helm

Plugin Access Manager Helm Chart

This helm chart installs Plugin Acess Manager for Midaz, a high-performance and open-source ledger.

Install Plugin Access Manager Helm Chart:

To install Plugin Access Manager using Helm, run the following command:

$ helm install plugin-access-manager oci://registry-1.docker.io/lerianstudio/plugin-access-manager --version <> -n midaz-plugins --create-namespace

This will create a new namespace called midaz-plugins if it doesn’t already exist and deploy the Plugin Access Manager Helm chart.

After installation, you can verify that the release was successful by listing the Helm releases in the midaz-plugins namespaces:

$ helm list -n midaz-plugins

Configuring Ingress for Different Controllers

The Midaz Helm Chart optionally supports different Ingress Controllers for exposing services when necessary. It is possible to enable Ingress for the following services: Transaction, Onboarding and Console. Below are the configurations for commonly used controllers.

Note: Before configuring Ingress, ensure that you have an Ingress Controller installed in your cluster. The Ingress Controller is responsible for managing external access to the services. Examples of popular Ingress Controllers include NGINX, AWS ALB, and Traefik.

NGINX Ingress Controller

To use the NGINX Ingress Controller, configure the values.yaml as follows:

ingress:
  enabled: true
  className: "nginx"
  // The `annotations` field is used to add custom metadata to the Nginx resource.
  // Annotations are key-value pairs that can be used to attach arbitrary non-identifying metadata to objects.
  // These annotations can be used by various tools and libraries to augment the behavior of the Nginx resource.
  // See more https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  annotations: {} 
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists or is managed by cert-manager
      hosts:
        - midaz.example.com

AWS ALB (Application Load Balancer)

For AWS ALB Ingress Controller, use the following configuration:

ingress:
  enabled: true
  className: "alb"
  annotations:
    alb.ingress.kubernetes.io/scheme: internal  # Use "internet-facing" for public ALB
    alb.ingress.kubernetes.io/target-type: ip   # Use "instance" if targeting EC2 instances
    alb.ingress.kubernetes.io/group.name: "midaz"  # Group ALB resources under this name
    alb.ingress.kubernetes.io/healthcheck-path: "/healthz"  # Health check path
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'  # Listen on HTTP and HTTPS
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []  # TLS is managed by the ALB using ACM certificates

Traefik Ingress Controller

For Traefik, configure the values.yaml as follows:

ingress:
  enabled: true
  className: "traefik"
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "web, websecure"  # Entrypoints defined in Traefik
    traefik.ingress.kubernetes.io/router.tls: "true"  # Enable TLS for this route
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists and contains the TLS certificate
      hosts:
        - midaz.example.com

Plugin Access Manager Components:

Identity Service

Parameter	Description	Default
`replicaCount`	Number of replicas for the deployment	`1`
`image.repository`	Repository for the container image	`ghcr.io/lerianstudio/plugin-identity`
`image.pullPolicy`	Image pull policy	`Always`
`image.tag`	Image tag used for deployment	`1.2.0`
`imagePullSecrets`	Secrets for pulling images from a private registry	`[{"name": "regcred"}]`
`nameOverride`	Overrides the default generated name by Helm	`""`
`fullnameOverride`	Overrides the full name generated by Helm	`""`
`ingress.enabled`	Enable or disable ingress	`false`
`ingress.className`	Ingress class name	`""`
`ingress.annotations`	Additional ingress annotations	`{}`
`ingress.hosts`	Ingress host configuration	`[{"host": "", "paths": [{"path": "/", "pathType": "Prefix"}]}]`
`ingress.tls`	TLS configuration for ingress	`[]`
`service.type`	Kubernetes service type	`ClusterIP`
`service.port`	Service port	`4001`
`deploymentStrategy`	Deployment strategy	`{"type": "RollingUpdate", "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 1}}`
`podSecurityContext`	Pod security context	`{}`
`securityContext`	Security context for the container	See `values.yaml`
`pdb.enabled`	Enable or disable PodDisruptionBudget	`true`
`pdb.maxUnavailable`	Maximum number of unavailable pods	`1`
`pdb.minAvailable`	Minimum number of available pods	`0`
`pdb.annotations`	Annotations for PodDisruptionBudget	`{}`
`resources`	CPU and memory limits for pods	See `values.yaml`
`autoscaling.enabled`	Enable or disable horizontal pod autoscaling	`true`
`autoscaling.minReplicas`	Minimum number of replicas	`1`
`autoscaling.maxReplicas`	Maximum number of replicas	`3`
`autoscaling.targetCPUUtilizationPercentage`	Target CPU utilization percentage for autoscaling	`80`
`autoscaling.targetMemoryUtilizationPercentage`	Target memory utilization percentage for autoscaling	`80`
`nodeSelector`	Node selector for scheduling pods	`{}`
`tolerations`	Tolerations for scheduling on tainted nodes	`{}`
`affinity`	Affinity rules for pod scheduling	`{}`
`extraEnvVars`	Extra environment variables to be added to the deployment	`{}`
`useExistingSecret`	Use an existing secret instead of creating a new one	`false`
`existingSecretName`	The name of the existing secret to use	`""`

Auth Service

Parameter	Description	Default
`replicaCount`	Number of replicas for the deployment	`3`
`image.repository`	Repository for the console service container image	`ghcr.io/lerianstudio/plugin-auth`
`image.pullPolicy`	Image pull policy	`Always`
`image.tag`	Image tag used for deployment	`1.2.0`
`imagePullSecrets`	Secrets for pulling images from a private registry	`[{"name": "regcred"}]`
`nameOverride`	Overrides the default generated name by Helm	`""`
`fullnameOverride`	Overrides the full name generated by Helm	`""`
`namespaceOverride`	Overrides the namespace for the service	`""`
`ingress.enabled`	Enable or disable ingress	`false`
`ingress.className`	Ingress class name	`""`
`ingress.annotations`	Additional ingress annotations	`{}`
`ingress.hosts`	Ingress host configuration	`[{"host": "", "paths": [{"path": "/", "pathType": "Prefix"}]}]`
`ingress.tls`	TLS configuration for ingress	`[]`
`service.type`	Kubernetes service type	`ClusterIP`
`service.port`	Service port	`4000`
`deploymentStrategy`	Deployment strategy	`{"type": "RollingUpdate", "rollingUpdate": {"maxSurge": 1, "maxUnavailable": 1}}`
`podSecurityContext`	Pod security context	`{}`
`securityContext`	Security context for the container	`{}`
`pdb.enabled`	Enable or disable PodDisruptionBudget	`true`
`pdb.maxUnavailable`	Maximum number of unavailable pods	`1`
`pdb.minAvailable`	Minimum number of available pods	`0`
`pdb.annotations`	Annotations for PodDisruptionBudget	`{}`
`resources`	CPU and memory limits for pods	See `values.yaml`
`autoscaling.enabled`	Enable or disable horizontal pod autoscaling	`true`
`autoscaling.minReplicas`	Minimum number of replicas	`3`
`autoscaling.maxReplicas`	Maximum number of replicas	`9`
`autoscaling.targetCPUUtilizationPercentage`	Target CPU utilization percentage for autoscaling	`80`
`autoscaling.targetMemoryUtilizationPercentage`	Target memory utilization percentage for autoscaling	`80`
`nodeSelector`	Node selector for scheduling pods	`{}`
`tolerations`	Tolerations for scheduling on tainted nodes	`{}`
`affinity`	Affinity rules for pod scheduling	`{}`
`extraEnvVars`	Extra environment variables to be added to the deployment	`{}`
`useExistingSecret`	Use an existing secret instead of creating a new one	`false`
`existingSecretName`	The name of the existing secret to use	`""`
`backend.replicaCount`	Number of replicas for the backend	`1`
`backend.name`	Name of the backend service	`plugin-access-manager-auth-backend`
`backend.autoscaling`	Autoscaling configuration for the backend	See `values.yaml`

Auth Database (PostgreSQL)

Parameter	Description	Default
`auth-database.enabled`	Enable the database dependency	`true`
`auth-database.auth.enabled`	Enable authentication for the database	`true`
`auth-database.auth.enablePostgresUser`	Enable the default postgres user	`false`
`auth-database.auth.username`	Username for the database	`auth`
`auth-database.auth.password`	Password for the database	`lerian`
`auth-database.auth.database`	Name of the database	`casdoor`
`auth-database.primary.persistence.size`	Persistence size for the primary node	`8Gi`
`auth-database.primary.resourcesPreset`	Resource preset for the primary node	`large`
`auth-database.primary.extendedConfiguration`	Extended PostgreSQL configuration	See `values.yaml`
`auth-database.primary.extraEnvVars`	Extra environment variables for the database	See `values.yaml`

Valkey (Redis)

Parameter	Description	Default
`valkey.enabled`	Enable the Valkey (Redis) dependency	`true`
`valkey.architecture`	Architecture for Valkey deployment	`standalone`
`valkey.auth.enabled`	Enable authentication for Valkey	`false`

OTEL Collector

Parameter	Description	Default
`otel-collector-lerian.enabled`	Enable the OpenTelemetry collector	`false`

`auth.deploymentStrategy.rollingUpdate.maxSurge`	Maximum number of pods that can be created over the desired number of pods.	`1`
`auth.deploymentStrategy.rollingUpdate.maxUnavailable`	Maximum number of pods that can be unavailable during the update.	`1`
`auth.pdb.enabled`	Specifies whether PodDisruptionBudget is enabled.	`true`
`auth.pdb.minAvailable`	Minimum number of available pods.	`0`
`auth.pdb.maxUnavailable`	Maximum number of unavailable pods.	`1`
`auth.pdb.annotations`	Annotations for the PodDisruptionBudget.	`{}`
`auth.resources.limits.cpu`	CPU limit allocated for the pods.	`1`
`auth.resources.limits.memory`	Memory limit allocated for the pods.	`"756Mi"`
`auth.resources.requests.cpu`	Minimum CPU request for the pods.	`"500m"`
`auth.resources.requests.memory`	Minimum memory request for the pods.	`"256Mi"`
`auth.autoscaling.enabled`	Specifies whether autoscaling is enabled.	`true`
`auth.autoscaling.minReplicas`	Minimum number of replicas for autoscaling.	`1`
`auth.autoscaling.maxReplicas`	Maximum number of replicas for autoscaling.	`3`
`auth.autoscaling.targetCPUUtilizationPercentage`	Target CPU utilization percentage for autoscaling.	`80`
`auth.autoscaling.targetMemoryUtilizationPercentage`	Target memory utilization percentage for autoscaling.	`80`
`auth.nodeSelector`	Node selectors for pod scheduling.	`{}`
`auth.tolerations`	Tolerations for pod scheduling.	`{}`
`auth.affinity`	Affinity rules for pod scheduling.	`{}`
`auth.configmap`	Additional configurations in ConfigMap.	See default values in the configuration.
`auth.secrets`	Additional secrets for the service.	See default values in the configuration.

Dependencies:

PostgreSQL

Version: 16.3.0
Repository: https://charts.bitnami.com/bitnami
How to disable: Set auth-database.enabled to false in the values file.
Note: If you have an existing PostgreSQL instance, you can disable this dependency and configure Midaz Components to use your external PostgreSQL, like this:

Important: When using an external Postgres instance, make sure to load the init SQL file 00_init.sql into your database.

auth:
  configmap:
    DB_HOST: { your-host }
    CASDOOR_DB_USER: { your-host-user }
    CASDOOR_DB_PORT: { your-host-port }
    
  secrets:
    DB_PASSWORD: { your-host-pass }

Valkey

Version: 2.4.7
Repository: https://charts.bitnami.com/bitnami
How to disable: Set valkey.enabled to false in the values file.

Note: If you have an existing Valkey or Redis instance, you can disable this dependency and configure Midaz Components to use your external instance, like this:

auth:
  configmap:
    REDIS_HOST: { your-host }
    REDIS_PORT: { your-host-port }
    REDIS_USER: { your-host-user }

  secrets:
    REDIS_PASSWORD: { your-host-pass }

This site is open source. Improve this page.