LogoLogo
StackState.comDownloadSupportExplore playground
SUSE Observability
SUSE Observability
  • SUSE Observability docs!
  • Docs for all SUSE Observability products
  • 🚀Get started
    • Quick start guide
    • SUSE Observability walk-through
    • SUSE Rancher Prime
      • Air-gapped
      • Agent Air-gapped
    • SUSE Cloud Observability
  • 🦮Guided troubleshooting
    • What is guided troubleshooting?
    • YAML Configuration
    • Changes
    • Logs
  • 🚨Monitors and alerts
    • Monitors
    • Out of the box monitors for Kubernetes
    • Notifications
      • Configure notifications
      • Notification channels
        • Slack
        • Teams
        • Webhook
        • Opsgenie
      • Troubleshooting
    • Customize
      • Add a monitor using the CLI
      • Derived State monitor
      • Dynamic Threshold monitor
      • Override monitor arguments
      • Write a remediation guide
  • 📈Metrics
    • Explore Metrics
    • Custom charts
      • Adding custom charts to components
      • Writing PromQL queries for representative charts
      • Troubleshooting custom charts
    • Advanced Metrics
      • Grafana Datasource
      • Prometheus remote_write
      • OpenMetrics
  • 📑Logs
    • Explore Logs
    • Log Shipping
  • 🔭Traces
    • Explore Traces
  • 📖Health
    • Health synchronization
    • Send health data over HTTP
      • Send health data
      • Repeat Snapshots JSON
      • Transactional Increments JSON
    • Debug health synchronization
  • 🔍Views
    • Kubernetes views
    • Custom views
    • Component views
    • Explore views
    • View structure
      • Overview perspective
      • Highlights perspective
      • Topology perspective
      • Events perspective
      • Metrics perspective
      • Traces perspective
      • Filters
      • Keyboard shortcuts
    • Timeline and time travel
  • 🕵️Agent
    • Network configuration
      • Proxy Configuration
    • Using a custom registry
    • Custom Secret Management
      • Custom Secret Management (Deprecated)
    • Request tracing
      • Certificates for sidecar injection
  • 🔭Open Telemetry
    • Overview
    • Getting started
      • Concepts
      • Kubernetes
      • Kubernetes Operator
      • Linux
      • AWS Lambda
    • Open telemetry collector
      • Sampling
      • SUSE Observability OTLP APIs
    • Instrumentation
      • Java
      • Node.js
        • Auto-instrumentation of Lambdas
      • .NET
      • SDK Exporter configuration
    • Troubleshooting
  • CLI
    • SUSE Observability CLI
  • 🚀Self-hosted setup
    • Install SUSE Observability
      • Requirements
      • Kubernetes / OpenShift
        • Kubernetes install
        • OpenShift install
        • Alibaba Cloud ACK install
        • Required Permissions
        • Override default configuration
        • Configure storage
        • Exposing SUSE Observability outside of the cluster
      • Initial run guide
      • Troubleshooting
        • Advanced Troubleshooting
        • Support Package (Logs)
    • Configure SUSE Observability
      • Slack notifications
      • E-mail notifications
      • Stackpacks
      • Advanced
        • Analytics
    • Release Notes
      • v2.0.0 - 11/Sep/2024
      • v2.0.1 - 18/Sep/2024
      • v2.0.2 - 01/Oct/2024
      • v2.1.0 - 29/Oct/2024
      • v2.2.0 - 09/Dec/2024
      • v2.2.1 - 10/Dec/2024
      • v2.3.0 - 30/Jan/2025
      • v2.3.1 - 17/Mar/2025
      • v2.3.2 - 22/Apr/2025
      • v2.3.3 - 07/May/2025
    • Upgrade SUSE Observability
      • Migration from StackState
      • Steps to upgrade
      • Version-specific upgrade instructions
    • Uninstall SUSE Observability
    • Air-gapped
      • SUSE Observability air-gapped
      • SUSE Observability Kubernetes Agent air-gapped
    • Data management
      • Backup and Restore
        • Kubernetes backup
        • Configuration backup
      • Data retention
      • Clear stored data
    • Security
      • Authentication
        • Authentication options
        • Single password
        • File-based
        • LDAP
        • Open ID Connect (OIDC)
          • Microsoft Entra ID
        • KeyCloak
        • Service tokens
        • Troubleshooting
      • RBAC
        • Role-based Access Control
        • Permissions
        • Roles
        • Scopes
      • Self-signed certificates
      • External secrets
  • 🔐Security
    • Service Tokens
    • API Keys
  • ☁️SaaS
    • User Management
  • Reference
    • SUSE Observability Query Language (STQL)
    • Chart units
    • Topology Identifiers
Powered by GitBook
LogoLogo

Legal notices

  • Privacy
  • Cookies
  • Responsible disclosure
  • SOC 2/SOC 3
On this page
  • Before you start
  • Install SUSE Observability
  • Create project
  • Generate baseConfig_values.yaml and sizing_values.yaml
  • Create openshift-values.yaml
  • Deploy SUSE Observability with Helm
  • Access the SUSE Observability UI
  • Manually create SecurityContextConfiguration objects
  • See also
  1. Self-hosted setup
  2. Install SUSE Observability
  3. Kubernetes / OpenShift

OpenShift install

SUSE Observability Self-hosted

PreviousKubernetes installNextAlibaba Cloud ACK install

Last updated 1 month ago

Before you start

Extra notes for installing on:

  • OpenShift clusters with limited permissions: Read the .

  • Kubernetes: Refer to the .

Before you start the installation of SUSE Observability:

  • Check that your OpenShift environment meets the

  • Ensure you have the OpenShift command line tools installed (oc)

  • Add the SUSE Observability helm repository to the local helm client:

helm repo add suse-observability https://charts.rancher.com/server-charts/prime/suse-observability
helm repo update

Install SUSE Observability

For environments without internet access, also known as air-gapped environments, first follow .

Also make sure to follow the air-gapped installation instructions whenever those are present for a step.

Create project

Start by creating the project where you want to install SUSE Observability. In our walkthrough we will use the namespace suse-observability:

oc new-project suse-observability

The project name is used in helm and kubectl commands as the namespace name in the --namespace flag

Generate baseConfig_values.yaml and sizing_values.yaml

The baseConfig_values.yaml file is required to deploy StackState with Helm. It contains your StackState license key, StackState Receiver API key and other important information. The sizing_values.yaml file is recommended to deploy StackState with Helm as it contains information about the resources that StackState will be provisioned with according to the size on the landscape you want to observe.

Before you continue: Make sure you have the latest version of the Helm charts with helm repo update.

The SUSE Observability baseConfig_values.yaml and sizing_values.yaml files can be generated by running a separate Helm Chart, the suse-observability/suse-observability-values chart. A sample command line is:

export VALUES_DIR=.
helm template \
  --set license='<your license>' \
  --set baseUrl='<suse-observability-base-url>' \
  --set sizing.profile='<sizing.profile>' \
  suse-observability-values \
  suse-observability/suse-observability-values --output-dir $VALUES_DIR

This command will generate a $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml and a $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml file which contains the necessary configuration for installing the SUSE Observability Helm Chart.

The SUSE Observability administrator passwords will be autogenerated by the above command and are output as comments in the generated basicConfig.yaml file. The actual values contain the bcrypt hashes of those passwords so that they're securely stored in the Helm release in the cluster.

The values that can be passed to this chart are:

Configuration
Value
Description

Basic Config generate

basicConfig.generate

Switch on or off the generation of the basicConfig_values.yaml file.

Receiver API Key

receiverApiKey

The API key used by SUSE Observability to receive data from agents. This is a secret key that should be kept private. If you omit this, a random key will be generated for you.

Base URL

baseUrl

The <STACKSTATE_BASE_URL>. The external URL for SUSE Observability that users and agents will use to connect. For example https://suse-observability.internal. If you haven't decided on an Ingress configuration yet, use http://localhost:8080. This can be updated later in the generated file.

Username and password**

-u -p

The username and password used by SUSE Observability to pull images. For air-gapped environments these need to be the username and password for the local docker registry.

License key

license

The SUSE Observability license key.

Default password

adminPassword

The password for the default user (admin) to access SUSE Observability's UI. If you omit this, a random password will be generated for you. If you do pass this value and it's not bcrypt hashed, the chart will hash it for you.

Image Registry

imageRegistry

The registry where the SUSE Observability images are hosted. If not provided, the default value will be 'quay.io'

Pull Secret Username

pullSecret.username

The username used to pull images from the Docker registry where the SUSE Observability images are hosted.

Pull Secret Password

pullSecret.password

The password used to pull images from the Docker registry where the SUSE Observability images are hosted.

Sizing generate

sizing.generate

Switch on or off the generation of the sizing_values.yaml file.

Sizing profile

sizing.profile

OneOf 10-nonha, 20-nonha, 50-nonha, 100-nonha, 150-ha, 250-ha, 500-ha. Based on this profiles the sizing_values.yaml file is generated containing default sizes for the SUSE Observability resources and configuration to be deployed on an Ha or NonHa mode. E.g. 10-nonha will produce a sizing_values.yaml meant to deploy a NonHa SUSE Observability instance to observe a 10 node cluster in a Non High Available mode. Currently moving from a nonha to an ha environment is not possible, so if you expect that your environment willrequire to observe around 150 nodes then better to go with ha immediately.

Store the generated basicConfig.yaml and sizing_values.yaml files somewhere safe. You can reuse this files for upgrades, which will save time and (more importantly) will ensure that SUSE Observability continues to use the same API key. This is desirable as it means Agents and other data providers for SUSE Observability won't need to be updated. The files can be regenerated independently using the switches basicConfig.generate=false and sizing.generate=false to disable any of them while still keeping the previosuly generated version of the file in the output-dir.

Create openshift-values.yaml

Because OpenShift has stricter security model than plain Kubernetes, all of the standard security contexts in the deployment need to be disabled.

Create a Helm values file openshift-values.yaml with the following content and store it next to the generated values.yaml file. This contains the values that are needed for an OpenShift deployment.

elasticsearch:
  prometheus-elasticsearch-exporter:
    podSecurityContext: ""
  sysctlInitContainer:
    enabled: false
scc:
  enabled: true
clickhouse:
   podSecurityContext:
      enabled: false
   containerSecurityContext:
      enabled: false

Deploy SUSE Observability with Helm

The recommended deployment of SUSE Observability is a production ready, high availability setup with many services running redundantly. If required, it's also possible to run SUSE Observability in a non-redundant setup, where each service has only a single replica. This setup is only recommended for a test environment.

For air-gapped environments follow the instructions for the air-gapped installations.

To deploy SUSE Observability in a high availability setup on OpenShift:

  1. Before you deploy:

  2. Deploy the latest SUSE Observability version to the suse-observability namespace with the following command:

helm upgrade \
  --install \
  --namespace suse-observability \
  --values $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml \
  --values $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml \
  --values openshift-values.yaml \
  --set "clickhouse.sidecars[0].securityContext.runAsUser=null" \
suse-observability \
suse-observability/suse-observability

To deploy SUSE Observability in an air-gapped setup on OpenShift:

  1. Before you deploy:

  2. Deploy the latest SUSE Observability version to the suse-observability namespace with the following command:

helm upgrade \
  --install \
  --namespace suse-observability \
  --values local-docker-registry.yaml \
  --values $VALUES_DIR/suse-observability-values/templates/baseConfig_values.yaml \
  --values $VALUES_DIR/suse-observability-values/templates/sizing_values.yaml \
  --values openshift-values.yaml \
  --set "clickhouse.sidecars[0].securityContext.runAsUser=null" \
suse-observability \
suse-observability/suse-observability

After the install, the SUSE Observability release should be listed in the SUSE Observability namespace and all pods should be running:

# Check the release is listed
helm list --namespace suse-observability

# Check pods are running
# It may take some time for all pods to be installed or available
kubectl get pods --namespace suse-observability

Access the SUSE Observability UI

After SUSE Observability has been deployed, you can check if all pods are up and running:

kubectl get pods --namespace suse-observability

When all pods are up, you can enable a port-forward:

kubectl port-forward service/suse-observability-router 8080:8080 --namespace suse-observability

SUSE Observability will now be available in your browser at https://localhost:8080. Log in with the username admin and the default password provided in the values.yaml file.

Next steps are

Manually create SecurityContextConfiguration objects

If you can't use an administrator account to install SUSE Observability on OpenShift, ask your administrator to apply the below SecurityContextConfiguration objects.

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: {{ template "common.fullname.short" . }}-{{ .Release.Namespace }}
  labels:
    {{- include "common.labels.standard" . | nindent 4 }}
  annotations:
    helm.sh/hook: pre-install
    suse-observability.io/note: "Ignored by helm uninstall, has to be deleted manually"
fsGroup:
  type: RunAsAny
groups:
- system:serviceaccounts:{{ .Release.Namespace }}
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
readOnlyRootFilesystem: false

See also

Give your .

For other configuration and management options, refer to the Kubernetes documentation -

🚀
Expose SUSE Observability outside of the cluster
Start monitoring your Kubernetes clusters
co-workers access
manage a SUSE Observability Kubernetes installation
required permissions
Kubernetes installation instructions
requirements
these extra instructions
Create the project where SUSE Observability will be installed
Generate baseConfig_values.yaml and sizing_values.yaml
Create the openshift-values.yaml file
Deploy SUSE Observability with Helm
Access the SUSE Observability UI
Manually create SecurityContextConfiguration objects
Create the project where SUSE Observability will be installed
Generate baseConfig_values.yaml and sizing_values.yaml
Create openshift-values.yaml
Create the project where SUSE Observability will be installed
Generate baseConfig_values.yaml and sizing_values.yaml
Create openshift-values.yaml