Infra Helm Chart
The Infra Helm chart is the recommended way of installing Infra on Kubernetes.
Add Helm Repo
helm repo add infrahq https://helm.infrahq.com
helm repo update
Install Infra
helm upgrade --install infra infrahq/infra
Configuration Reference
helm show values infrahq/infra
Advanced Service Account Configuration
# example values.yaml
---
server:
  serviceAccount:
    annotations:
      # Google Workload Identity
      # https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
      iam.gke.io/gcp-service-account: <GSA_NAME>@<PROJECT_ID>.iam.gserviceaccount.com
      # AWS Service Account Role
      # https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html
      eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
Advanced Service Configuration
Internal Load Balancer
# example values.yaml
---
server:
  service:
    annotations:
      # If using Google GKE
      cloud.google.com/load-balancer-type: Internal
      # If using AWS EKS
      service.beta.kubernetes.io/aws-load-balancer-scheme: internal
      # If using Azure AKS (quoted: annotation values must be strings)
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
Health Check
# example values.yaml
---
server:
  service:
    annotations:
      # If using AWS EKS
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: HTTPS
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /healthz
      # If using Azure AKS
      service.beta.kubernetes.io/azure-load-balancer-health-probe-protocol: https # Kubernetes 1.20+
      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: healthz # Kubernetes 1.20+
      # If using Digital Ocean
      service.beta.kubernetes.io/do-loadbalancer-healthcheck-protocol: https
      service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: /healthz
Advanced Ingress Configuration
Infra server exposes port 80 (HTTP) and 443 (HTTPS). Use the following Ingress controller-specific examples to configure Ingress for Infra server.
Ambassador (Service Annotations)
# example values.yaml
---
server:
  service:
    type: ClusterIP
    annotations:
      getambassador.io/config: |-
        apiVersion: getambassador.io/v2
        kind: Mapping
        name: infra-https-mapping
        namespace: infrahq
        host: infrahq.example.com # edit me
        prefix: /
        service: http://infra
AWS Application Load Balancer Controller (ALB)
# example values.yaml
---
server:
  ingress:
    enabled: true
    hosts:
      - infra.example.com # edit me
    className: alb
    paths:
      - '/*'
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing # (optional: use "internal" for non-internet facing)
      alb.ingress.kubernetes.io/backend-protocol: HTTP
      alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
      alb.ingress.kubernetes.io/target-type: ip
      alb.ingress.kubernetes.io/group.name: infra # (optional: edit me to use an existing shared load balancer)
NGINX Ingress Controller
# example values.yaml
---
server:
  ingress:
    enabled: true
    hosts:
      - infra.example.com # edit me
    servicePort: 80
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
      nginx.ingress.kubernetes.io/proxy-http-version: "1.0"
      cert-manager.io/issuer: "letsencrypt-prod" # edit me
    tls:
      - hosts:
          - infra.example.com # edit me
        secretName: com-example-infra # edit me
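A pre-deploy lint for the annotation blocks shown in the Internal Load Balancer and ALB sections, as an added example that is not part of the Infra chart or its documentation. It flags annotation values that YAML parses as booleans or numbers (Kubernetes annotation values must be strings) and an internet-facing ALB scheme. Assumptions: `lint_values` and the sample input are constructed here, and the scanner reads space-indented values.yaml line by line rather than being a full YAML parser.

```python
import re

# Bare YAML scalars that parse as bool or number, not the string an annotation needs.
NON_STRING = re.compile(r"^(true|false|[-+]?\d+(\.\d+)?)$", re.IGNORECASE)

def lint_values(text):
    """Return (line_number, message) findings inside `annotations:` blocks."""
    findings, block, scalar = [], None, None  # block/scalar hold key indents
    for num, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if scalar is not None and indent > scalar:
            continue  # body of a | or > block scalar (e.g. the Ambassador Mapping)
        scalar = None
        if block is not None and indent <= block:
            block = None  # dedented out of the annotations block
        if stripped == "annotations:":
            block = indent
            continue
        if block is None or ":" not in stripped:
            continue
        key, _, value = (part.strip() for part in stripped.partition(":"))
        if value[:1] in ("|", ">"):
            scalar = indent
            continue
        quoted = value[:1] in ("'", '"')
        value = value[1:].partition(value[0])[0] if quoted else value.partition(" #")[0].strip()
        if not quoted and NON_STRING.match(value):
            findings.append((num, f"{key}: bare {value} is not a string, quote it"))
        if key == "alb.ingress.kubernetes.io/scheme" and value == "internet-facing":
            findings.append((num, f"{key}: load balancer is internet-facing"))
    return findings

SAMPLE = """# Constructed sample values.yaml for this example (not from the Infra project)
server:
  service:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      getambassador.io/config: |-
        prefix: /
  ingress:
    annotations:
      alb.ingress.kubernetes.io/scheme: internet-facing # edit me
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
"""

if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in lint_values(SAMPLE)), sep="\n")
```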
Uninstall Infra
# Remove Infra
helm uninstall infra
# Remove potential secrets created for Infra
kubectl delete secret/infra-okta
# Remove rolebindings & clusterrolebindings created by Infra connector
kubectl delete clusterrolebindings,rolebindings -l app.kubernetes.io/managed-by=infra --all-namespaces