Try with Helm
This page describes how to deploy Casdoor on Kubernetes using Helm.
先决条件
- A running Kubernetes cluster (1.19+)
- Helm v3.8+
Installation
Step 1: Install the Casdoor chart
Install the Casdoor Helm chart:
helm install casdoor oci://registry-1.docker.io/casbin/casdoor-helm-charts --version <version>
To install with a custom values file:
helm install casdoor oci://registry-1.docker.io/casbin/casdoor-helm-charts \
--version <version> \
-f my-values.yaml
Step 2: Access Casdoor
After installation, use the service URL provided by your cluster to access Casdoor.
Customization
Override values.yaml to customize the deployment. Key parameters:
| 参数 | 描述 | 默认值 |
|---|---|---|
replicaCount | 运行 Casdoor 应用的副本数量。 | 1 |
image.repository | Casdoor Docker 图像的仓库。 | casbin |
image.name | Casdoor Docker 图像的名称。 | casdoor |
image.pullPolicy | Casdoor Docker 图像的拉取策略。 | IfNotPresent |
image.tag | Casdoor Docker 图像的标签。 | "" |
config | Casdoor 应用的配置设置。 | See values.yaml |
database.driver | Database driver to use (mysql, postgres, cockroachdb, sqlite). | sqlite |
database.user | 数据库用户名。 | "" |
database.password | 数据库密码。 | "" |
database.host | 数据库主机。 | "" |
database.port | 数据库端口�。 | "" |
database.databaseName | Casdoor 使用的数据库名称。 | casdoor |
database.sslMode | 数据库连接的 SSL 模式。 | disable |
service.type | Type of Kubernetes service (ClusterIP, NodePort, LoadBalancer). | ClusterIP |
service.port | Casdoor 服务的端口号。 | 8000 |
ingress.enabled | 是否启用 Casdoor 的 Ingress。 | false |
ingress.annotations | Ingress 资源的注解。 | {} |
ingress.hosts | Ingress 资源的主机名。 | [] |
resources | Casdoor 容器的资源请求和限制。 | {} |
autoscaling.enabled | 是否启用 Casdoor 的水平 Pod 自动扩展。 | false |
autoscaling.minReplicas | Minimum number of replicas for HPA. | 1 |
autoscaling.maxReplicas | Maximum number of replicas for HPA. | 100 |
autoscaling.targetCPUUtilizationPercentage | Target CPU utilization percentage for HPA. | 80 |
nodeSelector | Pod 分配的节点标签。 | {} |
tolerations | Pod 分配的容忍标签。 | [] |
affinity | Pod 分配的亲和性设置。 | {} |
extraContainersEnabled | 是否启用额外的边车容器。 | false |
extraContainers | 额外的边�车容器。 | "" |
extraVolumeMounts | Casdoor 容器的额外卷挂载。 | [] |
extraVolumes | Casdoor 容器的额外卷。 | [] |
envFromSecret | Environment variables from individual Secret keys. | [] |
envFromConfigmap | Environment variables from individual ConfigMap keys. | [] |
envFrom | Environment variables from entire Secrets or ConfigMaps. | [] |
Exposing Casdoor
Option 1: Ingress (classic)
Enable and configure Ingress:
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: casdoor.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: casdoor-tls
hosts:
- casdoor.example.com
Option 2: Gateway API (modern)
The Kubernetes Gateway API is the next-generation successor to Ingress, officially GA since Kubernetes 1.31. It is supported by Istio, Envoy Gateway, Cilium, Kong, NGINX Gateway Fabric, and others.
提示
Prerequisites
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
You also need a compatible Gateway controller running in your cluster.
Attach to an existing Gateway
If you already have a Gateway resource in your cluster, point the HTTPRoute at it:
gatewayApi:
enabled: true
parentRefs:
- name: my-gateway
namespace: gateway-system
sectionName: https
hostnames:
- casdoor.example.com
Create a new Gateway (e.g. with Istio)
Let the chart create a Gateway and HTTPRoute together:
gatewayApi:
enabled: true
createGateway: true
hostnames:
- casdoor.example.com
gateway:
gatewayClassName: istio
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
Create a Gateway with HTTP→HTTPS redirect
Enable TLS termination and automatic HTTP-to-HTTPS redirect:
gatewayApi:
enabled: true
createGateway: true
hostnames:
- casdoor.example.com
gateway:
gatewayClassName: istio
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
- name: https
protocol: HTTPS
port: 443
tls:
certificateRefs:
- name: casdoor-tls
kind: Secret
allowedRoutes:
namespaces:
from: Same
httpsRedirect:
enabled: true
Gateway API parameters
| Parameter | Description | Default |
|---|---|---|
gatewayApi.enabled | Enable HTTPRoute creation | false |
gatewayApi.createGateway | Also create a Gateway resource | false |
gatewayApi.annotations | Annotations for the HTTPRoute | {} |
gatewayApi.labels | Extra labels for the HTTPRoute | {} |
gatewayApi.parentRefs | Parent Gateway references | [] |
gatewayApi.hostnames | Hostnames to match (Host header) | [] |
gatewayApi.rules | Routing rules (matches, filters, backendRefs) | PathPrefix / |
gatewayApi.gateway.name | Gateway name (defaults to chart fullname) | "" |
gatewayApi.gateway.gatewayClassName | GatewayClass name (required when createGateway=true) | "" |
gatewayApi.gateway.listeners | Gateway listeners | HTTP:80 |
gatewayApi.httpsRedirect.enabled | Enable HTTP→HTTPS redirect HTTPRoute | false |
gatewayApi.httpsRedirect.statusCode | Redirect response code | 301 |
gatewayApi.httpsRedirect.hostnames | Hostnames for redirect route | [] |
gatewayApi.httpsRedirect.parentRefs | Override parentRefs for redirect route | [] |
Managing the deployment
Upgrade:
helm upgrade casdoor oci://registry-1.docker.io/casbin/casdoor-helm-charts --version <version>
Uninstall:
helm uninstall casdoor
For more options, see the Helm and Kubernetes documentation.