the Cloud Foundry API
|
1 2 3 |
cf api https://api.localhost --skip-ssl-validation cf login |
There are two steps to be taken for authenticating with the Cloud Foundry API. The first is to set the URL for the API. The second is the login command. The output for this will ask which of the different user identities you would like to use. Select the default one to proceed.
Step 9: Create and Org and Space
|
1 2 3 4 |
cf create-org acme-corp cf target -o acme-corp cf create-space -o acme-corp foo-bu && cf target -o acme-corp -s foo-bu |
In Cloud Foundry parlance,
- The target refers to setting the active organization and space within a Cloud Foundry instance.
- An organization (org) is a logical grouping of users, applications and services, providing administrative and collaborative control.
- A space is a subdivision within an organization, offering isolation and independence for different teams or projects to develop and manage their applications and services.
Step 10: Deploy the Application
|
1 |
cf push mighty-monkey -p ~/sandbox/korifi/tests/smoke/assets/test-node-app/ |
The single cf push command is used to deploy an application to the K3s instance that has Korifi installed on it.
Conclusion
The Cloud Foundry community has a goal to make Korifi a tool of choice for operators who work with large volumes of application developers and would like a tool to help them manage their Kubernetes clusters at scale. Korifi has been built based on principles gleaned from decades of production excellence with Cloud Foundry. With Korifi running on a K3s instance, it becomes simpler to deploy to the edge and IoT devices running Kubernetes.
