Deploying to Kubernetes

This article describes setting up PrivX on Kubernetes.

  1. Create a Kubernetes cluster for PrivX. The cluster version must be 1.19 or later.

  2. Create the privx namespace:

    kubectl create namespace privx
    
  3. Set up storage for PrivX data. This involves creating a persistent-volume claim (PVC).

    • For PrivX configuration files: create a PVC with accessModes set to ReadWriteMany. The PVC should be named privx-claim and be located in the privx namespace.

    📘 Note
    This step varies depending on the persistent-volume (PV) configuration.

  4. Set up PrivX-TLS and Authorizer secrets.

    privx-tls: TLS-certificate data, required later for the ingress load balancer. The type of the secret must be kubernetes.io/tls. The secret must be in the privx namespace. The required secret contents are:

    • tls.crt: The TLS certificate.
    • tls.key: The corresponding private key.
    • ca.crt (optional): The certificate of the CA that issued the TLS certificate.

    You may generate the privx-tls secret similarly to the following:

    kubectl create secret tls privx-tls --cert=<Path to cert file> --key=<Path to key file> -n privx
    

    privx-ca-secret: The Authorizer certificate, used to issue certificates for certificate-based authentication. The secret type must be Opaque. The secret must be in the privx namespace. The required secret contents are:

    • ca.crt: The CA certificate (can be valid for a longer time).

    You may generate the privx-ca-secret secret similarly to the following:

    kubectl create secret generic privx-ca-secret --from-file=ca.crt=<Path to ca cert file> -n privx
    

    📘 Note
    Ensure that the secrets and their contents are named exactly as described.
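The following script is an added example, not part of the PrivX documentation or the product's tooling. It checks the TLS material before the secrets are created (the private key really belongs to the certificate, the certificate is not about to expire, the Authorizer file is a CA certificate), creates both secrets idempotently with the names and types the steps above require, and then reads the secret types back. It assumes openssl and kubectl on PATH; all file paths are supplied by the caller, and the 30-day expiry margin is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the PrivX documentation): pre-flight checks and
# idempotent creation of the privx-tls and privx-ca-secret secrets.
# Assumes openssl and kubectl are on PATH.

# Return 0 if $2 is the private key matching certificate $1.
# Compares the public keys, so it works for RSA and EC keys alike.
tls_pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Return 0 if $1 carries basicConstraints CA:TRUE, i.e. can issue certificates.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# create_privx_secrets CERT KEY AUTHORIZER_CA [TLS_ISSUER_CA] [NAMESPACE]
#   CERT/KEY        -> tls.crt / tls.key of privx-tls
#   AUTHORIZER_CA   -> ca.crt of privx-ca-secret (the Authorizer certificate)
#   TLS_ISSUER_CA   -> optional ca.crt of privx-tls (issuer of the TLS cert)
create_privx_secrets() {
  cert=$1 key=$2 authorizer_ca=$3 issuer_ca=$4 ns=${5:-privx}

  tls_pair_matches "$cert" "$key" || { echo "tls.key does not match tls.crt" >&2; return 1; }
  cert_valid_for "$cert" 2592000 || { echo "tls.crt expires within 30 days" >&2; return 1; }
  is_ca_cert "$authorizer_ca" || { echo "Authorizer ca.crt is not a CA certificate" >&2; return 1; }

  # Build the TLS secret client-side and apply it, so re-running the script
  # updates the secret instead of failing with "already exists".
  set -- --from-file=tls.crt="$cert" --from-file=tls.key="$key"
  if [ -n "$issuer_ca" ]; then
    set -- "$@" --from-file=ca.crt="$issuer_ca"
  fi
  kubectl create secret generic privx-tls --type=kubernetes.io/tls "$@" \
    -n "$ns" --dry-run=client -o yaml | kubectl apply -f - || return 1

  kubectl create secret generic privx-ca-secret --from-file=ca.crt="$authorizer_ca" \
    -n "$ns" --dry-run=client -o yaml | kubectl apply -f - || return 1

  # Read back the types PrivX expects (see the step above).
  [ "$(kubectl get secret privx-tls -n "$ns" -o jsonpath='{.type}')" = kubernetes.io/tls ] \
    || { echo "privx-tls has the wrong type" >&2; return 1; }
  [ "$(kubectl get secret privx-ca-secret -n "$ns" -o jsonpath='{.type}')" = Opaque ] \
    || { echo "privx-ca-secret has the wrong type" >&2; return 1; }
}

# Usage (paths are placeholders):
#   create_privx_secrets ./tls.crt ./tls.key ./authorizer-ca.crt ./issuer-ca.crt privx
```

The pre-flight checks catch the two mistakes that otherwise only show up as an unreachable ingress or failing certificate logins: a key file that does not belong to the certificate, and an Authorizer file that is an end-entity certificate rather than a CA.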

  5. Install the nginx-ingress controller, used for load balancing:

    helm install \
     -n ingress --create-namespace \
     -f values-overrides/ingress.yaml \
     ingress charts/nginx-ingress-controller/
    

    You will then need to give the nginx-ingress load balancer an external IP and to add a DNS record pointing to that IP. For provider-specific setup instructions, see the nginx-ingress Installation Guide.

    📘 Note
    The values-overrides/ingress.yaml file overrides some of the default values of the Ingress-controller Helm chart. It contains extra configuration and headers that are essential for PrivX to work correctly.

  6. (Optional) We recommend installing Reloader to automatically update certificates upon renewals:

    helm repo add stakater https://stakater.github.io/stakater-charts
    helm repo update
    helm install secrets-watcher stakater/reloader
    

    📘 Note
    Without Reloader, the trust has to be updated manually after each certificate renewal.

  7. For production environments, we recommend setting up a dedicated PostgreSQL cluster with replication.

    For evaluation purposes only, you may create a database within the Kubernetes cluster as follows:

    1. Create the db namespace.

      kubectl create namespace db
      
    2. Create a PV and PVC with accessModes set to ReadWriteMany. The PVC should be named db-psql-claim, and located in the db namespace.

    3. Install the database in the db namespace.

      kubectl apply -f db-psql-deployment.yaml -n db
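Both the privx-claim of step 3 and the db-psql-claim above need a ReadWriteMany claim in a specific namespace. The script below is an added example (not from the PrivX documentation) that renders such a claim, applies it and waits for it to bind, and that checks an existing claim really offers ReadWriteMany. The sizes and the storage-class name are assumptions for your cluster; the wait step uses kubectl's jsonpath condition, which needs kubectl 1.23 or later.

```shell
#!/bin/sh
# Added example (not from the PrivX documentation): ReadWriteMany claims for
# PrivX. Sizes and storage class below are placeholders for your cluster.

# Print a PVC manifest: $1 name, $2 namespace, $3 size, $4 storage class (optional).
rwx_claim_manifest() {
  cat <<EOF
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1
  namespace: $2
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: $3
EOF
  if [ -n "$4" ]; then
    printf '  storageClassName: %s\n' "$4"
  fi
}

# Apply the claim and block until it is bound to a volume.
# Needs kubectl 1.23+ for --for=jsonpath. With a storage class whose binding
# mode is WaitForFirstConsumer the claim stays Pending until a pod mounts it,
# so the wait would time out there; check the class before relying on it.
create_rwx_claim() {
  rwx_claim_manifest "$@" | kubectl apply -f - || return 1
  kubectl wait --for=jsonpath='{.status.phase}'=Bound "pvc/$1" -n "$2" --timeout=120s
}

# Return 0 if the existing claim $1 in namespace $2 offers ReadWriteMany.
# Catches a claim created by hand with the wrong mode before installing PrivX.
claim_is_rwx() {
  kubectl get pvc "$1" -n "$2" -o jsonpath='{.spec.accessModes[*]}' | grep -qw ReadWriteMany
}

# Usage (sizes and STORAGE_CLASS are placeholders):
#   create_rwx_claim privx-claim   privx 10Gi "$STORAGE_CLASS"
#   create_rwx_claim db-psql-claim db    20Gi "$STORAGE_CLASS"
#   claim_is_rwx privx-claim privx && echo "privx-claim ok"
```

Many default storage classes (for example the block-storage classes of most cloud providers) only support ReadWriteOnce; a claim requesting ReadWriteMany on such a class never binds, which is why the check is worth running before the Helm install rather than after.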
      
  8. Install PrivX

    Copy values-overrides/privx.yaml for your environment and set ingress.common.host to the DNS name created earlier.

    If you use a database external to the cluster, also set the following values:

    db.address (PostgreSQL server DNS name or IP)
    db.port (database port)
    db.name (PrivX database name, created by the installer)
    db.sslmode (database SSL mode; optional, default `require`)
    db.admin.name (database admin username)
    db.admin.password (database admin password)
    db.user.name (database user for PrivX, created by the installer)
    db.user.password (password of the PrivX database user, created by the installer)
    

    Specify the PrivX admin credentials:

    #admin username for PrivX UI login (required)
    username: 
    #admin password for PrivX UI login (required)
    password:
    #admin email for PrivX UI login (required)
    email: 
    

    (Optional) Replace the placeholder value of the license in ms.licensemanager.licenseCode.prod.value.

    Then run:

    PRIVX_RELEASE_NAME=privx
    VALUE_OVERRIDES=values-overrides/privx.yaml
    helm install \
        -f $VALUE_OVERRIDES \
        -n privx \
        $PRIVX_RELEASE_NAME charts/privx/
    

    📘 Note
    PrivX is inaccessible unless the host setting matches the DNS domain.

    After successful installation, PrivX should be accessible from the browser using the domain.

    The Helm chart does the following:

    • Creates configmaps that store PrivX internal settings (only on first installation; upgrades do not change them).

    • Runs the installer job, which creates the resources PrivX needs to run (for example volume mounts for directories such as /opt/privx/, and the database). This is done only on first installation; upgrades do not re-run it.

    • Creates deployments and pods for all microservices.

    • Creates a Kubernetes service for each microservice.

    • Creates ingress resources for accessing pods and services from outside the cluster.
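Once the chart has run, the points above translate into a short post-install check: the installer job must have completed, every microservice pod must be ready, and the DNS name in ingress.common.host must resolve to the ingress address and answer over HTTPS. The script below is an added example, not part of the PrivX documentation or product. It assumes the release lives in the privx namespace, that the ingress load balancer publishes an IP address (not a hostname), and that the CA file, if given, is the one that issued tls.crt; the pod and job lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the PrivX documentation): post-install checks.
# Assumes kubectl, getent and curl on PATH and an IP-based ingress load balancer.

# Count jobs that have not reached full completion.
# stdin: lines from "kubectl get jobs --no-headers" (NAME COMPLETIONS DURATION AGE).
jobs_incomplete() {
  awk '{ split($2, c, "/"); if (c[1] != c[2]) n++ } END { print n + 0 }'
}

# Count pods that are not fully ready.
# stdin: lines from "kubectl get pods --no-headers" (NAME READY STATUS RESTARTS AGE).
# Completed pods (the finished installer job) are ignored; anything not
# Running with all containers ready counts, e.g. CrashLoopBackOff or Pending.
pods_unready() {
  awk '{
    split($2, r, "/")
    if ($3 == "Completed") next
    if (r[1] != r[2] || $3 != "Running") n++
  } END { print n + 0 }'
}

# Return 0 when the first address $1 resolves to equals $2.
host_points_at() {
  resolved=$(getent hosts "$1" | awk '{ print $1; exit }')
  [ -n "$resolved" ] && [ "$resolved" = "$2" ]
}

# privx_ready HOST [CA_FILE] [NAMESPACE]
#   HOST is the value of ingress.common.host; NAMESPACE defaults to privx.
privx_ready() {
  host=$1 ca=$2 ns=${3:-privx}

  n=$(kubectl get jobs -n "$ns" --no-headers | jobs_incomplete)
  [ "$n" = 0 ] || { echo "$n job(s) in $ns not complete (installer still running?)" >&2; return 1; }

  n=$(kubectl get pods -n "$ns" --no-headers | pods_unready)
  [ "$n" = 0 ] || { echo "$n pod(s) in $ns not ready" >&2; return 1; }

  lb=$(kubectl get ingress -n "$ns" -o jsonpath='{.items[0].status.loadBalancer.ingress[0].ip}')
  host_points_at "$host" "$lb" || { echo "$host does not resolve to ingress address '$lb'" >&2; return 1; }

  # A 2xx/3xx over TLS means ingress, certificate and host setting line up.
  if [ -n "$ca" ]; then set -- --cacert "$ca"; else set --; fi
  code=$(curl -sS -o /dev/null -w '%{http_code}' "$@" "https://$host/")
  case $code in
    2*|3*) return 0 ;;
    *) echo "HTTPS probe of $host returned $code" >&2; return 1 ;;
  esac
}

# Usage (host and CA path are placeholders):
#   privx_ready privx.example.test ./issuer-ca.crt && echo "PrivX is up"
```

The DNS comparison is what turns the note above ("PrivX is inaccessible unless the host setting matches the DNS domain") into a concrete failure message instead of a blank browser tab; if your provider exposes the load balancer as a hostname rather than an IP, replace `.ip` with `.hostname` in the jsonpath and compare resolved addresses instead.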

