Deploy Hermod 3.x on Kubernetes

This article describes how to deploy a Hermod image on Kubernetes.

Prerequisites for Hermod deployment

  • A Kubernetes service subscription in which you create and deploy Hermod

  • A public DNS name which devices can reach

  • Matching certificates for the public address

  • An installed and deployed instance of an SQL server, for example, PostgreSQL, Microsoft SQL Server, MariaDB, or Oracle

Step-by-step instruction

Download the Hermod docker image and file structure

  1. Sign in to Nexus Support portal.

  2. Go to Nexus Smart ID Clients (Personal and Hermod) > Smart ID Messaging and select a Hermod version to download the *.zip file.

  3. Unpack the *.zip file.

  4. Open the extracted folder, for example, 3.x.y.RELEASE.
    The folder contains the Hermod installation file and a simple-setup file to set up a default configuration.

  5. Unpack simple-setup.zip.

  6. Place the Docker image in a location from which the Kubernetes cluster can pull it.

Create the storage yml file

Edit the file hermod-config with the correct values for your environment. It is used to store the Hermod configuration file.

Example: hermod-config.yml

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      annotations:
      finalizers:
      - kubernetes.io/pvc-protection
      name: hermod-config
      namespace: test
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 1Gi
      storageClassName: default
      volumeMode: Filesystem
      volumeName: hermod-config

Create the Hermod deployment yml file

Edit the file hermod-deployment with the correct values for your environment.

Important! The actual values must match the specific deployment scenario. The hermod-deployment code below is only intended as an example.

Example: hermod-deployment.yml

    apiVersion: v1
    items:
    - apiVersion: apps/v1
      kind: Deployment
      metadata:
        annotations:
          deployment.kubernetes.io/revision: "2"
        generation: 3
        labels:
          app: hermod
        name: hermod
        namespace: test
      spec:
        replicas: 1
        revisionHistoryLimit: 2
        selector:
          matchLabels:
            app: hermod
        strategy:
          rollingUpdate:
            maxSurge: 1
            maxUnavailable: 0
          type: RollingUpdate
        template:
          metadata:
            labels:
              app: hermod
              configmap-version: "1"
            annotations:
              prometheus.io/scrape: "true"
              prometheus.io/scheme: "http"
              prometheus.io/path: "prometheus"
              prometheus.io/port: "20400"
            name: hermod
          spec:
            containers:
            - image: nexusgocontainerregistry.azurecr.io/nexus-personal/hermod:3.7.0.RELEASE
              imagePullPolicy: Always
              # Spring resolves the ${...} placeholders from the env entries below
              args:
              - --spring.profiles.active=native
              - --spring.datasource.url=${DB_URI}
              - --spring.datasource.username=${DB_USERNAME}
              - --spring.datasource.password=${DB_PASSWORD}
              name: hermod
              ports:
              - containerPort: 20400
                protocol: TCP
              resources: {}
              env:
              - name: JAVA_OPTS
                value: -Xms256m -Xmx512m -XX:MaxMetaspaceSize=512m -XX:CompressedClassSpaceSize=64m -Xss256k -Xmn8m -XX:InitialCodeCacheSize=4m -XX:ReservedCodeCacheSize=64m -XX:MaxDirectMemorySize=64m
              # Database connection values are read from the Secret hermod-secret-test-postgres
              - name: DB_URI
                valueFrom:
                  secretKeyRef:
                    key: DB_URI
                    name: hermod-secret-test-postgres
              - name: DB_USERNAME
                valueFrom:
                  secretKeyRef:
                    key: DB_USERNAME
                    name: hermod-secret-test-postgres
              - name: DB_PASSWORD
                valueFrom:
                  secretKeyRef:
                    key: DB_PASSWORD
                    name: hermod-secret-test-postgres
              readinessProbe:
                httpGet:
                  path: /ms
                  port: 20400
                initialDelaySeconds: 20
                timeoutSeconds: 5
                periodSeconds: 30
              securityContext:
                privileged: false
                runAsNonRoot: true
                runAsUser: 1000
              terminationMessagePath: /dev/termination-log
              volumeMounts:
              - name: hermod-config
                mountPath: /home/docker/config
            volumes:
            - name: hermod-config
              configMap:
                name: hermod
            dnsPolicy: ClusterFirst
            restartPolicy: Always
            securityContext: {}
            terminationGracePeriodSeconds: 30
    kind: List
    metadata:
      resourceVersion: ""
      selfLink: ""

 

Create the Hermod configuration yml file

Edit the file hermod-configuration with the correct values for your environment.

Important! The actual values must match the specific deployment scenario, for example the configured clientId, the public URL, TLS/SSL, and the URL, username and password for the specified database. The code below is only intended as an example.

Example: hermod-configuration.yml

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: hermod
      namespace: test
    data:
      application.yml: |-
        logging:
          level:
            org.springframework.context.annotation.AnnotationConfigApplicationContext: ERROR
            org.springframework.boot.SpringApplication: ERROR
            org.springframework.cloud.config.client: ERROR
            org.springframework.web.reactive.function.client.WebClient: TRACE
            com.netflix: INFO
            reactor.netty.http.client: TRACE
            com.nexusgroup: TRACE
            com.relayrides: INFO
            org.mongodb.driver: TRACE
            com.nexusgroup.plugout.message.server.filters.VersionHttpFilter: ERROR
            com.nexusgroup.cod.hermod.service.MessagePlugoutService: ERROR
            org.hibernate.stat: DEBUG
            #org.apache.http: TRACE
          pattern:
            console: "%d{yyyy-MM-dd}T%d{HH:mm:ss.SSS}Z ${LOG_LEVEL_PATTERN:- %5p} [%t] %-40.40logger{39} [%mdc] : %m%n${LOG_EXCEPTION_CONVERSION_WORD:%wEx}"
        server:
          servlet:
            context-path: /
          error:
            include-message: always
            include-binding-errors: never
            include-stacktrace: never
            include-exception: false
        springdoc:
          override-with-generic-response: false
          api-docs:
            enabled: false
          swagger-ui:
            enabled: false
        spring:
          jpa:
            properties:
              hibernate:
                show-sql: false
                format-sql: true
                generate-statistics: false
            hibernate:
              ddl-auto: validate
          cloud:
            kubernetes:
              reload:
                enabled: true
        management:
          info:
            env:
              enabled: true
          endpoints:
            web:
              exposure:
                include: health, info, refresh, prometheus
          endpoint:
            prometheus:
              enabled: true
        application:
          rest:
            client:
              keep-a-live-timeout: -1
              connection-timeout: 8
          hermod:
            scheduler:
              exec:
                threads: 100
            rest:
              uribase:
              hide-exceptions: false
            # Hide sensitive/long data in event logs?
            events:
              hide-sensitive: true
            allowed-clients:
              # X-Api-Key: aGVybW9kLXRlc3QtY2xpZW50Ojc5YjY1NzUwODc3NzQwOGJhNDA2ZjM1NDNjYTg3ZmFkYjc0MmNmNmM3NjEzNDc0MTg5ZGJlZjI5NWEyNTIzMmM=
              - client-id: hermod-test-client
                key: 56UGzk8qZm67YDhkzwuEfpYkLMubram8P9KryXGG9PEa76Xnku5Z6B7c8MKAf66X
                # Optional username:password to be supplied for basic authentication in callbacks
                # callback-basic-auth: username:password
                # The callback URL base for this specific client
                callback-url: http://hermod:20400
            # Message server library settings
            message-server-library:
              public-url: https://<my-hermod-server>:20400/ms

Create the Hermod service yml file

Edit the file hermod-service with the correct values for your environment.

Example: hermod-service.yml

Optional: Create the Hermod database secret YML file

Edit the file hermod-secret with the correct values for your environment.

Example: hermod-secret.yml
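
The following is an added example, not taken from the original page or from Nexus: a Secret and a Service that are consistent with what hermod-deployment.yml and hermod-configuration.yml above refer to (Secret hermod-secret-test-postgres with the keys DB_URI, DB_USERNAME and DB_PASSWORD, the label app: hermod, port 20400, and the host name hermod used in callback-url). The ClusterIP service type, the PostgreSQL JDBC URL form and every value in angle brackets are assumptions or placeholders.

```yaml
# hermod-secret.yml (added example; all values are placeholders)
apiVersion: v1
kind: Secret
metadata:
  # Must match the secretKeyRef name used in hermod-deployment.yml
  name: hermod-secret-test-postgres
  namespace: test
type: Opaque
# stringData takes plain text; the API server stores it base64-encoded under data
stringData:
  # Assumption: PostgreSQL JDBC URL form; use the URL form of your database
  DB_URI: "jdbc:postgresql://<db-host>:5432/<db-name>"
  DB_USERNAME: "<db-username>"
  DB_PASSWORD: "<db-password>"
---
# hermod-service.yml (added example)
apiVersion: v1
kind: Service
metadata:
  # The name gives the in-cluster host name used by callback-url (http://hermod:20400)
  name: hermod
  namespace: test
  labels:
    app: hermod
spec:
  # Assumption: cluster-internal service; how the public URL reaches it
  # (ingress, load balancer, TLS termination) depends on your environment
  type: ClusterIP
  selector:
    # Must match the pod template label in hermod-deployment.yml
    app: hermod
  ports:
  - name: http
    protocol: TCP
    port: 20400
    # containerPort of the hermod container
    targetPort: 20400
```

Keep the filled-in Secret manifest out of version control, and apply it before the deployment so that the secretKeyRef entries resolve when the pod starts.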

Deploy yml files

You can deploy the yml files on Kubernetes by using the following command:

    kubectl --kubeconfig <kubernetes-config> apply -f <file_name>.yml

 

Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.