Please note the code snippets in this section reuses the environment variables you set up when progressing through the tutorial, including the optional step of installing Minio. Please make sure you correctly define them or adapt the snippet to your specific use case.
The Mender Helm chart is packaged with required external services:
Using these packages is fine for test or PoC setups. For production setups, however, it's recommended to use external dedicated services.
The Mender Server deployment requires generating keys that are used for user and
device authentication. The following snippet uses openssl
to generate the
required keys:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 | openssl rsa -out device_auth.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 | openssl rsa -out useradm.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 | openssl rsa -out device_auth.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 | openssl rsa -out useradm.key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 | openssl rsa -out tenantadm.key
Before installing the Mender Server on the Kubernetes cluster using the Mender Helm chart, add the Mender Helm Chart repository:
helm repo add mender https://charts.mender.io
helm repo update
You can now install the Mender Server. You also have to decide how to expose the Mender API Gateway service. This Helm Chart includes a configurable Ingress resource for your convenience. Some sample Ingress values are detailed in the later section.
export MENDER_SERVER_DOMAIN="mender.example.com"
export MENDER_SERVER_URL="https://${MENDER_SERVER_DOMAIN}"
export MENDER_VERSION_TAG="mender-3.7.7"
export MONGODB_ROOT_PASSWORD=$(pwgen 32 1)
export MONGODB_REPLICA_SET_KEY=$(pwgen 32 1)
cat >mender-3.7.7.yml <<EOF
global:
enterprise: false
image:
tag: ${MENDER_VERSION_TAG}
mongodb:
URL: ""
nats:
URL: ""
s3:
AWS_URI: "https://${MINIO_DOMAIN_NAME}"
AWS_BUCKET: "mender-artifact-storage"
AWS_ACCESS_KEY_ID: "${MINIO_ACCESS_KEY}"
AWS_SECRET_ACCESS_KEY: "${MINIO_SECRET_KEY}"
url: "${MENDER_SERVER_URL}"
# This enables bitnami/mongodb sub-chart
mongodb:
enabled: true
auth:
enabled: true
rootPassword: ${MONGODB_ROOT_PASSWORD}
replicaSetKey: ${MONGODB_REPLICA_SET_KEY}
# This enabled nats sub-chart
nats:
enabled: true
api_gateway:
env:
SSL: false
device_auth:
certs:
key: |-
$(cat device_auth.key | sed -e 's/^/ /g')
useradm:
certs:
key: |-
$(cat useradm.key | sed -e 's/^/ /g')
EOF
helm upgrade --install mender mender/mender -f mender-3.7.7.yml
The following deployment requires access to the Mender Enterprise Container Registry. Please email contact@mender.io to receive an evaluation account.
export MENDER_REGISTRY_USERNAME="replace-with-your-username"
export MENDER_REGISTRY_PASSWORD="replace-with-your-password"
export MENDER_SERVER_DOMAIN="mender.example.com"
export MENDER_SERVER_URL="https://${MENDER_SERVER_DOMAIN}"
export MENDER_VERSION_TAG="mender-3.7.7"
export MONGODB_ROOT_PASSWORD=$(pwgen 32 1)
export MONGODB_REPLICA_SET_KEY=$(pwgen 32 1)
cat >mender-3.7.7.yml <<EOF
global:
enterprise: true
image:
username: "${MENDER_REGISTRY_USERNAME}"
password: "${MENDER_REGISTRY_PASSWORD}"
tag: ${MENDER_VERSION_TAG}
mongodb:
URL: ""
nats:
URL: ""
s3:
AWS_URI: "https://${MINIO_DOMAIN_NAME}"
AWS_BUCKET: "mender-artifact-storage"
AWS_ACCESS_KEY_ID: "${MINIO_ACCESS_KEY}"
AWS_SECRET_ACCESS_KEY: "${MINIO_SECRET_KEY}"
url: "${MENDER_SERVER_URL}"
# This enables bitnami/mongodb sub-chart
mongodb:
enabled: true
auth:
enabled: true
rootPassword: ${MONGODB_ROOT_PASSWORD}
replicaSetKey: ${MONGODB_REPLICA_SET_KEY}
# This enabled nats sub-chart
nats:
enabled: true
api_gateway:
env:
SSL: false
device_auth:
certs:
key: |-
$(cat device_auth.key | sed -e 's/^/ /g')
tenantadm:
certs:
key: |-
$(cat tenantadm.key | sed -e 's/^/ /g')
useradm:
certs:
key: |-
$(cat useradm.key | sed -e 's/^/ /g')
EOF
helm upgrade --install mender mender/mender -f mender-3.7.7.yml
We support the following Docker image tags:
mender-X.Y.Z
(recommended)mender-X.Y
mender-X
latest
mender-master
Mender supports the following Artifact storage types:
To store the Mender Artifacts in an AWS S3 bucket instead of relying on a Minio service, update the examples above as follows:
global: s3: AWS_URI: "https://s3.<your-aws-region>.amazonaws.com" AWS_BUCKET: "<name-of-your-bucket>" AWS_REGION: "<your-aws-region>" AWS_ACCESS_KEY_ID: "<your-access-key-id>" AWS_SECRET_ACCESS_KEY: "<your-secret-access-key>" AWS_FORCE_PATH_STYLE: "false"
To store the Mender Artifacts in an Azure Blob Storage container using a connection string, update the values file as follows:
global:
storage: "azure"
azure:
AUTH_CONNECTION_STRING: "BlobEndpoint=https://<name-of-your-storage>.blob.core.windows.net;SharedAccessSignature=..."
CONTAINER_NAME: "<name-of-your-container>"
Instead of a connection string, you can also specify the following parameters:
global: storage: "azure" azure: AUTH_SHARED_KEY_ACCOUNT_NAME: "<account-name>" AUTH_SHARED_KEY_ACCOUNT_KEY: "<account-key>" CONTAINER_NAME: "<name-of-your-container>"
You must configure an Ingress or a Load Balancer to expose the Mender Server outside the Kubernetes cluster.
Required configuration:
/ui
${MENDER_SERVER_DOMAIN}
must exists as a secret named mender-ingress-tls
, or
you already have configured the Cert-manager resourceapi_gateway.env.SSL=false
option:
api_gateway:
env:
SSL: false
You can refer to your Infrastructure Provider's documentation for creating an Ingress resource. Starting from the Mender Helm Chart version 5.1.0, a sample Ingress resource is included.
For example, here's an Ingress for the AWS EKS Provider:
cat <<-EOF >> mender-3.7.7.yml
ingress:
enabled: true
annotations:
cert-manager.io/issuer: "letsencrypt"
alb.ingress.kubernetes.io/healthcheck-path: /ui/
alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig":{ "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/load-balancer-attributes: routing.http2.enabled=true,idle_timeout.timeout_seconds=600
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
alb.ingress.kubernetes.io/target-type: ip
ingressClassName: alb
path: /
extraPaths:
- path: /
backend:
serviceName: ssl-redirect
servicePort: use-annotation
hosts:
- ${MENDER_SERVER_DOMAIN}
tls:
# this secret must exists or it can be created from a working cert-manager instance
- secretName: mender-ingress-tls
hosts:
- ${MENDER_SERVER_DOMAIN}
EOF
For example, here's an Ingress for Azure AKS Provider:
cat <<-EOF >> mender-3.7.4.yml
ingress:
enabled: true
annotations:
appgw.ingress.kubernetes.io/backend-protocol: http
appgw.ingress.kubernetes.io/health-probe-path: /ui/
appgw.ingress.kubernetes.io/request-timeout: "600"
appgw.ingress.kubernetes.io/ssl-redirect: "true"
ingressClassName: azure/application-gateway
path: /
hosts:
- ${MENDER_SERVER_DOMAIN}
tls:
# this secret must exists or it can be created from a working cert-manager instance
- secretName: mender-ingress-tls
hosts:
- ${MENDER_SERVER_DOMAIN}
EOF
For example, here's an Ingress for the Ingress-NGinx Provider:
cat <<-EOF >> mender-3.7.4.yml
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-buffering: "off"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
path: /
ingressClassName: nginx
hosts:
- ${MENDER_SERVER_DOMAIN}
tls:
# this secret must exists or it can be created from a working cert-manager instance
- secretName: mender-ingress-tls
hosts:
- ${MENDER_SERVER_DOMAIN}
EOF
You can now update the Helm Chart with the included ingress:
helm upgrade --install mender mender/mender -f mender-3.7.7.yml
Alternatively, you can create your own Ingress resource. Some references:
Some users have reported that when using the nginx ingress controller, the troubleshoot add-on may not work properly. If you encounter this issue, you can try using the following annotation:
metadata:
annotations:
nginx.org/client-max-body-size: 128m
nginx.org/websocket-services: mender-api-gateway
Create the initial user using the useradm
pod:
USERADM_POD=$(kubectl get pod -l 'app.kubernetes.io/component=useradm' -o name | head -1)
kubectl exec $USERADM_POD -- useradm create-user --username "demo@mender.io" --password "demodemo"
Create the administrator user using the tenantadm
pod:
TENANTADM_POD=$(kubectl get pod -l 'app.kubernetes.io/component=tenantadm' -o name | head -1)
TENANT_ID=$(kubectl exec $TENANTADM_POD -- tenantadm create-org --name demo --username "admin@mender.io" --password "adminadmin" --plan enterprise)
You can create additional users from the command line of the useradm
pod:
USERADM_POD=$(kubectl get pod -l 'app.kubernetes.io/component=useradm' -o name | head -1)
kubectl exec $USERADM_POD -- useradm-enterprise create-user --username "demo@mender.io" --password "demodemo" --tenant-id $TENANT_ID
To use a pre-release (master) version of the backend, please refer to the Development section of the documentation.
© 2024 Northern.tech AS