All Kaa services, including Tenant Manager, are distributed as Helm charts. You can run these charts using Kubernetes.


These steps should be done once for your entire Kaa cluster in Kubernetes.

  1. Install Kubernetes.

  2. Install Helm client.

  3. Create a Kaa license secret (remember to put in your Kaa license key file contents and password):

export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
 cat << EOF > /tmp/kaa-license.yaml
apiVersion: v1
# Kubernetes requires every value under data: to be base64-encoded
data:
  file: < your license key file contents, base64-encoded >
  password: < your license key password >
kind: Secret
metadata:
  name: license
type: Opaque
EOF
kubectl create -f /tmp/kaa-license.yaml

  4. Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
 export KAAID_EMAIL=<your KaaID email, eg.> KAAID_PASSWORD=<your KaaID password>
kubectl create secret docker-registry kaaid --docker-username="$KAAID_EMAIL" --docker-email="$KAAID_EMAIL" --docker-password="$KAAID_PASSWORD"

  5. Add the KaaIoT Helm repository:

helm repo add kaa-museum 
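
One way to build the license secret from step 3 without pasting values into a file under /tmp, added here as an example and not taken from the Kaa documentation. The function name `render_license_secret`, the key file name and the sample values are assumptions; both fields are encoded with `printf '%s'` so that no trailing newline ends up inside the stored password.

```shell
#!/bin/sh
# render_license_secret KEY_FILE PASSWORD
# Prints a Secret manifest named "license" on stdout. Everything under data:
# must be base64-encoded, so both fields are encoded here.
render_license_secret() {
    key_file=$1
    password=$2
    [ -r "$key_file" ] || { echo "cannot read key file: $key_file" >&2; return 1; }
    # tr removes the line wrapping that base64 adds to long input.
    file_b64=$(base64 < "$key_file" | tr -d '\n')
    # printf '%s' rather than echo: echo would append a newline, and that
    # newline would become part of the stored password.
    pass_b64=$(printf '%s' "$password" | base64 | tr -d '\n')
    cat << EOF
apiVersion: v1
kind: Secret
metadata:
  name: license
type: Opaque
data:
  file: $file_b64
  password: $pass_b64
EOF
}

# Demonstration with constructed values (a 3-byte stand-in for the key file).
demo_key=$(mktemp)
printf 'abc' > "$demo_key"
render_license_secret "$demo_key" 's3cret'
rm -f "$demo_key"

# Against a cluster the manifest can go straight to kubectl, so no copy is
# left on disk (license.p12 and LICENSE_PASSWORD are hypothetical names):
#   render_license_secret license.p12 "$LICENSE_PASSWORD" | kubectl create -f -
```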


Once you have completed the preparation steps, everything is ready for deploying Tenant Manager on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):

helm install --set global.license.existingSecret=license kaa-museum/tenant manager --name kaa-tenant manager

Check that pods are running:

kubectl get pods

Once the service initialization is complete, you should see output similar to the following:

NAME                                          READY   STATUS             RESTARTS   AGE
kaa-tenant manager                                       1/1     Running            0          2m

Chart Requirements

Repository Name Version
@bitnami postgresql 10.1.1
@bitnami redis 10.5.7
@kaa service-chart 0.0.42

Chart Values

Key Type Default Description
affinity object {}  
annotations.deployment object {}  
annotations.pod object {}  
config object {"args":["-l","info"]} Service config
env object {} Defines the environment variables that Kubernetes passes to the service replica.
extraPodSpecs.automountServiceAccountToken bool false  
fullnameOverride string ""  
global.iam.enabled string ""  
global.image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets.
global.kaaIngress.tls.issuerKind string "Issuer"  
global.kaaIngress.tls.issuerName string "letsencrypt-stage"  
global.kaaIngress.tls.selfSigned bool false  
global.keycloak.auth.existingSecret string "-keycloak-auth"  
global.keycloak.backend.existingSecret string "-keycloak-backend"  
global.keycloak.env.tenantEventsEnabled string "false"  
global.keycloak.frontend.existingSecret string "-keycloak-frontend"  
global.keycloak.privateUrl string ""  
global.keycloak.publicUrl string ""  
global.licenseValidationServer.url string ""  
global.logLevel string ""  
global.minio.accessKey string "AKIAIOSFODNN7EXAMPLE"  
global.minio.enabled bool true  
global.minio.endpoint string ":9000"  
global.minio.secretKey string "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  
global.monitoring.enabled bool false  
global.nats.url string "" NATS URL. Overrides nats.url.
global.opendistro.enabled bool false  
global.opendistro.indexPolicyRotationsSpan string ""  
global.opendistro.kibanaUrl string ""  
global.opendistro.password string ""  
global.opendistro.url string ""  
global.opendistro.urlOverride string ""  
global.opendistro.username string ""  
global.postgresql.url string "" Postgres database URL.
global.redis.url string "" Redis database URL.
global.slack.apiToken string "sample"  
global.slack.enabled bool false  
image.pullPolicy string "Always" Docker image pull policy.
image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field.
image.repository string "" Docker image repository URL.
image.tag string "" Docker image tag version to pull and run.
ingress.annotations object {} You can use annotations to attach metadata to Kubernetes objects.
ingress.enabled bool false  
ingress.hosts list ["chart-example.local"] hosts must match the content of an incoming request before the load balancer directs traffic to the referenced Service.
ingress.paths list [] paths must match the content of an incoming request before the load balancer directs traffic to the referenced Service.
ingress.tls list [] Utilize TLS backend in ingress
licenseValidationServer.url string ""  
metadata.component string "backend"  
metadata.partOf string "kaa"  
minio.accessKey string ""  
minio.endpoint string ""  
minio.secretKey string ""  
nameOverride string ""  
nats.auth.enabled bool false  
nats.enabled bool true Enables NATS dependency. For detailed info refer
nats.url string "nats://-nats-client:4222" NATS URL.
nats.urlOverride string "" NATS URL. Overrides global.nats.url and nats.url.
nginx.image.repository string ""  
nginx.image.tag string ""  
nginx.resources.requests.cpu string "100m"  
nginx.resources.requests.memory string "256Mi"  
nodeSelector object {}  
opendistro.indexPolicyRotationsSpan string ""  
opendistro.kibanaUrl string ""  
opendistro.url string ""  
opendistro.urlOverride string ""  
postgresql.enabled bool true  
postgresql.existingSecret string ""  
postgresql.master.persistence.enabled bool true  
postgresql.master.persistence.size string "2Gi"  
postgresql.persistence.enabled bool true  
postgresql.postgresqlDatabase string "tenant-manager"  
postgresql.postgresqlUsername string "tenant-manager"  
postgresql.replication.enabled bool false  
postgresql.service.port int 5432  
postgresql.url string "-"  
postgresql.urlOverride string "" Postgresql URL. Overrides global.postgresql.url and postgresql.url.
probes.enabled bool true Enables liveness, readiness, and startup probes for containers.
probes.liveness.initialDelaySeconds int 600  
probes.liveness.periodSeconds int 3  
probes.readiness.initialDelaySeconds int 10  
probes.readiness.periodSeconds int 5  
redis.cluster.enabled bool false  
redis.enabled bool true For detailed info please look in
redis.master.persistence.enabled bool true  
redis.master.resources.requests.cpu string "100m"  
redis.master.resources.requests.memory string "256Mi"  
redis.url string "--master" Redis URL.
redis.urlOverride string "" Redis URL. Overrides global.redis.url and redis.url.
redis.usePassword bool false  
replicaCount int 1 The number of service instance replicas to run.
resources.limits.cpu int 2  
resources.limits.memory string "1Gi"  
resources.requests.cpu string "100m"  
resources.requests.memory string "700Mi"  
securityContext object {}  
service.externalIPs list []  
service.loadBalancerIP string ""  
service.port int 80 Port of running Tenant Manager
service.type string "ClusterIP" Kubernetes Service type
slack.apiToken string ""  
terminationMessagePolicy string "FallbackToLogsOnError" Kubernetes termination message policy.
tolerations list []  
updateStrategy.type string "RollingUpdate" Deployment update strategy.
waitContainers.curl.image string ""  
waitContainers.curl.tag string "0.0.2"  
waitContainers.enabled bool true Enables waiting for dependent services.
waitContainers.timeout int 300 Timeout for waiting on dependent services, in seconds.

The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.

Environment variables

The table below summarizes the variables supported by the Tenant Manager Docker image and provides default values along with descriptions.

Variable name Default value Description
KAA_ELASTICSEARCH_URL "" Elasticsearch connection URL.
ELASTICSEARCH_TIMEOUT 120 Elasticsearch connection timeout.
KIBANA_URL "" Kibana dashboard URL.
KAA_TENANT_ADMIN_USER "admin" Kaa tenant admin user.
KAA_TENANT_ADMIN_PASSWORD "admin" Kaa tenant admin user’s password.
KAA_TENANT_ADMIN_EMAIL "" Kaa tenant admin user’s email.
KAA_ELASTICSEARCH_USERNAME "" Elasticsearch connection username.
KAA_ELASTICSEARCH_PASSWORD "" Elasticsearch connection password.
KAA_PUBLIC_KEYCLOAK_URL "" OAuth 2.0 issuer public URL for the system tenant (“kaa”).
KAA_PRIVATE_KEYCLOAK_URL "" OAuth 2.0 issuer private URL for the system tenant (“kaa”).
KAA_SYSTEM_BACKEND_CLIENT_ID "" Client Backend ID for making requests in the system tenant scope.
KAA_SYSTEM_FRONTEND_CLIENT_ID "" Client Front ID for making requests in the system tenant scope.
KAA_SYSTEM_BACKEND_CLIENT_SECRET "" Client secret for making requests in the system tenant scope.
KAA_KEYCLOAK_USERNAME "" Kaa tenant username for making requests in the system tenant scope.
POSTGRES_HOST "localhost" PostgreSQL connection host.
POSTGRES_USER "root" PostgreSQL connection username.
POSTGRES_PASSWORD "root" PostgreSQL connection password.
POSTGRES_DATABASE "tenant-manager" PostgreSQL connection database.
KAA_KEYCLOAK_PASSWORD "" Kaa tenant password for making requests in the system tenant scope.
KAA_LICENSE_CERT_PASSWORD   License certificate password. Required.
MINIO_ENDPOINT "" Minio connection URL.
MINIO_ACCESS_KEY "" Minio access key.
MINIO_SECRET_KEY "" Minio secret key.
SLACK_ENABLED False Enables Slack.
SLACK_API_TOKEN "" Slack API token.
SLACK_CHANNEL "" Slack channel.
MINIO_ALIAS "" Minio alias.
REDIS_HOST "localhost" Redis server host.
NATS_URL "" NATS server host.
LOG_LEVEL "INFO" Log level for TM application.
WORKERS_PER_CORE "2" Worker size per core.
HOST "" Host of the service.
PORT "8080" Port of the service.
DEBUG False Enables debug level.
TENANT_MANAGER_TIME_ZONE "Europe/Kiev" Time zone for the service.
RETRY_LIMIT "10" Retry limit of requests to Elasticsearch.
TENANT_AUTH_ACTIVITY_EVENT_ENABLED False Enables tenant auth activity in Keycloak.
DEFAULT_IDP_ENABLED False Enables default identity provider for kaa realm.
INDEX_POLICY_ROTATIONS_SPAN 15 Index rotation policy span.
FREE_TRIAL_PERIOD "30" Free trial period.
SUSPENSION_PERIOD "30" Suspension period of the tenant.
BEFORE_SUSPENSION "3" Email to be sent the day before suspension.
BEFORE_DELETION "15" Email to be sent the day before tenant deletion.
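
A check for credentials left at the defaults listed in the tables above, added here as an example and not part of the Kaa documentation. It reads `NAME=value` lines such as the output of `env` inside the Tenant Manager container; the function name, the sample lines and the mapping of the chart's MinIO and Slack placeholder values onto the image variables are assumptions. An unset variable is reported too, because the image default then applies.

```shell
#!/bin/sh
# audit_tm_env: reads NAME=value lines on stdin and reports credentials that
# are still at a documented default. Returns 1 when anything is reported.
audit_tm_env() {
    findings=$(awk '
        BEGIN {
            # Image defaults from the environment variable table; they are
            # also in effect when the variable is not set at all.
            image_default["KAA_TENANT_ADMIN_PASSWORD"] = "admin"
            image_default["POSTGRES_PASSWORD"] = "root"
            # Placeholder values from the Chart Values table; applying them
            # to these variables is an assumption of this example.
            placeholder["MINIO_ACCESS_KEY"] = "AKIAIOSFODNN7EXAMPLE"
            placeholder["MINIO_SECRET_KEY"] = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
            placeholder["SLACK_API_TOKEN"] = "sample"
        }
        index($0, "=") == 0 { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            value = substr($0, index($0, "=") + 1)   # values may contain "="
            seen[name] = 1
            if (name in image_default && value == image_default[name]) { print "DEFAULT " name }
            if (name in placeholder && value == placeholder[name]) { print "PLACEHOLDER " name }
        }
        END {
            for (n in image_default) { if (!(n in seen)) { print "UNSET " n } }
        }' | sort)
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample, not captured from a real deployment.
SAMPLE_ENV='POSTGRES_USER=tenant-manager
POSTGRES_PASSWORD=root
SLACK_API_TOKEN=sample
LOG_LEVEL=INFO'
printf '%s\n' "$SAMPLE_ENV" | audit_tm_env || echo "override the variables listed above"
```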