
Installing Ascender

Overview

Ascender is installed using the ascender-install tool, which automates deployment across multiple Kubernetes platforms. The installer uses Ansible under the hood, driven by a single configuration file (custom.config.yml) that defines your deployment.

Ascender Pro

Ascender Pro adds analytics, reporting, and log aggregation on top of Ascender. It is installed using the same tool and configuration file. See the Ascender Pro Installation Guide to include it in your deployment, or contact us if you're interested in getting access.

Getting Started

Clone the ascender-install repository and create your configuration file:

git clone https://github.com/ctrliq/ascender-install.git
cd ascender-install

Create a custom.config.yml with the settings for your deployment. Use default.config.yml as a reference for all available options. Do not copy it wholesale as it contains settings for every platform and will need to be heavily edited.

Note

The repository also includes a config_vars.sh interactive script that can generate custom.config.yml through a series of prompts.

Quick Start: K3s

K3s is the fastest way to get Ascender running. Set kube_install: true and the installer will set up a single-node K3s cluster and deploy Ascender on it. No pre-existing Kubernetes required.

Minimum system requirements:

  • 2 CPUs
  • 8 GB memory (4 GB if not installing Ascender Pro)
  • 20 GB free in /var
  • Rocky Linux 8 or 9

DNS

This quick start uses nip.io for simplicity. nip.io is a public wildcard DNS service. ascender.<SERVER-IP>.nip.io automatically resolves to <SERVER-IP> with no DNS configuration required. For a real deployment, use your own DNS name (e.g., ascender.example.com) and point it at your server.

Replace <SERVER-IP> with your server's IP address throughout.

Generate a self-signed TLS certificate. Run this from inside the ascender-install directory. The certificate files will be created there so the installer can locate them automatically:

openssl req -x509 -newkey rsa:4096 -keyout ascender.key -out ascender.crt -days 365 -nodes \
  -subj "/CN=ascender.<SERVER-IP>.nip.io" \
  -addext "subjectAltName=DNS:ascender.<SERVER-IP>.nip.io"

Create custom.config.yml:

k8s_platform: k3s
k8s_lb_protocol: https
kube_install: true
download_kubeconfig: true
k3s_master_node_ip: "<SERVER-IP>"
tls_crt_path: "{{ playbook_dir }}/../ascender.crt"
tls_key_path: "{{ playbook_dir }}/../ascender.key"
ASCENDER_HOSTNAME: <ascender.<SERVER-IP>.nip.io>
ASCENDER_NAMESPACE: ascender
ASCENDER_ADMIN_USER: admin
ASCENDER_ADMIN_PASSWORD: "<change-me>"
ASCENDER_VERSION: 25.3.5
ASCENDER_OPERATOR_VERSION: 2.19.4
ascender_garbage_collect_secrets: true
ascender_setup_playbooks: true

Run these commands on the server where K3s will be installed. The default inventory file uses localhost, so no changes are needed. Run the installer:

sudo ./setup.sh

A successful install ends with:

ASCENDER SUCCESSFULLY SETUP

Verify the pods are running:

kubectl get pods -n ascender

Access the Ascender web UI at https://ascender.<SERVER-IP>.nip.io. The nip.io hostname resolves automatically with no DNS or /etc/hosts changes needed.

To include Ascender Pro in this deployment, add LEDGER_INSTALL: true and the required registry credentials to your custom.config.yml before running setup.sh. See the Ascender Pro installation guide for the full variable reference.

RKE2

RKE2 is a strong option for production deployments and supports running on RLC-Hardened for environments that require additional security hardening. Unlike K3s, the installer does not create the RKE2 cluster. You set it up first, then run the Ascender installer against it. See the RKE2 guide for both single-node and HA cluster setup, or the RKE2 Offline Install guide for air-gapped environments.

Cloud Platforms

Each cloud platform has its own prerequisites (CLI tools, IAM configuration, DNS zones) and platform-specific variables. See the dedicated guides:

Cloud installs require Rocky Linux 9 and the appropriate CLI tool authenticated on the install server.

Other Platforms

DKP requires a single additional variable:

Variable | Description
DKP_CLUSTER_NAME | Name of the DKP cluster to deploy to or create

OCP (OpenShift) follows the common configuration. Refer to default.config.yml for any OCP-specific defaults.

Upgrading

To upgrade an existing Ascender installation, pull the latest installer first to pick up any bug fixes, then update ASCENDER_VERSION (and ASCENDER_OPERATOR_VERSION if needed) in your custom.config.yml and re-run:

git pull
sudo ./setup.sh

The installer handles the upgrade process through the Ascender Operator.

Configuration Reference

Kubernetes Platform

Variable | Default | Description
k8s_platform | k3s | Target Kubernetes platform. Options: k3s, eks, aks, gke, rke2, dkp, ocp
k8s_lb_protocol | http | Load balancer protocol. Set to https to enable TLS (requires certificate configuration below)
download_kubeconfig | false | Copy the kubeconfig from the target host to ~/.kube/config on the installing machine

Offline Install

These variables are used for air-gapped or offline deployments on K3s and RKE2.

Variable | Default | Description
k8s_offline | false | Use local assets for an offline install
k8s_container_registry | (empty) | Internal container registry and namespace where the cluster can access Ascender and operator images (e.g., registry.internal/ascender). Also sets the operator image path
k8s_image_pull_secret | None | Kubernetes secret containing credentials for the internal registry holding Ascender images. Leave as None if no authentication is required
k8s_ee_pull_credentials_secret | None | Kubernetes secret containing credentials for the internal registry holding Execution Environment images. Leave as None if no authentication is required

Ascender Application

Variable | Default | Description
ASCENDER_HOSTNAME | ascender.example.com | DNS-resolvable hostname for the Ascender web UI. Required
ASCENDER_DOMAIN | example.com | Base domain for all components. Required for cloud platforms (EKS, GKE, AKS). Not required for K3s or RKE2
ASCENDER_NAMESPACE | ascender | Kubernetes namespace for Ascender objects
ASCENDER_ADMIN_USER | admin | Administrator username
ASCENDER_ADMIN_PASSWORD | myadminpassword | Administrator password. Change this before installing
ASCENDER_IMAGE | ghcr.io/ctrliq/ascender | OCI container image for Ascender. Only change this if using an internal registry
ASCENDER_VERSION | 25.3.5 | Image tag applied to ASCENDER_IMAGE. See Ascender releases for available versions
ASCENDER_OPERATOR_VERSION | 2.19.4 | Version of the Ascender Operator that manages the Ascender lifecycle on Kubernetes. The operator and Ascender versions are released independently; see operator releases for available versions
ascender_replicas | 1 | Number of Ascender web pods
ascender_garbage_collect_secrets | true | When true, Kubernetes secrets (admin password, secret key, DB credentials) are deleted if the Ascender deployment is removed from the cluster. Set to false to preserve these secrets after CR deletion
ascender_setup_playbooks | true | Deploy demo playbooks after installation
ascender_image_pull_policy | Always | Image pull policy for Ascender containers. Set to Never for offline installs

The following variable is optional and enables Ascender Automation Mesh:

Variable | Default | Description
ASCENDER_MESH_HOSTNAME | (unset) | DNS hostname for Mesh service. Mesh is not configured unless this is set

Execution Environments (Optional)

To pull additional container images for use as Execution Environments, add the ee_images list to your configuration:

ee_images:
  - name: <my-custom-ee>
    image: <registry.example.com/namespace/my-custom-ee:latest>
  - name: <another-ee>
    image: <registry.example.com/namespace/another-ee:2.0>

Each entry requires a name (informal label) and image (full registry path with optional tag).

TLS Configuration

Required when k8s_lb_protocol is set to https. On cloud platforms (EKS, GKE, AKS), certificate handling may differ (see the platform-specific guides).

Variable | Default | Description
tls_crt_path | ~/ascender.crt | Path to TLS certificate file (PEM format). Set to "{{ playbook_dir }}/../ascender.crt" when the cert is placed in the ascender-install directory
tls_key_path | ~/ascender.key | Path to TLS private key file (PEM format). Set to "{{ playbook_dir }}/../ascender.key" when the key is placed in the ascender-install directory
custom_cacert_bundle | (unset) | Optional CA bundle path containing your CA cert and external CA certs
custom_ldap_cacert | (unset) | Optional LDAP CA certificate path

Ascender Pro (Optional)

About the LEDGER_ variable prefix

Ascender Pro was previously named Ledger. The product has been renamed but the configuration variables still use the LEDGER_ prefix. LEDGER_INSTALL, LEDGER_HOSTNAME, and all related variables refer to Ascender Pro.

Ascender Pro provides analytics, reporting, and log aggregation for Ascender. Set LEDGER_INSTALL to true to include it in your deployment. See the Ascender Pro Installation Guide for full configuration details, or contact us if you're interested in getting access.

See the Ascender Pro installation guide for full configuration, registry setup, post-install steps (logging integration, license activation), and scaling options.

External PostgreSQL (Optional)

By default, Ascender deploys its own PostgreSQL instance. To use an external PostgreSQL server instead, uncomment and set the following variables:

Warning

The PostgreSQL password must not contain special characters. This is an installer limitation related to how the password is passed through the configuration.

Variable | Default | Description
ASCENDER_PGSQL_HOST | (unset) | External PostgreSQL hostname or IP
ASCENDER_PGSQL_PORT | 5432 | External PostgreSQL port
ASCENDER_PGSQL_USER | ascender | PostgreSQL username
ASCENDER_PGSQL_PWD | (unset) | PostgreSQL password
ASCENDER_PGSQL_DB | ascenderdb | Database name (must already exist)

Storage for the built-in PostgreSQL instance is configurable on new installs only:

Variable | Description
POSTGRES_PVC_SIZE_GB | PVC size in GB
POSTGRES_STORAGE_CLASS | Storage class for the PVC

Warning

Do not change POSTGRES_PVC_SIZE_GB or POSTGRES_STORAGE_CLASS on an existing install.
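
Added example (not part of ascender-install or the original guide): a pre-flight check to run before setup.sh, covering the settings this page ties to credentials and TLS: ASCENDER_ADMIN_PASSWORD, k8s_lb_protocol with tls_crt_path and tls_key_path, and ASCENDER_PGSQL_PWD. The function name preflight, the flat "key: value" parsing, and reading "special characters" as anything other than letters and digits are assumptions.

```sh
#!/bin/sh
# Added example, not part of ascender-install. Assumes custom.config.yml uses flat
# "key: value" lines (no trailing comments) and sits in the ascender-install directory.
# Usage: . ./preflight.sh && preflight custom.config.yml

preflight() {
  cfg=$1; findings=0                       # findings stays set for the caller
  cfg_dir=$(cd "$(dirname "$cfg")" && pwd)

  # Last value given for a key, with surrounding double quotes removed.
  get() { sed -n "s/^$1:[[:space:]]*//p" "$cfg" | tail -n 1 |
          sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'; }
  # Map the guide's "{{ playbook_dir }}/.." and a leading "~" to real directories.
  resolve() { printf '%s\n' "$1" |
          sed -e "s|^{{ playbook_dir }}/\.\.|$cfg_dir|" -e "s|^~|$HOME|"; }
  flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

  # The documented default and the quick-start placeholder must not reach an install.
  case "$(get ASCENDER_ADMIN_PASSWORD)" in
    ''|myadminpassword|'<change-me>')
      flag "ASCENDER_ADMIN_PASSWORD is unset, the default, or the placeholder" ;;
  esac

  if [ "$(get k8s_lb_protocol)" != https ]; then
    flag "k8s_lb_protocol is not https (the default is http, no TLS)"
  else
    crt=$(resolve "$(get tls_crt_path)"); crt=${crt:-$HOME/ascender.crt}
    key=$(resolve "$(get tls_key_path)"); key=${key:-$HOME/ascender.key}
    [ -f "$crt" ] || flag "certificate not found: $crt"
    if [ ! -f "$key" ]; then
      flag "private key not found: $key"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
      # The key is written unencrypted (-nodes), so file mode is its only protection.
      flag "private key is accessible to group or others: $key"
    fi
  fi

  # Installer limitation: no special characters. Letters and digits only is assumed.
  case "$(get ASCENDER_PGSQL_PWD)" in
    *[!A-Za-z0-9]*) flag "ASCENDER_PGSQL_PWD contains a special character" ;;
  esac

  [ "$findings" -eq 0 ]
}
```

The function returns non-zero when anything is flagged, so it can gate the installer: preflight custom.config.yml && sudo ./setup.sh.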

Artifacts Directory

Variable | Default | Description
tmp_dir | ascender_install_artifacts/ | Directory for generated manifests, backups, and temporary artifacts