Helm & Kubernetes

This guide explains how to deploy Rafiki using Helm charts on a Kubernetes cluster. Helm is a package manager for Kubernetes that allows you to define, install, and upgrade complex Kubernetes applications through Helm charts.

Rafiki uses the following key components:

Tigerbeetle: High-performance accounting database used for financial transaction processing and ledger management
PostgreSQL: Used for storing application data and metadata
Redis: Used for caching and messaging between components

Prerequisites

Before you begin, ensure you have the following:

Kubernetes cluster deployed
kubectl installed and configured
Helm installed

Install Rafiki using Helm

Add the Interledger Helm repository

Add the official Interledger Helm repository which contains the Rafiki charts:

helm repo add interledger https://interledger.github.io/charts
helm repo update

Create yaml file

Create a values.yaml file to customize your Rafiki deployment.

Click to expand

# Rafiki values.yaml for Kubernetes deployment

# =====================================================================

# REQUIRED CONFIGURATION:

# The following sections contain values that MUST be customized

# for your specific environment before deployment

# =====================================================================

# Global settings

global:
imageRegistry: "" # OPTIONAL: Specify if using a private registry
imagePullSecrets: [] # REQUIRED: If using private registry, add your pull secrets here
storageClass: "" # REQUIRED: Set to your cluster's storage class

# Backend service configuration

backend:
enabled: true
image:
repository: ghcr.io/interledger/rafiki/backend
tag: latest # REQUIRED: Change to specific version for production
pullPolicy: IfNotPresent
replicaCount: 1 # CONSIDER: Adjust based on your load requirements
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
service:
type: ClusterIP # CONSIDER: May need LoadBalancer or NodePort depending on your setup
port: 3000
ingress:
enabled: false # REQUIRED: Set to true if exposing outside the cluster
annotations: {} # REQUIRED: Add annotations for your ingress controller (nginx, traefik, etc.)
hosts: - host: rafiki-backend.local # REQUIRED: Change to your actual domain
paths: ["/"]
tls: [] # REQUIRED: Configure if using HTTPS
env: # Environment variables for backend
NODE_ENV: production
DATABASE_URL: "postgresql://postgres:postgres@rafiki-postgresql:5432/rafiki" # REQUIRED: Update credentials
REDIS_URL: "redis://rafiki-redis:6379" # REQUIRED: Update if using auth with Redis
AUTH_SERVER_GRANT_TYPES: "authorization_code,refresh_token"
AUTH_SERVER_DOMAIN: "http://rafiki-auth-server" # REQUIRED: Update to your auth server URL
OPEN_PAYMENTS_URL: "https://wallet.example.com/open-payments" # REQUIRED: Update to your Open Payments URL # TigerBeetle configuration
USE_TIGERBEETLE: "true" # REQUIRED: Enable TigerBeetle for accounting
TIGERBEETLE_CLUSTER_ID: "0" # REQUIRED: Must match tigerbeetle.config.clusterID
TIGERBEETLE_REPLICA_ADDRESSES: "tigerbeetle-0.tigerbeetle:3004,tigerbeetle-1.tigerbeetle:3004,tigerbeetle-2.tigerbeetle:3004" # REQUIRED: List all TigerBeetle replicas

# Auth server configuration

authServer:
enabled: true
image:
repository: ghcr.io/interledger/rafiki/auth
tag: latest # REQUIRED: Change to specific version for production
pullPolicy: IfNotPresent
replicaCount: 1 # CONSIDER: Adjust based on your load requirements
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
service:
type: ClusterIP # CONSIDER: May need LoadBalancer or NodePort depending on your setup
port: 3001
ingress:
enabled: false # REQUIRED: Set to true if exposing outside the cluster
annotations: {} # REQUIRED: Add annotations for your ingress controller
hosts: - host: rafiki-auth.local # REQUIRED: Change to your actual domain
paths: ["/"]
tls: [] # REQUIRED: Configure if using HTTPS
env:
NODE_ENV: production
DATABASE_URL: "postgresql://postgres:postgres@rafiki-postgresql:5432/rafiki" # REQUIRED: Update credentials
REDIS_URL: "redis://rafiki-redis:6379" # REQUIRED: Update if using auth with Redis
BACKEND_URL: "http://rafiki-backend:3000" # REQUIRED: Must match your backend service name

# Frontend configuration

frontend:
enabled: true
image:
repository: ghcr.io/interledger/rafiki/frontend
tag: latest # REQUIRED: Change to specific version for production
pullPolicy: IfNotPresent
replicaCount: 1
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
service:
type: ClusterIP # CONSIDER: May need LoadBalancer or NodePort depending on your setup
port: 3002
ingress:
enabled: false # REQUIRED: Set to true and configure for user access
annotations: {} # REQUIRED: Add annotations for your ingress controller
hosts: - host: rafiki.local # REQUIRED: Change to your actual domain
paths: ["/"]
tls: [] # REQUIRED: Configure if using HTTPS
env:
NODE_ENV: production
BACKEND_URL: "http://rafiki-backend:3000" # REQUIRED: Must match your backend service configuration
AUTH_SERVER_URL: "http://rafiki-auth-server:3001" # REQUIRED: Must match your auth server configuration

# Connector configuration

connector:
enabled: true
image:
repository: ghcr.io/interledger/rafiki/connector
tag: latest # REQUIRED: Change to specific version for production
pullPolicy: IfNotPresent
replicaCount: 1 # CONSIDER: Adjust based on your traffic needs
resources:
requests:
cpu: 200m
memory: 256Mi
limits:
cpu: 1000m
memory: 512Mi
service:
type: ClusterIP
port: 3003
env:
NODE_ENV: production
DATABASE_URL: "postgresql://postgres:postgres@rafiki-postgresql:5432/rafiki" # REQUIRED: Update credentials
REDIS_URL: "redis://rafiki-redis:6379" # REQUIRED: Update if using auth with Redis
BACKEND_URL: "http://rafiki-backend:3000" # REQUIRED: Must match your backend service name
ILP_ADDRESS: "test.rafiki" # REQUIRED: Set to your production ILP address
CONNECTOR_URL: "http://0.0.0.0:3003" # REQUIRED: Set to your connector's publicly accessible URL for ILP peers # TigerBeetle configuration
USE_TIGERBEETLE: "true" # REQUIRED: Enable TigerBeetle for accounting
TIGERBEETLE_CLUSTER_ID: "0" # REQUIRED: Must match tigerbeetle.config.clusterID
TIGERBEETLE_REPLICA_ADDRESSES: "tigerbeetle-0.tigerbeetle:3004,tigerbeetle-1.tigerbeetle:3004,tigerbeetle-2.tigerbeetle:3004" # REQUIRED: List all TigerBeetle replicas

# PostgreSQL configuration

postgresql:
enabled: true # Set to false if using external PostgreSQL
auth:
username: postgres # REQUIRED: Change for production
password: postgres # REQUIRED: Change for production - USE A STRONG PASSWORD
database: rafiki
primary:
persistence:
enabled: true
size: 8Gi # REQUIRED: Adjust based on your data volume
service:
ports:
postgresql: 5432

# Redis configuration

redis:
enabled: true # Set to false if using external Redis
architecture: standalone # CONSIDER: Use replication for production
auth:
enabled: false # REQUIRED: Set to true and configure password for production
password: "" # REQUIRED: Set a strong password if auth is enabled
master:
persistence:
enabled: true
size: 8Gi # REQUIRED: Adjust based on your data volume
service:
ports:
redis: 6379

# Monitoring

monitoring:
enabled: false # CONSIDER: Enable for production environments
prometheus:
enabled: false # CONSIDER: Enable for production monitoring
grafana:
enabled: false # CONSIDER: Enable for production dashboards

# Persistence configuration for data that needs to be persisted

persistence:
enabled: true
storageClass: "" # REQUIRED: Set to your cluster's storage class
accessMode: ReadWriteOnce
size: 10Gi # REQUIRED: Adjust based on your data volume

# Security settings

securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000

# Pod Security settings

podSecurityContext:
enabled: true

# Network policy settings

networkPolicy:
enabled: false # CONSIDER: Enable for production to restrict pod communication

# Configure service accounts

serviceAccount:
create: true
name: "rafiki" # REQUIRED: Change if conflicts with existing service accounts
annotations: {} # REQUIRED: Add annotations if using IAM roles for service accounts

# Configure pod disruption budget

podDisruptionBudget:
enabled: false # CONSIDER: Enable for production for high availability
minAvailable: 1

# Resource requests and limits for init containers

initContainers:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi

# =====================================================================

# TIGERBEETLE CONFIGURATION:

# Configuration for TigerBeetle as the accounting database

# =====================================================================

tigerbeetle:
enabled: true # REQUIRED: Set to true to use TigerBeetle for accounting
image:
repository: ghcr.io/tigerbeetle/tigerbeetle
tag: 0.14.2 # REQUIRED: Check for the latest compatible version
pullPolicy: IfNotPresent
replicaCount: 3 # REQUIRED: For production, use at least 3 replicas for consensus
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
cpu: 2000m
memory: 4Gi
service:
type: ClusterIP
port: 3004
persistence:
enabled: true
storageClass: "" # REQUIRED: Set to your cluster's storage class
size: 20Gi # REQUIRED: Adjust based on expected transaction volume
accessMode: ReadWriteOnce
config:
clusterID: 0 # REQUIRED: Set a unique cluster ID
replicaCount: 3 # Should match replicaCount above # For consensus algorithm (1f+1 redundancy where f is number of failures tolerated) # 1 replica: 0 fault tolerance # 3 replicas: 1 fault tolerance (recommended minimum for production) # 5 replicas: 2 fault tolerance (recommended for critical systems)

Configure environment variables

Each Rafiki service can be configured via environment variables. Below are the main environment variables for each service:

Auth service

The Rafiki auth service is responsible for handling authentication and authorization for your application. It connects to a Postgres database to store auth-related resources and a Redis database for storing session data. See Auth service for more information.

Ports exposed:

3003 (ADMIN_PORT) is used for the Auth Admin API
3006 (AUTH_PORT) is used for the Open Payments authorization server

Required values

Helm variable	Default	Description
`auth.postgresql.host`, `auth.postgresql.port`, `auth.postgresql.username`, `auth.postgresql.database`, `auth.postgresql.password`	`postgresql://postgres:password@localhost:5432/auth_development`	The URL of the Postgres database storing your Open Payments grant data. For Helm, these components are provided individually.
`auth.server.domain`	undefined	The public endpoint for your Rafiki instance’s public Open Payments routes.
`auth.cookieKey`	undefined	The koa KeyGrip key that is used to sign cookies for an interaction session.
`auth.identityServer.domain`	undefined	The URL of your IdP’s server, used by the authorization server to inform an Open Payments client of where to redirect the end-user to start interactions.
`auth.identityServer.secret`	undefined	A shared secret between the authorization server and the IdP server; the authorization server will use the secret to secure its IdP-related endpoints. When the IdP server sends requests to the authorization server, the IdP server must provide the secret via an `x-idp-secret` header.
`auth.redis.host`, `auth.redis.port`	`redis://127.0.0.1:6379`	The connection URL for Redis. For Helm, these components are provided individually.

Conditionally required values

Helm value name	Default	Description
`auth.trustProxy`	`false`	Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure.

Optional values

Helm value name	Default	Description
`auth.accessToken.deletionDays`	`30`	The days until expired and/or revoked access tokens are deleted.
`auth.accessToken.expirySeconds`	`600` (10 minutes)	The expiry time, in seconds, for access tokens.
`auth.adminApi.signatureVersion`	`1`	The version of the request signing algorithm used to generate signatures.
`auth.adminAPI.signatureTtlSeconds`	`30`	The TTL, in seconds, for which a request’s signature will be valid.
`auth.port.admin`	`3003`	The port of your Rafiki Auth Admin API server.
`auth.port.auth`	`3006`	The port of your Open Payments authorization server.
`auth.workers.cleanup`	`1`	The number of workers processing expired or revoked access tokens.
`auth.enableManualMigrations`	`false`	When `true`, you must run the auth Postgres database manually with the command `npm run knex – migrate:latest –envproduction`
`auth.interaction.incomingPayment`	`false`	When `true`, incoming Open Payments grant requests are interactive
`auth.interactionExpirySeconds`	`600` (10 minutes)	The time, in seconds, for which a user can interact with a grant request before the request expires.
`auth.port.interaction`	`3009`	The port number of your Open Payments interaction-related APIs.
`auth.port.introspection`	`3007`	The port of your Open Payments access token introspection server.
`auth.interaction.listAll`	`true`	When `true`, grant requests that include a `list-all` action will require interaction. In these requests, the client asks to list resources that it did not create.
`auth.logLevel`	`info`	Pino log level
`auth.nodeEnv`	`development`	The type of node environment: `development`, `test`, or `production`.
`auth.interaction.quote`	`false`	When `true`, quote grants are interactive.
`auth.redis.tlsCaFile`	`''`	Redis TLS config
`auth.redis.tlsCertFile`	`''`	Redis TLS config
`auth.redis.tlsKeyFile`	`''`	Redis TLS config
`auth.grant.waitSeconds`	`5`	The wait time, in seconds, included in a grant request response (`grant.continue`).

Backend service

The Rafiki backend service handles business logic and external communication. It exposes the Open Payments APIs and an Interledger connector for sending and receiving packets. It connects to a Redis database for caching, a Postgres database for Open Payments resources, and TigerBeetle for accounting liquidity. See Backend service for more information.

Ports exposed:

3000 (OPEN_PAYMENTS_PORT) is used for the Open Payments resource server
3001 (ADMIN_PORT) is used for the Backend Admin API
3002 (CONNECTOR_PORT) is used for the ILP connector to send and receive ILP packets

Required values

Helm value name	Default	Description
`backend.serviceUrls.AUTH_SERVER_GRANT_URL`	undefined	The endpoint on your Open Payments authorization server to grant a request.
`backend.serviceUrls.AUTH_SERVER_INTROSPECTION_URL`	undefined	The endpoint on your Open Payments authorization server to introspect an access token.
`backend.postgresql.host`, `backend.postgresql.port`, `backend.postgresql.username`, `backend.postgresql.database`, `backend.postgresql.password`	`postgresql://postgres:password@localhost:5432/development`	The Postgres database URL of the database storing your resource data. For Helm, these components are provided individually.
`backend.serviceUrls.EXCHANGE_RATES_URL`	undefined	The endpoint your Rafiki instance uses to request exchange rates.
`backend.ilp.address`	undefined	The ILP address of your Rafiki instance.
`backend.ilp.connectorUrl`	undefined	The ILP connector address where ILP packets are received.
`backend.key.id`	undefined	Your Rafiki instance’s client key ID.
`backend.serviceUrls.OPEN_PAYMENTS_URL`	undefined	The public endpoint of your Open Payments resource server.
`backend.redis.host`, `backend.redis.port`	`redis://127.0.0.1:6379`	The Redis URL of the database handling ILP packet data. For Helm, these components are provided individually.
`backend.use.tigerbeetle`	`true`	When `true`, a TigerBeetle database is used for accounting. When `false`, a Postgres database is used.
`backend.serviceUrls.WEBHOOK_URL`	undefined	Your endpoint that consumes webhook events.

Conditionally required values

Helm value name	Default	Description
`backend.instance.name`	undefined	Your Rafiki instance’s name used to communicate for auto-peering and/or telemetry. Required when auto-peering and/or telemetry is enabled
`backend.trustProxy`	`false`	Must be set to `true` when running Rafiki behind a proxy. When `true`, the `X-Forwarded-Proto` header is used to determine if connections are secure.

Optional values

Helm value name	Default	Description
`backend.port.admin`	`3001`	The port of your Backend Auth API server.
`backend.autoPeering.serverPort`	`3005`	If auto-peering is enabled, the server will use this port.
`backend.port.connector`	`3002`	The port of the ILP connector for sending packets via ILP over HTTP.
`backend.enable.autoPeering`	`false`	When `true`, auto-peering is enabled.
`backend.enableManualMigrations`	`false`	When `true`, you must run the database manually with the command `npm run knex – migrate:latest –env production`
`backend.enable.spspPaymentPointers`	`true`	When `true`, the SPSP route is enabled.
`backend.lifetime.exchangeRate`	`15_000`	The time, in milliseconds, the exchange rates you provide via the `EXCHANGE_RATES_URL` are valid.
`backend.idempotency.keyLockMs`	`2000`	The TTL, in milliseconds, for `idempotencyKey` concurrency lock on GraphQL mutations on the Backend Admin API.
`backend.idempotency.keyTTL`	`86400000` (24 hours)	The TTL, in milliseconds, for `idempotencyKey` on GraphQL mutations on the Backend Admin API.
`backend.incomingPayment.expiryMaxMs`	`2592000000` (30 days)	The maximum into the future, in milliseconds, incoming payments expiry can be set to on creation.
`backend.workerIdle`	`200`	The time, in milliseconds, that workers will wait until checking an empty queue again.
`backend.workers.incomingPayment`	`1`	The number of workers processing incoming payment requests.
`backend.logLevel`	`info`	Pino log level
`backend.nodeEnv`	`development`	The type of node environment: `development`, `test`, or `production`.
`backend.port.openPayments`	`3003`	The port of your Open Payments resource server.
`backend.workers.outgoingPayment`	`4`	The number of workers processing outgoing payment requests.
`backend.key.file`	undefined	The path to your Rafiki instance’s client private key.
`backend.lifetime.quote`	`5 * 60_000` (5 minutes)	The time, in milliseconds, an Open Payments quote is valid for.
`backend.redis.tlsCaFile`	`''`	Redis TLS config
`backend.redis.tlsCertFile`	`''`	Redis TLS config
`backend.redis.tlsKeyFile`	`''`	Redis TLS config
`backend.quoteSignatureSecret`	undefined	The secret to generate request header signatures for webhook event requests.
`backend.signatureVersion`	`1`	The version number to generate request header signatures for webhook events.
`backend.ilp.slippage`	`0.01` (1%)	The accepted ILP rate fluctuation.
`backend.ilp.streamSecret`	undefined	The seed secret to generate shared STREAM secrets.
`backend.walletAddress.deactivationPaymentGratePeriodMs`	`86400000` (24 hours)	The time into the future, in milliseconds, to set expiration of Open Payments incoming payments when deactivating a wallet address.
`backend.walletAddress.lookupTimeoutMs`	`1500`	The time, in milliseconds, you have to create a missing wallet address before timeout.
`backend.walletAddress.pollingFrequencyMs`	`100`	The frequency of polling while waiting for you to create a missing wallet address.
`backend.serviceUrls.WALLET_ADDRESS_URL`	`http://127.0.0.1:3001/.well-known/pay`	Your Rafiki instance’s internal wallet address.
`backend.workers.walletAddress`	`1`	The number of workers processing wallet address requests.
`backend.webhookMaxRetry`	`10`	The maximum number of times your Rafiki instance’s backend retries sending a certain webhook event to your configured `WEBHOOK_URL`.
`backend.lifetime.webhook`	`2000` (2 seconds)	The time, in milliseconds, that your Rafiki instance will wait for a `200` response from your webhook endpoint. If a `200` response is not received, Rafiki will time out and try to send the webhook event again.
`backend.workers.webhook`	`1`	The number of workers processing webhook events.
`backend.withdrawalThrottleDelay`	undefined	The delay in liquidity withdrawal processing.

Frontend service

The Rafiki frontend service provides an internal admin interface for managing your Rafiki instance. It communicates with the Backend Admin API to facilitate administrative tasks. See Frontend service for more information.

Ports exposed:

3005 (PORT) is used to host the Rafiki Admin app

Required Values

Helm value name	Default	Description
`frontend.serviceUrls.GRAPHQL_URL`	undefined	URL for Rafiki’s GraphQL Auth Admin API
`frontend.serviceUrls.OPEN_PAYMENTS_URL`	undefined	Your Open Payments API endpoint
`frontend.port`	undefined	Port from which to host the Rafiki Remix app

Conditionally required values

The following values are required only when frontend.authEnabled is set to true.

Helm value name	Default	Description
`frontend.kratos.adminUrl`	undefined	The admin endpoint/container address for Kratos
`frontend.kratos.containerPublicUrl`	undefined	The URL for you to access the Kratos Docker container from within the Docker network. This is used for backend calls to Kratos.
`frontend.kratos.browserPublicUrl`	undefined	The URL for you to access the Kratos Docker container from a browser outside of the Docker network. This is used for calls from a browser (what you see in the Rafiki Admin UI) to the Kratos server on the backend.

Optional values

Helm value name	Default	Description
`frontend.authEnabled`	`true`	When `true`, only authenticated users can be granted access to Rafiki Admin by an administrator
`frontend.quoteSignatureSecret`	undefined	The signature secret used to authenticate requests to the Backend Admin API.
`frontend.signatureVersion`	`1`	The signature version number used to authenticate requests to the Backend Admin API.
`frontend.enableInsecureMessageCookie`	`true`	When set to `true`, `t`, or `1`, cookie will be transmitted over insecure HTTP connection. Insecure message cookies are required for flash messages to work over HTTP.
`frontend.nodeEnv`	`production`	The type of node environment: `development`, `test`, or `production`.
`frontend.logLevel`	`info`	Pino log level

Install Rafiki

Install Rafiki using the following command:

helm install rafiki interledger/rafiki -f values.yaml

This will deploy all Rafiki components to your Kubernetes cluster with the configurations specified in your values.yaml file.

If you want to install to a specific namespace:

kubectl create namespace rafiki
helm install rafiki interledger/rafiki -f values.yaml -n rafiki

Verify the deployment

Check the status of your deployment with the following commands:

# Check all resources deployed by Helm
helm status rafiki

# Check the running pods
kubectl get pods

# Check the deployed services
kubectl get services

Configure ingress with NGINX Ingress Controller

To expose Rafiki services outside the cluster using NGINX Ingress Controller:

Install NGINX Ingress Controller

If you don’t already have NGINX Ingress Controller installed, you can install it using Helm:

# Add the ingress-nginx repository
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# Install the ingress-nginx controller
helm install nginx-ingress ingress-nginx/ingress-nginx \
  --set controller.publishService.enabled=true

Wait for the Load Balancer to be provisioned:

kubectl get services -w nginx-ingress-ingress-nginx-controller

Configure DNS

Once the Load Balancer has an external IP or hostname assigned, create DNS records:

auth.example.com pointing to the Load Balancer IP/hostname
backend.example.com pointing to the Load Balancer IP/hostname

Apply the configuration

Apply your updated configuration:

helm upgrade rafiki interledger/rafiki -f values.yaml

Verify ingress configuration

Check if your ingress resources were created correctly:

kubectl get ingress

You should find entries for the auth server and backend API ingress resources.

Port forwarding

If you don’t want to use ingress to access Rafiki services, you can use port forwarding to directly access the services:

Service	Port-Forward Command
Auth Server	`kubectl port-forward svc/rafiki-auth-server 3000:3000`
Backend API	`kubectl port-forward svc/rafiki-backend-api 3001:3001`
Admin UI	`kubectl port-forward svc/rafiki-backend-api 3001:3001`
PostgreSQL	`kubectl port-forward svc/rafiki-postgresql 5432:5432`
Redis	`kubectl port-forward svc/rafiki-redis-master 6379:6379`

Upgrade Rafiki

To upgrade your Rafiki deployment to a newer version:

# Update the Helm repository
helm repo update

# Upgrade Rafiki
helm upgrade rafiki interledger/rafiki -f values.yaml

Uninstall Rafiki

To uninstall Rafiki from your cluster:

helm uninstall rafiki

Note that this won’t delete Persistent Volume Claims (PVC) created by the PostgreSQL and Redis deployments. If you want to delete them as well:

kubectl delete pvc -l app.kubernetes.io/instance=rafiki

Troubleshooting

Check pod logs

If a component isn’t working correctly, you can check its logs:

# List all pods
kubectl get pods

# Check logs for a specific pod
kubectl logs pod/rafiki-auth-server-0

Check resources and logs

# List pods and their status
kubectl get pods

# Check logs for a specific pod
kubectl logs pod/rafiki-auth-server-0

# Get details about a pod
kubectl describe pod/rafiki-auth-server-0

# Check services and their endpoints
kubectl get services

# Check Persistent Volume Claims
kubectl get pvc

# Check ingress resources
kubectl get ingress

Common issues

Database connection errors

Check if PostgreSQL pods are running:

kubectl get pods -l app.kubernetes.io/name=postgresql

Check PostgreSQL logs:
```
kubectl logs pod/rafiki-postgresql-0
```
Verify that the database passwords match those in your values.yaml

Tigerbeetle initialization failures

Check Tigerbeetle logs:
```
kubectl logs pod/tigerbeetle-0
```
Ensure that the PVC for Tigerbeetle has been created correctly
```
kubectl get pvc -l app.kubernetes.io/name=tigerbeetle
```
Verify that the cluster ID is consistent across all components

Ingress issues

Verify NGINX Ingress Controller is running:
```
kubectl get pods -n ingress-nginx
```
Check if your DNS records are correctly pointing to the ingress controller’s external IP
Check the ingress resource:
```
kubectl get ingress
```

Check ingress controller logs:

kubectl logs -n ingress-nginx deploy/nginx-ingress-ingress-nginx-controller

Verify that TLS secrets exist if HTTPS is enabled:
```
kubectl get secrets
```

TLS certificate problems

If using cert-manager, check if certificates are properly issued:
```
kubectl get certificates
```

Check certificate status:

kubectl describe certificate [certificate-name]

Check cert-manager logs:

kubectl logs -n cert-manager deploy/cert-manager

Service unavailable

Check if services are running:
```
kubectl get services
```
Verify pod health:
```
kubectl describe pod [pod-name]
```
Check for resource constraints:
```
kubectl top pods
```

Connectivity between components

Ensure all required services are running:
```
kubectl get services
```
Verify service endpoints:
```
kubectl get endpoints
```

Test connectivity between pods using temporary debugging pods:

kubectl run -it --rm debug --image=busybox -- sh
# Inside the pod
wget -q -O- http://rafiki-auth-server:3000/health

Security considerations

When deploying Rafiki in production, consider the following security practices:

Use secure passwords: Replace all default passwords with strong, unique passwords
Enable TLS: Use HTTPS for all external communications
Implement network policies: Use Kubernetes network policies to restrict traffic between pods
Use RBAC: Use Kubernetes Role-Based Access Control to limit access to your cluster
Use secrets management: Consider using a secrets management solution
Perform regular updates: Keep your Rafiki deployment updated

# Forward PostgreSQL port to local machine
kubectl port-forward svc/rafiki-postgresql 5432:5432

# Use pg_dump to create a backup
pg_dump -h localhost -U rafiki -d rafiki > rafiki_pg_backup.sql

Tigerbeetle backup

Tigerbeetle is designed to be fault-tolerant with its replication mechanism. However, to create a backup of Tigerbeetle data, you can use the following approach:

# Create a snapshot of the Tigerbeetle PVC
kubectl get pvc tigerbeetle-data-tigerbeetle-0 -o yaml > tigerbeetle-pvc.yaml

# Create a volume snapshot
cat <<EOF | kubectl apply -f -
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: tigerbeetle-snapshot
spec:
  volumeSnapshotClassName: csi-hostpath-snapclass
  source:
    persistentVolumeClaimName: tigerbeetle-data-tigerbeetle-0
EOF

Database recovery

PostgreSQL recovery

To restore from a PostgreSQL backup:

# Forward PostgreSQL port to local machine
kubectl port-forward svc/rafiki-postgresql 5432:5432

# Use psql to restore from backup
psql -h localhost -U rafiki -d rafiki < rafiki_pg_backup.sql

Tigerbeetle recovery

To restore Tigerbeetle from a snapshot:

# Create a new PVC from the snapshot
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: tigerbeetle-data-restored
spec:
  dataSource:
    name: tigerbeetle-snapshot
    kind: VolumeSnapshot
    apiGroup: snapshot.storage.k8s.io
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
EOF

# Update the Tigerbeetle StatefulSet to use the restored PVC
kubectl patch statefulset tigerbeetle -p '{"spec":{"template":{"spec":{"volumes":[{"name":"data","persistentVolumeClaim":{"claimName":"tigerbeetle-data-restored"}}]}}}}'