esthesis CORE - Documentation Help

Kubernetes

Esthesis CORE can be deployed on Kubernetes using the publicly available Helm charts. The Helm charts are available on the [TBC].

Esthesis CORE comes with a variety of different Helm charts. Some of the provided Helm charts pertain to mandatory components, while others are optional. During the installation you can choose which components you want to install by enabling the relevant configuration options. You can also choose to use already existing resources, such as a database or a message broker, instead of the ones provided in the Helm charts.

Please note that the Helm charts come with reasonable defaults; we strongly advise you to review them so you can customize them to your needs.

Requirements

  • A Kubernetes cluster with a minimum of 3 nodes and support for Load Balancer service types as well as Ingress support (you can, optionally, install an nginx ingress controller using this chart).

  • Helm

Configuration parameters

The following parameters can be defined in values.yaml during installation:

General

timezone

The container's timezone to set (note, some containers do not respect this setting).
Default: Europe/Athens

esthesisLogLevel

The log level to be used for the esthesis components (i.e. does not affect third-party components installed by the Helm chart).
Default: WARN

imagePullSecret

The name of the Kubernetes Secret to use when pulling container images.

ingressClassName

The name of the ingress class to use for ingress rules.

Accounts

esthesisAdminUsername

The username of the Esthesis administrator.
Default: esthesis-admin

esthesisAdminPassword

The password for the Esthesis administrator.
Default: esthesis-admin

esthesisSystemUsername

The system-level user for Esthesis services and third-party components.
Default: esthesis-system

esthesisSystemPassword

The password for the system-level user.
Default: esthesis-system

esthesisKubernetesServiceCreateRBAC

Whether to create Kubernetes RBAC resources automatically.
Default: true

Keycloak

keycloak.enabled

Whether to deploy Keycloak.
Default: true

keycloak.ingress.hostname

The external hostname for Keycloak.

keycloak.certManager.clusterIssuer

Cluster-wide Cert Manager issuer name. Mutually exclusive with keycloak.certManager.issuer.

keycloak.certManager.issuer

Namespace-scoped Cert Manager issuer name. Mutually exclusive with keycloak.certManager.clusterIssuer.

MongoDB

mongodb.enabled

Whether to deploy MongoDB.
Default: true

mongodb.urlCluster

Internal MongoDB connection URL for Esthesis components.
Default: mongodb://mongodb:27017

mongodb.database

Name of the MongoDB database.
Default: esthesiscore

mongodb.username

MongoDB user (usually inherits from esthesisSystemUsername).

mongodb.password

MongoDB password (usually inherits from esthesisSystemPassword).

NGINX Ingress

ingressNginx.enabled

Whether to install the nginx ingress controller.
Default: false

ingressNginx.sslCertArn

ARN of the wildcard certificate to use.

User Interface

esthesisHostname

External hostname for Esthesis UI.

esthesisUi.logoutUrl

Path to redirect users to after logout.
Default: /logout

esthesisUi.certManager.clusterIssuer

Cert Manager cluster-wide issuer for UI TLS.

esthesisUi.certManager.issuer

Cert Manager namespace-scoped issuer for UI TLS.

Redis

redis.enabled

Whether to deploy Redis.
Default: true

redis.hosts

List of Redis endpoints.
Default: redis-master:6379/0

Mosquitto

mosquitto.enabled

Whether to deploy Mosquitto.
Default: true

mosquitto.mutualTls

Enable mutual TLS for Mosquitto.
Default: false

mosquitto.superuser

Super-user account (should match certificate CN when TLS is enabled).
Default: esthesis

mosquitto.caCert

Base64-encoded CA certificate.

mosquitto.serverCert

Base64-encoded Mosquitto server certificate.

mosquitto.serverKey

Base64-encoded Mosquitto private key.

mosquitto.serviceType

Kubernetes service type to expose Mosquitto.
Default: ClusterIP

InfluxDB

influxdb.enabled

Whether to deploy InfluxDB.
Default: true

influxdb.size

Persistent volume size for InfluxDB.
Default: 32Gi

Kafka

kafka.enabled

Whether to deploy Kafka.
Default: true

kafka.bootstrapServers

List of Kafka bootstrap servers.
Default: kafka:9092

Camunda

camunda.enabled

Whether to deploy Camunda.
Default: true

camunda.gatewayUrlCluster

Internal gateway URL for Camunda Zeebe.
Default: camunda-zeebe-gateway:26500

Installation

esthesis CORE comes in two Helm charts, one installing all the required dependencies and another one installing the application components. You can enable/disable which specific dependencies you want to install by setting the corresponding charts_enabled.<service> parameter to true or false. Do note that although the provided dependencies are adequate to have esthesis CORE up and running, you might want to tune their properties or replace them altogether with your own resources to support your specific production use case.

Environment variables

The following list is a starting point for the variables to set in values.yaml for both Helm charts before you proceed with the installation; amend them to match your own environment:

Esthesis-core values.yaml:

esthesisHostname: esthesis.domain.com
timezone: "Europe/Athens"
esthesisAdminUsername: "esthesis-admin"
esthesisAdminPassword: "esthesis-admin"
esthesisSystemUsername: "esthesis-system"
esthesisSystemPassword: "esthesis-system"
esthesisReportedOidcAuthority: "http://keycloak.<enter_your_namespace_here>.svc.cluster.local/realms/esthesis"
esthesisReportedOidcPostLogoutUrl: "http://esthesis-core.<enter_your_namespace_here>.svc.cluster.local/logout"
oidcAuthServerUrl: "http://keycloak.<enter_your_namespace_here>.svc.cluster.local/realms/esthesis"
oidcClientAuthServerUrl: "http://keycloak.<enter_your_namespace_here>.svc.cluster.local/realms/esthesis"
redisHosts: "redis://redis-headless.<enter_your_namespace_here>.svc.cluster.local:6379"
camundaGatewayUrlCluster: "zeebe-gateway.<enter_your_namespace_here>.svc.cluster.local:26500"
kafkaBootstrapServers: "kafka.<enter_your_namespace_here>.svc.cluster.local:9092"
mongoDbUrlCluster: "mongodb://mongodb-0.mongodb-headless.<enter_your_namespace_here>.svc.cluster.local:27017,mongodb-1.mongodb-headless.<enter_your_namespace_here>.svc.cluster.local:27017"

Esthesis-core-deps values.yaml:

timezone: "Europe/Athens"
esthesisAdminUsername: "esthesis-admin"
esthesisAdminPassword: "esthesis-admin"
esthesisSystemUsername: "esthesis-system"
esthesisSystemPassword: "esthesis-system"
keycloak.ingress.hostname: "keycloak.esthesis.domain.com"
mosquittoServiceType: "LoadBalancer"

Supporting infrastructure

  • Add the Esthesis Helm repository:

    helm repo add esthesis https://esthes.is/helm
    helm repo update

  • Install the supporting dependencies (e.g. Keycloak, MongoDB, Redis, etc.):

    helm install esthesis-core-deps esthesis/esthesis-core-deps \
      --namespace <your-namespace> \
      --create-namespace \
      -f values-deps.yaml

    Replace values-deps.yaml with your customized values file if needed.

Application

  • Install the main Esthesis CORE application components:

    helm install esthesis-core esthesis/esthesis-core \
      --namespace <your-namespace> \
      -f values.yaml

    Again, replace values.yaml with your specific Helm values file.

Notes

  1. You need to access the UI via HTTPS; accessing it via HTTP will not work.

  2. The UI is exposed under the domain you specified in the environmental variable esthesisHostname.

  3. If you are using a self-signed certificate which is not imported into your local system, you need to visit the Keycloak URL first and accept the certificate before trying to log in to the application. Otherwise, the login will fail.

  4. esthesis-core-srv-kubernetes needs to be able to list all namespaces as well as schedule pods via deployments, configure HPA, etc. A Service Account esthesis-core-srv-kubernetes is automatically created and configured with the necessary permissions. If you do not have the necessary permissions to properly configure this Service Account during the installation of the Helm chart, you can disable the automatic creation of the Service Account by setting the esthesisKubernetesServiceCreateRBAC variable of the esthesis-core Helm chart to false and creating the Service Account manually. The resources that need to be manually created can be found in esthesis-core-srv-kubernetes and need to be available and properly configured before the installation of the Helm chart.

Cert Manager integration

If you have Cert Manager installed in your cluster, you can use it to automatically generate and renew certificates for esthesis UI and Keycloak. To do so, you need to set the following environmental variables:

esthesisUiCertManagerClusterIssuer: "letsencrypt-prod"

If you are using namespace scoped issuers, you can alternatively specify:

esthesisUiCertManagerIssuer: "letsencrypt-prod"

Make sure you specify only one of the two variants, otherwise the installation will fail. Do not forget to change letsencrypt-prod to the value of your own issuer.
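
The following pre-flight check is an added example, not part of the esthesis charts or documentation. It applies the advice above to review the defaults and the rule that only one issuer variant may be set: it fails when a values file leaves esthesisAdminPassword or esthesisSystemPassword unset or at the documented default, or sets both issuer keys. It assumes flat top-level "key: value" lines as in the samples on this page; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not part of the esthesis charts. Assumes a flat values file
# with top-level "key: value" lines, like the samples on this page.

# Print the unquoted value of top-level KEY in FILE (empty if absent).
value_of() {
  awk -v k="$2" 'index($0, k ":") == 1 {
    v = substr($0, length(k) + 2)
    sub(/[ \t]+#.*$/, "", v)            # drop trailing comment
    gsub(/^[ \t]+|[ \t]+$/, "", v)      # trim whitespace
    gsub(/^["\047]|["\047]$/, "", v)    # drop surrounding quotes
    print v; exit
  }' "$1"
}

# Print one finding per line; return 1 if there is any finding.
lint_values() {
  local f="$1" rc=0 key default val
  # An absent key falls back to the chart default, so it is flagged as well.
  while read -r key default; do
    val="$(value_of "$f" "$key")"
    if [ -z "$val" ] || [ "$val" = "$default" ]; then
      echo "$key: unset or still the documented default"; rc=1
    fi
  done <<'EOF'
esthesisAdminPassword esthesis-admin
esthesisSystemPassword esthesis-system
EOF
  # The two Cert Manager issuer variants are mutually exclusive.
  if [ -n "$(value_of "$f" esthesisUiCertManagerClusterIssuer)" ] &&
     [ -n "$(value_of "$f" esthesisUiCertManagerIssuer)" ]; then
    echo "both esthesisUiCertManagerClusterIssuer and esthesisUiCertManagerIssuer are set"; rc=1
  fi
  return "$rc"
}

# Constructed sample: the page's default passwords plus both issuer variants.
write_sample() {
  cat > "$1" <<'EOF'
esthesisHostname: esthesis.domain.com
esthesisAdminPassword: "esthesis-admin"
esthesisSystemPassword: "esthesis-system"   # copied from the docs
esthesisUiCertManagerClusterIssuer: "letsencrypt-prod"
esthesisUiCertManagerIssuer: "letsencrypt-prod"
EOF
}

# Gate an install: ./lint.sh values.yaml && helm install ...
if [ "$#" -gt 0 ]; then lint_values "$1"; fi
```

Run it against both values-deps.yaml and values.yaml, since each file carries the account passwords.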

Wildcard Certificate integration

If you have a wildcard certificate installed on your cluster as a secret for your domain, and you want the included ingress-nginx controller to use it, you will need to set the following environmental variables:

ingress-nginx.controller.service.externalIPs: "192.168.1.60"

Do not forget to change 192.168.1.60 to your external load balancer IP and wildcard-tls to the name of your secret.

Last modified: 06 May 2025