Helm charts for deploying Galasa components to Kubernetes, including the complete Galasa Ecosystem.
- Helm 3 or 4 installed
- Access to a Kubernetes cluster (v1.30.3 or later recommended)
kubectlconfigured to access your cluster
-
Add the Galasa Helm repository:
helm repo add galasa https://galasa-dev.github.io/helm helm repo update
-
Download and configure values:
curl -O https://raw.githubusercontent.com/galasa-dev/helm/main/charts/ecosystem/values.yaml
Edit
values.yamland set:galasaVersion: Your desired Galasa version (see releases)externalHostname: The hostname for accessing your ecosystem (e.g.,galasa.example.com)
-
Configure network access:
Choose either Ingress (default) or Gateway API. For Ingress, update:
ingress: enabled: true ingressClassName: nginx # Change to your IngressClass
For Gateway API or HTTPS setup, see Network Access.
-
Configure authentication (Dex):
Update the
dexsection invalues.yaml:dex: config: issuer: https://galasa.example.com/dex # Use your hostname connectors: - type: github # Or another supported connector id: github name: GitHub config: clientID: $GITHUB_CLIENT_ID clientSecret: $GITHUB_CLIENT_SECRET redirectURI: https://galasa.example.com/dex/callback
See Configuring Authentication for detailed setup.
-
Install the ecosystem:
helm install my-galasa galasa/ecosystem -f values.yaml --wait
-
Verify the installation:
helm test my-galasa
Your Galasa Ecosystem is now accessible at https://galasa.example.com/api/bootstrap
- Galasa Helm Charts
If RBAC is enabled on your cluster, configure user permissions:
For chart versions after 0.23.0: RBAC is configured automatically during installation.
For chart version 0.23.0 and earlier: Apply RBAC manually:
kubectl apply -f https://raw.githubusercontent.com/galasa-dev/helm/ecosystem-0.23.0/charts/ecosystem/rbac.yamlAdmin access: Update rbac-admin.yaml to grant users the galasa-admin role for managing the Helm chart. Replace the placeholder username with actual usernames or add multiple subjects as needed.
Choose one method to expose your Galasa services:
Most common for production deployments. Configure in values.yaml:
ingress:
enabled: true
ingressClassName: nginx # Change to your IngressClass
# For HTTPS, add:
tls:
- hosts:
- galasa.example.com
secretName: galasa-tls-secretSee Kubernetes Ingress documentation for TLS setup.
Prerequisites:
- Gateway Controller installed
- Gateway API CRDs installed
For clusters with Gateway API support:
gateway:
enabled: true
gatewayClassName: my-gateway-class
# For HTTPS, add:
tls:
certificateRefs:
- kind: Secret
group: ""
name: my-certificate-secretGalasa uses Dex for authentication. Configure a connector to your identity provider:
-
Create a GitHub OAuth App:
- Go to GitHub OAuth Apps
- Set Homepage URL to your external hostname (e.g.,
https://galasa.example.com) - Set Callback URL to
https://galasa.example.com/dex/callback - Generate a client secret and save both the client ID and secret
-
Configure Dex in values.yaml:
dex: config: issuer: https://galasa.example.com/dex connectors: - type: github id: github name: GitHub config: clientID: $GITHUB_CLIENT_ID clientSecret: $GITHUB_CLIENT_SECRET redirectURI: https://galasa.example.com/dex/callback # Optional: Restrict to organization/team orgs: - name: my-org teams: - my-team
-
Store credentials securely (recommended):
kubectl create secret generic github-oauth-credentials \ --from-literal=GITHUB_CLIENT_ID="your-client-id" \ --from-literal=GITHUB_CLIENT_SECRET="your-client-secret"
Then reference the secret in
values.yaml:dex: envFrom: - secretRef: name: github-oauth-credentials
Dex supports many connectors including Microsoft, LDAP, OIDC, and more. See the Dex connectors documentation for configuration examples.
If your cluster requires a specific StorageClass:
storageClass: my-storage-classTo publish Galasa events to Kafka:
-
Create a secret with your Kafka token:
apiVersion: v1 kind: Secret metadata: name: event-streams-token data: GALASA_EVENT_STREAMS_TOKEN: <base64-encoded-token>
-
Apply the secret before installing the chart
See Kafka extension documentation for details.
Customize log format by setting log4j2Properties in values.yaml:
log4j2Properties: |
status = error
name = Default
appender.console.type = Console
appender.console.name = stdout
appender.console.layout.type = PatternLayout
appender.console.layout.pattern = %d{dd/MM/yyyy HH:mm:ss.SSS} %-5p %c{1.} - %m%n
rootLogger.level = debug
rootLogger.appenderRef.stdout.ref = stdoutFor JSON templates, create a ConfigMap and reference it:
log4jJsonTemplatesConfigMapName: my-json-layoutsFor connecting to servers with internal or corporate certificates:
-
Create a ConfigMap with your certificates:
kubectl create configmap my-certificates \ --from-file=/path/to/certificate1.pem \ --from-file=/path/to/certificate2.pem
-
Reference it in
values.yaml:certificatesConfigMapName: my-certificates
Follow the Quick Start guide above, ensuring you've configured:
- Network access (Ingress or Gateway API)
- Authentication (Dex)
- Any optional features you need
- Minikube installed and running
- Verify with:
minikube status
-
Enable Ingress:
minikube addons enable ingress -
Configure /etc/hosts:
# Add this line (replace IP with output of 'minikube ip') 192.168.49.2 galasa.local -
Configure values.yaml:
- Set
externalHostname: galasa.local - Configure Dex and Ingress as described above
- Set
-
Install:
helm install my-galasa ./charts/ecosystem -f values.yaml --wait
-
Verify:
kubectl get pods # Wait for all pods to be Ready helm test my-galasa
-
Enable Ingress:
minikube addons enable ingress -
Configure /etc/hosts:
# Add this line 127.0.0.1 galasa.local -
Configure CoreDNS for internal resolution:
a. Get Minikube IP:
minikube ip # Note this IP (e.g., 192.168.49.2)b. Edit CoreDNS ConfigMap:
kubectl -n kube-system edit configmap coredns
c. Add this entry (replace IP with your Minikube IP):
galasa.local:53 { hosts { 192.168.49.2 galasa.local fallthrough } }
d. Restart CoreDNS:
kubectl -n kube-system rollout restart deployment coredns
-
Configure values.yaml:
- Set
externalHostname: galasa.local - Configure Dex and Ingress as described above
- Set
-
Install:
helm install my-galasa ./charts/ecosystem -f values.yaml --wait
-
Start tunnel (keep running):
minikube tunnel
-
Verify (in another terminal):
kubectl get pods # Wait for all pods to be Ready helm test my-galasa
After installation, verify your ecosystem is working:
helm test <release-name>Expected output:
TEST SUITE: my-galasa-validate
Last Started: Mon Mar 3 11:44:24 2025
Last Completed: Mon Mar 3 11:45:45 2025
Phase: Succeeded
Access your ecosystem:
- Bootstrap URL:
https://<your-hostname>/api/bootstrap - Web UI:
https://<your-hostname>
Monitor pods:
kubectl get podsAll pods should show Running status and 1/1 ready.
To upgrade to a newer Galasa version:
helm repo update
helm upgrade <release-name> galasa/ecosystem \
--reuse-values \
--set galasaVersion=0.38.0 \
--waitOr update your values.yaml and run:
helm upgrade <release-name> galasa/ecosystem -f values.yaml --waithelm uninstall <release-name>This removes all Kubernetes resources created by the chart.
Galasa encrypts credentials using AES-256-GCM. To rotate encryption keys:
kubectl(v1.30.3+)galasactl(0.38.0+)openssl(3.3.2+)- Permissions to manage Secrets in your namespace
- Valid personal access token for Galasa
galasactl secrets get --format yaml > backup.yamlUse the provided script:
./rotate-encryption-keys.sh \
--release-name my-galasa \
--namespace default \
--bootstrap https://galasa.example.com/api/bootstrapThe script will:
- Generate a new encryption key
- Update the Kubernetes Secret
- Restart API and engine controller pods
- Re-encrypt all existing credentials
- Clean up fallback keys
Click to expand manual steps
-
Backup existing secrets:
galasactl secrets get --format yaml > backup.yaml -
Find the encryption secret:
kubectl get secrets # Look for: <release-name>-encryption-secret -
Get current encryption keys:
kubectl get secret <encryption-secret-name> \ --output jsonpath='{ .data.encryption-keys\.yaml }' | \ openssl base64 -d -A > current-keys.yaml
-
Generate new key:
openssl rand -base64 32
-
Update keys file: Edit
current-keys.yamlto move the old key to fallback and add the new key:encryptionKey: <new-key-from-step-4> fallbackDecryptionKeys: - <old-key-from-step-3>
-
Encode and update secret:
NEW_KEYS=$(openssl base64 -in current-keys.yaml | tr -d '\n') kubectl patch secret <encryption-secret-name> \ --type='json' \ -p="[{'op': 'replace', 'path': '/data/encryption-keys.yaml', 'value': '$NEW_KEYS'}]"
-
Restart services:
kubectl rollout restart deployment <release-name>-api kubectl rollout status deployment <release-name>-api kubectl rollout restart deployment <release-name>-engine-controller kubectl rollout status deployment <release-name>-engine-controller
-
Re-encrypt credentials:
galasactl resources apply -f backup.yaml
-
Verify:
galasactl secrets get --format yaml # Compare with backup.yaml to ensure secrets are readable
To install the latest development version:
-
Clone this repository:
git clone https://github.com/galasa-dev/helm.git cd helm -
Configure values.yaml for development:
galasaVersion: main galasaRegistry: ghcr.io/galasa-dev galasaBootImage: galasa-boot-embedded pullPolicy: Always galasaWebUiImage: webui architecture: amd64 # or arm64 externalHostname: galasa.local # For Minikube
-
Configure Ingress and Dex as described in the Configuration Guide
-
Install from local chart:
helm install my-galasa ./charts/ecosystem -f values.yaml --wait
- Documentation: galasa.dev
- Issues: GitHub Issues
- Releases: Galasa Releases