side menu

Prepare embedded databases

For the BRIX On-Premises system to operate, database management systems such as PostgreSQL, MongoDB, Valkey, the service bus RabbitMQ, and an S3 compatible object storage are required. This article describes the installation of these databases and S3 storage in a Kubernetes cluster using the elma365-dbs chart. It's possible to install only the required components from the elma365-dbs, with unused ones being disabled.

начало примечание

Note
 
Use the elma365-dbs chart components: PostgreSQL, MongoDB, and S3 storage, for evaluation, testing, and some DEV/TEST scenarios. In a production environment, we recommend installing external PostgreSQL, MongoDB, and S3 storage. This will ensure the required service level and prevent the runtime environment from affecting data integrity. You will be able to promptly update external components to fix vulnerabilities and perform backups faster and more reliably.

 

конец примечание

The installation consists of four steps:

  1. Downloading the Helm chart and configuration file.
  2. Filling out the configuration file.
  3. Installing the elma365-dbs chart using helm in the Kubernetes cluster.
  4. Connecting to the databases and S3.

Step 1: Downloading the Helm chart and configuration file

To install via the internet, obtain the configuration file values-elma365-dbs.yaml by executing the following command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/elma365-dbs > values-elma365-dbs.yaml

Obtaining the configuration file for installation in a closed loop without internet access

 
First, download the file on a computer with internet access.

  1. Download the BRIX images and upload them to your local image registry. Read more in Download BRIX images.
  2. Download the latest version archive of the chart elma365-dbs from the elma365 repository by executing the following command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm pull elma365/elma365-dbs

  1. Copy the obtained chart archive elma365-dbs-X.Y.Z.tgz to the server where the installation will be carried out.
  1. Unpack the chart elma365-dbs-X.Y.Z.tgz on the server where the installation will take place and copy the default configuration file values.yaml to values-elma365-dbs.yaml:

tar -xf elma365-dbs-X.Y.Z.tgz
cp elma365-dbs/values.yaml values-elma365-dbs.yaml

Step 2: Filling out the configuration file

Fill out the configuration file values-elma365-dbs.yaml for the installation of databases and S3 storage.

This article will cover the installation of databases and S3 storage in a Kubernetes cluster using the chart elma365-dbs. For this, standard connection strings and passwords specified in the chart will be used.

In the chart elma365-dbs, there is the global section where the installation of components and chart sections is enabled or disabled. This is necessary for configuring parameters of each component: postgresql, mongodb, rabbitmq, valkey, seaweedfs, minio, elasticsearch. We will discuss the necessary parameters for installing databases and S3 storage for the sections of these components.

начало внимание

We recommend using SeaweedFS as your S3 storage solution, as MinIO has been transitioned to limited support mode since December, 2025. For more information, please see the official MinIO information.

конец внимание

  1. In the global section, enable the installation of necessary databases and S3 storage. To do this, select true in the enabled parameter for those components you want to install.

# Selecting databases to install
global:
  postgresql:
    # Installing postgres
    enabled: true
  mongodb:
    # Installing mongoDB
    enabled: true
  valkey:
    # Installing valkey
    enabled: true
  rabbitmq:
    # Installing rabbitmq
    enabled: true
  minio:
    # Installing minio for S3 storage
    enabled: false
  elasticsearch:
    # Installing Elasticsearch (is enabled for BRIX Bot)
    enabled: false
  seaweedfs:
    # Installing seaweedfs
    enabled: true

 

  1. Fill out configuration of the components for which you enabled installation.

PostgreSQL configuration parameters

If necessary, change the parameters:

  • database is the name of the database that will be created in PostgreSQL at the time of installation;
  • username is the name of the user for accessing the database specified in database. The user will be created in PostgreSQL at the time of installation;
  • postgresPassword is the password for the user specified in username;
  • size is the size of the data storage, selected individually.

# Selecting databases to install
global:
...
# postgres database settings
postgresql:
  auth:
    # database name
    database: elma365
    # user
    username: postgres
    # Postgres database password
    postgresPassword: pgpassword
    replicationUsername: repl_user
    replicationPassword: repl_password
    enablePostgresUser: true
    password: pgpassword
  primary:
    persistence:
      # data storage size (PVC)
      size: 100Gi
      enabled: true
...

Filling out clustering parameters for PostgreSQL

 
To configure fault tolerance, uncomment and fill in the parameters cluster Mode. For the parameter postgresql.readReplicas.replicaCount, specify the required number of replicas.
 

 
# Selecting databases to install
global:
...
# Postgres database settings
postgresql:
...
  # cluster Mode — uncomment the following lines
  architecture: replication
  readReplicas:
    replicaCount: 2
  replication:
    synchronousCommit: 'on'
    numSynchronousReplicas: 1
    applicationName: replication
...

Filling out connection parameters to the private registry for installation in a closed loop without internet access

 
To connect to a private registry, you need to:

  1. Specify the address and path to the private registry in the parameter postgresql.volumePermissions.image.repository for the initialization container.
  2. Indicate the name of the secret with access rights to the private registry in the parameter postgresql.volumePermissions.image.pullSecrets for the initialization container. The secret must be created manually and encrypted in Base64.
  3. Specify the address and path to the private registry in the parameter postgresql.image.repository.
  4. Indicate the name of the secret with access rights to the private registry in the parameter postgresql.image.pullSecrets. The secret must be created manually and encrypted in Base64.

# Selecting databases to install
global:
...
# Postgres database settings
postgresql:
...
  # Enabling the initialization container, which changes the owner and group of the volume mount point to `RunAsUser:fsGroup
  volumePermissions:
    enabled: true
    # address and secret for the private registry of initialization container images
    image:
      registry: registry.example.com/bitnami-shell
      # The secret with access rights to the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName
...
  # Address and secret for the private registry
  image:
    registry: registry.example.com/postgresql
    # The secret with access rights to the private registry must be created manually, encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName
...

Where repository format is:

  • Address is registry.example.com.
  • Path is /postgresql (for initialization container /bitnami-shell).

MongoDB configuration parameters

If necessary, change the following parameters:

  • database is the name of the database to be created in MongoDB during installation;
  • username is the name of the user for accessing the specified database in database. The user will be created in MongoDB during installation;
  • password is the  password for the user mentioned in username;
  • size is the data storage size, which is selected individually.

# Selecting databases to install
global:
...
# MongoDB settings
mongodb:
  auth:
    # user
    username: elma365
    # database name
    database: elma365
    # database password
    password: mongopassword
    # root password
    rootPassword: mongorootpassword
    replicaSetKey: replicapassword
  persistence:
    # data storage size (PVC)
    size: 20Gi
...

Filling out clustering parameters for MongoDB

 
To configure fault tolerance, uncomment and fill in the parameters cluster Mode. For the parameter mongodb.replicaCount, specify the required number of nodes in the cluster.

 
# Selecting databases to install
global:
...
# MongoDB settings
mongodb:
...
  # cluster Mode — uncomment the following lines
  architecture: replicaset
  replicaCount: 3
...

Filling out parameters for connecting to a private registry for offline installation

 
To connect to a private registry, you need to:

  1. Specify the address and path to the private registry in the parameter mongodb.volumePermissions.image.repository for the initialization container.
  2. Indicate the name of the secret with access rights to the private registry in the parameter mongodb.volumePermissions.image.pullSecrets for the initialization container. The secret must be created manually and encrypted in Base64.
  3. Specify the address and path to the private registry in the parameter mongodb.image.repository.
  4. Indicate the name of the secret with access rights to the private registry in the parameter mongodb.image.pullSecrets. The secret must be created manually and encrypted in Base64.

# Selecting databases to install
global:
...
# MongoDB settings
mongodb:
...
  # Enabling the initialization container, which changes the owner and group of the volume mount point to `RunAsUser:fsGroup
  volumePermissions:
    enabled: true
    # address and secret for the private registry of initialization container images
    image:
      registry: registry.example.com/bitnami-shell
      # The secret with access rights to the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName
...
  # address and secret for the private registry of initialization container images
  image:
    registry: registry.example.com/mongodb
    # The secret with access rights to the private registry must be created manually, encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName
...

Where repository format is:

  • Address is registry.example.com.
  • Path is /mongodb (for initialization container /bitnami-shell).

RabbitMQ configuration parameters

If necessary, change the following parameters:

  • vhost is the name of the database to be created in RabbitMQ during installation;
  • username is the name of the user for accessing the virtual host specified in vhost. The user will be created in RabbitMQ during installation;
  • password is the  password for the user mentioned in username;
  • size is the data storage size, which is selected individually.

# Selecting databases to install
global:
...
# rabbitMQ settings
rabbitmq:
  auth:
    # user
    username: elma365
    # vhost
    vhost: elma365
    # password
    password: rmqpassword
    erlangCookie: zk8Jdo2Kzz4ql
  persistence:
    data storage size (PVC)
    size: 5Gi
...

Filling out clustering parameters for RabbitMQ

 
To configure fault tolerance, uncomment and fill in the parameters cluster Mode. For the parameter rabbitmq.replicaCount, specify the required number of nodes in the cluster.

 
# Selecting databases to install
global:
...
# rabbitMQ settings
rabbitmq:
...
  # cluster Mode — uncomment the following lines
  replicaCount: 3
...

Filling out parameters for connecting to a private registry for offline installation

 
To connect to a private registry, you need to:

  1. Specify the address and path to the private registry in the parameter rabbitmq.volumePermissions.image.repository for the initialization container.
  2. Indicate the name of the secret with access rights to the private registry in the parameter rabbitmq.volumePermissions.image.pullSecrets for the initialization container. The secret must be created manually and encrypted in Base64.
  3. Specify the address and path to the private registry in the parameter rabbitmq.image.repository.
  4. Indicate the name of the secret with access rights to the private registry in the parameter rabbitmq.image.pullSecrets. The secret must be created manually and encrypted in Base64.

# Selecting databases to install
global:
...
# rabbitMQ settings
rabbitmq:
...
  # Enabling the initialization container, which changes the owner and group of the volume mount point to `RunAsUser:fsGroup
  volumePermissions:
    enabled: true
    # address and secret for the private registry of initialization container images
    image:
      registry: registry.example.com/bitnami-shell
      # The secret with access rights to the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName
...
  # address and secret for the private registry
  image:
    registry: registry.example.com/rabbitmq
    # The secret with access rights to the private registry must be created manually, encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName
...

Where repository format is:

  • Address is registry.example.com.
  • Path is /rabbitmq (for initialization container /bitnami-shell).

Valkey confguration parameters

If necessary, change the data storage size in the parameter size, which is selected individually.

# Selecting databases to install
global:
...
# Valkey settings
valkey:
  master:
    persistence:
      # data storage size (PVC)
      size: 10Gi
      # If undefined, the default StorageClass is used
      # storageClass: "-"
...
  commonConfiguration: |-
    maxclients 20000
  replica:
    persistence:
      # data storage size (PVC)
      size: 10Gi
...

Filling out clustering parameters for Valkey

 
To configure fault tolerance, uncomment and fill in the parameters cluster Mode. For the parameter valkey.replica.replicaCount, specify the required number of nodes in the cluster.

 
Selecting databases to install.
global:
...
# Valkey settomgs
valkey:
...
  replica:
    persistence:
      ...
    replicaCount: 3
  # cluster Mode — uncomment the following lines
  architecture: replication
  sentinel:
    enabled: true
    quorum: 2
...

Filling out parameters for connecting to a private registry for offline installation

 
To connect to a private registry, you need to:

  1. Specify the address and path to the private registry in the parameter valkey.volumePermissions.image.repository for the initialization container.
  2. Indicate the name of the secret with access rights to the private registry in the parameter valkey.volumePermissions.image.pullSecrets for the initialization container. The secret must be created manually and encrypted in Base64.
  3. Specify the address and path to the private registry in the parameter valkey.image.repository.
  4. Indicate the name of the secret with access rights to the private registry in the parameter valkey.image.pullSecrets. The secret must be created manually and encrypted in Base64.

# Selecting databases to install
global:
...
# Valkey settings
valkey:
...
  # Enabling the initialization container, which changes the owner and group of the volume mount point to `RunAsUser:fsGroup
  volumePermissions:
    enabled: true
    # address and secret for the private registry of initialization container images
    image:
      registry: registry.example.com/bitnami-shell
      # The secret with access rights to the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName
...
  # address and secret for the private registry
  image:
    registry: registry.example.com/valkey
    # The secret with access rights to the private registry must be created manually, encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName
...

Where repository format is:

  • address is registry.example.com;
  • path is /valkey (for initialization container /bitnami-shell).

SeaweedFS configuration parameters

  1. By default, a secret named my-s3-secret is created when SeaweedFS is installed. You can use your own secret instead and specify its name in the SeaweedFS configuration using the seaweedfs.s3.existingConfigSecret parameter.

Example secret:

 

apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: my-custom-s3-secret
namespace: <Namespace>
labels:
app.kubernetes.io/name: seaweedfs
app.kubernetes.io/component: s3
stringData:
seaweedfs_s3_config: '{"identities":[{"name":"anvAdmin","credentials":[{"accessKey":"<accessKey>","secretKey":"<secretKey>"}],"actions":["Admin","Read","Write"]}]}'

Where:

  • <accessKey> is the username for accessing S3 storage.
  • <secretKey> is the password for this user.

 

  1. If necessary, modify the SeaweedFS configuration parameters:
  • filer.s3.createBuckets.name is the name of the bucket that will be created in SeaweedFS during installation.
     
    Important: Create a bucket in S3 with a name following the s3elma365* format. Examples of S3 buckets: s3elma365, s3elma365-dev, s3elma365-prod.
  • seaweedfs.s3.existingConfigSecret. If you created your own secret with access credentials to your S3 storage, specify the name of this secret. You can leave the default value, my-s3-secret. A secret with this name will then be created automatically during SeaweedFS installation.
  • s3.iIngress.host is the domain name (FQDN) by which the S3 storage will be accessible. This article uses elma365_server.your_domain as an example.
  • size is the size of the data storage. Please specify a value based on the size of your data.

# Selecting DBs to install
global:
...
# SeaweedFS settings
seaweedfs:
# Master configuration parameters
master:
replicas: 1
# XYZ replication type for files:
# X number of replicas in other DCs
# Y number of replicas in other racks
# Z number of replicas on other volumes
defaultReplication: "000"
data:
# Master datastore size (PVC)
size: "10Gi"
# If not defined, the default StorageClass is used
# storageClass: ""
volume:
replicas: 1
dataDirs:
# Volume datastore size (PVC)
-size: "30Gi"
name: data1
type: "persistentVolumeClaim"
hostPathPrefix: /ssd maxVolumes: 0
# if not defined, the default StorageClass is used
# storageClass: ""
filer:
replicas: 1
# Type XYZ replications for metadata:
# X number of replicas in other DCs
# Y number of replicas in other racks
# Z number of replicas on other volumes
defaultReplicaPlacement: "000"
maxMB: 256
data:
# filer data storage size (PVC)
size: "30Gi"
# if not defined, the default StorageClass is used
# storageClass: ""
s3:
createBuckets:
# ELMA365 bucket
- name: s3elma365
anonymousRead: false
s3:
replicas: 1
existingConfigSecret: my-s3-secret
ingress:
## specify ingressClassName
className: ""
# include host in ingress (required for TLS)
# host: " elma365_server.your_domain "
# TLS settings
# tls:
# - hosts:
# - elma365_server.your_domain
# secretName: "elma365-onpremise-tls"
...

 

Filling out TLS/SSL parameters for SeaweedFS

 
To enable TLS/SSL support in SeaweedFS, follow these steps:

  1. Prepare a secret with a certificate for HTTPS. For more information, see Create a secret with a certificate for HTTPS operation.
  2. In the seaweedfs.s3.ingress.tls.hosts.secretName parameter, specify the name of the secret created in the previous step. This article uses the name elma365-onpremise-tls as an example.
  3. In the seaweedfs.s3.ingress.host parameter, specify the domain name (FQDN) by which the SeaweedFS S3 storage will be accessible. This article uses the name elma365_server.your_domain as an example.
  4. In the seaweedfs.s3.ingress.tls.hosts parameter for configuring TLS, also specify the domain name (FQDN) where the SeaweedFS S3 storage will be accessible. This article uses elma365_server.your_domain as an example.

# Selecting installed databases
global:
...
# SeaweedFS settings
seaweedfs:
...
s3:
ingress:
# specify ingressClassName
className: ""
# include host in ingress (required for TLS)
host: "elma365_server.your_domain"
# SeaweedFS TLS settings
tls:
- hosts:
- elma365_server.your_domain
secretName: "elma365-onpremise-tls"
...

 

If you used a self-signed certificate with OpenSSL or a certificate issued by a local CA when creating a secret with a certificate for HTTPS, configure trust support for the custom CA certificate. For embedded databases, you can use the Kyverno add-on module.

 

 

Filling out parameters for connecting to a private registry for offline installation

 
To connect to a private registry:

  1. In the seaweedfs.global.image.repository parameter, specify the address and path to the private registry.
  2. In the seaweedfs.global.imagePullSecrets parameter, specify the name of the secret with access rights to the private registry for the initial container. The secret must be manually created and Base64-encoded.

# Selecting databases to install
global:
...
# S3 storage settings
seaweedfs:
# Address and secret for the private registry of the initialization container images
global:
registry: registry.example.com
repository: "docker/databases"
imageName: "seaweedfs"
imagePullPolicy: IfNotPresent
# The secret with access rights to the private registry must be manually created and Base64-encoded
imagePullSecrets:
- name: yandexsecret-dbs
...

 

Where the repository format is the address: registry.example.com.

 

MinIO configuration parameters

If necessary, modify the following parameters:

  • rootUser is the name of the user for access to the S3 storage. The user will be created in MinIO during installation.
  • rootPassword is the password for the user specified in rootUser.
  • defaultBuckets is the name of the bucket that will be created in MinIO during installation.

Начало внимание

The bucket name in S3 must follow the format s3elma365*.

Examples:

  • s3elma365.
  • s3elma365-dev.
  • s3elma365-prod.

Конец внимание

  • apiIngress.apiIngress.path is the name of the bucket for Ingress, which must match defaultBuckets.
  • apiIngress.apiIngress.name is the domain name (FQDN) by which the S3 storage will be accessible. In the context of this article it is elma365_server.your_domain.
  • size is the data storage size, which is selected individually.

# Selecting databases to install
global:
...
# minio (S3 storage)settings
minio:
  auth:
    rootUser: "PZSF73JG72Ksd955JKU1HIA"
    rootPassword: "aFDkj28Jbs2JKbnvJH678MNwiz88zKjsuNBHHs"
  # BRIX bucket
  defaultBuckets: s3elma365
  # Additional buckets are enabled for BRIX + BRIX Bot
  # defaultBuckets: s3elma365,s3elma365bot,elma365bot-static-files,elma365bot-temporary-files
  apiIngress:
    extraHosts:
      - path: /s3elma365
        name: elma365_server.your_domain
...
  persistence:
    # data storage size (PVC)
    size: 100Gi
...

Filling out TLS/SSL enabling parameters for MinIO

 
To enable TLS/SSL support in MinIO, follow these steps:

  1. Prepare a secret with a certificate for HTTPS operation. Read more in Create a secret with a certificate for HTTPS operation.
  2. Fill in the TLS/SSL parameters for MinIO:

Selecting databases to install
global:
...
# minio (S3 storage) settings
minio:
...
  apiIngress:
    extraHosts:
      - path: /s3elma365
        # enabling host in ingress (necessary to specify for TLS)
        # for the app, enable hostEnabled in the file values-elma365.yaml
        name: elma365_server.your_domain
    # TLS settings for minio
    extraTls:
      - hosts:
          - elma365_server.your_domain
        secretName: "elma365-onpremise-tls"
...

where:

  • global.minio.extraTls.secretName is the name of the secret created in the previous step. In the context of this article it is elma365-onpremise-tls.
  • global.minio.extraHosts.name and global.minio.extraTls.hosts ishe domain name (FQDN) by which the MinIO S3 storage is accessible. In the context of this article it is elma365_server.your_domain.

If you used a self-signed certificate created with OpenSSL or a certificate issued by a local certification authority when creating the secret for HTTPS operation, you need to configure trust support for the user's CA certificate. For built-in databases, you can do this using the Kyverno add-ons module.

Filling out parameters for connecting to a private registry for offline installation

 
To connect to a private registry, you need to:

  1. Specify the address and path to the private registry in the parameter minio.volumePermissions.image.repository for the initialization container.
  2. Indicate the name of the secret with access rights to the private registry in the parameter minio.volumePermissions.image.pullSecrets for the initialization container. The secret must be created manually and encrypted in Base64.
  3. Specify the address and path to the private registry in the parameter minio.image.repository.
  4. Indicate the name of the secret with access rights to the private registry in the parameter minio.image.pullSecrets. The secret must be created manually and encrypted in Base64.

# Selecting databases to install
global:
...
# minio (S3 storage) settings
minio:
...
  # Enabling the initialization container, which changes the owner and group of the volume mount point to `RunAsUser:fsGroup
  volumePermissions:
    enabled: true
    # address and secret for the private registry of initialization container images
    image:
      registry: registry.example.com/bitnami-shell
      # The secret with access rights to the private registry must be created manually, encrypted in Base64
      pullSecrets:
        - myRegistryKeySecretName
...
  # address and secret for the private registry
  image:
    registry: registry.example.com/minio
    # The secret with access rights to the private registry must be created manually, encrypted in Base64
    pullSecrets:
      - myRegistryKeySecretName
...

Where repository format is:

  • Address is registry.example.com.
  • Path is /minio (for initialization container /bitnami-shell).

 

Step 3: Installing the elma365-dbs chart using helm in the Kubernetes cluster

Install the elma365-dbs chart in the elma365-dbs namespace.

For online installation:

helm upgrade --install elma365-dbs elma365/elma365-dbs -f values-elma365-dbs.yaml -n elma365-dbs --create-namespace

For offline installation without internet access, go to the directory with the downloaded chart and execute the command:

helm upgrade --install elma365-dbs ./elma365-dbs -f values-elma365-dbs.yaml -n elma365-dbs --create-namespace 

Step 4: Connecting to the databases and S3

The domain name for the Kubernetes cluster is assumed to be cluster.local.

Connection string for PostgreSQL:

postgresql://elma365:SecretPassword@postgres.elma365-dbs.svc.cluster.local:5432/elma365?sslmode=disable

Connection string for MongoDB:

mongodb://elma365:SecretPassword@mongo.elma365-dbs.svc.cluster.local:27017/elma365?ssl=false&replicaSet=rs0&readPreference=nearest

Connection string for RabbitMQ:

amqp://elma365user:SecretPassword@rabbitmq.elma365-dbs.svc.cluster.local:5672/elma365vhost

Connection string for Valkey:

redis://valkey.elma365-dbs.svc.cluster.local:6379/0

Connection string for Valkey for a cluster mode:

redis://valkey.elma365-dbs.svc.cluster.local:26379/0?masterName=myprimary

Connection string for S3:

  • address: elma365_your_domain.
  • bucket: s3elma365.
  • region: ru-central-1.
  • access key ID: PZSF73JG72Ksd955JKU1HIA.
  • secret access key: aFDkj28Jbs2JKbnvJH678MNwiz88zKjsuNBHHs.
  • upload method: PUT.
  • enable SSL: No.

Deleting elma365-dbs chart using helm in the Kubernetes cluster

Начало внимание

Before deleting the chart elma365-dbs, perform a backup of the databases and S3 storage. Deleting the chart elma365-dbs will lead to a complete loss of data by the BRIX application.

Конец внимание

Delete chart elma365-dbs in namespace elma365-dbs:

helm uninstall elma365-dbs -n elma365-dbs

 

fail-safe-kubernetes-cluster.html postgresql.html