Kubernetes Deployment
Overview
Prism ships as an OCI Helm chart hosted on GitHub Container Registry. No helm repo add needed — install directly from the registry.
Prerequisites: Kubernetes cluster (1.25+), Helm 3.8+.
Install with Helm
Install the chart directly from the OCI registry:
helm install prism oci://ghcr.io/fencio-dev/charts/prism --version <version>
To install into a specific namespace:
helm install prism oci://ghcr.io/fencio-dev/charts/prism \
--version <version> \
--namespace prism \
--create-namespace
Access Locally
Since no LoadBalancer is provisioned by default, use kubectl port-forward to access services (add -n <namespace> if you installed the chart into a namespace other than your current one):
# Prism UI + management API
kubectl port-forward svc/prism-management-plane 47000:47000 &
# Proxy
kubectl port-forward svc/prism-proxy 47100:47100 47101:47101 &
Once port-forwarded, open http://localhost:47000 to access the Prism UI. The REST API is at /api/v2/ and Swagger at /docs.
CLI Access
The prism CLI is installed inside the management-plane pod. Run CLI commands without installing anything locally (again adding -n <namespace> if needed):
kubectl exec -it deploy/prism-management-plane -- prism agents list
kubectl exec -it deploy/prism-management-plane -- prism status
Trusting the Certificate
The proxy intercepts HTTPS traffic using a self-signed CA. The CA certificate is stored in a PersistentVolumeClaim and survives pod restarts and rolling updates — trust it once and you're done.
Step 1 — Get the proxy pod name
kubectl get pods -n prism -l app=prism-proxy
Step 2 — Extract the certificate
kubectl cp prism/prism-proxy-<pod-name>:/app/data/certs/fencio-root-ca.pem fencio-root-ca.pem
Step 3 — Trust it on macOS
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain fencio-root-ca.pem
Step 4 — Trust it on Linux (Debian/Ubuntu)
# update-ca-certificates only picks up files ending in .crt
sudo cp fencio-root-ca.pem /usr/local/share/ca-certificates/fencio-root-ca.crt
sudo update-ca-certificates
Cluster-Scoped CA Trust
To distribute the CA cert to pods inside the cluster without requiring each developer to trust it locally, store it as a Kubernetes Secret and mount it into workloads that need to trust the proxy.
Step 1 — Extract the cert and create the Secret
kubectl cp prism/prism-proxy-<pod-name>:/app/data/certs/fencio-root-ca.pem fencio-root-ca.pem
kubectl create secret generic prism-ca-cert \
--from-file=fencio-root-ca.pem=fencio-root-ca.pem \
--namespace prism
Step 2 — Mount into pods that need to trust the cert
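# Pod spec (spec.template.spec in a Deployment)
volumes:
  - name: prism-ca
    secret:
      # The Secret must exist in the same namespace as the pod
      secretName: prism-ca-cert
# Container spec (under containers[])
volumeMounts:
  - name: prism-ca
    # .crt suffix so update-ca-certificates picks the file up; the container
    # still has to run it, or point its TLS client at this path
    mountPath: /usr/local/share/ca-certificates/fencio-root-ca.crt
    subPath: fencio-root-ca.pem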
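
Adding a root CA to a system trust store or distributing it cluster-wide is worth a check of what was actually copied out of the pod, both for the local trust steps and for the Secret above. The script below is an added example, not part of the Prism documentation or chart: the function names are hypothetical, it assumes the file should hold exactly one root certificate, and `describe_ca` needs `openssl` installed.

```shell
#!/bin/sh
# Added example: sanity-check an extracted CA file before trusting it or
# putting it in a Secret. Function names are hypothetical.

# pem_count FILE LABEL_REGEX -> number of "-----BEGIN <label>-----" lines
pem_count() {
    grep -c -E -- "^-----BEGIN $2-----" "$1" || true
}

# check_ca_file FILE: 0 only if FILE holds exactly one certificate and no
# private key block (assumption: a single root cert is expected).
check_ca_file() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
    keys=$(pem_count "$f" '([A-Z0-9]+ )*PRIVATE KEY')
    certs=$(pem_count "$f" 'CERTIFICATE')
    if [ "$keys" -ne 0 ]; then
        echo "refusing: $f contains private key material" >&2
        return 3
    fi
    if [ "$certs" -ne 1 ]; then
        echo "refusing: expected 1 certificate, found $certs" >&2
        return 4
    fi
    return 0
}

# describe_ca FILE: print subject, expiry and SHA-256 fingerprint so the value
# can be compared across machines, and require basicConstraints CA:TRUE.
describe_ca() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256 || return 5
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || {
        echo "refusing: certificate is not marked CA:TRUE" >&2
        return 6
    }
}

# Usage: sh check-ca.sh fencio-root-ca.pem
[ $# -eq 0 ] || { check_ca_file "$1" && describe_ca "$1"; }
```

Run it on fencio-root-ca.pem after the extraction step and compare the printed fingerprint with the one obtained on another machine before trusting the file.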
Configuration
Key values you can override via --set or a custom values.yaml:
| Key | Default | Description |
|---|---|---|
| managementPlane.image.tag | latest | Management plane image version |
| dataPlane.image.tag | latest | Data plane image version |
| proxy.image.tag | latest | Proxy image version |
| proxy.persistence.enabled | true | Enable PersistentVolumeClaim for proxy CA certificate storage |
| proxy.persistence.size | 100Mi | Storage size for proxy certificate data |
| managementPlane.persistence.size | 1Gi | Persistent volume size for management plane data |
| proxy.service.type | ClusterIP | Kubernetes service type for the proxy |
| ingress.enabled | false | Enable Kubernetes Ingress for the management plane UI |
| ingress.host | "" | Hostname to route to the management plane |
| ingress.ingressClassName | "" | Ingress class name (e.g. nginx) |
Example override:
helm install prism oci://ghcr.io/fencio-dev/charts/prism \
--version <version> \
--set managementPlane.image.tag=0.1.0 \
--set proxy.service.type=LoadBalancer
Production Notes
- Set explicit image tags instead of latest for reproducible deployments.
- To expose the Prism UI externally, set ingress.enabled=true and configure ingress.host. To expose the proxy externally, set proxy.service.type=LoadBalancer.
- The management plane and proxy both use PersistentVolumeClaims — ensure your cluster has a default StorageClass. The proxy PVC stores the CA certificate chain so it survives pod restarts and rolling updates.
- To upgrade:
helm upgrade prism oci://ghcr.io/fencio-dev/charts/prism --version <new-version>