Production Installation

This topic shows how to install Space On-Premises to a custom Kubernetes cluster using Helm.

Installation requirements

Kubernetes	Version 1.21 or later
Helm	Version 3.6.0 or later
Cluster workers	The cluster has at least five workers. OS: Linux Platform: x86_64/amd64 Recommended min resources: 4 CPU cores and 8GB memory
Namespace	A dedicated Kubernetes namespace.
Ingress controller	An Ingress controller already exists in the cluster and watches for objects of a specific IngressClass.
Ingress TCP Proxy Mode	In addition to Server Name Indication (SNI), the Ingress controller also supports proxying of TCP traffic.
DNS	The domain names of the Space application, Packages, and VCS services already exist as well as the corresponding TLS certificates.
Storage	MinIO or another S3-compatible storage, Elasticsearch, PostgreSQL, and Redis already exist, the corresponding access credentials are already configured. Supported versions: MinIO RELEASE.2021-09-09T21-37-07Z – RELEASE.2022-03-05T06-32-39Z Elasticsearch 7.11.1 – 8.2.3 PostgreSQL 12.2 – 14.3 Redis 4.0.2 – 7.0.2
User permissions	You have administrator permissions to the Kubernetes namespace.

Plan your installation

For the successful operation of Space On-Premises, we recommend that you think through some technical decisions in advance.

Storage organization

The storage organization is crutially important when it comes to the system scalability. Space On-Premises supports two ways to organize storage subsystems:

Shared: Space On-Premises components (the Space application, Packages, VCS) share the same storage subsystems (the event bus, the search database, the application database). This way is easier to implement, but over time, the performance of such a solution will decrease. Nevertheless, it may be a viable option for small organizations.
Distributed: Space On-Premises components use different storage subsystems. Depending on the load, storage can scale. Planning is essential for deploying a distributed storage:
- Estimate the storage needs for every Space component at least three years in advance.
- When planning, be sure to consider future maintenance efforts.

Data backup and recovery

At the moment, Space On-Premises doesn't offer any built-in tools for data backup or recovery. We recommend that you follow the industry best practices for each Space storage subsystem.

Basic considerations:

PostgreSQL, MinIO/S3-compatible storage – user data that must be backed up.
Elasticsearch – index of PostgreSQL and MinIO/S3-compatible storage data. Although the database index can be rebuilt, it can take considerable time. We recommend backing up Elasticsearch content if you have a significant amount of data stored in PostgreSQL and/or MinIO/S3-compatible storage.
Redis – only temporary user data. No need to back up.
When planning the backup solution from the infrastructural point of view, take the need to store 1 petabyte of data as a starting assumption. This will help you find the best approach and evaluate the constraints of your existing procedures and tools.
PostgreSQL, MinIO/S3-compatible storage, and Elasticsearch are backed up separately. The data in the backups depend on each other. That's why, when restoring these data, it is important that the restored MinIO backup is made later than the PostgreSQL backup, and the Elasticsearch backup later than the MinIO backup.

Rotation of secrets

During the Space On-Premises installation, almost every user-provided input is treated as a secret: The Space configuration populates a corresponding Kubernetes secret object. During the deployment, Kubernetes injects this object to the most-appropriate Space application component.

If required, you can overwrite the internal secret object with user-managed secrets using the externalSecretName key. Make sure that each external secret contains all necessary keys and values. Otherwise, a particular Space application component will fail to start.

For the information on which keys are required for particular secrets, refer to the /space/templates/space/secrets directory in the Space On-Premises Helm chart.

For instance, to overwrite the S3-storage configuration for the Space application, create an external secret based on the s3.secret.yaml file (the values must be Base64-encoded):

            apiVersion: v1
            kind: Secret
            type: Opaque
            metadata:
              name: my-new-space-s3
              namespace: kube-space
              labels:
                app.kubernetes.io/component: space
            data:
              SPACE_STORAGE_REGION: "ZXUtd2VzdC0xCg=="
              SPACE_STORAGE_BUCKET_NAME: "YnVja2V0LW5hbWU="
              SPACE_STORAGE_BUCKET_CREATED: "dHJ1ZQ=="
              SPACE_STORAGE_URL: "aHR0cHM6Ly9zMy5hd3MuY29t"
              SPACE_STORAGE_ACCESS_KEY: "SUFJRUlVQUlkaGFranNkbmFrbGpzZG4=
              SPACE_STORAGE_SECRET_KEY: "QVg8Pk5JTEpTT0lISlJPTEFLIlM6TCJMPkRtYW5rZWl3dWZyZGg="
        

Perform production installation of Space On-Premises

The instructions below imply the following names (they will be different for your installation):

The Kubernetes namespace is kube-space.
The domain names of the Space application components are:
- Space application: portal.space.local
- Packages: packages.space.local
- VCS: git.space.local

Create and save the space.masterSecret key:
openssl rand -base64 32
Sample output:
RMmPPfeJMOUkUpPHncPduaB/q/zae0D1/pzkyyqsBWg=
Create and save the space.webHookSecret key:
openssl rand -base64 32
Sample output:
TNyTnI/cJB+RNfrtLJ+a1tB8J6IUOTLSL0qWatzbbhU=
Create and save the space.oauth.messageEncodingKey key:
openssl rand -base64 16
Sample output:
P7fD4x3s5t4Gtor1dYgpjw==
Create and save the space.oauth.encodingKey2fa key
openssl rand -base64 16
Sample output:
iHKa0NUFgNYNhECbREGeLA==
Create and save the space.oauth.encodingKey key:
openssl rand -base64 16
Sample output:
UesLKkayxPdzFhkcMazXZA==
Create and save the space.oauth.messageSigningRsaPrivate and space.oauth.messageSigningRsaPublic certificates:
openssl genrsa 4096 2> /dev/null | openssl pkcs8 -topk8 -nocrypt > messageSigningRsa.key cat messageSigningRsa.key| openssl rsa -pubout 2> /dev/null
Sample output (the public key):
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+fhiHhMEXFb9GvG5B3lFSTSZ4Rk9nIHXogvk4Kb16H5GIBeil2T+maOF0FT6xMu+Qxc90iZ4CAmkUcTMUyda5J+W6lYdkEKwg9o5WERsHfxIr3e63DgasGBpDemgJwpUOhBjjFCaOcAN0ivP03grkKKdHXaT6vWqShGJKiaPaz56bDPtPR1XNnB8GfUtAAy0T6rx86h5NKUd3W1ms3i355BEhPji9TUbcXxspIWj5wQpkiPZ/QI3uIkpdizlaXNbZQHkxXL/J65QkNbSioVY0ggTna0TiTPEic2/QvV8LD6e066PP6fyN54F1JTKTdT6HlKF+5EG5NOXe6gTclgef0F4XtiSSngxqx/khi9vVLX6vtYYrQiIVn62XBEAm6pAQzNWt7IcFXQnF2lw3J7hlcwhJBFTDoiKoXGBkqOG/+TlwvXIRDMZp5SkEqOpYNYdsTZGUgf1Hc9/lKXeq9OSbTSLQtfWNHC25UO58X+w4ceuUIrRfnWK3qX5jTeENzM8MHo7dz1r815kDOUGnpyZqsC5UwXch9xUMAxRShtN998xw7kCYcNxckPDvMMjdKgPDU8oaMybW5+GVD5qakM0ZqrPr6uPjzoUYmm1zD9L08CAwEAAQ== -----END PUBLIC KEY-----
The private key is saved to messageSigningRsa.key.
Create and save the space.oauth.accessTokenRsaPrivate and space.oauth.accessTokenRsaPublic certificates:
openssl genrsa 4096 2> /dev/null | openssl pkcs8 -topk8 -nocrypt > accessTokenRsa.key cat accessTokenRsa.key | openssl rsa -pubout 2> /dev/null
Sample output (the public key):
-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArzdHZTfdMxCPONs/ASKxoLZhSqwn81nY9WsLBkbKnKG3HDEQY0hy1odYWi/O1LDHHjGEOFHpJxjT1k119Wy0RcUik42BLUcpwUiZoPKetlJQV27vxkGJk/KhYqIuinUTRVCLx1B4ES/9De/j8AySNvonsyohjTNFI5Bn1AJZH7Ch7fc8mKaXd/vhCYCCEF8NcCcAsV9a3zDc4lzAVL+YsOY/FCC9WMT/Qq7zbYTrpBCir2ql+oxWaoa6fB3wtTjabTgDdIFg3COy9+6Z5KR21kKCuuC/I/sn7LXBs32NyHQcDYjuzo5xoHUPY7Q3TGnPfCr98pxhL7041fqVmfN+wM37n/+VGX5tT71DgN9yB+Q+32IwmBLGcmE3Hx8fzZhXT96ATyXN06UyQPCf6a5pgi4qGk1tJrLxGVSympyHZ/gGX52JFJQAtH3XR7aOl2Fv6sYQLP7ZUOQ6oNTa2bSL56ZlHy7NV+RDpROYxhsg5Z/kHYedA0PZ292mQqz/2QTcLKAz0IC4K6IAxyFQhsIcrdBBt/kPzjjz0+9rjSAKf7K9esegqOFGwPiI6Jz8Yu9hKK6N+d+unsbHEXswonjwIBmBZ8+p4o+io+7tzmOm2ViBc4SnzW1Ojl6OkUxK0f1oTD2YCHafmV4ICILK6EbL8e8CLJ9fWYIo6YpBqIQk5P8CAwEAAQ== -----END PUBLIC KEY-----
The private key is saved to accessTokenRsa.key.
Create and save the space.vcs.token key:
openssl rand -base64 32
Sample output:
T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=
Create and save the space.packages.oauth.clientSecret key:
openssl rand -base64 32
Sample output:
7I3b50sJz6q0g1GUa4GHQDJQypxKPiWKJtdSQSA+u1s=
Provide data for the local administrator account. The local administrator will be the first administrator account in your Space On-Premises instance. The most important account settings are space.localAdministrator.username and space.localAdministrator.password: You will need these credentials to log in to Space after the installation is finished.
For the space.localAdministrator.password key, you can use your own password or generate a random one with:
openssl rand -base64 8
Sample output:
waPL7YEhAxw=
When logging in to Space, provide this value as is – although the output is a Base64-encoded value, you must not decode it back.
Create a values.yaml file with deployment configuration. In the file, specify the generated key and certificate values from previous steps. For instance, in our example, the file will look like follows:
space: ingress: hostname: "portal.space.local" enabled: true selfSigned: true tls: true masterSecret: "RMmPPfeJMOUkUpPHncPduaB/q/zae0D1/pzkyyqsBWg=" webHookSecret: "TNyTnI/cJB+RNfrtLJ+a1tB8J6IUOTLSL0qWatzbbhU=" localAdministrator: firstName: "Administrator" lastName: "Administrator" username: "admin" password: "waPL7YEhAxw=" email: "admin@space.local" oauth: messageEncodingKey: "P7fD4x3s5t4Gtor1dYgpjw==" encodingKey2fa: "iHKa0NUFgNYNhECbREGeLA==" encodingKey: "UesLKkayxPdzFhkcMazXZA==" messageSigningRsaPublic: "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAt+fhiHhMEXFb9GvG5B3lFSTSZ4Rk9nIHXogvk4Kb16H5GIBeil2T+maOF0FT6xMu+Qxc90iZ4CAmkUcTMUyda5J+W6lYdkEKwg9o5WERsHfxIr3e63DgasGBpDemgJwpUOhBjjFCaOcAN0ivP03grkKKdHXaT6vWqShGJKiaPaz56bDPtPR1XNnB8GfUtAAy0T6rx86h5NKUd3W1ms3i355BEhPji9TUbcXxspIWj5wQpkiPZ/QI3uIkpdizlaXNbZQHkxXL/J65QkNbSioVY0ggTna0TiTPEic2/QvV8LD6e066PP6fyN54F1JTKTdT6HlKF+5EG5NOXe6gTclgef0F4XtiSSngxqx/khi9vVLX6vtYYrQiIVn62XBEAm6pAQzNWt7IcFXQnF2lw3J7hlcwhJBFTDoiKoXGBkqOG/+TlwvXIRDMZp5SkEqOpYNYdsTZGUgf1Hc9/lKXeq9OSbTSLQtfWNHC25UO58X+w4ceuUIrRfnWK3qX5jTeENzM8MHo7dz1r815kDOUGnpyZqsC5UwXch9xUMAxRShtN998xw7kCYcNxckPDvMMjdKgPDU8oaMybW5+GVD5qakM0ZqrPr6uPjzoUYmm1zD9L08CAwEAAQ==" messageSigningRsaPrivate: "MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQC35+GIeEwRcVv0a8bkHeUcCkOVxjIT2pA/ixlY2lQH9/u5dS0b+5d/QBoB9wXdJJ5uii4vb2s6YXPll885fO0VJNJnhGT2cgdeiC+TgpvXofkYgF6KXZP6Zo4XQVPrEy75DFz3SJngICaRRxMxTJ1rkn5bqVh2QQrCD2jlYRGwd/Eivd7rcOBqwYGkN6aAnClQ6EGOMUJo5wA3SK8/TeCuQop0ddpPq9apKEYkqJo9rPnpsM+09HVc2cHwZ9S0ADLRPqvHzqHk0pR3dbWazeLfnkESE+OL1NRtxfGykhaPnBCmSI9n9Aje4iSl2LOVpc1tlAeTFcv8nrlCQ1tKKhVjSCBOdrROJM8SJzb9C9XwsPp7Tro8/p/I3ngXUlMpN1PoeUoX7kQbk05d7qBNyWB5/QXhe2JJKeDGrH+SGL29Utfq+1hitCIhWfrZcEQCbqkBDM1a3shwVdCcXaXDcnuGVzCEkEVMOiIqhcYGSo4b/5OXC9chEMxmnlKQSo6lg1h2xNkZSB/Udz3+Upd6r05JtNItC19Y0cLblQ7nxf7Dhx65QitF+dYrepfmNN4Q3Mzwwejt3PWvzXmQM5QaenJmqwLlTBdyH3FQwDFFKG0333zHDuQJhw3FyQ8O8wyN0qA8NTyhozJtbn4ZUPmpqQzRmqs+vq4+POhRiabXMP0vTwIDAQABAoICAQCeVKXIX4FmFwmLAmtGpDJHFNMhFHSywR4lhvU4mSd1gNuYzLgcelvw81gwzuKehNNd6dtffXZ82b/1L+D55oMbDAuVkdd2ka+khG0pe23+lPWnUYWTbINlNnwoq1a7cVWkly9Gupu36RYrR1zPud1h6sqc0cxWayL+9lNiAFNBcdIKDhvo6dJcNuMNZdgUq92qSXt/FwvM0uxNrGcsgjjo7mLTZ0+f/hqeogzZrMq2RMEYn+ADM+ADI3skJdBrdCxMF7+/Ezgwj9fAjXffolgsG8x76uGh1odZRu0Sx1FjLILtFlVYszIb6eiRXGMoeInHSIXI7SAlCuYGlYT38glcbVFtpDYHH08Fmz+3oKh23Duj0ZtjtmaPZ7AS3T+sHga+Iqq60esQLYHc91VJy25eWUGhqNjELbl7hCaJnYdVq+0ifVQ5oM6pnrgN4EVWRYhRjRbnsOPQYT6BHNUMYlFVKef5kid38pWHyU+TMqMJGLQ70QQkvA9uO+QDkrHx2h8cNbO/SYx/WKcN9iw8OJvgryESe0QzPvPsDG4hBJh9MdnpOPtd123Uz4atubpVImXQOfxP4BT8bn9VuXXiK5kcplkY0bnD9tn1n2adiupW29SagDI7UFZ3jMDFbbuLZiAMnjuz6t1z+GKwb9SWpUfRzFxDasrSdbaF2fuDcJV94QKCAQEA5gERMfLy/LFk2PZQI1sC5gW/jv1JIPKIr1uhh1CAQoEEumHiKT9EW/4zxSWvSmxedd9X7fxn1px2cwgICmDhSAJ4XlVj0uSFrj1y7TxDZEqeVR0482U2p83KTbX5C5Rm21HYgm3C36la4CAy1K9tZMbKoi4mIvp8VEMT3+ToI8S8L+hNefiYmmLZTAisLPInPfLWMsIKzXQfcLmPdcZ5//ylNc5hBbOxEB7lvDGc5ksvC2JNPvxQukriRY2RKLX/NezJB2doWsLKg8TtCpnyRNjnTCKchBS1aNMEu1YubaJBMu/A+Cm7lQ/AZT7XKEMrBHfvAnNbEg34l57wpZHZvwKCAQEAzLEBN2Y/mwX3V35Mtani12rThu+9djp0/am+o9/+lBHOPy/MtEp7J5GrhkkN/R4WGBg6PZwxwfvtLhU+KtVoBqo+NitUxcofNLIF6OXFAeikN/cJH/Y92DYt9yLHOWtK72Tu96xXo7jem1ZzYEfvrFkk3QyaimtQrF7X4xX+avAy+eIrGjXpefG21c9Kn7SuMfRAtTQSeHHELPZVunpQGJuE/yuxuJOwMEyvsKOjTgm1sxNAr6pErPFvlMNm2lSPpBCzjTF8EfDXgiv+dJEyw9gwxcmgbuPikVoyk/B2FO+9Ug2QwKkxXxQ+qEs84cDytwD5BC8H1+VHiLjHmvRucQKCAQBgEBoKbpomCEFCjL2zxpNTVxtGsWsVo7aK5w5z4Z9wJ0q+PZuj9pSqh2U/9hlcUB6zxHCJKV6FOBwQt04EZ6ov1ThIzgk/T8q1l1yk0QKkpLW0ftwGbEODmmPgSRyXRYggGfL/prA5khYufcQ9KHfcG1sOmY+8FDpRRyLJ5GVAay7eI3wYcUfrU1XGd+jRbOIO8Zmc4YZ5gQKQpi/Q1PCnhfHKo0PKid5uCTmSfHY3iTdA3fG9WMyuwg/3VMVH55uL/jWILhxbq/fBSUJnpxyUvLL+DYapc6zA90GGrNv/VkE88P37qBJ8k3Ob1b8vRb51w1HECEIFLGijivKfdGcpAoIBAQCFZV1bk0EkcFDvLhoj0eFJbg8IQzj/0bzoizT4a0Pnj2sP9sC7RkbYVLCpxPZe3LqdXTynZiFvQBUkESgAli9DGLOObdLDS6PmnZYIX6VyRwCukEncEIfhXf26r2mSW//r36V0t1YuFo7MQRzTxE3HzhieDlawmptqmiyri2vQmVU/UEuyuyu7EvGKiZsiVYeoenupG5Rl9g5ZFvhrnMaSItgby4f4uBb8gx2ESkBk3SMS3xsq4BX9dyK2mllvM+igjVnWTEeFEaYA6Vbc9LtWso+mdm4dllnTTCrmCrGJl2uUC88oH5tTUUg8OTwmC66h4Ppn5ZaA9qUVzwYWT/GhAoIBAQDKdV0NooYH2uKpN9KRNDl44UTMsIdmW7qB2ZUGK1UkNJtXR89YHbBdJFpLRGKyIGcRdWjMIRXrnRXWTZ0IDoNhZzRs1iDoFfRvGYIuPFTLnYNZpbzQPJ0WtLw2SKTFAcxHb6/1VsKTWHClnM4pdtNPXyPpyCJEzmnUXPojPo66R07MTmkO/o2Sx6XEOEX1JYD/nTngSQtabvCUFkP/H/m/IcavLgPBR0ca8e/umSWN7FmDm6tCc8o8GC+zrKynTXsiC4hlyyLDP5TfPw8Oq87PPO8xq2HzoIDNAU3eMmkXIZAsYCz+9juV1jiEuS2w4qN8da/41wrN3lbMr4F6oREQ" accessTokenRsaPublic: "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArzdHZTfdMxCPONs/ASKxoLZhSqwn81nY9WsLBkbKnKG3HDEQY0hy1odYWi/O1LDHHjGEOFHpJxjT1k119Wy0RcUik42BLUcpwUiZoPKetlJQV27vxkGJk/KhYqIuinUTRVCLx1B4ES/9De/j8AySNvonsyohjTNFI5Bn1AJZH7Ch7fc8mKaXd/vhCYCCEF8NcCcAsV9a3zDc4lzAVL+YsOY/FCC9WMT/Qq7zbYTrpBCir2ql+oxWaoa6fB3wtTjabTgDdIFg3COy9+6Z5KR21kKCuuC/I/sn7LXBs32NyHQcDYjuzo5xoHUPY7Q3TGnPfCr98pxhL7041fqVmfN+wM37n/+VGX5tT71DgN9yB+Q+32IwmBLGcmE3Hx8fzZhXT96ATyXN06UyQPCf6a5pgi4qGk1tJrLxGVSympyHZ/gGX52JFJQAtH3XR7aOl2Fv6sYQLP7ZUOQ6oNTa2bSL56ZlHy7NV+RDpROYxhsg5Z/kHYedA0PZ292mQqz/2QTcLKAz0IC4K6IAxyFQhsIcrdBBt/kPzjjz0+9rjSAKf7K9esegqOFGwPiI6Jz8Yu9hKK6N+d+unsbHEXswonjwIBmBZ8+p4o+io+7tzmOm2ViBc4SnzW1Ojl6OkUxK0f1oTD2YCHafmV4ICILK6EbL8e8CLJ9fWYIo6YpBqIQk5P8CAwEAAQ==" accessTokenRsaPrivate: "MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCvN0dlN90zEI842z8BIrGgtmFKrCfzWdj1awsGRsqcobccMRBjSHLWh1haL87UsMceMYQ4UeknGNPWTXX1bLRFxSKTjYEtRynBSJmg8p62UlBXbu/GQYmT8qFioi6KdRNFUIvHUHgRL/0N7+PwDJI2+iezKiGNM0UjkGfUAlkfsKHt9zyYppd3++EJgIIQXw1wJwCxX1rfMNziXMBUv5iw5j8UIL1YxP9CrvNthOukEKKvaqX6jFZqhrp8HfC1ONptOAN0gWDcI7L37pnkpHbWQoK64L8j+yfstcGzfY3IdBwNiO7OjnGgdQ9jtDdMac98Kv3ynGEvvTjV+pWZ837Azfuf/5UZfm1PvUOA33IH5D7fYjCYEsZyYTcfHx/NmFdP3oBPJc3TpTJA8J/prmmCLioaTW0msvEZVLKanIdn+AZfnYkUlAC0fddHto6XYW/qxhAs/tlQ5Dqg1NrZtIvnpmUfLs1X5EOlE5jGGyDln+Qdh50DQ9nb3aZCrP/ZBNwsoDPQgLgrogDHIVCGwhyt0EG3+Q/OOPPT72uNIAp/sr16x6Co4UbA+IjonPxi72Eoro35366exscRezCiePAgGYFnz6nij6Kj7u3OY6bZWIFzhKfNbU6OXo6RTErR/WhMPZgIdp+ZXggIgsroRsvx7wIsn19ZgijpikGohCTk/wIDAQABAoICAFZtdwsnhjX1GiCajTZ7LZEvxUf3KXGxRQKxvWtoKfMfFdqTHRlMGFFXy64Y3PYvCNkM5cJ+LPq7FWslJGVeLIIp3odYCnsSGjecHyOz6bPXYIfwUdfCZiGTUiX8B+cGHu5W78vuFnur5zAjv5SeLtVtiX2n74rd2mHTjlOWoO2vzAA8ryhBLH/jv7pXKFD5AgDrTD0x4voq+RmzVK+5HpFL0ZuVFrEd4ye6cpr4MN/p0MWkXqD67nl3Ya9teVl65MtxEMs8MlIETfhcOo78zR2dCy0xRTdzYNszQIvQB8rz8w5+GAXNX6EdfOzabViE7PK7pi4xEwNgXBO4mmipIkEZp8HuGRYkOUPrFQBmNkXU6rFcupyJZzLOtYqTHb/eTULzRhvSzCn+2VRbze6PjtDHJE6jZGJQHZ34JODj9+5lYN41iqrztH95m3MdYzmwv+XLhGtfLocgj5dxFqRtbZLevNpSDoscMdUuvs4LM0CxJetu2WjhYNNRr0u+6q27LPUJZPyz6HAIGNUEpNVfzxSyoh0gQhCSqc8UgN6F0a/vtFn9N0Yd11316SLGKZmKepTTQSKBGq0DoNOF3+i2YfIZ2mf3vnMAvWUKNwvy0mbdvPX+8M+59R4Z7qKa+G8rX9VrGBkRDBjDbMe+Z0+Yr8kVRLTvo7f+f012A37xShlpAoIBAQDVU4aejogXM0OmLk6yogF9dyCD+G/ks/M5Lz9rUQjs28mtD+mvK96SofY7Rx2fEspyhzRZ48uI56lD0EGU45R04JFTK+F0Xb7xsxeQGCTcHhfNlo+RAv0O4ClPk+pNGMUIbwh8/fBtz2IfUc4eegz9BJ4dGsgLCeagsUAdUhaagPudjarSEUy1rfe8h633Z5bh0rcMcFrD0uB7onKiEE0LnLA9wTr2/LJaCjZ4MbrEGC0cEIm/neUiDBRgpnabTpdHCLFZUHOUgfBvzhAwPqVK2mTNY+KK3QdHktBMmmt4idqxnRLczX67lN9yRKqwtpC5wroLzqTvisy4T8SOqTj9AoIBAQDSRB28UxaPX40ElZ+vr5SIFW/7l2fPRGSk30tTSZPREL/Q5alIevksq5ZVonUczFZMBjB66bnHAmWjb5GCiZpv4uqpSn+0vcWQncGLuKJmU97u3A7RSy/VJEzlDsLVwSrdwnKo1sR/g5cCuMJ0NCWtgOZVjluKlkklBU/dl1fjoaVSrdPzRP/Yr2w+Ok2mB9Dv2kT4UVzBdSobdulC/IkyhHSGZOspkyDEd1Nhtcrgtc3jbFvDbzj61ffAs8oUJAVsKTTlqBZ50mgwcoEC2jd9NcDhSxpOSWSyY7QP6DJ58tAkB8l5gG2dTFLsX5RjJR3jMy/tPl2emtGN/+JCDWSrAoIBACrWIuoj5OADw0nTcqocLgBrs3PMp2tdVzHccvexxgEKAW1nDJ3ISWFYdIFivmf69fwZekGypGRRYIPlhcXIDT+K+KOi5Brh2D3goJKmxoAM6uq1mQ6dcwNRr/ny0dG5b5dJ9IJk26qxQhrX6nPkPkdwbe+aOSE+U7lg3mcE3NUZoWz5zZtxLd4tmNmaxSww+PNPxMISrac06S7qZ+pzK4VxaVJ9QsHl7Ep4UofANKi70hMYnxCDPEeh9VWTF64IEgiJjlNI/GyNyyIoVsfZTIfDYwp7TDpmN9f/eyRmvb3usKOJzwfXm+M++b+QWlYx0s36dDF6xVP0ozc/jVC4WmECggEAUGAxbbflO9Euur3nWOUpRgvLzsTFrfla75tb0+6gTp60dEoWN9qqPWUqBnofgm6p3k3PYmzN00EbUSpo2Rl4q6R2R1hvEMwqJWnoflyJ18vfwDbmgyLWmgdSTY0i9Urt8+9MnTXbz1Kh+yxdSMZWUMihQ7szSvq/4yLwsKgVtLIp3D0OdEO/+Ti1i+QFop4CRG2PR8zyRBFhkzYVXMHkQCdZ07XoHvBa6j8i5Ir1johwt6rIOSDfCyOXnVYcvS431Gy8B74FOXQw17QtlMWNyJMvs+9dkueDUp3CSwJbqTokTmGbppJtVF/Eow62Tl/12M/MVkgsyWAtErbp6o3sGQKCAQB03vwtlI1q/ACGUtiFxR+zPZ8ZtNiG4Ujme8tDHecieOyLbpt7v7b3FoZmIvNlaZnE6va++3LQiGyYySNLbc/FZBMlw4Vh10h7tODCqDRSys2fSt9dYbXRacCkw+PmxiWZZApUrBc+K57eG3ZvQU2TzDjX73aX7BHKRhPq+AjG9IR3nFwppnc8Z6tAxlQ+/k6KgV0Agf4syR1tCdLzvIgvozgWG0Y6IDXN53bZ4Bvc26tTV3rYwS63X3hU2G1E4eTeVaTXufIef5bwEmeU8l74dKCikvbFDKB5M8zHJgx9EwRtyJo3Wrmei6WQNbv6wokt/cVepSPObQgzq6Swy4WR" database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" organization: name: "Company &Co" eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" mail: enabled: true username: "spaceMailUser" password: "MailServerPassword" hostname: "mail.space.local" port: "1025" settings: fromAddress: "mailer@no-reply.space.local" elastic: search: hostname: "elasticsearch" port: "9200" audit: hostname: "elasticsearch" port: "9200" metrics: hostname: "elasticsearch" port: "9200" vcs: token: "T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=" externalUrl: "https://portal.space.local" altUrls: "http://portal.space.local" packages: oauth: clientId: "space-to-packages" clientSecret: "7I3b50sJz6q0g1GUa4GHQDJQypxKPiWKJtdSQSA+u1s=" externalUrl: "https://packages.space.local" automation: logs: storage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" worker: storage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" dslCompiler: storage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" packages: ingress: hostname: "packages.space.local" enabled: true selfSigned: true tls: true database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-packages" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" elastic: search: hostname: "elasticsearch" port: "9200" externalUrl: "https://packages.space.local" oauth: clientId: "space-to-packages" clientSecret: "7I3b50sJz6q0g1GUa4GHQDJQypxKPiWKJtdSQSA+u1s=" space: externalUrl: "https://portal.space.local" vcs: storage: eventbus: hostname: "redis" port: "6379" objectStorage: region: "us-west-1" bucketName: "space-vcs" url: "http://minio:9000" accessKey: "spaceServiceAccount" secretKey: "password" database: name: "space" hostname: "postgresql" port: "5432" username: "spaceServiceAccount" password: "password" secrets: spaceAccessKey: "T+a5yNn8VUf8VslAKXsJ8qFyo6Txxm92k6Khnd9RbaY=" externalUrl: "https://git.space.local" spaceExternalUrl: "https://portal.space.local" ingress: hostname: "git.space.local" enabled: true selfSigned: true tls: true
Deploy the created configuration:
- Add the chart repository:
  helm repo add jetbrains-space-onpremises \ https://charts.on-premises.service.jetbrains.space/stable
- Run the deployment:
  helm install jb-space jetbrains-space-onpremises/space --namespace kube-space -f values.yaml
export HELM_EXPERIMENTAL_OCI=1 helm install jb-space \ oci://public.registry.jetbrains.space/p/space-on-premises/public/space \ --version 2022.1.0 \ --namespace kube-space \ -f values.yaml
Configure the TCP proxy for the VCS Ingress, namely, configure the Ingress Controller map. If you use Kubernetes Nginx Ingress Controller, follow this guide.
Verify that all Space domain names resolve to the Ingress load balancer:
nslookup portal.space.local nslookup packages.space.local nslookup git.space.local
Verify the state of Space pods:
kubectl -n kube-space get po
The Space pods must have the Running state. On average, it takes about 2 minutes after deployment for a pod to become active. If the pods are not Running, you can try finding the cause with the following commands:
kubectl -n kube-space get event
and
kubectl -n kube-space describe po "${POD_NAME}"
Open your Space On-Premises instance in a browser. When logging in to Space, use the credentials created in one of the previous steps.
Perform post-installation administration activities:
- Upload a product license.
- If you want to use Space on mobile clients, configure push notifications.
- If you want to use Space Automation (CI/CD), configure self-hosted Automation workers. Currently, Space On-Premises doesn't support cloud Automation workers.

Last modified: 25 November 2022