Helm chart

Production Kubernetes deployment with split API / worker / scheduler workloads, leader election, External Secrets integration, and an opinionated PodDisruptionBudget for upgrades.

01 Install

helm repo add certautopilot https://charts.cloudnativeworks.com
helm repo update

helm install cap certautopilot/certautopilot \
  --namespace cap --create-namespace \
  --version 1.4.0 \
  -f values.yaml

02 Minimum values.yaml

image:
  tag: "1.4.0"

mongo:
  uri: mongodb://mongo-rs-0.mongo:27017,mongo-rs-1.mongo:27017,mongo-rs-2.mongo:27017/certautopilot?replicaSet=rs0
  uriSecretRef: cap-mongo

kek:
  secretRef: cap-kek
  secretKey: kek.bin

api:
  replicas: 3
  ingress:
    enabled: true
    host: certs.example.com
    tls:
      secretName: cap-tls

worker:
  replicas: 4

scheduler:
  replicas: 2   # leader-elected; only one is active

03 Workloads

The chart deploys three Deployments, one Service, one Ingress, and (optionally) one ServiceMonitor.

Workload        Mode        HPA?   Notes
cap-api         api         yes    Stateless. Targeted by Ingress.
cap-worker      worker      yes    Scales on Mongo job-queue depth (custom metric).
cap-scheduler   scheduler   no     Leader-elected via Mongo. Run 2 for HA.

04 External Secrets

The chart never asks for plaintext secrets in values.yaml. Provide the Mongo URI and KEK as Kubernetes Secrets of type Opaque and reference them by name. Most users wire them up via External Secrets Operator pulling from AWS Secrets Manager, GCP Secret Manager, or Vault.

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata: {name: cap-kek, namespace: cap}
spec:
  refreshInterval: 1h
  secretStoreRef: {name: aws-sm, kind: ClusterSecretStore}
  target: {name: cap-kek}
  data:
    - secretKey: kek.bin
      remoteRef: {key: certautopilot/prod/kek}

05 PodDisruptionBudget

The chart ships a PDB per workload with maxUnavailable: 1. During upgrades, cluster autoscaling, or node drains this prevents losing all API replicas at once.
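As an added example (not part of the chart or its docs), a small Python lint that checks a values file against the constraints stated in sections 02, 04 and 05: no credentials in mongo.uri, both Secret references set, a pinned image tag, and at least two replicas so that the maxUnavailable: 1 PDB and the leader-elected scheduler actually deliver HA. It takes the values as a dict (load the file with yaml.safe_load in practice); the rules and the sample values are mine, not the chart's.

```python
from urllib.parse import urlsplit


def _get(values: dict, path: str, default=None):
    """Walk a dotted path such as 'api.replicas' through nested dicts."""
    node = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def lint_values(values: dict) -> list[str]:
    """Return findings against the chart's documented constraints; [] means pass."""
    findings = []
    # Secrets must come from referenced Secret objects, never from values.yaml:
    # a userinfo part ("user:pass@") in the URI means credentials are in the file.
    if "@" in urlsplit(_get(values, "mongo.uri", "")).netloc:
        findings.append("mongo.uri embeds credentials; keep them in the Secret named by mongo.uriSecretRef")
    if not _get(values, "mongo.uriSecretRef"):
        findings.append("mongo.uriSecretRef is unset")
    if not _get(values, "kek.secretRef") or not _get(values, "kek.secretKey"):
        findings.append("kek.secretRef and kek.secretKey must name the KEK Secret and its key")
    # A floating tag defeats --version pinning and makes an --atomic rollback ambiguous.
    if str(_get(values, "image.tag", "")) in ("", "latest"):
        findings.append('image.tag must be pinned (e.g. "1.4.0"), not empty or latest')
    # maxUnavailable: 1 only keeps a replica serving if there are at least two to begin with.
    for workload in ("api", "worker"):
        if _get(values, f"{workload}.replicas", 1) < 2:
            findings.append(f"{workload}.replicas < 2: the PDB cannot keep a replica up during a drain")
    # The scheduler is leader-elected; the chart docs recommend two replicas for HA.
    if _get(values, "scheduler.replicas", 1) < 2:
        findings.append("scheduler.replicas < 2: no standby for leader election")
    return findings

# Constructed sample mirroring the minimum values.yaml, with three deliberate faults.
SAMPLE_VALUES = {
    "image": {"tag": "latest"},
    "mongo": {"uri": "mongodb://cap:hunter2@mongo-rs-0.mongo:27017/certautopilot?replicaSet=rs0",
              "uriSecretRef": "cap-mongo"},
    "kek": {"secretRef": "cap-kek", "secretKey": "kek.bin"},
    "api": {"replicas": 3},
    "worker": {"replicas": 4},
    "scheduler": {"replicas": 1},
}

if __name__ == "__main__":
    for finding in lint_values(SAMPLE_VALUES):
        print("FAIL:", finding)
```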

06 Metrics

Prometheus metrics are exposed on port 9090 of every pod. Set metrics.serviceMonitor.enabled=true to deploy the ServiceMonitor for Prometheus Operator users.

07 Upgrade

helm upgrade cap certautopilot/certautopilot \
  --namespace cap \
  --version 1.4.1 \
  -f values.yaml \
  --atomic --wait

Migrations run inside an init job before the new pods start. --atomic rolls back if the job or rollout fails.