
41. Deploying Daalu Edge

One helm install, an outbound-only WireGuard tunnel, and your private cluster shows up green in the operator app.

This is the deepest chapter in the handbook, but the customer-facing experience is short: you run helm install once, and the cluster row turns green. Everything after that is automatic.

If you don’t operate a Kubernetes cluster yourself, you can skip this chapter — federation is opt-in.

Why it matters: The edge is what lets Daalu reach things behind your firewall without you opening a single inbound port. The tunnel is outbound-only, so revocation is as simple as deleting the chart.


Prerequisites

  • A Kubernetes cluster you operate (k3s, EKS, GKE, AKS — anything).
  • kubectl configured against it, with permission to install Helm charts into a new namespace.
  • helm v3 locally.
  • Outbound HTTPS from the cluster to hub.daalu.io:443 and outbound WireGuard (UDP/51820) to the same host.
  • A Daalu admin account in the tenant this cluster should join.

The connection is outbound-only, so your firewall needs no inbound holes.


Step 1: Generate a bootstrap invite

In the operator app:

  1. Managed Infra → Clusters → Add cluster.
  2. Pick a friendly name (e.g. acme-eu-prod).
  3. Choose the tenant’s WireGuard subnet allocation. The default is fine.
  4. Click Generate invite. Daalu produces:
    • A bootstrap token — single-use, expires in 1 hour.
    • A copy-paste helm install command, pre-filled with the token.

The command looks like this:

helm install daalu-edge oci://ghcr.io/daalu/charts/daalu-edge \
  --namespace daalu-edge --create-namespace \
  --set hub.url=https://hub.daalu.io \
  --set bootstrap.token=<long-random-token>

Step 2: Install the chart

Run the command. It deploys:

  • The WireGuard edge pod — opens and holds the tunnel.
  • A bootstrap Job — exchanges the one-time token for a long-lived WireGuard configuration.
  • Supporting Secret, ConfigMap, and RBAC.

The bootstrap Job:

  1. POSTs the token to hub.daalu.io with the cluster’s freshly generated WireGuard public key.
  2. Receives back the server endpoint and the IP assigned to this cluster in the tenant’s private subnet.
  3. Writes a Secret with the WireGuard config.
  4. Exits successfully — the token is now burned.

The edge pod consumes the Secret and brings up the tunnel. Within ~30 seconds you should see a successful handshake.
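The four steps above, modelled in Python as an added example (this is not Daalu’s Job or hub code). The real hub.daalu.io request and response fields, the HubStub class and the IP allocation scheme are assumptions; what follows the page is that the token is single-use and expires after 1 hour, that the edge sends it together with a freshly generated WireGuard public key, and that the hub answers with its endpoint and the cluster’s IP in the tenant’s private subnet. The demo also shows the two refusals you would hit in practice: replaying a burned token, and redeeming an invite that has aged out.

```python
"""Model of the Step 2 bootstrap exchange (added example, not Daalu's code)."""
import base64
import ipaddress
import secrets
import time

TOKEN_TTL_SECONDS = 3600              # page: invite token expires in 1 hour
HUB_ENDPOINT = "hub.daalu.io:51820"   # page: outbound WireGuard to this host
HUB_PUBLIC_KEY = base64.b64encode(b"\x11" * 32).decode()  # constructed placeholder


class BootstrapError(Exception):
    """Raised when the hub refuses to redeem a token."""


class HubStub:
    """Assumed hub-side logic: issue invites, redeem each token exactly once."""

    def __init__(self, tenant_subnet: str, now=time.time):
        self.now = now                     # injectable clock so expiry is testable
        self.subnet = tenant_subnet
        self.free_ips = ipaddress.ip_network(tenant_subnet).hosts()
        self.invites = {}                  # token -> {cluster, expires, used}
        self.clusters = {}                 # cluster name -> {pubkey, ip}

    def generate_invite(self, cluster_name: str) -> str:
        token = secrets.token_urlsafe(32)
        self.invites[token] = {"cluster": cluster_name,
                               "expires": self.now() + TOKEN_TTL_SECONDS,
                               "used": False}
        return token

    def redeem(self, token: str, wg_public_key: str) -> dict:
        inv = self.invites.get(token)
        if inv is None:
            raise BootstrapError("unknown token")
        if inv["used"]:
            raise BootstrapError("token already burned")
        if self.now() > inv["expires"]:
            raise BootstrapError("token expired; regenerate the invite")
        if len(base64.b64decode(wg_public_key, validate=True)) != 32:
            raise BootstrapError("WireGuard public key must be 32 bytes")
        inv["used"] = True                 # burn the token before handing out anything
        ip = next(self.free_ips)           # assumed: sequential allocation in the tenant subnet
        self.clusters[inv["cluster"]] = {"pubkey": wg_public_key, "ip": str(ip)}
        return {"endpoint": HUB_ENDPOINT, "hub_public_key": HUB_PUBLIC_KEY,
                "address": f"{ip}/32", "allowed_ips": self.subnet}


def edge_bootstrap(hub: HubStub, token: str) -> dict:
    """Edge-side Job: mint a keypair, redeem the token, build the Secret payload."""
    # Constructed stand-in for `wg genkey` / `wg pubkey`: random bytes instead of a
    # real X25519 pair. Either way the private key never leaves the cluster.
    private_key = base64.b64encode(secrets.token_bytes(32)).decode()
    public_key = base64.b64encode(secrets.token_bytes(32)).decode()
    reply = hub.redeem(token, public_key)
    wg_conf = (
        "[Interface]\n"
        f"PrivateKey = {private_key}\n"
        f"Address = {reply['address']}\n\n"
        "[Peer]\n"
        f"PublicKey = {reply['hub_public_key']}\n"
        f"Endpoint = {reply['endpoint']}\n"
        f"AllowedIPs = {reply['allowed_ips']}\n"
        "PersistentKeepalive = 25\n"       # page: 25 s default keepalive
    )
    return {"public_key": public_key, "wg_conf": wg_conf}


def demo() -> dict:
    """Happy path, then a replay of the burned token, then an expired invite."""
    clock = [1_700_000_000.0]              # fake clock for deterministic expiry
    hub = HubStub("10.44.0.0/24", now=lambda: clock[0])   # constructed tenant subnet
    token = hub.generate_invite("acme-eu-prod")
    first = edge_bootstrap(hub, token)
    out = {"address": hub.clusters["acme-eu-prod"]["ip"],
           "conf_has_peer": "[Peer]" in first["wg_conf"]}
    try:
        edge_bootstrap(hub, token)         # replaying the burned token
    except BootstrapError as e:
        out["replay"] = str(e)
    stale = hub.generate_invite("acme-us-prod")
    clock[0] += TOKEN_TTL_SECONDS + 1      # let the invite age past 1 hour
    try:
        edge_bootstrap(hub, stale)
    except BootstrapError as e:
        out["expired"] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The ordering inside redeem is the part worth copying: the token is marked used before any address is allocated or returned, so a second POST with the same token fails even if the first one crashed halfway through.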


Step 3: Verify in the operator app

Back in Managed Infra → Clusters, the new row should show:

  • Status: connected (green).
  • Tunnel IP — an address in your tenant’s private subnet.
  • Last handshake — under 2 minutes ago.

Click the row for its detail page and confirm:

  • The node list shows your cluster’s nodes.
  • The “kubectl run” panel can execute kubectl get nodes through the tunnel.

If anything is off, jump to troubleshooting.


What got installed

After Step 2, the daalu-edge namespace holds:

  • A Deployment running the WireGuard pod (1 replica).
  • A Secret holding the WireGuard private key.
  • A ConfigMap with the public WireGuard config.
  • A ServiceAccount the edge pod runs as.
  • RBAC granting that account permission to call the API server on Daalu’s behalf.

The default RBAC is scoped to:

  • Read pods, services, deployments, statefulsets, daemonsets cluster-wide.
  • Read events.
  • Read logs (pods/log).

To widen it — so the Assistant can read more, or so write proposals can be applied — edit Settings → Clusters → [cluster] → RBAC. Daalu generates the patch for you to apply.
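Before applying a generated RBAC patch, it helps to see exactly which grants it adds beyond the read-only baseline listed above. The following is an added example, not the chart’s manifest: the ClusterRole is reconstructed from the bullet list (read = get, list, watch; core-group resources plus the apps group), the role name and the excess_grants helper are mine, and the scale patch is a constructed stand-in for a write proposal.

```python
"""Audit a ClusterRole against the read-only scope documented for the edge
ServiceAccount (added example; manifests reconstructed, not the chart's own)."""
import copy

READ_VERBS = {"get", "list", "watch"}

# Documented baseline: (apiGroup, resource) pairs the edge may read.
BASELINE = {
    ("", "pods"), ("", "services"), ("", "events"), ("", "pods/log"),
    ("apps", "deployments"), ("apps", "statefulsets"), ("apps", "daemonsets"),
}

DEFAULT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "daalu-edge-reader"},          # constructed name
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "services", "events", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed write proposal: lets the edge patch Deployments (e.g. to scale them).
SCALE_PATCH = {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]}


def expand_rules(role: dict):
    """Yield (apiGroup, resource, verb) triples from a ClusterRole's rules.
    A rule with no apiGroups is treated as the core group ("")."""
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    yield (group, resource, verb)


def excess_grants(role: dict) -> set:
    """Every (group, resource, verb) outside read-only access to the baseline.
    Wildcards are always reported: '*' anywhere swallows the whole allow-list."""
    found = set()
    for group, resource, verb in expand_rules(role):
        wildcard = "*" in (group, resource, verb)
        if wildcard or (group, resource) not in BASELINE or verb not in READ_VERBS:
            found.add((group, resource, verb))
    return found


def widened(role: dict, extra_rule: dict) -> dict:
    """Return a copy of the role with one extra rule appended (input untouched)."""
    new = copy.deepcopy(role)
    new["rules"].append(extra_rule)
    return new


if __name__ == "__main__":
    print("default:", excess_grants(DEFAULT_ROLE))            # set()
    print("widened:", excess_grants(widened(DEFAULT_ROLE, SCALE_PATCH)))
```

Run it against the ClusterRole that `kubectl -n daalu-edge get clusterrole -o json` would give you (converted to a dict) and the output is the list of grants a reviewer must consciously approve; an empty set means the binding still matches the chapter’s default scope.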


What did not get installed

A few things that are explicitly absent, because they’d be invasive:

  • No daemonset on every node. The edge is one pod on one node. If it crashloops, your data-plane workloads are untouched.
  • No sidecar or mTLS proxy in your pods. Nothing in your existing workloads changes.
  • No CNI plugin, no DNS hijacking, no privileged container. The WireGuard pod runs with NET_ADMIN for its own interface and nothing else.

Operational properties

  • Restarts. If the edge pod dies, Kubernetes restarts it and the tunnel reconnects in seconds. Daalu notes the dropped handshake; if it stays down for >15 minutes, a critical alert fires.
  • Cluster reboots. Transparent. Once the pod schedules, the tunnel comes back.
  • Updates. Upgrade with helm upgrade. The integration detail page flags “Available update” when there’s a new release.

Removing Daalu Edge

helm uninstall -n daalu-edge daalu-edge

The tunnel dies immediately and the cluster row goes disconnected within seconds. Delete the cluster row in the UI to clean up the Daalu side too.


Troubleshooting

“Awaiting handshake” persists for >5 minutes

  • Egress firewall. The edge pod can’t reach hub.daalu.io on UDP/51820. Verify your egress policy permits it.
  • Bootstrap Job failed. Run kubectl -n daalu-edge get jobs; if the bootstrap Job shows as failed, read its logs with kubectl -n daalu-edge logs job/<bootstrap-job>.
  • Token expired. The bootstrap token is valid for 1 hour. If you generated the invite a while ago, regenerate it.
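To check the tunnel from inside the edge pod rather than from the operator app, the handshake age in `wg show <iface> dump` gives the same signal the app uses. The script below is an added example (not Daalu’s code) that applies the thresholds this chapter states: a handshake older than 5 minutes is the “Awaiting handshake” case above, and a tunnel down for more than 15 minutes is what Operational properties says triggers a critical alert. The dump lines are constructed, the keys are placeholders, 203.0.113.10 is a documentation address, and the status names are mine, not the operator app’s.

```python
"""Classify a WireGuard peer from `wg show <iface> dump` output (added example)."""
import time

AWAITING_AFTER = 5 * 60     # page: "Awaiting handshake" persists for >5 minutes
CRITICAL_AFTER = 15 * 60    # page: down for >15 minutes fires a critical alert

NOW = 1_700_000_000         # fixed "now" so the constructed samples are reproducible

# Constructed dump output. Line 1 is the interface (private key, public key,
# listen port, fwmark); each further line is one peer with eight tab-separated
# fields: public key, preshared key, endpoint, allowed IPs, latest handshake
# (epoch seconds, 0 = never), rx bytes, tx bytes, persistent keepalive.
HEALTHY_DUMP = (
    "EDGE_PRIVATE_KEY_REDACTED\tEDGE_PUBLIC_KEY\t0\toff\n"
    f"HUB_PUBLIC_KEY\t(none)\t203.0.113.10:51820\t10.44.0.0/24\t{NOW - 40}\t10240\t8192\t25\n"
)
DROPPED_DUMP = (
    "EDGE_PRIVATE_KEY_REDACTED\tEDGE_PUBLIC_KEY\t0\toff\n"
    f"HUB_PUBLIC_KEY\t(none)\t203.0.113.10:51820\t10.44.0.0/24\t{NOW - 600}\t10240\t8192\t25\n"
)
NEVER_DUMP = (
    "EDGE_PRIVATE_KEY_REDACTED\tEDGE_PUBLIC_KEY\t0\toff\n"
    "HUB_PUBLIC_KEY\t(none)\t203.0.113.10:51820\t10.44.0.0/24\t0\t0\t5120\toff\n"
)


def parse_dump(text: str) -> list:
    """Parse `wg show <iface> dump` into one dict per peer."""
    lines = text.strip().splitlines()
    peers = []
    for line in lines[1:]:                      # skip the interface line
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append({
            "public_key": f[0],
            "endpoint": f[2],
            "allowed_ips": f[3],
            "latest_handshake": int(f[4]),
            "rx": int(f[5]),
            "tx": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return peers


def classify(peer: dict, now: float) -> str:
    """Map handshake age onto the chapter's thresholds."""
    hs = peer["latest_handshake"]
    age = now - hs if hs else float("inf")      # never handshaken counts as infinitely old
    if age <= AWAITING_AFTER:
        return "connected"
    if age <= CRITICAL_AFTER:
        return "awaiting-handshake"
    return "critical"


def tunnel_report(dump_text: str, now=None) -> list:
    """Status per peer plus hints that point at the troubleshooting items above."""
    now = time.time() if now is None else now
    report = []
    for peer in parse_dump(dump_text):
        status = classify(peer, now)
        hints = []
        if status != "connected":
            if peer["latest_handshake"] == 0 and peer["tx"] > 0 and peer["rx"] == 0:
                hints.append("packets sent, none received: check egress to UDP/51820 "
                             "and the bootstrap Job")
            if peer["keepalive"] is None or peer["keepalive"] > 25:
                hints.append("keepalive off or above 25 s: a NAT mapping may be timing out")
        report.append({"peer": peer["public_key"][:8] + "...",
                       "status": status, "hints": hints})
    return report


if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY_DUMP), ("dropped", DROPPED_DUMP),
                       ("never", NEVER_DUMP)):
        print(name, tunnel_report(dump, now=NOW))
```

In the pod, `kubectl -n daalu-edge exec deploy/daalu-edge -- wg show <iface> dump` (interface name per your chart values) produces the input; feed it to tunnel_report with the real clock to get the same three-way verdict the cluster row shows.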

Connection drops periodically

  • Aggressive NAT timeouts. The edge sends a keepalive every 25 s by default; some NAT devices have shorter windows. Lower the interval via the chart’s wg.keepalive value.
  • Pod evictions. If the cluster keeps rescheduling the edge pod, raise its priority or pin it to a stable node.

kubectl-through-tunnel fails

  • RBAC. The edge ServiceAccount lacks permission for what Daalu asked. Read the error; widen RBAC or narrow the request.
  • NetworkPolicy. A policy forbids the edge pod from reaching the API server. Add an exception.

Next: Chapter 42 — How the LLM router decides