Skip to main content
Version: 8.2405.x.x RR

Installation in Kubernetes Cluster

If you want to deploy Nevis onto a Cloud infrastructure, we recommend a Kubernetes-based installation. This installation is based on the Docker containerization and Kubernetes orchestration technologies.

For a general overview of the Nevis-on-Kubernetes deployment solution, check Kubernetes Deployment (Cloud).

  • In the chapter Kubernetes Deployment Troubleshooting you can find information about how to debug the configuration.
  • In the chapter Kubernetes Upgrade you can find information about how to upgrade your existing installation.

In this installation tutorial, you will set up nevisAdmin 4 on an existing Kubernetes cluster.

Pay attention to the following points:

  • For general guidance, refer to System Requirements.
  • For the database, you should use a MariaDB server.
  • In some Kubernetes installations, special permission settings or entitlements are required, for example, for the ingress-nginx component.
  • Any Kubernetes-compatible product or cloud provider should work.
    • For more details about the supported versions of the above providers, see the Nevis Product Lifetime and Platform Support Matrix.

Prerequisites

  • Have an existing Kubernetes cluster and have enough permissions to create resource groups and resources, which includes RBAC permissions.
    • The installation of the crds, ingress-nginx and the cert-manager component needs cluster-wide permissions, for the rest, namespace scoped permissions are enough.
  • Have a MariaDB database with the correct configuration, see component specific documentation, generally the following is needed:
autocommit=0
transaction-isolation = READ-COMMITTED
log_bin_trust_function_creators = 1
lower_case_table_names = 1
character-set-server = utf8mb4
  • The supported Kubernetes versions for this guide are 1.24, 1.25, 1.26, 1.27 and 1.28.
  • A Linux environment with the following software pre-installed:
    • kubectl: Kubernetes command line interface. The same minor version is recommended as the used Kubernetes version, in this case 1.24, 1.25, 1.26, 1.27 and 1.28.
    • docker: Docker client.
    • helm: Helm CLI

This guide requires basic knowledge of Linux and Kubernetes. If you are new to these topics, we recommend that you see tutorials or courses available online. If you have limited time, focus on Kubernetes tutorials, for example: Viewing Pods and Nodes.

Prepare the Git Deployment Repository

In this tutorial, we use GitHub as the Git system. However, it is possible to use Bitbucket, Gitea, GitLab and more instead. The same options should be available in every case.

To configure the Git connection for nevisOperator, perform the following steps:

  1. Prepare GitHub.
  2. Create the SSH key material through the following commands:
#generate key pair
ssh-keygen -t ecdsa -C "kubernetes" -m PEM -P "" -f key

# create know_hosts file, replace the github domain if other Git system is used
ssh-keyscan github.com > known_hosts

# make sure ssh keys were generated
cat key
cat key.pub

The created key is used by both nevisOperator and nevisAdmin 4 to connect to GitHub. 3. Add the key key.pub to your GitHub account, or to the repository itself as a deploy key.

Setting environment variables

Set the following environment variables:

# Initial password of nevisAdmin 4
export NEVISADMIN_PASSWORD=
# The container registry of the Kubernetes cluster, for example: nevis.azurecr.io
export CONTAINER_REGISTRY=
# The namespace where the helm chart will be installed
export RELEASE_NAMESPACE=
# The name of the Helm release, for example nevisadmin4-prod
export RELEASE_NAME=
# Database host of the MariaDB database
export DATABASE_HOST=
# The root database user for the mariadb database, for example: root. If you are using an Azure database, do not include the host in the username.
export DB_ROOT_USER=
# The root database password for the mariadb database.
export DB_ROOT_PASSWORD=
# Password of the nevisAdmin 4 schema user which will be created during the installation
export DB_NEVISADMIN_SCHEMA_USER_PASSWORD=
# Password of the nevisAdmin 4 app user which will be created during the installation
export DB_NEVISADMIN_APP_USER_PASSWORD=
# URL of the Git repository to be used by nevisAdmin4.
export GIT_REPOSITORY_URL=
# Domain where nevisAdmin4 will be available. Make sure to point the domain to the IP of the nginx LoadBalancer after the installation is done. For example: test.westeurope.cloudapp.azure.com
export DOMAIN=
# For the temporary credentials, click the download button for one of the Docker images at https://portal.nevis.net/portal/secure/releases/rolling
export CLOUDSMITH_PASSWORD=

Upload Nevis Docker Images

Use the provided script to copy the Docker images from the Nevis Portal registry to the container registry of the Kubernetes cluster. Select one of the docker images in the portal under http://portal.nevis.net/portal/secure/releases/rolling to acquire a temporary username and password for the Nevis registry.

#!/bin/bash
# get temporary username/token on the portal
REGISTRY=docker.cloudsmith.io/nevissecurity/rolling

echo "Login to registry $REGISTRY"
docker login $REGISTRY -u nevissecurity/rolling -p $CLOUDSMITH_PASSWORD
echo "Login to registry $CONTAINER_REGISTRY"
if [[ $CONTAINER_REGISTRY == *.azurecr.io ]] ; then
az acr login --name ${CONTAINER_REGISTRY%".azurecr.io"}
else
docker login $CONTAINER_REGISTRY
fi

declare -a images=("nevisproxy:8.2405.0"
"nevisproxy-dbschema:8.2405.0"
"nevislogrend:8.2405.0"
"nevisfido:8.2405.0"
"nevisfido-dbschema:8.2405.0"
"nevisauth:8.2405.0"
"nevisauth-dbschema:8.2405.0"
"nevisidm:8.2405.0"
"nevisidm-dbschema:8.2405.0"
"nevismeta:8.2405.0"
"nevismeta-dbschema:8.2405.0"
"nevisadmin4:8.2405.0"
"nevisadmin4-dbschema:8.2405.0"
"nevisoperator:8.2405.0"
"nevisadapt:8.2405.0"
"nevisdetect-admin:8.2405.0"
"nevisdetect-core:8.2405.0"
"nevisdetect-entrypoint:8.2405.0"
"nevisdetect-persistency:8.2405.0"
"nevisadapt-dbschema:8.2405.0"
"nevisdetect-persistency-dbschema:8.2405.0"
"nevis-git-init:1.3.0"
"nevisdp:8.2405.0"
"nevis-ubi-tools:1.4.0"
"nevis-base-flyway:8.2405.0")
for i in "${images[@]}"; do
docker pull $REGISTRY/$i
NAME=$(echo "$i" | cut -d '/' -f 2 | cut -d ':' -f 1 )
docker tag $REGISTRY/$i $CONTAINER_REGISTRY/nevis/$i
docker push $CONTAINER_REGISTRY/nevis/$i
done

Save it as publish_images.sh, then run:

chmod +x publish_images.sh
./publish_images.sh

Deploy cert-manager

If the Kubernetes cluster does not have cert-manager already installed, then follow the official guide: https://cert-manager.io/docs/installation/helm/

Install CRD chart

Install the helm chart that contains the CustomResourceDefinitions used by nevisAdmin 4.

helm install nevisadmin4-crd nevisadmin4-crd --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/
caution

Uninstalling this chart deletes all the existing CustomResources, which results in the deletion of all the deployments made with nevisAdmin 4

Install chart

Prepare secrets for installation

Prepare the required secrets to be used by the helm chart. This is done to avoid plain secret values in the values.yaml.

Create namespace

kubectl create namespace $RELEASE_NAMESPACE

Create credential secrets

These secrets are used to avoid having plain values in the values.yaml.

# nevisAdmin 4 admin user credential
kubectl create secret generic nevis-nevisadmin4-admin-credential \
--from-literal=password=$NEVISADMIN_PASSWORD \
-n $RELEASE_NAMESPACE

# git credential
kubectl create secret generic nevis-git-credential \
--from-file=key=key \
--from-file=key.pub=key.pub \
--from-file=known_hosts=known_hosts \
--from-literal=passphrase="" \
--from-literal=username="" \
--from-literal=password="" \
-n $RELEASE_NAMESPACE

# database credential
kubectl create secret generic nevis-database-credential \
--from-literal=username=$DB_ROOT_USER \
--from-literal=password=$DB_ROOT_PASSWORD \
-n $RELEASE_NAMESPACE

# nevisAdmin 4 database credential
kubectl create secret generic nevis-nevisadmin4-database-credential \
--from-literal=applicationUser=admin4appuser \
--from-literal=applicationUserPassword=$DB_NEVISADMIN_APP_USER_PASSWORD \
--from-literal=schemaUser=admin4schemauser \
--from-literal=schemaUserPassword=$DB_NEVISADMIN_SCHEMA_USER_PASSWORD \
-n $RELEASE_NAMESPACE

The nevis-database-credential secret can be used for the Root Credential and Root Credential Namespace fields in the database patterns inside nevisAdmin 4.

For more configuration options see the values table below.

Install

Kubernetes

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set image.repository=$CONTAINER_REGISTRY \
--set git.repositoryUrl=$GIT_REPOSITORY_URL \
--set git.credentialSecret=nevis-git-credential \
--set database.host=$DATABASE_HOST \
--set database.root.preparedCredentialSecret=nevis-database-credential \
--set nevisAdmin4.domain=$DOMAIN \
--set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
--set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
--set nginx.nameOverride=$RELEASE_NAMESPACE-nginx

OpenShift

As ingress-nginx must run with user 101 and needs capabilities such as NET_BIND_SERVICE, it's required that the used SecurityContext is changed on OpenShift. Additionally, it's not allowed to set the fsGroup of the nevisAdmin 4 deployment.

# Username for the registry
REGISTRY_USERNAME=
# Password for the registry
REGISTRY_PASSWORD=

# Prepare registry secret
oc create secret docker-registry registry-secret --docker-server="$CONTAINER_REGISTRY" --docker-username="$REGISTRY_USERNAME" --docker-password="$REGISTRY_PASSWORD" -n "$RELEASE_NAMESPACE"
# Prepare nginx service account
oc create serviceaccount nevisadmin4-nginx -n "$RELEASE_NAMESPACE"
oc adm policy add-scc-to-user privileged -z nevisadmin4-nginx -n "$RELEASE_NAMESPACE"

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set image.repository=$CONTAINER_REGISTRY \
--set image.imagePullSecretName=registry-secret \
--set git.repositoryUrl=$GIT_REPOSITORY_URL \
--set git.credentialSecret=nevis-git-credential \
--set database.host=$DATABASE_HOST \
--set database.root.preparedCredentialSecret=nevis-database-credential \
--set nevisAdmin4.domain=$DOMAIN \
--set nevisAdmin4.podSecurityContext.fsGroup=null \
--set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
--set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
--set nginx.serviceAccount.create=false \
--set nginx.serviceAccount.name=nevisadmin4-nginx \
--set nginx.nameOverride=$RELEASE_NAMESPACE-$RELEASE_NAME

Upgrade

To upgrade the installation, copy over the new images from Upload Nevis Docker Images then run:

helm get values $RELEASE_NAME -n $RELEASE_NAMESPACE > values.yaml \
&& helm upgrade $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE -f values.yaml \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set <your-new-values> \
--version <version-to-upgrade>

If the version is not provided, it upgrades to the latest one.

Using existing ingress-nginx installation

Set the nginx.enabled to false, and set the nginx.controller.ingressClassResource.name and nginx.controller.ingressClass values to the ingress class of the existing ingress-nginx controller.

On some installations, the snippet feature is disabled by default, as this is required for the side-by-side deployment to function. Make sure that you have the following in the ConfigMap used by ingress-nginx:

allow-snippet-annotations: "true"
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,',\

It's recommended to use a blocklist to prevent misuse.

Configure an Example Project and Inventory in the GUI

The final step is to import and deploy an example project using nevisAdmin 4:

  1. In the nevisAdmin 4 Welcome or Project Settings screen, import the following project: project_CLOUD-PROJECT_20200519T102912Z.zip Adapt the project:

    • Set the latest libraries in the Administration tab under Standard libraries.
    • Open the just imported Cloud-Project project in the Configuration tab. Note that the patterns nevisAuth/nevisProxy Remote Session Store and nevisIDM Database are marked with a red bullet point - this is because their database hostname is incorrect. Correct the database hostname of these patterns.
  2. In the Administration > Inventory Settings screen, import the following inventory: inventory_CLOUD-INVENTORY_20200519T102841Z.zip Adapt the inventory:

    • Enter the URL of your GitHub repository.

    • Enter the component namespace where the Nevis components will be deployed. This is the same as the RELEASE_NAMESPACE unless additionalComponentNamespaces were used.

    • Enter the DOMAIN for the proxy-host-name.

    • Enter the API URL of your Kubernetes cluster using HTTPS and port 443. As long as nevisadmin4 is inside the cluster https://kubernetes.default.svc:443 can be used.

    • Enter the token of your Kubernetes cluster. Get the token by executing the following command:

      kubectl describe secret -n $RELEASE_NAMESPACE nevisadmin4-sa-secret| grep token
  3. Click the Deploy button and go through the steps of the Deployment Wizard. If there is a warning, you can just accept it and continue.

  4. Go to the following URLs to test:

URLs to test

# nevisIDM admin reachable here, default credentials: bootstrap/generated
google-chrome https://$DOMAIN/nevisidm/admin

# Example standalone nevisAuth flow
google-chrome https://$DOMAIN/

Helm values

KeyTypeDefaultDescription
additionalComponentNamespaceslist[]Listing additional ones here, will make it so that nevisAdmin4 can deploy to these namespaces. The namespace itself has to exist already.
bootstrapobject{"annotations":{},"gitea":{"enabled":false},"image":{"version":"1.3.0"},"labels":{},"nevisAdmin4":{"enabled":false},"podAnnotations":{},"podLabels":{}}Supports importing initial projects and inventories into nevisAdmin 4 and creating a repository in gitea.
bootstrap.annotationsobject{}Annotations to put onto the Job.
bootstrap.labelsobject{}Labels to put onto the bootstrap job.
bootstrap.podAnnotationsobject{}Annotations to put onto the pods.
bootstrap.podLabelsobject{}Labels to put onto the bootstrap job pod.
certManager.createCAIssuerbooltrueCreate a CA Issuer to the main release namespace, it also creates a self-signed issuer to prepare the root CA
certManager.createLetsEncryptIssuerbooltrueCreates a Let's encrypt issuer to every component namespace
database.hoststring""Database host, example: mariadb29a7439e.mariadb.database.azure.com
database.portstring"3306"Database port
database.root.credentialSecretstring"helm-database-credential"DEPRECATED: Use preparedCredentialSecret instead. Secret containing the username and password for the root user. Must have the "username" and "password" key.
database.root.passwordstring""Root password in plain value. It's recommended to prepare a secret instead.
database.root.preparedCredentialSecretstring""When using this value, root-creds secret will only be created in the namespace where nevisAdmin4 resides. Adjust the Root Credential Namespace in the Database patterns of nevisAdmin 4 before the migration to this value.
database.root.usernamestring""Root username in plain value. It's recommended to prepare a secret instead.
database.typestring"mariadb"Type of the database, supported values: mariadb, postgresql
git.credentialSecretstring""Secret containing the git credentials, to avoid having plain values in the values file. Must have "key", "key.pub", "known_hosts", "passphrase", "username", "password" secret keys. In case only http or ssh is used, the corresponding keys can be empty, but still has to exist in the secret.
git.httpCredentialSecretstring""DEPRECATED: Use credentialSecret instead. Secret containing the username and password for http authentication. Must have the "username" and "password" key.
git.knownHosts64string""Base64 known_hosts.
git.passphrasestring""Private key passphrase
git.passwordstring""Password used for http authentication. It's recommended to prepare a secret instead.
git.privateKey64string""Base64 git private key.
git.publicKey64string""Base64 git public key.
git.repositoryUrlstring""Git repository, can be either ssh or http
git.repositoryUrlMapobject{}Makes it possible to use a different repository for each component namespace
git.sshCredentialSecretstring"helm-git-ssh"DEPRECATED: Use credentialSecret instead. Secret containing the git credentials, to avoid having plain values in the values file. Must have "key", "key.pub", "known_hosts" key.
git.usernamestring""Username used for http authentication. It's recommended to prepare a secret instead.
gitea.enabledboolfalse
gitea.fullnameOverridestring"gitea"Name of the gitea deployment
gitea.gitea.admin.emailstring"[email protected]"
gitea.gitea.admin.passwordstring""Gitea admin password
gitea.gitea.admin.usernamestring""Gitea admin username
gitea.gitea.config.cache.ADAPTERstring"memory"
gitea.gitea.config.cache.ENABLEDbooltrue
gitea.gitea.config.cache.HOSTstring"127.0.0.1:9090"
gitea.gitea.config.cache.INTERVALint60
gitea.gitea.config.database.DB_TYPEstring"mysql"
gitea.gitea.config.database.HOSTstring"mariadb:3306"
gitea.gitea.config.database.NAMEstring"gitea"
gitea.gitea.config.database.PASSWDstring""Database user password
gitea.gitea.config.database.SCHEMAstring"gitea"
gitea.gitea.config.database.USERstring""Database user for gitea
gitea.gitea.config.server.ROOT_URLstring""Root url of gitea
gitea.image.rootlessbooltrueUse rootless image
gitea.ingress.annotations."cert-manager.io/cluster-issuer"string"letsencrypt-prod"
gitea.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target"string"/$2"
gitea.ingress.apiVersionstring"networking.k8s.io/v1"
gitea.ingress.enabledbooltrue
gitea.ingress.hosts[0].hoststring""
gitea.ingress.hosts[0].paths[0].pathstring`"/gitea(/$)(.*)"`
gitea.ingress.hosts[0].paths[0].pathTypestring"ImplementationSpecific"
gitea.ingress.tls[0].hosts[0]string""
gitea.ingress.tls[0].secretNamestring"gitea-tls"
gitea.job.annotationsobject{}Annotations to put onto the Job.
gitea.job.labelsobject{}
gitea.job.podAnnotationsobject{}Annotations to put onto the pods.
gitea.job.podLabelsobject{}Labels to put onto the bootstrap job pod.
gitea.memcached.enabledboolfalse
gitea.mysql.enabledboolfalse
gitea.postgresql.enabledboolfalse
gitea.statefulset.env[0].namestring"HOME"
gitea.statefulset.env[0].valuestring"/data/git"
image.imagePrefixstring"nevis"Image prefix, nevis images will be pulled from [repository]/[imagePrefix]
image.imagePullSecretNamestring""Name of the secret containing the credentials, only necessary if a private repository is used.
image.repositorystring""Repository where the images will be pulled from
maria.auth.passwordstring"nevis"Name of the additional user created for mariadb
maria.auth.rootPasswordstring""Root password of mariadb
maria.auth.usernamestring""Password of the additional user
maria.enabledboolfalse
maria.fullnameOverridestring"mariadb"Name of the mariadb deployment
maria.primary.configurationstring"[mysqld]\nskip-name-resolve\nexplicit_defaults_for_timestamp\nbasedir=/opt/bitnami/mariadb\nplugin_dir=/opt/bitnami/mariadb/plugin\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\ntmpdir=/opt/bitnami/mariadb/tmp\nmax_allowed_packet=16M\nbind-address=*\npid-file=/opt/bitnami/mariadb/tmp/mysqld.pid\nlog-error=/opt/bitnami/mariadb/logs/mysqld.log\ncharacter-set-server=utf8mb4\nslow_query_log=0\nslow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log\nlong_query_time=10.0\nmax_connections=1200\nconnect_timeout=5\nwait_timeout=600\ntransaction-isolation=READ-COMMITTED\nlower_case_table_names=1\nlog_bin_trust_function_creators=1\n\n[client]\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\ndefault-character-set=UTF8\nplugin_dir=/opt/bitnami/mariadb/plugin\n\n[manager]\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\npid-file=/opt/bitnami/mariadb/tmp/mysqld.pid"Primary node configuration
nevisAdmin4.affinityobject{}
nevisAdmin4.annotationsobject{}Additional annotations to be put on the nevisAdmin4 StatefulSet.
nevisAdmin4.certManagerIssuerstring"letsencrypt-prod"Specify the cert-manager issuer for the nevisAdmin4 ingress
nevisAdmin4.configobject{"env":"","logback":"","nevisadmin4":{}}low level configuration options
nevisAdmin4.config.envstring""Content of env.conf configuration file as multiline string
nevisAdmin4.config.logbackstring""Content of logback.xml configuration file as multiline string
nevisAdmin4.config.nevisadmin4object{}Content of nevisadmin4.yml configuration file
nevisAdmin4.configOverrideEnabledboolfalseThe env.conf, nevisadmin4.yml and logback.xml can be overriden by placing tha file with the same name besides the values.yaml
nevisAdmin4.containerSecurityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}Security context for the nevisAdmin4 pod containers.
nevisAdmin4.corsobject{}cors attributes
nevisAdmin4.credentialSecretstring""Secret containing the initial password of nevisAdmin4 to avoid plain values in the values file. Must have the "password" key. If credentialSecret and password is not given it will be autogenerated. Must be prepared id advance.
nevisAdmin4.database.applicationUserstring"admin4appuser"Database user by nevisAdmin4
nevisAdmin4.database.applicationUserPasswordstring""Database app user password.
nevisAdmin4.database.credentialSecretstring""Secret containing schema and application user credentials to avoid plain values in the values file. Must have the "applicationUser", "applicationUserPassword", "schemaUser", "schemaUserPassword" key. Must be prepared is advance.
nevisAdmin4.database.enableSSLbooltrueDisable ssl if it's not supported by the database
nevisAdmin4.database.jobobject{"annotations":{},"cleanupEnabled":true,"labels":{},"podAnnotations":{},"podLabels":{},"ttlSecondsAfterFinished":1200}Values for the dbschema job
nevisAdmin4.database.job.annotationsobject{}Annotations to put onto the migration job.
nevisAdmin4.database.job.cleanupEnabledbooltruedbschema job will be deleted automatically
nevisAdmin4.database.job.labelsobject{}Labels to put onto the migration job.
nevisAdmin4.database.job.podAnnotationsobject{}Annotations to put onto the migration job pod.
nevisAdmin4.database.job.podLabelsobject{}Labels to put onto the migration job pod.
nevisAdmin4.database.namestring"nevisadmin4"Name of the database
nevisAdmin4.database.schemaUserstring"admin4schemauser"Database user used for the migration of the database for nevisAdmin4.
nevisAdmin4.database.schemaUserPasswordstring""Database schema user password.
nevisAdmin4.domainstring""Domain where nevisAdmin4 will be reachable
nevisAdmin4.enabledbooltrue
nevisAdmin4.extraEnvslist[]Additional environment variables that will be added to the nevisAdmin4 container
nevisAdmin4.image.migrationTagstring""Overrides the dbschema image tag whose default is the chart appVersion.
nevisAdmin4.image.tagstring""Overrides the image tag whose default is the chart appVersion.
nevisAdmin4.ingress.annotationsobject{"nginx.ingress.kubernetes.io/proxy-body-size":"100m"}Annotations to be put on the nevisAdmin4 Ingress.
nevisAdmin4.ingress.enabledbooltrue
nevisAdmin4.ingressIssuerAnnotationstring"cert-manager.io/issuer"cert-manager annotation to put on the ingress
nevisAdmin4.labelsobject{}Additional labels to be put on the nevisAdmin4 StatefulSet.
nevisAdmin4.ldapobject{"context":{},"enabled":false,"search":{},"truststore64":"","truststorePassphrase":"","user":{}}ldap attributes for the nevisadmin4.yml
nevisAdmin4.ldap.contextobject{}ldap context block
nevisAdmin4.ldap.enabledboolfalseEnable ldap
nevisAdmin4.ldap.searchobject{}ldap search block
nevisAdmin4.ldap.truststore64string""pkcs12 truststore in base64 format
nevisAdmin4.ldap.truststorePassphrasestring""truststore passphrase
nevisAdmin4.ldap.userobject{}ldap user block
nevisAdmin4.livenessProbeobject{}Specify a custom livenessProbe.
nevisAdmin4.managementPortint9889Management port, this is where the health checks will be available
nevisAdmin4.migrationResources.limits.cpustring"1000m"
nevisAdmin4.migrationResources.limits.memorystring"1000Mi"
nevisAdmin4.migrationResources.requests.cpustring"20m"
nevisAdmin4.migrationResources.requests.memorystring"200Mi"
nevisAdmin4.nodeSelectorobject{}
nevisAdmin4.otel.enabledboolfalseEnable OpenTelemetry forwarding
nevisAdmin4.otel.protocolstring"http/protobuf"OpenTelemetry protocol
nevisAdmin4.otel.urlstring""OpenTelemetry url
nevisAdmin4.passwordstring""Initial password of nevisAdmin4. If credentialSecret and password is not given it will be autogenerated.
nevisAdmin4.podAnnotationsobject{}Additional annotations to be put on the nevisAdmin4 pods.
nevisAdmin4.podLabelsobject{}Additional labels to be put on the nevisAdmin4 pods.
nevisAdmin4.podSecurityContextobject{"fsGroup":2000,"runAsNonRoot":true}Security context for the nevisAdmin4 pods.
nevisAdmin4.portint9080Default port of nevisAdmin4
nevisAdmin4.productAnalytics.enabledboolfalseEnable product analytics
nevisAdmin4.productAnalytics.prometheus.credentialSecretstring""Credential secret for Prometheus in case basic authentication is enabled. Has to have "password" and "username" keys.
nevisAdmin4.productAnalytics.prometheus.passwordstring""Password for Prometheus in case basic authentication is enabled
nevisAdmin4.productAnalytics.prometheus.urlstring""base url of the Prometheus instance
nevisAdmin4.productAnalytics.prometheus.usernamestring""Username for Prometheus in case basic authentication is enabled
nevisAdmin4.readinessProbeobject{}Specify a custom readinessProbe.
nevisAdmin4.resources.limits.cpustring"4000m"
nevisAdmin4.resources.limits.memorystring"4500Mi"
nevisAdmin4.resources.requests.cpustring"1000m"
nevisAdmin4.resources.requests.memorystring"1500Mi"
nevisAdmin4.saml.attributeobject{"email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","first-name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname","group-keys":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role","last-name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname","user-key":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}SAML attributes, by default it is set up for azure AD
nevisAdmin4.saml.certificate64string""Base64 saml.crt.
nevisAdmin4.saml.enabledboolfalseEnable SAML login
nevisAdmin4.saml.idp.metadataUristringnil
nevisAdmin4.saml.keySecretstring""Secret containing the sam key and certificate to avoid using local files. Must be prepared advance. Must have saml.key and saml.crt key.
nevisAdmin4.saml.privateKey64string""Base64 saml.key.
nevisAdmin4.springProfilesstring""Commma seperated list of spring profiles to use, overrides all defaults
nevisAdmin4.storageClassstring""Specify the storage class for the nevisAdmin4 persistent volume
nevisAdmin4.tls.enabledboolfalseEnable https for nevisadmin4, it will only affect the traffic between nginc and nevisadmin4
nevisAdmin4.tls.keyAliasstring"nevisadmin"The key alias
nevisAdmin4.tls.keystorestring"keystore.p12"Keystore file to use, will be used instead of the prepared secret or base64 if the file is available in the chart folder.
nevisAdmin4.tls.keystore64string""Base64 keystore file.
nevisAdmin4.tls.keystoreSecretstring""Secret containing the tls keystore, to avoid plain values and using a local files. Must be prepared in advance. Must have the "passphrase" and the value for tls.keystore as a secret key.
nevisAdmin4.tls.keystoreTypestring"pkcs12"Keystore type
nevisAdmin4.tls.passphrasestring""Keystore passphrase
nevisAdmin4.tls.portint8443what port to use if https is enabled
nevisAdmin4.tolerationslist[]
nevisOperator.affinityobject{}
nevisOperator.annotationsobject{}Annotations to put onto the Deployment.
nevisOperator.certificateDurationstring"8760h"Certificate duration of the internal certificates created with cert-manager
nevisOperator.containerSecurityContextobject{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}Security context for the nevisOperator pod containers.
nevisOperator.csrobject{"country":"CH","email-address":"[email protected]","locality":"K8S","organization":"K8S","organizational-unit":"K8S","province":"K8S"}These values will be used for creating the internal certicates with cert-manager
nevisOperator.defaultImagePullPolicystring""Sets the default imagePullPolicy for the deployed components by nevisAdmin 4
nevisOperator.enableLeaderElectionbooltrueEnable leader election for nevisOperator, this make it possible to run with multiple replicas
nevisOperator.image.tagstring""Overrides the image tag whose default is the chart appVersion.
nevisOperator.ingressIssuerstring"letsencrypt-prod"Name of the issuer that will be used for the generated ingresses
nevisOperator.ingressIssuerAnnotationstring"cert-manager.io/issuer"cert-manager annotation to put on the ingress
nevisOperator.internalIssuerstring"ca-issuer"Name of the internal issuer used to create the certificate for internal communication between the components
nevisOperator.internalIssuerCASecretstring"ca-root-secret"Name of the CA secret of the internal issuer
nevisOperator.internalIssuerCASecretNamespacestring""Namespace of the CA secret, defaults to the release namespace
nevisOperator.internalIssuerNamespacestring""Namespace of the internal issuer used to create the certificate for internal communication between the components
nevisOperator.labelsobject{}Labels to put onto the Deployment.
nevisOperator.nodeSelectorobject{}
nevisOperator.podAnnotationsobject{}Annotations to put onto the pods.
nevisOperator.podLabelsobject{}Labels to put onto the pods.
nevisOperator.podSecurityContextobject{"runAsNonRoot":true}Security context for the nevisOperator pods.
nevisOperator.replicasint1
nevisOperator.resources.limits.cpustring"200m"
nevisOperator.resources.limits.memorystring"256Mi"
nevisOperator.resources.requests.cpustring"100m"
nevisOperator.resources.requests.memorystring"96Mi"
nevisOperator.restrictNamespaces.additionalNamespaceslist[]If the goal is to deploy to these namespace use the additionalComponentNamespaces value instead
nevisOperator.restrictNamespaces.enabledbooltrueBy default, nevisOperator only has access to the namespace where it resides, and the namespaces from the additionalComponentNamespaces
nevisOperator.tolerationslist[]
nginxobject{"controller":{"admissionWebhooks":{"enabled":false},"config":{"annotation-value-word-blocklist":"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount"},"ingressClassResource":{"enabled":true,"name":"nginx"},"service":{"externalTrafficPolicy":"Local"}},"enabled":true}nginx settings, disable if nginx is already installed, the generated ingress will use the ingress class specified here
podLabelsobject{}Labels that will put onto every pod created by the chart
serviceAccount.createbooltrueEnable service account creation, if disabled the default service account will be used
serviceAccount.namestring""Override the name of the created service account for nevisadmin4
serviceAccount.nevisOperatorNamestring""Override the name of the created service account for nevisoperator

Installation automation on Kubernetes

The installation process described in Installation automation on OpenShift is also available for Kubernetes: kubernetes-installer.sh