Deployment and Operations

Configuring Cloudentity Helm Charts

Learn how to configure Cloudentity Helm Charts and apply changes to your deployments.

Applying Changes to Cloudentity Helm Charts Configuration

There are two ways to apply changes to the configuration:

  • Specify each parameter using the --set key=value[,key=value] argument to command helm install or helm upgrade.

    Example

    helm install my-release --set certManager.enabled=true acp/acp
    
  • While installing the chart, provide the YAML file that specifies default parameter overrides.

    Example

    Create myvalues.yaml file:

    certManager
      enabled: true
    
    helm install myrelease -f my_values.yaml acp/acp
    

Result

cert-manager has been enabled in Cloudentity and is ready to be used.

Generic configuration

  • Resources define compute resources available to a pod. It is also required for autoscaling. If no limits are specified, pod will be able to use all resources available on a node. It is not recommended to set CPU limit unless you use integer value to assign full vCPUs. CPU consumption highly depends on the number of incomming request while memory is more static value. Below example is good starting point for your deployment.

    Example

    resources:
      requests:
        cpu: 500m
        memory: 1.2Gi
      limits:
        memory: 2Gi
    
  • Affinity allows user to control scheduling of pods based on labels of other pods or nodes. Cloudentity is highly efficient and its not recommended to run more then one instance on a same node as this might lead to degraded performance (if there is no CPU limit set). Below example provides a way to force one Cloudentity instance per host.

    Example

    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/instance: acp
                app.kubernetes.io/name: acp-primary
            topologyKey: kubernetes.io/hostname
    
  • Topology Spread Constraints provides a way to spread pods across topology domain like cloud provider zone. For high availability purpose, Cloudentity should be spread across multiple zones as well as hosts in the same zone. Below example provides soft requirement for zone spread with a maximum distribution difference of 1 pod per zone.

    Example

    topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: acp
            app.kubernetes.io/name: acp
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
    
  • Pod Disruption Budget is a feature that provides pods resilence to voluntary (application update) and involuntary (hardware failure) disruptions. It definies minimum number of pods that must be running at any times. Below example shows that Cloudentity should not be taken below 50% of desired replicas.

    Example

    podDisruptionBudget:
      minAvailable: 50%
    

Cloudentity Helm Chart Configuration Reference

Source: values.yaml

 ## ACP image parameters
##
image:
  ## Image repository
  ##
  repository: docker.cloudentity.io/acp

  ## Image pull policy
  ##
  pullPolicy: IfNotPresent

  ## Image tag (immutable tags are recommended)
  ##
  tag:

## Global Docker registry secret names as an array
##
imagePullSecrets:
  - name: docker.cloudentity.io

## Public ACP URL
##
serverURL: "https://acp.local:8443"

## Public ACP URL for Ingress working in mTLS
##
serverURLMtls: "https://mtls.acp.local:8443"

## String to partially override acp.name
##
# nameOverride: ""

## String to fully override acp.fullname
##
# fullnameOverride: ""

## Additional labels to apply to all Kubernetes resources created by this chart.
##
labels: {}

## Define serviceAccount
##
serviceAccount:
  ## Specifies whether a service account should be created
  ##
  create: true

  ## Annotations to add to the service account
  ##
  annotations: {}

  ## The name of the service account to use.
  ## If not set and create is true, a name is generated using the fullname template
  # name: ""

## Array with container arguments to add to the ACP container
##
args:
  - server
  - start
  - --demo
  - --metrics
  - --create-default-tenant
  - --create-default-workspaces

## Enables custom config
##
# configPath:

## Array with environment variables to add to the ACP container
##
# env: []

## Define service
##
service:
  ## ACP service type
  ##
  type: ClusterIP

## Define ingress
##
ingress:
  ## Enables the Ingress for ACP
  ##
  enabled: true

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## Ingress hostnames with paths
  ##
  hosts:
    - host: acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-tls
  #   hosts:
  #     - acp.acp-system

  ## Ingress TLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets: []
  # - name: ingress-tls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----

ingressMtls:
  ## Enables mTLS Ingress for ACP
  ## This is an independent instance from the one above.
  ##
  enabled: false

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## mTLS Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## mTLS Ingress hostnames with paths
  ##
  hosts:
    - host: mtls.acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress mTLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-mtls
  #   hosts:
  #     - mtls.acp.acp-system

  ## Ingress mTLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets:
  # - name: ingress-mtls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----
  #   caCert: |
  #     -----BEGIN CERTIFICATE-----
  #     -----END CERTIFICATE-----

## ServiceMonitor configuration
##
serviceMonitor:
  ## Enables the ServiceMonitor integration
  ##
  enabled: false

  ## Define ServiceMonitor endpoint config
  ##
  endpointConfig: {}

## Deployment annotations
##
# annotations: {}

## Autoscaling parameters
##
autoscaling:
  ## Enable autoscaling
  ##
  enabled: false

  ## Define mix replica count
  ##
  # minReplicas: 0

  ## Define max replica count
  ##
  # maxReplicas: 1

  ## The average CPU usage of a all pods in a deployment
  ##
  # targetCPUUtilizationPercentage: ""

  ## The average memory usage of a all pods in a deployment
  ##
  # targetMemoryUtilizationPercentage: ""

  ## Custom scaling behavior
  ##
  #  behavior: {}

## Number of ACP replicas to deploy
##
replicaCount: 1

## Pod annotations
##
# podAnnotations: {}

## ACP resource requests and limits
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

## ACP node selector
##
# nodeSelector: {}

## ACP pod affinity
##
# affinity: {}

## ACP pod tolerations
##
# tolerations: {}

## ACP pod topology spread constraints
##
# topologySpreadConstraints: {}

## ACP Pod disruption budget
##
# podDisruptionBudget: {}

## A security context defines privilege and access control settings for a Pod or Container
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
## Pod security context
##
podSecurityContext:
  fsGroup: 65535
  runAsNonRoot: true

## Container security context
##
containerSecurityContext:
  runAsUser: 65535
  runAsGroup: 65535
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

## ACP feature flags
## To enable a feature, enter its key-value pair, as in:
## https://docs.operations.cloudentity.com/reference/acp-configuration/
##
# features: {}

## Cert-manager configuration
##
certManager:
  ## Enables the cert-manager integration
  ##
  enabled: false

  ## The requested ‘duration’ (i.e. lifetime) of the Certificate
  ##
  duration: 2160h

  ## How long before the currently issued certificate’s expiry cert-manager should renew the certificate.
  ##
  renewBefore: 720h

  ## The Common Name (AKA CN) represents the server name protected by the SSL certificate
  ##
  # commonName:

  ## Options to control private keys used for the Certificate.
  ##
  privateKey:
    size: 2048
    algorithm: RSA

  ## extraNames is a list of DNS subjectAltNames to be set on the Certificate.
  ##
  extraNames: []

  ## IssuerRef is a reference to the issuer for this certificate
  ##
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer

## Disables TLS in ACP
##
tlsDisabled: false

## Migrate Job configuration
##
migrateJob:
  ## Enables the SQL migrate job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  config: {}

## Import Job configuration
##
importJob:
  ## Enables the import job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## Import mode (update, fail, ignore)
  ##
  mode: update

  ## Input file format: yaml or json
  ##
  format: yaml

  ## Path to the input file
  ##
  input: /import/seed.yaml

  ## Extra args for import command
  ##
  extraArgs: []

  ## The data should match import configuration endpoint request body
  ## https://docs.authorization.cloudentity.com/api/system/#operation/importConfiguration
  ##
  data:
    tenants: []
    servers: []
    clients: []

  ## ACP import job resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

## Enable Default ACP config
##
config:
  create: true

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  data:
  #  logging:
  #     level: debug

  ## Config name if create false
  ##
  # name:

## ACP config file from secret
##
secretConfig:
  ## Enable secret config
  ##
  create: true

  ## Secret name if create false
  ##
  # name:

  ## Secret annotations
  ##
  # annotations: {}

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  data: {}
  #  system:
  #     secret: mysecret

## ACP http client configuration
##
# client:
  # rootCa: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----

## ACP certificate
##
certificate:
  ## If true certificate will be taken from files/ folder stored in this chart
  ## root folder.
  ##
  create: true

  ## Enable if want to take certificate and key from values instead of
  ## files/ folder
  ##
  # cert: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----
  #
  # key: |
  #   -----BEGIN RSA PRIVATE KEY-----
  #
  #   -----END RSA PRIVATE KEY-----

## SQL client
## The data should match acp configuration options
## https://docs.operations.cloudentity.com/reference/acp-configuration/
##
# sql: {}

## Redis client
## The data should match acp configuration options
## https://docs.operations.cloudentity.com/reference/acp-configuration/
##
# redis: {}

## Workers chart configuration
## Worker nodes are used to create seperate ACP deployment for asynchronous jobs handling
##
workers:
  ## Enables worker nodes for ACP
  ##
  enabled: false

  ## Autoscaling parameters
  ##
  autoscaling:
    ## Enable autoscaling
    ##
    enabled: false

    ## Define mix replica count
    ##
    # minReplicas: 0

    ## Define max replica count
    ##
    # maxReplicas: 1

    ## The average CPU usage of a all pods in a deployment
    ##
    # targetCPUUtilizationPercentage: ""

    ## The average memory usage of a all pods in a deployment
    ##
    # targetMemoryUtilizationPercentage: ""

    ## Custom scaling behavior
    ##
    #  behavior: {}

  ## Number of ACP workers replicas to deploy
  ##
  replicaCount: 1

  ## Define workers service
  ##
  service:
    ## Enables workers service for ACP
    ##
    enabled: false

    ## ACP workers service type
    ##
    type: ClusterIP

  ## ServiceMonitor configuration
  ##
  serviceMonitor:
    ## Enables workers ServiceMonitor integration
    ##
    enabled: false

    ## Define workers ServiceMonitor endpoint config
    ##
    endpointConfig: {}

  ## Deployment annotations
  ##
  # annotations: {}

  ## Pod annotations
  ##
  # podAnnotations: {}

  ## ACP workers resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

  ## ACP workers node selector
  ##
  # nodeSelector: {}

  ## ACP workers pod affinity
  ##
  # affinity: {}

  ## ACP workers pod tolerations
  ##
  # tolerations: {}

  ## ACP workers pod topology spread constraints
  ##
  # topologySpreadConstraints: {}

  ## ACP workers Pod disruption budget
  ##
  # podDisruptionBudget: {}

## Fission chart configuration
##
fission:
  ## Enables the Fission for ACP
  ##
  enabled: false

  ## Define namespace where the Fission Environment can be deployed
  ##
  namespace: acp-faas

  ## Define NetworkPolicy Egress rules for Fission deployment
  ##
  networkPolicy:
    ipBlock:
      cidr: 0.0.0.0/0
      except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/20

  ## Pod security context
  ##
  podSecurityContext:
    fsGroup: 65535
    runAsUser: 65535
    runAsGroup: 65535
    runAsNonRoot: true
  
  ## Container security context
  ##
  containerSecurityContext:
    runAsUser: 65535
    runAsGroup: 65535
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  ## Annotations to add to the Environment resource created for Fission
  annotations: {}
  # cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

  ## Define the pool size
  ##
  poolsize: 3

  ## Specify a imagePullPolicy
  ##
  imagePullPolicy: IfNotPresent

  ## Docker registry secret name
  ##
  imagepullsecret: docker.cloudentity.io

  ## Affinity for pod assignment
  affinity: {}
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #         - matchExpressions:
  #             - key: fission
  #               operator: In
  #              values:
  #                 - "true"

  ## Tolerations for pod assignment
  tolerations: []
  # - key: fission
  #   value: "true"
  #   effect: NoSchedule

  ## Pod resources definition
  resources: {}
  #   requests:
  #     cpu: 10m
  #     memory: 48Mi
  #   limits:
  #     cpu: 100m
  #     memory: 96Mi

  ## Fission function idle timeout
  ##
  idleTimeout: 3m0s