Requirements

Qovery requires a Kubernetes cluster that meets the following requirements:

  • Kubernetes version 1.26 or higher
  • Helm version 3.0 or higher
  • From 1 CPU to 4 CPU depending on the third-party components you want to install
  • From 512 MB to 4 GB RAM depending on the third-party components you want to install
  • 20 GB disk space
  • Access to the Internet
  • A private registry

Why does Qovery need a Container Registry?

Qovery requires a private container registry to store built images and mirror containers, which reduces the risk of a third party deleting images while you still need them (more info here).

⚠️ Temporary limitations

Qovery BYOK is still under development and has some temporary limitations, which will be removed within February 2024.

Kubernetes hosting & access

You can run Qovery BYOK on any Kubernetes cluster running on:

  • AWS
  • GCP
  • Scaleway

To access your Kubernetes cluster and deploy on it, Qovery needs:

  • your cloud provider credentials
  • the cluster Kubeconfig

The cluster must be reachable from the internet so that Qovery can deploy on it.

Container registry

As of now, we only support AWS ECR or GCP GCR as Container Registries.

Below you can find the installation steps to make your cluster work with ECR or GCR.

Create an IAM user with the following policy, and generate an access key:

{
  "Statement": [
    {
      "Action": [
        "ecr:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}

Then, create a config.yaml file to configure the ECR Credentials Provider, where you should set the AWS credentials previously generated:

config.yaml
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
  - name: ecr-credential-provider
    matchImages:
      - "*.dkr.ecr.*.amazonaws.com"
      - "*.dkr.ecr.*.amazonaws.com.cn"
      - "*.dkr.ecr-fips.*.amazonaws.com"
      - "*.dkr.ecr.us-iso-east-1.c2s.ic.gov"
      - "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov"
    defaultCacheDuration: "12h"
    apiVersion: credentialprovider.kubelet.k8s.io/v1
    env:
      - name: AWS_ACCESS_KEY_ID
        value: CHANGE_ME
      - name: AWS_DEFAULT_REGION
        value: CHANGE_ME
      - name: AWS_SECRET_ACCESS_KEY
        value: CHANGE_ME

Here we use the Kubelet Credential Provider to inject the AWS credentials into the pods. The config.yaml file is mounted into the Kubernetes nodes, and the ecr-credential-provider binary is also mounted into the nodes.
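
The matchImages list in config.yaml decides for which image pulls the kubelet runs the ecr-credential-provider plugin with the AWS keys set under env. The Python sketch below is an added example, not Qovery or Kubernetes code: it re-implements the matching rules documented for the kubelet credential provider and applies the patterns above to constructed image references. The function names, account ID and repository names are made up, and it assumes fully qualified references that start with the registry host.

```python
# Added example (not Qovery or Kubernetes code): which image pulls would make
# the kubelet invoke ecr-credential-provider under the matchImages list above.
from fnmatch import fnmatchcase

MATCH_IMAGES = [  # copied from config.yaml
    "*.dkr.ecr.*.amazonaws.com",
    "*.dkr.ecr.*.amazonaws.com.cn",
    "*.dkr.ecr-fips.*.amazonaws.com",
    "*.dkr.ecr.us-iso-east-1.c2s.ic.gov",
    "*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov",
]


def split_ref(ref):
    """Split 'host[:port][/path]' into (host labels, port, path)."""
    hostport, _, path = ref.partition("/")
    host, _, port = hostport.partition(":")
    return host.split("."), port, ("/" + path if path else "")


def pattern_matches(pattern, image):
    """Documented rules: '*' stays within one host label, the label count and
    the port must be equal, and the pattern path is a prefix of the image path."""
    p_labels, p_port, p_path = split_ref(pattern)
    i_labels, i_port, i_path = split_ref(image)
    if p_port != i_port or len(p_labels) != len(i_labels):
        return False
    if not all(fnmatchcase(i, p) for p, i in zip(p_labels, i_labels)):
        return False
    return i_path.startswith(p_path)


def provider_invoked(image, patterns=MATCH_IMAGES):
    """Return the first pattern that routes this pull to the plugin, else None."""
    return next((p for p in patterns if pattern_matches(p, image)), None)


if __name__ == "__main__":
    # Constructed image references; the account ID and repository are made up.
    for image in (
        "123456789012.dkr.ecr.eu-west-3.amazonaws.com/app:1.0",
        "123456789012.dkr.ecr-fips.us-east-1.amazonaws.com/app:1.0",
        "public.ecr.aws/nginx/nginx:latest",
        "extra.123456789012.dkr.ecr.eu-west-3.amazonaws.com/app:1.0",
        "123456789012.dkr.ecr.eu-west-3.amazonaws.com.example.net/app:1.0",
    ):
        print(f"{provider_invoked(image) or 'no match':34} {image}")
```

Only the private ECR hostnames match. A reference with an extra host label or a different suffix falls outside every pattern, so the plugin is not called for that pull.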