Here is new documentation version.
You are reading outdated documentation, which will be shutdown soon!

Deployment

All Kaa services, including KPC, are distributed as Helm charts. You can run these charts using Kubernetes.

Installing KPC chart on Kubernetes

Preparation

These steps should be done once for your entire Kaa cluster in Kubernetes.

  1. Install Kubernetes.

  2. Install Helm client and Tiller server.

  3. Create a Kaa license secret (remember to put in your Kaa license key file contents and password):

     export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
      cat << EOF > /tmp/kaa-licence.yaml
     apiVersion: v1
     data:
       file: < your licence key file contents, base64-encoded >
       password: < your licence key password >
     kind: Secret
     metadata:
       name: license
       type: Opaque
     EOF
     kubectl create -f /tmp/kaa-licence.yaml
    
  4. Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

     export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
      export KAAID_EMAIL=<your KaaID email, eg. bob@example.com> KAAID_PASSWORD=<your KaaID password>
     kubectl create secret docker-registry kaaid --docker-server=dev-hub.kaaiot.net --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
    
  5. If you want to enable API security in your Kaa cluster (recommended), you should create an auth server backend secret for the service to be able to request PAT tokens.

     export HISTCONTROL=ignorespace # Prevent saving your client ID amd secret in the shell history; note the leading space in the next line
      cat << EOF > /tmp/keycloak-backend-secret.yaml
     apiVersion: v1
     data:
       client-id: < your client-id, base64-encoded >
       client-secret: < your client-secret, base64-encoded >
     kind: Secret
     metadata:
       name: "keycloak-backend"
       labels:
         app.kubernetes.io/name: "kaa-name"
         helm.sh/chart: "kaa-chart-version"
         app.kubernetes.io/instance: "kaa-instance-name"
         app.kubernetes.io/managed-by: "release-service-name"
     EOF
     kubectl create -f /tmp/keycloak-backend-secret.yaml
    
  6. Add the KaaIoT Helm repository:

     helm repo add kaa-museum https://museum.kaaiot.net/
    

Installation

Once you have completed the preparation steps, everything is ready for deploying KPC on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):

helm install --set global.license.secretName=license kaa-museum/kpc --name kaa-kpc

Check that pods are running:

kubectl get pods

Once the service initialization is complete, you should observe the output similar to the below:

NAME                                          READY   STATUS             RESTARTS   AGE
...
kaa-kpc                                       1/1     Running            0          2m
...

Chart Requirements

Repository Name Version
@kaa service-chart 0.0.91

Chart Values

Key Type Default Description
affinity object {}  
annotations.deployment object {}  
annotations.pod object {}  
autoscaling.enabled bool false  
autoscaling.replicaCountMax int 10  
autoscaling.replicaCountMin int 1  
autoscaling.targetCustomMetric object {}  
certmanager.apiVersion string "cert-manager.io/v1beta1"  
certmanager.issuerName string "letsencrypt-prod"  
config string "" Content for the service config map, automatically mounted as a config file into the pod.
configOverrides string ""  
env object {} Defines the environment variables that Kubernetes passes to the service replica.
extraPodSpecs.automountServiceAccountToken bool false  
extraVolumeMounts list []  
extraVolumes list []  
fullnameOverride string ""  
global.ccm.enabled bool true  
global.ccm.platform_certs.enabled bool true  
global.ccm.platform_certs.secretName string "-platform-tls"  
global.iamcore.enabled bool false  
global.image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets.
global.kaaIngress.tls.issuerKind string "Issuer"  
global.kaaIngress.tls.issuerName string "letsencrypt-stage"  
global.kaaIngress.tls.selfSigned bool false  
global.keycloak.auth.existingSecret string "-keycloak-auth"  
global.keycloak.backend.existingSecret string "-keycloak-backend"  
global.keycloak.enabled string "" Enables API security using the auth provider. Overrides keycloak.enabled.
global.keycloak.privateUrl string ""  
global.keycloak.publicUrl string ""  
global.kp1.ingress.annotations object {"nginx.ingress.kubernetes.io/cors-allow-origin":"*","nginx.ingress.kubernetes.io/enable-cors":"true","nginx.ingress.kubernetes.io/ssl-redirect":"false"} Map of custom kp1 ingress annotations
global.kp1.ingress.enabled bool false Enables kp1 ingress endpoint.
global.kp1.ingress.host string "" kp1 ingress hostname.
global.kp1.ingress.tls.enabled bool false Enables SSL for kp1 ingress endpoint.
global.kp1.ingress.tls.existingSecret string "" kp1 ingress SSL secret name if not defined Let’s encrypt cert will be created.
global.kp1.ingress.tls.letsencrypt.dnsNames list []  
global.kp1.ingress.tls.letsencrypt.enabled bool false  
global.license.existingSecret string "" Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. Overrides license.secretName.
global.monitoring.enabled bool false  
global.nats.url string "" NATS URL.
global.tekton.enabled string "" Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in the config map. Overrides tekton.enabled.
global.tekton.url string "" Tekton URL. Overrides tekton.url.
global.tenantManager.baseUrl string "" Tenant manager base URL.
global.tenantManager.enabled string "" Enables multitenancy using the Kaa Tenant Manager. Overrides tenantManager.enabled.
image.pullPolicy string "IfNotPresent" Docker image pull policy.
image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field.
image.repository string "dev-hub.kaaiot.net/core/service//" Docker image repository image URL.
image.tag string "" Docker image tag version which need to pull and run.
metadata.component string "backend"  
metadata.partOf string "kaa"  
nameOverride string ""  
nodeSelector object {}  
probes.enabled bool true Enables liveness, readiness, and startup probes for containers.
probes.liveness.initialDelaySeconds int 15  
probes.liveness.periodSeconds int 3  
probes.readiness.initialDelaySeconds int 5  
probes.readiness.periodSeconds int 1  
replicaCount int 1 The number of service instance replicas to run.
resources.limits.cpu int 1  
resources.limits.memory string "512Mi"  
resources.requests.cpu string "100m"  
resources.requests.memory string "128Mi"  
rules[0].alert string "The KPC basic authorization request error."  
rules[0].annotations.message string "Got more than 100 \"CAP client basic authorization request\" errors on the pod [/] for last 10 minutes."  
rules[0].annotations.runbook string ""  
rules[0].expr string "increase(kaa_cap_basic_auth_errors_total{}[10m]) > 100"  
rules[0].for string "10m"  
rules[0].labels.severity string "error"  
rules[1].alert string "The KPC X.509 certificate authorization request error."  
rules[1].annotations.message string "Got more than 100 \"CAP client X.509 certificate authorization request\" errors on the pod [/] for last 10 minutes."  
rules[1].annotations.runbook string ""  
rules[1].expr string "increase(kaa_cap_x509_auth_errors_total{}[10m]) > 100"  
rules[1].for string "10m"  
rules[1].labels.severity string "error"  
rules[2].alert string "The KPC EAP get EP ID by token error."  
rules[2].annotations.message string "Got more than 100 \"EAP get EP ID by token\" errors on the pod [/] for last 10 minutes."  
rules[2].annotations.runbook string ""  
rules[2].expr string "increase(kaa_eap_ep_id_by_token_errors_total{}[10m]) > 100"  
rules[2].for string "10m"  
rules[2].labels.severity string "error"  
rules[3].alert string "The KPC ESP messages drop error."  
rules[3].annotations.message string "Got more than 100 \"ESP message dropped\" errors on the pod [/] for last 10 minutes."  
rules[3].annotations.runbook string ""  
rules[3].expr string "increase(kaa_esp_extension_data_dropped_count{}[10m]) > 100"  
rules[3].for string "10m"  
rules[3].labels.severity string "error"  
runbookUrl string ""  
securityContext object {}  
service.annotations object {}  
service.externalIPs list []  
service.port int 8008  
service.transports.http.tcp.enabled bool true Enables plain HTTP transport.
service.transports.http.tcp.nodePort string "" Node port number to expose the plain HTTP interface at. Only used when service.type is “NodePort”.
service.transports.http.tcp.port int 80 Port number within the pod to expose the plain HTTP interface at.
service.transports.mqtt.tcp.enabled bool true Enables plain MQTT transport.
service.transports.mqtt.tcp.nodePort string "" Node port number to expose the plain MQTT interface at. Only used when service.type is “NodePort”.
service.transports.mqtt.tcp.port int 1883 Port number within the pod to expose the plain MQTT interface at.
service.transports.mqtt.tls.create.caB64 string "" Base64-encoded certificate authority for the MQTT/TLS transport.
service.transports.mqtt.tls.create.certB64 string "" Base64-encoded certificate for the MQTT/TLS transport.
service.transports.mqtt.tls.create.enabled bool false Enables the creation of a secret for the MQTT/TLS transport. Mutually exclusive with service.transports.mqtt.tls.existingSecret.enabled.
service.transports.mqtt.tls.create.keyB64 string "" Base64-encoded certificate private key for the MQTT/TLS transport.
service.transports.mqtt.tls.enabled bool false Enables MQTT/TLS transport.
service.transports.mqtt.tls.existingSecret.enabled bool false Enables the use of an existing secret for the MQTT/TLS transport. Mutually exclusive with service.transports.mqtt.tls.create.enabled.
service.transports.mqtt.tls.existingSecret.name string "" Existing secret name for the MQTT/TLS transport.
service.transports.mqtt.tls.nodePort string "" Node port number to expose the MQTT/TLS interface at. Only used when service.type is “NodePort”.
service.transports.mqtt.tls.port int 8883 Port number within the pod to expose the MQTT/TLS interface at.
service.transports.mqtt.tls.x509_auth.enabled bool false Enables plain x509 authentication, if enabled requires trust-store-file, enables if platform_certs: true
service.transports.mqtt.ws.enabled bool false Enables MQTT/Websocket transport.
service.transports.mqtt.ws.nodePort string "" Node port number to expose the MQTT/Websocket interface at. Only used when service.type is “NodePort”.
service.transports.mqtt.ws.port int 9001 Port number within the pod to expose the MQTT/Websocket interface at.
service.type string "LoadBalancer"  
terminationMessagePolicy string "FallbackToLogsOnError" Kubernetes termination message policy.
tolerations list []  
updateStrategy.type string "RollingUpdate" Deployment update strategy.
waitContainers.curl.image string "dev-hub.kaaiot.net/devops/docker/alpine-curl-jq/alpine-curl-jq"  
waitContainers.curl.tag string "0.0.3"  
waitContainers.enabled bool true Wait for dependency services.
waitContainers.timeout int 300 Wait timeout for dependency services in seconds.

The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.

Environment variables

The table below summarizes the variables supported by the KPC Docker image and provides default values along with descriptions.

Variable name Default value Description
APP_CONFIG_PATH "/srv/kpc/service-config.yml" Path to the service configuration YAML file inside container. In case of running in Kubernetes, consider using K8s Volumes for externalization.
NATS_URLS "nats://nats:4222" NATS connection URLs. May include connection credentials, e.g. "nats://derek:pass@localhost:4222".
KAA_KPC_TRANSPORTS_MQTT_TCP_ENABLED true Enables plain MQTT transport.
KAA_KPC_TRANSPORTS_MQTT_TCP_PORT 1883 Port number to expose the plain MQTT interface at.
KAA_KPC_TRANSPORTS_MQTT_TLS_ENABLED false Enables MQTT/TLS transport.
KAA_KPC_TRANSPORTS_MQTT_TLS_PORT 8883 Port number to expose the MQTT/TLS interface at.
KAA_KPC_TRANSPORTS_MQTT_TLS_CLIENT_AUTH_ENABLED false Enables X.509 certificate-based client authentication.
KAA_KPC_TRANSPORTS_MQTT_WS_ENABLED false Enables MQTT/Websocket transport.
KAA_KPC_TRANSPORTS_MQTT_WS_PORT 9001 Port number to expose the MQTT/Websocket interface at.
KAA_KPC_TRANSPORTS_HTTP_TCP_ENABLED false Enables plain HTTP transport.
KAA_KPC_TRANSPORTS_HTTP_TCP_PORT 80 Port number to expose the plain HTTP interface at.
KAA_KPC_TRAFFIC_MONITORING_CRON "* * * * *" Cron for traffic report publishing and monitoring
KAA_KPC_TRAFFIC_MONITORING_QUEUE_LENGTH 50 The maximum amount of pending messages of traffic events in the underlying reporter’s queue. Must be between 3 and 500 inclusively
KAA_KPC_TRAFFIC_MONITORING_TOTAL_RECEIVED_MESSAGE_COUNT_QUOTA 0 Quota of total received message count in cron period. 0 means no quota is applied
KAA_KPC_TRAFFIC_MONITORING_TOTAL_SENT_MESSAGE_COUNT_QUOTA 0 Quota of total sent message count in cron period. 0 means no quota is applied
KAA_TEKTON_ENABLED false Enables Tekton integration.
KAA_TEKTON_URL "http://tekton" URL of the Tekton service.
KAA_SECURITY_ENABLED false Enables authentication and authorization for outbound REST API calls.
KAA_SECURITY_ISSUER   OAuth 2.0 issuer URL for the system tenant (“kaa”).
KAA_SECURITY_CLIENT_ID   Client ID for making requests in the system tenant scope.
KAA_SECURITY_CLIENT_SECRET   Client secret for making requests in the system tenant scope.
KAA_SECURITY_MULTITENANCY_ENABLED false Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true.
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL "http://tenant-manager" URL of the Kaa Tenant Manager that provides security configurations for tenants.
KAA_SECURITY_IAMCORE_ENABLED false Enables iamcore integration.
KAA_SECURITY_IAMCORE_API_KEY   iamcore API KEY.
KAA_SECURITY_IAMCORE_URL "https://cloud.iamcore.io" iamcore server URL.
KAA_SECURITY_IAMCORE_APPLICATION "kaa" iamcore application.
KAA_LICENSE_CERT_PATH "/run/license/license.p12" Path to the Kaa platform license certificate file in PKCS #12 format.
KAA_LICENSE_CERT_PASSWORD   License certificate password. Required.
SERVICE_DEBUG false Enables debug level logging.

Some of the listed above settings can also be controlled via the configuration options. When set, environment variables take precedence over corresponding configuration file settings.