From 1fd04f244ba598f362b0ceb51138f991d945dded Mon Sep 17 00:00:00 2001 From: John Jeffers Date: Tue, 24 Dec 2024 14:32:30 -0700 Subject: [PATCH 1/3] update readme --- chart/README.md | 615 +++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 528 insertions(+), 87 deletions(-) diff --git a/chart/README.md b/chart/README.md index 0d33ba8..ffbc422 100644 --- a/chart/README.md +++ b/chart/README.md @@ -4,6 +4,18 @@ [FusionAuth](https://fusionauth.io/) is a modern platform for Customer Identity and Access Management (CIAM). FusionAuth provides APIs and a responsive web user interface to support login, registration, localized email, multi-factor authentication, reporting, and much more. + +## Important Upgrade Info + +* **In `1.0.0` and later, the FusionAuth app version will now default to the latest available at the time of the chart's release.** Release notes will indicate the FusionAuth version included in the chart. + +⚠️ You can (and probably should) override the `image.tag` field in `values.yaml` to pin the desired version of the FusionAuth application. This ensures that upgrading the helm chart doesn't unexpectedly upgrade the FusionAuth version. + + +* **In `0.8.0`, the `environment` value is now an array instead of an object.** Make sure to reformat your values when you update. + +* **In `0.4.0`, the external postgresql and elasticsearch charts were dropped.** You will need to maintain those dependencies on your own. + ## Installing the Chart You can read the official instructions, including install steps for AWS, GCP, and Azure, in the [FusionAuth Kubernetes installation guide](https://fusionauth.io/docs/get-started/download-and-install/kubernetes/fusionauth-deployment). 
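Review bot: The ⚠️ paragraph under "Important Upgrade Info" tells readers to pin `image.tag` but never shows how, and the `helm install` example later in this README does not set it. Suggest adding `--set image.tag=[FusionAuth version]` to that example, or a one-line `values.yaml` snippet here, so the pinned form is the one people copy. The paragraph also sits between two bullets with doubled blank lines, which splits the list; indenting it under the `1.0.0` bullet would keep it attached to the item it qualifies.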
@@ -19,110 +31,539 @@ You can read the official instructions, including install steps for AWS, GCP, an To install the chart with the release name `my-fusionauth`: -```console -$ helm repo add fusionauth https://fusionauth.github.io/charts -$ helm install my-fusionauth fusionauth/fusionauth \ +```shell +helm repo add fusionauth https://fusionauth.github.io/charts +helm install my-fusionauth fusionauth/fusionauth \ --set database.host=[database host] \ --set database.user=[database username] \ --set database.password=[database password] \ --set search.host=[elasticsearch host] ``` -📝 For test deployments, you can remove `--set search.host` and add `--set search.engine=database` to configure FusionAuth to use the database for search instead of a dedicated search host. This is **not recommended** for real-world use, as search performance will be greatly reduced. -### Uninstallation +## Setting Up a Test Deployment + +This will install FusionAuth and its prerequisites in a single kubernetes namespace, with a configuration suitable for evaluation and testing. **This configuration is not suitable for production.** + +Set a few environment variables. +``` +export FA_NS=fusionauth-test # Namespace we will deploy everything to +export FA_APP_HELM=fusionauth # Name of the FusionAuth helm installation +export FA_PSQL_HELM=postgres # Name of the Postgres helm installation +export FA_SRCH_HELM=opensearch # Name of the Opensearch helm installation +``` -To uninstall/delete the `my-fusionauth` release: +Create and switch to the test namespace. +```shell +kubectl create namespace $FA_NS +kubectl config set-context --current --namespace=$FA_NS +``` -```console -$ helm delete my-fusionauth +### Install PostgreSQL +```shell +helm install -n $FA_NS $FA_PSQL_HELM oci://registry-1.docker.io/bitnamicharts/postgresql ``` -## Versions +### Install Opensearch -The helm chart is versioned independently from FusionAuth app releases. 
However, the latest version of the helm chart will default to the latest version of FusionAuth. +Opensearch is optional, but highly recommended. See the note below. +```shell +helm repo add opensearch https://opensearch-project.github.io/helm-charts/ +helm install -n $FA_NS $FA_SRCH_HELM opensearch/opensearch \ +--set singleNode=true \ +--set-json 'extraEnvs=[{"name":"DISABLE_SECURITY_PLUGIN","value":"true"}]' +``` -📝 You can and probably should override the `image.tag` field in `values.yaml` to run your desired version of the FusionAuth application. +### Install FusionAuth -## Important Upgrade Info +Wait for the Postgres and Opensearch pods to be ready, then install FusionAuth. +```shell +export FA_PSQL_PASS=$(kubectl get secret postgres-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d) +helm repo add fusionauth https://fusionauth.github.io/charts +helm install -n $FA_NS $FA_APP_HELM fusionauth/fusionauth \ +--set database.host=$FA_PSQL_HELM-postgresql \ +--set database.user=fusionauth \ +--set database.password=$FA_PSQL_PASS \ +--set search.host=$FA_SRCH_HELM-cluster-master +``` -* **In `1.0.0` and later, the FusionAuth app version will now default to the latest available.** Release notes will indicate if the chart includes a newer version of FusionAuth. If you wish to override this behavior, set `image.tag` when deploying. +📝 For test deployments, you can remove `--set search.host` and add `--set search.engine=database` to configure FusionAuth to use the database for search instead of a dedicated search host. This is **not recommended** for real-world use, as search performance will be greatly reduced. -* **In `0.8.0`, the `environment` value is now an array instead of an object.** Make sure to reformat your values when you update. +### Connect to FusionAuth + +Create a port forward to connect to the FusionAuth app. 
+```shell +kubectl port-forward svc/$FA_APP_HELM-fusionauth 9011:9011 +``` + +You should now be able to connect to the FusionAuth application at http://localhost:9011 to start the initial setup. + +📝 You may wish to set up an ingress instead of using a port forward. See the table below for how to configure the FusionAuth chart values to add an ingress. -* **In `0.4.0`, the external postgresql and elasticsearch charts were dropped.** You will need to maintain those dependencies on your own. ## Chart Values -| Key | Type | Default | Description | -| ------------------------------- | ------ | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -| affinity | object | `{}` | Configure affinity rules for the fusionauth Deployment. | -| annotations | object | `{}` | Define annotations for fusionauth Deployment. | -| app.memory | string | `"256M"` | Configures the amount of memory to allocate to the Java VM (sets `FUSIONAUTH_APP_MEMORY`). | -| app.runtimeMode | string | `"development"` | Configures runtime mode (sets `FUSIONAUTH_APP_RUNTIME_MODE`). Must be `development` or `production`. | -| app.silentMode | bool | `false` | Configures silent mode (sets `FUSIONAUTH_APP_SILENT_MODE`). Must be `true` or `false`. | -| autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaling. See the values file for more HPA parameters. | -| autoscaling.minReplicas | int | `2` | Minimum number of running instances when HPA is enabled. Ignored when `autoscaling.enabled` is `false`. | -| autoscaling.maxReplicas | int | `5` | Maximum number of running instances when HPA is enabled. Ignored when `autoscaling.enabled` is `false`. | -| autoscaling.targetCPU | int | `50` | CPU use % threshold to trigger a HPA scale up. Ignored when `autoscaling.enabled` is `false`. 
| -| database.existingSecret | string | `""` | The name of an existing Kubernetes Secret that contains the database passwords. | -| database.host | string | `""` | Hostname or IP address of the fusionauth database. | -| database.name | string | `"fusionauth"` | Name of the fusionauth database. | -| database.password | string | `""` | Database password for fusionauth to use in normal operation - not required if `database.existingSecret` is configured. | -| database.port | int | `5432` | Port used by the fusionauth database. | -| database.protocol | string | `"postgresql"` | Should either be `postgresql` or `mysql`. Protocol for jdbc connection to database. | -| database.root.password | string | `""` | Database password for fusionauth to use during initial bootstrap - not required if `database.existingSecret` is configured. | -| database.root.user | string | `""` | Database username for fusionauth to use during initial bootstrap - not required if you have manually bootstrapped your database. | -| database.tls | bool | `false` | Configures whether or not to use tls when connecting to the database. | -| database.tlsMode | string | `"require"` | If tls is enabled, this configures the mode. | -| database.user | string | `""` | Database username for fusionauth to use in normal operation. | -| dnsConfig | object | `{}` | Define `dnsConfig` for fusionauth pods. | -| dnsPolicy | string | `"ClusterFirst"` | Define `dnsPolicy` for fusionauth pods. | -| environment | list | `[]` | Configure additional environment variables. | -| extraVolumeMounts | list | `[]` | Define mount paths for `extraVolumes`. | -| extraContainers | list | `[]` | Create containers for the pods. Can be used for sidecars, ambassador, and adapter patterns. | -| extraInitContainers | list | `[]` | Add extra init containers. Can be used for setup or wait for other dependent services. | -| extraVolumes | list | `[]` | Define extra volumes to mount in the deployment. 
| -| fullnameOverride | string | `""` | Overrides full resource names. | -| image.pullPolicy | string | `"IfNotPresent"` | Kubernetes image pullPolicy to use for fusionauth-app. | -| image.repository | string | `"fusionauth/fusionauth-app"` | The image repository to use for fusionauth-app. | -| image.tag | string | `"${APP_VERSION}"` | The image tag to pull for fusionauth-app (this is the fusionauth-app version). | -| imagePullSecrets | list | `[]` | Configures Kubernetes secrets to use for pulling images from private repositories. | -| ingress.annotations | object | `{}` | Configure annotations to add to the ingress object. | -| ingress.enabled | bool | `false` | Enables ingress creation for fusionauth. | -| ingress.extraPaths | list | `[]` | Define path objects which will be inserted before regular paths. Can be useful for things like ALB Ingress Controller actions. | -| ingress.hosts | list | `[]` | List of hostnames to configure the ingress with. | -| ingress.ingressClassName | string | `""` | Specify the `ingressClass` to be used by the Ingress. | -| ingress.paths | list | `[]` | Paths to be used by the Ingress. | -| ingress.tls | list | `[]` | List of secrets used to configure TLS for the ingress. | -| initContainers.waitForDb | bool | `true` | Create an init container which waits for the database to be ready. | -| initContainers.waitForEs | bool | `true` | Create an init container which waits for elasticsearch to be ready. | -| initContainers.image.repository | string | `"busybox"` | Image to use for `initContainers` docker image. | -| initContainers.image.tag | string | `"1.36.1"` | Tag to use for `initContainers` docker image. | -| initContainers.resources | object | `{}` | Resource requests and limits to use for `initContainers`. | -| kickstart.data | object | `{}` | Fusionauth [kickstart settings](https://fusionauth.io/docs/get-started/download-and-install/development/kickstart). 
| -| kickstart.enabled | bool | `false` | Enable fusionauth kickstart settings. | -| lifecycle | object | `{}` | Define custom `lifecycle` settings for the deployment. | -| livenessProbe | object | `{"failureThreshold":3,"httpGet":{"path":"/","port":"http"},"periodSeconds":30,"timeoutSeconds":5}` | Configures a `livenessProbe` to ensure fusionauth is running. | -| nameOverride | string | `""` | Overrides resource names. | -| nodeSelector | object | `{}` | Define `nodeSelector` for kubernetes to use when scheduling fusionauth pods. | -| podAnnotations | object | `{}` | Define `annotations` for fusionauth pods. | -| podDisruptionBudget.enabled | bool | `false` | Enables creation of a `PodDisruptionBudget`. | -| readinessProbe | object | `{"failureThreshold":5,"httpGet":{"path":"/","port":"http"},"timeoutSeconds":5}` | Configures a `readinessProbe` to ensure fusionauth is ready for requests. | -| replicaCount | int | `1` | The number of fusionauth-app instances to run. | -| resources | object | `{}` | Define resource requests and limits for fusionauth-app. | -| search.engine | string | `"elasticsearch"` | Protocol to use when connecting to elasticsearch. Ignored when `search.engine` is NOT `elasticsearch`. | -| search.host | string | `""` | Hostname or ip to use when connecting to elasticsearch. Ignored when `search.engine` is NOT `elasticsearch`. | -| search.port | int | `9200` | Port to use when connecting to elasticsearch. Ignored when `search.engine` is NOT `elasticsearch`. | -| search.protocol | string | `"http"` | Protocol to use when connecting to elasticsearch. Ignored when `search.engine` is NOT `elasticsearch`. | -| service.annotations | object | `{}` | Extra annotations to add to the service object. | -| service.port | int | `9011` | Port for the Kubernetes service to expose. | -| service.spec | object | `{}` | Any extra fields to add to the service object spec. | -| service.type | string | `"ClusterIP"` | Type of Kubernetes service to create. 
| -| serviceAccount.annotations | object | `{}` | Extra annotations to add to the service account object. | -| serviceAccount.automount | bool | `false` | Automatically mount a service account's API credentials. | -| serviceAccount.create | bool | `false` | If set to `true`, service account will be created. Otherwise, the `default` serviceaccount will be used. | -| serviceAccount.name | string | `""` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template. | -| startupProbe | object | `{"failureThreshold":20,"httpGet":{"path":"/","port":"http"},"periodSeconds":10,"timeoutSeconds":5}` | Configures a `startupProbe` to ensure fusionauth has finished starting up. | -| tolerations | list | `[]` | Define `tolerations` for kubernetes to use when scheduling fusionauth pods. | -| topologySpreadConstraints | list | `[]` | Define `topologySpreadConstraints` for kubernetes to use when scheduling fusionauth pods. | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
KeyTypeDefaultDescription
affinityobject{}Configure affinity rules for the fusionauth Deployment.
annotationsobject{}Define annotations for fusionauth Deployment.
app.memorystring"256M"Configures the amount of memory to allocate to the Java VM (sets FUSIONAUTH_APP_MEMORY).
app.runtimeModestring"development"Configures runtime mode (sets FUSIONAUTH_APP_RUNTIME_MODE). Must be development or production.
app.silentModeboolfalseConfigures silent mode (sets FUSIONAUTH_APP_SILENT_MODE). Must be true or false.
autoscaling.enabledboolfalseEnable Horizontal Pod Autoscaling. See the values file for more HPA parameters.
autoscaling.minReplicasint2Minimum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false.
autoscaling.maxReplicasint5Maximum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false.
autoscaling.targetCPUint50CPU use % threshold to trigger a HPA scale up. Ignored when autoscaling.enabled is false.
database.existingSecretstring""The name of an existing Kubernetes Secret that contains the database passwords.
database.hoststring""Hostname or IP address of the fusionauth database.
database.namestring"fusionauth"Name of the fusionauth database.
database.passwordstring""Database password for fusionauth to use in normal operation - not required if database.existingSecret is configured.
database.portint5432Port used by the fusionauth database.
database.protocolstring"postgresql"Should either be postgresql or mysql. Protocol for jdbc connection to database.
database.root.passwordstring""Database password for fusionauth to use during initial bootstrap - not required if database.existingSecret is configured.
database.root.userstring""Database username for fusionauth to use during initial bootstrap - not required if you have manually bootstrapped your database.
database.tlsboolfalseConfigures whether or not to use tls when connecting to the database.
database.tlsModestring"require"If tls is enabled, this configures the mode.
database.userstring""Database username for fusionauth to use in normal operation.
dnsConfigobject{}Define dnsConfig for fusionauth pods.
dnsPolicystring"ClusterFirst"Define dnsPolicy for fusionauth pods.
environmentlist[]Configure additional environment variables.
extraVolumeMountslist[]Define mount paths for extraVolumes.
extraContainerslist[]Create containers for the pods. Can be used for sidecars, ambassador, and adapter patterns.
extraInitContainerslist[]Add extra init containers. Can be used for setup or wait for other dependent services.
extraVolumeslist[]Define extra volumes to mount in the deployment.
fullnameOverridestring""Overrides full resource names.
image.pullPolicystring"IfNotPresent"Kubernetes image pullPolicy to use for fusionauth-app.
image.repositorystring"fusionauth/fusionauth-app"The image repository to use for fusionauth-app.
image.tagstring"${APP_VERSION}"The image tag to pull for fusionauth-app (this is the fusionauth-app version).
imagePullSecretslist[]Configures Kubernetes secrets to use for pulling images from private repositories.
ingress.annotationsobject{}Configure annotations to add to the ingress object.
ingress.enabledboolfalseEnables ingress creation for fusionauth.
ingress.extraPathslist[]Define path objects which will be inserted before regular paths. Can be useful for things like ALB Ingress Controller actions.
ingress.hostslist[]List of hostnames to configure the ingress with.
ingress.ingressClassNamestring""Specify the ingressClass to be used by the Ingress.
ingress.pathslist[]Paths to be used by the Ingress.
ingress.tlslist[]List of secrets used to configure TLS for the ingress.
initContainers.waitForDbbooltrueCreate an init container which waits for the database to be ready.
initContainers.waitForEsbooltrueCreate an init container which waits for elasticsearch to be ready.
initContainers.image.repositorystring"busybox"Image to use for initContainers docker image.
initContainers.image.tagstring"1.36.1"Tag to use for initContainers docker image.
initContainers.resourcesobject{}Resource requests and limits to use for initContainers.
kickstart.dataobject{}Fusionauth kickstart settings.
kickstart.enabledboolfalseEnable fusionauth kickstart settings.
lifecycleobject{}Define custom lifecycle settings for the deployment.
livenessProbeobject +
+{
+  "failureThreshold": 3,
+  "httpGet": {
+    "path": "/",
+    "port": "http"
+  },
+  "periodSeconds": 30,
+  "timeoutSeconds": 5
+}
+
Configures a livenessProbe to ensure fusionauth is running.
nameOverridestring""Overrides resource names.
nodeSelectorobject{}Define nodeSelector for kubernetes to use when scheduling fusionauth pods.
podAnnotationsobject{}Define annotations for fusionauth pods.
podDisruptionBudget.enabledboolfalseEnables creation of a PodDisruptionBudget.
readinessProbeobject +
+{
+  "failureThreshold": 5,
+  "httpGet": {
+    "path": "/",
+    "port": "http"
+  },
+  "timeoutSeconds": 5
+}
+
Configures a readinessProbe to ensure fusionauth is ready for requests.
replicaCountint1The number of fusionauth-app instances to run.
resourcesobject{}Define resource requests and limits for fusionauth-app.
search.enginestring"elasticsearch"Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch.
search.hoststring""Hostname or ip to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch.
search.portint9200Port to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch.
search.protocolstring"http"Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch.
service.annotationsobject{}Extra annotations to add to the service object.
service.portint9011Port for the Kubernetes service to expose.
service.specobject{}Any extra fields to add to the service object spec.
service.typestring"ClusterIP"Type of Kubernetes service to create.
serviceAccount.annotationsobject{}Extra annotations to add to the service account object.
serviceAccount.automountboolfalseAutomatically mount a service account's API credentials.
serviceAccount.createboolfalseIf set to true, service account will be created. Otherwise, the default serviceaccount will be used.
serviceAccount.namestring""The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
startupProbeobject +
+{
+  "failureThreshold": 20,
+  "httpGet": {
+    "path": "/",
+    "port": "http"
+  },
+  "periodSeconds": 10,
+  "timeoutSeconds": 5
+}
+
Configures a startupProbe to ensure fusionauth has finished starting up.
tolerationslist[]Define tolerations for kubernetes to use when scheduling fusionauth pods.
topologySpreadConstraintslist[]Define topologySpreadConstraints for kubernetes to use when scheduling fusionauth pods.
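Review bot: In the "Install FusionAuth" block, the value read from the `postgres-password` key of the `postgres-postgresql` secret is passed as `database.password` for `database.user=fusionauth`, while `database.root.user` and `database.root.password` are left unset. The values table in this same file describes the root pair as the credentials for initial bootstrap and `database.password` as the normal-operation password, so as written the Postgres admin password is handed to the application user. Suggest passing it as `database.root.password` together with the matching `database.root.user`, and giving `database.password` its own value (or pointing to `database.existingSecret`). The secret name is also hardcoded as `postgres-postgresql` although the rest of the block derives names from `$FA_PSQL_HELM`.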
From 1cca72a78bc8b14b1aaad58036eb58a4ba0534b7 Mon Sep 17 00:00:00 2001 From: John Jeffers Date: Tue, 24 Dec 2024 15:08:20 -0700 Subject: [PATCH 2/3] update readme --- chart/README.md | 195 +++++++++++++++++++++++------------------------- 1 file changed, 93 insertions(+), 102 deletions(-) diff --git a/chart/README.md b/chart/README.md index ffbc422..2ec5528 100644 --- a/chart/README.md +++ b/chart/README.md 
@@ -114,453 +114,444 @@ You should now be able to connect to the FusionAuth application at http://localh - affinity + affinity object {} Configure affinity rules for the fusionauth Deployment. - annotations + annotations object {} Define annotations for fusionauth Deployment. - app.memory + app.memory string "256M" Configures the amount of memory to allocate to the Java VM (sets FUSIONAUTH_APP_MEMORY). - app.runtimeMode + app.runtimeMode string "development" Configures runtime mode (sets FUSIONAUTH_APP_RUNTIME_MODE). Must be development or production. - app.silentMode + app.silentMode bool false Configures silent mode (sets FUSIONAUTH_APP_SILENT_MODE). Must be true or false. - autoscaling.enabled + autoscaling.enabled bool false Enable Horizontal Pod Autoscaling. See the values file for more HPA parameters. - autoscaling.minReplicas + autoscaling.minReplicas int 2 Minimum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false. - autoscaling.maxReplicas + autoscaling.maxReplicas int 5 Maximum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false. - autoscaling.targetCPU + autoscaling.targetCPU int 50 CPU use % threshold to trigger a HPA scale up. Ignored when autoscaling.enabled is false. - database.existingSecret + database.existingSecret string "" The name of an existing Kubernetes Secret that contains the database passwords. - database.host + database.host string "" Hostname or IP address of the fusionauth database. - database.name + database.name string "fusionauth" Name of the fusionauth database. - database.password + database.password string "" Database password for fusionauth to use in normal operation - not required if database.existingSecret is configured. - database.port + database.port int 5432 Port used by the fusionauth database. - database.protocol + database.protocol string "postgresql" Should either be postgresql or mysql. Protocol for jdbc connection to database. 
- database.root.password + database.root.password string "" Database password for fusionauth to use during initial bootstrap - not required if database.existingSecret is configured. - database.root.user + database.root.user string "" Database username for fusionauth to use during initial bootstrap - not required if you have manually bootstrapped your database. - database.tls + database.tls bool false Configures whether or not to use tls when connecting to the database. - database.tlsMode + database.tlsMode string "require" If tls is enabled, this configures the mode. - database.user + database.user string "" Database username for fusionauth to use in normal operation. - dnsConfig + dnsConfig object {} Define dnsConfig for fusionauth pods. - dnsPolicy + dnsPolicy string "ClusterFirst" Define dnsPolicy for fusionauth pods. - environment + environment list [] Configure additional environment variables. - extraVolumeMounts + extraVolumeMounts list [] Define mount paths for extraVolumes. - extraContainers + extraContainers list [] Create containers for the pods. Can be used for sidecars, ambassador, and adapter patterns. - extraInitContainers + extraInitContainers list [] Add extra init containers. Can be used for setup or wait for other dependent services. - extraVolumes + extraVolumes list [] Define extra volumes to mount in the deployment. - fullnameOverride + fullnameOverride string "" Overrides full resource names. - image.pullPolicy + image.pullPolicy string "IfNotPresent" Kubernetes image pullPolicy to use for fusionauth-app. - image.repository + image.repository string "fusionauth/fusionauth-app" The image repository to use for fusionauth-app. - image.tag + image.tag string "${APP_VERSION}" The image tag to pull for fusionauth-app (this is the fusionauth-app version). - imagePullSecrets + imagePullSecrets list [] Configures Kubernetes secrets to use for pulling images from private repositories. 
- ingress.annotations + ingress.annotations object {} Configure annotations to add to the ingress object. - ingress.enabled + ingress.enabled bool false Enables ingress creation for fusionauth. - ingress.extraPaths + ingress.extraPaths list [] Define path objects which will be inserted before regular paths. Can be useful for things like ALB Ingress Controller actions. - ingress.hosts + ingress.hosts list [] List of hostnames to configure the ingress with. - ingress.ingressClassName + ingress.ingressClassName string "" Specify the ingressClass to be used by the Ingress. - ingress.paths + ingress.paths list [] Paths to be used by the Ingress. - ingress.tls + ingress.tls list [] List of secrets used to configure TLS for the ingress. - initContainers.waitForDb + initContainers.waitForDb bool true Create an init container which waits for the database to be ready. - initContainers.waitForEs + initContainers.waitForEs bool true Create an init container which waits for elasticsearch to be ready. - initContainers.image.repository + initContainers.image.repository string "busybox" Image to use for initContainers docker image. - initContainers.image.tag + initContainers.image.tag string "1.36.1" Tag to use for initContainers docker image. - initContainers.resources + initContainers.resources object {} Resource requests and limits to use for initContainers. - kickstart.data + kickstart.data object {} Fusionauth kickstart settings. - kickstart.enabled + kickstart.enabled bool false Enable fusionauth kickstart settings. - lifecycle + lifecycle object {} Define custom lifecycle settings for the deployment. - livenessProbe + livenessProbe object -
-{
-  "failureThreshold": 3,
-  "httpGet": {
-    "path": "/",
-    "port": "http"
-  },
-  "periodSeconds": 30,
-  "timeoutSeconds": 5
-}
- +
+livenessProbe:
+  httpGet:
+    path: /
+    port: http
+  failureThreshold: 3
+  periodSeconds: 30
+  timeoutSeconds: 5
Configures a livenessProbe to ensure fusionauth is running. - nameOverride + nameOverride string "" Overrides resource names. - nodeSelector + nodeSelector object {} Define nodeSelector for kubernetes to use when scheduling fusionauth pods. - podAnnotations + podAnnotations object {} Define annotations for fusionauth pods. - podDisruptionBudget.enabled + podDisruptionBudget.enabled bool false Enables creation of a PodDisruptionBudget. - readinessProbe + readinessProbe object -
-{
-  "failureThreshold": 5,
-  "httpGet": {
-    "path": "/",
-    "port": "http"
-  },
-  "timeoutSeconds": 5
-}
- +
+readinessProbe:
+  httpGet:
+    path: /
+    port: http
+  failureThreshold: 5
+  timeoutSeconds: 5
Configures a readinessProbe to ensure fusionauth is ready for requests. - replicaCount + replicaCount int 1 The number of fusionauth-app instances to run. - resources + resources object {} Define resource requests and limits for fusionauth-app. - search.engine + search.engine string "elasticsearch" Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch. - search.host + search.host string "" Hostname or ip to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch. - search.port + search.port int 9200 Port to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch. - search.protocol + search.protocol string "http" Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch. - service.annotations + service.annotations object {} Extra annotations to add to the service object. - service.port + service.port int 9011 Port for the Kubernetes service to expose. - service.spec + service.spec object {} Any extra fields to add to the service object spec. - service.type + service.type string "ClusterIP" Type of Kubernetes service to create. - serviceAccount.annotations + serviceAccount.annotations object {} Extra annotations to add to the service account object. - serviceAccount.automount + serviceAccount.automount bool false Automatically mount a service account's API credentials. - serviceAccount.create + serviceAccount.create bool false If set to true, service account will be created. Otherwise, the default serviceaccount will be used. - serviceAccount.name + serviceAccount.name string "" The name of the service account to use. If not set and create is true, a name is generated using the fullname template. - startupProbe + startupProbe object -
-{
-  "failureThreshold": 20,
-  "httpGet": {
-    "path": "/",
-    "port": "http"
-  },
-  "periodSeconds": 10,
-  "timeoutSeconds": 5
-}
- +
+startupProbe:
+  httpGet:
+    path: /
+    port: http
+  failureThreshold: 20
+  periodSeconds: 10
+  timeoutSeconds: 5
Configures a startupProbe to ensure fusionauth has finished starting up. - tolerations + tolerations list [] Define tolerations for kubernetes to use when scheduling fusionauth pods. - topologySpreadConstraints + topologySpreadConstraints list [] Define topologySpreadConstraints for kubernetes to use when scheduling fusionauth pods. From ad4a3d576a1a81fba8d31d37d4719e8d00323d6c Mon Sep 17 00:00:00 2001 From: John Jeffers Date: Tue, 24 Dec 2024 19:50:19 -0700 Subject: [PATCH 3/3] update readme --- chart/README.md | 29 +++++++++++------------------ 1 file changed, 11 insertions(+), 18 deletions(-) diff --git a/chart/README.md b/chart/README.md index 2ec5528..227ad0a 100644 --- a/chart/README.md +++ b/chart/README.md @@ -16,6 +16,7 @@ * **In `0.4.0`, the external postgresql and elasticsearch charts were dropped.** You will need to maintain those dependencies on your own. + ## Installing the Chart You can read the official instructions, including install steps for AWS, GCP, and Azure, in the [FusionAuth Kubernetes installation guide](https://fusionauth.io/docs/get-started/download-and-install/kubernetes/fusionauth-deployment). @@ -29,11 +30,11 @@ You can read the official instructions, including install steps for AWS, GCP, an ### Installation -To install the chart with the release name `my-fusionauth`: +To install the chart with the release name `fusionauth`: ```shell helm repo add fusionauth https://fusionauth.github.io/charts -helm install my-fusionauth fusionauth/fusionauth \ +helm install fusionauth fusionauth/fusionauth \ --set database.host=[database host] \ --set database.user=[database username] \ --set database.password=[database password] \ 
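Review bot: In the Chart Values table hunk of PATCH 2/3, the `search.engine` row is touched but its description still reads "Protocol to use when connecting to elasticsearch", which is the `search.protocol` text, and its "Ignored when `search.engine` is NOT `elasticsearch`" clause refers to the key itself. Suggest describing it as the search engine selector and naming the values the README already uses (`elasticsearch`, `database`). Separately, the new probe defaults include the top-level key (`livenessProbe:`, `readinessProbe:`, `startupProbe:`) while every other Default cell shows only the value; dropping that first line would keep the column consistent.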
@@ -45,23 +46,15 @@ helm install my-fusionauth fusionauth/fusionauth \ This will install FusionAuth and its prerequisites in a single kubernetes namespace, with a configuration suitable for evaluation and testing. **This configuration is not suitable for production.** -Set a few environment variables. -``` -export FA_NS=fusionauth-test # Namespace we will deploy everything to -export FA_APP_HELM=fusionauth # Name of the FusionAuth helm installation -export FA_PSQL_HELM=postgres # Name of the Postgres helm installation -export FA_SRCH_HELM=opensearch # Name of the Opensearch helm installation -``` - Create and switch to the test namespace. ```shell -kubectl create namespace $FA_NS -kubectl config set-context --current --namespace=$FA_NS +kubectl create namespace fusionauth-test +kubectl config set-context --current --namespace=fusionauth-test ``` ### Install PostgreSQL ```shell -helm install -n $FA_NS $FA_PSQL_HELM oci://registry-1.docker.io/bitnamicharts/postgresql +helm install postgres oci://registry-1.docker.io/bitnamicharts/postgresql ``` ### Install Opensearch @@ -69,7 +62,7 @@ helm install -n $FA_NS $FA_PSQL_HELM oci://registry-1.docker.io/bitnamicharts/po Opensearch is optional, but highly recommended. See the note below. ```shell helm repo add opensearch https://opensearch-project.github.io/helm-charts/ -helm install -n $FA_NS $FA_SRCH_HELM opensearch/opensearch \ +helm install opensearch opensearch/opensearch \ --set singleNode=true \ --set-json 'extraEnvs=[{"name":"DISABLE_SECURITY_PLUGIN","value":"true"}]' ``` 
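Review bot: With `-n $FA_NS` removed from the `helm install postgres ...` and `helm install opensearch ...` lines, the target namespace now depends entirely on the earlier `kubectl config set-context --current --namespace=fusionauth-test` having been run against the same kubeconfig context. If that step is skipped, or the reader switches context between steps, the charts install into whatever namespace is current. Suggest keeping an explicit `-n fusionauth-test` on each `helm install`, and on the later `kubectl get secret` and `kubectl port-forward`, so every command is self-contained.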
@@ -80,11 +73,11 @@ Wait for the Postgres and Opensearch pods to be ready, then install FusionAuth. ```shell export FA_PSQL_PASS=$(kubectl get secret postgres-postgresql -o jsonpath="{.data.postgres-password}" | base64 -d) helm repo add fusionauth https://fusionauth.github.io/charts -helm install -n $FA_NS $FA_APP_HELM fusionauth/fusionauth \ ---set database.host=$FA_PSQL_HELM-postgresql \ +helm install fusionauth fusionauth/fusionauth \ +--set database.host=postgres-postgresql \ --set database.user=fusionauth \ --set database.password=$FA_PSQL_PASS \ ---set search.host=$FA_SRCH_HELM-cluster-master +--set search.host=opensearch-cluster-master ``` 📝 For test deployments, you can remove `--set search.host` and add `--set search.engine=database` to configure FusionAuth to use the database for search instead of a dedicated search host. This is **not recommended** for real-world use, as search performance will be greatly reduced. @@ -93,7 +86,7 @@ helm install -n $FA_NS $FA_APP_HELM fusionauth/fusionauth \ Create a port forward to connect to the FusionAuth app. ```shell -kubectl port-forward svc/$FA_APP_HELM-fusionauth 9011:9011 +kubectl port-forward svc/fusionauth 9011:9011 ``` You should now be able to connect to the FusionAuth application at http://localhost:9011 to start the initial setup.
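Review bot: The port-forward target in the last hunk changes from `svc/$FA_APP_HELM-fusionauth`, which expanded to `svc/fusionauth-fusionauth` under the removed `FA_APP_HELM=fusionauth`, to `svc/fusionauth`, while the release name stays `fusionauth`. Only one of the two can match the Service the chart creates, so please confirm the name (for example with `kubectl get svc`) and say in the commit message which one was wrong. In the hunk above it, `--set database.host=postgres-postgresql` and `--set search.host=opensearch-cluster-master` are now literals that hold only for the release names `postgres` and `opensearch`; one sentence in the README saying so would save readers who pick different names.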