Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Edge Documentation / Tips and Tricks / Elemental

27 Elemental

 

27.1 Common

 

27.1.1 Expose Rancher service

 

When using RKE2 or K3s we need to expose services (Rancher in this context) from the management cluster as they are not exposed by default. In RKE2 there is an NGINX Ingress controller, whilst k3s is using Traefik. The current workflow suggests using MetalLB for announcing a service (via L2 or BGP Advertisement) and the respective Ingress Controller to create an Ingress via HelmChartConfig since creating a new Ingress object would override the existing setup.

  1. Install Rancher Prime (via Helm) and configure the necessary values

    hostname: rancher-192.168.64.101.sslip.io
replicas: 1
bootstrapPassword: Admin
global.cattle.psp.enabled: "false"
    Tip
    Tip

    Follow the Rancher installation documentation for more details.

  2. Create a LoadBalancer service to expose Rancher

    kubectl apply -f - <<EOF
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: "true"
        enable-real-ip: "true"
      publishService:
        enabled: true
      service:
        enabled: true
        type: LoadBalancer
        externalTrafficPolicy: Local
EOF

  3. Create an IP Address Pool for the service using the IP address we set up earlier in the Helm values

    kubectl apply -f - <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ingress-ippool
  namespace: metallb-system
spec:
  addresses:
  - 192.168.64.101/32
  serviceAllocation:
    priority: 100
    serviceSelectors:
    - matchExpressions:
      - {key: app.kubernetes.io/name, operator: In, values: [rke2-ingress-nginx]}
EOF

  4. Create an L2 Advertisement for the IP address pool

    kubectl apply -f - <<EOF
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: ingress-l2-adv
  namespace: metallb-system
spec:
  ipAddressPools:
  - ingress-ippool
EOF

  5. Ensure Elemental is properly installed

    1. Install the Elemental Operator and Elemental UI on the management nodes

    2. Add the Elemental configuration on the downstream node together with a registration code, as that will prompt Edge Image Builder to include the remote registration option for the machine.

Tip
Tip

Check Section 2.5, “Install Elemental” and Section 2.6, “Configure Elemental” for additional information and examples.

27.2 Hardware Specific

 

27.2.1 Trusted Platform Module

 

It is necessary to properly handle the Trusted Platform Module (TPM) configuration. Failing to do so will result in errors similar to the following:

Nov 25 18:17:06 eled elemental-register[4038]: Error: registering machine: cannot generate authentication token: opening tpm for getting attestation data: TPM device not available

This can be mitigated by one of the following approaches:

  • Enable TPM in the Virtual Machine settings

Example with UTM on MacOS

TPM

  • Emulate TPM by using negative value for the TPM seed in the MachineRegistration resource

apiVersion: elemental.cattle.io/v1beta1
kind: MachineRegistration
metadata:
  name: ...
  namespace: ...
spec:
    ...
    elemental:
      ...
      registration:
        emulate-tpm: true
        emulated-tpm-seed: -1

  • Disable TPM in the MachineRegistration resource

apiVersion: elemental.cattle.io/v1beta1
kind: MachineRegistration
metadata:
  name: ...
  namespace: ...
spec:
    ...
    elemental:
      ...
      registration:
        emulate-tpm: false