This Helm chart deploys infrastructure components, platform services, and key resource APIs for the LFX platform.
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure (if persistence is enabled)
Some subcharts require Kubernetes secrets to exist in the namespace before installing the chart. These secrets are only needed if the corresponding subchart is enabled.
To check whether a subchart is enabled, look for its `enabled` field in
`charts/lfx-platform/values.yaml`:

```bash
grep -A1 "lfx-v2-voting-service:" charts/lfx-platform/values.yaml
#   enabled: false  ← skip secret creation if false
```

Secret values are stored in the LFX V2 vault in 1Password under the note LFX Platform Chart Values Secrets - Local Development.

Requires an Auth0 client ID and RSA private key.

```bash
kubectl create secret generic lfx-v2-voting-service -n lfx \
  --from-literal=ITX_CLIENT_ID="<from-1password>" \
  --from-file=ITX_CLIENT_PRIVATE_KEY=/path/to/private.key
```

Requires an Auth0 client ID and RSA private key.

```bash
kubectl create secret generic lfx-v2-survey-service -n lfx \
  --from-literal=ITX_CLIENT_ID="<from-1password>" \
  --from-file=ITX_CLIENT_PRIVATE_KEY=/path/to/private.key
```

Requires an Auth0 client ID and RSA private key.

```bash
kubectl create secret generic meeting-secrets -n lfx \
  --from-literal=auth0_client_id="<from-1password>" \
  --from-file=auth0_client_private_key=/path/to/private.key
```

Requires Groups.io credentials and a webhook secret.

```bash
kubectl create secret generic lfx-v2-mailing-list-service -n lfx \
  --from-literal=GROUPSIO_EMAIL="<from-1password>" \
  --from-literal=GROUPSIO_PASSWORD="<from-1password>" \
  --from-literal=GROUPSIO_WEBHOOK_SECRET="<from-1password>"
```

First, create the namespace (recommended):

```bash
kubectl create namespace lfx
```

```bash
# Install the latest version of the chart.
helm install -n lfx lfx-platform \
  oci://ghcr.io/linuxfoundation/lfx-v2-helm/chart/lfx-platform
```

For reproducible installs or when debugging a specific release, pin the version
with `--version`:

```bash
helm install -n lfx lfx-platform \
  oci://ghcr.io/linuxfoundation/lfx-v2-helm/chart/lfx-platform \
  --version <version>
```

Clone the repository before running the following commands from the root of the working directory.

```bash
# Pull down chart dependencies.
helm dependency update charts/lfx-platform

# Install the chart.
helm install -n lfx lfx-platform \
  ./charts/lfx-platform
```

The default `values.yaml` is configured for local development. To override
specific values for your own environment without committing them, copy the
bundled example file:

```bash
cp charts/lfx-platform/values.local.example.yaml charts/lfx-platform/values.local.yaml
```

`values.local.yaml` is gitignored, so you can freely modify it. Pass it when
installing from OCI or from source:

```bash
# From OCI registry
helm install -n lfx lfx-platform \
  oci://ghcr.io/linuxfoundation/lfx-v2-helm/chart/lfx-platform \
  --values charts/lfx-platform/values.local.yaml

# From source
helm install -n lfx lfx-platform ./charts/lfx-platform \
  --values charts/lfx-platform/values.local.yaml
```

Later `--values` files take precedence over earlier ones, so you can also layer
additional overrides on top:

```bash
helm install -n lfx lfx-platform \
  oci://ghcr.io/linuxfoundation/lfx-v2-helm/chart/lfx-platform \
  --values charts/lfx-platform/values.local.yaml \
  --values my-overrides.yaml
```

Refer to the Configuration section and the inline comments
in values.yaml for all available parameters.
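
A pre-flight check covering the prerequisite secrets and the layered `--values` files described above, added here as an example and not part of the chart or its repository. It assumes `meeting-secrets` belongs to the `lfx-v2-meeting-service` subchart; the function names are illustrative, and a subchart that no values file sets is treated as enabled.

```shell
# Rows: "subchart secret key,key,..." from the kubectl commands in this README.
# Assumption: meeting-secrets belongs to the lfx-v2-meeting-service subchart.
REQUIRED_SECRETS='lfx-v2-voting-service lfx-v2-voting-service ITX_CLIENT_ID,ITX_CLIENT_PRIVATE_KEY
lfx-v2-survey-service lfx-v2-survey-service ITX_CLIENT_ID,ITX_CLIENT_PRIVATE_KEY
lfx-v2-meeting-service meeting-secrets auth0_client_id,auth0_client_private_key
lfx-v2-mailing-list-service lfx-v2-mailing-list-service GROUPSIO_EMAIL,GROUPSIO_PASSWORD,GROUPSIO_WEBHOOK_SECRET'
# enabled_in FILE KEY: print the value of KEY's direct "enabled:" child, if set.
enabled_in() {
  awk -v key="$2" '
    /^[^ \t#]/ { in_block = ($1 == (key ":")); indent = -1; next }
    in_block && /^[ \t]+[^ \t#]/ {
      match($0, /^[ \t]+/); if (indent < 0) indent = RLENGTH
      if (RLENGTH == indent && $1 == "enabled:") v = $2
    }
    END { if (v != "") print v }' "$1"
}

# subchart_enabled KEY FILE...: later files win; unset everywhere means enabled.
subchart_enabled() {
  key="$1"; shift; state=true
  for f in "$@"; do
    v="$(enabled_in "$f" "$key")"; [ -z "$v" ] || state="$v"
  done
  [ "$state" = "true" ]
}

# secret_keys NS SECRET: print the key names of a secret, not its values.
secret_keys() {
  kubectl get secret "$2" -n "$1" \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}' </dev/null 2>/dev/null
}

# preflight NS FILE...: report what enabled subcharts lack; non-zero if any.
preflight() {
  ns="$1"; shift; rc=0
  while read -r chart secret keys; do
    subchart_enabled "$chart" "$@" || continue
    have="$(secret_keys "$ns" "$secret")" ||
      { echo "MISSING secret $secret (needed by $chart)"; rc=1; continue; }
    for k in $(printf '%s' "$keys" | tr ',' ' '); do
      printf '%s\n' "$have" | grep -qxF -- "$k" ||
        { echo "MISSING key $k in secret $secret"; rc=1; }
    done
  done <<EOF
$REQUIRED_SECRETS
EOF
  return "$rc"
}
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Saved under a name of your choice (here `preflight.sh`), run it before `helm install` with the namespace followed by the values files in the order you will pass them: `sh preflight.sh lfx charts/lfx-platform/values.yaml charts/lfx-platform/values.local.yaml`.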

To uninstall/delete the lfx-platform deployment:

```bash
helm uninstall lfx-platform -n lfx

# Optional: delete the namespace to delete any persistent resources.
kubectl delete namespace lfx
```

You can override any value in your `values.local.yaml` or by using `--set`
when installing the chart. The canonical reference for all available parameters
is the inline comments in `values.yaml`.

| Parameter | Description | Default |
|---|---|---|
| `lfx.domain` | Domain for services | `k8s.orb.local` |
| `lfx.image.registry` | Global Docker image registry | `linuxfoundation` |
| `lfx.image.pullPolicy` | Global Docker image pull policy | `IfNotPresent` |

Each subchart can be enabled or disabled via its enabled key. Refer to the
linked documentation for the full set of configuration options.

| Subchart | Key | Enabled by default | Documentation |
|---|---|---|---|
| Traefik | `traefik` | `true` | Traefik Helm Chart |
| OpenFGA | `openfga` | `true` | OpenFGA Helm Chart · Local docs |
| Heimdall | `heimdall` | `true` | Heimdall Helm Chart |
| NATS | `nats` | `true` | NATS Helm Chart |
| NACK | `nack` | `true` | NACK documentation |
| OpenSearch | `opensearch` | `true` | OpenSearch Helm Chart |
| Authelia | `authelia` | `true` | Authelia documentation |
| Mailpit | `mailpit` | `true` | Mailpit documentation |
| External Secrets Operator | `external-secrets` | `true` | External Secrets Helm Chart |
| cert-manager | `cert-manager` | `false` | cert-manager Helm Chart |
| fga-operator | `fga-operator` | `true` | — |

| Subchart | Key | Enabled by default | Chart |
|---|---|---|---|
| lfx-v2-auth-service | `lfx-v2-auth-service` | `true` | lfx-v2-auth-service Helm Chart |
| lfx-v2-fga-sync | `lfx-v2-fga-sync` | `true` | lfx-v2-fga-sync Helm Chart |
| lfx-v2-access-check | `lfx-v2-access-check` | `true` | lfx-v2-access-check Helm Chart |
| lfx-v2-indexer-service | `lfx-v2-indexer-service` | `true` | lfx-v2-indexer-service Helm Chart |
| lfx-v2-query-service | `lfx-v2-query-service` | `true` | lfx-v2-query-service Helm Chart |
| lfx-v2-project-service | `lfx-v2-project-service` | `true` | lfx-v2-project-service Helm Chart |
| lfx-v2-committee-service | `lfx-v2-committee-service` | `true` | lfx-v2-committee-service Helm Chart |
| lfx-v2-voting-service | `lfx-v2-voting-service` | `true` | lfx-v2-voting-service Helm Chart |
| lfx-v2-survey-service | `lfx-v2-survey-service` | `true` | lfx-v2-survey-service Helm Chart |
| lfx-v2-meeting-service | `lfx-v2-meeting-service` | `true` | lfx-v2-meeting-service Helm Chart |
| lfx-v2-mailing-list-service | `lfx-v2-mailing-list-service` | `true` | lfx-v2-mailing-list-service Helm Chart |

When working on a specific service, you can disable its subchart here and deploy it directly from the service repository instead. This lets you iterate on local code changes without affecting the rest of the platform.
For example, to develop lfx-v2-query-service locally:
Disable it in your `values.local.yaml`:

```yaml
lfx-v2-query-service:
  enabled: false
```

Follow the local development instructions in the service repository to build and deploy it against the running platform.

To use an external PostgreSQL database with OpenFGA:

- Create a secret with the PostgreSQL connection string:

  ```bash
  kubectl create secret generic openfga-postgresql-client \
    --from-literal="uri=postgres://username:password@postgres-host:5432/dbname?sslmode=disable" \
    -n lfx
  ```

- Configure OpenFGA in your values file:

  ```yaml
  openfga:
    postgres:
      enabled: false
    datastore:
      existingSecret: openfga-postgresql-client
  ```

Jaeger provides distributed tracing capabilities for the LFX platform.
It should be installed in a separate observability namespace.

Add the Jaeger Helm repository:

```bash
helm repo add jaegertracing https://jaegertracing.github.io/helm-charts
helm repo update
```

Install Jaeger using the all-in-one chart (suitable for development/testing):

```bash
helm install jaeger jaegertracing/jaeger \
  -n observability \
  --create-namespace \
  --set allInOne.enabled=true \
  --set agent.enabled=false \
  --set collector.enabled=false \
  --set query.enabled=false \
  --set storage.type=memory \
  --set provisionDataStore.cassandra=false
```

Either update `charts/lfx-platform/values.yaml` directly or create a new
`tracing-values.yaml` file with the following values to enable traces to
be sent to Jaeger.

```yaml
traefik:
  tracing:
    otlp:
      enabled: true
```

```yaml
openfga:
  telemetry:
    trace:
      enabled: true
```

```yaml
heimdall:
  env:
    HEIMDALLCFG_TRACING_ENABLED: "true"
```

Then upgrade the Helm deployment.

```bash
helm upgrade -n lfx lfx-platform charts/lfx-platform
```

If using a values file, pass it to the command:

```bash
helm upgrade -n lfx -f tracing-values.yaml lfx-platform charts/lfx-platform
```

To access the Jaeger UI locally:

```bash
kubectl port-forward -n observability svc/jaeger-query 16686:16686
```

Then open http://localhost:16686 in your browser.