Helm chart

Prerequisites

  • The helm command-line tool.

  • The kubectl command-line tool.

  • Access to a Kubernetes environment (cloud, on-premises, or a local environment that implements LoadBalancer resources).

NOM server Helm chart

  • Download the NOM server Helm chart from the Neo4j Deployment Center.

  • The reference values.yaml for the NOM server Helm chart is shown below:

# Default values for neo4j-ops-manager-server.

# Refer to "https://neo4j.ac.cn/docs/ops-manager/current/installation/server/#config_ref"
config:
  logFileName: ""
  logLevel: "info"
  maxHeapSize: "8g"
  jwtTTL: "2h"
  grpcAdvertisedHost: "" # set this if the gRPC endpoint is reachable on a different host/IP than the service default
  grpcAdvertisedPort: "" # set this if the gRPC endpoint is reachable on a different port than the service default

# An optional reference to a secret that contains some or all values for NOM secrets
# Secret name and key should be specified
secretsFromSecrets:
  # storage keys
  storageUri:
    secretName: ""
    key: "" # key in Secret for Storage URI
  storageUsername:
    secretName: ""
    key: "" # key in Secret for Storage username
  storagePassword:
    secretName: ""
    key: "" # key in Secret for Storage password
  # tls keys
  tlsPassword:
    secretName: ""
    key: "" # key in Secret for tls password
  tlsPkcs12CertFileContent:
    secretName: ""
    key: "" # key in Secret for tls pkcs12CertFileContent
  # jwt keys
  jwtSecret:
    secretName: ""
    key: "" # key in Secret for jwt secret
  # mTls keys
  mTlsAgentCerts:
    secretName: ""
    key: "" # key in Secret for mTls agentCerts
  ingressTlsCert:
    secretName: ""
    key: "" # key in Secret for ingress TLS certificate (PEM)
  ingressTlsKey:
    secretName: ""
    key: "" # key in Secret for ingress TLS private key (PEM)

secrets:
  # storage
  storageUri: ""
  storageUsername: ""
  storagePassword: ""
  # tls
  tlsPassword: ""
  tlsPkcs12CertFileContent: ""
  # jwt
  jwtSecret: ""
  # mTls
  mTlsAgentCerts: "" # pem encoded string
  # ingress tls
  ingressTlsCert: "" # pem encoded string
  ingressTlsKey: "" # pem encoded string

service:
  http:
    # annotations for http service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 443
    loadBalancerIP: "" # optional static load balancer IP
  grpc:
    # annotations for grpc service
    # For example, `service.beta.kubernetes.io/azure-load-balancer-internal: "true"` is an annotation used to enable
    # internal load balancers in Azure Kubernetes Service (AKS) when public external IP addresses are less secure for
    # the K8s environment
    annotations: { }
    port: 9090
    loadBalancerIP: "" # optional static load balancer IP

ingress:
  enabled: false
  sslPassthrough: false
  ingressClassName: "nginx"
  annotations: { }
  httpHostName: ""
  grpcHostName: ""

nameOverride:

additionalVolumeMounts: []

image:
  name: neo4j/neo4j-ops-manager-server
  pullPolicy: IfNotPresent

hpa:
  spec:
    targetCPUUtilizationPercentage: 70

resources:
  limits:
    cpu: "2"
    memory: "8G"
  requests:
    cpu: "0.2"
    memory: "4G"

affinity: {}

nodeSelector: {}

tolerations: []

Using pre-provisioned secrets

Putting sensitive values into values.yaml in plain text is not acceptable in some environments. Such environments provision secrets externally, through a privileged user or a secrets agent such as the HashiCorp Vault Agent. These securely pre-provisioned secrets can supply the sensitive values of the NOM server Helm chart through the secretsFromSecrets configuration. Each entry needs the secretName of the existing Secret and the key within it that holds the NOM secret value. Below is an example values snippet demonstrating this use case, with inline comments:

secretsFromSecrets:
  storageUri:
    secretName: "secret1"
    key: "uri"
  storageUsername:
    secretName: "secret2"
    key: "name"
  storagePassword: # The NOM secret this mapping feeds (here the storage password, i.e. secrets.storagePassword)
    secretName: "secret3" # Name of the existing Secret to map from
    key: "password" # The key in that Secret whose value becomes the NOM secret value

The chart resolves secretsFromSecrets references with Helm's lookup template function, which reads existing K8s Secrets (ones the chart did not create) at render time. In some environments lookup is disabled or returns nothing (for example under helm template or a client-side --dry-run), or the identity running helm is not permitted to read those Secrets. To handle such cases, pass the values of the existing Secrets to helm install as command-line parameters instead, as shown below. Quote each substitution and keep the base64 output on a single line (GNU base64 wraps at 76 columns by default), otherwise the embedded whitespace breaks --set parsing; bear in mind that anything passed with --set is visible in the process list and in shell history.

helm install -f values.yaml \
  --set secrets.<NOM secret key such as `storagePassword`>="$(kubectl get secret <secretName> -o jsonpath='{.data.<secretKey>}' | base64 -d)" \
  --set secrets.tlsPkcs12CertFileContent="$(base64 < server.pfx | tr -d '\n')" \
  <Helm release name> /path/to/neo4j-ops-manager-server-<VERSION>.tgz
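The one-liner above is easy to get wrong: an unquoted substitution splits on whitespace, a wrapped base64 blob breaks --set, a value containing a comma is read by helm as a second key=value pair, and the PKCS12 content ends up in the process's argument list. The script below is an added example, not part of the NOM chart or its documentation, that does the same job with those pitfalls handled. It assumes kubectl and helm are on PATH, that the current kube context may read the referenced Secrets, and it reuses the Secret names and keys (secret1/uri, secret2/name, secret3/password) from the values snippet above; the function names b64_oneline, helm_set_escape, secret_value and install_nom are this example's own.

```sh
#!/bin/sh
# Added example for passing pre-provisioned Secrets to `helm install`; not part of the
# NOM chart. Assumes kubectl and helm on PATH, a kube context that can read the
# Secrets, and the secret1/uri, secret2/name, secret3/password names from the page.
set -eu

# Base64-encode a file as one line. GNU base64 wraps at 76 columns and the wrapped
# newlines split a --set argument; stripping them with tr also works on BSD/macOS.
b64_oneline() {  # b64_oneline <file>
  base64 < "$1" | tr -d '\n'
}

# Escape a value for helm --set/--set-string: helm splits unescaped commas into
# separate key=value pairs, and a literal backslash must itself be escaped.
helm_set_escape() {  # helm_set_escape <value>
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g'
}

# Decode one key of an existing Secret. Keys containing dots need the bracket form,
# e.g. jsonpath="{.data['tls\.crt']}".
secret_value() {  # secret_value <namespace> <secretName> <key>
  kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}" | base64 -d
}

# Install the chart with storage credentials taken from existing Secrets and the
# PKCS12 bundle passed by file, so the blob never appears in `ps` or shell history.
install_nom() {  # install_nom <release> <chart.tgz> <namespace> <server.pfx>
  rel=$1; chart=$2; ns=$3; pfx=$4
  umask 077                      # temp file readable by the current user only
  b64tmp=$(mktemp)
  trap 'rm -f "$b64tmp"' EXIT
  b64_oneline "$pfx" > "$b64tmp"

  # --set-string keeps values such as "0123" or "true" as strings instead of letting
  # helm coerce them; every substitution is double-quoted so whitespace survives.
  helm install "$rel" "$chart" -n "$ns" -f values.yaml \
    --set-string "secrets.storageUri=$(helm_set_escape "$(secret_value "$ns" secret1 uri)")" \
    --set-string "secrets.storageUsername=$(helm_set_escape "$(secret_value "$ns" secret2 name)")" \
    --set-string "secrets.storagePassword=$(helm_set_escape "$(secret_value "$ns" secret3 password)")" \
    --set-file "secrets.tlsPkcs12CertFileContent=$b64tmp"
}

# Usage: sh nom-install.sh install <release> <chart.tgz> <namespace> <server.pfx>
if [ "${1:-}" = "install" ]; then
  install_nom "$2" "$3" "$4" "$5"
fi
```

The storage credentials still pass through argv here because that is what the page's procedure does; if that is also unacceptable in your environment, write them with b64_oneline-style helpers into a 0600 temporary values file and pass it with -f instead.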

Ingress support

  • An Ingress resource can be deployed with the NOM server chart to provide hostname-based routing and SSL termination.

  • Enable Ingress support, with SSL terminated at the Ingress, using the following values.yaml settings:

secrets:
  ingressTlsCert: "<cert file content as PEM encoded string>"
  ingressTlsKey: "<key file content as PEM encoded string>"

ingress:
  enabled: true
  sslPassthrough: false
  ingressClassName: "<your ingress controller class name e.g nginx>"
  annotations: { }
  httpHostName: "<Hostname/domain for NOM server http endpoints>"
  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"

  • Terminating SSL at the Ingress means that TLS is handled by the Ingress itself rather than by the NOM server. To enable this, the additional ingressTlsCert and ingressTlsKey secrets must be configured as in the example above. The usual practice is to have a tool such as cert-manager provision and renew the certificate Secret.

  • annotations can be used to further customize the behaviour of your Ingress controller for this Ingress resource according to your requirements.

Disabling SSL termination

  • If you do not want the Ingress resource to handle SSL termination and only want to use it for hostname routing and load balancing, the Ingress must allow SSL passthrough and the NOM server must be configured with the certificates described earlier. Passthrough is a controller feature, not only an Ingress setting: ingress-nginx, for example, ignores passthrough unless the controller runs with --enable-ssl-passthrough. Below is an SSL passthrough example:

ingress:
  enabled: true
  sslPassthrough: true
  ingressClassName: "<your ingress controller class name e.g nginx>"
  annotations: { }
  httpHostName: "<Hostname/domain for NOM server http endpoints>"
  grpcHostName: "<Hostname/domain for NOM server grpc endpoints>"
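Whether TLS ends at the Ingress or is passed through to the NOM server shows in the certificate a client receives for each hostname, which makes both configurations above easy to verify. The script below is an added example, not part of the NOM chart, that compares the certificate served for httpHostName and grpcHostName with the ingressTlsCert PEM and with the leaf certificate inside the server's PKCS12 bundle (the tlsPkcs12CertFileContent / tlsPassword pair). It assumes openssl on PATH and network access to the Ingress; the function names and the file names it uses are this example's own.

```sh
#!/bin/sh
# Added example for the Ingress sections; not part of the NOM chart. Reports which
# configured certificate (Ingress or NOM server) each hostname actually serves.
# Assumes openssl on PATH and that the Ingress is reachable on port 443.
set -eu

# SHA-256 fingerprint of the (first) certificate in a PEM file, as colon-separated hex.
pem_fingerprint() {  # pem_fingerprint <cert.pem>
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fingerprint of the leaf certificate served at host:port for a given SNI name.
# SNI matters: the Ingress routes on it, and with passthrough the server sees it too.
remote_fingerprint() {  # remote_fingerprint <host> <port> <sni>
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Extract the leaf certificate (no private key) from the server's PKCS12 bundle
# so it can be compared with what the network returns.
pkcs12_leaf_pem() {  # pkcs12_leaf_pem <server.pfx> <tlsPassword> <out.pem>
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

# Classify the certificate a hostname serves as "ingress", "server" or "unknown",
# print the result, and succeed only if it matches the expected layer.
check_host() {  # check_host <host> <port> <expected: ingress|server> <ingress.pem> <server.pem>
  seen=$(remote_fingerprint "$1" "$2" "$1")
  if [ "$seen" = "$(pem_fingerprint "$4")" ]; then layer=ingress
  elif [ "$seen" = "$(pem_fingerprint "$5")" ]; then layer=server
  else layer=unknown; fi
  echo "$1: $layer $seen"
  [ "$layer" = "$3" ]
}

# Usage: sh nom-tls-check.sh <httpHostName> <grpcHostName> <ingress|server> <ingress.pem> <server.pfx> <tlsPassword>
if [ $# -eq 6 ]; then
  pkcs12_leaf_pem "$5" "$6" server-leaf.pem
  check_host "$1" 443 "$3" "$4" server-leaf.pem
  check_host "$2" 443 "$3" "$4" server-leaf.pem
fi
```

With sslPassthrough: false both hostnames should report ingress; with sslPassthrough: true both should report server. A result of unknown usually means the SNI name matched no Ingress rule and the controller's default certificate was served, which is worth resolving before agents are pointed at grpcHostName.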