Deployment
All Kaa services, including ASF, are distributed as Helm charts. You can run these charts using Kubernetes.
Preparation
These steps should be done once for your entire Kaa cluster in Kubernetes.
-
Install Helm client.
-
Create a Kaa license secret (remember to put in your Kaa license key file contents and password):
export HISTCONTROL=ignorespace # Prevent saving your key password in the shell history; note the leading space in the next line
cat << EOF > /tmp/kaa-license.yaml
apiVersion: v1
data:
file: < your license key file contents, base64-encoded >
password: < your license key password >
kind: Secret
metadata:
name: license
type: Opaque
EOF
kubectl create -f /tmp/kaa-license.yaml
- Specify the image pull secret for the official KaaIoT docker registry. To define this secret, use your KaaID credentials:
export HISTCONTROL=ignorespace # Prevent saving your credentials in the shell history; note the leading space in the next line
export KAAID_EMAIL=<your KaaID email, eg. bob@example.com> KAAID_PASSWORD=<your KaaID password>
kubectl create secret docker-registry kaaid --docker-server=dev-hub.kaaiot.net --docker-username=$KAAID_EMAIL --docker-email=$KAAID_EMAIL --docker-password=$KAAID_PASSWORD
- Add the KaaIoT Helm repository:
helm repo add kaa-museum https://museum.kaaiot.net/
Installation
Once you have completed the preparation steps, everything is ready for deploying ASF on your Kubernetes cluster. To deploy the service, run the following command (observe the reference to the previously created license secret):
helm install --set global.license.existingSecret=license kaa-museum/asf --name kaa-asf
Check that pods are running:
kubectl get pods
Once the service initialization is complete, you should observe the output similar to the below:
NAME READY STATUS RESTARTS AGE
...
kaa-asf 1/1 Running 0 2m
...
Requirements
| Repository | Name | Version |
|---|---|---|
| @kaa | service-chart | 0.0.35 |
Values
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | {} |
|
| annotations.deployment | object | {} |
|
| annotations.pod | object | {} |
|
| config | string | "" |
Content for the service config map, automatically mounted as a config file into the pod. |
| env | object | {} |
Defines the environment variables that Kubernetes passes to the service replica. |
| env | object | {"SCRIPT_NAME":{"value":"/asf"}} |
Defines the environment variables that Kubernetes passes to the service replica. |
| extraPodSpecs.automountServiceAccountToken | bool | false |
|
| fullnameOverride | string | "" |
|
| global.hosts.kaaDomain | string | "" |
|
| global.image.pullSecrets | list | [] |
List of image pull secret names. Each must be defined as a record with the name field. Overrides image.pullSecrets. |
| global.kaaIngress.tls.issuerKind | string | "Issuer" |
|
| global.kaaIngress.tls.issuerName | string | "letsencrypt-stage" |
|
| global.kaaIngress.tls.selfSigned | bool | false |
|
| global.keycloak | object | {"auth":{"existingSecret":"-keycloak-auth"},"backend":{"existingSecret":"-keycloak-backend"},"frontend":{"existingSecret":"-keycloak-frontend"},"privateUrl":"","publicUrl":""} |
name: ca-tls commonName: “*.kaatech.com” dns: - auth.local.kaatech.com - env.local.kaatech.com |
| global.license.secretName | string | "" |
Name of the license secret, which must contain two base64-encoded fields: file (license file contents in PKCS #12) and password. Overrides license.secretName. |
| global.logLevel | string | "" |
|
| global.monitoring.enabled | bool | false |
|
| global.opendistro.password | string | "" |
Elastic password. Overrides opendistro.password. |
| global.opendistro.url | string | "" |
Elastic URL. Overrides opendistro.url. |
| global.opendistro.username | string | "" |
Elastic username. Overrides opendistro.username. |
| global.tenantManager.baseUrl | string | "" |
Tenant manager base URL. |
| global.tenantManager.enabled | string | "true" |
|
| image.pullPolicy | string | "Always" |
Docker image pull policy. |
| image.pullSecrets | list | [] |
List of image pull secret names. Each must be defined as a record with the name field. |
| image.repository | string | "dev-hub.kaaiot.net/core/service/asf/asf" |
Docker image repository image URL. |
| image.tag | string | "" |
Docker image tag version to pull and run. |
| ingress.annotations | object | {} |
|
| ingress.enabled | bool | false |
|
| ingress.hosts[0] | string | "chart-example.local" |
|
| ingress.paths | list | [] |
kubernetes.io/tls-acme: “true” |
| ingress.tls | list | [] |
|
| metadata.component | string | "backend" |
|
| metadata.partOf | string | "kaa" |
|
| nameOverride | string | "" |
|
| nginx | object | {"image":{"repository":"dev-hub.kaaiot.net/core/service/asf/asf/nginx","tag":""},"resources":{"requests":{"cpu":"100m","memory":"256Mi"}}} |
drop: - ALL add: - NET_BIND_SERVICE runAsUser: 65534 |
| nodeSelector | object | {} |
|
| probes.enabled | bool | true |
Enables liveness, readiness, and startup probes for containers. |
| probes.liveness.initialDelaySeconds | int | 15 |
|
| probes.liveness.periodSeconds | int | 40 |
|
| probes.liveness.timeoutSeconds | int | 15 |
|
| probes.readiness.initialDelaySeconds | int | 15 |
|
| probes.readiness.periodSeconds | int | 40 |
|
| probes.readiness.timeoutSeconds | int | 15 |
|
| replicaCount | int | 1 |
The number of service instance replicas to run. |
| resources.limits.cpu | int | 2 |
|
| resources.limits.memory | string | "1.5Gi" |
|
| resources.requests.cpu | string | "100m" |
|
| resources.requests.memory | string | "128Mi" |
|
| runbookUrl | string | "" |
|
| securityContext | object | {} |
|
| service.externalIPs | list | [] |
|
| service.loadBalancerIP | string | "" |
|
| service.port | int | 80 |
|
| service.type | string | "ClusterIP" |
|
| terminationMessagePolicy | string | "FallbackToLogsOnError" |
Kubernetes termination message policy. |
| tolerations | list | [] |
|
| waitContainers.curl.image | string | "dev-hub.kaaiot.net/devops/docker/alpine-curl-jq/alpine-curl-jq" |
|
| waitContainers.curl.tag | string | "0.0.2" |
|
| waitContainers.enabled | bool | true |
Wait for dependency services. |
| waitContainers.timeout | int | 300 |
Wait timeout for dependency services in seconds. |
The keys with no description are standard Kubernetes values. Refer to the official Kubernetes documentation for more information on these.
Environment variables
The table below summarizes the variables supported by the ASF Docker image and provides default values along with descriptions.
| Variable name | Default value | Description |
|---|---|---|
KAA_ELASTICSEARCH_URL |
"" |
Elasticsearch connection URL. |
KAA_ELASTICSEARCH_USERNAME |
"" |
Elasticsearch connection username. |
KAA_ELASTICSEARCH_PASSWORD |
"" |
Elasticsearch connection password. |
KAA_PUBLIC_KEYCLOAK_URL |
"" |
OAuth 2.0 issuer public URL for the system tenant (“kaa”). |
KAA_PRIVATE_KEYCLOAK_URL |
"" |
OAuth 2.0 issuer private URL for the system tenant (“kaa”). |
KAA_SYSTEM_BACKEND_CLIENT_ID |
"" |
Client Backend ID for making requests in the system tenant scope. |
KAA_SYSTEM_FRONTEND_CLIENT_ID |
"" |
Client Front ID for making requests in the system tenant scope. |
KAA_SYSTEM_BACKEND_CLIENT_SECRET |
"" |
Client secret for making requests in the system tenant scope. |
KAA_KEYCLOAK_USERNAME |
"" |
Kaa tenant username for making requests in the system tenant scope. |
KAA_KEYCLOAK_PASSWORD |
"" |
Kaa tenant password for making requests in the system tenant scope. |
KAA_SECURITY_MULTITENANCY_TENANT_MANAGER_URL |
"http://localhost:8000" |
URL of the Kaa Tenant Manager that provides security configurations for tenants. |
KAA_LICENSE_CERT_PASSWORD |
License certificate password. Required. | |
LOG_LEVEL |
"INFO" |
Log level for ASF application. |
TZ |
"Europe/Kiev" |
Time zone for ASF application. |
APP_NAME |
"Analytics Security Facade" |
Application name. |
SWAGGER |
"" |
Swagger API doc base URL. |
WORKERS_PER_CORE |
"2" |
Worker size per core. |
HOST |
"0.0.0.0" |
Host of the service. |
PORT |
"8080" |
Worker size per core. |
