Deploying using Helm

This guide provides instructions on how to install and configure a Midaz environment for Kubernetes using Helm, covering key aspects such as Ingress controllers, observability, and dependencies.


Before you start


Before deploying Midaz with Helm, ensure you have the following:

For a better understanding of every dependency and architecture layer, we recommend reading the Midaz components architecture documentation first.


How to deploy Midaz


To install Midaz using Helm, run the following command:

$ helm install midaz oci://registry-1.docker.io/lerianstudio/midaz-helm --version <version> -n midaz --create-namespace

Because of the --create-namespace flag, this creates the midaz namespace if it doesn't already exist, and then deploys the Midaz Helm chart into it.

After installation, you can verify that the release was successful by listing the Helm releases in the midaz namespace:

$ helm list -n midaz

Helm Chart Source

The Helm chart used in this guide is available on GitHub in the helm repository. Check it out if you need to modify values or extend functionality.


Configuring Ingress for Different Controllers


The Midaz Helm chart supports different Ingress controllers for exposing services when needed. You can enable Ingress for the following services: Transaction, Ledger, and Console.

Before configuring Ingress, make sure you have an Ingress controller installed in your cluster. Use the values.yaml file to configure the Ingress according to your controller.

The following snippets show the configuration for commonly used controllers, in this order: NGINX Ingress, AWS Application Load Balancer (ALB), and Traefik.

ingress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"  # Ensure this issuer exists in your cluster
    nginx.ingress.kubernetes.io/rewrite-target: /
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists or is managed by cert-manager
      hosts:
        - midaz.example.com

ingress:
  enabled: true
  className: "alb"
  annotations:
    alb.ingress.kubernetes.io/scheme: internal  # Use "internet-facing" for public ALB
    alb.ingress.kubernetes.io/target-type: ip   # Use "instance" if targeting EC2 instances
    alb.ingress.kubernetes.io/group.name: "midaz"  # Group ALB resources under this name
    alb.ingress.kubernetes.io/healthcheck-path: "/healthz"  # Health check path
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'  # Listen on HTTP and HTTPS
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls: []  # TLS is managed by the ALB using ACM certificates

ingress:
  enabled: true
  className: "traefik"
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "web, websecure"  # Entrypoints defined in Traefik
    traefik.ingress.kubernetes.io/router.tls: "true"  # Enable TLS for this route
  hosts:
    - host: midaz.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: midaz-tls  # Ensure this secret exists and contains the TLS certificate
      hosts:
        - midaz.example.com



Configuring Observability


We use the Grafana OpenTelemetry LGTM Docker image for observability within Midaz. This component collects, processes, and exports telemetry data such as traces and metrics.

Accessing Grafana dashboard

To access the observability dashboard, forward the Grafana port with the following command:

$ kubectl port-forward svc/midaz-otel 3000:3000 -n midaz

After running the command, you will be able to navigate to the dashboard at http://localhost:3000.


Allowing access through DNS to the Grafana dashboard

If you want to access the observability dashboard internally using a custom DNS (e.g., within your Kubernetes cluster or private network), you need to enable and configure the Ingress for the otel component in the values.yaml file.

Here's an example configuration for an internal Ingress:

otel:
  enabled: true
  name: otel

  ingress:
    enabled: true
    className: "nginx"  # Use an internal Ingress class (e.g., nginx-internal)
    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /
      # Optional: comma-separated CIDRs allowed to reach the dashboard (e.g., "10.0.0.0/8");
      # leaving the value empty applies no source restriction
      nginx.ingress.kubernetes.io/whitelist-source-range: ""
    hosts:
      - host: "midaz-otel.example.com"  # Replace with your custom internal DNS
        paths:
          - path: /
            pathType: Prefix
    tls: []  # TLS is optional for internal access
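As an added example (not part of the original page or the Midaz chart), the Python script below audits a Midaz values file for the settings discussed in the Ingress and observability sections above: an enabled Ingress on Ledger, Transaction, Console or otel without a tls block when the class is not alb (where the ALB terminates TLS with ACM certificates), an otel dashboard Ingress whose whitelist-source-range annotation is empty, and a component whose container securityContext is left at the chart's empty default. The sample values are constructed here and written as JSON, which is valid YAML and therefore usable as a Helm values file; the secret names and the 10.0.0.0/8 range are assumptions.

```python
import json

# Services the chart can expose through Ingress, plus the otel (Grafana) dashboard.
INGRESS_SERVICES = ("ledger", "transaction", "console", "otel")
WORKLOADS = ("ledger", "transaction", "audit", "console")
WHITELIST = "nginx.ingress.kubernetes.io/whitelist-source-range"


def audit_values(values: dict) -> list:
    """Return findings for risky Ingress and security-context settings in a values file."""
    findings = []
    for svc in INGRESS_SERVICES:
        ing = values.get(svc, {}).get("ingress", {})
        if not ing.get("enabled"):
            continue
        cls = ing.get("className", "")
        # The alb class terminates TLS with ACM certificates; every other class needs a tls block.
        if cls != "alb" and not ing.get("tls"):
            findings.append(f"{svc}: ingress enabled with className '{cls}' but no TLS configured")
        # The Grafana dashboard should only be reachable from the networks listed in the whitelist.
        if svc == "otel" and not ing.get("annotations", {}).get(WHITELIST, "").strip():
            findings.append("otel: Grafana ingress has no whitelist-source-range restriction")
    for svc in WORKLOADS:
        comp = values.get(svc)
        if comp is not None and not comp.get("securityContext"):
            findings.append(f"{svc}: container securityContext is empty (chart default)")
    return findings


# Constructed sample values, written as JSON (valid YAML, so Helm accepts them as a values file).
WEAK_VALUES = json.loads("""{
  "ledger": {"securityContext": {},
             "ingress": {"enabled": true, "className": "nginx", "annotations": {}, "tls": []}},
  "otel": {"enabled": true,
           "ingress": {"enabled": true, "className": "nginx", "tls": [],
                       "annotations": {"nginx.ingress.kubernetes.io/whitelist-source-range": ""}}}
}""")

HARDENED_VALUES = json.loads("""{
  "ledger": {"securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false},
             "ingress": {"enabled": true, "className": "nginx", "annotations": {},
                         "tls": [{"secretName": "midaz-tls", "hosts": ["midaz.example.com"]}]}},
  "otel": {"enabled": true,
           "ingress": {"enabled": true, "className": "nginx",
                       "annotations": {"nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/8"},
                       "tls": [{"secretName": "midaz-otel-tls", "hosts": ["midaz-otel.example.com"]}]}}
}""")

if __name__ == "__main__":
    for name, vals in (("weak", WEAK_VALUES), ("hardened", HARDENED_VALUES)):
        print(name, audit_values(vals) or ["no findings"])
```

Run it against your own values file by loading it with a YAML parser and passing the resulting dict to audit_values; the weak sample above yields four findings and the hardened one none.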

Disabling observability

If necessary, the deployment of this component can be disabled by setting otel.enabled to false in the values file.

otel:
  enabled: false

Configuring Dependencies


This installation bundles a set of dependencies that are enabled by default for the project's standard setup.

Depending on your environment, you can disable any of them in the values file by setting its enabled flag to false, and then configure the Midaz components to use your existing instances.

| Dependency | Version | Enabled Flag | Repository |
|---|---|---|---|
| Redis | 19.3.4 | redis.enabled | https://charts.bitnami.com/bitnami |
| PostgreSQL | 16.3.0 | postgresql.enabled | https://charts.bitnami.com/bitnami |
| PostgreSQL (Alias: casdoordb) | 16.3.0 | casdoordb.enabled | https://charts.bitnami.com/bitnami |
| MongoDB | 15.4.5 | mongodb.enabled | https://charts.bitnami.com/bitnami |
| MariaDB | 20.2 | mariadb.enabled | https://charts.bitnami.com/bitnami |
| RabbitMQ | 16.0.0 | rabbitmq.enabled | https://charts.bitnami.com/bitnami |
| Casdoor Helm Charts | 1.799.0 | Learn more at Midaz Security (https://docs.lerian.studio/docs/midaz-security) | oci://registry-1.docker.io/casbin |

Midaz Components


The Midaz system runs on four distinct layers that work together, each deployed as a segregated workload. The chart parameters for each layer are listed below.

Ledger

| Parameter | Description | Default Value |
|---|---|---|
| ledger.name | Resource name. | "ledger" |
| ledger.replicaCount | Number of replicas. | 2 |
| ledger.image.repository | Docker image repository for Ledger. | "lerianstudio/midaz-ledger" |
| ledger.image.pullPolicy | Docker image pull policy. | "IfNotPresent" |
| ledger.image.tag | Docker image tag. Overrides the chart appVersion. | "1.45.0" |
| ledger.imagePullSecrets | Secrets for pulling images from private registries. | [] |
| ledger.nameOverride | Overrides the name of the release. | "" |
| ledger.fullnameOverride | Overrides the full name of the release. | "" |
| ledger.podAnnotations | Annotations for the pods. | [] |
| ledger.podSecurityContext | Security context applied at the pod level. | {} |
| ledger.securityContext | Security context applied at the container level. | {} |
| ledger.service.type | Service type. | "ClusterIP" |
| ledger.service.port | Service port. | 3000 |
| ledger.service.grpcPort | gRPC service port. | 3001 |
| ledger.ingress.enabled | Specifies whether Ingress is enabled. | false |
| ledger.ingress.className | Ingress class. | "" |
| ledger.ingress.annotations | Annotations for Ingress, including ALB configurations. | [] |
| ledger.ingress.hosts | Configured hosts for Ingress and associated paths. | "" |
| ledger.ingress.tls | TLS configurations for Ingress. | [] |
| ledger.resources.limits.cpu | CPU limit allocated for the pods. | "200m" |
| ledger.resources.limits.memory | Memory limit allocated for the pods. | "256Mi" |
| ledger.resources.requests.cpu | Minimum CPU request for the pods. | "100m" |
| ledger.resources.requests.memory | Minimum memory request for the pods. | "128Mi" |
| ledger.autoscaling.enabled | Specifies whether autoscaling is enabled. | true |
| ledger.autoscaling.minReplicas | Minimum number of replicas for autoscaling. | 1 |
| ledger.autoscaling.maxReplicas | Maximum number of replicas for autoscaling. | 3 |
| ledger.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage for autoscaling. | 80 |
| ledger.nodeSelector | Node selectors for pod scheduling. | {} |
| ledger.tolerations | Tolerations for pod scheduling. | {} |
| ledger.affinity | Affinity rules for pod scheduling. | {} |
| ledger.configmap | Additional configurations in ConfigMap. | {} |
| ledger.secrets | Additional secrets for the service. | {} |
| ledger.serviceAccount.create | Specifies whether the service account should be created. | true |
| ledger.serviceAccount.annotations | Annotations for the service account. | {} |
| ledger.serviceAccount.name | Service account name. If not defined, it will be generated automatically. | "" |

Transaction

| Parameter | Description | Default Value |
|---|---|---|
| transaction.name | Transaction resource name. | "transaction" |
| transaction.replicaCount | Number of service replicas. | 1 |
| transaction.image.repository | Docker image repository for Transaction. | "lerianstudio/midaz-transaction" |
| transaction.image.pullPolicy | Docker image pull policy. | "IfNotPresent" |
| transaction.image.tag | Docker image tag. | "1.45.0" |
| transaction.podAnnotations | Annotations for the pods. | {} |
| transaction.service.type | Service type. | "ClusterIP" |
| transaction.service.port | Service port. | 3002 |
| transaction.ingress.enabled | Specifies whether Ingress is enabled. | false |
| transaction.ingress.className | Ingress class. | "" |
| transaction.ingress.annotations | Annotations for Ingress. | {} |
| transaction.ingress.hosts | Configured hosts for Ingress and associated paths. | "" |
| transaction.ingress.tls | TLS configurations for Ingress. | [] |
| transaction.resources.limits.cpu | CPU limit allocated for the pods. | "200m" |
| transaction.resources.limits.memory | Memory limit allocated for the pods. | "256Mi" |
| transaction.resources.requests.cpu | Minimum CPU request for the pods. | "100m" |
| transaction.resources.requests.memory | Minimum memory request for the pods. | "128Mi" |
| transaction.autoscaling.enabled | Specifies whether autoscaling is enabled. | true |
| transaction.autoscaling.minReplicas | Minimum number of replicas for autoscaling. | 1 |
| transaction.autoscaling.maxReplicas | Maximum number of replicas for autoscaling. | 3 |
| transaction.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage for autoscaling. | 80 |
| transaction.nodeSelector | Node selectors for pod scheduling. | {} |
| transaction.tolerations | Tolerations for pod scheduling. | {} |
| transaction.affinity | Affinity rules for pod scheduling. | {} |
| transaction.configmap | Additional configurations in ConfigMap. | {} |
| transaction.secrets | Additional secrets for the service. | {} |
| transaction.serviceAccount.create | Specifies whether the service account should be created. | true |
| transaction.serviceAccount.annotations | Annotations for the service account. | {} |
| transaction.serviceAccount.name | Service account name. If not defined, it will be generated automatically. | "" |

Audit

| Parameter | Description | Default Value |
|---|---|---|
| audit.name | Application deployment name. | "audit" |
| audit.replicaCount | Number of application replicas. | 1 |
| audit.image.repository | Docker image repository for the application. | "lerianstudio/midaz-audit" |
| audit.image.pullPolicy | Docker image pull policy. | "IfNotPresent" |
| audit.image.tag | Docker image tag. | "1.45.0" |
| audit.imagePullSecrets | Image pull secrets. | [] |
| audit.nameOverride | Application name override. | "" |
| audit.fullnameOverride | Full application name override. | "" |
| audit.podAnnotations | Additional annotations for the pods. | [] |
| audit.podSecurityContext | Security context for the pods. | {} |
| audit.securityContext | Security context for the container. | {} |
| audit.service.type | Kubernetes service type. | "ClusterIP" |
| audit.service.port | HTTP service port. | 3005 |
| audit.ingress.enabled | Enable or disable Ingress. | false |
| audit.ingress.className | Ingress class. | "" |
| audit.ingress.annotations | Additional annotations for Ingress. | {} |
| audit.ingress.hosts | List of configured hosts for Ingress. | "chart-example.local" |
| audit.ingress.tls | TLS configuration for Ingress. | [] |
| audit.resources.limits.cpu | CPU limit for the main container. | "200m" |
| audit.resources.limits.memory | Memory limit for the main container. | "256Mi" |
| audit.resources.requests.cpu | CPU request for the main container. | "100m" |
| audit.resources.requests.memory | Memory request for the main container. | "128Mi" |
| audit.server.image.repository | Trillian Log Server image repository. | "gcr.io/trillian-opensource-ci/log_server" |
| audit.server.service.httpPort | Server HTTP port. | 8091 |
| audit.server.service.grpcPort | Server gRPC port. | 8090 |
| audit.server.resources.limits.cpu | CPU limit for the server. | "200m" |
| audit.server.resources.limits.memory | Memory limit for the server. | "256Mi" |
| audit.server.resources.requests.cpu | CPU request for the server. | "100m" |
| audit.server.resources.requests.memory | Memory request for the server. | "128Mi" |
| audit.signer.image.repository | Trillian Log Signer image repository. | "gcr.io/trillian-opensource-ci/log_signer" |
| audit.signer.service.httpPort | Signer HTTP port. | 8092 |
| audit.signer.service.grpcPort | Signer gRPC port. | 8093 |
| audit.signer.resources.limits.cpu | CPU limit for the signer. | "200m" |
| audit.signer.resources.limits.memory | Memory limit for the signer. | "256Mi" |
| audit.signer.resources.requests.cpu | CPU request for the signer. | "100m" |
| audit.signer.resources.requests.memory | Memory request for the signer. | "128Mi" |
| audit.autoscaling.enabled | Enable horizontal autoscaling. | true |
| audit.autoscaling.minReplicas | Minimum number of replicas for autoscaling. | 1 |
| audit.autoscaling.maxReplicas | Maximum number of replicas for autoscaling. | 3 |
| audit.autoscaling.targetCPUUtilizationPercentage | CPU utilization percentage for autoscaling. | 80 |
| audit.nodeSelector | Node selector for pod scheduling. | {} |
| audit.tolerations | Tolerations for pod scheduling. | {} |
| audit.affinity | Affinity configuration for pod scheduling. | {} |
| audit.configmap | Additional configurations for ConfigMap. | {} |
| audit.secrets | Additional configurations for Secrets. | {} |
| audit.serviceAccount.create | Create a ServiceAccount for the pods. | true |
| audit.serviceAccount.annotations | Annotations for the ServiceAccount. | {} |
| audit.serviceAccount.name | ServiceAccount name. | "" |

Console

| Parameter | Description | Default Value |
|---|---|---|
| console.name | Resource name. | "console" |
| console.replicaCount | Number of replicas. | 1 |
| console.image.repository | Docker image repository for Console. | "lerianstudio/midaz-console" |
| console.image.pullPolicy | Docker image pull policy. | "IfNotPresent" |
| console.image.tag | Docker image tag. Overrides the default chart appVersion. | "1.2.0" |
| console.imagePullSecrets | Secrets for pulling Docker images. | [] |
| console.nameOverride | Overrides the resource name. | "" |
| console.fullnameOverride | Overrides the full resource name. | "" |
| console.podAnnotations | Annotations for the pods. | {} |
| console.podSecurityContext | Security context applied at the pod level. | {} |
| console.securityContext | Security context applied at the container level. | {} |
| console.service.type | Service type. | "ClusterIP" |
| console.service.port | Service port. | 8081 |
| console.ingress.enabled | Specifies whether Ingress is enabled. | false |
| console.ingress.className | Ingress class. | "" |
| console.ingress.annotations | Annotations for Ingress, including ALB configurations. | [] |
| console.ingress.hosts | Configured hosts for Ingress and associated paths. | "" |
| console.ingress.tls | TLS configurations for Ingress. | [] |
| console.resources.limits.cpu | CPU limit allocated for the pods. | "200m" |
| console.resources.limits.memory | Memory limit allocated for the pods. | "256Mi" |
| console.resources.requests.cpu | Minimum CPU request for the pods. | "100m" |
| console.resources.requests.memory | Minimum memory request for the pods. | "128Mi" |
| console.autoscaling.enabled | Specifies whether autoscaling is enabled. | true |
| console.autoscaling.minReplicas | Minimum number of replicas for autoscaling. | 1 |
| console.autoscaling.maxReplicas | Maximum number of replicas for autoscaling. | 3 |
| console.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage for autoscaling. | 80 |
| console.nodeSelector | Node selectors for pod scheduling. | {} |
| console.tolerations | Tolerations for pod scheduling. | {} |
| console.affinity | Affinity rules for pod scheduling. | {} |
| console.configmap | Additional configurations in ConfigMap. | { "NEXTAUTH_URL": "http://localhost:8081" } |
| console.secrets | Additional secrets for the service. | {} |
| console.serviceAccount.create | Specifies whether the service account should be created. | true |
| console.serviceAccount.annotations | Annotations for the service account. | {} |
| console.serviceAccount.name | Service account name. If not defined, it will be generated automatically. | "" |