Installation in Kubernetes Cluster

If you want to deploy Nevis onto a Cloud infrastructure, we recommend a Kubernetes-based installation. This installation is based on the Docker containerization and Kubernetes orchestration technologies.

For a general overview of the Nevis-on-Kubernetes deployment solution, check Kubernetes Deployment (Cloud).

• In the chapter Kubernetes Deployment Troubleshooting you can find information about how to debug the configuration.
• In the chapter Kubernetes Upgrade you can find information about how to upgrade your existing installation.

In this installation tutorial, you will set up nevisAdmin 4 on an existing Kubernetes cluster.

Pay attention to the following points:

• For general guidance, refer to System Requirements.
• For the database, you should use a MariaDB server.
• In some Kubernetes installations, special permission settings or entitlements are required, for example, for the ingress-nginx component.
• Any Kubernetes-compatible product or cloud provider should work.
  • For more details about the supported versions of the above providers, see the Nevis Product Lifetime and Platform Support Matrix.

Prerequisites

• Have an existing Kubernetes cluster and have enough permissions to create resource groups and resources, which includes RBAC permissions.
  • The installation of the crds, ingress-nginx and the cert-manager component needs cluster-wide permissions, for the rest, namespace scoped permissions are enough.
• Have a MariaDB database with the correct configuration, see component specific documentation, generally the following is needed:

autocommit=0
transaction-isolation = READ-COMMITTED
log_bin_trust_function_creators = 1
lower_case_table_names = 1
character-set-server = utf8mb4

• The supported Kubernetes versions for this guide are 1.24, 1.25, 1.26, 1.27 and 1.28.
• A Linux environment with the following software pre-installed:
  • kubectl: Kubernetes command line interface. The same minor version is recommended as the used Kubernetes version, in this case 1.24, 1.25, 1.26, 1.27 and 1.28.
  • docker: Docker client.
  • helm: Helm CLI

This guide requires basic knowledge of Linux and Kubernetes. If you are new to these topics, we recommend that you see tutorials or courses available online. If you have limited time, focus on Kubernetes tutorials, for example: Viewing Pods and Nodes.

Prepare the Git Deployment Repository

In this tutorial, we use GitHub as the Git system. However, it is possible to use Bitbucket, Gitea, GitLab and more instead. The same options should be available in every case.

To configure the Git connection for nevisOperator, perform the following steps:

1. Prepare GitHub.
   • Create a GitHub account.
   • Create an empty Git repository called deploy.
   • Set the GitHub repository to private. See https://help.github.com/en/articles/setting-repository-visibility#making-a-repository-private for detailed instructions
2. Create the SSH key material through the following commands:

#generate key pair
ssh-keygen -t ecdsa -C "kubernetes" -m PEM -P "" -f key

# create know_hosts file, replace the github domain if other Git system is used
ssh-keyscan github.com > known_hosts

# make sure ssh keys were generated
cat key
cat key.pub

The created key is used by both nevisOperator and nevisAdmin 4 to connect to GitHub. 3. Add the key key.pub to your GitHub account, or to the repository itself as a deploy key.

• See http://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account.
• See the Deploy keys section in http://developer.github.com/v3/guides/managing-deploy-keys

Setting environment variables

Set the following environment variables:

# Initial password of nevisAdmin 4
export NEVISADMIN_PASSWORD=
# The container registry of the Kubernetes cluster, for example: nevis.azurecr.io
export CONTAINER_REGISTRY=
# The namespace where the helm chart will be installed
export RELEASE_NAMESPACE=
# The name of the Helm release, for example nevisadmin4-prod
export RELEASE_NAME=
# Database host of the MariaDB database
export DATABASE_HOST=
# The root database user for the mariadb database, for example: root. If you are using an Azure database, do not include the host in the username.
export DB_ROOT_USER=
# The root database password for the mariadb database.
export DB_ROOT_PASSWORD=
# Password of the nevisAdmin 4 schema user which will be created during the installation
export DB_NEVISADMIN_SCHEMA_USER_PASSWORD=
# Password of the nevisAdmin 4 app user which will be created during the installation
export DB_NEVISADMIN_APP_USER_PASSWORD=
# URL of the Git repository to be used by nevisAdmin4.
export GIT_REPOSITORY_URL=
# Domain where nevisAdmin4 will be available. Make sure to point the domain to the IP of the nginx LoadBalancer after the installation is done. For example: test.westeurope.cloudapp.azure.com
export DOMAIN=
# For the temporary credentials, click the download button for one of the Docker images at https://portal.nevis.net/portal/secure/releases/rolling
export CLOUDSMITH_PASSWORD=

Upload Nevis Docker Images

Use the provided script to copy the Docker images from the Nevis Portal registry to the container registry of the Kubernetes cluster. Select one of the docker images in the portal under http://portal.nevis.net/portal/secure/releases/rolling to acquire a temporary username and password for the Nevis registry.

#!/bin/bash
# get temporary username/token on the portal
REGISTRY=docker.cloudsmith.io/nevissecurity/rolling

echo "Login to registry $REGISTRY"
docker login $REGISTRY -u nevissecurity/rolling -p $CLOUDSMITH_PASSWORD
echo "Login to registry $CONTAINER_REGISTRY"
if [[ $CONTAINER_REGISTRY == *.azurecr.io ]] ; then
    az acr login --name ${CONTAINER_REGISTRY%".azurecr.io"}
else
    docker login $CONTAINER_REGISTRY
fi

declare -a images=("nevisproxy:7.2402.0"
                   "nevisproxy-dbschema:7.2402.0"
                   "nevislogrend:7.2402.0"
                   "nevisfido:7.2402.0"
                   "nevisfido-dbschema:7.2402.0"
                   "nevisauth:7.2402.0"
                   "nevisauth-dbschema:7.2402.0"
                   "nevisidm:7.2402.0"
                   "nevisidm-dbschema:7.2402.0"
                   "nevismeta:7.2402.0"
                   "nevismeta-dbschema:7.2402.0"
                   "nevisadmin4:7.2402.0"
                   "nevisadmin4-dbschema:7.2402.0"
                   "nevisoperator:7.2402.0"
                   "nevisadapt:7.2402.0"
                   "nevisdetect-admin:7.2402.0"
                   "nevisdetect-core:7.2402.0"
                   "nevisdetect-entrypoint:7.2402.0"
                   "nevisdetect-persistency:7.2402.0"
                   "nevisadapt-dbschema:7.2402.0"
                   "nevisdetect-persistency-dbschema:7.2402.0"
                   "nevis-git-init:1.3.0"
                   "nevisdp:7.2402.0"
                   "nevis-ubi-tools:1.3.0"
                   "nevis-base-flyway:7.2402.0")
for i in "${images[@]}"; do
  docker pull $REGISTRY/$i
  NAME=$(echo "$i" | cut -d '/' -f 2 | cut -d ':' -f 1 )
  docker tag $REGISTRY/$i $CONTAINER_REGISTRY/nevis/$i
  docker push $CONTAINER_REGISTRY/nevis/$i
done

Save it as publish_images.sh, then run:

chmod +x publish_images.sh
./publish_images.sh

Deploy cert-manager

If the Kubernetes cluster does not have cert-manager already installed, then follow the official guide: https://cert-manager.io/docs/installation/helm/

Install CRD chart

Install the helm chart that contains the CustomResourceDefinitions used by nevisAdmin 4.

helm install nevisadmin4-crd nevisadmin4-crd --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/

caution

Uninstalling this chart deletes all the existing CustomResources, which results in the deletion of all the deployments made with nevisAdmin 4

Install chart

Prepare secrets for installation

Prepare the required secrets to be used by the helm chart. This is done to avoid plain secret values in the values.yaml.

Create namespace

kubectl create namespace $RELEASE_NAMESPACE

Create credential secrets

These secrets are used to avoid having plain values in the values.yaml.

# nevisAdmin 4 admin user credential
kubectl create secret generic nevis-nevisadmin4-admin-credential \
--from-literal=password=$NEVISADMIN_PASSWORD \
-n $RELEASE_NAMESPACE

# git credential
kubectl create secret generic nevis-git-credential \
--from-file=key=key \
--from-file=key.pub=key.pub \
--from-file=known_hosts=known_hosts \
--from-literal=passphrase="" \
--from-literal=username="" \
--from-literal=password="" \
-n $RELEASE_NAMESPACE

# database credential
kubectl create secret generic nevis-database-credential \
--from-literal=username=$DB_ROOT_USER \
--from-literal=password=$DB_ROOT_PASSWORD \
-n $RELEASE_NAMESPACE

# nevisAdmin 4 database credential
kubectl create secret generic nevis-nevisadmin4-database-credential \
--from-literal=applicationUser=admin4appuser \
--from-literal=applicationUserPassword=$DB_NEVISADMIN_APP_USER_PASSWORD \
--from-literal=schemaUser=admin4schemauser \
--from-literal=schemaUserPassword=$DB_NEVISADMIN_SCHEMA_USER_PASSWORD \
-n $RELEASE_NAMESPACE

The nevis-database-credential secret can be used for the Root Credential and Root Credential Namespace fields in the database patterns inside nevisAdmin 4.

For more configuration options see the values table below.

Install

Kubernetes

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
    --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
    --set image.repository=$CONTAINER_REGISTRY \
    --set git.repositoryUrl=$GIT_REPOSITORY_URL \
    --set git.credentialSecret=nevis-git-credential \
    --set database.host=$DATABASE_HOST \
    --set database.root.preparedCredentialSecret=nevis-database-credential \
    --set nevisAdmin4.domain=$DOMAIN \
    --set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
    --set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
    --set nginx.nameOverride=$RELEASE_NAMESPACE-nginx

OpenShift

As ingress-nginx must run with user 101 and needs capabilities such as NET_BIND_SERVICE, it's required that the used SecurityContext is changed on OpenShift. Additionally, it's not allowed to set the fsGroup of the nevisAdmin 4 deployment.

# Username for the registry
REGISTRY_USERNAME=
# Password for the registry
REGISTRY_PASSWORD=

# Prepare registry secret
oc create secret docker-registry registry-secret --docker-server="$CONTAINER_REGISTRY" --docker-username="$REGISTRY_USERNAME" --docker-password="$REGISTRY_PASSWORD" -n "$RELEASE_NAMESPACE"
# Prepare nginx service account
oc create serviceaccount nevisadmin4-nginx -n "$RELEASE_NAMESPACE"
oc adm policy add-scc-to-user privileged -z nevisadmin4-nginx -n "$RELEASE_NAMESPACE"

helm install $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE \
    --repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
    --set image.repository=$CONTAINER_REGISTRY \
    --set image.imagePullSecretName=registry-secret \
    --set git.repositoryUrl=$GIT_REPOSITORY_URL \
    --set git.credentialSecret=nevis-git-credential \
    --set database.host=$DATABASE_HOST \
    --set database.root.preparedCredentialSecret=nevis-database-credential \
    --set nevisAdmin4.domain=$DOMAIN \
    --set nevisAdmin4.podSecurityContext.fsGroup=null \
    --set nevisAdmin4.credentialSecret=nevis-nevisadmin4-admin-credential \
    --set nevisAdmin4.database.credentialSecret=nevis-nevisadmin4-database-credential \
    --set nginx.serviceAccount.create=false \
    --set nginx.serviceAccount.name=nevisadmin4-nginx \
    --set nginx.nameOverride=$RELEASE_NAMESPACE-$RELEASE_NAME

Upgrade

To upgrade the installation, copy over the new images from Upload Nevis Docker Images then run:

helm get values $RELEASE_NAME -n $RELEASE_NAMESPACE > values.yaml \
&& helm upgrade $RELEASE_NAME nevisadmin4 -n $RELEASE_NAMESPACE -f values.yaml \
--repo https://dl.cloudsmith.io/$CLOUDSMITH_PASSWORD/nevissecurity/rolling/helm/charts/ \
--set <your-new-values> \
--version <version-to-upgrade>

If the version is not provided, it upgrades to the latest one.

Using existing ingress-nginx installation

Set the nginx.enabled to false, and set the nginx.controller.ingressClassResource.name and nginx.controller.ingressClass values to the ingress class of the existing ingress-nginx controller.

On some installations, the snippet feature is disabled by default, as this is required for the side-by-side deployment to function. Make sure that you have the following in the ConfigMap used by ingress-nginx:

allow-snippet-annotations: "true"
annotation-value-word-blocklist: load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,',\

It's recommended to use a blocklist to prevent misuse.

Configure an Example Project and Inventory in the GUI

The final step is to import and deploy an example project using nevisAdmin 4:

1. In the nevisAdmin 4 Welcome or Project Settings screen, import the following project: project_CLOUD-PROJECT_20200519T102912Z.zip Adapt the project:

   • Set the latest libraries in the Administration tab under Standard libraries.
   • Open the just imported Cloud-Project project in the Configuration tab. Note that the patterns nevisAuth/nevisProxy Remote Session Store and nevisIDM Database are marked with a red bullet point - this is because their database hostname is incorrect. Correct the database hostname of these patterns.

2. In the Administration > Inventory Settings screen, import the following inventory: inventory_CLOUD-INVENTORY_20200519T102841Z.zip Adapt the inventory:

   • Enter the URL of your GitHub repository.

   • Enter the component namespace where the Nevis components will be deployed. This is the same as the RELEASE_NAMESPACE unless additionalComponentNamespaces were used.

   • Enter the DOMAIN for the proxy-host-name.

   • Enter the API URL of your Kubernetes cluster using HTTPS and port 443. As long as nevisadmin4 is inside the cluster https://kubernetes.default.svc:443 can be used.

   • Enter the token of your Kubernetes cluster. Get the token by executing the following command:

     kubectl describe secret -n $RELEASE_NAMESPACE nevisadmin4-sa-secret| grep token

3. Click the Deploy button and go through the steps of the Deployment Wizard. If there is a warning, you can just accept it and continue.

4. Go to the following URLs to test:

URLs to test

# nevisIDM admin reachable here, default credentials: bootstrap/generated
google-chrome https://$DOMAIN/nevisidm/admin

# Example standalone nevisAuth flow
google-chrome https://$DOMAIN/

Helm values

Key	Type	Default	Description
additionalComponentNamespaces	list	[]	Listing additional ones here, will make it so that nevisAdmin4 can deploy to these namespaces. The namespace itself has to exist already.
bootstrap	object	{"annotations":{},"gitea":{"enabled":false},"image":{"version":"1.3.0"},"labels":{},"nevisAdmin4":{"enabled":false},"podAnnotations":{},"podLabels":{}}	Supports importing initial projects and inventories into nevisAdmin 4 and creating a repository in gitea.
bootstrap.annotations	object	{}	Annotations to put onto the Job.
bootstrap.labels	object	{}	Labels to put onto the bootstrap job.
bootstrap.podAnnotations	object	{}	Annotations to put onto the pods.
bootstrap.podLabels	object	{}	Labels to put onto the bootstrap job pod.
certManager.createCAIssuer	bool	true	Create a CA Issuer to the main release namespace, it also creates a self-signed issuer to prepare the root CA
certManager.createLetsEncryptIssuer	bool	true	Creates a Let's encrypt issuer to every component namespace
database.host	string	""	Database host, example: mariadb29a7439e.mariadb.database.azure.com
database.port	string	"3306"	Database port
database.root.credentialSecret	string	"helm-database-credential"	DEPRECATED: Use preparedCredentialSecret instead. Secret containing the username and password for the root user. Must have the "username" and "password" key.
database.root.password	string	""	Root password in plain value. It's recommended to prepare a secret instead.
database.root.preparedCredentialSecret	string	""	When using this value, root-creds secret will only be created in the namespace where nevisAdmin4 resides. Adjust the Root Credential Namespace in the Database patterns of nevisAdmin 4 before the migration to this value.
database.root.username	string	""	Root username in plain value. It's recommended to prepare a secret instead.
database.type	string	"mariadb"	Type of the database, supported values: mariadb, postgresql
git.credentialSecret	string	""	Secret containing the git credentials, to avoid having plain values in the values file. Must have "key", "key.pub", "known_hosts", "passphrase", "username", "password" secret keys. In case only http or ssh is used, the corresponding keys can be empty, but still has to exist in the secret.
git.httpCredentialSecret	string	""	DEPRECATED: Use credentialSecret instead. Secret containing the username and password for http authentication. Must have the "username" and "password" key.
git.knownHosts64	string	""	Base64 known_hosts.
git.passphrase	string	""	Private key passphrase
git.password	string	""	Password used for http authentication. It's recommended to prepare a secret instead.
git.privateKey64	string	""	Base64 git private key.
git.publicKey64	string	""	Base64 git public key.
git.repositoryUrl	string	""	Git repository, can be either ssh or http
git.repositoryUrlMap	object	{}	Makes it possible to use a different repository for each component namespace
git.sshCredentialSecret	string	"helm-git-ssh"	DEPRECATED: Use credentialSecret instead. Secret containing the git credentials, to avoid having plain values in the values file. Must have "key", "key.pub", "known_hosts" key.
git.username	string	""	Username used for http authentication. It's recommended to prepare a secret instead.
gitea.enabled	bool	false
gitea.fullnameOverride	string	"gitea"	Name of the gitea deployment
gitea.gitea.admin.email	string	"[email protected]"
gitea.gitea.admin.password	string	""	Gitea admin password
gitea.gitea.admin.username	string	""	Gitea admin username
gitea.gitea.config.cache.ADAPTER	string	"memory"
gitea.gitea.config.cache.ENABLED	bool	true
gitea.gitea.config.cache.HOST	string	"127.0.0.1:9090"
gitea.gitea.config.cache.INTERVAL	int	60
gitea.gitea.config.database.DB_TYPE	string	"mysql"
gitea.gitea.config.database.HOST	string	"mariadb:3306"
gitea.gitea.config.database.NAME	string	"gitea"
gitea.gitea.config.database.PASSWD	string	""	Database user password
gitea.gitea.config.database.SCHEMA	string	"gitea"
gitea.gitea.config.database.USER	string	""	Database user for gitea
gitea.gitea.config.server.ROOT_URL	string	""	Root url of gitea
gitea.image.rootless	bool	true	Use rootless image
gitea.ingress.annotations."cert-manager.io/cluster-issuer"	string	"letsencrypt-prod"
gitea.ingress.annotations."nginx.ingress.kubernetes.io/rewrite-target"	string	"/$2"
gitea.ingress.apiVersion	string	"networking.k8s.io/v1"
gitea.ingress.enabled	bool	true
gitea.ingress.hosts[0].host	string	""
gitea.ingress.hosts[0].paths[0].path	string	`"/gitea(/	$)(.*)"`
gitea.ingress.hosts[0].paths[0].pathType	string	"ImplementationSpecific"
gitea.ingress.tls[0].hosts[0]	string	""
gitea.ingress.tls[0].secretName	string	"gitea-tls"
gitea.job.annotations	object	{}	Annotations to put onto the Job.
gitea.job.labels	object	{}
gitea.job.podAnnotations	object	{}	Annotations to put onto the pods.
gitea.job.podLabels	object	{}	Labels to put onto the bootstrap job pod.
gitea.memcached.enabled	bool	false
gitea.mysql.enabled	bool	false
gitea.postgresql.enabled	bool	false
gitea.statefulset.env[0].name	string	"HOME"
gitea.statefulset.env[0].value	string	"/data/git"
image.imagePrefix	string	"nevis"	Image prefix, nevis images will be pulled from [repository]/[imagePrefix]
image.imagePullSecretName	string	""	Name of the secret containing the credentials, only necessary if a private repository is used.
image.repository	string	""	Repository where the images will be pulled from
maria.auth.password	string	"nevis"	Name of the additional user created for mariadb
maria.auth.rootPassword	string	""	Root password of mariadb
maria.auth.username	string	""	Password of the additional user
maria.enabled	bool	false
maria.fullnameOverride	string	"mariadb"	Name of the mariadb deployment
maria.primary.configuration	string	"[mysqld]\nskip-name-resolve\nexplicit_defaults_for_timestamp\nbasedir=/opt/bitnami/mariadb\nplugin_dir=/opt/bitnami/mariadb/plugin\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\ntmpdir=/opt/bitnami/mariadb/tmp\nmax_allowed_packet=16M\nbind-address=*\npid-file=/opt/bitnami/mariadb/tmp/mysqld.pid\nlog-error=/opt/bitnami/mariadb/logs/mysqld.log\ncharacter-set-server=utf8mb4\nslow_query_log=0\nslow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log\nlong_query_time=10.0\nmax_connections=1200\nconnect_timeout=5\nwait_timeout=600\ntransaction-isolation=READ-COMMITTED\nlower_case_table_names=1\nlog_bin_trust_function_creators=1\n\n[client]\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\ndefault-character-set=UTF8\nplugin_dir=/opt/bitnami/mariadb/plugin\n\n[manager]\nport=3306\nsocket=/opt/bitnami/mariadb/tmp/mysql.sock\npid-file=/opt/bitnami/mariadb/tmp/mysqld.pid"	Primary node configuration
nevisAdmin4.affinity	object	{}
nevisAdmin4.annotations	object	{}	Additional annotations to be put on the nevisAdmin4 StatefulSet.
nevisAdmin4.certManagerIssuer	string	"letsencrypt-prod"	Specify the cert-manager issuer for the nevisAdmin4 ingress
nevisAdmin4.config	object	{"env":"","logback":"","nevisadmin4":{}}	low level configuration options
nevisAdmin4.config.env	string	""	Content of env.conf configuration file as multiline string
nevisAdmin4.config.logback	string	""	Content of logback.xml configuration file as multiline string
nevisAdmin4.config.nevisadmin4	object	{}	Content of nevisadmin4.yml configuration file
nevisAdmin4.configOverrideEnabled	bool	false	The env.conf, nevisadmin4.yml and logback.xml can be overriden by placing tha file with the same name besides the values.yaml
nevisAdmin4.containerSecurityContext	object	{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}	Security context for the nevisAdmin4 pod containers.
nevisAdmin4.cors	object	{}	cors attributes
nevisAdmin4.credentialSecret	string	""	Secret containing the initial password of nevisAdmin4 to avoid plain values in the values file. Must have the "password" key. If credentialSecret and password is not given it will be autogenerated. Must be prepared id advance.
nevisAdmin4.database.applicationUser	string	"admin4appuser"	Database user by nevisAdmin4
nevisAdmin4.database.applicationUserPassword	string	""	Database app user password.
nevisAdmin4.database.credentialSecret	string	""	Secret containing schema and application user credentials to avoid plain values in the values file. Must have the "applicationUser", "applicationUserPassword", "schemaUser", "schemaUserPassword" key. Must be prepared is advance.
nevisAdmin4.database.enableSSL	bool	true	Disable ssl if it's not supported by the database
nevisAdmin4.database.job	object	{"annotations":{},"cleanupEnabled":true,"labels":{},"podAnnotations":{},"podLabels":{},"ttlSecondsAfterFinished":1200}	Values for the dbschema job
nevisAdmin4.database.job.annotations	object	{}	Annotations to put onto the migration job.
nevisAdmin4.database.job.cleanupEnabled	bool	true	dbschema job will be deleted automatically
nevisAdmin4.database.job.labels	object	{}	Labels to put onto the migration job.
nevisAdmin4.database.job.podAnnotations	object	{}	Annotations to put onto the migration job pod.
nevisAdmin4.database.job.podLabels	object	{}	Labels to put onto the migration job pod.
nevisAdmin4.database.name	string	"nevisadmin4"	Name of the database
nevisAdmin4.database.schemaUser	string	"admin4schemauser"	Database user used for the migration of the database for nevisAdmin4.
nevisAdmin4.database.schemaUserPassword	string	""	Database schema user password.
nevisAdmin4.domain	string	""	Domain where nevisAdmin4 will be reachable
nevisAdmin4.enabled	bool	true
nevisAdmin4.extraEnvs	list	[]	Additional environment variables that will be added to the nevisAdmin4 container
nevisAdmin4.image.migrationTag	string	""	Overrides the dbschema image tag whose default is the chart appVersion.
nevisAdmin4.image.tag	string	""	Overrides the image tag whose default is the chart appVersion.
nevisAdmin4.ingress.annotations	object	{"nginx.ingress.kubernetes.io/proxy-body-size":"100m"}	Annotations to be put on the nevisAdmin4 Ingress.
nevisAdmin4.ingress.enabled	bool	true
nevisAdmin4.ingressIssuerAnnotation	string	"cert-manager.io/issuer"	cert-manager annotation to put on the ingress
nevisAdmin4.labels	object	{}	Additional labels to be put on the nevisAdmin4 StatefulSet.
nevisAdmin4.ldap	object	{"context":{},"enabled":false,"search":{},"truststore64":"","truststorePassphrase":"","user":{}}	ldap attributes for the nevisadmin4.yml
nevisAdmin4.ldap.context	object	{}	ldap context block
nevisAdmin4.ldap.enabled	bool	false	Enable ldap
nevisAdmin4.ldap.search	object	{}	ldap search block
nevisAdmin4.ldap.truststore64	string	""	pkcs12 truststore in base64 format
nevisAdmin4.ldap.truststorePassphrase	string	""	truststore passphrase
nevisAdmin4.ldap.user	object	{}	ldap user block
nevisAdmin4.livenessProbe	object	{}	Specify a custom livenessProbe.
nevisAdmin4.managementPort	int	9889	Management port, this is where the health checks will be available
nevisAdmin4.migrationResources.limits.cpu	string	"1000m"
nevisAdmin4.migrationResources.limits.memory	string	"1000Mi"
nevisAdmin4.migrationResources.requests.cpu	string	"20m"
nevisAdmin4.migrationResources.requests.memory	string	"200Mi"
nevisAdmin4.nodeSelector	object	{}
nevisAdmin4.password	string	""	Initial password of nevisAdmin4. If credentialSecret and password is not given it will be autogenerated.
nevisAdmin4.podAnnotations	object	{}	Additional annotations to be put on the nevisAdmin4 pods.
nevisAdmin4.podLabels	object	{}	Additional labels to be put on the nevisAdmin4 pods.
nevisAdmin4.podSecurityContext	object	{"fsGroup":2000,"runAsNonRoot":true}	Security context for the nevisAdmin4 pods.
nevisAdmin4.port	int	9080	Default port of nevisAdmin4
nevisAdmin4.readinessProbe	object	{}	Specify a custom readinessProbe.
nevisAdmin4.resources.limits.cpu	string	"4000m"
nevisAdmin4.resources.limits.memory	string	"4500Mi"
nevisAdmin4.resources.requests.cpu	string	"1000m"
nevisAdmin4.resources.requests.memory	string	"1500Mi"
nevisAdmin4.saml.attribute	object	{"email":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress","first-name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname","group-keys":"http://schemas.microsoft.com/ws/2008/06/identity/claims/role","last-name":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname","user-key":"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}	SAML attributes, by default it is set up for azure AD
nevisAdmin4.saml.certificate64	string	""	Base64 saml.crt.
nevisAdmin4.saml.enabled	bool	false	Enable SAML login
nevisAdmin4.saml.idp.metadataUri	string	nil
nevisAdmin4.saml.keySecret	string	""	Secret containing the sam key and certificate to avoid using local files. Must be prepared advance. Must have saml.key and saml.crt key.
nevisAdmin4.saml.privateKey64	string	""	Base64 saml.key.
nevisAdmin4.springProfiles	string	""	Commma seperated list of spring profiles to use, overrides all defaults
nevisAdmin4.storageClass	string	""	Specify the storage class for the nevisAdmin4 persistent volume
nevisAdmin4.tls.enabled	bool	false	Enable https for nevisadmin4, it will only affect the traffic between nginc and nevisadmin4
nevisAdmin4.tls.keyAlias	string	"nevisadmin"	The key alias
nevisAdmin4.tls.keystore	string	"keystore.p12"	Keystore file to use, will be used instead of the prepared secret or base64 if the file is available in the chart folder.
nevisAdmin4.tls.keystore64	string	""	Base64 keystore file.
nevisAdmin4.tls.keystoreSecret	string	""	Secret containing the tls keystore, to avoid plain values and using a local files. Must be prepared in advance. Must have the "passphrase" and the value for tls.keystore as a secret key.
nevisAdmin4.tls.keystoreType	string	"pkcs12"	Keystore type
nevisAdmin4.tls.passphrase	string	""	Keystore passphrase
nevisAdmin4.tls.port	int	8443	what port to use if https is enabled
nevisAdmin4.tolerations	list	[]
nevisOperator.affinity	object	{}
nevisOperator.annotations	object	{}	Annotations to put onto the Deployment.
nevisOperator.certificateDuration	string	"8760h"	Certificate duration of the internal certificates created with cert-manager
nevisOperator.containerSecurityContext	object	{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}	Security context for the nevisOperator pod containers.
nevisOperator.csr	object	{"country":"CH","email-address":"[email protected]","locality":"K8S","organization":"K8S","organizational-unit":"K8S","province":"K8S"}	These values will be used for creating the internal certicates with cert-manager
nevisOperator.defaultImagePullPolicy	string	""	Sets the default imagePullPolicy for the deployed components by nevisAdmin 4
nevisOperator.enableLeaderElection	bool	true	Enable leader election for nevisOperator, this make it possible to run with multiple replicas
nevisOperator.image.tag	string	""	Overrides the image tag whose default is the chart appVersion.
nevisOperator.ingressIssuer	string	"letsencrypt-prod"	Name of the issuer that will be used for the generated ingresses
nevisOperator.ingressIssuerAnnotation	string	"cert-manager.io/issuer"	cert-manager annotation to put on the ingress
nevisOperator.internalIssuer	string	"ca-issuer"	Name of the internal issuer used to create the certificate for internal communication between the components
nevisOperator.internalIssuerCASecret	string	"ca-root-secret"	Name of the CA secret of the internal issuer
nevisOperator.internalIssuerCASecretNamespace	string	""	Namespace of the CA secret, defaults to the release namespace
nevisOperator.internalIssuerNamespace	string	""	Namespace of the internal issuer used to create the certificate for internal communication between the components
nevisOperator.labels	object	{}	Labels to put onto the Deployment.
nevisOperator.nodeSelector	object	{}
nevisOperator.podAnnotations	object	{}	Annotations to put onto the pods.
nevisOperator.podLabels	object	{}	Labels to put onto the pods.
nevisOperator.podSecurityContext	object	{"runAsNonRoot":true}	Security context for the nevisOperator pods.
nevisOperator.replicas	int	1
nevisOperator.resources.limits.cpu	string	"200m"
nevisOperator.resources.limits.memory	string	"256Mi"
nevisOperator.resources.requests.cpu	string	"100m"
nevisOperator.resources.requests.memory	string	"96Mi"
nevisOperator.restrictNamespaces.additionalNamespaces	list	[]	If the goal is to deploy to these namespace use the additionalComponentNamespaces value instead
nevisOperator.restrictNamespaces.enabled	bool	true	By default, nevisOperator only has access to the namespace where it resides, and the namespaces from the additionalComponentNamespaces
nevisOperator.tolerations	list	[]
nginx	object	{"controller":{"admissionWebhooks":{"enabled":false},"config":{"annotation-value-word-blocklist":"load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount"},"ingressClassResource":{"enabled":true,"name":"nginx"},"service":{"externalTrafficPolicy":"Local"}},"enabled":true}	nginx settings, disable if nginx is already installed, the generated ingress will use the ingress class specified here
podLabels	object	{}	Labels that will put onto every pod created by the chart
serviceAccount.create	bool	true	Enable service account creation, if disabled the default service account will be used
serviceAccount.name	string	""	Override the name of the created service account for nevisadmin4
serviceAccount.nevisOperatorName	string	""	Override the name of the created service account for nevisoperator

Installation automation on Kubernetes

The installation process described in Installation automation on OpenShift is also available for Kubernetes: kubernetes-installer.sh