Installing an agent relay in a Kubernetes cluster#

  1. The UrbanCode agent relay must have a UrbanCode Deploy server to connect to.
  2. A PersistentVolume (PV) that will hold the conf directory for the UrbanCode Deploy agent relay is required. This same PV is used to persist the agent relay cache data if caching is enabled and persisted. If your cluster supports dynamic volume provisioning you will not need to create a PV or PersistentVolumeClaim (PVC) before installing this chart. If your cluster does not support dynamic volume provisioning, you will need to either ensure a PV is available or you will need to create one before installing this chart. You can optionally create the PVC to bind it to a specific PV, or you can let the chart create a PVC and bind to any available PV that meets the required size and storage class. Sample YAML to create the PV and PVC are provided below.

    apiVersion: v1 kind: PersistentVolume metadata: name: ucdr-conf-vol labels: volume: ucdr-conf-vol spec: capacity: storage: 10Mi accessModes: ReadWriteOnce nfs: server: path: /volume1/k8/ucdr-conf kind: PersistentVolumeClaim apiVersion: v1 metadata: name: ucdr-conf-volc spec: storageClassName: "" accessModes: "ReadWriteOnce" resources: requests: storage: 10Mi selector: matchLabels: volume: ucdr-conf-vol

    Example setup scripts to create the Persistent Volume and Persistent Volume Claim are included in the Helm chart under pak_extensions/pre-install/persistentStorageAdministration directory.

  3. Secret - A Kubernetes Secret object must be created to store the CodeStation authentication token. The authentication token is retrieved during Helm chart installation. By default, the chart will look for a secret named 'HelmReleaseName-secrets' where 'HelmReleaseName' is the release name you give when installing this Helm chart. You can also create a secret with a different name and specify it in the field.

    The secret can be created either by using the Cluster Console or using the kubectl CLI.

    • Through the Cluster Console, create Secret objects in the target namespace.

      • Click on Configuration->Secrets in the left navigation view
      • Click the New Secret button
      • On the General tab:
        • Enter the name of the secret object. For example: MyRelease-secrets
        • Choose the namespace where the chart is to be installed.
      • On the Data tab:
        • Enter 'cspassword' in the Name field.
        • Use your favorite base64 encoding tool to encode the CodeStation authentication token and paste it into the Value field.
      • Click the Create button.
        • Through the kubectl CLI, create a Secret object in the target namespace. Generate the base64 encoded value for the CodeStation authentication token.


    echo -n 255b21b7-ca48-4f2e-95c0-048fdbff4197 | base64 MjU1YjIxYjctY2E0OC00ZjJlLTk1YzAtMDQ4ZmRiZmY0MTk3


    Create a file named secret.yaml with the following contents, using your Helm Relese name and base64 encoded values.


    apiVersion: v1 kind: Secret metadata: name: MyRelease-secrets type: Opaque data: cspassword: MjU1YjIxYjctY2E0OC00ZjJlLTk1YzAtMDQ4ZmRiZmY0MTk3


    Create the Secret using kubectl apply


    kubectl apply -f ./secret.yaml


    Delete or shred the secret.yaml file.

PodSecurityPolicy Requirements

This chart requires a PodSecurityPolicy to be bound to the target namespace prior to installation. Choose either a predefined PodSecurityPolicy or have your cluster administrator create a custom PodSecurityPolicy for you.

The predefined PodSecurityPolicy named ibm-restricted-psp has been verified for this chart, if your target namespace is bound to this PodSecurityPolicy you can proceed to install the chart.

This chart also defines a custom PodSecurityPolicy which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom PodSecurityPolicy using the Cluster Console user interface or the supplied instructions/scripts in the pak_extension pre-install directory.

Red Hat OpenShift SecurityContextConstraints Requirements

If running in a Red Hat OpenShift cluster, this chart requires a SecurityContextConstraints to be bound to the target namespace prior to installation. To meet this requirement there may be cluster scoped as well as namespace scoped pre and post actions that need to occur.

The predefined SecurityContextConstraints name: ibm-restricted-scc has been verified for this chart, if your target namespace is bound to this SecurityContextConstraints resource you can proceed to install the chart.

This chart defines a custom SecurityContextConstraints which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom SecurityContextConstraints resource using the supplied instructions or scripts in the pak_extensions/pre-install directory.

Resources Required

Kubernetes 1.9

  1. Complete the steps in Before you begin.

  2. Install the chart into the namespace 'default', with the release name my-ucdrelay, and reading all remaining installation values from a file named my-agent-values.yaml:

    $ helm install ibm-ucdr-prod-@helmchartversion@.tgz --namespace default --name my-ucdrelay -f my-relay-values.yaml --tls

    The below configuration section links to a list the parameters that can be set during installation.

    Tip: List all releases using helm list.

  3. To uninstall/delete the my-ucdrelay deployment:

    $ helm delete --purge my-ucdrelay --tls

    The command removes all the Kubernetes components associated with the chart and deletes the release.


Helm chart configuration parameters


See the Prerequisites section of this page for storage information.

Parent topic: Installing agent relays