JetBrains Space Help

Install Space in Kubernetes Cluster

This guide shows how to install Space On-Premises to a local Kubernetes cluster using Helm.

Installation requirements

Kubernetes

Version 1.21 or later

Helm

Version 3.6.0 or later

Cluster workers

The cluster has at least five workers.

  • OS: Linux

  • Platform: x86_64/amd64

  • Recommended min resources: 4 CPU cores and 8GB memory

Namespace

A dedicated Kubernetes namespace.

Ingress controller

An Ingress controller already exists in the cluster and watches for objects of a specific IngressClass.

Ingress TCP Proxy Mode

In addition to Server Name Indication (SNI), the Ingress controller also supports proxying of TCP traffic.

DNS

The domain names of the Space application, Packages, and VCS services already exist as well as the corresponding TLS certificates.

Storage

MinIO or another S3-compatible storage, Elasticsearch, PostgreSQL, and Redis already exist, the corresponding access credentials are already configured.

Supported versions:

  • MinIO RELEASE.2021-09-09T21-37-07Z – RELEASE.2022-03-05T06-32-39Z

  • Elasticsearch 7.11.1 – 8.2.3 (AWS OpenSearch is not supported)

  • PostgreSQL 12.2 – 14.3

  • Redis 4.0.2 – 7.0.2

User permissions

You have administrator permissions to the Kubernetes namespace.

Plan your installation

For the successful operation of Space On-Premises, we recommend that you think through some technical decisions in advance.

Storage organization

The storage organization is crucially important when it comes to the system scalability. Space On-Premises supports two ways to organize storage subsystems:

Shared

Space On-Premises components (the Space application, Packages, VCS) share the same storage subsystems (the event bus, the search database, the application database). This way is easier to implement, but over time, the performance of such a solution will decrease. Nevertheless, it may be a viable option for small organizations.

Distributed

Space On-Premises components use different storage subsystems. Depending on the load, storage can scale. Planning is essential for deploying a distributed storage:

  • When planning, be sure to consider future maintenance efforts.

  • Estimate the storage needs for every Space component at least three years in advance. The ObjectStorage available space should be sensible compared to the expected usage, keeping in mind that it is used for packages, repositories, images, files, etc.

  • The ObjectStorage ingress, if any, should have a permissive body size limit.

  • Persistent volumes should be autoscaling compatible.

Data backup and recovery

At the moment, Space On-Premises doesn't offer any built-in tools for data backup or recovery. We recommend that you follow the industry best practices for each Space storage subsystem.

Basic considerations:

  • PostgreSQL, MinIO/S3-compatible storage – user data that must be backed up.

  • Elasticsearch – index of PostgreSQL and MinIO/S3-compatible storage data. Although the database index can be rebuilt, it can take considerable time. We recommend backing up Elasticsearch content if you have a significant amount of data stored in PostgreSQL and/or MinIO/S3-compatible storage.

  • Redis – only temporary user data. No need to back up.

  • When planning the backup solution from the infrastructural point of view, take the need to store 1 petabyte of data as a starting assumption. This will help you find the best approach and evaluate the constraints of your existing procedures and tools.

  • PostgreSQL, MinIO/S3-compatible storage, and Elasticsearch are backed up separately. The data in the backups depend on each other. That's why, when restoring these data, it is important that the restored MinIO backup is made later than the PostgreSQL backup, and the Elasticsearch backup later than the MinIO backup.

Rotation of secrets

During the Space On-Premises installation, almost every user-provided input is treated as a secret: The Space configuration populates a corresponding Kubernetes secret object. During the deployment, Kubernetes injects this object to the most-appropriate Space application component.

If required, you can overwrite the internal secret object with user-managed secrets using the externalSecretName key. Make sure that each external secret contains all necessary keys and values. Otherwise, a particular Space application component will fail to start.

For the information on which keys are required for particular secrets, refer to the /space/templates/space/secrets directory in the Space On-Premises Helm chart.

For instance, to overwrite the S3-storage configuration for the Space application, create an external secret based on the s3.secret.yaml file (the values must be Base64-encoded):

apiVersion: v1 kind: Secret type: Opaque metadata: name: my-new-space-s3 namespace: kube-space labels: app.kubernetes.io/component: space data: SPACE_STORAGE_REGION: "ZXUtd2VzdC0xCg==" SPACE_STORAGE_BUCKET_NAME: "YnVja2V0LW5hbWU=" SPACE_STORAGE_BUCKET_CREATED: "dHJ1ZQ==" SPACE_STORAGE_URL: "aHR0cHM6Ly9zMy5hd3MuY29t" SPACE_STORAGE_ACCESS_KEY: "SUFJRUlVQUlkaGFranNkbmFrbGpzZG4=" SPACE_STORAGE_SECRET_KEY: "QVg8Pk5JTEpTT0lISlJPTEFLIlM6TCJMPkRtYW5rZWl3dWZyZGg="

Space Automation workers

Space Automation is a Space CI/CD server. The Space On-Premises version of Automation supports two types of workers (machines that run CI/CD jobs):

  • Self-hosted workers – machines hosted by Space users. In this case, users take full responsibility for configuring and registering such machines in their Space instance. Support for self-hosted workers comes out of the box – no additional configuration during the installation is required.

  • Kubernetes workers – This is a counterpart of Space cloud workers. In the case of Space On-Premises, the workers are created on-demand inside the Kubernetes cluster by Compute-service. By default, Compute-service is disabled. Therefore, if you want to use Kubernetes workers in your Space On-Premises instance, you must explicitly enable the service.

If you decide to go with Kubernetes workers, take the following considerations into account.

Compute-service pod resources

Compute-service creates worker pods for Automation containers in one of the three possible configurations:

  • regular: 2 vCPU, 7800 MB

  • large: 4 vCPU, 15600 MB

  • xLarge: 8 vCPU, 31200 MB

It makes sense to allocate resources for Compute-service in multiples of the configurations listed above. For example, if a job doesn't request any resources explicitly, Space will create a regular pod with 2 vCPU and 7800 MB. If a job requests 3 vCPU and 8000 MB, Space will create a large pod with 4 vCPU and 15600 MB. So, a node with 8 vCPU and 32 GB can run four regular, two large, and one xLarge jobs.

Autoscaling policy

As a cluster administrator, you are responsible for defining the auto-scaling policy for the nodes in that cluster. For this purpose, you can use any existing auto-scaler plugin for Kubernetes. The recommended approach is to auto-scale based on the resource usage (CPU/memory) when less than 20-30% of resources are left free. The auto-scaling policy affects how fast new Automation jobs will be started.

Privileged mode for worker containers

The work of Space Automation is arranged by a worker application that runs in a Kubernetes pod. The application starts Automation run environments in the pod and manages dynamic volumes with environment data. The run environments are also Docker containers, meaning that the worker application has to start these nested containers in the --privileged mode (the mode is required for Docker in Docker). The containers and user processes in these containers are isolated by the Kubernetes pod bounds. This might be a potential security issue if your company employs a zero-trust policy. In this case, you can use Sysbox for the isolation of worker containers (the --privileged mode will not be required).

K8s workers
CSI storage

Compute-service can operate Kubernetes volumes and snapshots via the Container Storage Interface (CSI). This can be any CSI-compatible storage provided by AWS, GCP, Azure, and so on. Though using the CSI is optional, it allows moving IOPS load from Kubernetes nodes to isolated volumes and changing disk space for workers on the flight. To get these features, you must set up the CSI driver in your target Kubernetes cluster before installing Space.

Mail server

Space uses a mail server to send notifications to users via email. Space On-Premises comes without a built-in mail server, but you can use any SMTP server of your choice. You can provide the SMTP server settings either during the installation (see space.mail in values.yaml) or later in the Space administration settings.

Install Space On-Premises in a local Kubernetes cluster

The instructions below use the following names (they will be different for your installation):

  • The Kubernetes namespace is kube-space.

  • The domain names of the Space application components are:

    • Space application: portal.space.local

    • Packages: packages.space.local

    • VCS: git.space.local

  1. Create and save the space.masterSecret key:

    openssl rand -base64 32

    Sample output:

    RMmPPfeJMOUkUpPHncPduaB/q/zae0D1/pzkyyqsBWg=

  2. Create and save the space.vcs.token and vcs.secrets.spaceAccessKey keys (both keys must have the same value):

    openssl rand -base64 32

    Sample output:

    T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=

  3. Create and save the space.packages.oauth.clientSecret and packages.oauth.clientSecret keys (both keys must have the same value):

    openssl rand -base64 32

    Sample output:

    7I3b50sJz6q0g1GUa4GHQDJQypxKPiWKJtdSQSA+u1s=

  4. Provide data for the local administrator account. The local administrator will be the first administrator account in your Space On-Premises instance. The most important account settings are space.localAdministrator.username and space.localAdministrator.password: You will need these credentials to log in to Space after the installation is finished.

    For the space.localAdministrator.password key, you can use your own password or generate a random one with:

    openssl rand -base64 8

    Sample output:

    waPL7YEhAxw=

    When logging in to Space, provide this value as is – although the output is a Base64-encoded value, you must not decode it back.

  5. Create a values.yaml file with deployment configuration. In the file, specify the generated key and certificate values from previous steps. For instance, in our example, the file will look like follows:

    space: ingress: hostname: "portal.space.local" enabled: true selfSigned: true tls: true masterSecret: "RMmPPfeJMOUkUpPHncPduaB/q/zae0D1/pzkyyqsBWg=" webHookSecret: "TNyTnI/cJB+RNfrtLJ+a1tB8J6IUOTLSL0qWatzbbhU=" localAdministrator: firstName: "Administrator" lastName: "Administrator" username: "admin" password: "waPL7YEhAxw=" email: "admin@space.local" oauth: messageEncodingKey: "P7fD4x3s5t4Gtor1dYgpjw==" encodingKey2fa: "iHKa0NUFgNYNhECbREGeLA==" encodingKey: "UesLKkayxPdzFhkcMazXZA==" messageSigningRsaPublic: "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+fhiHhMEXFb9GvG5B3lFSTSZ4Rk9nIHXogvk4Kb16H5GIBeil2T+maOF0FT6xMu+Qxc90iZ4CAmkUcTMUyda5J+W6lYdkEKwg9o5WERsHfxIr3e63DgasGBpDemgJwpUOhBjjFCaOcAN0ivP03grkKKdHXaT6vWqShGJKiaPaz56bDPtPR1XNnB8GfUtAAy0T6rx86h5NKUd3W1ms3i355BEhPji9TUbcXxspIWj5wQpkiPZ/QI3uIkpdizlaXNbZQHkxXL/J65QkNbSioVY0ggTna0TiTPEic2/QvV8LD6e066PP6fyN54F1JTKTdT6HlKF+5EG5NOXe6gTclgef0F4XtiSSngxqx/khi9vVLX6vtYYrQiIVn62XBEAm6pAQzNWt7IcFXQnF2lw3J7hlcwhJBFTDoiKoXGBkqOG/+TlwvXIRDMZp5SkEqOpYNYdsTZGUgf1Hc9/lKXeq9OSbTSLQtfWNHC25UO58X+w4ceuUIrRfnWK3qX5jTeENzM8MHo7dz1r815kDOUGnpyZqsC5UwXch9xUMAxRShtN998xw7kCYcNxckPDvMMjdKgPDU8oaMybW5+GVD5qakM0ZqrPr6uPjzoUYmm1zD9L08CAwEAAQ==" messageSigningRsaPrivate: "MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC35+GIeEwRcVv0a8bkHeUcCkOVxjIT2pA/ixlY2lQH9/u5dS0b+5d/QBoB9wXdJJ5uii4vb2s6YXPll885fO0VJNJnhGT2cgdeiC+TgpvXofkYgF6KXZP6Zo4XQVPrEy75DFz3SJngICaRRxMxTJ1rkn5bqVh2QQrCD2jlYRGwd/Eivd7rcOBqwYGkN6aAnClQ6EGOMUJo5wA3SK8/TeCuQop0ddpPq9apKEYkqJo9rPnpsM+09HVc2cHwZ9S0ADLRPqvHzqHk0pR3dbWazeLfnkESE+OL1NRtxfGykhaPnBCmSI9n9Aje4iSl2LOVpc1tlAeTFcv8nrlCQ1tKKhVjSCBOdrROJM8SJzb9C9XwsPp7Tro8/p/I3ngXUlMpN1PoeUoX7kQbk05d7qBNyWB5/QXhe2JJKeDGrH+SGL29Utfq+1hitCIhWfrZcEQCbqkBDM1a3shwVdCcXaXDcnuGVzCEkEVMOiIqhcYGSo4b/5OXC9chEMxmnlKQSo6lg1h2xNkZSB/Udz3+Upd6r05JtNItC19Y0cLblQ7nxf7Dhx65QitF+dYrepfmNN4Q3Mzwwejt3PWvzXmQM5QaenJmqwLlTBdyH3FQwDFFKG0333zHDuQJhw3FyQ8O8wyN0qA8NTyhozJtbn4ZUPmpqQzRmqs+vq4+POhRiabXMP0vTwIDAQABAoICAQCeVKXIX4FmFwmLAmtGpDJHFNMhFHSywR4lhvU4mSd1gNuYzLgcelvw81gwzuKehNNd6dtffXZ82b/1L+D55oMbDAuVkdd2ka+khG0pe23+lPWnUYWTbINlNnwoq1a7cVWkly9Gupu36RYrR1zPud1h6sqc0cxWayL+9lNiAFNBcdIKDhvo6dJcNuMNZdgUq92qSXt/FwvM0uxNrGcsgjjo7mLTZ0+f/hqeogzZrMq2RMEYn+ADM+ADI3skJdBrdCxMF7+/Ezgwj9fAjXffolgsG8x76uGh1odZRu0Sx1FjLILtFlVYszIb6eiRXGMoeInHSIXI7SAlCuYGlYT38glcbVFtpDYHH08Fmz+3oKh23Duj0ZtjtmaPZ7AS3T+sHga+Iqq60esQLYHc91VJy25eWUGhqNjELbl7hCaJnYdVq+0ifVQ5oM6pnrgN4EVWRYhRjRbnsOPQYT6BHNUMYlFVKef5kid38pWHyU+TMqMJGLQ70QQkvA9uO+QDkrHx2h8cNbO/SYx/WKcN9iw8OJvgryESe0QzPvPsDG4hBJh9MdnpOPtd123Uz4atubpVImXQOfxP4BT8bn9VuXXiK5kcplkY0bnD9tn1n2adiupW29SagDI7UFZ3jMDFbbuLZiAMnjuz6t1z+GKwb9SWpUfRzFxDasrSdbaF2fuDcJV94QKCAQEA5gERMfLy/LFk2PZQI1sC5gW/jv1JIPKIr1uhh1CAQoEEumHiKT9EW/4zxSWvSmxedd9X7fxn1px2cwgICmDhSAJ4XlVj0uSFrj1y7TxDZEqeVR0482U2p83KTbX5C5Rm21HYgm3C36la4CAy1K9tZMbKoi4mIvp8VEMT3+ToI8S8L+hNefiYmmLZTAisLPInPfLWMsIKzXQfcLmPdcZ5//ylNc5hBbOxEB7lvDGc5ksvC2JNPvxQukriRY2RKLX/NezJB2doWsLKg8TtCpnyRNjnTCKchBS1aNMEu1YubaJBMu/A+Cm7lQ/AZT7XKEMrBHfvAnNbEg34l57wpZHZvwKCAQEAzLEBN2Y/mwX3V35Mtani12rThu+9djp0/am+o9/+lBHOPy/MtEp7J5GrhkkN/R4WGBg6PZwxwfvtLhU+KtVoBqo+NitUxcofNLIF6OXFAeikN/cJH/Y92DYt9yLHOWtK72Tu96xXo7jem1ZzYEfvrFkk3QyaimtQrF7X4xX+avAy+eIrGjXpefG21c9Kn7SuMfRAtTQSeHHELPZVunpQGJuE/yuxuJOwMEyvsKOjTgm1sxNAr6pErPFvlMNm2lSPpBCzjTF8EfDXgiv+dJEyw9gwxcmgbuPikVoyk/B2FO+9Ug2QwKkxXxQ+qEs84cDytwD5BC8H1+VHiLjHmvRucQKCAQBgEBoKbpomCEFCjL2zxpNTVxtGsWsVo7aK5w5z4Z9wJ0q+PZuj9pSqh2U/9hlcUB6zxHCJKV6FOBwQt04EZ6ov1ThIzgk/T8q1l1yk0QKkpLW0ftwGbEODmmPgSRyXRYggGfL/prA5khYufcQ9KHfcG1sOmY+8FDpRRyLJ5GVAay7eI3wYcUfrU1XGd+jRbOIO8Zmc4YZ5gQKQpi/Q1PCnhfHKo0PKid5uCTmSfHY3iTdA3fG9WMyuwg/3VMVH55uL/jWILhxbq/fBSUJnpxyUvLL+DYapc6zA90GGrNv/VkE88P37qBJ8k3Ob1b8vRb51w1HECEIFLGijivKfdGcpAoIBAQCFZV1bk0EkcFDvLhoj0eFJbg8IQzj/0bzoizT4a0Pnj2sP9sC7RkbYVLCpxPZe3LqdXTynZiFvQBUkESgAli9DGLOObdLDS6PmnZYIX6VyRwCukEncEIfhXf26r2mSW//r36V0t1YuFo7MQRzTxE3HzhieDlawmptqmiyri2vQmVU/UEuyuyu7EvGKiZsiVYeoenupG5Rl9g5ZFvhrnMaSItgby4f4uBb8gx2ESkBk3SMS3xsq4BX9dyK2mllvM+igjVnWTEeFEaYA6Vbc9LtWso+mdm4dllnTTCrmCrGJl2uUC88oH5tTUUg8OTwmC66h4Ppn5ZaA9qUVzwYWT/GhAoIBAQDKdV0NooYH2uKpN9KRNDl44UTMsIdmW7qB2ZUGK1UkNJtXR89YHbBdJFpLRGKyIGcRdWjMIRXrnRXWTZ0IDoNhZzRs1iDoFfRvGYIuPFTLnYNZpbzQPJ0WtLw2SKTFAcxHb6/1VsKTWHClnM4pdtNPXyPpyCJEzmnUXPojPo66R07MTmkO/o2Sx6XEOEX1JYD/nTngSQtabvCUFkP/H/m/IcavLgPBR0ca8e/umSWN7FmDm6tCc8o8GC+zrKynTXsiC4hlyyLDP5TfPw8Oq87PPO8xq2HzoIDNAU3eMmkXIZAsYCz+9juV1jiEuS2w4qN8da/41wrN3lbMr4F6oREQ" accessTokenRsaPublic: "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArzdHZTfdMxCPONs/ASKxoLZhSqwn81nY9WsLBkbKnKG3HDEQY0hy1odYWi/O1LDHHjGEOFHpJxjT1k119Wy0RcUik42BLUcpwUiZoPKetlJQV27vxkGJk/KhYqIuinUTRVCLx1B4ES/9De/j8AySNvonsyohjTNFI5Bn1AJZH7Ch7fc8mKaXd/vhCYCCEF8NcCcAsV9a3zDc4lzAVL+YsOY/FCC9WMT/Qq7zbYTrpBCir2ql+oxWaoa6fB3wtTjabTgDdIFg3COy9+6Z5KR21kKCuuC/I/sn7LXBs32NyHQcDYjuzo5xoHUPY7Q3TGnPfCr98pxhL7041fqVmfN+wM37n/+VGX5tT71DgN9yB+Q+32IwmBLGcmE3Hx8fzZhXT96ATyXN06UyQPCf6a5pgi4qGk1tJrLxGVSympyHZ/gGX52JFJQAtH3XR7aOl2Fv6sYQLP7ZUOQ6oNTa2bSL56ZlHy7NV+RDpROYxhsg5Z/kHYedA0PZ292mQqz/2QTcLKAz0IC4K6IAxyFQhsIcrdBBt/kPzjjz0+9rjSAKf7K9esegqOFGwPiI6Jz8Yu9hKK6N+d+unsbHEXswonjwIBmBZ8+p4o+io+7tzmOm2ViBc4SnzW1Ojl6OkUxK0f1oTD2YCHafmV4ICILK6EbL8e8CLJ9fWYIo6YpBqIQk5P8CAwEAAQ==" accessTokenRsaPrivate: "MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCvN0dlN90zEI842z8BIrGgtmFKrCfzWdj1awsGRsqcobccMRBjSHLWh1haL87UsMceMYQ4UeknGNPWTXX1bLRFxSKTjYEtRynBSJmg8p62UlBXbu/GQYmT8qFioi6KdRNFUIvHUHgRL/0N7+PwDJI2+iezKiGNM0UjkGfUAlkfsKHt9zyYppd3++EJgIIQXw1wJwCxX1rfMNziXMBUv5iw5j8UIL1YxP9CrvNthOukEKKvaqX6jFZqhrp8HfC1ONptOAN0gWDcI7L37pnkpHbWQoK64L8j+yfstcGzfY3IdBwNiO7OjnGgdQ9jtDdMac98Kv3ynGEvvTjV+pWZ837Azfuf/5UZfm1PvUOA33IH5D7fYjCYEsZyYTcfHx/NmFdP3oBPJc3TpTJA8J/prmmCLioaTW0msvEZVLKanIdn+AZfnYkUlAC0fddHto6XYW/qxhAs/tlQ5Dqg1NrZtIvnpmUfLs1X5EOlE5jGGyDln+Qdh50DQ9nb3aZCrP/ZBNwsoDPQgLgrogDHIVCGwhyt0EG3+Q/OOPPT72uNIAp/sr16x6Co4UbA+IjonPxi72Eoro35366exscRezCiePAgGYFnz6nij6Kj7u3OY6bZWIFzhKfNbU6OXo6RTErR/WhMPZgIdp+ZXggIgsroRsvx7wIsn19ZgijpikGohCTk/wIDAQABAoICAFZtdwsnhjX1GiCajTZ7LZEvxUf3KXGxRQKxvWtoKfMfFdqTHRlMGFFXy64Y3PYvCNkM5cJ+LPq7FWslJGVeLIIp3odYCnsSGjecHyOz6bPXYIfwUdfCZiGTUiX8B+cGHu5W78vuFnur5zAjv5SeLtVtiX2n74rd2mHTjlOWoO2vzAA8ryhBLH/jv7pXKFD5AgDrTD0x4voq+RmzVK+5HpFL0ZuVFrEd4ye6cpr4MN/p0MWkXqD67nl3Ya9teVl65MtxEMs8MlIETfhcOo78zR2dCy0xRTdzYNszQIvQB8rz8w5+GAXNX6EdfOzabViE7PK7pi4xEwNgXBO4mmipIkEZp8HuGRYkOUPrFQBmNkXU6rFcupyJZzLOtYqTHb/eTULzRhvSzCn+2VRbze6PjtDHJE6jZGJQHZ34JODj9+5lYN41iqrztH95m3MdYzmwv+XLhGtfLocgj5dxFqRtbZLevNpSDoscMdUuvs4LM0CxJetu2WjhYNNRr0u+6q27LPUJZPyz6HAIGNUEpNVfzxSyoh0gQhCSqc8UgN6F0a/vtFn9N0Yd11316SLGKZmKepTTQSKBGq0DoNOF3+i2YfIZ2mf3vnMAvWUKNwvy0mbdvPX+8M+59R4Z7qKa+G8rX9VrGBkRDBjDbMe+Z0+Yr8kVRLTvo7f+f012A37xShlpAoIBAQDVU4aejogXM0OmLk6yogF9dyCD+G/ks/M5Lz9rUQjs28mtD+mvK96SofY7Rx2fEspyhzRZ48uI56lD0EGU45R04JFTK+F0Xb7xsxeQGCTcHhfNlo+RAv0O4ClPk+pNGMUIbwh8/fBtz2IfUc4eegz9BJ4dGsgLCeagsUAdUhaagPudjarSEUy1rfe8h633Z5bh0rcMcFrD0uB7onKiEE0LnLA9wTr2/LJaCjZ4MbrEGC0cEIm/neUiDBRgpnabTpdHCLFZUHOUgfBvzhAwPqVK2mTNY+KK3QdHktBMmmt4idqxnRLczX67lN9yRKqwtpC5wroLzqTvisy4T8SOqTj9AoIBAQDSRB28UxaPX40ElZ+vr5SIFW/7l2fPRGSk30tTSZPREL/Q5alIevksq5ZVonUczFZMBjB66bnHAmWjb5GCiZpv4uqpSn+0vcWQncGLuKJmU97u3A7RSy/VJEzlDsLVwSrdwnKo1sR/g5cCuMJ0NCWtgOZVjluKlkklBU/dl1fjoaVSrdPzRP/Yr2w+Ok2mB9Dv2kT4UVzBdSobdulC/IkyhHSGZOspkyDEd1Nhtcrgtc3jbFvDbzj61ffAs8oUJAVsKTTlqBZ50mgwcoEC2jd9NcDhSxpOSWSyY7QP6DJ58tAkB8l5gG2dTFLsX5RjJR3jMy/tPl2emtGN/+JCDWSrAoIBACrWIuoj5OADw0nTcqocLgBrs3PMp2tdVzHccvexxgEKAW1nDJ3ISWFYdIFivmf69fwZekGypGRRYIPlhcXIDT+K+KOi5Brh2D3goJKmxoAM6uq1mQ6dcwNRr/ny0dG5b5dJ9IJk26qxQhrX6nPkPkdwbe+aOSE+U7lg3mcE3NUZoWz5zZtxLd4tmNmaxSww+PNPxMISrac06S7qZ+pzK4VxaVJ9QsHl7Ep4UofANKi70hMYnxCDPEeh9VWTF64IEgiJjlNI/GyNyyIoVsfZTIfDYwp7TDpmN9f/eyRmvb3usKOJzwfXm+M++b+QWlYx0s36dDF6xVP0ozc/jVC4WmECggEAUGAxbbflO9Euur3nWOUpRgvLzsTFrfla75tb0+6gTp60dEoWN9qqPWUqBnofgm6p3k3PYmzN00EbUSpo2Rl4q6R2R1hvEMwqJWnoflyJ18vfwDbmgyLWmgdSTY0i9Urt8+9MnTXbz1Kh+yxdSMZWUMihQ7szSvq/4yLwsKgVtLIp3D0OdEO/+Ti1i+QFop4CRG2PR8zyRBFhkzYVXMHkQCdZ07XoHvBa6j8i5Ir1johwt6rIOSDfCyOXnVYcvS431Gy8B74FOXQw17QtlMWNyJMvs+9dkueDUp3CSwJbqTokTmGbppJtVF/Eow62Tl/12M/MVkgsyWAtErbp6o3sGQKCAQB03vwtlI1q/ACGUtiFxR+zPZ8ZtNiG4Ujme8tDHecieOyLbpt7v7b3FoZmIvNlaZnE6va++3LQiGyYySNLbc/FZBMlw4Vh10h7tODCqDRSys2fSt9dYbXRacCkw+PmxiWZZApUrBc+K57eG3ZvQU2TzDjX73aX7BHKRhPq+AjG9IR3nFwppnc8Z6tAxlQ+/k6KgV0Agf4syR1tCdLzvIgvozgWG0Y6IDXN53bZ4Bvc26tTV3rYwS63X3hU2G1E4eTeVaTXufIef5bwEmeU8l74dKCikvbFDKB5M8zHJgx9EwRtyJo3Wrmei6WQNbv6wokt/cVepSPObQgzq6Swy4WR" database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" mail: enabled: true username: "spaceMailUser" password: "MailServerPassword" hostname: "mail.space.local" port: "1025" settings: fromAddress: "mailer@no-reply.space.local" elastic: search: hostname: "elasticsearch" port: "9200" audit: hostname: "elasticsearch" port: "9200" metrics: hostname: "elasticsearch" port: "9200" vcs: token: "T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=" externalUrl: "https://portal.space.local" altUrls: "http://portal.space.local" automation: logs: storage: region: "us-west-1" bucketName: "space-data" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" worker: storage: region: "us-west-1" bucketName: "space-data" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" dslCompiler: storage: region: "us-west-1" bucketName: "space-data" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" packages: externalUrl: "https://packages.space.local" packages: ingress: hostname: "packages.space.local" enabled: true selfSigned: true tls: true database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" elastic: search: hostname: "elasticsearch" port: "9200" externalUrl: "https://packages.space.local" oauth: clientId: "space-to-packages" clientSecret: "7I3b50sJz6q0g1GUa4GHQDJQypxKPiWKJtdSQSA+u1s=" space: externalUrl: "https://portal.space.local" vcs: storage: eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-vcs" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" secrets: spaceAccessKey: "T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=" externalUrl: "https://git.space.local" spaceExternalUrl: "https://portal.space.local" ingress: hostname: "git.space.local" enabled: true selfSigned: true tls: true
  6. (Optional) Enable Compute-service to make available running Automation workers inside the Kubernetes cluster. You can skip this step and enable Compute-service at any time after the installation is complete.

  7. Make sure your object storage has the CORS policy that allows users to download packages from the repository pages in Space.

  8. Deploy the created configuration:

    1. Add the chart repository:

      helm repo add jetbrains-space-onpremises \ https://charts.on-premises.service.jetbrains.space/stable
    2. Run the deployment:

      helm install jb-space jetbrains-space-onpremises/space --namespace kube-space -f values.yaml
    export HELM_EXPERIMENTAL_OCI=1 helm install jb-space \ oci://public.registry.jetbrains.space/p/space-on-premises/helm/space \ --version 2024.2.2 \ --namespace kube-space \ -f values.yaml
  9. Configure the TCP proxy for the VCS Ingress, namely, configure the Ingress Controller map. If you use Kubernetes Nginx Ingress Controller, follow this guide.

  10. Verify that all Space domain names resolve to the Ingress load balancer:

    nslookup portal.space.local nslookup packages.space.local nslookup git.space.local

  11. Verify the state of Space pods:

    kubectl -n kube-space get po

    The Space pods must have the Running state. On average, it takes about 2 minutes after deployment for a pod to become active. If the pods are not Running, you can try finding the cause with the following commands:

    kubectl -n kube-space get event

    and

    kubectl -n kube-space describe po "${POD_NAME}"
  12. Open your Space On-Premises instance in a browser. When logging in to Space, use the credentials created in one of the previous steps.

  13. Perform post-installation administration activities:

(Optional) Enable Compute-service

You can enable Compute-service during the Space On-Premises installation or at any time later. This is required only if you want Space to run Automation workers inside the Kubernetes cluster. See considerations on Kubernetes workers.

Prerequisites
  1. Compute-service requires creating the additional {space-namespace}-automation-jobs namespace. Do one of the following:

    • Provide helm with permission to create additional namespaces. In this case, {space-namespace}-automation-jobs will be created automatically.

    • Manually create {space-namespace}-automation-jobs and provide helm with administrator permissions for this namespace.

  2. Define an auto-scaling policy for the cluster, e.g., using static nodes or an auto-scaling plugin. See considerations

  1. (Optional) Set up the Container Storage Interface (CSI) driver.

    Compute-service can operate Kubernetes volumes via the CSI which gives several benefits. To set up the CSI driver, create instances of VolumeSnapshotClass and StorageClass with required parameters and pass their names to computeservice.storageClassName and computeservice.volumeSnapshotClassName in your values.yaml file.

    For example, for AWS:

    --- apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: ebs-sc provisioner: ebs.csi.aws.com volumeBindingMode: WaitForFirstConsumer
  2. (Optional) Set up Sysbox.

    By default, Space will run Automation worker containers in the --privileged mode (the containers will have root privileges on the host system). If you want to avoid this due to security reasons, you can use Sysbox as an alternative. See considerations

    The Sysbox installation process depends on the type of your Kubernetes cluster. Follow the official Sysbox installation instructions

  3. Create and save the computeservice.oauth.clientSecret key:

    openssl rand -base64 32

    Sample output:

    Lz4JawsX4v7zRvFpzhxGGWH8UhNmtz7+xqsn6dtn+Ys=

  4. Enable Compute-service by adding the following configuration to values.yaml:

    computeservice: enabled: true oauth: clientSecret: "Lz4JawsX4v7zRvFpzhxGGWH8UhNmtz7+xqsn6dtn+Ys=" database: name: "crcltdevdb" hostname: "postgresql" port: "5432" username: "root" password: "circlet"
  5. If you use CSI storage in your cluster (see step 1), add the following lines to the computeservice configuration in values.yaml:

    computeservice: worker: defaultVolumeGb: 50

    The defaultVolumeGb defines how much disk space in GB is allocated in the CSI storage. The value should be approximately equal to the planned user workload. This space will be shared between all running Automation jobs, i.e., this is total space required for downloaded project references, compilation process, and so on.

    If defaultVolumeGb is 0 or not specified, Space will allocate disk space for Automation jobs on the Compute-service nodes inside the cluster.

  6. If you use Sysbox (see step 2), add the following lines to the computeservice configuration in values.yaml:

    computeservice: worker: sysbox: enabled: true
  7. (Optional) Change the default Docker registry* from the public JetBrains registry to your custom registry. This change makes sense if you want to isolate your Space instance from external access.

    To change the default registry:

    1. Add the following lines to the computeservice configuration in values.yaml:

      computeservice: worker: image: registry: "custom.registry.mycompany.com" repository: "space-automation-worker-k8s" tag: "2024.2.2.177"

      Here registry, repository, and tag define the URL of your custom registry, the repository name, and the image tag.

    2. If the registry requires authentication, follow the official Kubernetes instructions to create a secret for storing registry credentials. Suppose, the secret name is docker-credentinals-1. Add the imagePullSecrets parameter to the configuration:

      computeservice: worker: image: registry: "custom.registry.mycompany.com" repository: "space-automation-worker-k8s" tag: "2024.2.2.177" imagePullSecrets: "docker-credentinals-1"

(Case-specific) Enable manual downloads in Space Packages

Make sure your custom object storage has the CORS policy that allows receiving GET requests from any origin:

Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: *

Otherwise, users will not be able to manually download packages from the repository page in Space. Clicking the Download button will result in an error.

For example, if you use Amazon S3, follow these steps to configure the CORS policy:

  1. Sign in to the AWS Management Console and open the Amazon S3 console.

  2. Open the S3 bucket used for Space Packages.

  3. Open the Permissions tab and add the following configuration to the CORS section:

    [ { "AllowedHeaders": [ "*" ], "AllowedMethods": [ "GET" ], "AllowedOrigins": [ "*" ], "ExposeHeaders": [] } ]
  4. Save the changes.

Last modified: 05 August 2024