Deployment

All Kaa services, including BCX, are distributed as Helm charts. You can run these charts using Kubernetes.

Installing BCX chart on Kubernetes

Preparation

These steps should be done once for your entire Kaa cluster in Kubernetes.

  1. Install Kubernetes.

  2. Install Helm client and Tiller server.

  3. Create a Kaa license secret (remember to put in your Kaa license key file contents and password; both fields under data must be base64-encoded, and type is a top-level field of the Secret, not part of metadata):

     export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
      cat << EOF > /tmp/kaa-licence.yaml
     apiVersion: v1
     data:
       file: < your licence key file contents, base64-encoded >
       password: < your licence key password, base64-encoded >
     kind: Secret
     metadata:
       name: license
     type: Opaque
     EOF
     kubectl create -f /tmp/kaa-licence.yaml
    
  4. Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

     export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
      export KAAID_EMAIL=<your KaaID email, e.g. bob@example.com> KAAID_PASSWORD=<your KaaID password>
     kubectl create secret docker-registry kaaid --docker-server=dev-hub.kaaiot.net --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
    
  5. If you want to enable API security in your Kaa cluster (recommended), create an auth server backend secret so that the service can request PAT tokens:

     export HISTCONTROL=ignorespace # Prevent saving your client ID and secret in the shell history; note the leading space in the next line
      cat << EOF > /tmp/keycloak-backend-secret.yaml
     apiVersion: v1
     data:
       client-id: < your client-id, base64-encoded >
       client-secret: < your client-secret, base64-encoded >
     kind: Secret
     metadata:
       name: "keycloak-backend"
       labels:
         app.kubernetes.io/name: "kaa-name"
         helm.sh/chart: "kaa-chart-version"
         app.kubernetes.io/instance: "kaa-instance-name"
         app.kubernetes.io/managed-by: "release-service-name"
     EOF
     kubectl create -f /tmp/keycloak-backend-secret.yaml
    
  6. Add the KaaIoT Helm repository:

     helm repo add kaa-museum https://museum.kaaiot.net/
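
As an added example (not from the Kaa documentation), the shell functions below build the license Secret from step 3 in memory and pipe it to kubectl, so the key file and password are never written to /tmp in plaintext; the secret name "license" and the script file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Kaa docs): build the license Secret manifest in
# memory and pipe it straight to kubectl. Both fields go under `data:`, so both
# must be base64-encoded, and `type: Opaque` is a top-level field of the Secret.
set -eu

# Single-line base64 for a file or a string (portable across GNU and BSD base64).
b64_file() { base64 < "$1" | tr -d '\n'; }
b64_str()  { printf '%s' "$1" | base64 | tr -d '\n'; }

# Usage: license_secret_manifest <secret-name> <license.p12> <password>
# Prints a Kubernetes Secret manifest on stdout; returns 1 if the file is unreadable.
license_secret_manifest() {
  name=$1; p12=$2; password=$3
  if [ ! -r "$p12" ]; then
    echo "license file not readable: $p12" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: $name
data:
  file: $(b64_file "$p12")
  password: $(b64_str "$password")
EOF
}

# Decode one data field of a generated manifest, to verify it before applying.
# Usage: decoded_field <manifest-text> <field>
decoded_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: //p" | base64 -d
}

# Typical use (this file is assumed to be saved as license-secret.sh):
#   . ./license-secret.sh
#   license_secret_manifest license ./license.p12 "$KAA_LICENSE_PASSWORD" | kubectl create -f -
```

Because the manifest only ever exists on the pipe, nothing needs to be shredded from /tmp afterwards.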
    

Installation

Once you have completed the preparation steps, everything is ready for deploying BCX on your Kubernetes cluster. To deploy the service, run the following command (note the reference to the previously created license secret):

helm install --set global.license.secretName=license kaa-museum/bcx --name kaa-bcx

Check that pods are running:

kubectl get pods

Once the service initialization is complete, you should see output similar to the following:

NAME                                          READY   STATUS             RESTARTS   AGE
...
kaa-bcx                                       1/1     Running            0          2m
...

Chart Requirements

Repository   Name         Version
@stable      nats         2.0.6
@stable      postgresql   0.15.0

Chart Values

Key Type Default Description
affinity object {}  
annotations.deployment object {}  
annotations.pod object {}  
aws.accessKeyId string "" The AWS access key ID. Required.
aws.region string "eu-west-1" The AWS S3 region to store the binary data blobs.
aws.secretAccessKey string "" The AWS secret access key. Required.
config string "" Content for the service config map, automatically mounted as a config file into the pod.
env object {} Defines the environment variables that Kubernetes passes to the service replica.
extraPodSpecs.automountServiceAccountToken bool false  
fullnameOverride string ""  
global.image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets.
global.keycloak.backendSecretName string "" Name of the backend auth server secret, which must contain base64-encoded client-id and client-secret. Required.
global.keycloak.baseUrl string "" Auth provider base URL. Required.
global.keycloak.enabled string "" Enables API security using the auth provider. Overrides keycloak.enabled.
global.license.secretName string "" Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. Overrides license.secretName.
global.monitoring.enabled bool false  
global.nats.url string "" NATS URL. Overrides nats.url.
global.tekton.enabled string "" Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in the config map. Overrides tekton.enabled.
global.tekton.url string "" Tekton URL. Overrides tekton.url.
global.tenantManager.baseUrl string "" Tenant manager base URL.
global.tenantManager.enabled string "" Enables multitenancy using the Kaa Tenant Manager. Overrides tenantManager.enabled.
image.pullPolicy string "IfNotPresent" Docker image pull policy.
image.pullSecrets list [] List of image pull secret names. Each must be defined as a record with the name field.
image.repository string "dev-hub.kaaiot.net/core/service//" Docker image repository image URL.
image.tag string "" Docker image tag version to pull and run.
ingress.annotations object {}  
ingress.enabled bool false  
ingress.hosts[0] string "chart-example.local"  
ingress.paths list []  
ingress.tls list []  
keycloak.enabled string "" Enables API security using the auth provider.
license.secretName string "" Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password.
metadata.component string "backend"  
metadata.partOf string "kaa"  
nameOverride string ""  
nats.auth.enabled bool false  
nats.enabled bool true  
nats.url string "nats://-nats-client:4222"  
nats.urlOverride string ""  
nodeSelector object {}  
postgresql.cluster.enabled bool false  
postgresql.enabled bool true  
postgresql.master.persistence.enabled bool true  
postgresql.nameOverride string "bcx-postgresql"  
postgresql.postgresDatabase string "bcx"  
postgresql.postgresPassword string "bcx"  
postgresql.postgresUser string "bcx"  
postgresql.service.port int 5432  
postgresql.url string "-"  
postgresql.urlOverride string ""  
probes.enabled bool true Enables liveness, readiness, and startup probes for containers.
probes.liveness.initialDelaySeconds int 15  
probes.liveness.periodSeconds int 3  
probes.readiness.initialDelaySeconds int 5  
probes.readiness.periodSeconds int 1  
replicaCount int 1 The number of service instance replicas to run.
resources.limits.cpu int 1  
resources.limits.memory string "512Mi"  
resources.requests.cpu string "100m"  
resources.requests.memory string "128Mi"  
secrets.tokenAuthority.keyB64 string "<built-in default key, omitted here>" Base64-encoded private RSA key in PEM format for the token authority to be automatically mounted to the pod. Only used when secrets.tokenAuthority.useExistingSecret is false. DO NOT USE THE DEFAULT VALUE IN PRODUCTION.
secrets.tokenAuthority.secretName string "" Name of the existing secret with private RSA key in PEM format for the token authority. Only used when secrets.tokenAuthority.useExistingSecret is true.
secrets.tokenAuthority.useExistingSecret bool false Enables the use of an existing secret with private RSA key for the token authority. Requires a valid secrets.tokenAuthority.secretName.
securityContext object {}  
service.externalIPs list []  
service.loadBalancerIP string ""  
service.port int 80  
service.type string "ClusterIP"  
tekton.enabled string "false" Enables Tekton integration. When disabled, the service will expect Kaa application configs to be defined in config.
tekton.url string "http://-tekton" Tekton URL.
tekton.urlOverride string "" Tekton URL. Overrides global.tekton.url and tekton.url.
tenantManager.enabled string "" Enables multitenancy using the Kaa Tenant Manager.
terminationMessagePolicy string "FallbackToLogsOnError" Kubernetes termination message policy.
tolerations list []  
updateStrategy.type string "RollingUpdate" Deployment update strategy.
waitContainers.curl.image string "dev-hub.kaaiot.net/devops/docker/alpine-curl-jq/alpine-curl-jq"  
waitContainers.curl.tag string "0.0.2"  
waitContainers.enabled bool true Wait for dependency services.
waitContainers.timeout int 300 Wait timeout for dependency services in seconds.

The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.
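
As an added example, not part of the Kaa chart, the script below creates a token-authority Secret from your own RSA key and emits a values file that turns on secrets.tokenAuthority.useExistingSecret, so the chart's built-in default key is never deployed; it assumes the key is stored under the data field "private.pem" (matching the container path /run/rsa/private.pem from the environment variable table) and that the secrets from the preparation steps are named license, kaaid and keycloak-backend.

```shell
#!/bin/sh
# Added example, not part of the Kaa chart: create the token-authority Secret from
# your own RSA key and emit a values file that makes the chart use it, so the
# built-in default key (secrets.tokenAuthority.keyB64) is never deployed.
# Assumption: the key lives under the data field "private.pem", matching the
# container path /run/rsa/private.pem in the environment variable table.
set -eu

# Usage: token_authority_secret_manifest <secret-name> <private.pem>
# Refuses anything that is not a PEM private key, then prints the Secret manifest.
token_authority_secret_manifest() {
  name=$1; pem=$2
  if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" 2>/dev/null; then
    echo "$pem is not a PEM-encoded private key" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: $name
data:
  private.pem: $(base64 < "$pem" | tr -d '\n')
EOF
}

# Usage: hardened_values <license-secret> <token-secret> <pull-secret> <auth-base-url>
# Prints values for `helm install -f`: existing license and token-authority secrets,
# the KaaID pull secret, and API security via the keycloak-backend secret from step 5.
hardened_values() {
  cat <<EOF
global:
  license:
    secretName: $1
  image:
    pullSecrets:
      - name: $3
  keycloak:
    enabled: "true"
    baseUrl: $4
    backendSecretName: keycloak-backend
secrets:
  tokenAuthority:
    useExistingSecret: true
    secretName: $2
EOF
}
# Example: token_authority_secret_manifest bcx-token-key ./private.pem | kubectl create -f -
#          hardened_values license bcx-token-key kaaid https://auth.example.com > values.yaml
#          helm install -f values.yaml --name kaa-bcx kaa-museum/bcx
```

The values file deliberately leaves postgresql.postgresPassword out; override that default (bcx) in the same file when the bundled PostgreSQL chart is enabled.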

Environment variables

The table below summarizes the variables supported by the BCX Docker image and provides default values along with descriptions.

Variable name Default value Description
APP_CONFIG_PATH "/srv/bcx/service-config.yml" Path to the service configuration YAML file inside the container. When running in Kubernetes, consider mounting it from a Kubernetes Volume to keep it external to the image.
KAA_BCX_TOKENS_KEY_FILE "/run/rsa/private.pem" Location of the PEM-encoded RSA private key used for signing and validating tokens.
KAA_BCX_TOKENS_EXPIRATION 3600 Temporary token validity duration in seconds.
NATS_URLS "nats://nats:4222" NATS connection URLs. May include connection credentials, e.g. "nats://derek:pass@localhost:4222".
KAA_POSTGRESQL_URL "postgres://bcx:bcx@bcx-postgresql:5432/bcx?sslmode=disable" PostgreSQL connection URL for storing the binary data blobs metadata.
KAA_POSTGRESQL_MAX_OPEN_CONNECTIONS 100 Maximum number of open connections to PostgreSQL.
KAA_BCX_STORAGE_BACKEND "aws-s3" Backend to use for binary data blobs storage ("aws-s3" or "ram").
AWS_REGION   The AWS S3 region to store the binary data blobs. Required when the storage backend is AWS S3.
AWS_ACCESS_KEY_ID   The AWS access key ID. Required when the storage backend is AWS S3.
AWS_SECRET_ACCESS_KEY   The AWS secret access key. Required when the storage backend is AWS S3.
KAA_TEKTON_ENABLED false Enables Tekton integration.
KAA_TEKTON_URL "http://tekton" URL of the Tekton service.
KAA_SECURITY_ENABLED false Enables authentication and authorization on REST API endpoints (inbound and outbound API calls).
KAA_SECURITY_ISSUER   OAuth 2.0 issuer URL for the system tenant (“kaa”).
KAA_SECURITY_CLIENT_ID   Client ID for making requests in the system tenant scope.
KAA_SECURITY_CLIENT_SECRET   Client secret for making requests in the system tenant scope.
KAA_SECURITY_MULTITENANCY_ENABLED false Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when kaa.security.enabled is set to true.
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL "http://tenant-manager" URL of the Kaa Tenant Manager that provides security configurations for tenants.
KAA_LICENSE_CERT_PATH "/run/license/license.p12" Path to the Kaa platform license certificate file in PKCS #12 format.
KAA_LICENSE_CERT_PASSWORD   License certificate password. Required.
SERVICE_DEBUG false Enables debug level logging.

Some of the settings listed above can also be controlled via the configuration file options. When set, environment variables take precedence over the corresponding configuration file settings.