Installing an agent in an OpenShift/Kubernetes cluster#

UrbanCode Deploy Agent is a tool for automating application deployments through your environments. It is designed to facilitate rapid feedback and continuous delivery in agile development while providing the audit trails, versioning and approvals needed in production.


This chart deploys a single instance of the UrbanCode Deploy agent that may be scaled to multiple instances.

Chart Details


  1. Kubernetes 1.9+; kubectl and oc CLI; Helm/Tiller 2.9.1;
  2. Image and Helm Chart - The UrbanCode Deploy agent image and helm chart can be accessed either via the Entitled Registry and public Helm repository, or by downloading a Passport Advantage archive (PPA) and loading the image and helm chart into your own image registry and helm repository.

    • Entitled Registry
      • The public Helm chart repository can be accessed at and directions for accessing the UrbanCode Deploy server chart is discussed in Installing the Chart section below.
      • Get a key to the entitled registry
        • Log in to MyHCL Container Software Library with the HCLid and password that are associated with the entitled software.
        • In the Entitlement keys section, select Copy key to copy the entitlement key to the clipboard.
        • An imagePullSecret must be created to be able to authenticate and pull images from the Entitled Registry. Once this secret has been created you will specify the secret name as the value for the image.secret parameter in the values.yaml you provide to 'helm install ...' Note: Secrets are namespace scoped, so they must be created in every namespace you plan to install UCD into. Example Docker registry secret to access Entitled Registry with an Entitlement key. ``` oc create secret docker-registry entitledregistry-secret --docker-username=cp --docker-password=


    • Passport Advantage archive
    • The UrbanCode agent must have a UrbanCode Deploy server or relay to connect to.
    • A PersistentVolume that will hold the conf directory for the UrbanCode Deploy agent is required. If your cluster supports dynamic volume provisioning you will not need to create a PersistentVolume (PV) or PersistentVolumeClaim (PVC) before installing this chart. If your cluster does not support dynamic volume provisioning, you will need to either ensure a PV is available or you will need to create one before installing this chart. You can optionally create the PVC to bind it to a specific PV, or you can let the chart create a PVC and bind to any available PV that meets the required size and storage class. Sample YAML to create the PV and PVC are provided below.

apiVersion: v1
kind: PersistentVolume
name: ucda-conf-vol
volume: ucda-conf-vol
storage: 10Mi
- ReadWriteOnce
path: /volume1/k8/ucda-conf
kind: PersistentVolumeClaim
apiVersion: v1
name: ucda-conf-volc
storageClassName: ""
- "ReadWriteOnce"
storage: 10Mi
volume: ucda-conf-vol

Example setup scripts to create the Persistent Volume and Persistent Volume Claim are included in the Helm chart under pak_extensions/pre-install/persistentStorageAdministration directory.

PodSecurityPolicy Requirements

If you are running on OpenShift, skip this section and continue to the SecurityContextConstraints Requirements section below.

This chart requires a PodSecurityPolicy to be bound to the target namespace prior to installation. Choose either a predefined PodSecurityPolicy or have your cluster administrator create a custom PodSecurityPolicy for you.

The predefined PodSecurityPolicy named ibm-restricted-psp has been verified for this chart, if your target namespace is bound to this PodSecurityPolicy you can proceed to install the chart.

This chart also defines a custom PodSecurityPolicy which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom PodSecurityPolicy using the Cluster Console user interface or the supplied instructions/scripts in the pak_extension pre-install directory.

SecurityContextConstraints Requirements

If running in a Red Hat OpenShift cluster, this chart requires a SecurityContextConstraints to be bound to the target namespace prior to installation. To meet this requirement there may be cluster scoped as well as namespace scoped pre and post actions that need to occur.

The predefined SecurityContextConstraints name: ibm-restricted-scc has been verified for this chart, if your target namespace is bound to this SecurityContextConstraints resource you can proceed to install the chart.

This chart defines a custom SecurityContextConstraints which can be used to finely control the permissions/capabilities needed to deploy this chart. You can enable this custom SecurityContextConstraints resource using the supplied instructions or scripts in the pak_extensions/pre-install directory.

Resources Required

Installing the Chart

Add the Entitled Registry helm chart repository to the local client.

Get a copy of the values.yaml file from the helm chart so you can update it with values used by the install.

Edit the file myvalues.yaml to specify the parameter values to use when installing the UrbanCode Deploy agent instance. The configuration section lists the parameter values that can be set.

To install the chart into namespace 'ucdtest' with the release name my-ucda-release and use the values from myvalues.yaml:

Tip: List all releases using helm list .

Verifying the Chart

Check the Resources->Agents page of the UrbanCode Deploy server UI to verify the agent has connected successfully.

Uninstalling the Chart

To uninstall/delete the my-ucda-release deployment:

$ helm delete my-ucda-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


Helm chart configuration parameters for agent


See the Prerequisites section of this page for storage information.

Parent topic: Installing agents