Helm Charts

Prerequisites

  • helm command line tool.

  • kubectl command line tool.

  • Access to a Kubernetes enviroment (cloud, on-prem, or local with a LoadBalancer resource implementation).

NOM server Helm Chart

  • Download the NOM server Helm Chart from Neo4j Deployment Center.

  • Following is the reference values.yaml for NOM server Helm Chart:

# Default values for neo4j-ops-manager-server.

# Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#config_ref"
config:
  logFileName: ""
  logLevel: "info"
  maxHeapSize: "8g"
  jwtTTL: "2h"
  grpcAdvertisedHost: "" # this needs to be set if a different IP assigned to GRPC
  grpcAdvertisedPort: "" # this needs to be set if a different IP assigned to GRPC

# An optional reference to a secret that contains some or all values for NOM secrets
# Secret name and key should be specified
secretsFromSecrets:
  # storage keys
  storageUri:
    secretName: ""
    key: "" # key in Secret for Storage URI
  storageUsername:
    secretName: ""
    key: "" # key in Secret for Storage username
  storagePassword:
    secretName: ""
    key: "" # key in Secret for Storage URI
  # tls keys
  tlsPassword:
    secretName: ""
    key: "" # key in Secret for tls password
  tlsPkcs12CertFileContent:
    secretName: ""
    key: "" # key in Secret for tls pkcs12CertFileContent
  # jwt keys
  jwtSecret:
    secretName: ""
    key: "" # key in Secret for jwt secret
  # mTls keys
  mTlsAgentCerts:
    secretName: ""
    key: "" # key in Secret for mTls agentCerts
  ingressTlsCert:
    secretName: ""
    key: "" # key in Secret for mTls agentCerts
  ingressTlsKey:
    secretName: ""
    key: "" # key in Secret for mTls agentCerts

secrets:
  # storage
  storageUri: ""
  storageUsername: ""
  storagePassword: ""
  # tls
  tlsPassword: ""
  tlsPkcs12CertFileContent: ""
  # jwt
  jwtSecret: ""
  # mTls
  mTlsAgentCerts: "" # pem encoded string
  # ingress tls
  ingressTlsCert: "" # pem encoded string
  ingressTlsKey: "" # pem encoded string

service:
  http:
    # annotations for http service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 443
    loadBalancerIP: "" # optional static load balancer IP
  grpc:
    # annotations for grpc service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 9090
    loadBalancerIP: "" # optional static load balancer IP

ingress:
  enabled: false
  sslPassthrough: false
  ingressClassName: "nginx"
  annotations: { }
  httpHostName: ""
  grpcHostName: ""

nameOverride:

additionalVolumeMounts: []

image:
  name: neo4j/neo4j-ops-manager-server
  pullPolicy: IfNotPresent

hpa:
  spec:
    targetCPUUtilizationPercentage: 70

resources:
  limits:
    cpu: "2"
    memory: "8G"
  requests:
    cpu: "0.2"
    memory: "4G"

affinity: {}

nodeSelector: {}

tolerations: []

Using pre-configured secrets

Adding senstive information as plain text in values.yaml is less secure in some environments. Such environments would have secrets being configured externally by privileged users or secure service agents such as Hashicorp Vault agent. These securely pre-configured secrets can be used to set sensitive values for NOM server helm chart using secretsFromSecrets configuration. This value requires a secretName and a key for a NOM secret value. Following is an example values snippet that demonstrates this usecase with inline comments:

secretsFromSecrets:
  storageUri:
    secretName: "secret1"
    key: "uri"
  storageUsername:
    secretName: "secret2"
    key: "name"
  storagePassword: # This is the NOM value reference to map the secret value to which would translate to storage.uri
    secretName: "secret3" # Name of the secret to map from
    key: "password" # The key to retrieve value from mapped secret which holds the required NOM secret value

Accessing K8s secrets which are not created by the chart uses Helm’s lookup template function. In some environments lookups are disabled or permissions to access secrets are more restrictive. To handle such cases it’s advised to pass in the references to existing secrets using command line arguments to helm install as follows:

helm install -f values.yaml --set secrets.<NOM secret type such as `storage`>.<NOM secret key such as `password`>=$(kubectl get secret <secretName> -o jsonpath='{.data.<secretKey>}' | base64 -d) --set secrets.tls.pkcs12CertFileContent=$(cat server.pfx | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz

Ingress support

  • An Ingress resource can be deployed using the NOM server charts to support domain routing and SSL termination.

  • Enabling Ingress support using values.yaml with SSL termination:

secrets:
  ingressTlsCert: "<cert file conent as PEM encoded string>"
  ingressTlsKey: "<key file content as PEM encoded string>"

ingress:
  enabled: true
  sslPassthrough: false
  ingressClassName: "<your ingress controller class name e.g nginx>"
  annotations: { }
  httpHostName: "<Hostname/domain for NOM server http endpoints>"
  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
  • Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. To enable TLS handling, additional secrets need to be configured as shown in the previous example. It’s common practice to use something like Cert Manager to handle the provisioning and renewal of certificate secrets.

  • annotations can be used to further customize the Ingress controller based on your requirements.

Disabling SSL termination

  • If you would not like Ingress resource to handle SSL termination and only use it for domain routing and load balancing, Ingress needs to allow SSL passthrough, and NOM server needs to be configured with the certificates as described previously. An example of SSL passthrough:

ingress:
  enabled: true
  sslPassthrough: true
  ingressClassName: "<your ingress controller class name e.g nginx>"
  annotations: { }
  httpHostName: "<Hostname/domain for NOM server http endpoints>"
  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"