Kubernetes

  • Kubernetes cluster with a default StorageClass when bundled databases are used
  • Helm 3 or newer
  • Repository checkout with deploy/k8s
  • Oriel image available at arbor.klado.dev/oriel/oriel

The chart default image repository is arbor.klado.dev/oriel/oriel. Set image.tag to the pushed release tag for production installs.

Fetch chart dependencies:

helm dependency build deploy/k8s

Install Oriel with bundled PostgreSQL and ClickHouse:

helm install oriel deploy/k8s --namespace oriel --create-namespace --set image.tag=dev

The default install creates a Secret named oriel-db-auth for database passwords, Oriel DSNs, and ORIEL_AUTH_COOKIE_SECRET. Generated values are preserved on upgrade while the Secret remains in the cluster.

For external databases, create a Secret with the Oriel application DSNs and ORIEL_AUTH_COOKIE_SECRET:

kubectl create secret generic oriel-external \
  --namespace oriel \
  --from-literal=ORIEL_METADATA_DSN='postgres://oriel:...@postgres.example.com:5432/oriel' \
  --from-literal=ORIEL_CLICKHOUSE_DSN='clickhouse://oriel:...@clickhouse.example.com:9000/oriel' \
  --from-literal=ORIEL_VALKEY_DSN='valkey://:...@valkey.example.com:6379/0' \
  --from-literal=ORIEL_AUTH_COOKIE_SECRET='replace-with-a-stable-random-secret'
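
One way to create the same oriel-external Secret with a generated cookie secret and without typing DSN passwords on a command line. This is an added example, not part of the Oriel documentation; the function names and script name are hypothetical, and it assumes the three DSN variables are already set in the environment.

```shell
set -eu

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_cookie_secret() {
  head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Write KEY=VALUE lines to file $1, created with mode 0600. The DSNs are read
# from variables already set in the environment, so no password is typed on a
# command line (shell history, process list).
write_env_file() {
  local out key val
  out=$1
  ( umask 077; : > "$out" )
  for key in ORIEL_METADATA_DSN ORIEL_CLICKHOUSE_DSN ORIEL_VALKEY_DSN; do
    eval "val=\${$key:-}"
    case $val in
      # Unset, or still carrying the "..." password placeholder.
      ''|*:...@*) echo "refusing $key: unset or placeholder" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$key" "$val" >> "$out"
  done
  printf 'ORIEL_AUTH_COOKIE_SECRET=%s\n' "$(gen_cookie_secret)" >> "$out"
}

# "kubectl create" fails if oriel-external already exists, so a rerun cannot
# silently replace the cookie secret that has to stay stable.
create_secret() {
  local envfile rc
  rc=0
  envfile=$(mktemp)
  write_env_file "$envfile" &&
    kubectl create secret generic oriel-external \
      --namespace oriel --from-env-file="$envfile" || rc=$?
  rm -f "$envfile"
  return "$rc"
}

# Functions only unless invoked as: sh make-secret.sh apply (hypothetical name)
if [ "${1:-}" = "apply" ]; then create_secret; fi
```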

Install with bundled databases disabled:

helm install oriel deploy/k8s \
  --namespace oriel \
  --create-namespace \
  --set image.tag=dev \
  --set postgresql.enabled=false \
  --set clickhouse.enabled=false \
  --set valkey.enabled=false \
  --set oriel.secrets.existingAppSecret=oriel-external

The chart creates separate Services for API/UI, OTLP gRPC, and OTLP HTTP:

Service      Default port
API/UI       6743
OTLP gRPC    4317
OTLP HTTP    4318

Services default to ClusterIP. Set service.*.type to NodePort or LoadBalancer when the cluster exposes traffic directly. Use ingress.api, ingress.otlpHttp, and ingress.otlpGrpc for controller-managed ingress.

Set oriel.config.server.publicUrl to the externally visible HTTPS URL when the UI/API is behind ingress or a proxy.

Default mode runs one Deployment:

oriel:
  roleMode: all

Split mode runs query, ingest, and worker Deployments:

oriel:
  roleMode: split
  replicas:
    query: 2
    ingest: 2
    worker: 1

In split mode, the API Service targets query pods and OTLP Services target ingest pods.

Run the Helm test:

helm test oriel -n oriel

Bootstrap the first admin:

kubectl exec -n oriel deploy/oriel -- \
  env ORIEL_BOOTSTRAP_PASSWORD='change-me' \
  oriel admin bootstrap --email you@example.com

Create a workspace:

kubectl exec -n oriel deploy/oriel -- oriel admin create-workspace --slug demo

Check pods and migration state:

kubectl get pods -n oriel
kubectl exec -n oriel deploy/oriel -- oriel migrate status

If readiness returns ORL-5002, run migrations with the same environment as the pods:

kubectl exec -n oriel deploy/oriel -- oriel migrate up

If login or OIDC callbacks fail, confirm oriel.config.server.publicUrl matches the external HTTPS URL.