Helm Charts
Prerequisites
-
helmcommand line tool. -
kubectlcommand line tool. -
Access to a Kubernetes enviroment (cloud, on-prem, or local with a
LoadBalancerresource implementation).
NOM server Helm Chart
-
Download the NOM server Helm Chart from Neo4j Download Center.
-
Following is the reference
values.yamlfor NOM server Helm Chart:
# Default values for neo4j-ops-manager-server.
# Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#config_ref"
config:
logFileName: ""
logLevel: "info"
maxHeapSize: "8g"
jwtTTL: "2h"
grpcAdvertisedHost: "" # this needs to be set if a different IP assigned to GRPC
grpcAdvertisedPort: "" # this needs to be set if a different IP assigned to GRPC
# An optional reference to a secret that contains some or all values for NOM secrets
# Secret name and key should be specified
secretsFromSecrets:
# storage keys
storageUri:
secretName: ""
key: "" # key in Secret for Storage URI
storageUsername:
secretName: ""
key: "" # key in Secret for Storage username
storagePassword:
secretName: ""
key: "" # key in Secret for Storage URI
# tls keys
tlsPassword:
secretName: ""
key: "" # key in Secret for tls password
tlsPkcs12CertFileContent:
secretName: ""
key: "" # key in Secret for tls pkcs12CertFileContent
# jwt keys
jwtSecret:
secretName: ""
key: "" # key in Secret for jwt secret
# mTls keys
mTlsAgentCerts:
secretName: ""
key: "" # key in Secret for mTls agentCerts
secrets:
# storage
storageUri: ""
storageUsername: ""
storagePassword: ""
# tls
tlsPassword: ""
tlsPkcs12CertFileContent: ""
# jwt
jwtSecret: ""
# mTls
mTlsAgentCerts: ""
service:
http:
# annotations for http service
# For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
# internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
# the K8s environment
annotations: { }
port: 443
loadBalancerIP: "" # optional static load balancer IP
grpc:
# annotations for grpc service
# For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
# internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
# the K8s environment
annotations: { }
port: 9090
loadBalancerIP: "" # optional static load balancer IP
image:
name: neo4j/neo4j-ops-manager-server
pullPolicy: Always
hpa:
spec:
targetCPUUtilizationPercentage: 70
nameOverride:
additionalVolumeMounts:
resources:
limits:
cpu: "2"
memory: "8G"
requests:
cpu: "0.2"
memory: "4G"
nodeSelector: {}
tolerations: []
affinity: {}
-
Run the following command to install the NOM server to your Kubernetes cluster
helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
-
If agents are self-registered, set the additional trusted agent certificates on the server before deploying the agents
helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) --set secrets.mTlsAgentCerts=$(cat localhost.pem | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
-
If the command doesn’t report any error, check if the NOM server pod and services are running with
kubectlcommand. -
An example
values.yamlfile is given below for quick render tests of the chart using following command:
helm template nom /path/to/neo4j-ops-manager-server-<VERSION>.tgz -f values.yaml
server:
config:
logFileName: "app.log"
logLevel: info
maxHeapSize: 8g
jwtTTL: 2h
grpc:
advertisedHost: "https://localhost:9090"
secrets:
# storage
storageUri: "neo4j://localhost:7687"
storageUsername: "neo4j"
storagePassword: "passw0rd"
# tls
tlsPassword: "changeit"
tlsPkcs12CertFileContent: "<base64 encoded string of pkcs12 server cert content>"
# jwt
jwtSecret: ""
# mTls
mTlsAgentCerts: ""
service:
http:
ipAddress: "https://localhost:8080"
grpc:
ipAddress: "https://localhost:9090"
port: 9090
image:
name: neo4j/neo4j-ops-manager-server
pullPolicy: Always
hpa:
spec:
targetCPUUtilizationPercentage: 70
nameOverride:
resources:
limits:
cpu: "2"
memory: "8G"
requests:
cpu: "0.2"
memory: "4G"
nodeSelector: {}
tolerations: []
affinity: {}Using pre-configured secrets
Adding senstive information as plain text in values.yaml is less secure in some environments.
Such environments would have secrets being configured externally by privileged users or secure service agents such as Hashicorp Vault agent.
These securely pre-configured secrets can be used to set sensitive values for NOM server helm chart using secretsFromSecrets configuration.
This value requires a secretName and a key for a NOM secret value.
Following is an example values snippet that demonstrates this usecase with inline comments:
secretsFromSecrets:
storageUri:
secretName: "secret1"
key: "uri"
storageUsername:
secretName: "secret2"
key: "name"
storagePassword: # This is the NOM value reference to map the secret value to which would translate to storage.uri
secretName: "secret3" # Name of the secret to map from
key: "password" # The key to retrieve value from mapped secret which holds the required NOM secret value|
Accessing K8s secrets which are not created by the chart uses Helm’s |