Mender blog

Official Helm chart for Mender 2.5

We are excited to announce the release of the official Helm chart for Mender 2.5.

Prerequisites

  • Kubernetes 1.12+
  • Helm 2.11+ or Helm 3.0-beta3+

This tutorial uses Helm 3. If you are using Helm 2, please adapt the helm install commands accordingly.

Installing the dependencies

Before installing Mender, we need to install its dependencies, unless they are already available outside of your Kubernetes cluster. Mender uses a MongoDB server as its primary storage engine, and S3 or, optionally, a MINIO server to store the artifacts.

MongoDB

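You can install MongoDB using the Bitnami Helm chart. The command below sets auth.enabled=false, so this MongoDB instance accepts unauthenticated connections: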

$ helm repo add bitnami https://charts.bitnami.com/bitnami
$ helm repo update
$ helm install mongodb --set "auth.enabled=false" bitnami/mongodb

MINIO

You can install MINIO using the official Helm chart:

$ helm repo add minio https://helm.min.io/
$ helm repo update
$ helm install minio minio/minio --version 6.0.5 --set "accessKey=myaccesskey,secretKey=mysecretkey"

Replace myaccesskey and mysecretkey with two randomly generated strings, and take note of them as you'll have to enter them in the values.yaml file we'll use when installing the Mender chart.

Verify the services

You can now verify the MongoDB and MINIO installations:

$ helm list
NAME    NAMESPACE   REVISION    UPDATED                                 STATUS      CHART           APP VERSION
minio   default     1           2020-09-28 15:50:47.184129 +0200 CEST   deployed    minio-6.0.5     master
mongodb default     1           2020-09-28 15:50:37.711659 +0200 CEST   deployed    mongodb-9.2.1   4.4.1

Please also verify that the two corresponding pods are up and running:

$ kubectl get pods
NAME                       READY   STATUS        RESTARTS   AGE
minio-5896b4f56f-26sgq     1/1     Running       0          76s
mongodb-688b7bdb9d-47dk6   1/1     Running       0          86s

Generating the HTTPS certificate and the private keys

Before installing Mender, we need to generate the certificate used by the API gateway to terminate the HTTPS traffic, as well as the private keys used by the device-auth, tenantadm (enterprise-only) and useradm services.

If you don't have a ready-to-use HTTPS certificate and Diffie-Hellman parameters, you can generate your dhparam.pem, certificate.crt and private.key for api-gateway using openssl:

$ openssl dhparam -out dhparam.pem 2048
$ openssl req -x509 -sha256 -nodes -days 3650 -newkey ec:<(openssl ecparam -name prime256v1) -keyout private.key -out certificate.crt -subj /CN="your.host.name"

You can generate the RSA private keys for device-auth, tenantadm (enterprise-only) and useradm using openssl:

$ for key in device-auth tenantadm useradm; do \
    openssl genpkey -algorithm RSA -out ${key}.key -pkeyopt rsa_keygen_bits:3072; \
    openssl rsa -in ${key}.key -out ${key}_converted.key; \
    mv ${key}_converted.key ${key}.key; \
  done
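
A pre-flight check for the files generated above, as an added example (it is not part of the Mender chart or its documentation). The function names are hypothetical, the file names are the ones used in the commands above (tenantadm.key is left out for brevity), and the default 3072-bit minimum mirrors the rsa_keygen_bits value.

```shell
#!/bin/sh
# Added example: sanity-check the generated key material before its contents
# are copied into values.yaml. Requires the openssl command-line tool.

# private_mode_ok FILE: succeed if group and others have no permission bits.
private_mode_ok() {
    [ "$(ls -ln "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# cert_matches_key CERT KEY: succeed if the certificate carries the public
# key that belongs to the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# rsa_bits KEY: print the modulus size of an RSA private key (empty on error).
rsa_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}

# check_mender_keys DIR [MIN_BITS]: print one line per finding and return
# non-zero if there is any.
check_mender_keys() {
    dir=$1; min_bits=${2:-3072}; rc=0
    cert_matches_key "$dir/certificate.crt" "$dir/private.key" ||
        { echo "certificate.crt does not match private.key"; rc=1; }
    openssl x509 -in "$dir/certificate.crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate.crt is expired or unreadable"; rc=1; }
    for f in private.key device-auth.key useradm.key; do
        private_mode_ok "$dir/$f" ||
            { echo "$f is missing or accessible to group/others"; rc=1; }
    done
    for f in device-auth.key useradm.key; do
        bits=$(rsa_bits "$dir/$f")
        [ "${bits:-0}" -ge "$min_bits" ] ||
            { echo "$f: RSA size ${bits:-unreadable}, expected >= $min_bits"; rc=1; }
    done
    return "$rc"
}
```

Source the file and run check_mender_keys . in the directory that holds the generated files; an empty output and a zero exit status mean every check passed.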

Installing the Chart

We are now ready to proceed with the installation of the Mender server.

The chart is available in our official Helm repository, which you can add by running the following commands:

$ helm repo add mender https://charts.mender.io
"mender" has been added to your repositories

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...
...Successfully got an update from the "mender" chart repository
...
Update Complete. ⎈ Happy Helming!⎈

To install the Enterprise version of the Mender server, create the values.yaml file containing the credentials to access our private Docker registry registry.mender.io, the X509 certificate and the private keys generated before.

Remember also to replace the values for MongoDB and S3 based on your setup.

global:
  image:
    username: <your_user>
    password: <your_password>
  mongodb:
    URL: mongodb://mongodb
  s3:
    AWS_URI: http://minio:9000
    AWS_BUCKET: mender-artifacts
    AWS_ACCESS_KEY_ID: myaccesskey
    AWS_SECRET_ACCESS_KEY: mysecretkey

api_gateway:
  certs:
    dhparam: |-
      LS0...
    cert: |-
      -----BEGIN CERTIFICATE-----
      MIIFcjCCBFq...
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN PRIVATE KEY-----
      MIIEvgIBADA...
      -----END PRIVATE KEY-----

device_auth:
  certs:
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIEvgIBADA...
      -----END RSA PRIVATE KEY-----

tenantadm:
  certs:
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIEvgIBADA...
      -----END RSA PRIVATE KEY-----

useradm:
  certs:
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIEvgIBADA...
      -----END RSA PRIVATE KEY-----

If you are installing the Open Source version of Mender, create the values.yaml file as follows:

global:
  enterprise: false
  multitenancy: false
  mongodb:
    URL: mongodb://mongodb
  s3:
    AWS_URI: http://minio:9000
    AWS_BUCKET: mender-artifacts
    AWS_ACCESS_KEY_ID: myaccesskey
    AWS_SECRET_ACCESS_KEY: mysecretkey

api_gateway:
  certs:
    dhparam: |-
      LS0...
    cert: |-
      -----BEGIN CERTIFICATE-----
      MIIFcjCCBFq...
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN PRIVATE KEY-----
      MIIEvgIBADA...
      -----END PRIVATE KEY-----

deployments:
  image:
    registry: docker.io
    repository: mendersoftware/deployments

device_auth:
  certs:
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIEvgIBADA...
      -----END RSA PRIVATE KEY-----

inventory:
  image:
    registry: docker.io
    repository: mendersoftware/inventory

useradm:
  image:
    registry: docker.io
    repository: mendersoftware/useradm
  certs:
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIEvgIBADA...
      -----END RSA PRIVATE KEY-----

workflows:
  image:
    registry: docker.io
    repository: mendersoftware/workflows

Please refer to the complete list of parameters for further customization and configuration.
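
Pasting multi-line PEM data into values.yaml by hand is where indentation and header/footer mistakes creep in. The script below, an added example that is not part of the Mender chart, writes the Open Source values.yaml from the files generated earlier; the function names are hypothetical, and base64-encoding dhparam.pem is an assumption based on the LS0... sample above.

```shell
#!/bin/sh
# Added example: build the Open Source values.yaml from the generated files,
# with PEM data emitted as correctly indented YAML block scalars.

# pem_field KEY FILE: emit "    KEY: |-" followed by FILE indented six spaces.
pem_field() {
    [ -r "$2" ] || { echo "missing file: $2" >&2; return 1; }
    printf '    %s: |-\n' "$1" && sed 's/^/      /' "$2"
}

# b64_field KEY FILE: emit FILE base64-encoded on a single line (assumed to
# be the form the chart expects for dhparam).
b64_field() {
    [ -r "$2" ] || { echo "missing file: $2" >&2; return 1; }
    printf '    %s: |-\n      %s\n' "$1" "$(base64 < "$2" | tr -d '\n')"
}

# image_section NAME: emit the docker.io image override shown on the page.
image_section() {
    printf '%s:\n  image:\n    registry: docker.io\n' "$1"
    printf '    repository: mendersoftware/%s\n' "$1"
}

# write_values DIR OUT ACCESS_KEY SECRET_KEY: write OUT only if every input
# file is present; runs in a subshell so umask and variables do not leak.
write_values() (
    dir=$1; out=$2; tmp="$2.tmp.$$"
    umask 077    # the file holds private keys and the S3 credentials
    {
        printf 'global:\n  enterprise: false\n  multitenancy: false\n' &&
        printf '  mongodb:\n    URL: mongodb://mongodb\n' &&
        printf '  s3:\n    AWS_URI: http://minio:9000\n' &&
        printf '    AWS_BUCKET: mender-artifacts\n' &&
        printf '    AWS_ACCESS_KEY_ID: "%s"\n' "$3" &&
        printf '    AWS_SECRET_ACCESS_KEY: "%s"\n' "$4" &&
        printf 'api_gateway:\n  certs:\n' &&
        b64_field dhparam "$dir/dhparam.pem" &&
        pem_field cert "$dir/certificate.crt" &&
        pem_field key "$dir/private.key" &&
        image_section deployments &&
        printf 'device_auth:\n  certs:\n' &&
        pem_field key "$dir/device-auth.key" &&
        image_section inventory &&
        image_section useradm &&
        printf '  certs:\n' &&
        pem_field key "$dir/useradm.key" &&
        image_section workflows
    } > "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; exit 1; }
)
```

Source the file and call write_values . values.yaml followed by the two MINIO credentials chosen earlier; the result is created with mode 0600.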

Proceed now with the installation of the Helm chart, running:

$ helm install mender mender/mender -f values.yaml
NAME: mender
LAST DEPLOYED: Mon Sep 28 16:10:36 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Mender v2.5.0 has been deployed!

Thank you for using Mender.
Release name: mender

Verify the Helm chart installation completed successfully:

$ helm list
NAME    NAMESPACE   REVISION    UPDATED                                 STATUS      CHART           APP VERSION
mender  default     1           2020-09-28 16:10:36.76924 +0200 CEST    deployed    mender-2.5.0    2.5.0
...

Please also verify the list of running pods:

$ kubectl get pods
NAME                                      READY   STATUS    RESTARTS   AGE
api-gateway-dc89c448d-6zhqq               1/1     Running   0          36s
create-artifact-worker-755dc87f68-b9xkh   1/1     Running   0          36s
deployments-754c5cbb98-w2n9l              1/1     Running   0          36s
device-auth-7857d5c4ff-v7tp2              1/1     Running   0          36s
gui-6c6858fb8f-qkqdt                      1/1     Running   0          36s
inventory-54fc8ccdb-mwdpn                 1/1     Running   0          36s
minio-5896b4f56f-26sgq                    1/1     Running   0          20m
mongodb-688b7bdb9d-47dk6                  1/1     Running   0          20m
useradm-5fb9d766f5-cp8ph                  1/1     Running   0          36s
workflows-server-7846bb9498-7ktqj         1/1     Running   0          36s
workflows-worker-5777b6cc7d-smhlw         1/1     Running   0          36s

Create a tenant and a user from the command line

Enterprise version

You can create a tenant from the command line of the tenantadm pod; the value printed is the newly generated tenant ID:

$ tenantadm create-org --name demo --username "admin@mender.io" --password "adminadmin" --plan enterprise
5dcd71624143b30050e63bed

You can create additional users from the command line of the useradm pod:

$ useradm create-user --username "demo@mender.io" --password "demodemo" --tenant-id "5dcd71624143b30050e63bed"
187b8101-4431-500f-88da-54709f51f2e6

Open Source version

If you are running the Open Source version of Mender, you don't have the tenantadm service running. You can create users directly in the useradm pod:

$ useradm create-user --username "demo@mender.io" --password "demodemo"
187b8101-4431-500f-88da-54709f51f2e6

Test the service through the GUI

You can access the Mender UI by port-forwarding the mender-api-gateway Kubernetes service as follows:

$ kubectl port-forward service/mender-api-gateway 443:443

Open your browser and point it to the Mender UI.
