Helm Charts
Prerequisites
-
helmcommand line tool. -
kubectlcommand line tool. -
Access to a Kubernetes enviroment (cloud, on-prem, or local with a
LoadBalancerresource implementation).
NOM server Helm Chart
-
Download the NOM server Helm Chart from Neo4j Deployment Center.
-
Following is the reference
values.yamlfor NOM server Helm Chart:
# Default values for neo4j-ops-manager-server.
# Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#config_ref"
config:
logFileName: ""
logLevel: "info"
maxHeapSize: "8g"
jwtTTL: "2h"
grpcAdvertisedHost: "" # this needs to be set if a different IP assigned to GRPC
grpcAdvertisedPort: "" # this needs to be set if a different IP assigned to GRPC
corsAllowedOrigins: ""
corsAllowedHeaders: ""
usernamePasswordLoginEnabled: "true"
# overrides for any environment variable
overrides: {}
# Single Sign-On configurations. Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#sso_configuration"
ssoConfigs: {}
# An optional reference to a secret that contains some or all values for NOM secrets
# Secret name and key should be specified
secretsFromSecrets:
# storage keys
storageUri:
secretName: ""
key: "" # key in Secret for Storage URI
storageUsername:
secretName: ""
key: "" # key in Secret for Storage username
storagePassword:
secretName: ""
key: "" # key in Secret for Storage URI
# tls keys
tlsPassword:
secretName: ""
key: "" # key in Secret for tls password
tlsPkcs12CertFileContent:
secretName: ""
key: "" # key in Secret for tls pkcs12CertFileContent
# jwt keys
jwtSecret:
secretName: ""
key: "" # key in Secret for jwt secret
# mTls keys
mTlsAgentCerts:
secretName: ""
key: "" # key in Secret for mTls agentCerts
ingressTlsCert:
secretName: ""
key: "" # key in Secret for mTls agentCerts
ingressTlsKey:
secretName: ""
key: "" # key in Secret for mTls agentCerts
secrets:
# storage
storageUri: ""
storageUsername: ""
storagePassword: ""
# tls
tlsPassword: ""
tlsPkcs12CertFileContent: ""
# jwt
jwtSecret: ""
# mTls
mTlsAgentCerts: "" # pem encoded string
# ingress tls
ingressTlsCert: "" # pem encoded string
ingressTlsKey: "" # pem encoded string
service:
http:
# annotations for http service
# For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
# internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
# the K8s environment
annotations: { }
port: 443
loadBalancerIP: "" # optional static load balancer IP
grpc:
# annotations for grpc service
# For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
# internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
# the K8s environment
annotations: { }
port: 9090
loadBalancerIP: "" # optional static load balancer IP
ingress:
enabled: false
sslPassthrough: false
ingressClassName: "nginx"
annotations: { }
httpHostName: ""
grpcHostName: ""
nameOverride:
additionalVolumeMounts: []
image:
name: neo4j/neo4j-ops-manager-server
pullPolicy: IfNotPresent
hpa:
spec:
targetCPUUtilizationPercentage: 70
resources:
limits:
cpu: "2"
memory: "8G"
requests:
cpu: "0.2"
memory: "4G"
affinity: {}
nodeSelector: {}
tolerations: []
securityContext:
runAsNonRoot: true
runAsUser: 7474
runAsGroup: 7474
fsGroup: 7474
Using pre-configured secrets
Adding senstive information as plain text in values.yaml is less secure in some environments.
Such environments would have secrets being configured externally by privileged users or secure service agents such as Hashicorp Vault agent.
These securely pre-configured secrets can be used to set sensitive values for NOM server helm chart using secretsFromSecrets configuration.
This value requires a secretName and a key for a NOM secret value.
Following is an example values snippet that demonstrates this usecase with inline comments:
secretsFromSecrets:
storageUri:
secretName: "secret1"
key: "uri"
storageUsername:
secretName: "secret2"
key: "name"
storagePassword: # This is the NOM value reference to map the secret value to which would translate to storage.uri
secretName: "secret3" # Name of the secret to map from
key: "password" # The key to retrieve value from mapped secret which holds the required NOM secret value|
Accessing K8s secrets which are not created by the chart uses Helm’s |
Ingress support
-
An Ingress resource can be deployed using the NOM server charts to support domain routing and SSL termination.
-
Enabling Ingress support using
values.yamlwith SSL termination:
secrets:
ingressTlsCert: "<cert file conent as PEM encoded string>"
ingressTlsKey: "<key file content as PEM encoded string>"
ingress:
enabled: true
sslPassthrough: false
ingressClassName: "<your ingress controller class name e.g nginx>"
annotations: { }
httpHostName: "<Hostname/domain for NOM server http endpoints>"
grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
-
Terminating SSL at Ingress means the TLS is handled by the Ingress resource itself. To enable TLS handling, additional secrets need to be configured as shown in the previous example. It’s common practice to use something like Cert Manager to handle the provisioning and renewal of certificate secrets.
-
annotationscan be used to further customize the Ingress controller based on your requirements.
Disabling SSL termination
-
If you would not like Ingress resource to handle SSL termination and only use it for domain routing and load balancing, Ingress needs to allow SSL passthrough, and NOM server needs to be configured with the certificates as described previously. An example of SSL passthrough:
ingress:
enabled: true
sslPassthrough: true
ingressClassName: "<your ingress controller class name e.g nginx>"
annotations: { }
httpHostName: "<Hostname/domain for NOM server http endpoints>"
grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
Single Sign-on configuration
NOM server now provides Single Sign-on support for select few Identity providers (Refer to SSO Configuration).
To simplify configuring NOM server in the chart, following values can be set in values.yaml under ssoConfigs to be translated to NOM server SSO configuration:
Each SSO configuration is added as a key in ssoConfigs map referred here as <CONFIG>.
|
| Key | Type | Target SSO Config |
|---|---|---|
|
boolean |
If true adds the SSO <CONFIG> name to APP_SSO_ACTIVE_CONFIGURATIONS |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_DISPLAY_NAME |
|
enum ( |
APP_SSO_CONFIGURATIONS_<CONFIG>_IDP_TYPE |
|
enum ( |
APP_SSO_CONFIGURATIONS_<CONFIG>_GRANT_TYPE |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_ADMIN_CHECK |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_READ_ONLY_USER_CHECK |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_USERNAME_CLAIM |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_EMAIL_CLAIM |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_FIRSTNAME_CLAIM |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_LASTNAME_CLAIM |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_CLIENT_ID |
|
string or dict (Can be mapped from an existing secret) |
APP_SSO_CONFIGURATIONS_<CONFIG>_CLIENT_SECRET |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_ISSUER |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_AUTHORITY |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_SCOPES |
|
string |
APP_SSO_CONFIGURATIONS_<CONFIG>_AUDIENCE |
An example SSO configuration for ENTRA_ID based SSO:
ssoConfigs:
entraid1:
isActive: true
displayName: "Entra ID PKCE"
idpType: "ENTRA_ID"
grantType: "PKCE"
adminCheck: "['groups'].?[ {'group-id-1', 'group-id-2'}.contains(#this) ].size() > 0"
readOnlyUserCheck: "['groups']?.contains('group-id-1')"
usernameClaim: "['unique_name']"
emailClaim: "['email']"
firstnameClaim: "['given_name']"
lastnameClaim: "['family_name']"
clientId: "client-id"
clientSecret:
secretName: "nom-secrets"
key: "password"
issuer: "https://login.microsoftonline.com/tenant-id/v2.0"
authority: "https://login.microsoftonline.com/tenant-id"
scopes: "api://client-id/nomserver"
audience: "client-id"
The default username & password login can be disabled by setting config.usernamePasswordLoginEnabled to false.
|