Install SUSE Storage Using Rancher

One benefit of installing SUSE Storage through the Rancher Apps Marketplace is that Rancher provides authentication to the SUSE Storage UI.

If a new version of SUSE Storage is available, an Upgrade Available sign appears on the Apps Marketplace screen. Click the Upgrade button to upgrade Longhorn Manager. See more about upgrading here.

Prerequisites

Each node in the Kubernetes cluster where SUSE Storage is installed must fulfill these requirements.

The Longhorn Command Line Tool can be used to check the SUSE Storage environment for potential issues.

Authentication

To create the longhorn-system namespace, run the following command:

kubectl create namespace longhorn-system

Follow the Kubernetes authentication documentation to create a secret in the longhorn-system namespace.

kubectl create secret docker-registry application-collection \
  --docker-server=dp.apps.rancher.io \
  --namespace=longhorn-system \
  --docker-username=<your-username-or-service-account-username> \
  --docker-password=<access-token-or-service-account-secret>

Installation

To install SUSE Storage from SUSE Application Collection instead of Rancher’s default Longhorn community charts, configure a new repository in Rancher that points to the SUSE Application Collection chart repository for SUSE Storage. Refer to this guide for details on the process and how to authenticate the chart repository.

The following steps provide an example in Rancher. For detailed instructions, refer to the Rancher documentation.

  1. In Rancher, go to Apps > Repositories.

  2. Click the Create button.

  3. Select the OCI Repository radio button, enter the OCI chart registry path oci://dp.apps.rancher.io/charts/suse-storage along with the authentication, and then click Create.

    The repository should be added successfully.

  4. In Apps > Charts, you can see suse-storage available for installation.

  5. Click Install.

  6. Optional: Select the project where you want to install SUSE Storage.

  7. Optional: Customize the default settings.

    If you are using SUSE Rancher Prime, it is mandatory to enable Container Registry for Rancher System Container Images and set the value to dp.apps.rancher.io to ensure images are pulled from the correct registry.

  8. Click Next. In the YAML editor, add the value application-collection in the global.imagePullSecrets field.

  9. Click Next. SUSE Storage will be installed in the longhorn-system namespace.

  10. Click the SUSE Storage App Icon to navigate to the SUSE Storage dashboard.

After SUSE Storage is installed, you can access the SUSE Storage UI by navigating to the Longhorn option in the Rancher left panel.

Access UI With Network Policy Enabled

Note that when the Network Policy is enabled, access to the UI from Rancher may be restricted.

Rancher interacts with the SUSE Storage UI via a service called remotedialer, which facilitates connections between Rancher and the downstream clusters it manages. This service allows a user agent to access the cluster through an endpoint on the Rancher server. Remotedialer connects to the SUSE Storage UI service by using the Kubernetes API Server as a proxy.

However, when the Network Policy is enabled, the Kubernetes API Server may be unable to reach pods on different nodes. This occurs because the Kubernetes API Server runs in the host network namespace and has no dedicated per-pod IP address. If you’re using the Calico CNI plugin, any process in the host network namespace (such as the API Server) that connects to a pod triggers Calico to encapsulate the packet in IPIP before forwarding it to the remote host. The tunnel address is chosen as the source so that the remote host knows to encapsulate the return packets correctly.

In other words, to allow the proxy to work with the Network Policy, the Tunnel IP of each node must be identified and explicitly permitted in the policy.

You can find the Tunnel IP of each node by running:

$ kubectl get nodes -oyaml | grep "Tunnel"
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.197.0
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.99.0
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.158.0
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.80.0

Next, permit traffic in the Network Policy using the Tunnel IP. You may need to update the Network Policy whenever new nodes are added to the cluster.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: longhorn-ui-frontend
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      app: longhorn-ui
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 10.42.197.0/32
    - ipBlock:
        cidr: 10.42.99.0/32
    - ipBlock:
        cidr: 10.42.158.0/32
    - ipBlock:
        cidr: 10.42.80.0/32
    ports:
      - port: 8000
        protocol: TCP
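
Because the policy has to track the node list, the following added example (not part of the SUSE Storage documentation or Longhorn code) regenerates the same longhorn-ui-frontend policy from any projectcalico.org/IPv4*TunnelAddr node annotation. The function names and the sample annotations are constructed for illustration; the script refuses to emit a policy when no tunnel address is found, since an ingress rule with an empty from list matches all sources.

```shell
# Added example (not SUSE Storage or Longhorn code). With cluster access:
#   kubectl get nodes -o yaml | render_policy | kubectl apply -f -

# Constructed sample of node annotations (one duplicate, one non-tunnel key).
sample_nodes() {
  cat <<'EOF'
      projectcalico.org/IPv4Address: 192.0.2.10/24
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.197.0
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.99.0
      projectcalico.org/IPv4VXLANTunnelAddr: 10.42.99.0
EOF
}

# stdin: node YAML; stdout: unique tunnel IPv4 addresses, one per line.
tunnel_ips() {
  awk '/projectcalico\.org\/IPv4[A-Za-z]*TunnelAddr:/ {
         gsub(/"/, "", $2)
         if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2
       }' | LC_ALL=C sort -u
}

# stdin: node YAML; stdout: the NetworkPolicy manifest from this page.
render_policy() {
  ips=$(tunnel_ips)
  # An empty "from" list matches every source, so fail rather than emit one.
  if [ -z "$ips" ]; then
    echo "no Calico tunnel addresses found; not emitting a policy" >&2
    return 1
  fi
  cat <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: longhorn-ui-frontend
  namespace: longhorn-system
spec:
  podSelector:
    matchLabels:
      app: longhorn-ui
  policyTypes:
  - Ingress
  ingress:
  - from:
EOF
  for ip in $ips; do
    printf '    - ipBlock:\n        cidr: %s/32\n' "$ip"
  done
  printf '    ports:\n      - port: 8000\n        protocol: TCP\n'
}
```

Piping the output to kubectl diff -f - instead of kubectl apply -f - shows which /32 entries would be added or removed before the policy changes.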

Another way to resolve the issue is by running the server nodes with egress-selector-mode: cluster. For more information, see RKE2 Server Configuration Reference and K3s Control-Plane Egress Selector configuration.