All Kaa services, including ECR, are distributed as Helm charts. You can run these charts using Kubernetes.

Installing ECR chart on Kubernetes


These steps should be done once for your entire Kaa cluster in Kubernetes.

  1. Install Kubernetes.

  2. Install Helm client and Tiller server.

  3. Create a Kaa license secret (remember to put in your Kaa license key file contents and password):

     export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
      cat << EOF > /tmp/kaa-licence.yaml
     apiVersion: v1
       file: < your licence key file contents, base64-encoded >
       password: < your licence key password >
     kind: Secret
       name: license
       type: Opaque
     kubectl create -f /tmp/kaa-licence.yaml
  4. Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:

     export HISTCONTROL=ignorespace  # Prevent saving your credentials in the shell history; note the leading space in the next line
      export KAAID_EMAIL=<your KaaID email, eg.> KAAID_PASSWORD=<your KaaID password>
     kubectl create secret docker-registry kaaid --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
  5. If you want to enable API security in your Kaa cluster (recommended), you should create an auth server backend secret for the service to be able to request PAT tokens.

     export HISTCONTROL=ignorespace # Prevent saving your client ID amd secret in the shell history; note the leading space in the next line
      cat << EOF > /tmp/keycloak-backend-secret.yaml
     apiVersion: v1
       client-id: < your client-id, base64-encoded >
       client-secret: < your client-secret, base64-encoded >
     kind: Secret
       name: "keycloak-backend"
       labels: "kaa-name" "kaa-chart-version" "kaa-instance-name" "release-service-name"
     kubectl create -f /tmp/keycloak-backend-secret.yaml
  6. Add the KaaIoT Helm repository:

     helm repo add kaa-museum


Once you have completed the preparation steps, everything is ready for deploying ECR on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):

helm install --set global.license.secretName=license kaa-museum/ecr --name kaa-ecr

Check that pods are running:

kubectl get pods

Once the service initialization is complete, you should observe the output similar to the below:

NAME                                          READY   STATUS             RESTARTS   AGE
kaa-ecr                       1/1     Running            0          2m

Chart Requirements

Repository Name Version
@bitnami mongodb 10.1.1
@kaa service-chart 0.0.31

Chart Values

Key Type Default Description
affinity object {}  
annotations.deployment object {}  
annotations.pod object {}  
config string ""  
env.JAVA_OPTS.value string "-XX:MaxRAMPercentage=80.0 -XX:MinRAMPercentage=50.0 -Xverify:none -XX:TieredStopAtLevel=1"  
exports.dependencies.mongodb.enabled bool true  
extraPodSpecs.automountServiceAccountToken bool false  
fullnameOverride string ""  
global.epr.baseUrl string "" EPR base URL.
global.image.pullSecrets list []  
global.kaaIngress.tls.issuerKind string "Issuer"  
global.kaaIngress.tls.issuerName string "letsencrypt-stage"  
global.kaaIngress.tls.selfSigned bool false  
global.keycloak.backend.existingSecret string "-keycloak-backend"  
global.keycloak.enabled string ""  
global.keycloak.privateUrl string ""  
global.keycloak.publicUrl string ""  
global.keycloak.realm string ""  
global.license.secretName string ""  
global.mongodb.url string ""  
global.monitoring.enabled bool false  
global.nats.url string ""  
global.tekton.enabled string ""  
global.tekton.url string ""  
global.tenantManager.baseUrl string "" Tenant manager base URL.
global.tenantManager.enabled string "" Enables multitenancy using the Kaa Tenant Manager. Overrides tenantManager.enabled.
image.pullPolicy string "IfNotPresent"  
image.pullSecrets list []  
image.repository string ""  
image.tag string ""  
ingress.annotations object {}  
ingress.enabled bool false  
ingress.hosts[0] string "chart-example.local"  
ingress.paths list []  
ingress.tls list []  
metadata.component string "backend"  
metadata.partOf string "kaa"  
mongodb.auth.enabled bool false  
mongodb.enabled bool true  
mongodb.image.pullPolicy string "IfNotPresent"  
mongodb.image.tag string "3.6.10"  
mongodb.persistence.enabled bool true  
mongodb.url string "mongodb://-:27017"  
mongodb.urlOverride string ""  
mongodb.useStatefulSet bool true  
nameOverride string ""  
nodeSelector object {}  
probes.enabled bool true Enables liveness, readiness, and startup probes for containers.
probes.liveness.initialDelaySeconds int 600  
probes.liveness.periodSeconds int 3  
probes.readiness.initialDelaySeconds int 10  
probes.readiness.periodSeconds int 5  
replicaCount int 1  
resources.limits.cpu int 1  
resources.limits.memory string "700Mi"  
resources.requests.cpu string "100m"  
resources.requests.memory string "700Mi"  
securityContext object {}  
service.externalIPs list []  
service.loadBalancerIP string ""  
service.port int 80  
service.type string "ClusterIP"  
terminationMessagePolicy string "FallbackToLogsOnError"  
tolerations list []  
updateStrategy.type string "RollingUpdate"  
waitContainers.curl.image string ""  
waitContainers.curl.tag string "0.0.2"  
waitContainers.enabled bool true  
waitContainers.timeout int 300  

The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.

Environment variables

The table below summarizes the variables supported by the ECR Docker image and provides default values along with descriptions.

Variable name Default value Description
INSTANCE_NAME ecr Service instance name.
APP_CONFIG_PATH /srv/ecr/service-config.yml Path to the service configuration YAML file inside container. In case of running in Kubernetes, consider using K8s Volumes for externalization.
KAA_TEKTON_ENABLED false Enables Tekton integration.
KAA_TEKTON_URL http://tekton URL of the Tekton service.
KAA_SECURITY_ENABLED false Enables authentication and authorization on REST API endpoints (inbound and outbound API calls).
KAA_SECURITY_ISSUER_PUBLIC_URL   OAuth 2.0 issuer public URL for the system tenant (“kaa”).
KAA_SECURITY_ISSUER_PRIVATE_URL   OAuth 2.0 issuer private URL for the system tenant (“kaa”).
KAA_SECURITY_CLIENT_ID   Client ID for making requests in the system tenant scope.
KAA_SECURITY_CLIENT_SECRET   Client secret for making requests in the system tenant scope.
KAA_SECURITY_MULTITENANCY_ENABLED false Enables multitenancy via integration with the Kaa Tenant Manager. Only effective when is set to true.
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL "http://tenant-manager" URL of the Kaa Tenant Manager that provides security configurations for tenants.
JMX_ENABLE false Enables JMX monitoring.
JMX_PORT 10500 JMX service port.
JMX_MONITOR_USER_PASSWORD   JMX monitor user password. Required when JMX_ENABLE=true.
JAVA_OPTIONS -Xmx700m Additional parameters for Java process launch.
NATS_USERNAME   Username for connecting to NATS message broker.
NATS_PASSWORD   Password for connecting to NATS message broker.
MONGODB_USERNAME   Username for connecting to MongoDB.
MONGODB_PASSWORD   Password for connecting to MongoDB.
KAA_LICENSE_CERT_PATH /run/license/license.p12 Path to the Kaa platform license certificate file in PKCS #12 format.
KAA_LICENSE_CERT_PASSWORD   License certificate password. Required.