All Kaa services, including RE, are distributed as Helm charts. You can run these charts using Kubernetes.

Installing RE chart on Kubernetes


These steps should be done once for your entire Kaa cluster in Kubernetes.

  1. Install Kubernetes.

  2. Install Helm client.

  3. Create a Kaa license secret (remember to put in your Kaa license key file contents and password):

     export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
      cat << EOF > /tmp/kaa-licence.yaml
     apiVersion: v1
       file: < your licence key file contents, base64-encoded >
       password: < your licence key password >
     kind: Secret
       name: license
       type: Opaque
     kubectl create -f /tmp/kaa-licence.yaml
  4. Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

     export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
      export KAAID_EMAIL=<your KaaID email, eg.> KAAID_PASSWORD=<your KaaID password>
     kubectl create secret docker-registry kaaid --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
  5. Add the KaaIoT Helm repository:

     helm repo add kaa-museum


Once you have completed the preparation steps, everything is ready for deploying RE on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):

helm install --set global.license.secretName=license kaa-museum/re --name kaa-re

Check that pods are running:

kubectl get pods

Once the service initialization is complete, you should observe the output similar to the below:

NAME                                          READY   STATUS             RESTARTS   AGE
kaa-re                       1/1     Running            0          2m

Chart Requirements

Repository Name Version
@bitnami-pre-2022 postgresql 10.1.1
@kaa service-chart 0.0.91

Chart Values

Key Type Default Description
affinity object {}  
annotations.deployment object {}  
annotations.pod object {}  
app.ports.http int 80 int 8080  
config string "" Content for the service config map, automatically mounted as a config file into the pod.
configOverrides string ""  
env object {"JAVA_OPTIONS":{"value":"-XX:MaxRAMPercentage=80.0 -XX:MinRAMPercentage=50.0 -Xverify:none -XX:TieredStopAtLevel=1"}} Defines the environment variables that Kubernetes passes to the service replica.
extraPodSpecs.automountServiceAccountToken bool false  
extraVolumeMounts list []  
extraVolumes list []  
fullnameOverride string ""  
global.epr.baseUrl string "" EPR base URL.
global.epts.baseUrl string "" EPTS base URL.
global.iamcore.enabled bool false  
global.image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets.
global.kaaIngress.tls.issuerKind string "Issuer"  
global.kaaIngress.tls.issuerName string "letsencrypt-stage"  
global.kaaIngress.tls.selfSigned bool false  
global.keycloak.backend.existingSecret string "-keycloak-backend"  
global.keycloak.enabled string "" Enables API security using the auth provider. Overrides keycloak.enabled.
global.keycloak.privateUrl string ""  
global.keycloak.publicUrl string ""  
global.keycloak.realm string "" Auth provider realm. Required.
global.license.existingSecret string "" Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. Overrides license.secretName.
global.monitoring.enabled bool false  
global.nats.url string "" NATS URL.
global.opendistro.existingSecret string "" Elastic existingSecret.
global.opendistro.url string "" Elastic URL. Overrides opendistro.url.
global.postgresql.existingSecret string "" Name of an existing Kubernetes secret containing PostgreSQL admin and user passwords (postgresql-postgres-password and postgresql-password secret keys, respectively).
global.postgresql.url string "" Postgres database URL.
global.tekton.enabled string "" Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in the config map. Overrides tekton.enabled.
global.tekton.url string "" Tekton URL. Overrides tekton.url.
global.tenantManager.baseUrl string "" Tenant manager base URL.
global.tenantManager.enabled string "" Enables multitenancy using the Kaa Tenant Manager. Overrides tenantManager.enabled.
image.pullPolicy string "IfNotPresent" Docker image pull policy.
image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field.
image.repository string "" Docker image repository image URL.
image.tag string "" Docker image tag version to pull and run.
ingress.annotations object {}  
ingress.enabled bool false  
ingress.hosts[0] string "chart-example.local"  
ingress.paths list []  
ingress.tls list []  
job.restartPolicy string "Never"  
metadata.component string "backend"  
metadata.partOf string "kaa"  
monitoring.metrics.export.path string "/prometheus" Specifies REST resource path that exposes metrics.
monitoring.metrics.type string "java"  
monitoring.rules[0].alert string "RE connection pool has totally more than 3 leased connections"  
monitoring.rules[0].annotations.message string "Got more then 3 leased pool's connections error on the pod [/]."  
monitoring.rules[0].annotations.runbook string ""  
monitoring.rules[0].expr string "sum(httpcomponents_httpclient_pool_total_connections{httpclient=\"rest-client-connection-pool\", container=\"re\", state=\"leased\"}) > 3"  
monitoring.rules[0].for string "1m"  
monitoring.rules[0].labels.severity string "error"  
monitoring.rules[1].alert string "RE connection pool has more than 1 pending connection"  
monitoring.rules[1].annotations.message string "Got more then 1 pending pool's connection error on the pod [/]."  
monitoring.rules[1].annotations.runbook string ""  
monitoring.rules[1].expr string "sum(httpcomponents_httpclient_pool_total_pending{httpclient=\"rest-client-connection-pool\", container=\"re\"}) > 1"  
monitoring.rules[1].for string "1m"  
monitoring.rules[1].labels.severity string "error"  
monitoring.rules[2].alert string "RE connection pool used all available connections"  
monitoring.rules[2].annotations.message string "Got more then 1 pending pool's connection error on the pod [/]."  
monitoring.rules[2].annotations.runbook string ""  
monitoring.rules[2].expr string "httpclient_pool_connections_per_route_available{host=~\".*keycloak.*\", container=\"re\"} >= httpcomponents_httpclient_pool_route_max_default{httpclient=\"rest-client-connection-pool\", container=\"re\"}"  
monitoring.rules[2].for string "1m"  
monitoring.rules[2].labels.severity string "error"  
monitoring.rules[3].alert string "RE connection pool has totally more than 75% available connections"  
monitoring.rules[3].annotations.message string "Got more then 75% available pool's connections error on the pod [/]."  
monitoring.rules[3].annotations.runbook string ""  
monitoring.rules[3].expr string "sum(httpcomponents_httpclient_pool_total_connections{httpclient=\"rest-client-connection-pool\", container=\"re\", state=\"available\"}) > (0.75 * sum(httpcomponents_httpclient_pool_total_max{httpclient=\"rest-client-connection-pool\", container=\"re\"}))"  
monitoring.rules[3].for string "1m"  
monitoring.rules[3].labels.severity string "error"  
monitoring.rules[4].alert string "RE connection pool has routes with half leased connections"  
monitoring.rules[4].annotations.message string "Got warning - appeared connection pool's routes with half leased connections on the pod [/]."  
monitoring.rules[4].annotations.runbook string ""  
monitoring.rules[4].expr string "sum(httpclient_pool_routes_with_half_leased_connections{container=\"re\"}) > 0"  
monitoring.rules[4].for string "1m"  
monitoring.rules[4].labels.severity string "warning"  
monitoring.rules[5].alert string "RE connection pool has routes with all leased connections"  
monitoring.rules[5].annotations.message string "Got warning - appeared connection pool's routes with all leased connections on the pod [/]."  
monitoring.rules[5].annotations.runbook string ""  
monitoring.rules[5].expr string "sum(httpclient_pool_routes_with_max_leased_connections{container=\"re\"}) > 0"  
monitoring.rules[5].for string "1m"  
monitoring.rules[5].labels.severity string "error"  
monitoring.rules[6].alert string "RE connection pool has routes with pending connections"  
monitoring.rules[6].annotations.message string "Got warning - appeared connection pool's routes with pending connections on the pod [/]."  
monitoring.rules[6].annotations.runbook string ""  
monitoring.rules[6].expr string "sum(httpclient_pool_routes_with_pending_connections{container=\"re\"}) > 0"  
monitoring.rules[6].for string "1m"  
monitoring.rules[6].labels.severity string "error"  
monitoring.rules[7].alert string "RE has spike in rule executions. Probably RE went into infinite loop rule execution"  
monitoring.rules[7].annotations.message string "Average number of executed rules per second is "  
monitoring.rules[7].annotations.runbook string ""  
monitoring.rules[7].expr string "sum(rate(kaa_rules_execution_total{container=\"re\"}[5m])) > 15"  
monitoring.rules[7].labels.severity string "error"  
nameOverride string ""  
nodeSelector object {}  
postgresql.enabled bool true  
postgresql.init.extraSteps[0] string "psql -d $NEW_DB_NAME -c \"CREATE EXTENSION IF NOT EXISTS btree_gin;\";"  
postgresql.init.extraSteps[1] string "psql -d $NEW_DB_NAME -c \"CREATE EXTENSION IF NOT EXISTS pg_trgm;\";"  
postgresql.initdbPassword string ""  
postgresql.initdbUser string "postgres"  
postgresql.persistence.enabled bool true  
postgresql.postgresqlDatabase string "re"  
postgresql.postgresqlUsername string "re"  
postgresql.replication.enabled bool false  
postgresql.service.port int 5432  
postgresql.url string "jdbc:postgresql://-:/"  
probes.enabled bool true Enables liveness, readiness, and startup probes for containers.
probes.liveness.initialDelaySeconds int 600  
probes.liveness.periodSeconds int 3  
probes.readiness.initialDelaySeconds int 10  
probes.readiness.periodSeconds int 5  
replicaCount int 1 The number of service instance replicas to run.
resources.limits.cpu int 1  
resources.limits.memory string "2Gi"  
resources.requests.cpu string "100m"  
resources.requests.memory string "700Mi"  
runbookUrl string ""  
securityContext object {}  
service.externalIPs list []  
service.loadBalancerIP string ""  
service.port int 80  
service.type string "ClusterIP"  
terminationMessagePolicy string "FallbackToLogsOnError" Kubernetes termination message policy.
tolerations list []  
updateStrategy.type string "RollingUpdate" Deployment update strategy.
waitContainers.curl.image string ""  
waitContainers.curl.tag string "0.0.3"  
waitContainers.enabled bool true Wait for dependency services.
waitContainers.timeout int 300 Wait timeout for dependency services in seconds.

The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.

Environment variables

The table below summarizes the variables supported by the RE Docker image and provides default values along with descriptions.

Variable name Default value Description
INSTANCE_NAME re Service instance name.
APP_CONFIG_PATH "/srv/re/service-config.yml" Path to the service configuration YAML file inside container. In case of running in Kubernetes, consider using K8s Volumes for externalization.
NATS_URLS "nats://nats:4222" NATS connection URLs. May include connection credentials, e.g. "nats://derek:pass@localhost:4222".
NATS_USERNAME   Username for connecting to NATS message broker.
NATS_PASSWORD   Password for connecting to NATS message broker.
KAA_LICENSE_CERT_PATH "/run/license/license.p12" Path to the Kaa platform license certificate file in PKCS #12 format.
KAA_LICENSE_CERT_PASSWORD   License certificate password. Required.
KAA_TEKTON_ENABLED false Enables Tekton integration.
KAA_TEKTON_URL http://tekton URL of the Tekton service.
KAA_SECURITY_ENABLED false Enables authentication and authorization on REST API endpoints (inbound and outbound API calls).
KAA_SECURITY_ISSUER_PUBLIC_URL   OAuth 2.0 issuer public URL for the system tenant (“kaa”).
KAA_SECURITY_ISSUER_PRIVATE_URL   OAuth 2.0 issuer private URL for the system tenant (“kaa”).
KAA_SECURITY_CLIENT_ID   Client ID for making requests in the system tenant scope.
KAA_SECURITY_CLIENT_SECRET   Client secret for making requests in the system tenant scope.
KAA_SECURITY_MULTITENANCY_ENABLED false Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when is set to true.
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL "http://tenant-manager" URL of the Kaa Tenant Manager that provides security configurations for tenants.
JAVA_OPTS -Xmx700m Additional parameters for Java process launch.
JMX_ENABLE false Enables JMX monitoring.
JMX_PORT 10500 JMX service port.
JMX_MONITOR_USER_PASSWORD   JMX monitor user password. Required when JMX_ENABLE=true.
SPRING_DATASOURCE_URL "jdbc:postgresql://postgresql:5432/re" Postgres database connection URL.
SPRING_DATASOURCE_USERNAME   Username for connection to the Postgres database.
SPRING_DATASOURCE_PASSWORD   Password for connection to the Postgres database.
SPRING_ELASTICSEARCH_REST_URIS "http://elasticsearch:9200" Comma-separated list of the Elasticsearch instances to use.
SPRING_ELASTICSEARCH_REST_USERNAME   Username for connection to the Elasticsearch
SPRING_ELASTICSEARCH_REST_PASSWORD   Password for connection to the Elasticsearch

Some of the listed above settings can also be controlled via the configuration options. When set, environment variables take precedence over corresponding configuration file settings.