Mender

Mender is a robust and secure way to update all your software and deploy your IoT devices at scale with support for customization.

TL;DR;

Using helm:

helm install mender ./mender

Introduction

This chart bootstraps a Mender deployment on a Kubernetes cluster using the Helm package manager.

Prerequisites

Object storage setup

Supported object storage services are:

You can also use other S3-compatible object storage services like MinIO or SeaweedFS, for development and testing purposes only.

The following are some sample setups. Please refer to the official documentation of the object storage service you are using for more information.

Amazon S3

Create a new bucket in Amazon S3, then an IAM user and an access key for it with the proper permissions to access the bucket.

You can find the required permissions in the Requirements section of the official documentation.

Then, export the following environment variables:

export AWS_ACCESS_KEY_ID="replace-with-your-access-key-id"
export AWS_SECRET_ACCESS_KEY="replace-with-your-secret-access-key"
export AWS_REGION="replace-with-your-aws-region"
export STORAGE_BUCKET="replace-with-your-bucket-name"

SeaweedFS

As an alternative to Amazon S3, you can install SeaweedFS, an S3-compatible solution.

Important: the following setup is intended for development and testing purposes only. For production usage, it's recommended to use an external object storage service like AWS S3 or Azure Blob Storage.

Installing SeaweedFS:

export STORAGE_CLASS="default"
export STORAGE_BUCKET="replace-with-your-bucket-name"

cat >seaweedfs.yml <<EOF
filer:
  s3:
    enabled: true
    enableAuth: true
    createBuckets:
      - name: "${STORAGE_BUCKET}"
  storageClass: ${STORAGE_CLASS}

s3:
  enabled: true
  enableAuth: true
EOF

helm repo add seaweedfs https://seaweedfs.github.io/seaweedfs/helm
helm repo update
helm install seaweedfs --wait -f seaweedfs.yml seaweedfs/seaweedfs

Finally, export the following environment variables, needed for installing Mender:

export AWS_ACCESS_KEY_ID=$(kubectl get secret seaweedfs-s3-secret -o jsonpath='{.data.admin_access_key_id}' | base64 -d)
export AWS_SECRET_ACCESS_KEY=$(kubectl get secret seaweedfs-s3-secret -o jsonpath='{.data.admin_secret_access_key}' | base64 -d)
export AWS_REGION="us-east-1"
export STORAGE_ENDPOINT="http://seaweedfs-s3:8333"

Installing Mender

This is the minimum configuration needed to install Mender:

export MENDER_SERVER_DOMAIN="mender.example.com"
export MENDER_SERVER_URL="https://${MENDER_SERVER_DOMAIN}"

cat >values.yaml <<EOF
global:
  s3:
    AWS_URI: "${MENDER_SERVER_URL}"
    AWS_BUCKET: "${STORAGE_BUCKET}"
    AWS_ACCESS_KEY_ID: "${AWS_ACCESS_KEY_ID}"
    AWS_SECRET_ACCESS_KEY: "${AWS_SECRET_ACCESS_KEY}"
  url: "${MENDER_SERVER_URL}"

ingress:
  enabled: true
  annotations:
    <your ingress controller specific annotations>
  hosts:
    - ${MENDER_SERVER_DOMAIN}
  tls:
    - secretName: <your-tls-secret>
      hosts:
        - ${MENDER_SERVER_DOMAIN}

api_gateway:
  storage_proxy:
    enabled: true
    url: "${STORAGE_ENDPOINT}"
    customRule: "PathRegexp(\`^/${STORAGE_BUCKET}\`)"

deployments:
  customEnvs:
    - name: DEPLOYMENTS_STORAGE_PROXY_URI
      value: "${MENDER_SERVER_URL}"

EOF

To install the chart with the release name my-release using helm:

helm install my-release -f values.yaml ./mender

The command deploys Mender on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Tip: List all releases using helm list

Upgrading from Helm Chart 5.x and Mender Server 3.7.x

Please refer to this document for the upgrade procedure details.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Complete list of parameters

The following table lists the global, default, and other parameters supported by the chart and their default values.

| Parameter | Description | Default |
|---|---|---|
| global.enterprise | Enable the enterprise features | true |
| global.hosted | Enable Hosted Mender specific features | false |
| global.priorityClassName | Optional pre-existing priorityClassName to be assigned to the workloads | nil |
| global.image.registry | Global Docker image registry | registry.mender.io |
| global.image.username | Global Docker image registry username | nil |
| global.image.password | Global Docker image registry password | password |
| global.image.tag | Global Docker image registry tag | mender-3.7.7 |
| global.mongodb.existingSecret | MongoDB existing secret with keys: MONGO and MONGO_URL both with MongoDB connection string format | null |
| global.mongodb.URL | MongoDB URL | mongodb://mongodb |
| global.nats.existingSecret | NATS existing secret with key: NATS_URI and NATS connection string nats://... | null |
| global.nats.URL | NATS URL | nats://nats:4222 |
| global.redis.URL | Optional Redis URL, used with an external service when redis.enabled=false | nil |
| global.redis.existingSecret | Optional Redis URL from a secret, used with an external service when redis.enabled=false. The key has to be REDIS_CONNECTION_STRING | nil |
| global.redis.username | Optional Redis Username [Deprecated from 3.7.0: use global.redis.URL instead] | nil |
| global.redis.password | Optional Redis Password [Deprecated from 3.7.0: use global.redis.URL instead] | nil |
| global.opensearch.URLs | Opensearch URLs | http://opensearch-cluster-master:9200 |
| global.storage | Artifacts storage type (available types: aws and azure) | aws |
| global.s3.AWS_URI | AWS S3 / MinIO URI | value from global.url |
| global.s3.AWS_EXTERNAL_URI | External AWS S3 / MinIO URI | null |
| global.s3.AWS_BUCKET | AWS S3 / MinIO bucket | minio-hosted-mender-artifacts |
| global.s3.AWS_REGION | AWS S3 region | us-east-1 |
| global.s3.AWS_ACCESS_KEY_ID | AWS S3 / MinIO key ID. An empty value will use credentials from the shared AWS credentials. | myaccesskey |
| global.s3.AWS_SECRET_ACCESS_KEY | AWS S3 / MinIO access key | mysecretkey |
| global.s3.AWS_SERVICE_ACCOUNT_NAME | Use K8s service account instead of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to access the bucket. | "" |
| global.s3.AWS_FORCE_PATH_STYLE | Set the AWS S3 URI style to path | true |
| global.s3.AWS_TAG_ARTIFACT | Tag the artifact in the AWS S3 storage service with the tenant ID | true |
| global.s3.existingSecret | S3 existing secret containing the keys above: AWS_URI, AWS_BUCKET, AWS_REGION, ... | null |
| global.azure.AUTH_CONNECTION_STRING | Azure Blob Storage connection string | "" |
| global.azure.AUTH_SHARED_KEY_ACCOUNT_NAME | Azure Blob Storage shared key account name | "" |
| global.azure.AUTH_SHARED_KEY_ACCOUNT_KEY | Azure Blob Storage shared key account key | "" |
| global.azure.AUTH_SHARED_KEY_URI | Azure Blob Storage shared key URI | "" |
| global.azure.CONTAINER_NAME | Azure Blob Storage container name | mender-artifact-storage |
| global.smtp.existingSecret | Use an existing secret to get the env vars | nil |
| global.smtp.EMAIL_SENDER | SMTP email sender | root@localhost |
| global.smtp.SMTP_HOST | SMTP server address | localhost:25 |
| global.smtp.SMTP_AUTH_MECHANISM | SMTP auth mechanism (Valid values: PLAIN, CRAM-MD5) | PLAIN |
| global.smtp.SMTP_USERNAME | SMTP server username | null |
| global.smtp.SMTP_PASSWORD | SMTP server password | null |
| global.smtp.SMTP_SSL | Enable the SSL connection to the SMTP server | false |
| global.url | Public URL of the Mender Server, replace with your domain | https://mender-api-gateway |
| default.affinity | Optional affinity values that apply to all the resources | nil |
| default.toleration | Optional toleration values that apply to all the resources | nil |
| default.hpa | HorizontalPodAutoscaler support | nil |
| default.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| default.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| default.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| default.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| default.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| default.pdb.enabled | PodDisruptionBudget enabled | false |
| default.pdb.minAvailable | PodDisruptionBudget minAvailable | 1 |
| default.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| default.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| default.updateStrategy | The strategy to use to update existing pods | rollingUpdate = { maxSurge = 25%, maxUnavailable = 0 } |
| default.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probe. | nil |
| default.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probe. | nil |
| default.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probe. | nil |
| ingress.enabled | Optional Mender Ingress | false |
| dbmigration.enable | Helm Chart hook that triggers a DB Migration utility just before a Helm Chart install or upgrade | true |
| device_license_count.enabled | Device license count feature - enterprise only | false |
| serviceAccount.create | Create a custom ServiceAccount | false |
| serviceAccount.name | Custom ServiceAccount name | nil |
| serviceAccount.labels | ServiceAccount labels | nil |
| serviceAccount.annotations | ServiceAccount annotations | nil |
| fullnameOverride | Use a custom prefix for the resources, instead of using the helm chart name (default) | nil |
| tests.enabled | Whether or not to run the helm tests after the chart install | false |

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install my-release \
  --set mongodbRootPassword=secretpassword,mongodbUsername=my-user,mongodbPassword=my-password,mongodbDatabase=my-database \
  ./mender

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-release -f values.yaml ./mender

Tip: You can use the default values.yaml
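
The minimal values.yaml in the install steps carries the S3 access key and secret key in clear text, while the parameter tables list global.s3.existingSecret and deployments.presignSecretExistingSecret (deployments table, further down) as ways to reference Kubernetes Secrets instead. The script below is an added example, not part of the chart or its documentation: it renders the two Secret manifests and a values overlay that points at them, and lists any credential keys still set inline in a values file. The secret names (mender-s3-artifacts, mender-presign), the function names and the sample credentials are assumptions made for illustration, and the S3 secret is assumed to use the same key names as the global.s3.* parameters.

```shell
#!/bin/sh
# Added example, not part of the Mender chart: keep credentials out of
# values.yaml by rendering Kubernetes Secrets and referencing them by name.
set -eu

# Base64-encode stdin on a single line (GNU base64 wraps long output).
b64() { base64 | tr -d '\n'; }

# 32 random bytes, base64 encoded: the parameter table requires
# DEPLOYMENTS_PRESIGN_SECRET to be a base64 encoded secret.
gen_presign_secret() { head -c 32 /dev/urandom | b64; }

# secret_manifest NAME KEY=VALUE...
# Print a v1 Secret manifest; every value is base64 encoded, as "data" requires.
secret_manifest() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  for kv in "$@"; do
    key=${kv%%=*}   # text before the first "="
    val=${kv#*=}    # text after the first "=" (may itself contain "=")
    printf '  %s: %s\n' "$key" "$(printf '%s' "$val" | b64)"
  done
}

# values_overlay S3_SECRET_NAME PRESIGN_SECRET_NAME
# Print a values file that references the Secrets and holds no credential.
values_overlay() {
  cat <<EOF
global:
  s3:
    existingSecret: "$1"
deployments:
  presignSecretExistingSecret: "$2"
EOF
}

# inline_secret_keys FILE
# Print the names (never the values) of credential keys from the parameter
# tables that are set to a literal, non-empty value in FILE.
inline_secret_keys() {
  awk -F': *' '
    $1 ~ /^ *(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|DEPLOYMENTS_PRESIGN_SECRET|SMTP_PASSWORD|AUTH_SHARED_KEY_ACCOUNT_KEY|AUTH_CONNECTION_STRING)$/ {
      v = $2; gsub(/["\047 ]/, "", v)          # drop quotes and spaces
      if (v != "" && v != "null" && v != "nil") { k = $1; gsub(/ /, "", k); print k }
    }' "$1"
}

# write_demo: render everything into a private temp dir using constructed
# placeholder credentials; nothing is sent to a cluster.
write_demo() {
  umask 077
  dir=$(mktemp -d)
  secret_manifest mender-s3-artifacts \
    AWS_URI=https://mender.example.com AWS_BUCKET=mender-artifacts \
    AWS_REGION=us-east-1 AWS_ACCESS_KEY_ID=EXAMPLEKEYID \
    AWS_SECRET_ACCESS_KEY=example-secret-value >"$dir/s3-secret.yaml"
  # The Secret stores the base64 presign string itself, so it is encoded twice.
  secret_manifest mender-presign \
    "PRESIGN_SECRET=$(gen_presign_secret)" >"$dir/presign-secret.yaml"
  values_overlay mender-s3-artifacts mender-presign >"$dir/values-secrets.yaml"
  printf '%s\n' "$dir"
}

demo_dir=$(write_demo)
echo "rendered: $demo_dir"
# Next steps on a real cluster (not run here), after deleting
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from values.yaml:
#   kubectl apply -f "$demo_dir/s3-secret.yaml" -f "$demo_dir/presign-secret.yaml"
#   helm install my-release -f values.yaml -f "$demo_dir/values-secrets.yaml" ./mender
```

Running inline_secret_keys values.yaml before the install prints nothing once the keys have been moved into the Secrets.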

Parameters: api-gateway

The following table lists the parameters for the api-gateway component and their default values:

| Parameter | Description | Default |
|---|---|---|
| api_gateway.enabled | Enable the component | true |
| api_gateway.dashboard | Enable the Traefik dashboard (port 8080) | false |
| api_gateway.image.registry | Docker image registry | docker.io |
| api_gateway.image.repository | Docker image repository | traefik |
| api_gateway.image.tag | Docker image tag | v2.5 |
| api_gateway.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| api_gateway.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| api_gateway.nodeSelector | Node selection | {} |
| api_gateway.podAnnotations | add custom pod annotations | nil |
| api_gateway.replicas | Number of replicas | 1 |
| api_gateway.affinity | Affinity map for the POD | {} |
| api_gateway.httpPort | Port for the HTTP listener in the container | 9080 |
| api_gateway.httpsPort | Port for the HTTPS listener in the container | 9443 |
| api_gateway.resources.limits.cpu | Resources CPU limit | 600m |
| api_gateway.resources.limits.memory | Resources memory limit | 1Gi |
| api_gateway.resources.requests.cpu | Resources CPU request | 600m |
| api_gateway.resources.requests.memory | Resources memory request | 512Mi |
| api_gateway.service.name | Name of the service | mender-api-gateway |
| api_gateway.service.annotations | Annotations map for the service | {} |
| api_gateway.service.type | Service type | ClusterIP |
| api_gateway.service.loadBalancerIP | Service load balancer IP | nil |
| api_gateway.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| api_gateway.service.httpPort | Port for the HTTP service | 80 |
| api_gateway.service.httpsPort | Port for the HTTPS service | 443 |
| api_gateway.service.httpNodePort | Node port for the HTTP service | nil |
| api_gateway.service.httpsNodePort | Node port for the HTTPS service | nil |
| api_gateway.env.SSL | SSL termination flag | true |
| api_gateway.minio.enabled | Enable routing of S3 requests to the minio service. [Deprecated from 5.5.0, use `api_gateway.storage_proxy` instead] | true |
| api_gateway.minio.url | URL of the minio service. [Deprecated from 5.5.0, use `api_gateway.storage_proxy` instead] | http://minio:9000 |
| api_gateway.storage_proxy.enabled | Enable storage proxy to the S3/minio service | false |
| api_gateway.storage_proxy.url | URL of the storage proxy. Should point to the AWS Bucket/Minio URL | nil |
| api_gateway.storage_proxy.customRule | Custom rules for the storage proxy. | HostRegexp(`{domain:^artifacts.*$}`) |
| api_gateway.storage_proxy.passHostHeader | The passHostHeader option forwards the client Host header to the server. | false |
| api_gateway.rateLimit.average | See the Traefik rate limit configuration options | 100 |
| api_gateway.rateLimit.burst | See the Traefik rate limit configuration options | 100 |
| api_gateway.rateLimit.period | See the Traefik rate limit configuration options | 1s |
| api_gateway.rateLimit.sourceCriterion | See the Traefik rate limit configuration options | {"ipStrategy": {"depth": 1}} |
| api_gateway.extraArgs | Optional list of additional args for the api_gateway container. | null |
| api_gateway.authRateLimit | Optional rate limiting for the Auth module only. See the Traefik rate limit configuration options | null |
| api_gateway.podSecurityContext.enabled | Enable security context | false |
| api_gateway.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| api_gateway.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| api_gateway.containerSecurityContext.enabled | Enable container security context | false |
| api_gateway.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| api_gateway.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| api_gateway.compression | Enable Traefik Compression | true |
| api_gateway.security_redirect | Custom redirect to a company security page | null |
| api_gateway.minio.customRule | Custom redirect for MinIO. Uses the default one if not specified. [Deprecated from 5.5.0, use `api_gateway.storage_proxy` instead] | null |
| api_gateway.hpa | HorizontalPodAutoscaler support | nil |
| api_gateway.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| api_gateway.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| api_gateway.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| api_gateway.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| api_gateway.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| api_gateway.pdb.enabled | PodDisruptionBudget enabled | nil |
| api_gateway.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| api_gateway.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| api_gateway.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| api_gateway.certs | certificate management | nil |
| api_gateway.certs.cert | Public certificate (with full chain optionally) in PEM format | nil |
| api_gateway.certs.key | Private key in PEM format | nil |
| api_gateway.certs.existingSecret | Preexisting secret containing the Cert (key cert.crt) and the Key (key private.key) | nil |
| api_gateway.updateStrategy | The strategy to use to update existing pods | nil |
| api_gateway.accesslogs | Traefik Access Logs, enabled by default | true |
| api_gateway.podMonitor.enabled | If enabled, creates a PodMonitor resource for scraping Traefik metrics | false |
| api_gateway.podMonitor.customLabels | PodMonitor custom labels | nil |
| api_gateway.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probe. | nil |
| api_gateway.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probe. | nil |
| api_gateway.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probe. | 3 |

Parameters: deployments

The following table lists the parameters for the deployments component and their default values:

| Parameter | Description | Default |
|---|---|---|
| deployments.enabled | Enable the component | true |
| deployments.automigrate | Enable automatic database migrations at service start up | true |
| deployments.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
| deployments.image.repository | Docker image repository | mendersoftware/deployments-enterprise if global.enterprise is true, else mendersoftware/deployments |
| deployments.image.tag | Docker image tag | nil |
| deployments.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| deployments.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| deployments.nodeSelector | Node selection | {} |
| deployments.podAnnotations | add custom pod annotations | nil |
| deployments.replicas | Number of replicas | 1 |
| deployments.affinity | Affinity map for the POD | {} |
| deployments.directUpload.enabled | Enable direct upload feature | true |
| deployments.directUpload.jitter | Clock jitter - margin for removing expired objects | "3s" |
| deployments.directUpload.skipVerify | Skip verification of artifact uploaded through direct upload. Only advised if you verified the direct upload through other means. | false |
| deployments.daemonSchedule | Cron schedule for running the storage daemon | "15 * * * *" |
| deployments.resources.limits.cpu | Resources CPU limit | 300m |
| deployments.resources.limits.memory | Resources memory limit | 128Mi |
| deployments.resources.requests.cpu | Resources CPU request | 300m |
| deployments.resources.requests.memory | Resources memory request | 64Mi |
| deployments.service.name | Name of the service | mender-deployments |
| deployments.service.annotations | Annotations map for the service | {} |
| deployments.service.type | Service type | ClusterIP |
| deployments.service.loadBalancerIP | Service load balancer IP | nil |
| deployments.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| deployments.service.port | Port for the service | 8080 |
| deployments.service.nodePort | Node port for the service | nil |
| deployments.env.DEPLOYMENTS_MIDDLEWARE | Set the DEPLOYMENTS_MIDDLEWARE variable | prod |
| deployments.env.DEPLOYMENTS_PRESIGN_SECRET | Set the secret for generating signed url, must be a base64 encoded secret. | random value at start-up time |
| deployments.presignSecretExistingSecret | Set the secret for generating signed url from an existing secret with the key PRESIGN_SECRET. | nil |
| deployments.podSecurityContext.enabled | Enable security context | false |
| deployments.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| deployments.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| deployments.containerSecurityContext.enabled | Enable container security context | false |
| deployments.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| deployments.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| deployments.hpa | HorizontalPodAutoscaler support | nil |
| deployments.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| deployments.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| deployments.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| deployments.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| deployments.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| deployments.pdb.enabled | PodDisruptionBudget enabled | nil |
| deployments.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| deployments.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| deployments.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| deployments.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| deployments.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| deployments.updateStrategy | The strategy to use to update existing pods | nil |
| deployments.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probe. | nil |
| deployments.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probe. | nil |
| deployments.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probe. | nil |
| deployments.mongodbExistingSecret | Use a different MongoDB secret for this service | nil |

Parameters: device-auth

The following table lists the parameters for the device-auth component and their default values:

| Parameter | Description | Default |
|---|---|---|
| device_auth.enabled | Enable the component | true |
| device_auth.automigrate | Enable automatic database migrations at service start up | true |
| device_auth.image.registry | Docker image registry | docker.io |
| device_auth.image.repository | Docker image repository | mendersoftware/deviceauth |
| device_auth.image.tag | Docker image tag | nil |
| device_auth.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| device_auth.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| device_auth.nodeSelector | Node selection | {} |
| device_auth.podAnnotations | add custom pod annotations | nil |
| device_auth.replicas | Number of replicas | 1 |
| device_auth.affinity | Affinity map for the POD | {} |
| device_auth.resources.limits.cpu | Resources CPU limit | 350m |
| device_auth.resources.limits.memory | Resources memory limit | 128Mi |
| device_auth.resources.requests.cpu | Resources CPU request | 350m |
| device_auth.resources.requests.memory | Resources memory request | 128Mi |
| device_auth.service.name | Name of the service | mender-device-auth |
| device_auth.service.annotations | Annotations map for the service | {} |
| device_auth.service.type | Service type | ClusterIP |
| device_auth.service.loadBalancerIP | Service load balancer IP | nil |
| device_auth.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| device_auth.service.port | Port for the service | 8080 |
| device_auth.service.nodePort | Node port for the service | nil |
| device_auth.env.DEVICEAUTH_INVENTORY_ADDR | Set the DEVICEAUTH_INVENTORY_ADDR variable | http://mender-inventory:8080/ |
| device_auth.env.DEVICEAUTH_ORCHESTRATOR_ADDR | Set the DEVICEAUTH_ORCHESTRATOR_ADDR variable | http://mender-workflows-server:8080 |
| device_auth.env.DEVICEAUTH_JWT_ISSUER | Set the DEVICEAUTH_JWT_ISSUER variable | Mender |
| device_auth.env.DEVICEAUTH_JWT_EXP_TIMEOUT | Set the DEVICEAUTH_JWT_EXP_TIMEOUT variable | 604800 |
| device_auth.env.DEVICEAUTH_MIDDLEWARE | Set the DEVICEAUTH_MIDDLEWARE variable | prod |
| device_auth.env.DEVICEAUTH_REDIS_KEY_PREFIX | Set the DEVICEAUTH_REDIS_KEY_PREFIX variable | deviceauth:v1 |
| device_auth.env.DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC | Set the DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC variable | 3600 |
| device_auth.env.DEVICEAUTH_REDIS_DB | Set the DEVICEAUTH_REDIS_DB variable [Deprecated from 3.7.0] | 1 |
| device_auth.env.DEVICEAUTH_REDIS_TIMEOUT_SEC | Set the DEVICEAUTH_REDIS_TIMEOUT_SEC variable [Deprecated from 3.7.0] | 1 |
| device_auth.env.DEVICEAUTH_TENANTADM_ADDR | Set the DEVICEAUTH_TENANTADM_ADDR variable | http://mender-tenantadm:8080 |
| device_auth.podSecurityContext.enabled | Enable security context | false |
| device_auth.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| device_auth.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| device_auth.containerSecurityContext.enabled | Enable container security context | false |
| device_auth.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| device_auth.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| device_auth.hpa | HorizontalPodAutoscaler support | nil |
| device_auth.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| device_auth.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| device_auth.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| device_auth.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| device_auth.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| device_auth.pdb.enabled | PodDisruptionBudget enabled | nil |
| device_auth.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| device_auth.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| device_auth.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| device_auth.certs | certificate management | nil |
| device_auth.certs.key | Private key in PEM format | nil |
| device_auth.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
| device_auth.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| device_auth.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| device_auth.updateStrategy | The strategy to use to update existing pods | nil |
| device_auth.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probe. | nil |
| device_auth.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probe. | nil |
| device_auth.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probe. | nil |

Parameters: gui

The following table lists the parameters for the gui component and their default values:

| Parameter | Description | Default |
|---|---|---|
| gui.enabled | Enable the component | true |
| gui.image.registry | Docker image registry | docker.io |
| gui.image.repository | Docker image repository | mendersoftware/gui |
| gui.image.tag | Docker image tag | nil |
| gui.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| gui.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| gui.nodeSelector | Node selection | {} |
| gui.podAnnotations | add custom pod annotations | nil |
| gui.replicas | Number of replicas | 1 |
| gui.affinity | Affinity map for the POD | {} |
| gui.resources.limits.cpu | Resources CPU limit | 20m |
| gui.resources.limits.memory | Resources memory limit | 64Mi |
| gui.resources.requests.cpu | Resources CPU request | 5m |
| gui.resources.requests.memory | Resources memory request | 16Mi |
| gui.service.name | Name of the service | mender-gui |
| gui.service.annotations | Annotations map for the service | {} |
| gui.service.type | Service type | ClusterIP |
| gui.service.loadBalancerIP | Service load balancer IP | nil |
| gui.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| gui.service.port | Port for the service | 80 |
| gui.service.nodePort | Node port for the service | nil |
| gui.service.portError | Port for the Error server block | 8080 |
| gui.httpPort | Port for the HTTP listener in the container | 80 |
| gui.podSecurityContext.enabled | Enable security context | false |
| gui.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| gui.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| gui.containerSecurityContext.enabled | Enable container security context | false |
| gui.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| gui.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| gui.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| gui.updateStrategy | The strategy to use to update existing pods | nil |
| gui.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| gui.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| gui.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
| gui.hpa | HorizontalPodAutoscaler support | nil |
| gui.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| gui.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| gui.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| gui.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| gui.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |

Parameters: inventory

The following table lists the parameters for the inventory component and their default values:

| Parameter | Description | Default |
|---|---|---|
| inventory.enabled | Enable the component | true |
| inventory.automigrate | Enable automatic database migrations at service start up | true |
| inventory.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
| inventory.image.repository | Docker image repository | mendersoftware/inventory-enterprise if global.enterprise is true, else mendersoftware/inventory |
| inventory.image.tag | Docker image tag | nil |
| inventory.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| inventory.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| inventory.nodeSelector | Node selection | {} |
| inventory.podAnnotations | add custom pod annotations | nil |
| inventory.replicas | Number of replicas | 1 |
| inventory.affinity | Affinity map for the POD | {} |
| inventory.resources.limits.cpu | Resources CPU limit | 300m |
| inventory.resources.limits.memory | Resources memory limit | 128Mi |
| inventory.resources.requests.cpu | Resources CPU request | 300m |
| inventory.resources.requests.memory | Resources memory request | 128Mi |
| inventory.service.name | Name of the service | mender-inventory |
| inventory.service.annotations | Annotations map for the service | {} |
| inventory.service.type | Service type | ClusterIP |
| inventory.service.loadBalancerIP | Service load balancer IP | nil |
| inventory.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| inventory.service.port | Port for the service | 8080 |
| inventory.service.nodePort | Node port for the service | nil |
| inventory.env.INVENTORY_MIDDLEWARE | Set the INVENTORY_MIDDLEWARE variable | prod |
| inventory.env.INVENTORY_REDIS_KEY_PREFIX | Set the INVENTORY_REDIS_KEY_PREFIX variable | inventory:v1 |
| inventory.env.INVENTORY_REDIS_CACHE_EXPIRE_SEC | Set the INVENTORY_REDIS_CACHE_EXPIRE_SEC variable | 1800 |
| inventory.podSecurityContext.enabled | Enable security context | false |
| inventory.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| inventory.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| inventory.containerSecurityContext.enabled | Enable container security context | false |
| inventory.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| inventory.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| inventory.hpa | HorizontalPodAutoscaler support | nil |
| inventory.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| inventory.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| inventory.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| inventory.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| inventory.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| inventory.pdb.enabled | PodDisruptionBudget enabled | nil |
| inventory.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| inventory.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| inventory.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| inventory.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| inventory.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| inventory.updateStrategy | The strategy to use to update existing pods | nil |
| inventory.mongodbExistingSecret | Use a different MongoDB secret for this service | nil |
| inventory.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probe. | nil |
| inventory.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probe. | nil |
| inventory.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probe. | nil |

Parameters: reporting

The following table lists the parameters for the reporting component and their default values:

| Parameter | Description | Default |
|---|---|---|
| reporting.enabled | Enable the component | true |
| reporting.automigrate | Enable automatic database migrations at service start up | false |
| reporting.image.registry | Docker image registry | docker.io |
| reporting.image.repository | Docker image repository | mendersoftware/reporting |
| reporting.image.tag | Docker image tag | nil |
| reporting.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| reporting.nodeSelector | Node selection | {} |
| reporting.image.podAnnotations | add custom pod annotations | nil |
| reporting.replicas | Number of replicas | 1 |
| reporting.affinity | Affinity map for the POD | {} |
| reporting.resources.limits.cpu | Resources CPU limit | 50m |
| reporting.resources.limits.memory | Resources memory limit | 128Mi |
| reporting.resources.requests.cpu | Resources CPU request | 50m |
| reporting.resources.requests.memory | Resources memory request | 128Mi |
| reporting.service.name | Name of the service | mender-reporting |
| reporting.service.annotations | Annotations map for the service | {} |
| reporting.service.type | Service type | ClusterIP |
| reporting.service.loadBalancerIP | Service load balancer IP | nil |
| reporting.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| reporting.service.port | Port for the service | 8080 |
| reporting.service.nodePort | Node port for the service | nil |

Parameters: tenantadm

The following table lists the parameters for the tenantadm component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| tenantadm.enabled | Enable the component | true |
| tenantadm.image.registry | Docker image registry | registry.mender.io |
| tenantadm.image.repository | Docker image repository | mendersoftware/tenantadm |
| tenantadm.image.tag | Docker image tag | nil |
| tenantadm.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| tenantadm.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| tenantadm.nodeSelector | Node selection | {} |
| tenantadm.podAnnotations | add custom pod annotations | nil |
| tenantadm.replicas | Number of replicas | 1 |
| tenantadm.affinity | Affinity map for the POD | {} |
| tenantadm.resources.limits.cpu | Resources CPU limit | 150m |
| tenantadm.resources.limits.memory | Resources memory limit | 128Mi |
| tenantadm.resources.requests.cpu | Resources CPU request | 150m |
| tenantadm.resources.requests.memory | Resources memory request | 64Mi |
| tenantadm.service.name | Name of the service | mender-tenantadm |
| tenantadm.service.annotations | Annotations map for the service | {} |
| tenantadm.service.type | Service type | ClusterIP |
| tenantadm.service.loadBalancerIP | Service load balancer IP | nil |
| tenantadm.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| tenantadm.service.port | Port for the service | 8080 |
| tenantadm.service.nodePort | Node port for the service | nil |
| tenantadm.env.TENANTADM_MIDDLEWARE | Set the TENANTADM_MIDDLEWARE variable | prod |
| tenantadm.env.TENANTADM_SERVER_PRIV_KEY_PATH | Set the TENANTADM_SERVER_PRIV_KEY_PATH variable | /etc/tenantadm/rsa/private.pem |
| tenantadm.env.TENANTADM_ORCHESTRATOR_ADDR | Set the TENANTADM_ORCHESTRATOR_ADDR variable | http://mender-workflows-server:8080/ |
| tenantadm.env.TENANTADM_RECAPTCHA_URL_VERIFY | Set the TENANTADM_RECAPTCHA_URL_VERIFY variable | https://www.google.com/recaptcha/api/siteverify |
| tenantadm.env.TENANTADM_DEFAULT_API_LIMITS | Set the TENANTADM_DEFAULT_API_LIMITS variable, defining the default rate limits | see below for the default values |
| tenantadm.podSecurityContext.enabled | Enable security context | false |
| tenantadm.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| tenantadm.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| tenantadm.containerSecurityContext.enabled | Enable container security context | false |
| tenantadm.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| tenantadm.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| tenantadm.hpa | HorizontalPodAutoscaler support | nil |
| tenantadm.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| tenantadm.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| tenantadm.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| tenantadm.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| tenantadm.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| tenantadm.pdb.enabled | PodDisruptionBudget enabled | nil |
| tenantadm.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| tenantadm.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| tenantadm.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| tenantadm.certs | certificate management | nil |
| tenantadm.certs.key | Private key in PEM format | nil |
| tenantadm.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
| tenantadm.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| tenantadm.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| tenantadm.migrationArgs | Migration job: optional migration args (list). | ["migrate"] |
| tenantadm.updateStrategy | The strategy to use to update existing pods | nil |
| tenantadm.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| tenantadm.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| tenantadm.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

The default values for the rate limits are:

You can customize the default API limits by setting a custom JSON document. See the default one here.

Parameters: useradm

The following table lists the parameters for the useradm component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| useradm.enabled | Enable the component | true |
| useradm.automigrate | Enable automatic database migrations at service start up | true |
| useradm.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
| useradm.image.repository | Docker image repository | mendersoftware/useradm-enterprise if global.enterprise is true, else mendersoftware/useradm |
| useradm.image.tag | Docker image tag | nil |
| useradm.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| useradm.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| useradm.nodeSelector | Node selection | {} |
| useradm.podAnnotations | add custom pod annotations | nil |
| useradm.replicas | Number of replicas | 1 |
| useradm.affinity | Affinity map for the POD | {} |
| useradm.resources.limits.cpu | Resources CPU limit | 150m |
| useradm.resources.limits.memory | Resources memory limit | 128Mi |
| useradm.resources.requests.cpu | Resources CPU request | 150m |
| useradm.resources.requests.memory | Resources memory request | 64Mi |
| useradm.service.name | Name of the service | mender-useradm |
| useradm.service.annotations | Annotations map for the service | {} |
| useradm.service.type | Service type | ClusterIP |
| useradm.service.loadBalancerIP | Service load balancer IP | nil |
| useradm.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| useradm.service.port | Port for the service | 8080 |
| useradm.service.nodePort | Node port for the service | nil |
| useradm.env.USERADM_PROXY_COUNT | Set the number of proxy gateways from the backend to client. | 2 |
| useradm.env.USERADM_JWT_ISSUER | Set the USERADM_JWT_ISSUER variable | Mender Users |
| useradm.env.USERADM_JWT_EXP_TIMEOUT | Set the USERADM_JWT_EXP_TIMEOUT variable | 604800 |
| useradm.env.USERADM_MIDDLEWARE | Set the USERADM_MIDDLEWARE variable | prod |
| useradm.env.USERADM_REDIS_KEY_PREFIX | Set the USERADM_REDIS_KEY_PREFIX variable | useradm:v1 |
| useradm.env.USERADM_REDIS_LIMITS_EXPIRE_SEC | Set the USERADM_REDIS_LIMITS_EXPIRE_SEC variable | 3600 |
| useradm.env.USERADM_REDIS_DB | Set the USERADM_REDIS_DB variable [Deprecated from 3.7.0] | 2 |
| useradm.env.USERADM_REDIS_TIMEOUT_SEC | Set the USERADM_REDIS_TIMEOUT_SEC variable [Deprecated from 3.7.0] | 1 |
| useradm.env.USERADM_TENANTADM_ADDR | Set the USERADM_TENANTADM_ADDR variable | http://mender-tenantadm:8080 |
| useradm.env.USERADM_TOTP_ISSUER | Set the USERADM_TOTP_ISSUER variable | Mender |
| useradm.podSecurityContext.enabled | Enable security context | false |
| useradm.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| useradm.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| useradm.containerSecurityContext.enabled | Enable container security context | false |
| useradm.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| useradm.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| useradm.hpa | HorizontalPodAutoscaler support | nil |
| useradm.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| useradm.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| useradm.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| useradm.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| useradm.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| useradm.pdb.enabled | PodDisruptionBudget enabled | nil |
| useradm.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| useradm.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| useradm.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| useradm.certs | certificate management | nil |
| useradm.certs.key | Private key in PEM format | nil |
| useradm.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
| useradm.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| useradm.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| useradm.updateStrategy | The strategy to use to update existing pods | nil |
| useradm.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| useradm.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| useradm.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: workflows

The following table lists the parameters for the workflows-server component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| workflows.enabled | Enable the component | true |
| workflows.automigrate | Enable automatic database migrations at service start up | true |
| workflows.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
| workflows.image.repository | Docker image repository | mendersoftware/workflows-enterprise if global.enterprise is true, else mendersoftware/workflows |
| workflows.image.tag | Docker image tag | nil |
| workflows.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| workflows.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| workflows.nodeSelector | Node selection | {} |
| workflows.podAnnotations | add custom pod annotations | nil |
| workflows.replicas | Number of replicas | 1 |
| workflows.affinity | Affinity map for the POD | {} |
| workflows.resources.limits.cpu | Resources CPU limit | 100m |
| workflows.resources.limits.memory | Resources memory limit | 128Mi |
| workflows.resources.requests.cpu | Resources CPU request | 10m |
| workflows.resources.requests.memory | Resources memory request | 64Mi |
| workflows.service.name | Name of the service | mender-workflows-server |
| workflows.service.annotations | Annotations map for the service | {} |
| workflows.service.type | Service type | ClusterIP |
| workflows.service.loadBalancerIP | Service load balancer IP | nil |
| workflows.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| workflows.service.port | Port for the service | 8080 |
| workflows.service.nodePort | Node port for the service | nil |
| workflows.podSecurityContext.enabled | Enable security context | false |
| workflows.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| workflows.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| workflows.containerSecurityContext.enabled | Enable container security context | false |
| workflows.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| workflows.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| workflows.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| workflows.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| workflows.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| workflows.updateStrategy | The strategy to use to update existing pods | nil |
| workflows.mountSecrets | Optional volumeMounts and volumes to inject credential files in the workflows service | nil |
| workflows.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| workflows.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| workflows.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: create_artifact_worker

The following table lists the parameters for the create-artifact-worker component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| create_artifact_worker.enabled | Enable the component | true |
| create_artifact_worker.automigrate | Enable automatic database migrations at service start up | false |
| create_artifact_worker.image.registry | Docker image registry | docker.io |
| create_artifact_worker.image.repository | Docker image repository | mendersoftware/create-artifact-worker |
| create_artifact_worker.image.tag | Docker image tag | nil |
| create_artifact_worker.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| create_artifact_worker.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| create_artifact_worker.nodeSelector | Node selection | {} |
| create_artifact_worker.podAnnotations | add custom pod annotations | nil |
| create_artifact_worker.replicas | Number of replicas | 1 |
| create_artifact_worker.affinity | Affinity map for the POD | {} |
| create_artifact_worker.resources.limits.cpu | Resources CPU limit | 100m |
| create_artifact_worker.resources.limits.memory | Resources memory limit | 1024Mi |
| create_artifact_worker.resources.requests.cpu | Resources CPU request | 100m |
| create_artifact_worker.resources.requests.memory | Resources memory request | 128Mi |
| create_artifact_worker.podSecurityContext.enabled | Enable security context | false |
| create_artifact_worker.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| create_artifact_worker.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| create_artifact_worker.containerSecurityContext.enabled | Enable container security context | false |
| create_artifact_worker.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| create_artifact_worker.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| create_artifact_worker.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| create_artifact_worker.updateStrategy | The strategy to use to update existing pods | nil |

Parameters: auditlogs

The following table lists the parameters for the auditlogs component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| auditlogs.enabled | Enable the component | true |
| auditlogs.automigrate | Enable automatic database migrations at service start up | true |
| auditlogs.image.registry | Docker image registry | registry.mender.io |
| auditlogs.image.repository | Docker image repository | mendersoftware/auditlogs |
| auditlogs.image.tag | Docker image tag | nil |
| auditlogs.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| auditlogs.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| auditlogs.nodeSelector | Node selection | {} |
| auditlogs.podAnnotations | add custom pod annotations | nil |
| auditlogs.logRetentionSeconds | Seconds before an audit event is evicted from the database | 7776000 |
| auditlogs.replicas | Number of replicas | 1 |
| auditlogs.affinity | Affinity map for the POD | {} |
| auditlogs.resources.limits.cpu | Resources CPU limit | 50m |
| auditlogs.resources.limits.memory | Resources memory limit | 128Mi |
| auditlogs.resources.requests.cpu | Resources CPU request | 50m |
| auditlogs.resources.requests.memory | Resources memory request | 128Mi |
| auditlogs.service.name | Name of the service | mender-auditlogs |
| auditlogs.service.annotations | Annotations map for the service | {} |
| auditlogs.service.type | Service type | ClusterIP |
| auditlogs.service.loadBalancerIP | Service load balancer IP | nil |
| auditlogs.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| auditlogs.service.port | Port for the service | 8080 |
| auditlogs.service.nodePort | Node port for the service | nil |
| auditlogs.podSecurityContext.enabled | Enable security context | false |
| auditlogs.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| auditlogs.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| auditlogs.containerSecurityContext.enabled | Enable container security context | false |
| auditlogs.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| auditlogs.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| auditlogs.hpa | HorizontalPodAutoscaler support | nil |
| auditlogs.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| auditlogs.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| auditlogs.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| auditlogs.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| auditlogs.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| auditlogs.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| auditlogs.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| auditlogs.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| auditlogs.updateStrategy | The strategy to use to update existing pods | nil |
| auditlogs.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| auditlogs.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| auditlogs.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: iot-manager

The following table lists the parameters for the iot-manager component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| iot_manager.enabled | Enable the component | true |
| iot_manager.automigrate | Enable automatic database migrations at service start up | true |
| iot_manager.image.registry | Docker image registry | docker.io |
| iot_manager.image.repository | Docker image repository | mendersoftware/iot-manager |
| iot_manager.image.tag | Docker image tag | nil |
| iot_manager.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| iot_manager.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| iot_manager.nodeSelector | Node selection | {} |
| iot_manager.image.podAnnotations | add custom pod annotations | nil |
| iot_manager.replicas | Number of replicas | 1 |
| iot_manager.affinity | Affinity map for the POD | {} |
| iot_manager.resources.limits.cpu | Resources CPU limit | 50m |
| iot_manager.resources.limits.memory | Resources memory limit | 128Mi |
| iot_manager.resources.requests.cpu | Resources CPU request | 50m |
| iot_manager.resources.requests.memory | Resources memory request | 128Mi |
| iot_manager.service.name | Name of the service | mender-iot_manager |
| iot_manager.service.annotations | Annotations map for the service | {} |
| iot_manager.service.type | Service type | ClusterIP |
| iot_manager.service.loadBalancerIP | Service load balancer IP | nil |
| iot_manager.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| iot_manager.service.port | Port for the service | 8080 |
| iot_manager.service.nodePort | Node port for the service | nil |
| iot_manager.podSecurityContext.enabled | Enable security context | false |
| iot_manager.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| iot_manager.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| iot_manager.containerSecurityContext.enabled | Enable container security context | false |
| iot_manager.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| iot_manager.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| iot_manager.hpa | HorizontalPodAutoscaler support | nil |
| iot_manager.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| iot_manager.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| iot_manager.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| iot_manager.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| iot_manager.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| iot_manager.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| iot_manager.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| iot_manager.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| iot_manager.updateStrategy | The strategy to use to update existing pods | nil |
| iot_manager.aesEncryptionKey.existingSecret | Optional secret containing the AES encryption key. The secret key must be AES_ENCRYPTION_KEY | nil |
| iot_manager.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| iot_manager.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| iot_manager.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: deviceconnect

The following table lists the parameters for the deviceconnect component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| deviceconnect.enabled | Enable the component | true |
| deviceconnect.automigrate | Enable automatic database migrations at service start up | true |
| deviceconnect.image.registry | Docker image registry | docker.io |
| deviceconnect.image.repository | Docker image repository | mendersoftware/deviceconnect |
| deviceconnect.image.tag | Docker image tag | nil |
| deviceconnect.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| deviceconnect.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| deviceconnect.nodeSelector | Node selection | {} |
| deviceconnect.podAnnotations | add custom pod annotations | nil |
| deviceconnect.replicas | Number of replicas | 1 |
| deviceconnect.affinity | Affinity map for the POD | {} |
| deviceconnect.resources.limits.cpu | Resources CPU limit | 100m |
| deviceconnect.resources.limits.memory | Resources memory limit | 128Mi |
| deviceconnect.resources.requests.cpu | Resources CPU request | 100m |
| deviceconnect.resources.requests.memory | Resources memory request | 128Mi |
| deviceconnect.service.name | Name of the service | mender-deviceconnect |
| deviceconnect.service.annotations | Annotations map for the service | {} |
| deviceconnect.service.type | Service type | ClusterIP |
| deviceconnect.service.loadBalancerIP | Service load balancer IP | nil |
| deviceconnect.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| deviceconnect.service.port | Port for the service | 8080 |
| deviceconnect.service.nodePort | Node port for the service | nil |
| deviceconnect.podSecurityContext.enabled | Enable security context | false |
| deviceconnect.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| deviceconnect.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| deviceconnect.containerSecurityContext.enabled | Enable container security context | false |
| deviceconnect.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| deviceconnect.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| deviceconnect.hpa | HorizontalPodAutoscaler support | nil |
| deviceconnect.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| deviceconnect.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| deviceconnect.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| deviceconnect.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| deviceconnect.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| deviceconnect.gracefulShutdownTimeout | Timeout for the graceful shutdown | 60s |
| deviceconnect.terminationGracePeriodSeconds | Termination grace period in seconds | 65 |
| deviceconnect.pdb.enabled | PodDisruptionBudget enabled | nil |
| deviceconnect.pdb.minAvailable | PodDisruptionBudget minAvailable | nil |
| deviceconnect.pdb.maxUnavailable | PodDisruptionBudget maxUnavailable | nil |
| deviceconnect.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| deviceconnect.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| deviceconnect.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| deviceconnect.updateStrategy | The strategy to use to update existing pods | nil |
| deviceconnect.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| deviceconnect.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| deviceconnect.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: deviceconfig

The following table lists the parameters for the deviceconfig component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| deviceconfig.enabled | Enable the component | true |
| deviceconfig.automigrate | Enable automatic database migrations at service start up | true |
| deviceconfig.image.registry | Docker image registry | docker.io |
| deviceconfig.image.repository | Docker image repository | mendersoftware/deviceconfig |
| deviceconfig.image.tag | Docker image tag | nil |
| deviceconfig.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| deviceconfig.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| deviceconfig.nodeSelector | Node selection | {} |
| deviceconfig.podAnnotations | add custom pod annotations | nil |
| deviceconfig.replicas | Number of replicas | 1 |
| deviceconfig.affinity | Affinity map for the POD | {} |
| deviceconfig.resources.limits.cpu | Resources CPU limit | 100m |
| deviceconfig.resources.limits.memory | Resources memory limit | 128Mi |
| deviceconfig.resources.requests.cpu | Resources CPU request | 100m |
| deviceconfig.resources.requests.memory | Resources memory request | 128Mi |
| deviceconfig.service.name | Name of the service | mender-deviceconfig |
| deviceconfig.service.annotations | Annotations map for the service | {} |
| deviceconfig.service.type | Service type | ClusterIP |
| deviceconfig.service.loadBalancerIP | Service load balancer IP | nil |
| deviceconfig.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| deviceconfig.service.port | Port for the service | 8080 |
| deviceconfig.service.nodePort | Node port for the service | nil |
| deviceconfig.podSecurityContext.enabled | Enable security context | false |
| deviceconfig.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| deviceconfig.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| deviceconfig.containerSecurityContext.enabled | Enable container security context | false |
| deviceconfig.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| deviceconfig.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| deviceconfig.hpa | HorizontalPodAutoscaler support | nil |
| deviceconfig.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| deviceconfig.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| deviceconfig.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| deviceconfig.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| deviceconfig.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| deviceconfig.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| deviceconfig.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| deviceconfig.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| deviceconfig.updateStrategy | The strategy to use to update existing pods | nil |
| deviceconfig.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| deviceconfig.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| deviceconfig.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: devicemonitor

The following table lists the parameters for the devicemonitor component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| devicemonitor.enabled | Enable the component | true |
| devicemonitor.automigrate | Enable automatic database migrations at service start up | true |
| devicemonitor.image.registry | Docker image registry | registry.mender.io |
| devicemonitor.image.repository | Docker image repository | mendersoftware/devicemonitor |
| devicemonitor.image.tag | Docker image tag | nil |
| devicemonitor.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| devicemonitor.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| devicemonitor.nodeSelector | Node selection | {} |
| devicemonitor.podAnnotations | add custom pod annotations | nil |
| devicemonitor.replicas | Number of replicas | 1 |
| devicemonitor.affinity | Affinity map for the POD | {} |
| devicemonitor.resources.limits.cpu | Resources CPU limit | 100m |
| devicemonitor.resources.limits.memory | Resources memory limit | 128Mi |
| devicemonitor.resources.requests.cpu | Resources CPU request | 100m |
| devicemonitor.resources.requests.memory | Resources memory request | 128Mi |
| devicemonitor.service.name | Name of the service | mender-devicemonitor |
| devicemonitor.service.annotations | Annotations map for the service | {} |
| devicemonitor.service.type | Service type | ClusterIP |
| devicemonitor.service.loadBalancerIP | Service load balancer IP | nil |
| devicemonitor.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| devicemonitor.service.port | Port for the service | 8080 |
| devicemonitor.service.nodePort | Node port for the service | nil |
| devicemonitor.env.DEVICEMONITOR_USERADM_URL | Set the DEVICEMONITOR_USERADM_URL variable | http://mender-useradm:8080/ |
| devicemonitor.env.DEVICEMONITOR_WORKFLOWS_URL | Set the DEVICEMONITOR_WORKFLOWS_URL variable | http://mender-workflows-server:8080 |
| devicemonitor.podSecurityContext.enabled | Enable security context | false |
| devicemonitor.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| devicemonitor.podSecurityContext.runAsUser | User ID for the pod | 65534 |
| devicemonitor.containerSecurityContext.enabled | Enable container security context | false |
| devicemonitor.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| devicemonitor.containerSecurityContext.runAsUser | User ID for the container | 65534 |
| devicemonitor.hpa | HorizontalPodAutoscaler support | nil |
| devicemonitor.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
| devicemonitor.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
| devicemonitor.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
| devicemonitor.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
| devicemonitor.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
| devicemonitor.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| devicemonitor.migrationRestartPolicy | Migration job: restartPolicy option | Never |
| devicemonitor.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
| devicemonitor.updateStrategy | The strategy to use to update existing pods | nil |
| devicemonitor.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
| devicemonitor.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
| devicemonitor.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |

Parameters: generate_delta_worker

Please note that this feature is still under active development and is disabled by default.

The following table lists the parameters for the generate-delta-worker component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| generate_delta_worker.enabled | Enable the component | false |
| generate_delta_worker.automigrate | Enable automatic database migrations at service start up | false |
| generate_delta_worker.image.registry | Docker image registry | registry.mender.io |
| generate_delta_worker.image.repository | Docker image repository | mendersoftware/generate-delta-worker |
| generate_delta_worker.image.tag | Docker image tag | nil |
| generate_delta_worker.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| generate_delta_worker.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
| generate_delta_worker.nodeSelector | Node selection | {} |
| generate_delta_worker.podAnnotations | add custom pod annotations | nil |
| generate_delta_worker.replicas | Number of replicas | 1 |
| generate_delta_worker.persistence.enabled | Enable persistence of the work directory (PVC template) | true |
| generate_delta_worker.persistence.accessModes | Access modes for the volumes created by the StatefulSet | ["ReadWriteOnce"] |
| generate_delta_worker.persistence.size | Size of the volumes (per replica) | 40Gi |
| generate_delta_worker.persistence.storageClass | Storage class for the volumes created by the StatefulSet | "" (default) |
| generate_delta_worker.persistence.retention.whenDeleted | Volume retention policy when StatefulSet is deleted | "Retain" |
| generate_delta_worker.persistence.retention.whenScaled | Volume retention policy when StatefulSet is scaled (down) | "Delete" |
| generate_delta_worker.affinity | Affinity map for the POD | {} |
| generate_delta_worker.resources.limits.cpu | Resources CPU limit | 100m |
| generate_delta_worker.resources.limits.memory | Resources memory limit | 1024Mi |
| generate_delta_worker.resources.requests.cpu | Resources CPU request | 100m |
| generate_delta_worker.resources.requests.memory | Resources memory request | 128Mi |
| generate_delta_worker.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
| generate_delta_worker.updateStrategy | The strategy to use to update existing pods | nil |

Parameters: redis

The following table lists the parameters for the redis component and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| redis.enabled | Enable the component | true |
| redis.image.registry | Docker image registry | docker.io |
| redis.image.repository | Docker image repository | redis |
| redis.image.tag | Docker image tag | 6.0.16-alpine |
| redis.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
| redis.replicas | Number of replicas | 1 |
| redis.affinity | Affinity map for the POD | {} |
| redis.resources.limits.cpu | Resources CPU limit | 50m |
| redis.resources.limits.memory | Resources memory limit | 64Mi |
| redis.resources.requests.cpu | Resources CPU request | 100m |
| redis.resources.requests.memory | Resources memory request | 128Mi |
| redis.service.name | Name of the service | mender-redis |
| redis.service.annotations | Annotations map for the service | {} |
| redis.service.type | Service type | ClusterIP |
| redis.service.loadBalancerIP | Service load balancer IP | nil |
| redis.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
| redis.service.port | Port for the service | 6379 |
| redis.service.nodePort | Node port for the service | nil |
| redis.podSecurityContext.enabled | Enable security context | false |
| redis.podSecurityContext.runAsNonRoot | Run as non-root user | true |
| redis.podSecurityContext.runAsUser | User ID for the pod | 999 |
| redis.containerSecurityContext.enabled | Enable container security context | false |
| redis.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
| redis.containerSecurityContext.runAsUser | User ID for the container | 999 |
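
Both redis security contexts default to enabled: false. The override below is an added example, not part of the chart's own documentation: it turns them on and spells out the related values from the table. It assumes the enabled flags gate the other security context fields, as their names suggest, and the file name is an assumption.

```yaml
# values-redis-hardening.yaml (file name is an assumption)
# Only keys listed in the redis parameter table are used.
redis:
  podSecurityContext:
    enabled: true                    # chart default: false
    runAsNonRoot: true               # table default, spelled out
    runAsUser: 999                   # table default, spelled out
  containerSecurityContext:
    enabled: true                    # chart default: false
    allowPrivilegeEscalation: false  # table default, spelled out
    runAsUser: 999                   # table default, spelled out
  service:
    type: ClusterIP                  # table default; keeps Redis reachable only inside the cluster
```

Pass the file at install time with -f, for example: helm install mender ./mender -f values-redis-hardening.yaml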

Create a tenant and a user from command line

Enterprise version

You can create a tenant from the command line of the tenantadm pod; the value printed is the newly generated tenant ID:

tenantadm create-org --name demo --username "admin@mender.io" --password "adminadmin" --plan enterprise
5dcd71624143b30050e63bed

You can create additional users from the command line of the useradm pod:

useradm-enterprise create-user --username "demo@mender.io" --password "demodemo" --tenant-id "5dcd71624143b30050e63bed"
187b8101-4431-500f-88da-54709f51f2e6

Open Source version

If you are running the Open Source version of Mender, you won't have the tenantadm service. You can create users directly in the useradm pod:

useradm create-user --username "demo@mender.io" --password "demodemo"
187b8101-4431-500f-88da-54709f51f2e6

Test the service through the GUI

You can port-forward the mender-api-gateway Kubernetes service to verify the system is up and running:

kubectl port-forward service/mender-api-gateway 443:443

Contributing

We welcome and ask for your contribution. If you would like to contribute to Mender, please read our guide on how to best get started contributing code or documentation.

License

Mender is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Security disclosure

We take security very seriously. If you come across any issue regarding security, please disclose the information by sending an email to security@mender.io. Please do not create a new public issue. We thank you in advance for your cooperation.

Connect with us