Deploy ThunderID on Kubernetes
This guide walks you through deploying ThunderID to a Kubernetes cluster using Helm charts. It covers a quick single-command install for development and a production-ready setup with external PostgreSQL.
Architecture Overview
The diagram above shows the ThunderID deployment in Kubernetes, including the application pods, ingress controller, and database configuration.
Prerequisites
Before you begin, ensure the following are available:
Infrastructure:
- A running Kubernetes cluster (v1.19 or later). You can use minikube or kind locally, or a managed service such as EKS, GKE, or AKS for production.
- An NGINX Ingress Controller or a compatible alternative.
- Valid TLS certificates for production deployments.
Required Tools:
| Tool | Installation Guide | Version Check |
|---|---|---|
| Git | Install Git | git --version |
| Helm | Install Helm | helm version |
| kubectl | Install kubectl | kubectl version |
| Docker | Install Docker | docker --version |
Verify cluster access before proceeding:
kubectl cluster-info
helm version
kubectl get pods -n ingress-nginx
Install ThunderID
Step 1: Install the Helm Chart
Install ThunderID from the GitHub Container Registry:
helm install thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid
To install a specific version:
helm install thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid --version 0.11.0
Step 2: Verify the Installation
# Check pod status
kubectl get pods -l app.kubernetes.io/name=thunderid
# Check services
kubectl get services -l app.kubernetes.io/name=thunderid
# Check ingress
kubectl get ingress
Step 3: Access ThunderID
- Get the external IP address of your NGINX Ingress Controller.
- Add an entry to your /etc/hosts file that maps the IP address to thunderid.local.
- Open ThunderID at http://thunderid.local.
If you are using a cloud provider, the load balancer assigns the external IP automatically.
Installation Options
Option 1: Inline Value Overrides
Pass configuration values directly on the command line. The following example installs ThunderID with SQLite for development or testing:
helm install thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid \
--set configuration.database.config.type=sqlite \
--set configuration.database.runtime.type=sqlite
Option 2: Custom Values File
For production deployments, use a values file to manage configuration:
- Create a custom-values.yaml file:
  deployment:
    replicaCount: 3
    resources:
      requests:
        cpu: 500m
        memory: 512Mi
      limits:
        cpu: 2
        memory: 1Gi
  ingress:
    hostname: thunderid.example.com
  configuration:
    database:
      config:
        type: postgres
        host: postgres.default.svc.cluster.local
        port: 5432
        name: configdb
        username: thunderid_user
        password: <config-db-password>
        sslmode: require
      runtime:
        type: postgres
        host: postgres.default.svc.cluster.local
        port: 5432
        name: runtimedb
        username: thunderid_user
        password: <runtime-db-password>
        sslmode: require
      user:
        type: postgres
        host: postgres.default.svc.cluster.local
        port: 5432
        name: userdb
        username: thunderid_user
        password: <user-db-password>
        sslmode: require
- Install using the values file:
helm install thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid -f custom-values.yaml
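The values file above carries three database passwords in plain text. The following is an added example (not part of the ThunderID chart or its documentation) that writes them to a separate owner-only override file passed with a second -f; the *_DB_PASSWORD variable names and the db-secrets.yaml file name are assumptions.

```shell
#!/bin/sh
# Added example: keep the three database passwords out of custom-values.yaml
# by writing them to a separate override file readable only by its owner.
# The *_DB_PASSWORD variable names are assumptions made for this example.
# Passwords are assumed to be single-line strings.
set -eu

# Render a string as a YAML single-quoted scalar (a literal ' is doubled),
# so characters such as ':' or '#' in a password cannot change the YAML.
yaml_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# write_db_secrets <output-file>
# Runs in a subshell so the umask change does not leak to the caller.
write_db_secrets() (
  out=$1
  : "${CONFIG_DB_PASSWORD:?not set}" "${RUNTIME_DB_PASSWORD:?not set}" \
    "${USER_DB_PASSWORD:?not set}"
  umask 077            # a newly created file gets mode 0600
  rm -f -- "$out"      # an existing file would keep its old, looser mode
  {
    printf 'configuration:\n  database:\n'
    printf '    config:\n      password: %s\n'  "$(yaml_quote "$CONFIG_DB_PASSWORD")"
    printf '    runtime:\n      password: %s\n' "$(yaml_quote "$RUNTIME_DB_PASSWORD")"
    printf '    user:\n      password: %s\n'    "$(yaml_quote "$USER_DB_PASSWORD")"
  } > "$out"
)

# Usage (values from a later -f file override the earlier file, key by key):
#   write_db_secrets ./db-secrets.yaml
#   helm install thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid \
#     -f custom-values.yaml -f ./db-secrets.yaml
#   rm -f ./db-secrets.yaml
```

Helm stores the merged values in the release Secret inside the cluster, so read access to Secrets in the release namespace still needs to be restricted.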
Database Setup
ThunderID supports both PostgreSQL and SQLite. PostgreSQL is recommended for production.
PostgreSQL
Before deploying ThunderID, prepare the PostgreSQL instance:
- Create the three required databases:
  CREATE DATABASE configdb;
  CREATE DATABASE runtimedb;
  CREATE DATABASE userdb;
- Create a dedicated user:
  CREATE USER thunderid_user WITH PASSWORD '<secure-password>';
- Grant the required privileges in each database:
  ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO thunderid_user;
  GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO thunderid_user;
- Run the initialization scripts from backend/dbscripts to create the schema.
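The grants in step 3 are per database, and default privileges apply only to tables created later by the role they are set for. This added example (not from the ThunderID project) renders the step 3 statements for all three databases as one psql script, with an explicit FOR ROLE clause; the schema_owner role name, meaning the role that runs the backend/dbscripts scripts, is an assumption.

```shell
#!/bin/sh
# Added example: generate the step 3 grants for configdb, runtimedb and userdb.
# schema_owner (the role that runs the schema scripts) is an assumed name.
set -eu

# Accept only plain lowercase SQL identifiers, so nothing passed in can
# break out of the generated statements.
is_ident() {
  case $1 in
    ''|[!a-z_]*|*[!a-z0-9_]*) return 1 ;;
  esac
}

# render_grants <database> <app-role> <schema-owner-role>
render_grants() {
  for n in "$@"; do
    is_ident "$n" || { echo "bad identifier: $n" >&2; return 1; }
  done
  cat <<EOF
\connect $1
-- Covers tables that $3 creates after this point (the schema scripts).
ALTER DEFAULT PRIVILEGES FOR ROLE $3 IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO $2;
-- Covers only tables that already exist in this database.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO $2;
EOF
}

# render_all <app-role> <schema-owner-role>
render_all() {
  for db in configdb runtimedb userdb; do
    render_grants "$db" "$1" "$2" || return 1
  done
}

# Usage (host and admin user are placeholders):
#   render_all thunderid_user schema_owner |
#     psql -v ON_ERROR_STOP=1 -h <host> -U <admin-user> postgres
```

If the grants run before the schema scripts, as in the order above, the application role's access comes from the default privileges alone, so the scripts must be run by the role named in FOR ROLE.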
For a PostgreSQL setup using Helm, refer to the Bitnami PostgreSQL Helm Chart.
Once the databases are ready, configure ThunderID to connect to them:
configuration:
  database:
    config:
      type: postgres
      host: postgres.example.com
      port: 5432
      name: configdb
      username: thunderid_user
      password: <config-db-password>
      sslmode: require
    runtime:
      type: postgres
      host: postgres.example.com
      port: 5432
      name: runtimedb
      username: thunderid_user
      password: <runtime-db-password>
      sslmode: require
    user:
      type: postgres
      host: postgres.example.com
      port: 5432
      name: userdb
      username: thunderid_user
      password: <user-db-password>
      sslmode: require
SQLite
For development or testing, configure ThunderID to use SQLite:
configuration:
  database:
    config:
      type: sqlite
      sqlitePath: repository/database/configdb.db
      sqliteOptions: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
    runtime:
      type: sqlite
      sqlitePath: repository/database/runtimedb.db
      sqliteOptions: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
    user:
      type: sqlite
      sqlitePath: repository/database/userdb.db
      sqliteOptions: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
Upgrade and Rollback
To upgrade to a new version:
helm upgrade thunderid oci://ghcr.io/asgardeo/helm-charts/thunderid \
--version 0.12.0 \
-f custom-values.yaml
To roll back to a previous release:
helm rollback thunderid 1
Next Steps
- Production Deployment Guidelines — Apply security hardening for production: replace TLS certificates, generate a unique encryption key, configure a CORS allowlist, and set up Redis caching for multi-pod deployments.
- Deploy ThunderID on OpenChoreo — Deploy ThunderID on the OpenChoreo platform.
- Deploy ThunderID with Docker — Run ThunderID locally using Docker.