Helm Charts
Prerequisites
- helm command line tool.
- kubectl command line tool.
- Access to a Kubernetes environment (cloud, on-prem, or local) that provides a LoadBalancer service implementation.
NOM server Helm Chart
- Download the NOM server Helm Chart from the Neo4j Deployment Center.
- The following is the reference values.yaml for the NOM server Helm Chart:
  # Default values for neo4j-ops-manager-server.
  # Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#config_ref"
  config:
    logFileName: ""
    logLevel: "info"
    maxHeapSize: "8g"
    jwtTTL: "2h"
    grpcAdvertisedHost: "" # must be set if a different IP/host is assigned to gRPC
    grpcAdvertisedPort: "" # must be set if a different port is assigned to gRPC

  # An optional reference to a Secret that contains some or all values for NOM secrets.
  # Secret name and key should be specified.
  secretsFromSecrets:
    # storage keys
    storageUri:
      secretName: ""
      key: "" # key in Secret for storage URI
    storageUsername:
      secretName: ""
      key: "" # key in Secret for storage username
    storagePassword:
      secretName: ""
      key: "" # key in Secret for storage password
    # tls keys
    tlsPassword:
      secretName: ""
      key: "" # key in Secret for TLS password
    tlsPkcs12CertFileContent:
      secretName: ""
      key: "" # key in Secret for TLS pkcs12CertFileContent
    # jwt keys
    jwtSecret:
      secretName: ""
      key: "" # key in Secret for JWT secret
    # mTLS keys
    mTlsAgentCerts:
      secretName: ""
      key: "" # key in Secret for mTLS agentCerts
    ingressTlsCert:
      secretName: ""
      key: "" # key in Secret for Ingress TLS certificate
    ingressTlsKey:
      secretName: ""
      key: "" # key in Secret for Ingress TLS private key

  secrets:
    # storage
    storageUri: ""
    storageUsername: ""
    storagePassword: ""
    # tls
    tlsPassword: ""
    tlsPkcs12CertFileContent: ""
    # jwt
    jwtSecret: ""
    # mTLS
    mTlsAgentCerts: "" # PEM encoded string
    # ingress tls
    ingressTlsCert: "" # PEM encoded string
    ingressTlsKey: "" # PEM encoded string

  service:
    http:
      # annotations for the http service
      # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
      # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
      # the K8s environment
      annotations: { }
      port: 443
      loadBalancerIP: "" # optional static load balancer IP
    grpc:
      # annotations for the grpc service
      # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
      # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
      # the K8s environment
      annotations: { }
      port: 9090
      loadBalancerIP: "" # optional static load balancer IP

  ingress:
    enabled: false
    sslPassthrough: false
    ingressClassName: "nginx"
    annotations: { }
    httpHostName: ""
    grpcHostName: ""

  nameOverride:
  additionalVolumeMounts: []

  image:
    name: neo4j/neo4j-ops-manager-server
    pullPolicy: IfNotPresent

  hpa:
    spec:
      targetCPUUtilizationPercentage: 70

  resources:
    limits:
      cpu: "2"
      memory: "8G"
    requests:
      cpu: "0.2"
      memory: "4G"

  affinity: {}
  nodeSelector: {}
  tolerations: []
Using pre-configured secrets
Adding sensitive information as plain text in values.yaml is less secure in some environments: a values file is often committed to version control, and the values supplied to helm install are stored by Helm in the release Secret.
In such environments, secrets are configured externally by privileged users or by secure service agents such as the HashiCorp Vault agent.
These securely pre-configured Kubernetes Secrets can be used to supply sensitive values to the NOM server Helm chart through the secretsFromSecrets configuration.
Each entry requires a secretName (the Kubernetes Secret to read, in the release namespace) and a key (the entry in that Secret's data that holds the NOM secret value).
The following values snippet demonstrates this use case, with inline comments:
secretsFromSecrets:
  storageUri:
    secretName: "secret1"
    key: "uri"
  storageUsername:
    secretName: "secret2"
    key: "name"
  storagePassword:          # The NOM secret being set; this entry maps to the storage password
    secretName: "secret3"   # Name of the Kubernetes Secret to read from
    key: "password"         # Key within that Secret whose value holds the required NOM secret value
Accessing K8s secrets which are not created by the chart uses Helm’s
Ingress support
- An Ingress resource can be deployed using the NOM server chart to support domain routing and SSL termination.
- Enabling Ingress support using values.yaml with SSL termination:

  secrets:
    ingressTlsCert: "<cert file content as PEM encoded string>"
    ingressTlsKey: "<key file content as PEM encoded string>"
  ingress:
    enabled: true
    sslPassthrough: false
    ingressClassName: "<your ingress controller class name, e.g. nginx>"
    annotations: { }
    httpHostName: "<Hostname/domain for NOM server http endpoints>"
    grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
- Terminating SSL at the Ingress means TLS is handled by the Ingress controller itself, so the controller holds the certificate and private key. To enable TLS handling, the additional ingressTlsCert and ingressTlsKey secrets need to be configured as shown in the previous example (inline, or via secretsFromSecrets). It is common practice to use a tool such as cert-manager to handle the provisioning and renewal of the certificate Secret.
- annotations can be used to further customize the Ingress resource for your Ingress controller based on your requirements.
Disabling SSL termination
- If you do not want the Ingress resource to handle SSL termination and want to use it only for domain routing and load balancing, the Ingress needs to allow SSL passthrough, and NOM server needs to be configured with its own certificates (tlsPkcs12CertFileContent and tlsPassword) as described previously; the Ingress TLS secrets are not required in this mode. Note that for ingress-nginx, passthrough also has to be enabled on the controller itself (the --enable-ssl-passthrough flag), otherwise the sslPassthrough setting has no effect. An example of SSL passthrough:

  ingress:
    enabled: true
    sslPassthrough: true
    ingressClassName: "<your ingress controller class name, e.g. nginx>"
    annotations: { }
    httpHostName: "<Hostname/domain for NOM server http endpoints>"
    grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
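The following script is an added example and is not part of the NOM chart or the Neo4j documentation. It checks a values file before helm install against the two rules described in the "Using pre-configured secrets" and "Ingress support" sections: sensitive values should come from a pre-created Kubernetes Secret referenced through secretsFromSecrets (with both secretName and key set, and the Secret actually present in the release namespace) rather than from plaintext under secrets, and the Ingress TLS mode must match the certificates supplied (ingressTlsCert/ingressTlsKey when the Ingress terminates TLS; tlsPkcs12CertFileContent and tlsPassword when sslPassthrough is true, which is this example's reading of "configured with the certificates as described previously"). It operates on the values already loaded into a dict (what yaml.safe_load returns) and on a map of the Secrets present in the namespace; the sample values, the Secret names nom-storage, nom-ingress-tls and nom-jwt, and the hostnames are constructed for the example.

```python
"""Pre-install consistency checks for NOM server Helm values (added example)."""

# Keys that appear under both `secrets` and `secretsFromSecrets` in the chart's values.yaml.
SECRET_KEYS = (
    "storageUri", "storageUsername", "storagePassword",
    "tlsPassword", "tlsPkcs12CertFileContent", "jwtSecret",
    "mTlsAgentCerts", "ingressTlsCert", "ingressTlsKey",
)


def _ref(values, key):
    """Return (secretName, key) for a secretsFromSecrets entry, or None if it is unset."""
    entry = (values.get("secretsFromSecrets") or {}).get(key) or {}
    name, data_key = entry.get("secretName") or "", entry.get("key") or ""
    if not name and not data_key:
        return None
    return name, data_key


def _is_set(values, key, available):
    """True if `key` is supplied inline or via a reference that resolves to an existing Secret key."""
    if (values.get("secrets") or {}).get(key):
        return True
    ref = _ref(values, key)
    return ref is not None and ref[1] in available.get(ref[0], set())


def check_values(values, available):
    """Return a list of findings; an empty list means the values are consistent.

    `available` maps Secret name -> set of data keys present in the release namespace
    (only the key names are needed, never the secret values).
    """
    findings = []
    inline = values.get("secrets") or {}
    for key in SECRET_KEYS:
        if inline.get(key):
            findings.append(f"secrets.{key} is set in plaintext; prefer secretsFromSecrets")
        ref = _ref(values, key)
        if ref is None:
            continue
        name, data_key = ref
        if not name or not data_key:
            findings.append(f"secretsFromSecrets.{key} needs both secretName and key")
        elif name not in available:
            findings.append(f"secretsFromSecrets.{key}: Secret {name!r} not found in release namespace")
        elif data_key not in available[name]:
            findings.append(f"secretsFromSecrets.{key}: key {data_key!r} missing from Secret {name!r}")

    ingress = values.get("ingress") or {}
    if ingress.get("enabled"):
        if ingress.get("sslPassthrough"):
            # Passthrough: the Ingress forwards TLS untouched, so NOM itself must hold the server certificate.
            for key in ("tlsPkcs12CertFileContent", "tlsPassword"):
                if not _is_set(values, key, available):
                    findings.append(f"ingress.sslPassthrough=true but {key} is not configured")
        else:
            # Termination: the Ingress presents the certificate the chart takes from ingressTlsCert/Key.
            for key in ("ingressTlsCert", "ingressTlsKey"):
                if not _is_set(values, key, available):
                    findings.append(f"ingress.sslPassthrough=false but {key} is not configured")
        for host in ("httpHostName", "grpcHostName"):
            if not ingress.get(host):
                findings.append(f"ingress.{host} is empty")
    return findings


# Constructed sample: a values override as yaml.safe_load would return it.
SAMPLE_VALUES = {
    "secrets": {"jwtSecret": "change-me"},  # plaintext: will be flagged
    "secretsFromSecrets": {
        "storageUri": {"secretName": "nom-storage", "key": "uri"},
        "storageUsername": {"secretName": "nom-storage", "key": "username"},
        "storagePassword": {"secretName": "nom-storage", "key": "password"},
        "ingressTlsCert": {"secretName": "nom-ingress-tls", "key": "tls.crt"},
        "ingressTlsKey": {"secretName": "nom-ingress-tls", "key": "tls.key"},
        "jwtSecret": {"secretName": "nom-jwt", "key": ""},  # incomplete reference
    },
    "ingress": {"enabled": True, "sslPassthrough": False,
                "httpHostName": "nom.example.com", "grpcHostName": "nom-grpc.example.com"},
}

# Constructed sample: Secrets present in the namespace (tls.crt/tls.key are the standard
# kubernetes.io/tls keys that cert-manager writes). "password" is deliberately missing.
SAMPLE_SECRETS = {
    "nom-storage": {"uri", "username"},
    "nom-ingress-tls": {"tls.crt", "tls.key"},
}

if __name__ == "__main__":
    for finding in check_values(SAMPLE_VALUES, SAMPLE_SECRETS):
        print("-", finding)
```

In a real pipeline, build `available` from kubectl get secret -n <release-namespace> -o json using only the names of the data keys, and run the check before helm install or helm upgrade; the sample above reports the missing storage password key, the plaintext JWT secret, and the incomplete jwtSecret reference.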