Install as Helm Chart in Kubernetes
We created a Helm chart to allow convenient deployments of EuroDaT clients into Kubernetes clusters. Follow this guide if you want to use the EuroDaT Client in a Kubernetes cluster.
Install Helm
There are multiple ways to install Helm; refer to Helm's official installation site.
Create a Project Chart
If you don't have your own Helm chart for your k8s deployment yet, create one. You can use it to deploy other resources of your cluster. We will add the EuroDaT Client as a subchart.
Create the chart using
This will create a folder for your project which contains all necessary components:
project-name
├── Chart.yaml   (chart definition, including used Helm subcharts)
├── charts       (Helm's download location for subcharts)
├── templates    (directory with definitions of additional k8s resources)
└── values.yaml  (configuration values for own resources and subcharts)
If you only want to deploy a EuroDaT client and nothing more, you can delete all resources that were created by helm create in the templates directory and delete the content of the values.yaml file:
Install the Eurodat-Client Chart
Add the Helm chart of the EuroDaT Client as a dependency in project-name/Chart.yaml:
dependencies:
  - name: eurodat-client
    alias: client1
    version: vx.x.x
    repository: https://gitlab.com/api/v4/projects/33611450/packages/helm/dev
  - name: eurodat-client
    alias: client2
    version: vx.x.x
    repository: https://gitlab.com/api/v4/projects/33611450/packages/helm/dev
Add the EuroDaT helm repository:
Choose a EuroDaT client version. Check for the latest version by running
and looking for the CHART VERSION. Note that we align CHART VERSION and APP VERSION to the version of EuroDaT's release.
The version for which this documentation is valid is printed in the bottom-left corner of the page.
The code snippet above deploys two EuroDaT Clients, client1 and client2. You can add an arbitrary number of clients using different aliases. If you only need one client, you may remove the alias: line. Due to some restrictions in Helm, avoid using dashes (-) in the alias and only use lower-case letters.
Configure the EuroDaT Client
The EuroDaT Client helm chart deploys a client-controller application that needs to be configured to communicate with a EuroDaT instance. A few configurations are mandatory. For more, refer to the client's own values file.
Add this minimal configuration to the <project-name>/values.yaml file:
global:
  imageCredentials:
    registry: "registry.gitlab.com/eurodat/trustee-platform"
client1:
  iam:
    fqdn: "<EuroDaT's IAM FQDN>"
    credentials:
      client:
        id: "<EuroDaT Client ID>"
  images:
    clientController: "client-controller"
    tag: "<Image Tag>"
The individual values explained:
Value | What it is for | Where to find it |
---|---|---|
iam.fqdn | The fully qualified domain name of the EuroDaT cluster you want to connect to | Address of the EuroDaT cluster |
iam.credentials.client.id | Client ID registered at EuroDaT's IAM service | The ID used in the registration process |
images.tag | Image tag of the client controller application's image | The EuroDaT version you want to use, find all images here |
Create the Client Secret
Create a k8s secret following our tutorial on how to generate a client secret. Save the resulting secret as templates/eurodat-certificate-secret.yaml into the templates directory of our helm chart. Create a second k8s secret templates/<alias>-client-cluster-keystore-password-secret.yaml containing the base64-encoded password that was used to create the keystore:
apiVersion: v1
kind: Secret
metadata:
  name: <alias>-cluster-keystore-password-secret
type: Opaque
data:
  keystorePassword: "<base64-encoded password>"
The placeholder <alias> refers to the alias which you have given to the EuroDaT client in the definition of the subchart dependency. You can use
to encode the password. Be aware that echo appends a newline character by default.
Warning
Consider storing the keystore password in a secure environment, e.g., Vault, or use a native, cloud-provider-specific secrets management solution. In production environments, you should never hardcode secrets in files but generate the k8s secret from a secure source.
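The following shell functions are an added example, not part of the EuroDaT chart or documentation. They encode the keystore password without the newline that echo appends, detect an existing base64 value that carries one, and render the Secret shown above on stdout. The function names are hypothetical, and the alias check assumes lower-case letters and digits only, as in client1.

```shell
#!/bin/sh
# Added example: build the keystore-password Secret without a stray newline.
# Function names are hypothetical; they are not part of the EuroDaT chart.

# Base64-encode exactly the bytes of $1. printf '%s' adds no newline
# (echo would); tr removes the line wrapping base64 applies to long input.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed if the base64 value $1 decodes to data ending in a newline (0x0a).
# Command substitution strips trailing newlines, so inspect the byte via od.
decoded_ends_with_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Assumption: aliases are lower-case letters and digits only (no dashes).
valid_alias() {
    case "$1" in
        '' | *[!a-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the Secret manifest for alias $1 and password $2 on stdout.
render_secret() {
    valid_alias "$1" || { echo "invalid alias: $1" >&2; return 1; }
    encoded=$(encode_password "$2")
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${1}-cluster-keystore-password-secret
type: Opaque
data:
  keystorePassword: "$encoded"
EOF
}
```

Feeding render_secret from a variable populated by your secrets manager and piping its output to kubectl apply -f - keeps the password out of files on disk.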
Deploying the Eurodat-Client
Set up the connection to your k8s cluster and run: