Post-deployment

After deploying Connect on Kubernetes, complete the following steps to prepare your installation for production use.

Custom content container image preparation

Most organizations exercise control over the container images used for content execution rather than simply using the public images which Posit makes available.

If this is applicable to your installation, see the Content Image Appendix for more information.

Implement high availability

With the Helm Chart values.yaml file created earlier, the deployment of Connect was configured with one replica so that traffic for a single connection is always routed to the same Connect pod.

To implement multiple replicas of the Connect pod, you need to update the replicas count in your values.yaml file and then run helm upgrade. For example, the following change would enable three running replicas:

values.yaml
# Controls how many instances of Connect are created.
replicas: 3

When enabling High Availability for Connect, an Ingress Controller with Sticky Sessions enabled is required. This configuration is described in the Configure external access section below.

Configure external access

For users to access your installation of Posit Connect running in Kubernetes, you need to configure an Ingress. There are many different ways to accomplish this, and the steps may vary depending on the requirements of your organization.

This guide uses the Traefik v2 Ingress Controller with locally managed TLS certificates. The examples use connect.example.com as the public domain name. Replace this with your own domain.

It is also possible to use external certificate management tools (like cert-manager, Amazon ACM, etc.) if you prefer not to manage local certificates, but configuration depends on your Ingress Controller and certificate manager. The Posit Helm chart repository contains some examples of different types of Ingress configurations that can be useful.

Step 1: Install the Traefik Ingress Controller

The Traefik documentation contains detailed installation instructions, but the simplest installation steps are:

Terminal
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm install traefik traefik/traefik

Step 2: Create TLS secrets

Replace connect.crt and connect.key with the local path to your TLS certificate files.

Terminal
kubectl create secret tls connect-tls \
    --cert connect.crt \
    --key connect.key

Step 3: Configure the Ingress in your Helm chart values

values.yaml
# Controls how many instances of Posit Connect are created.
replicas: 1

service:
  # For High Availability installations of Posit Connect, where
  # multiple `replicas` of the Connect pod are in play, it is
  # necessary to enable "sticky sessions" so that traffic for a
  # single connection is always routed to the same Connect pod.
  annotations:
    traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.name: RSC-SESSION-COOKIE
    traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
    traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"
    traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: traefik

  hosts:
    - host: connect.example.com
      paths:
        - /

  # Tell the ingress controller to use your TLS secret
  tls:
    - secretName: connect-tls
      hosts:
        - connect.example.com

config:
  Server:
    # Server.Address must match the FQDN in your TLS certificate.
    Address: "https://connect.example.com"

Step 4: Apply the changes

Run helm upgrade with your updated values.yaml.

Step 5: Create public DNS records for your installation

To access Connect through the Ingress, create a public DNS record. There are many different DNS service providers to choose from, or you can host your own DNS servers. Creating the DNS records is out of scope for this guide as the process most likely varies for each organization.

Note

A common way to do this in Kubernetes is automating the provisioning of DNS records by using a tool like external-dns.

For this guide, connect.example.com must resolve to the EXTERNAL-IP of the Traefik Ingress Controller Service. To obtain the EXTERNAL-IP of the Ingress Controller, inspect the Service that was created by the Traefik Helm chart.

Terminal
kubectl get svc traefik

You should see output like the following:

NAME      TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                      AGE
traefik   LoadBalancer   10.110.77.164   <xx.xx.xx.xx>     80:31869/TCP,443:31047/TCP   20s

If you want to test ahead of public DNS records being created, see the Temporary DNS Records appendix.

Once your DNS records are in place, you can use netcat to make sure the hostname resolves to the correct host and accepts connections on port 443. In the example below, replace connect.example.com with your own hostname:

Terminal
nc -vz connect.example.com 443

Output:

Connection to connect.example.com port 443 [tcp/https] succeeded!

Step 6: Connect to the dashboard

You should now be able to visit the Connect dashboard through your web browser.
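
To confirm that the sticky-session annotations from Step 3 took effect, you can inspect the cookie that Traefik sets on a response. The script below is an added example, not part of the Posit Helm chart or documentation; the function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the sticky cookie configured in Step 3.
# Live use (after DNS is in place):
#   curl -sS -o /dev/null -D - https://connect.example.com/ | check_sticky_cookie

COOKIE_NAME="RSC-SESSION-COOKIE"   # from the service annotations in values.yaml

# Reads HTTP response headers on stdin. Returns 0 only if the sticky cookie
# is present and carries Secure, HttpOnly and SameSite=None.
# (Browsers reject SameSite=None cookies that are not also Secure.)
check_sticky_cookie() {
    # Header names are case-insensitive; HTTP/2 responses use lowercase.
    line=$(tr -d '\r' | grep -i "^set-cookie:[[:space:]]*${COOKIE_NAME}=" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no ${COOKIE_NAME} cookie in response (sticky sessions not active)"
        return 1
    fi
    # One attribute per line, lowercased and trimmed; drop the name=value part.
    attrs=$(printf '%s\n' "$line" | tr ';' '\n' | sed 1d | tr 'A-Z' 'a-z' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    rc=0
    for want in secure httponly samesite=none; do
        if printf '%s\n' "$attrs" | grep -qx "$want"; then
            echo "ok:   $want"
        else
            echo "FAIL: missing $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample response headers (not captured from a real server).
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Content-Type: text/html\r\n'
    printf 'Set-Cookie: RSC-SESSION-COOKIE=0a1b2c3d; Path=/; HttpOnly; Secure; SameSite=None\r\n\r\n'
}

# Offline demonstration on the constructed sample.
sample_headers | check_sticky_cookie
```

A missing cookie on a multi-replica deployment means requests are not pinned to a pod; a cookie without Secure or HttpOnly means the annotations were not applied as written in values.yaml.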

Verify your installation

For Posit Team deployments (Connect, Workbench, and Package Manager), we strongly recommend using the Verified Installation of Posit (VIP) tool to verify that your installation and configuration are correct. VIP performs automated checks to ensure all Posit products are properly configured and can communicate with each other.