Post Deployment Advanced Configuration
After a successful install from the Single-Node K3s Installation Guide or Multi-Node Kubernetes Installation Guide, IVAAP runs with HTTP and local authentication. This is intentional — it lets you verify pods, health APIs, and login before adding production TLS and identity-provider configuration.
This guide covers the most common post-deployment steps and points to detailed references elsewhere in the documentation.
Bootstrap vs go-live¶
| Phase | Proxy protocol | TLS | Authentication | Purpose |
|---|---|---|---|---|
| Bootstrap (install guides) | http |
TLSSecret.enabled: false |
Local | Confirm deployment health, license, database connectivity |
| Go-live (this guide) | https |
Platform-appropriate certificate | Local or external IdP | Production browser access |
The generated deployment YAML (/opt/ivaap/ivaap.values.yaml on k3s, or the file from ivaap generate-yaml on multi-node clusters) ships with bootstrap defaults. Do not treat HTTP bootstrap as a production end state.
TLS¶
Single-node k3s — ivaap tls¶
On k3s single-host deployments, use the built-in TLS subcommand after install succeeds:
ivaap tls setup
Three modes are supported:
| Mode | When to use |
|---|---|
| BYO | You already have a certificate and private key (corporate CA or public CA). Most common for on-prem production. |
| Self-signed | Lab or isolated environments. Generates a CA + server cert under /opt/ivaap/certs/active. Java backends may need the root CA added to the JVM trust store — see Adding Self Signed Root CA to Java Keystore. |
| Let's Encrypt | Public DNS name with temporary port 80 access for cert-manager HTTP-01 challenge. |
Other TLS commands:
ivaap tls status # show current TLS mode and secret state
ivaap tls update-cert # replace cert/key on an existing BYO deployment
ivaap tls renew # renew Let's Encrypt certificates
ivaap tls disable # revert to HTTP bootstrap (not recommended for production)
After TLS is enabled, re-check backend health (ibhealth ivaap) and browse to https://<your-fqdn>/admin.
More detail on the Helm values involved: TLS Secret in General Helm Configuration.
Multi-node clusters — platform TLS¶
On AKS, EKS, and OpenShift, TLS is usually handled at the ingress or load-balancer layer rather than through ivaap tls. Use the platform-appropriate production path:
| Platform | Primary production TLS path | Guide |
|---|---|---|
| AWS EKS | ACM certificate on ALB via environment.type.aws.acm.{enabled,certificateArn}; set proxy to https |
AWS EKS |
| Azure AKS | cert-manager via environment.certbot.{enabled,issuer} + environment.TLSSecret.{enabled,secretName}; set proxy to https |
Azure AKS, IVAAP Operations |
| OpenShift | Platform route / ingress TLS | OpenShift |
| Fallback (all) | Manual kubectl create secret tls + TLSSecret.enabled: true |
TLS Secret |
Manual TLS Secret example (when not using a platform-integrated path):
kubectl create -n ivaap secret tls <secretName> \
--cert=path/to/cert.crt \
--key=path/to/private.key
Set .Values.environment.TLSSecret.enabled to true and .Values.configmap.proxy.IVAAP_HYPERTEXT_PROTOCOL to https in your deployment values YAML, then re-run Helm:
ivaap-restart
Or:
helm upgrade --install ivaap /opt/ivaap/IVAAPHelmTemplate \
-f /opt/ivaap/IVAAPHelmTemplate/values.yaml \
-f /opt/ivaap/ivaap.values.yaml \
-n ivaap
Authentication¶
Local authentication (default)¶
No deployment changes are required. Create users, groups, and domains in the IVAAP admin client (https://<your-fqdn>/admin once TLS is enabled, or http:// during bootstrap).
Default credentials from install:
- Super admin (
ivaaproot@int.com) — administration only,/adminpage. - DefaultAdmin — regular admin login for the dashboard.
Passwords are printed once at install and saved to /opt/ivaap/.installer/root_pw.txt on k3s.
External authentication¶
IVAAP supports external authentication via OpenID Connect (OIDC). Two providers are supported out of the box: AWS Cognito and Azure Entra ID (formerly Azure AD). The externalAuthType value (awsCognito or azureAD) selects which provider configuration the chart renders. To configure either:
- IVAAP Authentication
- External Authentication in General Helm Configuration
- Authentication Token Claims Configuration when custom claim mapping is required
External auth requires setting .Values.environment.authentication.externalAuthEnabled to true and configuring the adminserver VFS environment variables. Frontend image tags switch to externalTag (or osduTag for OSDU deployments).
Connector changes after install¶
Licensed connectors you did not enable at install time are staged under /opt/ivaap/connectors/disabled/. Activate or deactivate datanodes without a full reinstall:
ivaap nodes # list catalog nodes and status
ivaap enable <node> # re-probe license, import image, helm upgrade
ivaap disable <node> # remove connector from deployment
For witsmlnode, ivaap enable prompts for optional realtime scheduled tasks when the WITSML connector is licensed.
Operations and tuning¶
Once TLS and authentication are in place, refer to:
- IVAAP Configuration — application-level settings, VFS uploads, branding.
- IVAAP Operations — day-2 operations, HTTPS requirements, cert-manager patterns, pod management.
- Backend Environment Variable configuration — datanode and backend tuning.
- Troubleshooting — common failure modes.
- IVAAP Helpers —
ivaap-helpersaliases, log collection, image retagging scripts.
Upgrade¶
| Starting point | Guide |
|---|---|
2025.x (deploy-ivaap.sh, manual Helm) |
Upgrade from IVAAP 2025.x — manual operator-owned path using the 2026 ivaap binary for payload delivery |
Installer-managed (completed ivaap install, 2026.1+) |
Upgrade with IVAAP Binary — ./ivaap install --upgrade from a newer package |
For breaking chart and values changes, see Helm Chart Release Notes. Attach /opt/ivaap/.installer/state.json and ivaap status output when opening support tickets for installer-managed hosts.