Astra Control Center requirements

Contributors netapp-mwallis

Operational environment requirements

Astra Control Center has been validated on the following types of operational environments:

  • Google Anthos 1.10 or 1.11

  • Kubernetes 1.22 to 1.24

  • Rancher Kubernetes Engine (RKE):

    • RKE 1.2.16 with Rancher 2.5.12 and RKE 1.3.3 with Rancher 2.6.3

    • RKE 2 (v1.23.6+rke2r2) with Rancher 2.6.3

  • Red Hat OpenShift Container Platform 4.8, 4.9, or 4.10

  • VMware Tanzu Kubernetes Grid 1.4 or 1.5

  • VMware Tanzu Kubernetes Grid Integrated Edition 1.12.2 or 1.13

Ensure that the operating environment you choose to host Astra Control Center meets the basic resource requirements outlined in the environment’s official documentation. Astra Control Center requires the following resources in addition to the environment’s resource requirements:

| Component | Requirement |
|---|---|
| Storage backend capacity | At least 500GB available |
| Worker nodes | At least 3 worker nodes total, with 4 CPU cores and 12GB RAM each |
| FQDN address | An FQDN address for Astra Control Center |
| Astra Trident | Astra Trident 21.10.1 or newer installed and configured; Astra Trident 22.07 or newer for SnapMirror-based application replication |

Note These requirements assume that Astra Control Center is the only application running in the operational environment. If the environment is running additional applications, adjust these minimum requirements accordingly.

  • Image registry: You must have an existing private Docker image registry to which you can push Astra Control Center build images. You need to provide the URL of the image registry where you will upload the images.

  • Astra Trident / ONTAP configuration: Astra Control Center requires that a storage class be created and set as the default storage class. Astra Control Center supports the following ONTAP drivers provided by Astra Trident:

    • ontap-nas

    • ontap-san

    • ontap-san-economy

Note During app cloning in OpenShift environments, Astra Control Center needs to allow OpenShift to mount volumes and change the ownership of files. Because of this, you need to configure an ONTAP volume export policy to allow these operations. You can do so with the following commands:

  1. export-policy rule modify -vserver <storage virtual machine name> -policyname <policy name> -ruleindex 1 -superuser sys

  2. export-policy rule modify -vserver <storage virtual machine name> -policyname <policy name> -ruleindex 1 -anon 65534

Note If you plan to add a second OpenShift operational environment as a managed compute resource, you need to ensure that the Astra Trident Volume Snapshot feature is enabled. To enable and test volume snapshots with Astra Trident, see the official Astra Trident instructions.

VMware Tanzu Kubernetes Grid cluster requirements

When hosting Astra Control Center on a VMware Tanzu Kubernetes Grid (TKG) or Tanzu Kubernetes Grid Integrated Edition (TKGi) cluster, keep in mind the following considerations.

  • Disable the TKG or TKGi default storage class enforcement on any application clusters intended to be managed by Astra Control. You can do this by editing the TanzuKubernetesCluster resource on the namespace cluster.

  • As part of Astra Control Center installation, the following resources are created in a pod security policy (PSP) restricted environment:

    • pod security policy

    • RBAC Role

    • RBAC RoleBinding
      The RBAC Role and RoleBinding resources are created in the netapp-acc namespace.

  • Be aware of specific requirements for Astra Trident when you deploy Astra Control Center in a TKG or TKGi environment. For more information, see the Astra Trident documentation.

Note The default VMware TKG and TKGi configuration file token expires ten hours after deployment. If you use Tanzu portfolio products, you must generate a Tanzu Kubernetes Cluster configuration file with a non-expiring token to prevent connection issues between Astra Control Center and managed application clusters. For instructions, visit the VMware NSX-T Data Center Product Documentation.

Google Anthos cluster requirements

When hosting Astra Control Center on a Google Anthos cluster, note that Google Anthos includes the MetalLB load balancer and the Istio ingress gateway service by default, enabling you to simply use the generic ingress capabilities of Astra Control Center during installation. See Configure Astra Control Center for details.

Supported storage backends

Astra Control Center supports the following storage backends.

  • NetApp ONTAP 9.5 or newer AFF and FAS systems

  • NetApp ONTAP 9.8 or newer AFF and FAS systems for SnapMirror-based application replication

  • NetApp Cloud Volumes ONTAP

To use Astra Control Center, verify that you have the following ONTAP licenses, depending on what you need to accomplish:

  • FlexClone

  • SnapMirror: Optional. Needed only for replication to remote systems using SnapMirror technology. Refer to SnapMirror license information.

  • S3 license: Optional. Needed only for ONTAP S3 buckets

You might want to check whether your ONTAP system has the required licenses. Refer to Manage ONTAP licenses.

Application cluster requirements

Astra Control Center has the following requirements for clusters that you plan to manage from Astra Control Center. These requirements also apply if the cluster you plan to manage is the operational environment cluster that hosts Astra Control Center.

  • The most recent version of the Kubernetes snapshot-controller component is installed

  • An Astra Trident volumesnapshotclass object has been defined by an administrator

  • A default Kubernetes storage class exists on the cluster

  • At least one storage class is configured to use Astra Trident

Note Your application cluster should have a kubeconfig.yaml file that defines only one context element. Visit the Kubernetes documentation for information about creating kubeconfig files.

Note When managing application clusters in a Rancher environment, modify the application cluster’s default context in the kubeconfig file provided by Rancher to use a control plane context instead of the Rancher API server context. This reduces load on the Rancher API server and improves performance.
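
The storage class, volumesnapshotclass, and single-context requirements above can be checked before you add a cluster. The following is an added example, not NetApp code: it evaluates the parsed output of kubectl get storageclass -o json, kubectl get volumesnapshotclass -o json, and kubectl config view -o json. It assumes that Astra Trident registers the CSI name csi.trident.netapp.io and that storage classes select a driver through the backendType parameter; the function name and sample objects are constructed for illustration. It does not check the snapshot-controller version.

```python
TRIDENT_CSI = "csi.trident.netapp.io"  # assumed CSI provisioner/driver name for Astra Trident
DEFAULT_ANNOTATION = "storageclass.kubernetes.io/is-default-class"
SUPPORTED_BACKENDS = {"ontap-nas", "ontap-san", "ontap-san-economy"}  # drivers listed on this page


def preflight(storage_classes, snapshot_classes, kubeconfig):
    """Return the unmet requirements as strings; an empty list means every check passed."""
    problems = []
    scs = storage_classes.get("items", [])

    # A default storage class must exist; more than one is ambiguous (extra check, not from the page).
    defaults = sorted(sc["metadata"]["name"] for sc in scs
                      if (sc["metadata"].get("annotations") or {}).get(DEFAULT_ANNOTATION) == "true")
    if not defaults:
        problems.append("no default storage class")
    elif len(defaults) > 1:
        problems.append("multiple default storage classes: " + ", ".join(defaults))

    # At least one storage class must be provisioned by Trident, on a supported ONTAP driver.
    trident = [sc for sc in scs if sc.get("provisioner") == TRIDENT_CSI]
    if not trident:
        problems.append("no storage class uses Astra Trident")
    for sc in trident:
        backend = (sc.get("parameters") or {}).get("backendType")
        if backend is not None and backend not in SUPPORTED_BACKENDS:
            problems.append(f"storage class {sc['metadata']['name']}: unsupported driver {backend}")

    # An administrator must have defined a volumesnapshotclass backed by Trident.
    if not any(v.get("driver") == TRIDENT_CSI for v in snapshot_classes.get("items", [])):
        problems.append("no Astra Trident volumesnapshotclass defined")

    # The kubeconfig handed to Astra Control Center should define only one context.
    contexts = kubeconfig.get("contexts") or []
    if len(contexts) != 1:
        problems.append(f"kubeconfig defines {len(contexts)} contexts, expected 1")
    return problems


# Constructed sample input, shaped like `kubectl ... -o json` output.
SAMPLE_SC = {"items": [
    {"metadata": {"name": "ontap-gold", "annotations": {DEFAULT_ANNOTATION: "true"}},
     "provisioner": TRIDENT_CSI, "parameters": {"backendType": "ontap-nas"}},
    {"metadata": {"name": "local-path"}, "provisioner": "rancher.io/local-path"},
]}
SAMPLE_VSC = {"items": [{"metadata": {"name": "trident-snap"}, "driver": TRIDENT_CSI}]}
SAMPLE_KUBECONFIG = {"contexts": [{"name": "control-plane"}, {"name": "rancher-api"}]}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_SC, SAMPLE_VSC, SAMPLE_KUBECONFIG):
        print("FAIL:", problem)
```

With the constructed sample, the only failure reported is the second kubeconfig context, which is the Rancher case described in the note above.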

Application management requirements

Astra Control has the following application management requirements:

  • Licensing: To manage applications using Astra Control Center, you need an Astra Control Center license.

  • Namespaces: Astra Control requires that an app not span more than a single namespace, but a namespace can contain more than one app.

  • StorageClass: If you install an application with a StorageClass explicitly set and you need to clone the app, the target cluster for the clone operation must have the originally specified StorageClass. Cloning an application with an explicitly set StorageClass to a cluster that does not have the same StorageClass will fail.

  • Kubernetes resources: Applications that use Kubernetes resources not collected by Astra Control might not have full app data management capabilities. Astra Control collects the following Kubernetes resources:

    ClusterRole

    ClusterRoleBinding

    ConfigMap

    CronJob

    CustomResourceDefinition

    CustomResource

    DaemonSet

    DeploymentConfig

    HorizontalPodAutoscaler

    Ingress

    MutatingWebhook

    NetworkPolicy

    PersistentVolumeClaim

    Pod

    PodDisruptionBudget

    PodTemplate

    ReplicaSet

    Role

    RoleBinding

    Route

    Secret

    Service

    ServiceAccount

    StatefulSet

    ValidatingWebhook

Replication prerequisites

Astra Control application replication requires that the following prerequisites be met before you begin:

  • To achieve seamless disaster recovery, we recommend that you deploy Astra Control Center in a third fault domain or secondary site.

  • The app’s host Kubernetes cluster and a destination Kubernetes cluster must be available and connected to two ONTAP clusters, ideally at different failure domains or sites.

  • ONTAP clusters and the host SVM must be paired. See Cluster and SVM peering overview.

  • The paired remote SVM must be available to Trident on the destination cluster.

  • Trident version 22.07 or greater must exist on both the source and destination ONTAP clusters.

  • ONTAP SnapMirror asynchronous licenses using the Data Protection bundle must be enabled on both the source and destination ONTAP clusters. See SnapMirror licensing overview in ONTAP.

  • When you add an ONTAP storage backend to Astra Control Center, apply user credentials with the "admin" role, which has access methods http and ontapi enabled on both ONTAP clusters. See Manage User Accounts for more information.

  • Both source and destination Kubernetes clusters and ONTAP clusters must be managed by Astra Control.

    Note You can simultaneously replicate a different app (running on the other cluster or site) in the opposite direction. For example, Apps A, B, C can be replicated from Datacenter 1 to Datacenter 2; and Apps X, Y, Z can be replicated from Datacenter 2 to Datacenter 1.

Supported application installation methods

Astra Control supports the following application installation methods:

  • Manifest file: Astra Control supports apps installed from a manifest file using kubectl. For example:

    kubectl apply -f myapp.yaml

  • Helm 3: If you use Helm to install apps, Astra Control requires Helm version 3. Managing and cloning apps installed with Helm 3 (or upgraded from Helm 2 to Helm 3) is fully supported. Managing apps installed with Helm 2 is not supported.

  • Operator-deployed apps: Astra Control supports apps installed with namespace-scoped operators. The following are some apps that have been validated for this installation model:

Note An operator and the app it installs must use the same namespace; you might need to modify the deployment .yaml file for the operator to ensure this is the case.

Access to the internet

You should determine whether you have outside access to the internet. If you do not, some functionality might be limited, such as receiving monitoring and metrics data from NetApp Cloud Insights, or sending support bundles to the NetApp Support Site.

License

Astra Control Center requires an Astra Control Center license for full functionality. Obtain an evaluation license or full license from NetApp. You need a license to protect your applications and data. Refer to Astra Control Center features for details.

You can try Astra Control Center with an evaluation license, which lets you use Astra Control Center for 90 days from the date you download the license. You can sign up for a free trial by registering here.

For details about licenses needed for ONTAP storage backends, refer to Supported storage backends.

For details about how licenses work, see Licensing.

Ingress for on-premises Kubernetes clusters

You can choose the type of network ingress Astra Control Center uses. By default, Astra Control Center deploys the Astra Control Center gateway (service/traefik) as a cluster-wide resource. Astra Control Center also supports using a service load balancer, if one is permitted in your environment. If you would rather use a service load balancer and you don’t already have one configured, you can use the MetalLB load balancer to automatically assign an external IP address to the service. In the internal DNS server configuration, you should point the chosen DNS name for Astra Control Center to the load-balanced IP address.

Note If you are hosting Astra Control Center on a Tanzu Kubernetes Grid cluster, use the kubectl get nsxlbmonitors -A command to see if you already have a service monitor configured to accept ingress traffic. If one exists, you should not install MetalLB, because the existing service monitor will override any new load balancer configuration.

For more information, see Set up ingress for load balancing.

Networking requirements

The operational environment that hosts Astra Control Center communicates using the following TCP ports. You should ensure that these ports are allowed through any firewalls, and configure firewalls to allow any HTTPS egress traffic originating from the Astra network. Some ports require connectivity both ways between the environment hosting Astra Control Center and each managed cluster (noted where applicable).

Note You can deploy Astra Control Center in a dual-stack Kubernetes cluster, and Astra Control Center can manage applications and storage backends that have been configured for dual-stack operation. For more information about dual-stack cluster requirements, see the Kubernetes documentation.

| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Client PC | Astra Control Center | 443 | HTTPS | UI / API access - Ensure this port is open both ways between the cluster hosting Astra Control Center and each managed cluster |
| Metrics consumer | Astra Control Center worker node | 9090 | HTTPS | Metrics data communication - ensure each managed cluster can access this port on the cluster hosting Astra Control Center (two-way communication required) |
| Astra Control Center | Hosted Cloud Insights service (https://cloudinsights.netapp.com) | 443 | HTTPS | Cloud Insights communication |
| Astra Control Center | Amazon S3 storage bucket provider (https://my-bucket.s3.us-west-2.amazonaws.com/) | 443 | HTTPS | Amazon S3 storage communication |
| Astra Control Center | NetApp AutoSupport (https://support.netapp.com) | 443 | HTTPS | NetApp AutoSupport communication |

Supported web browsers

Astra Control Center supports recent versions of Firefox, Safari, and Chrome with a minimum resolution of 1280 x 720.

What’s next

View the quick start overview.