Installation
This guide walks through a fresh, single-host installation of Manifest Self-Hosted using the manifest-installer CLI. One Linux host runs the entire stack: the k3s control plane, the Manifest applications, and the supporting services. The same host is also where you run manifest-installer itself.
For customers migrating from a pre-1.20.0 unmanaged installation, see Upgrade from Unmanaged Installation instead.
Latest released version:
1.63.1
Manifest Cyber will provide the version string for your release.
Prerequisites
Before proceeding, ensure you have:
- Met all host and software requirements
- Gathered all required credentials
1. Configure AWS Access
All commands are run on the Manifest host.
The bundle and the install-tools container image are distributed via Manifest's AWS account. Configure an AWS CLI profile using the IAM credentials provided during onboarding.
- Configure the AWS CLI profile:
aws configure --profile manifest
AWS Access Key ID [None]: <Access Key ID>
AWS Secret Access Key [None]: <Secret Access Key>
Default region name [None]: us-east-1
Default output format [None]: json
- Export the profile so subsequent commands pick it up:
export AWS_PROFILE=manifest
- Verify CLI access:
aws sts get-caller-identity
- Log Docker into Manifest's ECR so it can pull the install-tools image:
aws ecr get-login-password --region us-east-1 \
| docker login --username AWS --password-stdin 623542229617.dkr.ecr.us-east-1.amazonaws.com
ECR tokens expire after 12 hours. If pulls start failing later, re-run the docker login command above.
2. Download and Install the Bundle
- Set the bundle version. INSTALL_TOOLS_VERSION should match VERSION:
export VERSION=<version>
export INSTALL_TOOLS_VERSION=${VERSION}
- Download the installer script and the bundle tarball from S3:
aws s3 cp s3://manifest-deployables/on-prem/install.sh install.sh
aws s3 cp "s3://manifest-deployables/on-prem/k3s-on-prem-${VERSION}.tar" k3s-on-prem-${VERSION}.tar
chmod +x install.sh
- Run the installer to extract the bundle and install the manifest-installer CLI:
./install.sh --bundle k3s-on-prem-${VERSION}.tar
This creates the following structure under ~/.manifest/ (the default location follows the XDG Base Directory specification):
~/.manifest/
├── bin/manifest-installer # CLI binary
├── versions/<version>/ # Extracted bundle (immutable)
└── deployment/ # Populated by `init` in the next step
- Add the CLI to your PATH (the install script prints the exact command for your shell):
export PATH="$HOME/.manifest/bin:$PATH"
- Verify the binary is on your PATH:
manifest-installer version
3. Initialize the Deployment
Create the deployment directory and generate a SOPS encryption key. No prompts are issued in this step — configuration happens in the next one.
manifest-installer init --version ${VERSION}
This creates ~/.manifest/deployment/default/, generates age.key, and writes .sops.yaml.
Back up ~/.manifest/deployment/default/age.key immediately. This key encrypts your configuration and secrets. If it is lost, encrypted values cannot be recovered.
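One way to take and verify that backup, as an added example that is not part of Manifest's documentation or tooling. It assumes age.key is a standard age identity file (a line beginning AGE-SECRET-KEY-1), and the backup directory argument is a hypothetical destination you choose.

```shell
#!/usr/bin/env bash
# Added example: back up the SOPS age key and verify the copy.
# The key path comes from the guide; the backup directory is an assumption.

file_mode() {  # print octal permission bits (GNU stat first, then BSD stat)
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

file_sha256() {  # print the SHA-256 hex digest of a file
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# backup_age_key <key-file> <backup-dir>
# Prints the backup path and returns 0 only after the copy is verified.
backup_age_key() {
  bk_key="$1"; bk_dir="$2"
  [ -f "$bk_key" ] || { echo "missing key: $bk_key" >&2; return 1; }
  # Assumption: standard age identity format (AGE-SECRET-KEY-1... line).
  grep -q '^AGE-SECRET-KEY-1' "$bk_key" || { echo "not an age identity: $bk_key" >&2; return 2; }
  # The key decrypts every secret in the deployment: owner-only access.
  if [ "$(file_mode "$bk_key")" != "600" ]; then
    echo "tightening mode on $bk_key to 600" >&2
    chmod 600 "$bk_key" || return 3
  fi
  bk_dest="$bk_dir/age.key.$(date +%Y%m%d%H%M%S)"
  (
    umask 077   # a newly created directory and the copy are owner-only
    mkdir -p "$bk_dir" && cp "$bk_key" "$bk_dest"
  ) || return 4
  # Compare digests before trusting the copy.
  [ "$(file_sha256 "$bk_key")" = "$(file_sha256 "$bk_dest")" ] || return 5
  echo "$bk_dest"
}

# Example invocation (BACKUP_DIR is hypothetical):
# backup_age_key "$HOME/.manifest/deployment/default/age.key" "$BACKUP_DIR"
```

Move the resulting copy off the host, since a backup on the same disk does not survive loss of the host.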
To use a deployment name other than default:
manifest-installer --deployment <name> init --version ${VERSION}
4. Configure and Deploy
Run the upgrade command to launch the configuration wizard inside the install-tools container and deploy the platform:
manifest-installer upgrade --to ${VERSION}
The wizard prompts you for the configuration values described in the Configuration Reference. For a single-host deployment, accept the defaults that match the table below:
| Prompt | Single-host answer |
|---|---|
| Number of control plane nodes | 1 |
| Number of agent nodes | 0 |
| High availability | false |
| Schedulable control plane | true (required — workloads must run on the one node you have) |
| Domain / FQDN | e.g. manifest.example.com |
| Admin email | your administrator user's email |
| SMTP / OIDC / custom CA | optional — skip to start, configure later via manifest-installer config |
Once the wizard completes, Ansible provisions k3s and installs the Manifest applications. First-run can take 10-20 minutes depending on image-pull speed and host performance.
5. Verify the Installation
kubectl is not required on the host — the install-tools container ships with it and the kubeconfig already wired up. Drop into that environment with manifest-installer shell and confirm pods are healthy:
manifest-installer shell
kubectl get nodes
kubectl get pods -A
All pods should reach Running or Completed. Confirm Traefik is listening:
kubectl -n traefik get svc
Type exit when you are done to leave the shell.
Resolve your domain to the host IP (via DNS or a temporary /etc/hosts entry on a test machine) and visit the URL in a browser. The first login uses the admin email you supplied during configuration; follow the password-reset flow on first sign-in.
Day-2 Operations
| Task | Command |
|---|---|
| Change a configuration value | manifest-installer config <key> <value>, then manifest-installer upgrade --to <current-version> to apply |
| Upgrade to a new release | See Upgrade |
| Inspect deployment state | manifest-installer status |
| Open a shell inside the install-tools container | manifest-installer shell |
Next Steps
After installation completes:
- Review the Configuration Reference for host and OIDC configuration options
- Complete the Post-Install steps to configure certificate trust
- If you encounter issues, see the Troubleshooting Guide