Helm Charts
Prerequisites
- helm command line tool.
- kubectl command line tool.
- Access to a Kubernetes environment (cloud, on-prem, or local with a LoadBalancer resource implementation).
NOM server Helm Chart
- Download the NOM server Helm Chart from Neo4j Deployment Center.
- Following is the reference values.yaml for the NOM server Helm Chart:
# Default values for neo4j-ops-manager-server.
# Refer to "https://neo4j.com/docs/ops-manager/current/installation/server/#config_ref"
config:
  logFileName: ""
  logLevel: "info"
  maxHeapSize: "8g"
  jwtTTL: "2h"
  grpcAdvertisedHost: "" # this needs to be set if a different IP is assigned to gRPC
  grpcAdvertisedPort: "" # this needs to be set if a different port is assigned to gRPC

# An optional reference to a secret that contains some or all values for NOM secrets
# Secret name and key should be specified
secretsFromSecrets:
  # storage keys
  storageUri:
    secretName: ""
    key: "" # key in Secret for Storage URI
  storageUsername:
    secretName: ""
    key: "" # key in Secret for Storage username
  storagePassword:
    secretName: ""
    key: "" # key in Secret for Storage password
  # tls keys
  tlsPassword:
    secretName: ""
    key: "" # key in Secret for tls password
  tlsPkcs12CertFileContent:
    secretName: ""
    key: "" # key in Secret for tls pkcs12CertFileContent
  # jwt keys
  jwtSecret:
    secretName: ""
    key: "" # key in Secret for jwt secret
  # mTls keys
  mTlsAgentCerts:
    secretName: ""
    key: "" # key in Secret for mTls agentCerts

secrets:
  # storage
  storageUri: ""
  storageUsername: ""
  storagePassword: ""
  # tls
  tlsPassword: ""
  tlsPkcs12CertFileContent: ""
  # jwt
  jwtSecret: ""
  # mTls
  mTlsAgentCerts: ""

service:
  http:
    # annotations for http service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 443
    loadBalancerIP: "" # optional static load balancer IP
  grpc:
    # annotations for grpc service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 9090
    loadBalancerIP: "" # optional static load balancer IP

image:
  name: neo4j/neo4j-ops-manager-server
  pullPolicy: Always

hpa:
  spec:
    targetCPUUtilizationPercentage: 70

nameOverride:

additionalVolumeMounts:

resources:
  limits:
    cpu: "2"
    memory: "8G"
  requests:
    cpu: "0.2"
    memory: "4G"

nodeSelector: {}
tolerations: []
affinity: {}
- Run the following command to install the NOM server into your Kubernetes cluster. Note that GNU coreutils base64 wraps its output at 76 columns by default, and an unquoted command substitution is split on those newlines into separate arguments; use base64 -w 0 (or pipe through tr -d '\n') so the --set value is a single line.
helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
- If agents are self-registered, set the additional trusted agent certificates on the server before deploying the agents:
helm install -f values.yaml --set secrets.tlsPkcs12CertFileContent=$(cat server.pfx | base64) --set secrets.mTlsAgentCerts=$(cat localhost.pem | base64) <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
- If the command does not report any error, check that the NOM server pod and services are running with the kubectl command.
- An example values.yaml file is given below for quick render tests of the chart, using the following command:
helm template nom /path/to/neo4j-ops-manager-server-<VERSION>.tgz -f values.yaml
server:
  config:
    logFileName: "app.log"
    logLevel: info
    maxHeapSize: 8g
    jwtTTL: 2h
    grpc:
      advertisedHost: "https://localhost:9090"
  secrets:
    # storage
    storageUri: "neo4j://localhost:7687"
    storageUsername: "neo4j"
    storagePassword: "passw0rd"
    # tls
    tlsPassword: "changeit"
    tlsPkcs12CertFileContent: "<base64 encoded string of pkcs12 server cert content>"
    # jwt
    jwtSecret: ""
    # mTls
    mTlsAgentCerts: ""
  service:
    http:
      ipAddress: "https://localhost:8080"
    grpc:
      ipAddress: "https://localhost:9090"
      port: 9090
  image:
    name: neo4j/neo4j-ops-manager-server
    pullPolicy: Always
  hpa:
    spec:
      targetCPUUtilizationPercentage: 70
  nameOverride:
  resources:
    limits:
      cpu: "2"
      memory: "8G"
    requests:
      cpu: "0.2"
      memory: "4G"
  nodeSelector: {}
  tolerations: []
  affinity: {}
Using pre-configured secrets
Adding sensitive information as plain text in values.yaml is less secure in some environments. In such environments, secrets are configured externally by privileged users or by secure service agents such as the HashiCorp Vault agent. These securely pre-configured secrets can be used to set sensitive values for the NOM server Helm chart through the secretsFromSecrets configuration. Each entry requires a secretName and a key for the NOM secret value it maps to. Following is an example values snippet that demonstrates this use case with inline comments:
secretsFromSecrets:
  storageUri:
    secretName: "secret1"
    key: "uri"
  storageUsername:
    secretName: "secret2"
    key: "name"
  storagePassword: # This is the NOM value reference to map the secret value to, which translates to storage.password
    secretName: "secret3" # Name of the secret to map from
    key: "password" # The key to retrieve the value from in the mapped secret which holds the required NOM secret value
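As an added pre-deploy check (not part of the chart or the Neo4j documentation), the following lint walks the seven NOM secret keys from the reference values.yaml above and reports a value that is set both inline under secrets and via secretsFromSecrets, a secretsFromSecrets entry missing its secretName or key, a plaintext password or JWT secret left in values, and a base64 value (the PKCS12 content or agent certificates from the helm install commands) that contains line breaks or does not decode. It takes the already parsed values as a dict, so output of yaml.safe_load on your values.yaml can be passed straight in; the sample values at the bottom are constructed for illustration.

```python
import base64
import binascii

# NOM secret keys the chart accepts either inline (secrets.<key>) or as a
# reference to an existing Kubernetes Secret (secretsFromSecrets.<key>).
NOM_SECRET_KEYS = (
    "storageUri", "storageUsername", "storagePassword",
    "tlsPassword", "tlsPkcs12CertFileContent", "jwtSecret", "mTlsAgentCerts",
)
# Values the install commands pass as base64 text via --set.
BASE64_KEYS = ("tlsPkcs12CertFileContent", "mTlsAgentCerts")
# Values that should not sit in plaintext in values.yaml.
PLAINTEXT_SENSITIVE = ("storagePassword", "tlsPassword", "jwtSecret")


def lint_nom_values(values: dict) -> list[str]:
    """Return findings for a parsed NOM server chart values dict (empty list = clean)."""
    findings = []
    inline = values.get("secrets") or {}
    refs = values.get("secretsFromSecrets") or {}
    for name in NOM_SECRET_KEYS:
        inline_val = inline.get(name) or ""
        ref = refs.get(name) or {}
        secret_name, key = ref.get("secretName") or "", ref.get("key") or ""
        has_ref = bool(secret_name or key)
        if has_ref and not (secret_name and key):
            findings.append(f"{name}: secretsFromSecrets needs both secretName and key")
        if inline_val and has_ref:
            findings.append(f"{name}: set both inline and via secretsFromSecrets; pick one")
        if inline_val and name in PLAINTEXT_SENSITIVE:
            findings.append(f"{name}: plaintext in values; prefer secretsFromSecrets")
        if inline_val and name in BASE64_KEYS:
            if "\n" in inline_val:
                findings.append(f"{name}: contains line breaks (encode with base64 -w 0)")
            else:
                try:
                    base64.b64decode(inline_val, validate=True)
                except binascii.Error:
                    findings.append(f"{name}: not valid base64")
    return findings


if __name__ == "__main__":
    # Constructed sample: a password left inline and a wrapped base64 cert.
    sample = {
        "secrets": {"storagePassword": "passw0rd", "tlsPkcs12CertFileContent": "QUJD\nREVG"},
        "secretsFromSecrets": {"storageUsername": {"secretName": "secret2", "key": ""}},
    }
    for finding in lint_nom_values(sample):
        print(finding)
```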
Accessing K8s secrets which are not created by the chart uses Helm’s