ignition-scaleout

A Helm chart for failover Ignition Gateway with scalable frontend client functionality. This chart deploys separate backend (controller) and frontend (agent) sets of Ignition Gateways to support high-scale architectures.

Initialization Process

The following diagram illustrates how the chart initializes the distributed architecture, establishing trust and connectivity between the Frontend and Backend layers.

Note: The Backend StatefulSet includes two headless services (-backend-primary and -backend-backup) targeting specific nodes for direct diagnostics.

sequenceDiagram
    participant K8s as Kubernetes
    participant Certs as Cert Manager
    participant Backend as Backend (Controller)
    participant Frontend as Frontend (Agent)
    
    par Backend Initialization
        K8s->>Backend: Start Pod
        Backend->>Certs: Request GAN Certs
        Certs-->>Backend: Mount Secrets (TLS/CA)
        Backend->>Backend: Initialize as Controller
    and Frontend Initialization
        K8s->>Frontend: Start Pod
        Frontend->>Certs: Request GAN Certs
        Certs-->>Frontend: Mount Secrets (TLS/CA)
        Frontend->>Frontend: Initialize as Agent
    end
    
    Frontend->>Backend: Open GAN Connection (Mutual TLS)
    Backend-->>Frontend: Accept Connection
    Frontend->>Frontend: Mount Proxy Tags & Projects

Configuration

The following sections list the configurable parameters of the ignition-scaleout chart.

General Settings

Global settings applicable to the entire chart.

Parameter	Type	Default
`applicationName`	string	`"ignition-scaleout"`
`image.repository`	string	`"inductiveautomation/ignition"`
`image.tag`	string	`"8.3"`
`image.pullPolicy`	string	`"IfNotPresent"`
`affinity.enabled`	bool	`false`
`affinity.topologyKey`	string	`"kubernetes.io/hostname"`
`certManager.issuer.name`	string	`"cluster-issuer"`
`certManager.issuer.kind`	string	`"ClusterIssuer"`
`serviceAccount.create`	bool	`false`
`serviceAccount.name`	string	`""`
`serviceAccount.annotations`	object	`{}`

Backend Configuration

The Backend acts as the controller and primary data processor.

Ignition Settings (Backend)

Parameter	Type	Default
`backend.config`	object	(See below)
`backend.args`	list	(See below)
`backend.logging.level`	string	`"INFO"`
`backend.eam.role`	string	`"Controller"`
`backend.tls.keystorePassword`	string	`"ignition"`
`backend.gan.keystorePassword`	string	`"metro"`

Default backend.config:

ACCEPT_IGNITION_EULA: "Y"
DISABLE_QUICKSTART: "true"
GATEWAY_ADMIN_USERNAME: "admin"
GATEWAY_MODULES_ENABLED: "alarm-notification,modbus-driver-v2,opc-ua,reporting,siemens-drivers,sql-bridge,tag-historian,udp-tcp-drivers"
GATEWAY_NETWORK_REQUIRETWOWAYAUTH: "true"
GATEWAY_NETWORK_SECURITYPOLICY: "Unrestricted"
IGNITION_EDITION: "standard"

Default backend.args:

- "-m"
- "1024"
- "-n"
- "$(GATEWAY_SYSTEM_NAME)"
- "--"
- "gateway.useProxyForwardedHeader=true"

Web Server SSL/TLS (Backend)

Parameter	Type	Default
`backend.ssl.enabled`	bool	`false`
`backend.ssl.secretName”	string	`""`

Security & Monitoring (Backend)

Parameter	Type	Default
`backend.networkPolicy.enabled`	bool	`false`
`backend.serviceMonitor.enabled`	bool	`false`
`backend.serviceMonitor.interval`	string	`"30s"`

Redundancy (Backend)

Parameter	Type	Default
`backend.redundancy.enabled`	bool	`false`
`backend.redundancy`	object	(See below)

Default backend.redundancy:

backupFailoverTimeout: 10000
enableSsl: true
enabled: true
httpConnectTimeout: 10000
httpReadTimeout: 60000
joinWaitTime: 30000
masterRecoveryMode: "Automatic"
maxDiskMb: 100
pingMaxMissed: 10
pingRate: 1000
pingTimeout: 300
syncTimeoutSecs: 60
websocketTimeout: 10000

Persistence (Backend)

Parameter	Type	Default
`backend.persistence.size`	string	`"3Gi"`
`backend.persistence.accessModes`	list	`["ReadWriteOnce"]`
`backend.persistence.storageClassName`	string	`""`
`backend.localMounts`	list	`[]`
`backend.restore.enabled`	bool	`false`
`backend.restore.url`	string	`""`

Networking (Backend)

Parameter	Type	Default
`backend.service.type”	string	`"NodePort"`
`backend.service.ports`	object	`{"gan":8060,"http":8088,"https":8043}`
`backend.service.nodePorts`	object	`{}`
`backend.service.sessionAffinity`	string	`"None"`
`backend.ingress.enabled`	bool	`false`
`backend.ingress.tls`	list	`[]`

Resources & Security (Backend)

Parameter	Type	Default
`backend.resources.requests`	object	`{"cpu":"500m","memory":"1Gi"}`
`backend.resources.limits.cpu`	string	`"1000m"`
`backend.resources.limits.memory`	string	`"2Gi"`
`backend.securityContext`	object	`{"fsGroup":2003,"runAsGroup":2003,"runAsNonRoot":true,"runAsUser":2003}`
`backend.secrets`	object	`{"GATEWAY_ADMIN_PASSWORD":"admin","IGNITION_GAN_KEYSTORE_PASSWORD":"metro","IGNITION_WEB_KEYSTORE_PASSWORD":"ignition"}`
`backend.sealedSecrets`	bool	`false`

Probes (Backend)

Parameter	Type	Default
`backend.livenessProbe`	object	(See below)
`backend.readinessProbe`	object	(See below)

Default backend.livenessProbe:

command: ["/config/scripts/health-check.sh"]
enabled: true
failureThreshold: 3
initialDelaySeconds: 120
periodSeconds: 10
timeoutSeconds: 5

Default backend.readinessProbe:

command: ["/config/scripts/health-check.sh"]
enabled: true
failureThreshold: 10
initialDelaySeconds: 120
periodSeconds: 5
timeoutSeconds: 3

Frontend Configuration

The Frontend acts as the agent, serving client sessions (Perspective, Vision).

Ignition Settings (Frontend)

Parameter	Type	Default
`frontend.config`	object	(See below)
`frontend.args`	list	(See below)
`frontend.logging.level`	string	`"INFO"`
`frontend.eam.role`	string	`"Agent"`
`frontend.tls.keystorePassword`	string	`"ignition"`
`frontend.gan.keystorePassword`	string	`"metro"`

Default frontend.config:

ACCEPT_IGNITION_EULA: "Y"
DISABLE_QUICKSTART: "true"
GATEWAY_ADMIN_USERNAME: "admin"
GATEWAY_MODULES_ENABLED: "perspective,symbol-factory"
GATEWAY_NETWORK_REQUIRETWOWAYAUTH: "true"
GATEWAY_NETWORK_SECURITYPOLICY: "Unrestricted"
IGNITION_EDITION: "standard"

Default frontend.args:

- "-m"
- "1024"
- "-n"
- "$(GATEWAY_SYSTEM_NAME)"
- "--"
- "gateway.useProxyForwardedHeader=true"

Web Server SSL/TLS (Frontend)

Parameter	Type	Default
`frontend.ssl.enabled`	bool	`false`
`frontend.ssl.secretName`	string	`""`

Security & Monitoring (Frontend)

Parameter	Type	Default
`frontend.networkPolicy.enabled`	bool	`false`
`frontend.serviceMonitor.enabled`	bool	`false`
`frontend.serviceMonitor.interval`	string	`"30s"`

Scaling & HPA (Frontend)

Parameter	Type	Default
`frontend.redundancy.replicas`	int	`1`
`frontend.hpa.enabled`	bool	`false`
`frontend.hpa.minReplicas`	int	`1`
`frontend.hpa.maxReplicas`	int	`10`
`frontend.hpa.targetCPUUtilizationPercentage`	int	`80`

Networking (Frontend)

Parameter	Type	Default
`frontend.service.type`	string	`"NodePort"`
`frontend.service.ports`	object	`{"gan":8060,"http":8088,"https":8043}`
`frontend.service.nodePorts`	object	`{}`
`frontend.service.sessionAffinity`	string	`"None"`
`frontend.ingress.enabled`	bool	`false`
`frontend.ingress.tls`	list	`[]`

Resources & Security (Frontend)

Parameter	Type	Default
`frontend.resources.requests`	object	`{"cpu":"500m","memory":"1Gi"}`
`frontend.resources.limits.cpu`	string	`"1000m"`
`frontend.resources.limits.memory`	string	`"2Gi"`
`frontend.localMounts`	list	`[]`
`frontend.securityContext`	object	`{"fsGroup":2003,"runAsGroup":2003,"runAsNonRoot":true,"runAsUser":2003}`
`frontend.secrets`	object	`{"GATEWAY_ADMIN_PASSWORD":"admin"}`
`frontend.sealedSecrets`	bool	`false`

Probes (Frontend)

Parameter	Type	Default
`frontend.livenessProbe`	object	(See below)
`frontend.readinessProbe`	object	(See below)

Default frontend.livenessProbe:

command: ["/config/scripts/health-check.sh"]
enabled: true
failureThreshold: 3
initialDelaySeconds: 120
periodSeconds: 10
timeoutSeconds: 5

Default frontend.readinessProbe:

command: ["/config/scripts/health-check.sh"]
enabled: true
failureThreshold: 10
initialDelaySeconds: 15
periodSeconds: 5
timeoutSeconds: 3