Deployment
All Kaa services, including KPC, are distributed as Helm charts. You can run these charts using Kubernetes.
Installing KPC chart on Kubernetes
Preparation
These steps should be done once for your entire Kaa cluster in Kubernetes.
-
Install Helm client and Tiller server.
-
Create a Kaa license secret (remember to put in your Kaa license key file contents and password):
export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line cat << EOF > /tmp/kaa-licence.yaml apiVersion: v1 data: file: < your licence key file contents, base64-encoded > password: < your licence key password > kind: Secret metadata: name: license type: Opaque EOF kubectl create -f /tmp/kaa-licence.yaml
-
Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:
export HISTCONTROL=ignorespace # Prevent saving your credentials in the shell history; note the leading space in the next line export KAAID_EMAIL=<your KaaID email, eg. bob@example.com> KAAID_PASSWORD=<your KaaID password> kubectl create secret docker-registry kaaid --docker-server=dev-hub.kaaiot.net --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
-
If you want to enable API security in your Kaa cluster (recommended), you should create an auth server backend secret for the service to be able to request PAT tokens.
export HISTCONTROL=ignorespace # Prevent saving your client ID amd secret in the shell history; note the leading space in the next line cat << EOF > /tmp/keycloak-backend-secret.yaml apiVersion: v1 data: client-id: < your client-id, base64-encoded > client-secret: < your client-secret, base64-encoded > kind: Secret metadata: name: "keycloak-backend" labels: app.kubernetes.io/name: "kaa-name" helm.sh/chart: "kaa-chart-version" app.kubernetes.io/instance: "kaa-instance-name" app.kubernetes.io/managed-by: "release-service-name" EOF kubectl create -f /tmp/keycloak-backend-secret.yaml
-
Add the KaaIoT Helm repository:
helm repo add kaa-museum https://museum.kaaiot.net/
Installation
Once you have completed the preparation steps, everything is ready for deploying KPC on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):
helm install --set global.license.secretName=license kaa-museum/kpc --name kaa-kpc
Check that pods are running:
kubectl get pods
Once the service initialization is complete, you should observe the output similar to the below:
NAME READY STATUS RESTARTS AGE
...
kaa-kpc 1/1 Running 0 2m
...
Chart Requirements
Repository | Name | Version |
---|---|---|
@kaa | service-chart | 0.0.91 |
Chart Values
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} |
|
annotations.deployment | object | {} |
|
annotations.pod | object | {} |
|
autoscaling.enabled | bool | false |
|
autoscaling.replicaCountMax | int | 10 |
|
autoscaling.replicaCountMin | int | 1 |
|
autoscaling.targetCustomMetric | object | {} |
|
certmanager.apiVersion | string | "cert-manager.io/v1beta1" |
|
certmanager.issuerName | string | "letsencrypt-prod" |
|
config | string | "" |
Content for the service config map, automatically mounted as a config file into the pod. |
configOverrides | string | "" |
|
env | object | {} |
Defines the environment variables that Kubernetes passes to the service replica. |
extraPodSpecs.automountServiceAccountToken | bool | false |
|
extraVolumeMounts | list | [] |
|
extraVolumes | list | [] |
|
fullnameOverride | string | "" |
|
global.ccm.enabled | bool | true |
|
global.ccm.platform_certs.enabled | bool | true |
|
global.ccm.platform_certs.secretName | string | "-platform-tls" |
|
global.iamcore.enabled | bool | false |
|
global.image.pullSecrets | list | [] |
List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets . |
global.kaaIngress.tls.issuerKind | string | "Issuer" |
|
global.kaaIngress.tls.issuerName | string | "letsencrypt-stage" |
|
global.kaaIngress.tls.selfSigned | bool | false |
|
global.keycloak.auth.existingSecret | string | "-keycloak-auth" |
|
global.keycloak.backend.existingSecret | string | "-keycloak-backend" |
|
global.keycloak.enabled | string | "" |
Enables API security using the auth provider. Overrides keycloak.enabled . |
global.keycloak.privateUrl | string | "" |
|
global.keycloak.publicUrl | string | "" |
|
global.kp1.ingress.annotations | object | {"nginx.ingress.kubernetes.io/cors-allow-origin":"*","nginx.ingress.kubernetes.io/enable-cors":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false"} |
Map of custom kp1 ingress annotations |
global.kp1.ingress.enabled | bool | false |
Enables kp1 ingress endpoint. |
global.kp1.ingress.host | string | "" |
kp1 ingress hostname. |
global.kp1.ingress.tls.enabled | bool | false |
Enables SSL for kp1 ingress endpoint. |
global.kp1.ingress.tls.existingSecret | string | "" |
kp1 ingress SSL secret name if not defined Let’s encrypt cert will be created. |
global.kp1.ingress.tls.letsencrypt.dnsNames | list | [] |
|
global.kp1.ingress.tls.letsencrypt.enabled | bool | false |
|
global.license.existingSecret | string | "" |
Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password . Overrides license.secretName . |
global.monitoring.enabled | bool | false |
|
global.nats.url | string | "" |
NATS URL. |
global.tekton.enabled | string | "" |
Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in the config map. Overrides tekton.enabled . |
global.tekton.url | string | "" |
Tekton URL. Overrides tekton.url . |
global.tenantManager.baseUrl | string | "" |
Tenant manager base URL. |
global.tenantManager.enabled | string | "" |
Enables multitenancy using the Kaa Tenant Manager. Overrides tenantManager.enabled . |
image.pullPolicy | string | "IfNotPresent" |
Docker image pull policy. |
image.pullSecrets | list | [] |
List of image pull secret names. Each must be defined as a record with the name field. |
image.repository | string | "dev-hub.kaaiot.net/core/service//" |
Docker image repository image URL. |
image.tag | string | "" |
Docker image tag version which need to pull and run. |
metadata.component | string | "backend" |
|
metadata.partOf | string | "kaa" |
|
nameOverride | string | "" |
|
nodeSelector | object | {} |
|
probes.enabled | bool | true |
Enables liveness, readiness, and startup probes for containers. |
probes.liveness.initialDelaySeconds | int | 15 |
|
probes.liveness.periodSeconds | int | 3 |
|
probes.readiness.initialDelaySeconds | int | 5 |
|
probes.readiness.periodSeconds | int | 1 |
|
replicaCount | int | 1 |
The number of service instance replicas to run. |
resources.limits.cpu | int | 1 |
|
resources.limits.memory | string | "512Mi" |
|
resources.requests.cpu | string | "100m" |
|
resources.requests.memory | string | "128Mi" |
|
rules[0].alert | string | "The KPC basic authorization request error." |
|
rules[0].annotations.message | string | "Got more than 100 \"CAP client basic authorization request\" errors on the pod [/] for last 10 minutes." |
|
rules[0].annotations.runbook | string | "" |
|
rules[0].expr | string | "increase(kaa_cap_basic_auth_errors_total{}[10m]) > 100" |
|
rules[0].for | string | "10m" |
|
rules[0].labels.severity | string | "error" |
|
rules[1].alert | string | "The KPC X.509 certificate authorization request error." |
|
rules[1].annotations.message | string | "Got more than 100 \"CAP client X.509 certificate authorization request\" errors on the pod [/] for last 10 minutes." |
|
rules[1].annotations.runbook | string | "" |
|
rules[1].expr | string | "increase(kaa_cap_x509_auth_errors_total{}[10m]) > 100" |
|
rules[1].for | string | "10m" |
|
rules[1].labels.severity | string | "error" |
|
rules[2].alert | string | "The KPC EAP get EP ID by token error." |
|
rules[2].annotations.message | string | "Got more than 100 \"EAP get EP ID by token\" errors on the pod [/] for last 10 minutes." |
|
rules[2].annotations.runbook | string | "" |
|
rules[2].expr | string | "increase(kaa_eap_ep_id_by_token_errors_total{}[10m]) > 100" |
|
rules[2].for | string | "10m" |
|
rules[2].labels.severity | string | "error" |
|
rules[3].alert | string | "The KPC ESP messages drop error." |
|
rules[3].annotations.message | string | "Got more than 100 \"ESP message dropped\" errors on the pod [/] for last 10 minutes." |
|
rules[3].annotations.runbook | string | "" |
|
rules[3].expr | string | "increase(kaa_esp_extension_data_dropped_count{}[10m]) > 100" |
|
rules[3].for | string | "10m" |
|
rules[3].labels.severity | string | "error" |
|
runbookUrl | string | "" |
|
securityContext | object | {} |
|
service.annotations | object | {} |
|
service.externalIPs | list | [] |
|
service.port | int | 8008 |
|
service.transports.http.tcp.enabled | bool | true |
Enables plain HTTP transport. |
service.transports.http.tcp.nodePort | string | "" |
Node port number to expose the plain HTTP interface at. Only used when service.type is “NodePort”. |
service.transports.http.tcp.port | int | 80 |
Port number within the pod to expose the plain HTTP interface at. |
service.transports.mqtt.tcp.enabled | bool | true |
Enables plain MQTT transport. |
service.transports.mqtt.tcp.nodePort | string | "" |
Node port number to expose the plain MQTT interface at. Only used when service.type is “NodePort”. |
service.transports.mqtt.tcp.port | int | 1883 |
Port number within the pod to expose the plain MQTT interface at. |
service.transports.mqtt.tls.create.caB64 | string | "" |
Base64-encoded certificate authority for the MQTT/TLS transport. |
service.transports.mqtt.tls.create.certB64 | string | "" |
Base64-encoded certificate for the MQTT/TLS transport. |
service.transports.mqtt.tls.create.enabled | bool | false |
Enables the creation of a secret for the MQTT/TLS transport. Mutually exclusive with service.transports.mqtt.tls.existingSecret.enabled. |
service.transports.mqtt.tls.create.keyB64 | string | "" |
Base64-encoded certificate private key for the MQTT/TLS transport. |
service.transports.mqtt.tls.enabled | bool | false |
Enables MQTT/TLS transport. |
service.transports.mqtt.tls.existingSecret.enabled | bool | false |
Enables the use of an existing secret for the MQTT/TLS transport. Mutually exclusive with service.transports.mqtt.tls.create.enabled. |
service.transports.mqtt.tls.existingSecret.name | string | "" |
Existing secret name for the MQTT/TLS transport. |
service.transports.mqtt.tls.nodePort | string | "" |
Node port number to expose the MQTT/TLS interface at. Only used when service.type is “NodePort”. |
service.transports.mqtt.tls.port | int | 8883 |
Port number within the pod to expose the MQTT/TLS interface at. |
service.transports.mqtt.tls.x509_auth.enabled | bool | false |
Enables plain x509 authentication, if enabled requires trust-store-file, enables if platform_certs: true |
service.transports.mqtt.ws.enabled | bool | false |
Enables MQTT/Websocket transport. |
service.transports.mqtt.ws.nodePort | string | "" |
Node port number to expose the MQTT/Websocket interface at. Only used when service.type is “NodePort”. |
service.transports.mqtt.ws.port | int | 9001 |
Port number within the pod to expose the MQTT/Websocket interface at. |
service.type | string | "LoadBalancer" |
|
terminationMessagePolicy | string | "FallbackToLogsOnError" |
Kubernetes termination message policy. |
tolerations | list | [] |
|
updateStrategy.type | string | "RollingUpdate" |
Deployment update strategy. |
waitContainers.curl.image | string | "dev-hub.kaaiot.net/devops/docker/alpine-curl-jq/alpine-curl-jq" |
|
waitContainers.curl.tag | string | "0.0.3" |
|
waitContainers.enabled | bool | true |
Wait for dependency services. |
waitContainers.timeout | int | 300 |
Wait timeout for dependency services in seconds. |
The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.
Environment variables
The table below summarizes the variables supported by the KPC Docker image and provides default values along with descriptions.
Variable name | Default value | Description |
---|---|---|
APP_CONFIG_PATH |
"/srv/kpc/service-config.yml" |
Path to the service configuration YAML file inside container. In case of running in Kubernetes, consider using K8s Volumes for externalization. |
NATS_URLS |
"nats://nats:4222" |
NATS connection URLs. May include connection credentials, e.g. "nats://derek:pass@localhost:4222" . |
KAA_KPC_TRANSPORTS_MQTT_TCP_ENABLED |
true |
Enables plain MQTT transport. |
KAA_KPC_TRANSPORTS_MQTT_TCP_PORT |
1883 |
Port number to expose the plain MQTT interface at. |
KAA_KPC_TRANSPORTS_MQTT_TLS_ENABLED |
false |
Enables MQTT/TLS transport. |
KAA_KPC_TRANSPORTS_MQTT_TLS_PORT |
8883 |
Port number to expose the MQTT/TLS interface at. |
KAA_KPC_TRANSPORTS_MQTT_TLS_CLIENT_AUTH_ENABLED |
false |
Enables X.509 certificate-based client authentication. |
KAA_KPC_TRANSPORTS_MQTT_WS_ENABLED |
false |
Enables MQTT/Websocket transport. |
KAA_KPC_TRANSPORTS_MQTT_WS_PORT |
9001 |
Port number to expose the MQTT/Websocket interface at. |
KAA_KPC_TRANSPORTS_HTTP_TCP_ENABLED |
false |
Enables plain HTTP transport. |
KAA_KPC_TRANSPORTS_HTTP_TCP_PORT |
80 |
Port number to expose the plain HTTP interface at. |
KAA_KPC_TRAFFIC_MONITORING_CRON |
"* * * * *" |
Cron for traffic report publishing and monitoring |
KAA_KPC_TRAFFIC_MONITORING_QUEUE_LENGTH |
50 | The maximum amount of pending messages of traffic events in the underlying reporter’s queue. Must be between 3 and 500 inclusively |
KAA_KPC_TRAFFIC_MONITORING_TOTAL_RECEIVED_MESSAGE_COUNT_QUOTA |
0 | Quota of total received message count in cron period. 0 means no quota is applied |
KAA_KPC_TRAFFIC_MONITORING_TOTAL_SENT_MESSAGE_COUNT_QUOTA |
0 | Quota of total sent message count in cron period. 0 means no quota is applied |
KAA_TEKTON_ENABLED |
false |
Enables Tekton integration. |
KAA_TEKTON_URL |
"http://tekton" |
URL of the Tekton service. |
KAA_SECURITY_ENABLED |
false |
Enables authentication and authorization for outbound REST API calls. |
KAA_SECURITY_ISSUER |
OAuth 2.0 issuer URL for the system tenant (“kaa”). | |
KAA_SECURITY_CLIENT_ID |
Client ID for making requests in the system tenant scope. | |
KAA_SECURITY_CLIENT_SECRET |
Client secret for making requests in the system tenant scope. | |
KAA_SECURITY_MULTITENANCY_ENABLED |
false |
Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true . |
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL |
"http://tenant-manager" |
URL of the Kaa Tenant Manager that provides security configurations for tenants. |
KAA_SECURITY_IAMCORE_ENABLED |
false |
Enables iamcore integration. |
KAA_SECURITY_IAMCORE_API_KEY |
iamcore API KEY. | |
KAA_SECURITY_IAMCORE_URL |
"https://cloud.iamcore.io" |
iamcore server URL. |
KAA_SECURITY_IAMCORE_APPLICATION |
"kaa" |
iamcore application. |
KAA_LICENSE_CERT_PATH |
"/run/license/license.p12" |
Path to the Kaa platform license certificate file in PKCS #12 format. |
KAA_LICENSE_CERT_PASSWORD |
License certificate password. Required. | |
SERVICE_DEBUG |
false |
Enables debug level logging. |
Some of the listed above settings can also be controlled via the configuration options. When set, environment variables take precedence over corresponding configuration file settings.