Kubernetes Helm installation

To manage H2O.ai products on Kubernetes, Enterprise Steam needs to be installed as a Kubernetes operator. The Helm chart is the recommended way of installing Enterprise Steam.

Requirements

  • Kubernetes 1.10+

  • Helm 2.11+ (Helm 3 recommended)

  • Existing Kubernetes StorageClass

Helm

While this Helm Chart supports Helm 2.11+, all the steps below describe installation using Helm v3.

Downloading the chart

The latest version of the chart is always available on the Enterprise Steam download page.

Installing the Chart

To install the chart with the release name my-release:

helm install my-release ./enterprise-steam-1.9.8.tgz

Alternatively, a YAML file that specifies the values can be provided while installing the chart.

helm install my-release -f values.yaml ./enterprise-steam-1.9.8.tgz

The command deploys Enterprise Steam on the Kubernetes cluster in the default configuration. The Values section lists the values that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the my-release deployment:

helm delete my-release

Common configuration

Here is a list of common configurations. Feel free to combine them and see the full list of values below.

Install Enterprise Steam into the h2o namespace:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --namespace h2o

Set a custom Enterprise Steam Docker image name and tag:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --set image.repository=myrepo/enterprise-steam \
  --set image.tag=1.9.8

Set custom Enterprise Steam storage:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --set persistentVolume.size=256Gi

Set custom Enterprise Steam resources:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --set resources.limits.cpu=2 \
  --set resources.limits.memory=32Gi \
  --set resources.requests.cpu=1 \
  --set resources.requests.memory=8Gi

Set strict launch mode for Steam. In this mode, the Steam pod fails to launch if OIDC or Kubernetes services fail to start:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --set strictLaunch=true

Spawn a Load Balancer for Enterprise Steam:

helm install my-release ./enterprise-steam-1.9.8.tgz \
  --set service.type=LoadBalancer

Ingress example

This advanced example shows Enterprise Steam exposed via a TLS-secured Kubernetes Ingress.

  • my-storage-class is the StorageClass name that Steam will use to provision its storage

  • steam.mycluster.mycompany.com is the hostname where Enterprise Steam will be exposed

  • ingress-wildcard-cert is the name of the Kubernetes Secret that contains a TLS certificate valid for the steam.mycluster.mycompany.com domain

  • nginx is the IngressClass

Note: You must specify the kubernetes.io/ingress.class: nginx annotation instead of className: nginx for Kubernetes < 1.18

persistentVolume:
  storageClassName: "my-storage-class"

ingress:
  enabled: true
  className: nginx
  hosts:
    - host: steam.mycluster.mycompany.com
      paths: ["/"]

  tls:
    - secretName: ingress-wildcard-cert
      hosts:
        - steam.mycluster.mycompany.com

Save the file as steam-config.yaml and run:

helm install -f steam-config.yaml my-release ./enterprise-steam-1.9.8.tgz

After installation

Follow the instructions listed after you run helm install. Continue with the Logging-in section for more information.

Values

This is the list of all available values with their descriptions and default values.

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | Deployment affinity. |
| containerSecurityContext | object | `{"allowPrivilegeEscalation":false}` | Container security context. |
| extraEnv | list | `[]` | Extra 'env' passed to the container(s). |
| fullnameOverride | string | `""` | If you need to override the fully qualified app name. |
| image.pullPolicy | string | `"Always"` | Docker image pull policy. |
| image.pullSecrets | list | `[]` | Optional list of references to secrets in the same namespace to use for pulling the image |
| image.repository | string | `"h2oai/enterprise-steam"` | Application Docker repository. |
| image.tag | string | `""` | Application Docker tag / version. Defaults to the chart appVersion. |
| ingress.annotations | object | `{}` | Ingress annotations. |
| ingress.className | string | `""` | IngressClass name |
| ingress.enabled | bool | `false` | Ingress enabled. |
| ingress.hosts | list | `[{"host":"enterprise-steam.cluster.local","paths":["/"]}]` | Set Ingress host and paths. |
| ingress.tls | list | `[]` | Ingress TLS setting. Optionally enable TLS for Ingress. |
| nameOverride | string | `""` | If you need to override the name of the chart from 'enterprise-steam' to something else. |
| nodeSelector | object | `{}` | Deployment node selector. |
| persistentVolume.resourcePolicy | string | `""` | Set to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted. |
| persistentVolume.accessModes | list | `["ReadWriteOnce"]` | PersistentVolume access modes. Must match those of existing PV or dynamic provisioner. |
| persistentVolume.annotations | object | `{}` | PersistentVolumeClaim annotations. |
| persistentVolume.existingClaim | string | `""` | Set to use an existing PersistentVolumeClaim. If left empty, a new PersistentVolumeClaim will be created. |
| persistentVolume.size | string | `"64Gi"` | PersistentVolume Size. |
| persistentVolume.storageClassName | string | `""` | StorageClass name. If left empty, no storageClassName spec is set, choosing the default provisioner (gp2 on AWS, standard on GKE, etc.). |
| podAnnotations | object | `{}` | Deployment Pod annotations. |
| podLabels | object | `{}` | Deployment Pod labels. |
| podSecurityContext | object | `{"fsGroup":955,"runAsGroup":955,"runAsUser":955}` | Deployment/Pod security context. |
| resources | object | `{"limits":{"cpu":2,"memory":"8Gi"},"requests":{"cpu":2,"memory":"8Gi"}}` | Resources requested for Enterprise Steam Pod. Please adjust them as you like. Listed is the minimum spec. |
| service.annotations | object | `{}` | Service annotations. Includes example for use with LoadBalancer service type. |
| service.loadBalancerIP | string | `""` | LoadBalancer IP. Ignored if the type is not LoadBalancer or if the IP is empty string. |
| service.name | string | `""` | Service name is user-configurable for maximum service discovery flexibility. Leave empty for default Service name. |
| service.port | int | `9555` | Service port. |
| service.type | string | `"ClusterIP"` | Service type. |
| serviceAccount.allowClusterRolePrivileges | bool | `false` | Set to grant Enterprise Steam read access to some cluster-wide resources. See rbac.tpl for detail on what RBAC privileges are granted. |
| serviceAccount.annotations | object | `{}` | Annotations to add to the created ServiceAccount. |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. If you choose to provide an existing ServiceAccount make sure it has all necessary roles. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated. |
| serviceAccount.openshift | bool | `false` | Creates special apiGroups required in case of an OpenShift deployment. |
| serviceAccount.openshiftResourceNames | list | `["privileged"]` | Configurable resourceNames for OpenShift apiGroups. |
| strictLaunch | bool | `false` | Optional flag to set strict launch for Steam. If set to true, the Steam pod launch will fail if OIDC or Kubernetes services fail to initialize. |
| tolerations | list | `[]` | Deployment tolerations. |
| volumeMounts | list | `[]` | Deployment Pod volume mounts. |
| volumes | list | `[]` | Additional deployment Pod volumes. |
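
The check below is an added example, not part of the H2O.ai chart or its documentation. It audits a release's computed values (the JSON printed by `helm get values my-release --all -o json`) against the security-relevant keys in the Values table; the sample input and the function names `get` and `audit` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `helm get values my-release --all -o json`,
# using only keys from the Values table (not output from a real release).
SAMPLE_VALUES = json.loads("""{
  "service": {"type": "LoadBalancer", "port": 9555},
  "ingress": {"enabled": true, "className": "nginx", "tls": [],
              "hosts": [{"host": "steam.mycluster.mycompany.com", "paths": ["/"]}]},
  "containerSecurityContext": {"allowPrivilegeEscalation": true},
  "podSecurityContext": {"fsGroup": 955, "runAsGroup": 955, "runAsUser": 0},
  "serviceAccount": {"allowClusterRolePrivileges": true, "openshift": false},
  "persistentVolume": {"resourcePolicy": ""}
}""")

def get(values, dotted, default=None):
    """Look up a dotted key such as 'service.type' in nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return (key, message) pairs for settings a reviewer should look at."""
    findings = []
    # A missing key is flagged too: Kubernetes only blocks escalation when it is false.
    if get(values, "containerSecurityContext.allowPrivilegeEscalation") is not False:
        findings.append(("containerSecurityContext.allowPrivilegeEscalation", "not false (chart default is false)"))
    if get(values, "podSecurityContext.runAsUser") == 0:
        findings.append(("podSecurityContext.runAsUser", "pod runs as root (chart default is 955)"))
    if get(values, "serviceAccount.allowClusterRolePrivileges", False):
        findings.append(("serviceAccount.allowClusterRolePrivileges", "cluster-wide read access granted; see rbac.tpl"))
    if get(values, "service.type", "ClusterIP") != "ClusterIP":
        findings.append(("service.type", "Service is reachable without the Ingress, so ingress.tls does not apply"))
    if get(values, "ingress.enabled", False):
        # Every Ingress host should appear in some ingress.tls entry.
        tls_hosts = {h for entry in (get(values, "ingress.tls") or []) for h in entry.get("hosts", [])}
        for rule in get(values, "ingress.hosts") or []:
            if rule.get("host") not in tls_hosts:
                findings.append(("ingress.tls", f"no TLS entry covers {rule.get('host')}"))
    if get(values, "persistentVolume.resourcePolicy", "") != "keep":
        findings.append(("persistentVolume.resourcePolicy", "PVCs are deleted when the release is deleted"))
    return findings

if __name__ == "__main__":
    for key, message in audit(SAMPLE_VALUES):
        print(f"{key}: {message}")
```

An empty result means the release keeps the chart's restrictive defaults, serves every Ingress host over TLS, and retains its PVCs on delete.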