Mender
June 8, 2026 · View on GitHub
Mender is a robust and secure way to update all your software and deploy your IoT devices at scale with support for customization.
Installation
Please follow the official documentation for comprehensive installation guidelines.
Upgrading from Helm Chart 5.x and Meneder Server 3.7.x
Please refer to this document for the upgrade procedure details, or follow the official documentation.
Uninstalling the Chart
To uninstall/delete the my-release deployment:
helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
Complete list of parameters
The following table lists the global, default, and other parameters supported by the chart and their default values.
| Parameter | Description | Default |
|---|---|---|
global.enterprise | Enable the enterprise features | true |
global.hosted | Enabled Hosted Mender specific features | false |
global.priorityClassName | Optional pre-existing priorityClassName to be assigned to the workwloads | nil |
global.image.registry | Global Docker image registry | registry.mender.io |
global.image.username | Global Docker image registry username | nil |
global.image.password | Global Docker image registry username | password |
global.image.tag | Global Docker image registry tag | mender-3.7.7 |
global.mongodb.existingSecret | MongoDB existing secret with keys: MONGO and MONGO_URL both with MongoDB connection string format | null |
global.mongodb.URL | MongoDB URL | mongodb://mongodb |
global.nats.existingSecret | NATS existing secret with key: NATS_URI and NATS connection string nats://... | null |
global.nats.URL | NATS URL | nats://nats:4222 |
global.redis.URL | Optional Redis URL, used with an external service when redis.enabled=false | nil |
global.redis.existingSecret | Optional Redis URL from a secret, used with an external service when redis.enabled=false. The key has to be REDIS_CONNECTION_STRING | nil |
global.opensearch.URLs | Opensearch URLs | http://opensearch-cluster-master:9200 |
global.storage | Artifacts storage type (available types: aws and azure) | aws |
global.s3.AWS_URI | AWS S3 / MinIO URI | value from global.url |
global.s3.AWS_EXTERNAL_URI | External AWS S3 / MinIO URI | null |
global.s3.AWS_BUCKET | AWS S3 / MinIO bucket | minio-hosted-mender-artifacts |
global.s3.AWS_REGION | AWS S3 region | us-east-1 |
global.s3.AWS_ACCESS_KEY_ID | AWS S3 / MinIO key ID. An empty value will use credentials from the shared AWS credentials. | myaccesskey |
global.s3.AWS_SECRET_ACCESS_KEY | AWS S3 / MinIO access key | mysecretkey |
global.s3.AWS_SERVICE_ACCOUNT_NAME | Use K8s service account instead of AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY to access the bucket. | "" |
global.s3.AWS_FORCE_PATH_STYLE | Set the AWS S3 URI style to path | true |
global.s3.AWS_TAG_ARTIFACT | Tag the artifact in the AWS S3 storage service with the tenant ID | true |
global.s3.existingSecret | S3 existing secret containing the keys above: AWS_URI, AWS_BUCKET, AWS_REGION, ... | null |
global.azure.AUTH_CONNECTION_STRING | Azure Blob Storage connection string | "" |
global.azure.AUTH_SHARED_KEY_ACCOUNT_NAME | Azure Blob Storage shared key account name | "" |
global.azure.AUTH_SHARED_KEY_ACCOUNT_KEY | Azure Blob Storage shared key account key | "" |
global.azure.AUTH_SHARED_KEY_URI | Azure Blob Storage shared key URI | "" |
global.azure.CONTAINER_NAME | Azure Blob Storage container name | mender-artifact-storage |
global.smtp.existingSecret | Use an existing secret to get the env vars | nil |
global.smtp.EMAIL_SENDER | SMTP email sender | root@localhost |
global.smtp.SMTP_HOST | SMTP server address | localhost:25 |
global.smtp.SMTP_AUTH_MECHANISM | SMTP auth mechanism (Valid values: PLAIN, CRAM-MD5) | PLAIN |
global.smtp.SMTP_USERNAME | SMTP server username | null |
global.smtp.SMTP_PASSWORD | SMTP server password | null |
global.smtp.SMTP_SSL | Enable the SSL connection to the SMTP server | false |
global.url | Public URL of the Mender Server, replace with your domain | https://mender-api-gateway |
default.affinity | Optional affinity values that applies to all the resources | nil |
default.toleration | Optional toleration values that applies to all the resources | nil |
default.hpa | HorizontalPodAutoscaler support | nil |
default.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
default.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
default.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
default.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
default.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
default.pdb.enabled | PodDistruptionBudget enabled | false |
default.pdb.minAvailable | PodDistruptionBudget minAvailable | 1 |
default.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
default.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
default.updateStrategy | The strategy to use to update existing pods | rollingUpdate = { maxSurge = 25%, maxUnavailable = 0 } |
default.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
default.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
default.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
default.minReadySeconds | Wait before considering the new pod available | 0 |
ingress.enabled | Optional Mender Ingress | false |
dbmigration.enable | Helm Chart hook that trigger a DB Migration utility just before an Helm Chart install or upgrade | true |
device_license_count.enabled | Device license count feature - enterprise only | true |
serviceAccount.create | Create a custom ServiceAccount | false |
serviceAccount.name | Custom ServiceAccount name | nil |
serviceAccount.labels | ServiceAccount labels | nil |
serviceAccount.annotations | ServiceAccount annotations | nil |
fullnameOverride | Use a custom prefix for the resources, instead of using the helm chart name (default) | nil |
tests.enabled | Whether or not to run the helm tests after the chart install | false |
Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
helm install my-release \
--set mongodbRootPassword=secretpassword,mongodbUsername=my-user,mongodbPassword=my-password,mongodbDatabase=my-database \
./mender
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
helm install --name my-release -f values.yaml ./mender
Tip: You can use the default values.yaml
Parameters: api-gateway
The following table lists the parameters for the api-gateway component and their default values:
| Parameter | Description | Default |
|---|---|---|
api_gateway.enabled | Enable the component | true |
api_gateway.dashboard | Enable the Traefik dashboard (port 8080) | false |
api_gateway.image.registry | Docker image registry | docker.io |
api_gateway.image.repository | Docker image repository | traefik |
api_gateway.image.tag | Docker image tag | v2.5 |
api_gateway.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
api_gateway.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
api_gateway.nodeSelector | Node selection | {} |
api_gateway.deploymentAnnotations | add custom deployment annotations | nil |
api_gateway.podAnnotations | add custom pod annotations | nil |
api_gateway.replicas | Number of replicas | 1 |
api_gateway.affinity | Affinity map for the POD | {} |
api_gateway.httpPort | Port for the HTTP listener in the container | 9080 |
api_gateway.httpsPort | Port for the HTTPS listener in the container | 9443 |
api_gateway.resources.limits.cpu | Resources CPU limit | 600m |
api_gateway.resources.limits.memory | Resources memory limit | 1Gi |
api_gateway.resources.requests.cpu | Resources CPU request | 600m |
api_gateway.resources.requests.memory | Resources memory request | 512Mi |
api_gateway.service.name | Name of the service | mender-api-gateway |
api_gateway.service.annotations | Annotations map for the service | {} |
api_gateway.service.type | Service type | ClusterIP |
api_gateway.service.loadBalancerIP | Service load balancer IP | nil |
api_gateway.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
api_gateway.service.httpPort | Port for the HTTP service | 80 |
api_gateway.service.httpsPort | Port for the HTTPS service | 443 |
api_gateway.service.httpNodePort | Node port for the HTTP service | nil |
api_gateway.service.httpsNodePort | Node port for the HTTPS service | nil |
api_gateway.env.SSL | SSL termination flag | true |
api_gateway.minio.enabled | Enable routing of S3 requests to the minio service. [Deprecated from 5.5.0, use `api_gateway.storage_proxy`` instead] | true |
api_gateway.minio.url | URL of the minio service. [Deprecated from 5.5.0, use `api_gateway.storage_proxy`` instead] | http://minio:9000 |
api_gateway.storage_proxy.enabled | Enable storage proxy to the S3/minio service | false |
api_gateway.storage_proxy.url | URL of the storage proxy. Should point to the AWS Bucket/Minio URL | nil |
api_gateway.storage_proxy.customRule | Custom rules for the storage proxy. | HostRegexp(`{domain:^artifacts.*$}`) |
api_gateway.storage_proxy.passHostHeader | The passHostHeader allows to forward client Host header to server. | false |
api_gateway.rateLimit.average | See the Traefik rate limit configuration options | 100 |
api_gateway.rateLimit.burst | See the Traefik rate limit configuration options | 100 |
api_gateway.rateLimit.period | See the Traefik rate limit configuration options | 1s |
api_gateway.rateLimit.sourceCriterion | See the Traefik rate limit configuration options | {"ipStrategy": {"depth": 1}} |
api_gateway.extraArgs | Optional list of additional args for the api_gateway container. | null |
api_gateway.authRateLimit | Optional rate limiting for the Auth module only. See the Traefik rate limit configuration options | null |
api_gateway.podSecurityContext.enabled | Enable security context | false |
api_gateway.podSecurityContext.runAsNonRoot | Run as non-root user | true |
api_gateway.podSecurityContext.runAsUser | User ID for the pod | 65534 |
api_gateway.containerSecurityContext.enabled | Enable container security context | false |
api_gateway.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
api_gateway.containerSecurityContext.runAsUser | User ID for the container | 65534 |
api_gateway.compression | Enable Traefik Compression | true |
api_gateway.security_redirect | Custom redirect to a company security page | null |
api_gateway.minio.customRule | Custom redirect for MinIO. Uses the default one if not specified. [Deprecated from 5.5.0, use `api_gateway.storage_proxy`` instead] | null |
api_gateway.hpa | HorizontalPodAutoscaler support | nil |
api_gateway.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
api_gateway.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
api_gateway.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
api_gateway.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
api_gateway.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
api_gateway.pdb.enabled | PodDistruptionBudget enabled | nil |
api_gateway.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
api_gateway.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
api_gateway.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
api_gateway.certs | certificate management | nil |
api_gateway.certs.cert | Public certificate (with full chain optionally) in PEM format | nil |
api_gateway.certs.key | Private key in PEM format | nil |
api_gateway.certs.existingSecret | Preexisting secret containing the Cert (key cert.crt) and the Key (key private.key). Deprecation notice: these keys will be moved to tls.crt and tls.key respectively in the next releases. If you want to use it in advance, please enable featureGates.k8sTlsSecrets | nil |
api_gateway.updateStrategy | The strategy to use to update existing pods | nil |
api_gateway.accesslogs | Traefik Access Logs, enabled by default | true |
api_gateway.podMonitor.enabled | If enabled, creates a PodMonitor resource for scraping Traefik metrics | false |
api_gateway.podMonitor.customLabels | PodMonitor custom labels | nil |
api_gateway.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
api_gateway.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
api_gateway.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | 3 |
api_gateway.minReadySeconds | Wait before considering the new pod available | nil |
api_gateway.lifecycle | Container lifecycle hooks. Default preStop sleep gives the load balancer time to deregister the pod before SIGTERM. | {"preStop":{"sleep":{"seconds":30}}} |
api_gateway.terminationGracePeriodSeconds | Pod termination grace period. Must cover preStop sleep + drain time. | 60 |
Parameters: deployments
The following table lists the parameters for the deployments component and their default values:
| Parameter | Description | Default |
|---|---|---|
deployments.enabled | Enable the component | true |
deployments.automigrate | Enable automatic database migrations at service start up | false |
deployments.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
deployments.image.repository | Docker image repository | mendersoftware/deployments-enterprise if global.enterprise is true, else mendersoftware/deployments |
deployments.image.tag | Docker image tag | nil |
deployments.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
deployments.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
deployments.nodeSelector | Node selection | {} |
deployments.podAnnotations | add custom pod annotations | nil |
deployments.replicas | Number of replicas | 1 |
deployments.affinity | Affinity map for the POD | {} |
deployments.directUpload.enabled | Enable direct upload feature | true |
deployments.directUpload.jitter | Clock jitter - margin for removing expired objects | "3s" |
deployments.directUpload.skipVerify | Skip verification of artifact uploaded through direct upload. Only advised if you verified the direct upload through other means. | false |
deployments.daemonSchedule | Cron schedule for running the storage daemon | "15 * * * *" |
deployments.resources.limits.cpu | Resources CPU limit | 300m |
deployments.resources.limits.memory | Resources memory limit | 128Mi |
deployments.resources.requests.cpu | Resources CPU request | 300m |
deployments.resources.requests.memory | Resources memory request | 64Mi |
deployments.service.name | Name of the service | mender-deployments |
deployments.service.annotations | Annotations map for the service | {} |
deployments.service.type | Service type | ClusterIP |
deployments.service.loadBalancerIP | Service load balancer IP | nil |
deployments.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
deployments.service.port | Port for the service | 8080 |
deployments.service.nodePort | Node port for the service | nil |
deployments.env.DEPLOYMENTS_MIDDLEWARE | Set the DEPLOYMENTS_MIDDLEWARE variable | prod |
deployments.env.DEPLOYMENTS_PRESIGN_SECRET | Set the secret for generating signed url, must be a base64 encoded secret. | random value at start-up time |
deployments.presignSecretExistingSecret | Set the secret for generating signed url from an existing secret with the key PRESIGN_SECRET. | nil |
deployments.podSecurityContext.enabled | Enable security context | false |
deployments.podSecurityContext.runAsNonRoot | Run as non-root user | true |
deployments.podSecurityContext.runAsUser | User ID for the pod | 65534 |
deployments.containerSecurityContext.enabled | Enable container security context | false |
deployments.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
deployments.containerSecurityContext.runAsUser | User ID for the container | 65534 |
deployments.hpa | HorizontalPodAutoscaler support | nil |
deployments.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
deployments.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
deployments.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
deployments.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
deployments.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
deployments.pdb.enabled | PodDistruptionBudget enabled | nil |
deployments.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
deployments.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
deployments.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
deployments.migrationRestartPolicy | Migration job: restartPolicy option | Never |
deployments.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
deployments.updateStrategy | The strategy to use to update existing pods | nil |
deployments.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
deployments.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
deployments.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
deployments.mongodbExistingSecret | Use a different MongoDB secret for this service | nil |
deployments.minReadySeconds | Wait before considering the new pod available | nil |
deployments.storageMaxImageSize | Maximum Artifacts image size in bytes. | 10737418240 |
deployments.storageMaxGenerateDataSize | Maximum data size for requests to generate artifacts in bytes. | 536870912 |
Parameters: device-auth
The following table lists the parameters for the device-auth component and their default values:
| Parameter | Description | Default |
|---|---|---|
device_auth.enabled | Enable the component | true |
device_auth.automigrate | Enable automatic database migrations at service start up | false |
device_auth.image.registry | Docker image registry | docker.io |
device_auth.image.repository | Docker image repository | mendersoftware/deviceauth |
device_auth.image.tag | Docker image tag | nil |
device_auth.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
device_auth.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
device_auth.nodeSelector | Node selection | {} |
device_auth.podAnnotations | add custom pod annotations | nil |
device_auth.replicas | Number of replicas | 1 |
device_auth.affinity | Affinity map for the POD | {} |
device_auth.resources.limits.cpu | Resources CPU limit | 350m |
device_auth.resources.limits.memory | Resources memory limit | 128Mi |
device_auth.resources.requests.cpu | Resources CPU request | 350m |
device_auth.resources.requests.memory | Resources memory request | 128Mi |
device_auth.service.name | Name of the service | mender-device-auth |
device_auth.service.annotations | Annotations map for the service | {} |
device_auth.service.type | Service type | ClusterIP |
device_auth.service.loadBalancerIP | Service load balancer IP | nil |
device_auth.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
device_auth.service.port | Port for the service | 8080 |
device_auth.service.nodePort | Node port for the service | nil |
device_auth.env.DEVICEAUTH_JWT_ISSUER | Set the DEVICEAUTH_JWT_ISSUER variable | Mender |
device_auth.env.DEVICEAUTH_JWT_EXP_TIMEOUT | Set the DEVICEAUTH_JWT_EXP_TIMEOUT variable | 604800 |
device_auth.env.DEVICEAUTH_MIDDLEWARE | Set the DEVICEAUTH_MIDDLEWARE variable | prod |
device_auth.env.DEVICEAUTH_REDIS_KEY_PREFIX | Set the DEVICEAUTH_REDIS_KEY_PREFIX variable | deviceauth:v1 |
device_auth.env.DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC | Set the DEVICEAUTH_REDIS_LIMITS_EXPIRE_SEC variable | 3600 |
device_auth.env.DEVICEAUTH_REDIS_DB | Set the DEVICEAUTH_REDIS_DB variable [Deprecated from 3.7.0] | 1 |
device_auth.env.DEVICEAUTH_REDIS_TIMEOUT_SEC | Set the DEVICEAUTH_REDIS_TIMEOUT_SEC variable [Deprecated from 3.7.0] | 1 |
device_auth.podSecurityContext.enabled | Enable security context | false |
device_auth.podSecurityContext.runAsNonRoot | Run as non-root user | true |
device_auth.podSecurityContext.runAsUser | User ID for the pod | 65534 |
device_auth.containerSecurityContext.enabled | Enable container security context | false |
device_auth.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
device_auth.containerSecurityContext.runAsUser | User ID for the container | 65534 |
device_auth.hpa | HorizontalPodAutoscaler support | nil |
device_auth.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
device_auth.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
device_auth.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
device_auth.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
device_auth.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
device_auth.pdb.enabled | PodDistruptionBudget enabled | nil |
device_auth.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
device_auth.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
device_auth.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
device_auth.certs | certificate management | nil |
device_auth.certs.key | Private key in PEM format | nil |
device_auth.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
device_auth.migrationRestartPolicy | Migration job: restartPolicy option | Never |
device_auth.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
device_auth.updateStrategy | The strategy to use to update existing pods | nil |
device_auth.mountSecrets | Optional volumeMounts and volumes to inject a credential files in the workflows service | nil |
device_auth.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
device_auth.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
device_auth.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
device_auth.cronjobs.enabled | Enable optional maintenance cronjobs | false |
device_auth.cronjobs.jobs | List of optional maintenance cronjobs | nil |
device_auth.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: gui
The following table lists the parameters for the gui component and their default values:
| Parameter | Description | Default |
|---|---|---|
gui.enabled | Enable the component | true |
gui.image.registry | Docker image registry | docker.io |
gui.image.repository | Docker image repository | mendersoftware/gui |
gui.image.tag | Docker image tag | nil |
gui.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
gui.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
gui.nodeSelector | Node selection | {} |
gui.podAnnotations | add custom pod annotations | nil |
gui.replicas | Number of replicas | 1 |
gui.affinity | Affinity map for the POD | {} |
gui.resources.limits.cpu | Resources CPU limit | 20m |
gui.resources.limits.memory | Resources memory limit | 64Mi |
gui.resources.requests.cpu | Resources CPU request | 5m |
gui.resources.requests.memory | Resources memory request | 16Mi |
gui.service.name | Name of the service | mender-gui |
gui.service.annotations | Annotations map for the service | {} |
gui.service.type | Service type | ClusterIP |
gui.service.loadBalancerIP | Service load balancer IP | nil |
gui.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
gui.service.port | Port for the service | 80 |
gui.service.nodePort | Node port for the service | nil |
gui.httpPort | Port for the HTTP listener in the container | 80 |
gui.podSecurityContext.enabled | Enable security context | false |
gui.podSecurityContext.runAsNonRoot | Run as non-root user | true |
gui.podSecurityContext.runAsUser | User ID for the pod | 65534 |
gui.containerSecurityContext.enabled | Enable container security context | false |
gui.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
gui.containerSecurityContext.runAsUser | User ID for the container | 65534 |
gui.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
gui.updateStrategy | The strategy to use to update existing pods | nil |
gui.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
gui.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
gui.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
gui.probesOverrides.initialDelaySeconds | Override the initialDelaySeconds for every Readiness and Liveness probes. | 2 |
gui.probesOverrides.periodSeconds | Override the periodSeconds for every Readiness and Liveness probes. | 5 |
gui.hpa | HorizontalPodAutoscaler support | nil |
gui.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
gui.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
gui.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
gui.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
gui.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
gui.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: inventory
The following table lists the parameters for the inventory component and their default values:
| Parameter | Description | Default |
|---|---|---|
inventory.enabled | Enable the component | true |
inventory.automigrate | Enable automatic database migrations at service start up | false |
inventory.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
inventory.image.repository | Docker image repository | mendersoftware/inventory-enterprise if global.enterprise is true, else mendersoftware/inventory |
inventory.image.tag | Docker image tag | nil |
inventory.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
inventory.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
inventory.nodeSelector | Node selection | {} |
inventory.podAnnotations | add custom pod annotations | nil |
inventory.replicas | Number of replicas | 1 |
inventory.affinity | Affinity map for the POD | {} |
inventory.resources.limits.cpu | Resources CPU limit | 300m |
inventory.resources.limits.memory | Resources memory limit | 128Mi |
inventory.resources.requests.cpu | Resources CPU request | 300m |
inventory.resources.requests.memory | Resources memory request | 128Mi |
inventory.service.name | Name of the service | mender-inventory |
inventory.service.annotations | Annotations map for the service | {} |
inventory.service.type | Service type | ClusterIP |
inventory.service.loadBalancerIP | Service load balancer IP | nil |
inventory.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
inventory.service.port | Port for the service | 8080 |
inventory.service.nodePort | Node port for the service | nil |
inventory.env.INVENTORY_MIDDLEWARE | Set the INVENTORY_MIDDLEWARE variable | prod |
inventory.env.INVENTORY_REDIS_KEY_PREFIX | Set the INVENTORY_REDIS_KEY_PREFIX variable | inventory:v1 |
inventory.env.INVENTORY_REDIS_CACHE_EXPIRE_SEC | Set the INVENTORY_REDIS_CACHE_EXPIRE_SEC variable | 1800 |
inventory.podSecurityContext.enabled | Enable security context | false |
inventory.podSecurityContext.runAsNonRoot | Run as non-root user | true |
inventory.podSecurityContext.runAsUser | User ID for the pod | 65534 |
inventory.containerSecurityContext.enabled | Enable container security context | false |
inventory.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
inventory.containerSecurityContext.runAsUser | User ID for the container | 65534 |
inventory.hpa | HorizontalPodAutoscaler support | nil |
inventory.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
inventory.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
inventory.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
inventory.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
inventory.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
inventory.pdb.enabled | PodDistruptionBudget enabled | nil |
inventory.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
inventory.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
inventory.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
inventory.migrationRestartPolicy | Migration job: restartPolicy option | Never |
inventory.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
inventory.updateStrategy | The strategy to use to update existing pods | nil |
inventory.mongodbExistingSecret | Use a different MongoDB secret for this service | nil |
inventory.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
inventory.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
inventory.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
inventory.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: tenantadm
The following table lists the parameters for the tenantadm component and their default values:
| Parameter | Description | Default |
|---|---|---|
tenantadm.enabled | Enable the component | true |
tenantadm.image.registry | Docker image registry | registry.mender.io |
tenantadm.image.repository | Docker image repository | mendersoftware/tenantadm |
tenantadm.image.tag | Docker image tag | nil |
tenantadm.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
tenantadm.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
tenantadm.nodeSelector | Node selection | {} |
tenantadm.podAnnotations | add custom pod annotations | nil |
tenantadm.replicas | Number of replicas | 1 |
tenantadm.affinity | Affinity map for the POD | {} |
tenantadm.resources.limits.cpu | Resources CPU limit | 150m |
tenantadm.resources.limits.memory | Resources memory limit | 128Mi |
tenantadm.resources.requests.cpu | Resources CPU request | 150m |
tenantadm.resources.requests.memory | Resources memory request | 64Mi |
tenantadm.service.name | Name of the service | mender-tenantadm |
tenantadm.service.annotations | Annotations map for the service | {} |
tenantadm.service.type | Service type | ClusterIP |
tenantadm.service.loadBalancerIP | Service load balancer IP | nil |
tenantadm.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
tenantadm.service.port | Port for the service | 8080 |
tenantadm.service.nodePort | Node port for the service | nil |
tenantadm.env.TENANTADM_MIDDLEWARE | Set the TENANTADM_MIDDLEWARE variable | prod |
tenantadm.env.TENANTADM_SERVER_PRIV_KEY_PATH | Set the TENANTADM_SERVER_PRIV_KEY_PATH variable | /etc/tenantadm/rsa/private.pem |
tenantadm.env.TENANTADM_RECAPTCHA_URL_VERIFY | Set the TENANTADM_RECAPTCHA_URL_VERIFY variable | https://www.google.com/recaptcha/api/siteverify |
tenantadm.env.TENANTADM_DEFAULT_API_LIMITS | Set the TENANTADM_DEFAULT_API_LIMITS variable, defining the default rate limits | see below for the default values |
tenantadm.podSecurityContext.enabled | Enable security context | false |
tenantadm.podSecurityContext.runAsNonRoot | Run as non-root user | true |
tenantadm.podSecurityContext.runAsUser | User ID for the pod | 65534 |
tenantadm.containerSecurityContext.enabled | Enable container security context | false |
tenantadm.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
tenantadm.containerSecurityContext.runAsUser | User ID for the container | 65534 |
tenantadm.hpa | HorizontalPodAutoscaler support | nil |
tenantadm.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
tenantadm.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
tenantadm.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
tenantadm.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
tenantadm.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
tenantadm.pdb.enabled | PodDistruptionBudget enabled | nil |
tenantadm.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
tenantadm.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
tenantadm.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
tenantadm.certs | certificate management | nil |
tenantadm.certs.key | Private key in PEM format | nil |
tenantadm.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
tenantadm.migrationRestartPolicy | Migration job: restartPolicy option | Never |
tenantadm.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
tenantadm.migrationArgs | Migration job: optional migration args (list). | ["migrate"] |
tenantadm.updateStrategy | The strategy to use to update existing pods | nil |
tenantadm.mountSecrets | Optional volumeMounts and volumes to inject a credential files in the workflows service | nil |
tenantadm.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
tenantadm.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
tenantadm.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
tenantadm.cronjobs.enabled | Enable optional maintenance cronjobs | false |
tenantadm.cronjobs.jobs | List of optional maintenance cronjobs | nil |
tenantadm.minReadySeconds | Wait before considering the new pod available | nil |
The default value for the rate limits are:
- Management APIs rate limits, per user:
- 600 API calls/minute/user
- Device APIs rate limits, per device:
- 60 API calls/minute
- 1 API call/5 seconds for each API end-point
You can customize the default API limits setting a custom JSON document. See the default one here.
Parameters: useradm
The following table lists the parameters for the useradm component and their default values:
| Parameter | Description | Default |
|---|---|---|
useradm.enabled | Enable the component | true |
useradm.automigrate | Enable automatic database migrations at service start up | false |
useradm.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
useradm.image.repository | Docker image repository | mendersoftware/useradm-enterprise if global.enterprise is true, else mendersoftware/useradm |
useradm.image.tag | Docker image tag | nil |
useradm.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
useradm.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
useradm.nodeSelector | Node selection | {} |
useradm.podAnnotations | add custom pod annotations | nil |
useradm.replicas | Number of replicas | 1 |
useradm.affinity | Affinity map for the POD | {} |
useradm.resources.limits.cpu | Resources CPU limit | 150m |
useradm.resources.limits.memory | Resources memory limit | 128Mi |
useradm.resources.requests.cpu | Resources CPU request | 150m |
useradm.resources.requests.memory | Resources memory request | 64Mi |
useradm.service.name | Name of the service | mender-useradm |
useradm.service.annotations | Annotations map for the service | {} |
useradm.service.type | Service type | ClusterIP |
useradm.service.loadBalancerIP | Service load balancer IP | nil |
useradm.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
useradm.service.port | Port for the service | 8080 |
useradm.service.nodePort | Node port for the service | nil |
useradm.env.USERADM_PROXY_COUNT | Set the number of proxy gateways from the backend to client. | 2 |
useradm.env.USERADM_JWT_ISSUER | Set the USERADM_JWT_ISSUER variable | Mender Users |
useradm.env.USERADM_JWT_EXP_TIMEOUT | Set the USERADM_JWT_EXP_TIMEOUT variable | 604800 |
useradm.env.USERADM_MIDDLEWARE | Set the USERADM_MIDDLEWARE variable | prod |
useradm.env.USERADM_REDIS_KEY_PREFIX | Set the USERADM_REDIS_KEY_PREFIX variable | useradm:v1 |
useradm.env.USERADM_REDIS_LIMITS_EXPIRE_SEC | Set the USERADM_REDIS_LIMITS_EXPIRE_SEC variable | 3600 |
useradm.env.USERADM_REDIS_DB | Set the USERADM_REDIS_DB variable [Deprecated from 3.7.0] | 2 |
useradm.env.USERADM_REDIS_TIMEOUT_SEC | Set the USERADM_REDIS_TIMEOUT_SEC variable [Deprecated from 3.7.0] | 1 |
useradm.env.USERADM_TOTP_ISSUER | Set the USERADM_TOTP_ISSUER variable | Mender |
useradm.podSecurityContext.enabled | Enable security context | false |
useradm.podSecurityContext.runAsNonRoot | Run as non-root user | true |
useradm.podSecurityContext.runAsUser | User ID for the pod | 65534 |
useradm.containerSecurityContext.enabled | Enable container security context | false |
useradm.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
useradm.containerSecurityContext.runAsUser | User ID for the container | 65534 |
useradm.hpa | HorizontalPodAutoscaler support | nil |
useradm.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
useradm.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
useradm.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
useradm.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
useradm.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
useradm.pdb.enabled | PodDistruptionBudget enabled | nil |
useradm.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
useradm.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
useradm.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
useradm.certs | certificate management | nil |
useradm.certs.key | Private key in PEM format | nil |
useradm.certs.existingSecret | Preexisting secret containing the private key (key private.pem) | nil |
useradm.migrationRestartPolicy | Migration job: restartPolicy option | Never |
useradm.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
useradm.updateStrategy | The strategy to use to update existing pods | nil |
useradm.mountSecrets | Optional volumeMounts and volumes to inject a credential files in the workflows service | nil |
useradm.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
useradm.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
useradm.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
useradm.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: workflows
The following table lists the parameters for the workflows-server component and their default values:
| Parameter | Description | Default |
|---|---|---|
workflows.enabled | Enable the component | true |
workflows.automigrate | Enable automatic database migrations at service start up | false |
workflows.image.registry | Docker image registry | registry.mender.io if global.enterprise is true, else docker.io |
workflows.image.repository | Docker image repository | mendersoftware/workflows-enterprise if global.enterprise is true, else mendersoftware/workflows |
workflows.image.tag | Docker image tag | nil |
workflows.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
workflows.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
workflows.nodeSelector | Node selection | {} |
workflows.nats.replicas | Number of NATS replicas | 3 |
workflows.podAnnotations | add custom pod annotations | nil |
workflows.replicas | Number of replicas | 1 |
workflows.affinity | Affinity map for the POD | {} |
workflows.resources.limits.cpu | Resources CPU limit | 100m |
workflows.resources.limits.memory | Resources memory limit | 128Mi |
workflows.resources.requests.cpu | Resources CPU request | 10m |
workflows.resources.requests.memory | Resources memory request | 64Mi |
workflows.service.name | Name of the service | mender-workflows-server |
workflows.service.annotations | Annotations map for the service | {} |
workflows.service.type | Service type | ClusterIP |
workflows.service.loadBalancerIP | Service load balancer IP | nil |
workflows.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
workflows.service.port | Port for the service | 8080 |
workflows.service.nodePort | Node port for the service | nil |
workflows.podSecurityContext.enabled | Enable security context | false |
workflows.podSecurityContext.runAsNonRoot | Run as non-root user | true |
workflows.podSecurityContext.runAsUser | User ID for the pod | 65534 |
workflows.containerSecurityContext.enabled | Enable container security context | false |
workflows.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
workflows.containerSecurityContext.runAsUser | User ID for the container | 65534 |
workflows.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
workflows.migrationRestartPolicy | Migration job: restartPolicy option | Never |
workflows.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
workflows.updateStrategy | The strategy to use to update existing pods | nil |
workflows.mountSecrets | Optional volumeMounts and volumes to inject a credential files in the workflows service | nil |
workflows.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
workflows.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
workflows.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
workflows.minReadySeconds | Wait before considering the new pod available | nil |
workflows.hpa | HorizontalPodAutoscaler support. Please use an external metric targeting the NATS queue for it1. | nil |
Prometheus Adapter Configuration for workflows HPA
Prometheus Adapter configuration (e.g., in your prometheus-adapter Helm values):
prometheus:
url: http://prometheus-operated.monitoring.svc.cluster.local
port: 9090
rules:
default: false
custom: []
external:
- seriesQuery: 'nats_consumer_num_pending{stream_name=~".+"}'
resources:
overrides:
namespace: {resource: "namespace"}
name:
as: "nats_consumer_lag"
metricsQuery: 'sum(nats_consumer_num_pending{<<.LabelMatchers>>}) by (stream_name, consumer_name, namespace)'
Example HPA configuration for the workflows service:
workflows:
hpa:
enabled: true
minReplicas: 1
maxReplicas: 5
metrics:
- type: External
external:
metric:
name: nats_consumer_lag
selector:
matchLabels:
consumer_name: workflows-worker
target:
type: Value
value: "50" # Scale up when 50+ messages are pending
This configuration will automatically scale the workflows worker pods based on the NATS queue depth, ensuring efficient processing of pending workflow jobs.
Parameters: create_artifact_worker
The following table lists the parameters for the create-artifact-worker component and their default values:
| Parameter | Description | Default |
|---|---|---|
create_artifact_worker.enabled | Enable the component | true |
create_artifact_worker.automigrate | Enable automatic database migrations at service start up | false |
create_artifact_worker.image.registry | Docker image registry | docker.io |
create_artifact_worker.image.repository | Docker image repository | mendersoftware/create-artifact-worker |
create_artifact_worker.image.tag | Docker image tag | nil |
create_artifact_worker.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
create_artifact_worker.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
create_artifact_worker.nodeSelector | Node selection | {} |
create_artifact_worker.podAnnotations | add custom pod annotations | nil |
create_artifact_worker.replicas | Number of replicas | 1 |
create_artifact_worker.affinity | Affinity map for the POD | {} |
create_artifact_worker.resources.limits.cpu | Resources CPU limit | 100m |
create_artifact_worker.resources.limits.memory | Resources memory limit | 1024Mi |
create_artifact_worker.resources.requests.cpu | Resources CPU request | 100m |
create_artifact_worker.resources.requests.memory | Resources memory request | 128Mi |
create_artifact_worker.podSecurityContext.enabled | Enable security context | false |
create_artifact_worker.podSecurityContext.runAsNonRoot | Run as non-root user | true |
create_artifact_worker.podSecurityContext.runAsUser | User ID for the pod | 65534 |
create_artifact_worker.containerSecurityContext.enabled | Enable container security context | false |
create_artifact_worker.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
create_artifact_worker.containerSecurityContext.runAsUser | User ID for the container | 65534 |
create_artifact_worker.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
create_artifact_worker.updateStrategy | The strategy to use to update existing pods | nil |
create_artifact_worker.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: auditlogs
The following table lists the parameters for the auditlogs component and their default values:
| Parameter | Description | Default |
|---|---|---|
auditlogs.enabled | Enable the component | true |
auditlogs.automigrate | Enable automatic database migrations at service start up | false |
auditlogs.image.registry | Docker image registry | registry.mender.io |
auditlogs.image.repository | Docker image repository | mendersoftware/auditlogs |
auditlogs.image.tag | Docker image tag | nil |
auditlogs.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
auditlogs.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
auditlogs.nodeSelector | Node selection | {} |
auditlogs.podAnnotations | add custom pod annotations | nil |
auditlogs.logRetentionSeconds | Seconds before an audit event is evicted from the database | 7776000 |
auditlogs.replicas | Number of replicas | 1 |
auditlogs.affinity | Affinity map for the POD | {} |
auditlogs.resources.limits.cpu | Resources CPU limit | 50m |
auditlogs.resources.limits.memory | Resources memory limit | 128Mi |
auditlogs.resources.requests.cpu | Resources CPU request | 50m |
auditlogs.resources.requests.memory | Resources memory request | 128Mi |
auditlogs.service.name | Name of the service | mender-auditlogs |
auditlogs.service.annotations | Annotations map for the service | {} |
auditlogs.service.type | Service type | ClusterIP |
auditlogs.service.loadBalancerIP | Service load balancer IP | nil |
auditlogs.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
auditlogs.service.port | Port for the service | 8080 |
auditlogs.service.nodePort | Node port for the service | nil |
auditlogs.podSecurityContext.enabled | Enable security context | false |
auditlogs.podSecurityContext.runAsNonRoot | Run as non-root user | true |
auditlogs.podSecurityContext.runAsUser | User ID for the pod | 65534 |
auditlogs.containerSecurityContext.enabled | Enable container security context | false |
auditlogs.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
auditlogs.containerSecurityContext.runAsUser | User ID for the container | 65534 |
auditlogs.hpa | HorizontalPodAutoscaler support | nil |
auditlogs.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
auditlogs.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
auditlogs.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
auditlogs.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
auditlogs.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
auditlogs.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
auditlogs.migrationRestartPolicy | Migration job: restartPolicy option | Never |
auditlogs.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
auditlogs.updateStrategy | The strategy to use to update existing pods | nil |
auditlogs.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
auditlogs.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
auditlogs.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
auditlogs.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: iot-manager
The following table lists the parameters for the iot-manager component and their default values:
| Parameter | Description | Default |
|---|---|---|
iot_manager.enabled | Enable the component | true |
iot_manager.automigrate | Enable automatic database migrations at service start up | false |
iot_manager.image.registry | Docker image registry | docker.io |
iot_manager.image.repository | Docker image repository | mendersoftware/iot-manager |
iot_manager.image.tag | Docker image tag | nil |
iot_manager.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
iot_manager.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
iot_manager.nodeSelector | Node selection | {} |
iot_manager.image.podAnnotations | add custom pod annotations | nil |
iot_manager.replicas | Number of replicas | 1 |
iot_manager.affinity | Affinity map for the POD | {} |
iot_manager.resources.limits.cpu | Resources CPU limit | 50m |
iot_manager.resources.limits.memory | Resources memory limit | 128Mi |
iot_manager.resources.requests.cpu | Resources CPU request | 50m |
iot_manager.resources.requests.memory | Resources memory request | 128Mi |
iot_manager.service.name | Name of the service | mender-iot-manager |
iot_manager.service.annotations | Annotations map for the service | {} |
iot_manager.service.type | Service type | ClusterIP |
iot_manager.service.loadBalancerIP | Service load balancer IP | nil |
iot_manager.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
iot_manager.service.port | Port for the service | 8080 |
iot_manager.service.nodePort | Node port for the service | nil |
iot_manager.podSecurityContext.enabled | Enable security context | false |
iot_manager.podSecurityContext.runAsNonRoot | Run as non-root user | true |
iot_manager.podSecurityContext.runAsUser | User ID for the pod | 65534 |
iot_manager.containerSecurityContext.enabled | Enable container security context | false |
iot_manager.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
iot_manager.containerSecurityContext.runAsUser | User ID for the container | 65534 |
iot_manager.hpa | HorizontalPodAutoscaler support | nil |
iot_manager.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
iot_manager.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
iot_manager.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
iot_manager.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
iot_manager.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
iot_manager.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
iot_manager.migrationRestartPolicy | Migration job: restartPolicy option | Never |
iot_manager.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
iot_manager.updateStrategy | The strategy to use to update existing pods | nil |
iot_manager.aesEncryptionKey.existingSecret | Optional secret containing the AES encryption key. The secret key must be AES_ENCRYPTION_KEY | nil |
iot_manager.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
iot_manager.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
iot_manager.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
iot_manager.cronjobs.enabled | Enable optional maintenance cronjobs | false |
iot_manager.cronjobs.jobs | List of optional maintenance cronjobs | nil |
iot_manager.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: deviceconnect
The following table lists the parameters for the deviceconnect component and their default values:
| Parameter | Description | Default |
|---|---|---|
deviceconnect.enabled | Enable the component | true |
deviceconnect.automigrate | Enable automatic database migrations at service start up | false |
deviceconnect.image.registry | Docker image registry | docker.io |
deviceconnect.image.repository | Docker image repository | mendersoftware/deviceconnect |
deviceconnect.image.tag | Docker image tag | nil |
deviceconnect.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
deviceconnect.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
deviceconnect.nodeSelector | Node selection | {} |
deviceconnect.podAnnotations | add custom pod annotations | nil |
deviceconnect.replicas | Number of replicas | 1 |
deviceconnect.affinity | Affinity map for the POD | {} |
deviceconnect.resources.limits.cpu | Resources CPU limit | 100m |
deviceconnect.resources.limits.memory | Resources memory limit | 128Mi |
deviceconnect.resources.requests.cpu | Resources CPU request | 100m |
deviceconnect.resources.requests.memory | Resources memory request | 128Mi |
deviceconnect.service.name | Name of the service | mender-deviceconnect |
deviceconnect.service.annotations | Annotations map for the service | {} |
deviceconnect.service.type | Service type | ClusterIP |
deviceconnect.service.loadBalancerIP | Service load balancer IP | nil |
deviceconnect.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
deviceconnect.service.port | Port for the service | 8080 |
deviceconnect.service.nodePort | Node port for the service | nil |
deviceconnect.podSecurityContext.enabled | Enable security context | false |
deviceconnect.podSecurityContext.runAsNonRoot | Run as non-root user | true |
deviceconnect.podSecurityContext.runAsUser | User ID for the pod | 65534 |
deviceconnect.containerSecurityContext.enabled | Enable container security context | false |
deviceconnect.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
deviceconnect.containerSecurityContext.runAsUser | User ID for the container | 65534 |
deviceconnect.hpa | HorizontalPodAutoscaler support | nil |
deviceconnect.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
deviceconnect.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
deviceconnect.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
deviceconnect.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
deviceconnect.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
deviceconnect.gracefulShutdownTimeout | Timeout for the graceful shutdown | 60s |
deviceconnect.terminationGracePeriodSeconds | Termination grace period in seconds | 65 |
deviceconnect.pdb.enabled | PodDistruptionBudget enabled | nil |
deviceconnect.pdb.minAvailable | PodDistruptionBudget minAvailable | nil |
deviceconnect.pdb.maxUnavailable | PodDistruptionBudget maxUnavailable | nil |
deviceconnect.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
deviceconnect.migrationRestartPolicy | Migration job: restartPolicy option | Never |
deviceconnect.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
deviceconnect.updateStrategy | The strategy to use to update existing pods | nil |
deviceconnect.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
deviceconnect.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
deviceconnect.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
deviceconnect.minreadyseconds | wait before considering the new pod available | nil |
Parameters: deviceconfig
The following table lists the parameters for the deviceconfig component and their default values:
| Parameter | Description | Default |
|---|---|---|
deviceconfig.enabled | Enable the component | true |
deviceconfig.automigrate | Enable automatic database migrations at service start up | false |
deviceconfig.image.registry | Docker image registry | docker.io |
deviceconfig.image.repository | Docker image repository | mendersoftware/deviceconfig |
deviceconfig.image.tag | Docker image tag | nil |
deviceconfig.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
deviceconfig.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
deviceconfig.nodeSelector | Node selection | {} |
deviceconfig.podAnnotations | add custom pod annotations | nil |
deviceconfig.replicas | Number of replicas | 1 |
deviceconfig.affinity | Affinity map for the POD | {} |
deviceconfig.resources.limits.cpu | Resources CPU limit | 100m |
deviceconfig.resources.limits.memory | Resources memory limit | 128Mi |
deviceconfig.resources.requests.cpu | Resources CPU request | 100m |
deviceconfig.resources.requests.memory | Resources memory request | 128Mi |
deviceconfig.service.name | Name of the service | mender-deviceconfig |
deviceconfig.service.annotations | Annotations map for the service | {} |
deviceconfig.service.type | Service type | ClusterIP |
deviceconfig.service.loadBalancerIP | Service load balancer IP | nil |
deviceconfig.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
deviceconfig.service.port | Port for the service | 8080 |
deviceconfig.service.nodePort | Node port for the service | nil |
deviceconfig.podSecurityContext.enabled | Enable security context | false |
deviceconfig.podSecurityContext.runAsNonRoot | Run as non-root user | true |
deviceconfig.podSecurityContext.runAsUser | User ID for the pod | 65534 |
deviceconfig.containerSecurityContext.enabled | Enable container security context | false |
deviceconfig.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
deviceconfig.containerSecurityContext.runAsUser | User ID for the container | 65534 |
deviceconfig.hpa | HorizontalPodAutoscaler support | nil |
deviceconfig.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
deviceconfig.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
deviceconfig.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
deviceconfig.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
deviceconfig.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
deviceconfig.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
deviceconfig.migrationRestartPolicy | Migration job: restartPolicy option | Never |
deviceconfig.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
deviceconfig.updateStrategy | The strategy to use to update existing pods | nil |
deviceconfig.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
deviceconfig.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
deviceconfig.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
deviceconfig.minreadyseconds | wait before considering the new pod available | nil |
Parameters: devicemonitor
The following table lists the parameters for the devicemonitor component and their default values:
| Parameter | Description | Default |
|---|---|---|
devicemonitor.enabled | Enable the component | true |
devicemonitor.automigrate | Enable automatic database migrations at service start up | false |
devicemonitor.image.registry | Docker image registry | registry.mender.io |
devicemonitor.image.repository | Docker image repository | mendersoftware/devicemonitor |
devicemonitor.image.tag | Docker image tag | nil |
devicemonitor.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
devicemonotor.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
devicemonitor.nodeSelector | Node selection | {} |
devicemonitor.podAnnotations | add custom pod annotations | nil |
devicemonitor.replicas | Number of replicas | 1 |
devicemonitor.affinity | Affinity map for the POD | {} |
devicemonitor.resources.limits.cpu | Resources CPU limit | 100m |
devicemonitor.resources.limits.memory | Resources memory limit | 128Mi |
devicemonitor.resources.requests.cpu | Resources CPU request | 100m |
devicemonitor.resources.requests.memory | Resources memory request | 128Mi |
devicemonitor.service.name | Name of the service | mender-devicemonitor |
devicemonitor.service.annotations | Annotations map for the service | {} |
devicemonitor.service.type | Service type | ClusterIP |
devicemonitor.service.loadBalancerIP | Service load balancer IP | nil |
devicemonitor.service.loadBalancerSourceRanges | Service load balancer source ranges | nil |
devicemonitor.service.port | Port for the service | 8080 |
devicemonitor.service.nodePort | Node port for the service | nil |
devicemonitor.podSecurityContext.enabled | Enable security context | false |
devicemonitor.podSecurityContext.runAsNonRoot | Run as non-root user | true |
devicemonitor.podSecurityContext.runAsUser | User ID for the pod | 65534 |
devicemonitor.containerSecurityContext.enabled | Enable container security context | false |
devicemonitor.containerSecurityContext.allowPrivilegeEscalation | Allow privilege escalation for container | false |
devicemonitor.containerSecurityContext.runAsUser | User ID for the container | 65534 |
devicemonitor.hpa | HorizontalPodAutoscaler support | nil |
devicemonitor.hpa.enabled | HorizontalPodAutoscaler enabled | nil |
devicemonitor.hpa.minReplicas | HorizontalPodAutoscaler minReplicas | nil |
devicemonitor.hpa.maxReplicas | HorizontalPodAutoscaler maxReplicas | nil |
devicemonitor.hpa.metrics | HorizontalPodAutoscaler metrics as defined in the reference | nil |
devicemonitor.hpa.behavior | HorizontalPodAutoscaler behavior as defined in the reference | nil |
devicemonitor.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
devicemonitor.migrationRestartPolicy | Migration job: restartPolicy option | Never |
devicemonitor.migrationResources | Migration job: optional K8s resources. If not specified, uses the deployment resources | nil |
devicemonitor.updateStrategy | The strategy to use to update existing pods | nil |
devicemonitor.probesOverrides.successThreshold | Override the successThreshold for every Readiness and Liveness probes. | nil |
devicemonitor.probesOverrides.timeoutSeconds | Override the timeoutSeconds for every Readiness and Liveness probes. | nil |
devicemonitor.probesOverrides.failureThreshold | Override the failureThreshold for every Readiness and Liveness probes. | nil |
devicemonitor.minreadyseconds | wait before considering the new pod available | nil |
Parameters: generate_delta_worker
Please notice that this feature is still under active development and it is disabled by default
The following table lists the parameters for the generate-delta-worker component and their default values:
| Parameter | Description | Default |
|---|---|---|
generate_delta_worker.enabled | Enable the component | false |
generate_delta_worker.automigrate | Enable automatic database migrations at service start up | false |
generate_delta_worker.image.registry | Docker image registry | registry.mender.io |
generate_delta_worker.image.repository | Docker image repository | mendersoftware/generate-delta-worker |
generate_delta_worker.image.tag | Docker image tag | nil |
generate_delta_worker.image.imagePullPolicy | Docker image pull policy | IfNotPresent |
generate_delta_worker.imagePullSecrets | Optional list of existing Image Pull Secrets in the format of - name: my-custom-secret | [] |
generate_delta_worker.nodeSelector | Node selection | {} |
generate_delta_worker.podAnnotations | add custom pod annotations | nil |
generate_delta_worker.replicas | Number of replicas | 1 |
generate_delta_worker.persistence.enabled | Enable persistence of the work directory (PVC template) | true |
generate_delta_worker.persistence.accessModes | Access modes for the volumes created by the StatefulSet | ["ReadWriteOnce"] |
generate_delta_worker.persistence.size | Size of the volumes (per replica) | 40Gi |
generate_delta_worker.persistence.storageClass | Storage class for the volumes created by the StatefulSet | "" (default) |
generate_delta_worker.persistence.retention.whenDeleted | Volume retention policy when StatefulSet is deleted | "Retain" |
generate_delta_worker.persistence.retention.whenScaled | Volume retention policy when StatefulSet is scaled (down) | "Delete" |
generate_delta_worker.affinity | Affinity map for the POD | {} |
generate_delta_worker.resources.limits.cpu | Resources CPU limit | 100m |
generate_delta_worker.resources.limits.memory | Resources memory limit | 1024Mi |
generate_delta_worker.resources.requests.cpu | Resources CPU request | 100m |
generate_delta_worker.resources.requests.memory | Resources memory request | 128Mi |
generate_delta_worker.priorityClassName | Optional pre-existing priorityClassName to be assigned to the resource | nil |
generate_delta_worker.updateStrategy | The strategy to use to update existing pods | nil |
generate_delta_worker.minReadySeconds | Wait before considering the new pod available | nil |
Parameters: redis
The following table lists the parameters for the redis component and their default values:
| Parameter | Description | Default |
|---|---|---|
redis.enabled | Enable the component | false |
redis.image.repository | Docker image repository | redis |
redis.image.tag | Docker image tag | 8.2.1-alpine |
redis.image.pullPolicy | Docker image pull policy | IfNotPresent |
redis.imagePullSecrets | List of pre-existing secrets, with the format of - name: my-secret | nil |
redis.auth.enabled | Whether to enable the authentication | true |
redis.auth.password | Default sample password to be changed | changemeplease |
redis.maxMemory | Memory Tuning | 256mb |
redis.maxMemoryPolicy | Memory Tuning | allkeys-lru |
redis.persistence.enabled | Whether to enable persistence | false |
redis.persistence.size | Persistence size | 8Gi |
redis.persistence.accessMode | Storage access mode | ReadWriteOnce |
redis.resources.limits.cpu | Deployment resources | 500m |
redis.resources.limits.memory | Deployment resources | 512Mi |
redis.resources.requests.cpu | Deployment resources | 100m |
redis.resources.requests.memory | Deployment resources | 256Mi |
redis.securityContext.enabled | Whether to enable the securityContext | true |
redis.securityContext.runAsUser | SecurityContext runAsUser | 999 |
redis.securityContext.fsGroup | SecurityContext fsGroup | 999 |
redis.extraFlags | Optional extra Flags for redis | nil |
redis.config | Optional extra config for redis | nil |
Parameters: mongodb
The following table lists the parameters for the mongodb component and their default values:
| Parameter | Description | Default |
|---|---|---|
mongodb.enabled | Enable the component | true |
mongodb.image.repository | Docker image repository | mongo |
mongodb.image.tag | Docker image tag | `8.0.13 |
mongodb.image.pullPolicy | Docker image pull policy | IfNotPresent |
mongodb.imagePullSecrets | List of pre-existing secrets, with the format of - name: my-secret | nil |
mongodb.auth.enabled | Whether to enable the authentication | true |
mongodb.auth.rootUsername | Default root user | root |
mongodb.auth.rootPassword | Default sample root password to be changed | changemeplease |
mongodb.auth.database | Default database | mender |
mongodb.resources.limits.cpu | Deployment resources | 1 |
mongodb.resources.limits.memory | Deployment resources | 1Gi |
mongodb.resources.requests.cpu | Deployment resources | 500m |
mongodb.resources.requests.memory | Deployment resources | 512Mi |
mongodb.persistence.enabled | Whether to enable persistence | false |
mongodb.persistence.size | Persistence size | 8Gi |
mongodb.persistence.accessMode | Storage access mode | ReadWriteOnce |
mongodb.initScripts | Optional initScripts | nil |
Parameters: featureGates
The special parameter featureGates is used to enable specific features
that are still under development or are going to replace existing ones.
The following table lists the parameters:
| Parameter | Description | Default |
|---|---|---|
featureGates.k8sTlsSecrets | Use K8s TLS Secret type for the API Gateway: tls.crt and tls.key instead of cert.crt and private.key | false |
Create a tenant and a user from command line
Enterprise version
You can create a tenant from the command line of the tenantadm pod; the value printed is the newly generated tenant ID:
tenantadm create-org --name demo --username "admin@mender.io" --password "adminadmin" --plan enterprise
5dcd71624143b30050e63bed
You can create additional useres from the command line of the useradm pod:
useradm-enterprise create-user --username "demo@mender.io" --password "demodemo" --tenant-id "5dcd71624143b30050e63bed"
187b8101-4431-500f-88da-54709f51f2e6
Open Source version
If you are running the Open Source version of Mender, you won't have the tenantadm service.
You can create users directly in the useradm pod:
useradm create-user --username "demo@mender.io" --password "demodemo"
187b8101-4431-500f-88da-54709f51f2e6
Test the service through the GUI
You can port-forward the mender-api-gateway Kubernetes service to verify the system is up and running:
kubectl port-forward service/mender-api-gateway 443:443
Contributing
We welcome and ask for your contribution. If you would like to contribute to Mender, please read our guide on how to best get started contributing code or documentation.
License
Mender is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.
Security disclosure
We take security very seriously. If you come across any issue regarding security, please disclose the information by sending an email to security@mender.io. Please do not create a new public issue. We thank you in advance for your cooperation.
Connect with us
- Join the Mender Hub discussion forum
- Follow us on Twitter. Please feel free to tweet us questions.
- Fork us on Github
- Create an issue in the bugtracker
- Email us at contact@mender.io
- Connect to the #mender IRC channel on Libera
Footnotes
-
To use the HPA with external metrics based on NATS queue depth, you need to configure the Prometheus Adapter to expose the NATS consumer lag as an external metric. Below is a sample configuration: ↩