AWS Public Sector Blog

Get started quickly with Wickr Enterprise Embedded Cluster


Customers operating in austere Edge environments have unique challenges when it comes to deploying a robust, secure collaboration solution. Having containerized applications orchestrated by Kubernetes is becoming the standard for many always-connected enterprises, but this deployment type is an especially challenging task for customers operating at the edge with limited technical expertise and limited, unreliable, or no internet connectivity.

Wickr Enterprise is a secure collaboration platform that can be deployed on premises using Kubernetes. For large enterprises that are already running Kubernetes, Wickr can install into the existing cluster. Although Kubernetes adoption at the edge is becoming more common, a simpler deployment option is typically preferred.

Wickr Enterprise software is installed using a tool called Replicated KOTS. A newly released feature called the Embedded Cluster gives the ability to install both a k0s Kubernetes cluster and Wickr software from a single binary, without any internet dependencies. This capability is a streamlined option for customers operating in edge environments, giving them the ability to deploy a robust communications solution quickly without needing to be a Kubernetes expert.

Solution overview

The following deployment guidance is intended to help you get started quickly with Wickr Enterprise for capability testing. It’s not intended to be a production deployment. For a production-grade deployment, we recommend using a dedicated Kubernetes cluster.

The following diagram is the solution architecture. The major components are the Replicated Repository, the air-gapped package, the air-gapped network, and the server or virtual machine (VM) where the embedded cluster will be installed.

Figure 1. Wickr Enterprise Embedded Cluster architecture

The following is a high-level overview of the deployment process flow. This deployment is focused on a single edge server or VM running in a completely air-gapped environment:

  1. Download the installation packages from the Replicated Customer portal.
  2. Transfer the installation packages to the target host server or VM.
  3. Install the packages on the target host server or VM.
  4. Configure the Wickr clients to connect to the Wickr Enterprise server.

Prerequisites

Before you get started, make sure you have the following:

  1. A Wickr Enterprise license. For a trial license, contact wickr-sales@amazon.com.
  2. A single VM or physical machine that satisfies the following minimum hardware resource requirements:
    1. 8 CPU cores
    2. 12 gigabytes (GB) of RAM
    3. 100 GB of storage on the / disk partition
  3. Satisfy the Embedded Cluster Installation Requirements.
  4. SELinux set to permissive mode.
  5. A local area network (LAN) with at least one client machine or mobile device for a Wickr test client and the ability to connect by using Secure Shell (SSH) into the server host or VM from the management machine.
  6. Internet connectivity from the management machine to pull down the Embedded Cluster package.
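
The hardware and SELinux minimums above can be checked on the target host before the installer is run. The following script is an added example, not part of the original post or of the Wickr or Replicated tooling; the function names are illustrative, and it assumes a Linux host, takes 12 GB and 100 GB as decimal sizes, and measures / by filesystem size.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): compare a host against the
# minimums in the prerequisites list. Function names are illustrative.

# evaluate_prereqs CORES MEM_KIB ROOT_KIB SELINUX_MODE
# Prints one line per unmet requirement; returns 0 only when all are met.
evaluate_prereqs() {
  cores=$1 mem_kib=$2 root_kib=$3 selinux=$4
  rc=0
  if [ "$cores" -lt 8 ]; then
    echo "cpu: $cores cores, need 8"; rc=1
  fi
  # 12 GB taken as decimal (11718750 KiB): MemTotal excludes memory the
  # kernel reserves, so a 12 GiB VM reports a little under 12 GiB.
  if [ "$mem_kib" -lt 11718750 ]; then
    echo "ram: $mem_kib KiB, need 12 GB"; rc=1
  fi
  # 100 GB decimal = 97656250 KiB (assumption: size of /, not free space).
  if [ "$root_kib" -lt 97656250 ]; then
    echo "disk: / is $root_kib KiB, need 100 GB"; rc=1
  fi
  # Assumption: only Enforcing conflicts with the permissive-mode requirement.
  if [ "$selinux" = "Enforcing" ]; then
    echo "selinux: Enforcing, need Permissive"; rc=1
  fi
  return "$rc"
}

# Read the same four values from the local Linux host.
host_cores() { nproc 2>/dev/null || echo 0; }
host_mem_kib() {
  if [ -r /proc/meminfo ]; then awk '/^MemTotal:/ {print $2}' /proc/meminfo
  else echo 0; fi
}
host_root_kib() { kib=$(df -Pk / 2>/dev/null | awk 'NR==2 {print $2}'); echo "${kib:-0}"; }
host_selinux() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo absent; fi
}

# Report on this host; an unmet requirement is printed, not treated as fatal.
if evaluate_prereqs "$(host_cores)" "$(host_mem_kib)" "$(host_root_kib)" \
                    "$(host_selinux)"; then
  echo "host meets the listed minimums"
else
  echo "host does not meet the listed minimums"
fi
```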

Installation instructions

A Wickr representative will provide access to a Replicated customer portal that will have details about the installation and contain your Wickr license file.

    1. After you have access to the Replicated Customer portal, select Embedded cluster, as shown in the following screenshot.

      Figure 2. Embedded cluster option in the Replicated customer portal

    2. Enable Install in air gap environment, as shown in the following screenshot. This allows for a completely air-gapped installation where all of the Wickr software will be bundled into a single tarball file instead of being downloaded from an internet registry by the host machine.

      Figure 3. Embedded cluster installation steps that the user will follow

    3. Follow the steps from the local management machine to pull down the installation assets:
      curl -f "https://replicated.app/embedded/wickr-enterprise-ha/stable/2025.3.12?airgap=true" -H "Authorization: <redacted>" -o wickr-enterprise-ha-stable.tgz
    4. Move the tarball to the target VM or machine. With SSH access to the target machine, you can use the following command, replacing user and host with your values:

      scp wickr-enterprise-ha-stable.tgz user@host:~

    5. From the target host machine, you can extract the tarball:

      tar -xvzf wickr-enterprise-ha-stable.tgz
      wickr-enterprise-ha
      license.yaml
      wickr-enterprise-ha.airgap

      After expanding, you can see the wickr-enterprise-ha cluster binary, a license.yaml Wickr license file, and an airgap bundle file that contains all the Wickr software components.

    6. Install with the following command. If your machine has multiple network interfaces, you need to specify the intended interface to bind the k0s cluster to with the flag --network-interface <network-interface-name>. For a full list of install flags, refer to Embedded Cluster Install Command Options:

      sudo ./wickr-enterprise-ha install --license license.yaml --airgap-bundle wickr-enterprise-ha.airgap

      After specifying an admin password, the installation will begin. The installation will automatically install a local registry and populate it with the Wickr Enterprise manifests and images from the airgap package:

      sudo ./wickr-enterprise-ha install --license license.yaml --airgap-bundle wickr-enterprise-ha.airgap
      ? Set the Admin Console password (minimum 6 characters): *********
      ? Confirm the Admin Console password: *********
      ✔  Host files materialized!
      ✔  Host preflights succeeded!
      ✔  Node installation finished!
      ✔  Storage is ready!
      ✔  Embedded Cluster Operator is ready!
      ✔  Registry is ready!
      ✔  Application images are ready!
      ✔  Admin Console is ready!
      Visit the Admin Console to configure and install wickr-enterprise-ha: http://192.168.50.56:30000

    7. Continue to the admin console using the password we created above and the IP and port that the installer outputs and choose Start, as shown in the following screenshot.

      Figure 4. Replicated admin panel landing page

    8. Allow your browser to trust the initial self-signed certificate.
    9. To upload your own certificate to secure the admin console, select Upload your own. To use the default self-signed certificate, select Self-signed, as shown in the following screenshot.

      Figure 5. Replicated admin panel certificate configuration

    10. To sign in to the admin console, enter the password you set earlier to set the parameters for the Wickr Enterprise installation. Select Log in, as shown in the following screenshot.

      Figure 6. Replicated admin console login prompt

    11. The next screen has details to join other nodes to the cluster, but for this simple deployment, you deploy with a single node cluster by choosing Continue, as shown in the following screenshot.

      Figure 7. k0s node overview

       

    12. Before populating the configuration fields, determine whether you’ll use a public certificate or a self-signed certificate for the Wickr Enterprise server. A public certificate is straightforward, but a self-signed certificate must be created as follows from a machine with terminal access and the openssl tool (tested on version 3.4.1). This is an example command for a hostname-based installation:

export YOUR_DOMAIN=example.domain

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout $YOUR_DOMAIN.key -out $YOUR_DOMAIN.crt -subj "/CN=$YOUR_DOMAIN" -addext "subjectAltName=DNS:$YOUR_DOMAIN" -addext "extendedKeyUsage = serverAuth"

If your Wickr Server will use an IP-based hostname, the command to generate a certificate needs to be slightly modified:

export YOUR_DOMAIN=<ip_addr>

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout $YOUR_DOMAIN.key -out $YOUR_DOMAIN.crt -subj "/CN=$YOUR_DOMAIN" -addext "subjectAltName=IP:$YOUR_DOMAIN" -addext "extendedKeyUsage = serverAuth"
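
Before uploading the certificate and key, it is worth confirming that the key belongs to the certificate, that the subjectAltName covers the value you will enter as the Hostname, and that serverAuth is present. The following script is an added example, not part of the original post; the function names and the 30-day validity margin are illustrative, and the sample certificate it builds is a throwaway made with the command above using a 2048-bit key for speed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check a certificate and key
# before uploading them. Function names are illustrative.

# Digits and dots only, or any ':', is treated as an IP address (assumption).
is_ip() { case "$1" in *:*) return 0 ;; *[!0-9.]*) return 1 ;; esac; return 0; }

# The key belongs to the certificate when both yield the same public key.
cert_matches_key() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# The subjectAltName covers the value that goes in the Hostname field.
cert_covers_name() {
  if is_ip "$2"; then opt=-checkip; else opt=-checkhost; fi
  openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match certificate'
}

# extendedKeyUsage includes serverAuth, as requested with -addext.
cert_has_server_auth() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# check_cert CERT KEY NAME: one line per failed check; returns 0 when all pass.
check_cert() {
  rc=0
  cert_matches_key "$1" "$2" || { echo "key does not match certificate"; rc=1; }
  cert_covers_name "$1" "$3" || { echo "SAN does not cover $3"; rc=1; }
  cert_has_server_auth "$1"  || { echo "serverAuth EKU missing"; rc=1; }
  # Still valid 30 days (2592000 seconds) from now.
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
    { echo "expires within 30 days"; rc=1; }
  return "$rc"
}

# Constructed sample: the post's command, with a 2048-bit key for speed.
make_sample() {  # make_sample DIR NAME DNS|IP
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" \
    -addext "subjectAltName=$3:$2" -addext "extendedKeyUsage = serverAuth" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  d=$(mktemp -d)
  make_sample "$d" example.domain DNS &&
    check_cert "$d/example.domain.crt" "$d/example.domain.key" example.domain &&
    echo "example.domain: all checks passed"
  rm -rf "$d"
fi
```

For your own files, call `check_cert $YOUR_DOMAIN.crt $YOUR_DOMAIN.key $YOUR_DOMAIN` after sourcing the functions.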

The recommended settings for a simple deployment are as follows:

Hostname – The hostname or IP address that corresponds to the fully qualified domain name (FQDN) or IP address specified in the certificate

Enable Global Federation – Disable

Username Format – Username

Certificate Type – Upload a certificate and choose the private key, server certificate, and fullchain certificate. The fullchain certificate must be the concatenation of the server certificate and the CA certificate. If you used the self-signed certificate command in the preceding step, you can safely use the generated certificate for the certificate, certificate chain, and pinned certificate fields.

Set a pinned certificate – This must be checked if you are using a self-signed certificate. Checking it exposes the field to upload the CA certificate that signed your server certificate.

Database – Internal

Amazon Simple Storage Service (Amazon S3) storage location – Internal

Internal S3 server count – 1

Internal S3 volume count – 1

Internal S3 volume size – 10 GB

Require Calling Nodes – Disable

Enable TCP Proxy – Disable

Automatically discover server public IP addresses – Disable

Use host primary IP address for Calling traffic – Enable

Storage Class name for internal PVC storage – Leave blank for default

Advanced options – Only enable the following options: Configure Ingress Controller and Enable Low Resource Mode.

Selecting Configure Ingress Controller will expose an Ingress configuration block. Select the Single Node Embedded Cluster option within this block and add the IP address of the server in the field. Note: if the hostname of the server is an IP address, also select Use wildcard hostname. The Service Annotations block can be left blank.

After all the fields are populated, choose Save config. When the preflight host checks are complete, choose Deploy to install Wickr Enterprise.

You can monitor the progress of the deployment from the Replicated web admin console, but optionally you can also monitor the progress using Kubernetes commands from the terminal. From a terminal on the host in the directory where the wickr-enterprise-ha binary is, run the following command to gain access to the Kubernetes cluster:

sudo ./wickr-enterprise-ha shell

This command will export the location of the k0s embedded cluster Kubernetes configuration and add the kubectl tool to the system path:

export KUBECONFIG="/var/lib/embedded-cluster/k0s/pki/admin.conf"

export PATH="$PATH:/var/lib/embedded-cluster/bin"

Now, you can run kubectl commands against the cluster. To view the status of Wickr Enterprise pods, run:

 kubectl -n kotsadm get pods
NAME                                        READY   STATUS             RESTARTS        AGE
admin-api-5449f65dd9-jz58l                  1/1     Running            0               6m35s
directory-7f8f788c7c-h4nwn                  1/1     Running            0               6m34s
enterprise-init-24zlr                       0/1     Completed          0               6m34s
expirer-f78dbf768-2fbqg                     1/1     Running            0               6m33s
fileproxy-c6d5457d4-ftxd7                   1/1     Running            0               6m33s
ingress-nginx-controller-76697dcf96-2sx86   1/1     Running            0               6m36s
kotsadm-5db7d8b45f-rjk7p                    1/1     Running            0               3h53m
kotsadm-rqlite-0                            1/1     Running            0               3h56m
kurl-proxy-kotsadm-57dc6ff496-467db         1/1     Running            1 (3h56m ago)   3h56m
minio-operator-6dc76dccd7-6v969             1/1     Running            0               6m31s
minio-operator-6dc76dccd7-9nfjf             1/1     Running            0               6m31s
mysql-primary-0                             1/1     Running            0               6m36s
mysql-secondary-0                           1/1     Running            0               6m36s
oidc-767b45fc54-nx44f                       1/1     Running            0               6m32s
opensearch-cluster-master-0                 1/1     Running            0               6m32s
orville-fhqjk                               1/1     Running            0               6m30s
orville-redis-dcd9d4bb9-b9q76               1/1     Running            0               6m30s
push-device-85b6d77957-bdt77                1/1     Running            0               6m30s
rabbitmq-0                                  1/1     Running            0               6m29s
react-b6cdc6b9-msctk                        1/1     Running            0               6m29s
receipts-6949dc7746-nnzns                   1/1     Running            0               6m29s
redis-node-0                                2/2     Running            0               6m28s
replicated-7ccb79c77c-8xhbx                 0/1     ImagePullBackOff   0               6m34s
schema-w47zm                                0/1     Completed          0               6m28s
server-api-6944c8c468-q7q9l                 1/1     Running            0               6m28s
switchboard-0                               1/1     Running            3 (5m10s ago)   6m27s
wickr-s3-ss-0-0                             2/2     Running            0               5m55s
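
To pick out the rows that still need attention in a listing like the one above, the table can be filtered on the READY and STATUS columns. This script is an added example, not part of the original post; the function names are illustrative, and the sample rows are copied from the listing above, where it reports the replicated pod in ImagePullBackOff.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list pods that still need
# attention in `kubectl -n kotsadm get pods` output.

# Reads the table on stdin. A pod is healthy when it is Running with every
# container ready (READY n/n) or is a finished job (Completed).
pods_not_ready() {
  awk 'NR > 1 && NF >= 3 {
         split($2, r, "/")
         ok = ($3 == "Completed") || ($3 == "Running" && r[1] == r[2])
         if (!ok) print $1, $2, $3
       }'
}

# Poll a listing command until nothing is pending or TRIES attempts are used.
wait_for_pods() {  # wait_for_pods TRIES SLEEP_SECONDS CMD...
  tries=$1 pause=$2; shift 2
  while [ "$tries" -gt 0 ]; do
    pending=$("$@" | pods_not_ready)
    if [ -z "$pending" ]; then return 0; fi
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep "$pause"; fi
  done
  echo "$pending"
  return 1
}

# Constructed sample: four rows copied from the listing above.
sample_listing() {
  cat <<'EOF'
NAME                                        READY   STATUS             RESTARTS        AGE
admin-api-5449f65dd9-jz58l                  1/1     Running            0               6m35s
enterprise-init-24zlr                       0/1     Completed          0               6m34s
replicated-7ccb79c77c-8xhbx                 0/1     ImagePullBackOff   0               6m34s
switchboard-0                               1/1     Running            3 (5m10s ago)   6m27s
EOF
}

sample_listing | pods_not_ready

# Against the live cluster, from the shell opened by `wickr-enterprise-ha shell`:
#   wait_for_pods 60 10 kubectl -n kotsadm get pods
```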

When all the pods are shown as Running, the admin console should show Currently deployed version in green and a status of Ready in green, as shown in the following screenshot.

Figure 8. Wickr Enterprise server in a successfully deployed state

You now have a running Wickr Enterprise server. You should be able to access the Wickr Enterprise admin console by navigating to https://hostname, and you should see the sign-in page for Wickr Enterprise admin access, as shown in the following screenshot.

Figure 9. Wickr Enterprise admin console

To configure your network and Wickr clients, follow the public instructions in the Wickr Enterprise Administration Guide.

Conclusion

In this post, we showed you how the Embedded Cluster can accelerate the process of deploying a Kubernetes-based Wickr Enterprise installation by abstracting away complicated Kubernetes cluster installation and configuration. This can help you get started quickly with Wickr Enterprise capability testing on edge deployments or proof of concept installations.

For more information on how Wickr Enterprise can help your organization, contact wickr-sales@amazon.com.

Troy Barker

Troy is a senior security specialist solutions architect at AWS, where he focuses on supporting customers in the public sector. He has over 16 years of experience designing and integrating holistic edge and cloud solutions for customers. Troy enjoys showing customers operating in austere environments how they can leverage edge/cloud hybrid architectures to solve their toughest challenges.

John Hunneman

John is a systems development engineer at AWS Wickr focused primarily on the Wickr Enterprise product. He has over 15 years of experience in various technological fields with a concentration in cloud infrastructure and scalability.