Deployment
All Kaa services, including WD, are distributed as Helm charts. You can run these charts using Kubernetes.
Installing WD chart on Kubernetes
Preparation
These steps should be done once for your entire Kaa cluster in Kubernetes.
- Install Helm client and Tiller server.
- Create a Kaa license secret (substitute your Kaa license key file contents and password):

  ```bash
  export HISTCONTROL=ignorespace  # Prevent saving your key password in the shell history; note the leading space in the next line
   cat << EOF > /tmp/kaa-licence.yaml
  apiVersion: v1
  # Values under "data" must be base64-encoded
  data:
    file: < your licence key file contents, base64-encoded >
    password: < your licence key password, base64-encoded >
  kind: Secret
  metadata:
    name: license
  type: Opaque
  EOF
  kubectl create -f /tmp/kaa-licence.yaml
  ```
- Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

  ```bash
  export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
   export KAAID_EMAIL=<your KaaID email, e.g. bob@example.com> KAAID_PASSWORD=<your KaaID password>
  # Quote the variables so that special characters in the password are passed through intact
  kubectl create secret docker-registry kaaid --docker-server=hub.kaaiot.net --docker-username="$KAAID_EMAIL" --docker-email="$KAAID_EMAIL" --docker-password="$KAAID_PASSWORD"
  ```
- If you want to enable API security in your Kaa cluster (recommended), create an auth server backend secret so that the service can request PAT tokens.

  ```bash
  export HISTCONTROL=ignorespace  # Prevent saving your client ID and secret in the shell history; note the leading space in the next line
   cat << EOF > /tmp/keycloak-backend-secret.yaml
  apiVersion: v1
  data:
    client-id: < your client-id, base64-encoded >
    client-secret: < your client-secret, base64-encoded >
  kind: Secret
  metadata:
    name: "keycloak-backend"
    labels:
      app.kubernetes.io/name: "kaa-name"
      helm.sh/chart: "kaa-chart-version"
      app.kubernetes.io/instance: "kaa-instance-name"
      app.kubernetes.io/managed-by: "release-service-name"
  EOF
  kubectl create -f /tmp/keycloak-backend-secret.yaml
  ```
- Add the KaaIoT Helm repository:

  ```bash
  helm repo add kaa-museum https://museum.kaaiot.net/
  ```
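
An added example (not part of the Kaa documentation) for the license secret step above: it renders the manifest with both `file` and `password` base64-encoded, as the `global.license.secretName` description requires, and writes it to an owner-only temporary file rather than a fixed path in `/tmp`. The function names and the `KAA_LICENSE_PASSWORD` variable are assumptions made for this example.

```shell
# Added example: render the Kaa license Secret manifest safely.
# KAA_LICENSE_PASSWORD is an assumed variable name. Set it with `read -rs`
# so the password is never typed on a command line or saved in history.

# Encode stdin as single-line base64 (base64 may wrap long output).
b64() { base64 | tr -d '\n'; }

# render_license_secret <license.p12> [secret-name]
# Prints the path of a new mode-0600 file containing the manifest.
# The body runs in a subshell, so umask and variables do not leak out.
render_license_secret() (
    key_file=$1
    name=${2:-license}
    umask 077

    [ -r "$key_file" ] || { echo "cannot read license file: $key_file" >&2; exit 1; }
    [ -n "${KAA_LICENSE_PASSWORD:-}" ] || { echo "KAA_LICENSE_PASSWORD is not set" >&2; exit 1; }
    # Reject names that are not valid for a Secret or could break the YAML.
    case $name in
        ''|*[!a-z0-9.-]*) echo "invalid secret name: $name" >&2; exit 1 ;;
    esac

    out=$(mktemp "${TMPDIR:-/tmp}/kaa-license.XXXXXX") || exit 1
    {
        printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\n'
        printf 'metadata:\n  name: %s\n' "$name"
        printf 'data:\n'
        printf '  file: %s\n' "$(b64 < "$key_file")"
        # printf is a shell builtin, so the password does not show up in `ps`.
        printf '  password: %s\n' "$(printf '%s' "$KAA_LICENSE_PASSWORD" | b64)"
    } > "$out"
    printf '%s\n' "$out"
)

# Typical use (needs cluster access, so it is left commented out):
#   read -rs -p 'License password: ' KAA_LICENSE_PASSWORD; export KAA_LICENSE_PASSWORD
#   manifest=$(render_license_secret ./license.p12) && kubectl create -f "$manifest"
#   rm -f "$manifest"; unset KAA_LICENSE_PASSWORD
```

Delete the rendered manifest once the secret has been created, since base64 is an encoding and not encryption.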
Installation
Once you have completed the preparation steps, everything is ready for deploying WD on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):
```bash
helm install --set global.license.secretName=license kaa-museum/wd --name kaa-wd
```
Check that pods are running:
```bash
kubectl get pods
```
Once the service initialization is complete, you should see output similar to the following:

```
NAME     READY   STATUS    RESTARTS   AGE
...
kaa-wd   1/1     Running   0          2m
...
```
Chart Requirements
Repository | Name | Version |
---|---|---|
@stable | nats | 2.0.6 |
Chart Values
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} | |
analytics.enabled | bool | false | |
analytics.siteId | string | "" | |
analytics.url | string | "" | |
annotations.deployment | object | {} | |
annotations.pod | object | {} | |
config | string | "info:\n favicon: /img/fav-public-demo.png\n logo:\n main: \"\"\n secondary: \"\"\n theme: night\n title: \"Kaa\"\n" | Content for the service config map, automatically mounted as a config file into the pod. |
env | object | {} | Defines the environment variables that Kubernetes passes to the service replica. |
extraInitContainers | list | [] | |
extraPodSpecs.automountServiceAccountToken | bool | false | |
extraVolumeMounts | list | [] | |
extraVolumes | list | [] | Defines extra volumes and mounts. |
fullnameOverride | string | "" | |
global.hosts.kaaDomain | string | "" | Kaa Platform host. |
global.image.pullSecrets | list | [] | List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets. |
global.kaaIngress.enabled | bool | false | |
global.kaaIngress.tls | object | {} | |
global.keycloak.backendSecretName | string | "" | Name of the backend auth server secret, which must contain base64-encoded client-id and client-secret. Required. |
global.keycloak.baseURL | string | "" | |
global.keycloak.enabled | string | "" | Enables API security using the auth provider. Overrides keycloak.enabled. |
global.keycloak.frontendSecretName | string | "" | |
global.keycloak.realm | string | "" | Auth provider realm. Required. |
global.license.secretName | string | "" | Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. Overrides license.secretName. |
global.nats.url | string | "" | NATS URL. Overrides nats.url. |
global.tekton.enabled | string | "true" | Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in the config map. Overrides tekton.enabled. |
global.tekton.url | string | "http://-tekton" | Tekton URL. Overrides tekton.url. |
image.pullPolicy | string | "Always" | Docker image pull policy. |
image.pullSecrets | list | [] | List of image pull secret names. Each must be defined as a record with the name field. |
image.repository | string | "hub.kaaiot.net/core/service/wd/wd" | Docker image repository URL. |
image.tag | string | "" | Docker image tag version to pull and run. |
ingress.annotations | object | {} | |
ingress.enabled | bool | false | |
ingress.hosts[0].host | string | "chart-example.local" | |
ingress.hosts[0].paths | list | [] | |
ingress.tls | list | [] | |
keycloak.config | string | "enabled: true\ninitialLoginPage:\n copyright: 'Powered by the Kaa IoT Platform, 2019 KaaIoT Technologies, LLC'\n header: Welcome to the KaaIoT building management system\n show: true\n subheader: Please log in to continue.\n terms:\n - link: 'https://www.kaaiot.io/terms-of-use'\n name: Terms of Use.\n - link: 'https://www.kaaiot.io/privacy-policy'\n name: Privacy Policy.\n - link: 'https://www.kaaiot.io/cookies-policy'\n name: Cookies Policy.\n" | |
keycloak.enabled | string | "" | Enables API security using the auth provider. Overrides global.keycloak.enabled. |
license.secretName | string | "" | Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. |
metadata.component | string | "frontend" | |
metadata.partOf | string | "kaa" | |
nameOverride | string | "" | |
nats.auth.enabled | bool | false | |
nats.enabled | bool | true | Enables NATS dependency. For details, refer to https://github.com/helm/charts/tree/master/stable/nats. |
nats.url | string | "nats://-nats-client:4222" | NATS URL. |
nats.urlOverride | string | "" | NATS URL. Overrides global.nats.url and nats.url. |
nodeSelector | object | {} | |
probes.enabled | bool | true | Enables liveness, readiness, and startup probes for containers. |
probes.liveness.initialDelaySeconds | int | 30 | |
probes.liveness.periodSeconds | int | 3 | |
probes.readiness.initialDelaySeconds | int | 15 | |
probes.readiness.periodSeconds | int | 1 | |
replicaCount | int | 1 | The number of service instance replicas to run. |
resources | object | {} | |
securityContext | object | {} | |
service.externalIPs | list | [] | |
service.loadBalancerIP | string | "" | |
service.port | int | 80 | |
service.type | string | "ClusterIP" | |
tekton.enabled | string | "false" | Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in config. |
tekton.url | string | "http://-tekton" | Tekton URL. |
tekton.urlOverride | string | "" | Tekton URL. Overrides global.tekton.url and tekton.url. |
tolerations | list | [] | |
updateStrategy.type | string | "RollingUpdate" | Deployment update strategy. |
waitContainers.enabled | bool | true | Wait for dependency services. |
waitContainers.timeout | int | 300 | Wait timeout for dependency services in seconds. |
The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.
Environment variables
The table below summarizes the variables supported by the WD Docker image and provides default values along with descriptions.
Variable name | Default value | Description |
---|---|---|
INSTANCE_NAME | wd | Service instance name. |
APP_CONFIG_PATH | /srv/wd/service-config.yml | Path to the service configuration YAML file inside the container. When running in Kubernetes, consider using K8s Volumes for externalization. |
KAA_SECURITY_ENABLED | "true" or "false" | Enables or disables security. |
KAA_SECURITY_REALM | realm | Keycloak realm. Required if security is enabled. |
KAA_SECURITY_BASE_URL | https://keycloak | Keycloak base URL. Required if security is enabled. |
KAA_LICENSE_CERT_PATH | /run/license/license.p12 | Path to the Kaa platform license certificate file in PKCS #12 format. |
KAA_LICENSE_CERT_PASSWORD | | License certificate password. Required. |
OAUTH2_CLIENT_ID | | Keycloak client ID. Required. |
OAUTH2_AUDIENCE | | Keycloak audience. Required. |
SOLUTION_CONFIG_SOURCE | SERVICE_CONFIG | Solution configurations source. Possible values: SERVICE_CONFIG - solution configs are provided along with the service configs; CONFIG_SERVICE - solution configs must be retrieved from Config service. |
CONFIG_SERVICE_BASE_URL | http://tekton | Config service base URL. |
CONFIG_SERVICE_INSTANCE_NAME | tekton | Config service instance name. |
NATS_URLS | nats://nats:4222 | Comma-separated list of NATS URLs. |