Helm chart for Kubernetes/OpenShift deployment

This option requires a Kubernetes cluster, Helm, and a PostgreSQL database to be available and is intended for the production deployment of Governor. If you prefer an easier option to install Governor for evaluation and demonstration purposes, use the demo setup instead. If you want to run Governor in production without a Kubernetes cluster, use the docker-compose based installation option.

Prerequisites

  1. Kubernetes cluster

  2. kubectl tool installed and set up for your cluster.

  3. Helm 3 installed

  4. A PostgreSQL server (version 13 or later) must be available to hold the Governor database. An empty database should be created before Governor is installed, and the login credentials for this database should be known.

Configuring and installing the Helm chart

  • Configure the kubectl tool to work with your Kubernetes cluster. For cloud distributions of Kubernetes, you might need to install additional tools and/or apply additional configuration. Refer to your cloud provider's documentation for details.

  • Set up database credentials:

Mac/Linux:

export DB_URL='[db-url]'
export DB_USERNAME='[db-username]'
export DB_PASSWORD='[db-password]'

Windows (PowerShell):

$DB_URL='[db-url]'
$DB_USERNAME='[db-username]'
$DB_PASSWORD='[db-password]'

DB_URL is the JDBC URL for the Governor database, in the following format: jdbc:postgresql://[host]:5432/[database-name].

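  • Generate a JWT secret for authentication:

Mac/Linux:

export JWT_SECRET=$(openssl rand -base64 256 | tr -d '\n')

Windows (PowerShell):

# 256 bytes from the OS cryptographic RNG, Base64-encoded (same size as the openssl command)
$bytes = [byte[]]::new(256); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$JWT_SECRET = [Convert]::ToBase64String($bytes)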

  • Set the admin email:

Mac/Linux:

export ADMIN_EMAIL='[admin email]'

Windows (PowerShell):

$ADMIN_EMAIL='[admin email]'
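
  • Generate the admin password:

Mac/Linux:

export ADMIN_DEFAULT_PASSWORD=$(openssl rand -hex 20 | tr -d '\n')

Windows (PowerShell):

# 20 bytes from the OS cryptographic RNG as hex, matching the openssl command;
# hex output contains no characters (such as commas) that helm --set treats specially
$bytes = [byte[]]::new(20); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$ADMIN_DEFAULT_PASSWORD = -join ($bytes | ForEach-Object { $_.ToString('x2') })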

  • Set the licence key:

Mac/Linux:

export SYNTHESIZED_KEY='[synthesized-key]'

Windows (PowerShell):

$SYNTHESIZED_KEY='[synthesized-key]'

  • Create a values.yaml file with all necessary configurations for your deployment (except secret values):

api:
  container:
    secretConfig:
      SPRING_DATASOURCE_URL: "[your-database-url]"  # Leave this blank or set with --set
      SPRING_DATASOURCE_USERNAME: "[your-database-username]"  # Leave this blank or set with --set
      SPRING_DATASOURCE_PASSWORD: "[your-database-password]"  # Leave this blank or set with --set
      JWT_SECRET: "[leave this blank or set with --set]"
      ADMIN_EMAIL: "[your-admin-email]"  # Leave this blank or set with --set
      ADMIN_DEFAULT_PASSWORD: "[leave this blank or set with --set]"
      SYNTHESIZED_KEY: "[your-synthesized-key]"  # Leave this blank or set with --set

Once this file is created, replace the placeholders in the values.yaml file with the actual values you obtained from the previous steps, leaving the secret values blank.

  • Run the following command to download and install the Governor Helm chart with your values.yaml file and all secrets set via --set:

Kubernetes:

helm pull oci://synthesizedio.jfrog.io/helm/governor
helm install governor oci://synthesizedio.jfrog.io/helm/governor -f values.yaml \
  --set api.container.secretConfig.SPRING_DATASOURCE_URL="$DB_URL" \
  --set api.container.secretConfig.SPRING_DATASOURCE_USERNAME="$DB_USERNAME" \
  --set api.container.secretConfig.SPRING_DATASOURCE_PASSWORD="$DB_PASSWORD" \
  --set api.container.secretConfig.JWT_SECRET="$JWT_SECRET" \
  --set api.container.secretConfig.ADMIN_EMAIL="$ADMIN_EMAIL" \
  --set api.container.secretConfig.ADMIN_DEFAULT_PASSWORD="$ADMIN_DEFAULT_PASSWORD" \
  --set api.container.secretConfig.SYNTHESIZED_KEY="$SYNTHESIZED_KEY"

OpenShift:

helm pull oci://synthesizedio.jfrog.io/helm/governor
helm install governor oci://synthesizedio.jfrog.io/helm/governor -f values.yaml \
  --set api.container.secretConfig.SPRING_DATASOURCE_URL="$DB_URL" \
  --set api.container.secretConfig.SPRING_DATASOURCE_USERNAME="$DB_USERNAME" \
  --set api.container.secretConfig.SPRING_DATASOURCE_PASSWORD="$DB_PASSWORD" \
  --set api.container.secretConfig.JWT_SECRET="$JWT_SECRET" \
  --set api.container.secretConfig.ADMIN_EMAIL="$ADMIN_EMAIL" \
  --set api.container.secretConfig.ADMIN_DEFAULT_PASSWORD="$ADMIN_DEFAULT_PASSWORD" \
  --set api.container.secretConfig.SYNTHESIZED_KEY="$SYNTHESIZED_KEY" \
  --set openshiftEnabled=true

Use the kubectl get pods command to make sure that governor-api and governor-front are in Running status. The most common source of potential problems is connectivity to the database. Verify that the database connection URL, username and password are correct, and check the governor-api logs for details if the problem persists.
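
A pre-flight check for the variables exported in the steps above, as an added example that is not part of the Governor documentation or chart. It catches unreplaced placeholders, commas (which helm --set parses as value separators), a malformed DB_URL, and a JWT secret that was truncated or left with line breaks; the function name check_governor_env and the 32-byte minimum for the secret are assumptions.

```shell
# Added example: pre-flight check for the values passed to `helm install --set`.
# check_governor_env and the 32-byte JWT minimum are assumptions, not chart features.
check_governor_env() {
  rc=0
  for name in DB_URL DB_USERNAME DB_PASSWORD JWT_SECRET ADMIN_EMAIL \
              ADMIN_DEFAULT_PASSWORD SYNTHESIZED_KEY; do
    eval "value=\${$name-}"   # safe: names come only from the fixed list above
    case "$value" in
      '')    echo "$name is empty" >&2; rc=1 ;;
      \[*\]) echo "$name still holds a [placeholder]" >&2; rc=1 ;;
      *,*)   echo "$name contains ',' which --set treats as a separator" >&2; rc=1 ;;
    esac
  done
  # DB_URL must follow jdbc:postgresql://[host]:[port]/[database-name].
  case "${DB_URL-}" in
    jdbc:postgresql://?*:?*/?*)
      hostport=${DB_URL#jdbc:postgresql://}
      hostport=${hostport%%/*}
      case "${hostport##*:}" in
        ''|*[!0-9]*) echo "DB_URL port is not numeric" >&2; rc=1 ;;
      esac ;;
    *) echo "DB_URL is not jdbc:postgresql://[host]:5432/[database-name]" >&2; rc=1 ;;
  esac
  # A wrapped or truncated secret shows up as non-base64 characters or a short string.
  case "${JWT_SECRET-}" in
    *[!A-Za-z0-9+/=]*) echo "JWT_SECRET has non-base64 characters" >&2; rc=1 ;;
  esac
  # 32 random bytes encode to 44 base64 characters; the page's command yields 344.
  [ "${#JWT_SECRET}" -ge 44 ] || { echo "JWT_SECRET is under 32 bytes" >&2; rc=1; }
  return "$rc"
}

# Constructed sample values (not real credentials) showing a passing run.
(
  DB_URL='jdbc:postgresql://db.internal:5432/governor'
  DB_USERNAME='governor' DB_PASSWORD='constructed-password'
  JWT_SECRET=$(printf '%044d' 0)
  ADMIN_EMAIL='admin@example.com'
  ADMIN_DEFAULT_PASSWORD='0123456789abcdef0123456789abcdef01234567'
  SYNTHESIZED_KEY='constructed-key'
  check_governor_env && echo "pre-flight OK"
)
```

Run check_governor_env in the same shell session as the export commands, before helm install; it returns non-zero and prints each problem to stderr.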

Configuring the Kubernetes Ingress for Helm Chart

In order to make Governor UI available for end users, Kubernetes ingress must be configured for the governor-front service. Since governor-front operates over HTTP port 80, the ingress must also provide TLS termination to allow users to connect to Governor UI using HTTPS.

With Helm, the ingress resource can be managed through the values.yaml file. This provides flexibility to configure the ingress resource based on the specific environment.

The Helm chart includes an ingress resource template that can be customized via the values.yaml file. By enabling the ingress and defining the necessary parameters, you can automatically deploy and configure the ingress resource.

Managing the Ingress via values.yaml

In your values.yaml file, you can configure the ingress settings like this:

ingress:
  enabled: true
  annotations: {}
  hosts:
    - host: example.com
      paths:
        - path: /
          service: governor-front
          servicePort: 80
  tls:
    - secretName: example-tls-secret
      hosts:
        - example.com

Values Description

  • ingress.enabled: Set this to true to enable the ingress resource. If it’s set to false, no ingress resource will be created.

  • ingress.annotations: A map of annotations to apply to the ingress. You can use this to configure settings like SSL certificates, ingress controller specifics, or other annotations required by your cloud provider.

  • ingress.hosts: A list of hosts (domains) for which the ingress will route traffic. For each host, you define the paths and service backend information.

      • host: The domain name for your service (e.g., example.com).

      • paths: A list of paths and their corresponding services and ports.

          • path: The URL path for the service.

          • service: The name of the service to route traffic to.

          • servicePort: The port on the service to route traffic to.

  • ingress.tls: Configure TLS for the ingress. This section contains the secretName and the list of hosts to be used for TLS encryption.

      • secretName: The name of the Kubernetes secret that contains the TLS certificate.

      • hosts: A list of hostnames that will use the TLS certificate.

Example

Here is an example of a fully configured ingress section in the values.yaml file for your Helm chart:

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
  hosts:
    - host: governor.example.com
      paths:
        - path: /
          service: governor-front
          servicePort: 80
  tls:
    - secretName: governor-tls-secret
      hosts:
        - governor.example.com

Deploy the Ingress Resource

Once your values.yaml file is configured, you can deploy the ingress by running the following command:

helm upgrade --install <release-name> <chart-name> -f values.yaml --reuse-values

This command will apply your values.yaml configuration and create the ingress resource with the specified parameters. If you have TLS enabled, make sure the TLS secret (governor-tls-secret in this case) is already created in your cluster. --reuse-values will keep the existing values in the release (including those for secrets) and avoid resetting them, while --set allows you to specify the values that you want to change or add.

Notes

  • Ensure that the domain (governor.example.com) points to the external IP of your Kubernetes ingress controller.

  • If you are using a cloud provider (e.g., Azure, AWS), make sure that your cloud provider’s DNS settings are configured correctly. For instance, in Azure, you may need to create a DNS A record that points to the ingress controller’s external IP address.

If you wish to use a cloud provider’s interface (like Azure’s UI), follow the steps from the original documentation to manually configure the ingress. However, using the Helm chart with values.yaml is the recommended approach for repeatable deployments.