Deployment
All Kaa services, including Tenant Manager, are distributed as Helm charts. You can run these charts using Kubernetes.
Preparation
These steps should be done once for your entire Kaa cluster in Kubernetes.
- Install the Helm client.
- Create a Kaa license secret. Put your license key file contents and your license password into the two data fields. Both values under data: must be base64-encoded (the API server rejects raw values there); if you prefer to paste plaintext, put the two fields under stringData: instead. Base64 is an encoding, not encryption: anyone who can read the Secret can recover the key and password, so scope RBAC on it accordingly.
export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
 cat << EOF > /tmp/kaa-license.yaml
apiVersion: v1
data:
  file: < your license key file contents, base64-encoded >
  password: < your license key password, base64-encoded >
kind: Secret
metadata:
  name: license
type: Opaque
EOF
kubectl create -f /tmp/kaa-license.yaml
rm /tmp/kaa-license.yaml # Do not leave the manifest (and with it the key and password) lying in /tmp
- Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:
export HISTCONTROL=ignorespace # Prevent saving your credentials in the shell history; note the leading space in the next line
 export KAAID_EMAIL=<your KaaID email, e.g. bob@example.com> KAAID_PASSWORD=<your KaaID password>
kubectl create secret docker-registry kaaid --docker-server=dev-hub.kaaiot.net --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
unset KAAID_PASSWORD
The password passed via --docker-password is visible to other local users in the process list while the command runs. On a shared host, build a Docker config file first and create the secret from it instead: kubectl create secret generic kaaid --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=<path to config.json>. Creating the secret is not enough by itself; the chart only uses it if you reference it through global.image.pullSecrets (see Chart Values below).
- Add the KaaIoT Helm repository:
helm repo add kaa-museum
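The license secret step above asks you to paste base64 into a file in /tmp. As an added example (not part of the Kaa documentation or its tooling), the script below generates the same Secret manifest on stdout, encodes both data fields itself, and includes a round-trip check so you can confirm the encoding before anything reaches the cluster. It assumes POSIX sh with a coreutils or busybox base64; the file names kaa.license and license.pw in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Kaa documentation or tooling: build the
# `license` Secret manifest on stdout instead of hand-editing /tmp/kaa-license.yaml.
# Both values under `data:` are base64-encoded because the Kubernetes API
# requires that for `data:` (plaintext belongs under `stringData:`). Base64 is
# encoding, not encryption, so RBAC on the Secret is the only real protection.
# Assumes POSIX sh and a coreutils/busybox `base64`; kubectl is only needed to apply.

set -eu

# make_license_secret KEY_FILE PASSWORD_FILE
#   KEY_FILE       the Kaa license key file as received
#   PASSWORD_FILE  a mode-0600 file holding the license password (reading it
#                  from a file keeps it out of `ps` output and shell history)
# Prints a Secret named `license` to stdout, ready for `kubectl create -f -`.
make_license_secret() {
  key_file=$1
  pw_file=$2
  # `tr -d '\n'` joins the wrapped base64 output into the single line YAML needs.
  key_b64=$(base64 < "$key_file" | tr -d '\n')
  # A trailing newline left behind by an editor would become part of the
  # password and fail license validation; strip it before encoding.
  pw_b64=$(tr -d '\n' < "$pw_file" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: license
type: Opaque
data:
  file: $key_b64
  password: $pw_b64
EOF
}

# decode_field MANIFEST FIELD
#   Round-trip check: pull FIELD (file|password) out of a manifest produced by
#   make_license_secret and decode it, so the encoding can be verified locally.
decode_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Usage (not executed here):
#   umask 077; printf '%s' "$PW" > ./license.pw      # or `read -s PW` at a terminal
#   make_license_secret ./kaa.license ./license.pw | kubectl create -f -
#   rm -f ./license.pw
```

Piping the manifest straight into kubectl means the key and password never sit in a world-readable temp directory, and the password file replaces a command-line argument so neither `ps` nor the shell history sees it. The equivalent kubectl one-liner, `kubectl create secret generic license --from-file=file=./kaa.license --from-file=password=./license.pw`, is fine too, but it keeps a trailing newline in the password file verbatim, which is the case the script strips.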
Installation
Once you have completed the preparation steps, everything is ready for deploying Tenant Manager on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret, and the reference to the kaaid pull secret, which the chart does not pick up on its own):
helm install --set global.license.existingSecret=license --set 'global.image.pullSecrets[0].name=kaaid' kaa-museum/tenant-manager --name kaa-tenant-manager
The --name flag is Helm 2 syntax. With Helm 3 the release name is the first positional argument: helm install kaa-tenant-manager kaa-museum/tenant-manager --set ... .
Check that pods are running:
kubectl get pods
Once the service initialization is complete, you should observe output similar to the below:
NAME READY STATUS RESTARTS AGE
...
kaa-tenant-manager 1/1 Running 0 2m
...
Chart Requirements
Repository | Name | Version |
---|---|---|
@bitnami | postgresql | 10.1.1 |
@bitnami | redis | 10.5.7 |
@kaa | service-chart | 0.0.42 |
Chart Values
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} | |
annotations.deployment | object | {} | |
annotations.pod | object | {} | |
config | object | {"args":["-l","info"]} | Service config. |
env | object | {} | Defines the environment variables that Kubernetes passes to the service replica. |
extraPodSpecs.automountServiceAccountToken | bool | false | |
fullnameOverride | string | "" | |
global.iam.enabled | string | "" | |
global.image.pullSecrets | list | [] | List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets. |
global.kaaIngress.tls.issuerKind | string | "Issuer" | |
global.kaaIngress.tls.issuerName | string | "letsencrypt-stage" | |
global.kaaIngress.tls.selfSigned | bool | false | |
global.keycloak.auth.existingSecret | string | "-keycloak-auth" | |
global.keycloak.backend.existingSecret | string | "-keycloak-backend" | |
global.keycloak.env.tenantEventsEnabled | string | "false" | |
global.keycloak.frontend.existingSecret | string | "-keycloak-frontend" | |
global.keycloak.privateUrl | string | "" | |
global.keycloak.publicUrl | string | "" | |
global.licenseValidationServer.url | string | "" | |
global.logLevel | string | "" | |
global.minio.accessKey | string | "AKIAIOSFODNN7EXAMPLE" | |
global.minio.enabled | bool | true | |
global.minio.endpoint | string | ":9000" | |
global.minio.secretKey | string | "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | |
global.monitoring.enabled | bool | false | |
global.nats.url | string | "" | NATS URL. Overrides nats.url. |
global.opendistro.enabled | bool | false | |
global.opendistro.indexPolicyRotationsSpan | string | "" | |
global.opendistro.kibanaUrl | string | "" | |
global.opendistro.password | string | "" | |
global.opendistro.url | string | "" | |
global.opendistro.urlOverride | string | "" | |
global.opendistro.username | string | "" | |
global.postgresql.url | string | "" | PostgreSQL database URL. |
global.redis.url | string | "" | Redis database URL. |
global.slack.apiToken | string | "sample" | |
global.slack.channel | string | "sample" | |
global.slack.enabled | bool | false | |
image.pullPolicy | string | "Always" | Docker image pull policy. |
image.pullSecrets | list | [] | List of image pull secret names. Each must be defined as a record with the name field. |
image.repository | string | "dev-hub.kaaiot.net/core/service/tenant-manager/tenant-manager" | Docker image repository URL. |
image.tag | string | "" | Docker image tag to pull and run. |
ingress.annotations | object | {} | You can use annotations to attach metadata to Kubernetes objects. |
ingress.enabled | bool | false | |
ingress.hosts | list | ["chart-example.local"] | Hosts must match the content of an incoming request before the load balancer directs traffic to the referenced Service. |
ingress.paths | list | [] | Paths must match the content of an incoming request before the load balancer directs traffic to the referenced Service. |
ingress.tls | list | [] | Utilize TLS backend in ingress. |
licenseValidationServer.url | string | "http://license.kaaiot.net" | |
metadata.component | string | "backend" | |
metadata.partOf | string | "kaa" | |
minio.accessKey | string | "" | |
minio.endpoint | string | "" | |
minio.secretKey | string | "" | |
nameOverride | string | "" | |
nats.auth.enabled | bool | false | |
nats.enabled | bool | true | Enables the NATS dependency. For details refer to https://github.com/helm/charts/tree/master/stable/nats. |
nats.url | string | "nats://-nats-client:4222" | NATS URL. |
nats.urlOverride | string | "" | NATS URL. Overrides global.nats.url and nats.url. |
nginx.image.repository | string | "dev-hub.kaaiot.net/core/service/tenant-manager/tenant-manager/nginx" | |
nginx.image.tag | string | "" | |
nginx.resources.requests.cpu | string | "100m" | |
nginx.resources.requests.memory | string | "256Mi" | |
nodeSelector | object | {} | |
opendistro.indexPolicyRotationsSpan | string | "" | |
opendistro.kibanaUrl | string | "" | |
opendistro.url | string | "" | |
opendistro.urlOverride | string | "" | |
postgresql.enabled | bool | true | |
postgresql.existingSecret | string | "" | |
postgresql.master.persistence.enabled | bool | true | |
postgresql.master.persistence.size | string | "2Gi" | |
postgresql.persistence.enabled | bool | true | |
postgresql.postgresqlDatabase | string | "tenant-manager" | |
postgresql.postgresqlUsername | string | "tenant-manager" | |
postgresql.replication.enabled | bool | false | |
postgresql.service.port | int | 5432 | |
postgresql.url | string | "-" | |
postgresql.urlOverride | string | "" | PostgreSQL URL. Overrides global.postgresql.url and postgresql.url. |
probes.enabled | bool | true | Enables liveness, readiness, and startup probes for containers. |
probes.liveness.initialDelaySeconds | int | 600 | |
probes.liveness.periodSeconds | int | 3 | |
probes.readiness.initialDelaySeconds | int | 10 | |
probes.readiness.periodSeconds | int | 5 | |
redis.cluster.enabled | bool | false | |
redis.enabled | bool | true | For details refer to https://github.com/helm/charts/tree/master/stable/redis. |
redis.master.persistence.enabled | bool | true | |
redis.master.resources.requests.cpu | string | "100m" | |
redis.master.resources.requests.memory | string | "256Mi" | |
redis.url | string | "--master" | Redis URL. |
redis.urlOverride | string | "" | Redis URL. Overrides global.redis.url and redis.url. |
redis.usePassword | bool | false | |
replicaCount | int | 1 | The number of service instance replicas to run. |
resources.limits.cpu | int | 2 | |
resources.limits.memory | string | "1Gi" | |
resources.requests.cpu | string | "100m" | |
resources.requests.memory | string | "700Mi" | |
securityContext | object | {} | |
service.externalIPs | list | [] | |
service.loadBalancerIP | string | "" | |
service.port | int | 80 | Port of the running Tenant Manager. |
service.type | string | "ClusterIP" | Kubernetes Service type. |
slack.apiToken | string | "" | |
slack.channel | string | "" | |
terminationMessagePolicy | string | "FallbackToLogsOnError" | Kubernetes termination message policy. |
tolerations | list | [] | |
updateStrategy.type | string | "RollingUpdate" | Deployment update strategy. |
waitContainers.curl.image | string | "dev-hub.kaaiot.net/devops/docker/alpine-curl-jq/alpine-curl-jq" | |
waitContainers.curl.tag | string | "0.0.2" | |
waitContainers.enabled | bool | true | Wait for dependent services before starting the main container. |
waitContainers.timeout | int | 300 | Maximum time, in seconds, to wait for dependent services. |
The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.
Defaults that begin with a bare hyphen (for example "-keycloak-auth", "nats://-nats-client:4222", "--master") are prefixed with the Helm release name when the chart is rendered; the prefix was lost in this listing.
Several defaults are fine for a trial and wrong for anything exposed: global.minio.accessKey and global.minio.secretKey are the well-known AWS documentation sample credentials and must be replaced; nats.auth.enabled and redis.usePassword are false, so the message bus and cache accept unauthenticated connections from anything that can reach them in the cluster; securityContext is empty, so the container runs with the image's own user and capabilities; licenseValidationServer.url uses plain http; image.tag is empty with pullPolicy Always, so each restart may pull a different image; and the kaaIngress issuer defaults to letsencrypt-stage, whose certificates are not trusted by browsers.
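The values below are an added example of a hardened override file for this chart; it is not shipped with Kaa and not taken from the page. Every key used appears in the Chart Values table; the concrete names (kaa-tenant-manager-pg, tenant-manager.example.com, the tag 1.2.3, the ClusterIssuer letsencrypt-prod) are placeholders, and the container-level fields under securityContext assume the chart applies that object to the container rather than the pod.

```yaml
# Added example override file, not part of the Kaa chart. Placeholder names are
# marked in the comments; everything else maps to a key in the Chart Values table.
global:
  license:
    existingSecret: license              # the Secret created in Preparation
  image:
    pullSecrets:
      - name: kaaid                      # the docker-registry Secret created in Preparation
  licenseValidationServer:
    url: https://license.kaaiot.net      # chart default is plain http
  kaaIngress:
    tls:
      selfSigned: false
      issuerKind: ClusterIssuer          # placeholder: cert-manager issuer of your choice
      issuerName: letsencrypt-prod       # replaces the untrusted letsencrypt-stage default
  # global.minio.accessKey / secretKey are deliberately absent: pass them with
  # --set from your secret store rather than committing them to this file.

image:
  pullPolicy: IfNotPresent
  tag: "1.2.3"                           # placeholder: pin an exact tag instead of ""

postgresql:
  existingSecret: kaa-tenant-manager-pg  # placeholder: pre-created Secret holding the DB password

extraPodSpecs:
  automountServiceAccountToken: false    # already the default; kept explicit on purpose

securityContext:                         # assumes the chart renders this on the container
  runAsNonRoot: true
  runAsUser: 10001
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

ingress:
  enabled: true
  hosts:
    - tenant-manager.example.com         # placeholder
  tls:
    - secretName: tenant-manager-tls     # placeholder: TLS Secret for the host above
      hosts:
        - tenant-manager.example.com
```

Apply it with `helm install ... -f values-secure.yaml` in addition to the `--set` flags from Installation. If the release fails to start with runAsNonRoot set, the image runs as root by default; keep the setting and fix the image rather than dropping the constraint. nats.auth.enabled and redis.usePassword are left at their defaults here because enabling them requires credential keys from the upstream NATS and Redis charts that the table above does not list.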
Environment variables
The table below summarizes the variables supported by the Tenant Manager Docker image and provides default values along with descriptions.
Variable name | Default value | Description |
---|---|---|
KAA_ELASTICSEARCH_URL | "" | Elasticsearch connection URL. |
ELASTICSEARCH_TIMEOUT | 120 | Elasticsearch connection timeout. |
KIBANA_URL | "" | Kibana dashboard URL. |
KAA_TENANT_ADMIN_USER | "admin" | Kaa tenant admin user. |
KAA_TENANT_ADMIN_PASSWORD | "admin" | Kaa tenant admin user's password. |
KAA_TENANT_ADMIN_EMAIL | "admin@example.com" | Kaa tenant admin user's email. |
KAA_ELASTICSEARCH_USERNAME | "" | Elasticsearch connection username. |
KAA_ELASTICSEARCH_PASSWORD | "" | Elasticsearch connection password. |
KAA_PUBLIC_KEYCLOAK_URL | "" | OAuth 2.0 issuer public URL for the system tenant ("kaa"). |
KAA_PRIVATE_KEYCLOAK_URL | "" | OAuth 2.0 issuer private URL for the system tenant ("kaa"). |
KAA_SYSTEM_BACKEND_CLIENT_ID | "" | Backend client ID for making requests in the system tenant scope. |
KAA_SYSTEM_FRONTEND_CLIENT_ID | "" | Frontend client ID for making requests in the system tenant scope. |
KAA_SYSTEM_BACKEND_CLIENT_SECRET | "" | Client secret for making requests in the system tenant scope. |
KAA_KEYCLOAK_USERNAME | "" | Kaa tenant username for making requests in the system tenant scope. |
POSTGRES_HOST | "localhost" | PostgreSQL connection host. |
POSTGRES_USER | "root" | PostgreSQL connection username. |
POSTGRES_PASSWORD | "root" | PostgreSQL connection password. |
POSTGRES_DATABASE | "tenant-manager" | PostgreSQL connection database. |
KAA_KEYCLOAK_PASSWORD | "" | Kaa tenant password for making requests in the system tenant scope. |
KAA_LICENSE_CERT_PASSWORD | (no default) | License certificate password. Required. |
LICENSE_VALIDATION_SERVER_URL | "https://license.kaaiot.net" | License validation URL. |
MINIO_ENDPOINT | "" | Minio connection URL. |
MINIO_ACCESS_KEY | "" | Minio access key. |
MINIO_SECRET_KEY | "" | Minio secret key. |
SLACK_ENABLED | False | Enables Slack notifications. |
SLACK_API_TOKEN | "" | Slack API token. |
SLACK_CHANNEL | "" | Slack channel. |
MINIO_ALIAS | "" | Minio alias. |
REDIS_HOST | "localhost" | Redis server host. |
NATS_URL | "" | NATS server URL. |
IAM_SERVICE_URL | "" | IAM service URL. |
LOG_LEVEL | "INFO" | Log level for the Tenant Manager application. |
WORKERS_PER_CORE | "2" | Number of worker processes per CPU core. |
HOST | "0.0.0.0" | Address the service binds to. |
PORT | "8080" | Port the service listens on. |
DEBUG | False | Enables debug mode. |
TENANT_MANAGER_TIME_ZONE | "Europe/Kiev" | Time zone for the service. |
RETRY_LIMIT | "10" | Retry limit of requests to Elasticsearch. |
TENANT_AUTH_ACTIVITY_EVENT_ENABLED | False | Enables tenant auth activity events in Keycloak. |
DEFAULT_IDP_ENABLED | False | Enables the default identity provider for the kaa realm. |
KEYCLOAK_CLIENT_ID_STRING_ENABLED | False | Enables client ID realm. |
INDEX_POLICY_ROTATIONS_SPAN | 15 | Index rotation policy span. |
FREE_TRIAL_PERIOD | "30" | Free trial period of a tenant, in days. |
SUSPENSION_PERIOD | "30" | Suspension period of a tenant, in days. |
BEFORE_SUSPENSION | "3" | Number of days before suspension at which the warning email is sent. |
BEFORE_DELETION | "15" | Number of days before tenant deletion at which the warning email is sent. |
Note the built-in defaults: KAA_TENANT_ADMIN_USER/KAA_TENANT_ADMIN_PASSWORD are admin/admin and POSTGRES_USER/POSTGRES_PASSWORD are root/root, so an image started outside the chart without explicit values comes up with guessable credentials; set them, and keep DEBUG off, in any reachable deployment. The image default for LICENSE_VALIDATION_SERVER_URL is https, while the chart's licenseValidationServer.url default is http; check which scheme the validation server actually serves and prefer https, since the license check otherwise travels in the clear.