Skip to main content
Version: 1.3.2

Kubernetes deployment

Prerequisites

Kubernetes

  • Kubernetes 1.14+
  • Helm 3.1.0+
  • (optional: PersistentVolume (PV) provisioner support in the underlying infrastructure - if job metadata are stored in the MariaDB)
  • (optional: sealed secrets )

Container Image Access

Because the images used in this chart are from a private container registry you need to have

  • access to the container registry registry.jadice.com
  • OR access to a proxy registry of registry.jadice.com

Since the used Helm charts come from a private container registry, they also require

  • access to the helm registry artifacts.jadice.com

For details see image pull secrets.


Installing the Chart

On this page we showcase how to install a jadice flow product via its corresponding Helm Chart.

Download Helm Chart

There is the option to download a Helm Chart with the command:

$ helm pull levigo/jf-ocr-bundle

Install from jadice helm repository

In this case our release name will be my-release:

$ helm repo add levigo https://artifacts.jadice.com/repository/helm-charts/ --username <username>
Password: <enter your password>
$ helm install my-release levigo/jf-ocr-bundle

These commands deploy the OCR (optical character recognition) product (described here as an example product) on the Kubernetes cluster with the default configuration.

The first command adds a Helm repository to your repositories. You now have access to the Helm chart in your helm cli. The second command install the chart with the release name my-release.

Detailed instructions for products can be found in the products section. The configuration section lists the parameters that can be configured - in this case for the ocr product.

Tip: Show all installed (deployed) releases using helm list

Uninstalling the Chart

To uninstall and delete the deployment you can execute the command:

$ helm uninstall my-release

This command removes all the Kubernetes components associated with the chart and deletes the Helm release.

Parameters

Required Parameters

By default, the jadice flow products use the eureka storage backend and an embedded H2 database. This means only the access to the jadice container registry must be configured as described below.

On how-to replace eureka with S3 or WebDAV see in the optional parameters section and secrets and if you don't want to use the embedded H2 database follow the instructions in database.

Image pull secrets

To access the container registry with the jadice flow images you have the following three options:

  1. provide the name of an existing Kubernetes registry-secret via jadiceFlow.image.pullSecrets.

    For instructions on how to create a Kubernetes docker-registry secret check out the Documentation or the output of kubectl create secret docker-registry --help

  2. provide the credentials to the registry via the following parameters:

ParameterDescriptionDefault
secrets.imageRegistry.serverserver of the container Registryregistry.jadice.com
secrets.imageRegistry.usernameusername for the container Registrynil
secrets.imageRegistry.passwordpassword for the container Registrynil
  1. For sealed secrets, you can encrypt the content of a ~/.docker/config.json file as a String and provide this as the value for the parameter secrets.imageRegistry.dockerconfigjson.

    To create this String you could run the following command:

    kubectl create secret docker-registry registry-secret \
    --docker-username=<user> \
    --docker-password=<password> \
    --docker-server=registry.jadice.com \
    --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]' | base64 -d | kubeseal --raw --from-file=/dev/stdin --namespace <namespace> --name registry-secret

    Note:

    • requires jq and kubeseal
    • replace <user>, <password>, <namespace> with the respective values.

Optional Parameters

Global Parameters

Global Parameters

These values can be defined globally, overwriting the values defined for each component, including the MariaDB chart.

ParameterDescriptionDefault
global.imageRegistryGlobal Docker image registrynil
global.imagePullSecretsGlobal Docker registry secret names as an array[] (does not add image pull secrets to deployed pods)
global.storageClassGlobal storage class for dynamic provisioningnil
global.jadiceFlow.storageTypeDefine what type of storage to use ("eureka","s3","webdav").eureka
jadiceFlow

jadiceFlow

These parameters configure all jadice flow components but not the MariaDB. They overwrite the component-specific parameters for "jf-controller" and "jfWorker".

ParameterDescriptionDefault
jadiceFlow.serviceAccount.createSets whether a ServiceAccount name shall be created automaticallytrue
jadiceFlow.serviceAccount.nameIf not set and jadiceFlow.serviceAccount.create is true, a name is generated using the filename templatenil
jadiceFlow.serviceAccount.annotationsAdditional annotations for configuring the ServiceAccountnil
secrets

secrets

If you want to use your own storage or database, you can provide the credentials via the following values.

The charts also support the use of Sealed Secrets instead of regular Kubernetes secrets. Simply set secrets.useSealedSecrets to true and use the encrypted values for the parameters below.

ParameterDescriptionDefault
secrets.useSealedSecretsusage of sealed secretesfalse
secrets.controller.accessTokenthe jadice flow access tokennil
secrets.controller.database.passwordthe controller DB passwordnil
secrets.controller.database.usernamethe controller DB usernamenil
secrets.s3.bucketthe S3 bucketnil
secrets.s3.endpointthe URL of the S3 servernil
secrets.s3.accessKeythe S3 access keynil
secrets.s3.secretKeythe S3 secret keynil
secrets.s3.protocolHTTP or HTTPShttps
secrets.webdav.endpointthe URL of the WebDAV servernil
secrets.webdav.usernamethe username for the WebDAV servernil
secrets.webdav.passwordthe password for the WebDAV servernil
secrets.webdav.outputPaththe WebDAV path where the result are putnil
secrets.eureka.usernamethe username for the eureka servernil
secrets.eureka.passwordthe password for the eureka servernil
jf-controller

jf-controller

These parameters configure the jadice flow controller component.

ParameterDescriptionDefault
jf-controller.image.registryjf container registryregistry.jadice.com
jf-controller.image.repositoryimage namejf-controller
jf-controller.image.tagimage tag1.0.0
jf-controller.image.pullPolicyimage pull policyIfNotPresent
jf-controller.ingress.enabledEnable / Disable the ingress for the jf-controller service. In order for this service to work user access is needed, hence some kind of access for an operator has to be provided.true
jf-controller.ingress.annotationsAdditional annotations for configuring the ingress (in this case an nginx ingress).Depends on the specific ingress implementation.
jf-controller.ingress.hostsThe hostname of the jf-controller service and eventual path rewrites. In this case most likely on the hostname has to be adjusted to the new stack.Desired hostname
jf-controller.ingress.tlsFor configuring the corresponding TLS secrets of the previously defined hostnames.Related tls secrets for the previous hostnames
jf-controller.ingress.classNameThe ingress class name.nil
jf-controller.jobtemplatesConfigMapuse this ConfigMap instead of the default 'jobtemplates.yaml'nil
jf-controller.workersConfigMapuse this ConfigMap instead of the default 'workers.yaml'nil
jf-controller.concurrentWorkerInvocationsPerTypeset concurrent worker invocations per type1
jf-controller.concurrentJobCountset concurrent job count4

If you want access the bundle from outside the cluster you can define Ingress resources that could look like this:

Ingress Example
jf-controller:
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/configuration-snippet: |
server_tokens off;
location /actuator {
deny all;
return 403;
}
hosts:
- host: jf-controller.acme.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: jf-controller.acme.com
hosts:
- jf-controller.acme.com

Keep in mind this is only an example making certain assumptions. E.g. this assumes you are using Cert Manager and have defined a cluster-issuer with the name of letsencrypt-prod. For more information on Cert Manager and how to create a certificate, see Certificate. It also hides the actuator endpoints from external access. Depending on your monitoring solution this may not be feasible.

jf-worker

jf-worker

All workers support the following parameters. Worker specific parameters are described in the worker section.

worker example: jf-worker-tessocr:

ParameterDescriptionDefault
jf-worker-tessocr.image.registryjf container registryregistry.jadice.com
jf-worker-tessocr.image.repositoryimage namejf-worker-tessocr
jf-worker-tessocr.image.tagimage tag1.0.0
jf-worker-tessocr.image.pullPolicyimage pull policyIfNotPresent
jf-worker-tessocr.replicaCountNumber of replicas to start1
jf-worker-tessocr.worker.monitoring.enabledEnable Prometheus monitoringfalse
jf-worker-tessocr.worker.tracing.enabledEnable Jaeger tracingfalse
Database

Database

The default database is an embedded H2-Database. If required, jadice flow controller can be configured to use a different database. To use an existing external database set these parameters:

ParameterDescriptionDefault
secrets.controller.database.passwordthe controller DB passwordnil
secrets.controller.database.usernamethe controller DB usernamenil
jf-controller.datasource.jdbcUrlexample: "jdbc:mariadb://mariadb/jadice-flow-db"nil
Data Storage

Data Storage

The default data store for job results is a eureka service, but other types like S3 and WebDAV are also supported. It requires zero configuration for test installations. It's also possible to enabling persistence and configuring other storage backends.

By default, the expiration time of saved job results is 3 minutes. The expiryTimeMinutes can be configured in the values.yaml:

eureka:
storage:
ehcache:
# enabled: true
# rootPath: ${user.dir}/neverpile-eureka_default
# heapEntries: 500
# diskSize: 1024
expiryTimeMinutes: 5

Sample values.yaml configuration

A minimal values.yaml containing only the necessary parameters:

minimal-values.yaml
secrets:
imageRegistry:
server: registry.jadice.com
username: <username>
password: <password>

Further customization options, as well as the default values file can be found in the repository in the values.yaml, as well as in the products section or the README.md of the respective product.

$ helm pull "levigo/jf-ocr-bundle" --untar
$ cat jf-ocr-bundle/README.md

Validate Installation with Postman

To validate your deployment you can use the Postman collection jadice-flow tutorial ocr.postman_collection.json that is part of this Helm chart. For instructions on how to import a collection see Importing data into Postman.

After you have imported the collection you need to create a variable JF_CONTROLLER_URL pointing to your jf-controller (e.g. https://jf-controller.email.acme.com) and add your access token as a Bearer Token to the collection. Information about the jadice flow REST-API can be found here.