Production Deployment

For production deployments, you can install Jumpstarter on Kubernetes or OpenShift clusters with proper ingress, monitoring, and security configurations.

Prerequisites

Before installing in production, ensure you have:

  • A production Kubernetes cluster available

  • kubectl installed and configured to access your cluster

  • Helm (version 3.x or newer)

  • Administrator access to your cluster (required for CRD installation)

  • Domain name for service endpoints

  • Ingress controller installed (for Kubernetes) or Routes configured (for OpenShift)

Note

Setting global.baseDomain to jumpstarter.example.com creates these service hostnames:

  • grpc.jumpstarter.example.com

  • router.jumpstarter.example.com (for router endpoints)

TLS and gRPC Configuration

Jumpstarter uses gRPC for communication, which has specific requirements for production deployments:

gRPC Requirements

  • HTTP/2 Support: gRPC requires HTTP/2, so ensure your ingress controller or load balancer supports it

  • gRPC Protocol: Some ingress controllers require specific annotations for gRPC traffic

  • Keep-Alive Settings: Long-lived gRPC connections may need keep-alive configuration

  • Load Balancing: Use consistent hashing or session affinity for gRPC connections

TLS Termination Options

Choose one of these TLS termination approaches:

Option 1: TLS Termination at Ingress/Route (Recommended)

  • Terminate TLS at the ingress controller or OpenShift route

  • Simpler certificate management

  • Better performance with fewer encryption hops

Option 2: End-to-End TLS

  • TLS from client to Jumpstarter service

  • Higher security but more complex certificate management

  • Required for strict compliance environments

Warning

gRPC over HTTP/1.1 is not supported. Ensure your ingress controller supports HTTP/2 and is properly configured for gRPC traffic.
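
One way to confirm that the TLS endpoint in front of Jumpstarter actually negotiates HTTP/2 is to inspect `openssl s_client` output. This is an added example, not part of the Jumpstarter project; port 443 and the two sample transcripts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output for a gRPC endpoint.
# Live usage (hostname from this page; port 443 is an assumption):
#   openssl s_client -alpn h2 -servername grpc.jumpstarter.example.com \
#     -connect grpc.jumpstarter.example.com:443 </dev/null 2>/dev/null \
#     | check_grpc_tls

check_grpc_tls() {
    # Reads s_client output on stdin and prints one line per problem.
    # Returns 0 only if h2 was negotiated and the certificate chain verified.
    out=$(cat)
    rc=0
    if ! printf '%s\n' "$out" | grep -q '^ALPN protocol: h2$'; then
        echo "FAIL: endpoint did not negotiate h2 (gRPC needs HTTP/2)"
        rc=1
    fi
    if ! printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "FAIL: certificate chain did not verify"
        rc=1
    fi
    return $rc
}

sample_h2() {  # constructed excerpt: edge proxy negotiates HTTP/2
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
ALPN protocol: h2
Verify return code: 0 (ok)
EOF
}

sample_http11() {  # constructed excerpt: edge proxy offers no ALPN protocol
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
No ALPN negotiated
Verify return code: 0 (ok)
EOF
}

sample_h2 | check_grpc_tls && echo "h2 sample: OK"
sample_http11 | check_grpc_tls || echo "(expected failure on the HTTP/1.1-only sample)"
```

With TLS terminated at the ingress or route (Option 1), this checks the edge proxy; with end-to-end TLS (Option 2), it checks the Jumpstarter service itself.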

Install with Helm

Install Jumpstarter on a Kubernetes/OpenShift cluster using Helm:

Kubernetes (ingress mode):

$ helm upgrade jumpstarter --install oci://quay.io/jumpstarter-dev/helm/jumpstarter \
        --create-namespace --namespace jumpstarter-lab \
        --set global.baseDomain=jumpstarter.example.com \
        --set global.metrics.enabled=true \
        --set jumpstarter-controller.grpc.mode=ingress \
        --version=0.7.0-dev-8-g83e23d3

OpenShift (route mode):

$ helm upgrade jumpstarter --install oci://quay.io/jumpstarter-dev/helm/jumpstarter \
        --create-namespace --namespace jumpstarter-lab \
        --set global.baseDomain=jumpstarter.example.com \
        --set global.metrics.enabled=true \
        --set jumpstarter-controller.grpc.mode=route \
        --version=0.7.0-dev-8-g83e23d3

OpenShift Route TLS Configuration:

OpenShift automatically creates secure routes with TLS termination. To use a custom certificate, define the Route with the certificate and key inline:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: jumpstarter-grpc
  annotations:
    haproxy.router.openshift.io/balance: source
    haproxy.router.openshift.io/timeout: 300s
spec:
  host: grpc.jumpstarter.example.com
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      # Your certificate here
      -----END CERTIFICATE-----
    key: |
      -----BEGIN PRIVATE KEY-----
      # Your private key here
      -----END PRIVATE KEY-----
  to:
    kind: Service
    name: jumpstarter-controller-grpc
    weight: 100

Install with ArgoCD

You can use ArgoCD to install Jumpstarter in your production cluster. Below are examples for different platforms:

Install with ArgoCD on Kubernetes (Amazon EKS)

First, create a namespace for Jumpstarter:

$ kubectl create namespace jumpstarter-lab

If your ArgoCD installation requires namespace labeling for management, add the appropriate label:

$ kubectl label namespace jumpstarter-lab argocd.argoproj.io/managed-by=argocd

For ArgoCD to manage Jumpstarter CRDs, create this ClusterRole and ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-application-controller-crd
rules:
- apiGroups:
  - 'apiextensions.k8s.io'
  resources:
  - 'customresourcedefinitions'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-application-controller-crd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-application-controller-crd
subjects:
- kind: ServiceAccount
  name: argocd-application-controller
  namespace: argocd  # Replace with your ArgoCD namespace

Create an ArgoCD Application to deploy Jumpstarter:

Warning

The secrets jumpstarter-controller.controllerSecret and jumpstarter-controller.routerSecret must be unique for each installation. Helm can auto-generate these, but ArgoCD cannot, so you must create them manually in your Jumpstarter namespace.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: jumpstarter
  namespace: argocd  # Replace with your ArgoCD namespace
spec:
  destination:
    name: in-cluster
    namespace: jumpstarter-lab
  project: default
  source:
    chart: jumpstarter
    helm:
      parameters:
      - name: global.baseDomain
        value: jumpstarter.example.com
      - name: global.metrics.enabled
        value: "true"
      - name: jumpstarter-controller.controllerSecret
        value: "pick-a-secret-DONT-USE-THIS-DEFAULT"
      - name: jumpstarter-controller.routerSecret
        value: "again-pick-a-secret-DONT-USE-THIS-DEFAULT"
      - name: jumpstarter-controller.grpc.mode
        value: "ingress"
    repoURL: quay.io/jumpstarter-dev/helm
    targetRevision: "0.7.0-dev-8-g83e23d3"
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true

Install with ArgoCD on OpenShift

First, create and label a namespace for Jumpstarter:

$ kubectl create namespace jumpstarter-lab
$ kubectl label namespace jumpstarter-lab argocd.argoproj.io/managed-by=openshift-gitops

For ArgoCD to manage Jumpstarter CRDs, create this ClusterRole and ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    argocds.argoproj.io/name: openshift-gitops
    argocds.argoproj.io/namespace: openshift-gitops
  name: openshift-gitops-argocd-appcontroller-crd
rules:
- apiGroups:
  - 'apiextensions.k8s.io'
  resources:
  - 'customresourcedefinitions'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    argocds.argoproj.io/name: openshift-gitops
    argocds.argoproj.io/namespace: openshift-gitops
  name: openshift-gitops-argocd-appcontroller-crd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-gitops-argocd-appcontroller-crd
subjects:
- kind: ServiceAccount
  name: openshift-gitops-argocd-application-controller
  namespace: openshift-gitops

Create an ArgoCD Application to deploy Jumpstarter:

Warning

The secrets jumpstarter-controller.controllerSecret and jumpstarter-controller.routerSecret must be unique for each installation. Helm can auto-generate these, but ArgoCD cannot, so you must create them manually in your Jumpstarter namespace.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: jumpstarter
  namespace: openshift-gitops
spec:
  destination:
    name: in-cluster
    namespace: jumpstarter-lab
  project: default
  source:
    chart: jumpstarter
    helm:
      parameters:
      - name: global.baseDomain
        value: jumpstarter.example.com
      - name: global.metrics.enabled
        value: "true"
      - name: jumpstarter-controller.controllerSecret
        value: "pick-a-secret-DONT-USE-THIS-DEFAULT"
      - name: jumpstarter-controller.routerSecret
        value: "again-pick-a-secret-DONT-USE-THIS-DEFAULT"
      - name: jumpstarter-controller.grpc.mode
        value: "route"
    repoURL: quay.io/jumpstarter-dev/helm
    targetRevision: "0.7.0-dev-8-g83e23d3"
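
Both ArgoCD Application manifests above ship with placeholder values for controllerSecret and routerSecret, so a pre-sync check that rejects the placeholders is worth having. The following is an added example, not part of the Jumpstarter project. The 32-character minimum, the rule that the two secrets must differ from each other, and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Jumpstarter code): lint the two secret parameters of an
# ArgoCD Application manifest before it is committed or synced.
MIN_LEN=32   # assumption: minimum acceptable secret length in characters

new_secret() {  # 32 random bytes rendered as 64 hex characters
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

param_value() {  # print the value of Helm parameter $1 found in manifest $2
    awk -v want="$1" '
        $1 == "-" && $2 == "name:" { hit = ($3 == want); next }
        hit && $1 == "value:" {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); gsub(/^"|"$/, "", v)
            print v; exit
        }' "$2"
}

lint_app_secrets() {  # returns 0 only if both secrets pass every check
    file=$1; rc=0
    ctrl=$(param_value jumpstarter-controller.controllerSecret "$file")
    rtr=$(param_value jumpstarter-controller.routerSecret "$file")
    for pair in "controllerSecret:$ctrl" "routerSecret:$rtr"; do
        name=${pair%%:*}; val=${pair#*:}
        case $val in
            "") echo "FAIL: $name is not set"; rc=1 ;;
            *DONT-USE-THIS-DEFAULT*)
                echo "FAIL: $name is the documentation placeholder"; rc=1 ;;
            *) [ "${#val}" -ge "$MIN_LEN" ] ||
                { echo "FAIL: $name is shorter than $MIN_LEN characters"; rc=1; } ;;
        esac
    done
    # Policy of this example: the two secrets must also differ from each other.
    if [ -n "$ctrl" ] && [ "$ctrl" = "$rtr" ]; then
        echo "FAIL: controllerSecret and routerSecret are identical"; rc=1
    fi
    return $rc
}

write_sample() {  # constructed manifest fragment: $1=file $2=controller $3=router
    cat > "$1" <<EOF
      parameters:
      - name: jumpstarter-controller.controllerSecret
        value: "$2"
      - name: jumpstarter-controller.routerSecret
        value: "$3"
EOF
}
```

Call `lint_app_secrets` with the path to your Application manifest; `new_secret` produces a value that passes the length check.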