Prerequisites and Configuration
This page covers the shared prerequisites and configuration that apply to all phases of the standalone chart installation.
Required Tools
The following tools must be installed on your deployment machine:
kubectl — configured for your target Kubernetes cluster
helm >= 3.12
Warning
Ensure your kubectl version matches or is within one minor version of your target Kubernetes cluster version.
Note
Unlike the Helmfile-based installation, the standalone approach does not require Helmfile or the helm-diff plugin.
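The two version requirements above can be checked mechanically before any chart is installed. This is an added example, not part of the original page; the function names are hypothetical and the version strings at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example. Real inputs would come from:
#   kubectl version -o json   (clientVersion.gitVersion, serverVersion.gitVersion)
#   helm version --short
# The version strings at the bottom are constructed samples.

# Print "MAJOR MINOR" for strings like v1.29.4-eks-036c24b or v3.14.2+gc309b6f.
major_minor() {
  v=${1#v}
  case "$v" in *.*) ;; *) return 1 ;; esac
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%[!0-9]*}          # keep only the leading digits of the minor field
  case "$major" in ''|*[!0-9]*) return 1 ;; esac
  [ -n "$minor" ] || return 1
  echo "$major $minor"
}

# kubectl must match the cluster or be within one minor version (same major).
kubectl_skew_ok() {
  c=$(major_minor "$1") || return 2
  s=$(major_minor "$2") || return 2
  [ "${c% *}" -eq "${s% *}" ] || return 1
  d=$(( ${c#* } - ${s#* } ))
  [ "$d" -ge -1 ] && [ "$d" -le 1 ]
}

# helm must be 3.12 or newer.
helm_version_ok() {
  h=$(major_minor "$1") || return 2
  [ "${h% *}" -gt 3 ] || { [ "${h% *}" -eq 3 ] && [ "${h#* }" -ge 12 ]; }
}

# Constructed sample values standing in for real command output.
if kubectl_skew_ok "v1.30.2" "v1.29.4-eks-036c24b"; then
  echo "kubectl/cluster skew: ok"
else
  echo "kubectl/cluster skew: more than one minor version apart" >&2
fi
helm_version_ok "v3.11.3" || echo "helm: 3.12 or newer is required" >&2
```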
Access Requirements
kubectl configured to the Kubernetes cluster you are deploying to
Personal NGC API Key from ngc.nvidia.com authenticated with nvcf-onprem organization only if you pull artifacts directly from NGC or use NGC as your registry
Registry credentials for your container registry (ECR, NGC, etc.) — see Working with Third-Party Registries for setup instructions
Local Helm authentication to your container registry where NVCF charts are stored. helm upgrade --install pulls OCI charts during deployment, so your local environment must be authenticated:
AWS ECR:
aws ecr get-login-password --region <region> | helm registry login --username AWS --password-stdin <account-id>.dkr.ecr.<region>.amazonaws.com
NGC:
docker login nvcr.io -u '$oauthtoken' -p <NGC_API_KEY>
Other registries: Use docker login or helm registry login as appropriate for your registry
Artifacts must be available in a registry that your Kubernetes cluster can access. See Artifact Manifest and Image Mirroring.
Note
See EKS Cluster Terraform (Optional) for instructions on deploying a Kubernetes cluster on EKS or other CSPs if you don’t have one already.
Namespace Requirements
Each Helm chart in the NVCF stack must be installed into a specific namespace. These namespace assignments are fixed and must not be changed — service-to-service cluster DNS addressing and Vault (OpenBao) authentication claims depend on this layout.
| Namespace | Services |
|---|---|
|  | nats |
|  | openbao-server |
|  | cassandra |
|  | api, invocation-service, grpc-proxy, notary-service |
|  | api-keys, admin-issuer-proxy |
|  | ess-api |
|  | sis |
|  | ingress (nvcf-gateway-routes) |
|  | nvca-operator |
Warning
Installing a chart into the wrong namespace will cause authentication failures such as
error validating claims: claim "/kubernetes.io/namespace" does not match any associated bound claim values.
If you see this error, verify that every release is deployed in the namespace shown above.
Create Namespaces
Create all required namespaces up front:
kubectl create namespace nats-system
kubectl create namespace vault-system
kubectl create namespace cassandra-system
kubectl create namespace nvcf
kubectl create namespace api-keys
kubectl create namespace ess
kubectl create namespace sis
kubectl create namespace envoy-gateway-system
kubectl create namespace envoy-gateway
Label the namespaces that require Gateway API routing:
kubectl label namespace envoy-gateway nvcf/platform=true
kubectl label namespace api-keys nvcf/platform=true
kubectl label namespace sis nvcf/platform=true
kubectl label namespace ess nvcf/platform=true
kubectl label namespace nvcf nvcf/platform=true
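A preflight check for the namespaces and labels created above, written as an added example rather than taken from the NVCF documentation. The function names and the sample listing are constructed; the check expects the output of kubectl get namespaces --no-headers --show-labels on stdin.

```shell
#!/bin/sh
# Added example. Namespace names and the label are the ones created above.
REQUIRED_NS="nats-system vault-system cassandra-system nvcf api-keys ess sis envoy-gateway-system envoy-gateway"
LABELED_NS="envoy-gateway api-keys sis ess nvcf"

# Reads `kubectl get namespaces --no-headers --show-labels` output on stdin
# (columns: NAME STATUS AGE LABELS). Prints one finding per line and returns
# non-zero if a namespace is missing, not Active, or lacks the routing label.
check_namespaces() {
  listing=$(cat)
  rc=0
  for ns in $REQUIRED_NS; do
    line=$(printf '%s\n' "$listing" | awk -v n="$ns" '$1 == n')
    if [ -z "$line" ]; then
      echo "MISSING namespace: $ns"; rc=1; continue
    fi
    status=$(printf '%s\n' "$line" | awk '{print $2}')
    [ "$status" = "Active" ] || { echo "NOT ACTIVE ($status): $ns"; rc=1; }
    case " $LABELED_NS " in
      *" $ns "*)
        labels=$(printf '%s\n' "$line" | awk '{print $4}')
        case ",$labels," in
          *",nvcf/platform=true,"*) ;;
          *) echo "MISSING label nvcf/platform=true on: $ns"; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}

# Constructed sample listing: vault-system is absent and nvcf is unlabeled.
sample_listing() {
  cat <<'EOF'
api-keys               Active   4m   kubernetes.io/metadata.name=api-keys,nvcf/platform=true
cassandra-system       Active   4m   kubernetes.io/metadata.name=cassandra-system
default                Active   9d   kubernetes.io/metadata.name=default
envoy-gateway          Active   4m   kubernetes.io/metadata.name=envoy-gateway,nvcf/platform=true
envoy-gateway-system   Active   4m   kubernetes.io/metadata.name=envoy-gateway-system
ess                    Active   4m   kubernetes.io/metadata.name=ess,nvcf/platform=true
nats-system            Active   4m   kubernetes.io/metadata.name=nats-system
nvcf                   Active   4m   kubernetes.io/metadata.name=nvcf
sis                    Active   4m   kubernetes.io/metadata.name=sis,nvcf/platform=true
EOF
}

sample_listing | check_namespaces || echo "resolve the findings above before installing charts" >&2
```

Against a live cluster, pipe the kubectl command named in the comment into check_namespaces instead of sample_listing.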
Image Pull Secrets
Kubernetes needs credentials to pull NVCF container images from your private registry. Whether you need explicit image pull secrets depends on how your cluster authenticates to the registry:
AWS ECR (same account): If you used nvcf-base Terraform to create your EKS cluster, the node IAM role already includes AmazonEC2ContainerRegistryReadOnly. Nodes can pull images from ECR in the same account without additional pull secrets. Skip this step.
NGC or other third-party registries: You must create an image pull secret in every namespace that runs NVCF control plane pods.
# Set REGISTRY to your registry hostname before running (for example, nvcr.io for NGC)
NAMESPACES="nats-system vault-system cassandra-system nvcf api-keys ess sis envoy-gateway-system"
for ns in $NAMESPACES; do
  kubectl create secret docker-registry nvcf-pull-secret \
    --namespace "$ns" \
    --docker-server="$REGISTRY" \
    --docker-username="<username>" \
    --docker-password="<password>" \
    --dry-run=client -o yaml | kubectl apply -f -
done
Note
For NGC, use $oauthtoken as the username and your NGC API key as the password.
Secrets Configuration
Several charts require sensitive values. Prepare these before starting the installation.
Cassandra Password
The default Cassandra superuser password is used by the OpenBao migration job to store credentials in the vault. Keep this consistent across the OpenBao and Cassandra configurations:
export CASSANDRA_PASSWORD="ch@ng3m3" # Change for production
Registry Credential (Base64)
The NVCF API bootstrap job and OpenBao migrations require a base64-encoded NGC registry credential. This credential is stored in OpenBao and used by the NVCF API to pull function container images and Helm charts at deployment time.
Generate the credential using your NGC API key:
# Replace YOUR_NGC_API_KEY with your personal NGC API key from ngc.nvidia.com
export NGC_API_KEY="YOUR_NGC_API_KEY"
export REGISTRY_CREDENTIAL_B64=$(echo -n "\$oauthtoken:${NGC_API_KEY}" | base64 -w 0)
Note
This credential is used for function deployments (pulling user function containers and charts), not for pulling the NVCF control plane images. Even if your control plane images are mirrored to ECR, NGC credentials are still needed here as the default source for function artifacts.
Additional registries (ECR, VolcEngine, Harbor, etc.) can be added after installation using the NVCF CLI or API. See Working with Third-Party Registries for details.
These variables will be referenced in the values files for individual charts in subsequent installation phases.
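An added example, not part of the original page, that builds the registry credential and validates REGISTRY_CREDENTIAL_B64 before it goes into a values file, without printing the decoded secret. The function names and SAMPLE_KEY are hypothetical, and printf with base64 | tr -d '\n' stands in for echo -n and base64 -w 0.

```shell
#!/bin/sh
# Added example. SAMPLE_KEY is a constructed placeholder, not a real NGC key.
SAMPLE_KEY="CONSTRUCTED-EXAMPLE-KEY"
NL='
'

# Encode "$oauthtoken:<key>" on one line. printf writes no trailing newline and
# `base64 | tr -d '\n'` avoids relying on the GNU-only `base64 -w 0`.
encode_registry_credential() {
  printf '%s' "\$oauthtoken:$1" | base64 | tr -d '\n'
}

# Validate an encoded credential without ever printing the decoded secret.
# Returns 0 if valid, 1 if malformed, 2 if it is not base64 at all.
check_registry_credential() {
  # The trailing "x" keeps $(...) from silently stripping a decoded newline.
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || {
    echo "not valid base64"; return 2; }
  decoded=${decoded%x}
  case "$decoded" in
    *"$NL"*|*' '*)
      echo "decoded value contains whitespace (was echo used without -n?)"
      return 1 ;;
  esac
  case "$decoded" in
    '$oauthtoken:'?*) echo "ok" ;;
    *) echo "username is not the literal \$oauthtoken, or the key is empty"
       return 1 ;;
  esac
}

# A correctly encoded credential passes.
check_registry_credential "$(encode_registry_credential "$SAMPLE_KEY")"
# Two common mistakes: a trailing newline, and an unescaped $oauthtoken that the
# shell expanded to an empty string.
check_registry_credential "$(echo "\$oauthtoken:$SAMPLE_KEY" | base64 | tr -d '\n')" || true
check_registry_credential "$(printf '%s' ":$SAMPLE_KEY" | base64 | tr -d '\n')" || true
```

After the export above, run check_registry_credential "$REGISTRY_CREDENTIAL_B64" to validate the real value.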
Next Steps
Once you have completed the prerequisites, proceed to Phase 1: Infrastructure Dependencies to install the infrastructure dependencies (NATS, OpenBao, Cassandra).