Install on Kubernetes

This guide covers the necessary steps to install and configure the Grey Matter service mesh on a cloud based Kubernetes cluster. While these instructions should support all versions of Kubernetes, they have been tested and confirmed against versions 1.15, 1.16, 1.17, 1.18.

Warning: The Grey Matter mesh installed at the end of this guide is not intended for production use. Contact Grey Matter Customer Support for more information on a Production deployment.


  1. helm v3

  2. eksctl

  3. kubectl

  4. Grey Matter credentials requested via Grey Matter Support


1. Create Kubernetes Cluster

NOTE: If you already have a Kubernetes cluster up and running, move to Step 2. Just verify you can connect to the cluster with a command like kubectl get nodes.

Amazon EKS
Google GKE
Microsoft AKS
Amazon EKS

For this deployment, we'll use Amazon EKS to automatically provision a Kubernetes cluster for us. eksctl will use your preconfigured default AWS credentials to create master and worker nodes to our specifications, and configure kubectl so we can manipulate the cluster.

The regions, node type/size and other settings can be tuned to your use case. The values given are basic settings. Run, the following command:

eksctl create cluster \
--name production \
--version 1.17 \
--nodegroup-name workers \
--node-type m5.2xlarge \
--nodes=2 \
--node-ami auto \
--region us-east-1 \
--zones us-east-1a,us-east-1b \
--profile default

After 10 - 15 minutes, your cluster should be ready. You can test that your configuration is correct by running:

eksctl get cluster --region us-east-1 --profile default
eksctl get nodegroup --region us-east-1 --profile default --cluster production
Google GKE

For this deployment, we'll use Google GKE to automatically provision a Kubernetes cluster for us. gcloud will create master and worker nodes to our specifications, and configure kubectl so we can manipulate the cluster.

The regions, node type/size and other settings can be tuned to your use case. The values given are basic settings. Run, the following command:

gcloud container clusters create production \
--machine-type e2-standard-8 \
--num-nodes 2 \
--cluster-version 1.17 \
--zone us-central1-a \
--node-locations us-central1-a

After 3-5 minutes, your cluster should be ready. You can test that your configuration is correct by running:

gcloud container clusters list
Microsoft AKS

For this deployment, we'll use Microsoft AKS to automatically provision a Kubernetes cluster for us. az will create master and worker nodes to our specifications, and configure kubectl so we can manipulate the cluster.

The regions, node type/size and other settings can be tuned to your use case. The values given are basic settings. Run, the following commands:

az group create --name production --location eastus
az aks create --resource-group production \
--name production \
--node-vm-size standard_b8ms \
--node-count 2 \
--kubernetes-version 1.17.13 \
--enable-addons monitoring \

Now we'll use az to retrieve our credentials and setup kubectl for access to the cluster.

az aks get-credentials --resource-group production --name production

After 3-5 minutes, your cluster should be ready. You can test that your configuration is correct by running:

az aks list

2. Set up Credentials

The credentials identified in the prerequisite steps are used to create a Kubernetes Image Pull Secret that grants access to the Grey Matter Docker images in the Grey Matter Nexus Repository.

If you do not have credentials yet, please contact Grey Matter support.

3. Get the Grey Matter Helm Charts

The Grey Matter Helm Charts are available from our GitHub helm-charts repository. Run the following command to add our helm charts repository.

helm repo add greymatter
helm repo update

4. Set up Secrets

Using your credentials, create the following file and save it as credentials.yaml.

- registry:
email: <username>
username: <username>
password: <password>

5. Generate Configurations

Run the following to download the base configuration file:


This file is where you can specify any custom configurations for the installation. The file downloaded as is will install Grey Matter with all default values. If you wish to modify the defaults, make changes to any existing values in global.yaml.

Some configuration changes will change the installation process.

If you set global.spire.enabled to false, skip the server and agent release installations in step 6.

If you set to true, you will need to add the data installation to part 3 of step 6, helm install data greymatter/data -f global.yaml --set=global.environment=eks --set=global.waiter.service_account.create=false.

To set more complex configurations like image versions, service environment variables, etc., check out the values files in each of the Grey Matter helm charts. Any additional configurations you wish to set can be added to the global.yaml file with the same directory structure as found in the <chart>/values.yaml file.

For example, to set the version of the Grey Matter proxy for the edge proxy, just simply replace the version as indicated below:

version: '<desired-version>'

6. Install

Grey Matter is made up of a handful of components, each handling different pieces of the overall platform. Once you have set up your credentials.yaml and global.yaml files, run the following steps in order:

  1. Install the necessary secrets

    Grey Matter requires several Kubernetes secrets. The necessary secrets have been extracted into a single helm-chart for ease of installation.

    helm install secrets greymatter/secrets --version 2.4.2 -f credentials.yaml -f global.yaml
  2. Install SPIRE server and agent

    This guide will use SPIRE to issue certificates to enable mTLS through the mesh. These commands will install the SPIRE server and agents into the spire namespace.

    helm install spire-server greymatter/server --version 2.3.0 -f global.yaml

    Before installing the agent, watch the server pod come up:

    kubectl get pods -n spire -w

    Wait until the server pod is 2/2:

    server-0 2/2 Running 1 3h54m

    Then, install the spire agent:

    helm install spire-agent greymatter/agent --version 2.3.0 -f global.yaml

    Verify SPIRE installation

    kubectl get pods -n spire -w

    The SPIRE agent runs as a DaemonSet, so the number of Agent pods is directly related to how many nodes are in your cluster.

    agent-5d7q4 1/1 Running 0 3h54m
    agent-8c9lq 1/1 Running 0 3h54m
    agent-s2svz 1/1 Running 0 3h54m
    server-0 2/2 Running 1 3h54m
  3. Install Grey Matter Charts

    At this point, we're ready to install Grey Matter. Grey Matter is installed through a series of Helm Charts that install the different components of Grey Matter. You'll notice we're also setting a few values on the command line. These could be updated in the global.yaml file, but we wanted to call them to your attention here.

    • global.environment: This is set to eks to drive EKS specific configurations

    • edge.ingress.type: This is set to LoadBalancer to update the Edge service to modify it to a type of LoadBalancer.

    • global.waiter.service_account.create: This is set to false to prevent the Sense helm-chart from attempting to create the waiter service account.

    helm install fabric greymatter/fabric --version 3.0.16 -f global.yaml --set=global.environment=eks
    helm install edge greymatter/edge --version 3.0.6 -f global.yaml --set=global.environment=eks --set=edge.ingress.type=LoadBalancer
    helm install sense greymatter/sense --version 3.0.11 -f global.yaml --set=global.environment=eks --set=global.waiter.service_account.create=false

    Notice in the edge installation we are setting --set=edge.ingress.type=LoadBalancer, this value sets the service type for edge. The default is ClusterIP. In this example we want an AWS ELB to be created automatically for edge ingress (see below), thus we are setting it to LoadBalancer. See the Kubernetes publishing services docs for guidance on what this value should be in your specific installation.

    If you receive Error: could not find tiller after running the above helm commands, then you're running an older version of Helm and must install Helm v3. If you need to manage multiple versions of Helm, we highly recommend using helmenv to easily switch between versions.

    While these are being installed, you can use the kubectl command to check if everything is running. When all pods are Running or Completed, the install is finished and Grey Matter is ready to go.

    kubectl get pods

    The running output will look like the following:

    catalog-75d4c66477-h9nnr 2/2 Running 0 49s
    catalog-init-v778j 0/1 Completed 0 49s
    control-78f8ccf5f6-krlbd 1/1 Running 0 111s
    control-api-0 2/2 Running 0 111s
    control-api-init-pblsb 0/1 Completed 0 111s
    dashboard-dd95bddbc-hrzm5 2/2 Running 0 49s
    edge-d56fd6795-qdctl 1/1 Running 0 63s
    jwt-redis-6b84846ffc-fkpjg 1/1 Running 0 111s
    jwt-security-7bc8bfb9f-jbz6l 2/2 Running 0 111s
    mesh-redis-0 1/1 Running 0 111s
    postgres-slo-0 1/1 Running 0 49s
    prometheus-0 2/2 Running 0 49s
    slo-d98698db9-p7ksz 2/2 Running 0 49s

7. Accessing the Application

  1. Get the User Certificate

    By default, Grey Matter leverages mutual TLS (mTLS) communications for all traffic, including inbound traffic to the mesh. This means that all https requests must include TLS certificates whether that be via a web browser or RESTful client. The Grey Matter helm charts have the ability to generate random Ingress and User certificates to ensure unique certificates every time a cluster is launched. For web based authentication, these certificates can then be imported into a web browser, to access resources in the mesh.

    Following the instructions in this guide, Grey Matter will automatically provision the required mTLS certificates for the server and the user.

    To get the user certificate, run these commands:

    kubectl get secret greymatter-user-cert -o jsonpath="{.data['tls\.crt']}" | base64 -d > tls.crt
    kubectl get secret greymatter-user-cert -o jsonpath="{.data['tls\.key']}" | base64 -d > tls.key
    kubectl get secret greymatter-user-cert -o jsonpath="{.data['ca\.crt']}" | base64 -d > ca.crt

    Then create a new p12 certificate and load it into your browser:

    openssl pkcs12 -export -out greymatter.p12 -inkey tls.key -in tls.crt -certfile ca.crt -passout pass:password

    If you want to provide your own valid certificates for ingress, set to false and provide the cert information in the secrets chart, at .Values.edge.certificate.ingress. You will need to ensure you have a valid User certificate from the same Certificate Authority for Grey Matter to authenticate the user.

  2. Access Grey Matter

    An Amazon ELB will be created automatically when we specified the flags --set=global.environment=eks and --set=edge.ingress.type=LoadBalancer during installation. The ELB is accessible through the randomly created URL attached to the edge service:

    kubectl get svc edge

    The output will look like the following:

    edge LoadBalancer 10808:31098/TCP,8081:31216/TCP 4m

    Visit the url listed under EXTERNAL-IP (e.g. in the browser to access the Grey Matter application:

    Grey Matter application

Configure the Grey Matter CLI

In order to add or modify service configurations, make sure you have the greymatter CLI installed.

To configure it for this installation, replace {edge-amazon-elb-dns} with the edge service external IP from step 5, and replace <path/to/greymatter/helm-charts> with the path on your machine to the Grey Matter Helm Charts directory in the block below:

export EDITOR=vim
export GREYMATTER_API_HOST={edge-amazon-elb-dns}:10808
export GREYMATTER_API_PREFIX=/services/control-api/latest
export GREYMATTER_API_SSLCERT=<path/to/greymatter/helm-charts>/certs/quickstart.crt
export GREYMATTER_API_SSLKEY=<path/to/greymatter/helm-charts>/certs/quickstart.key
export GREYMATTER_CATALOG_HOST={edge-amazon-elb-dns}:10808
export GREYMATTER_CATALOG_PREFIX=/services/catalog/latest
export GREYMATTER_CATALOG_SSLCERT=<path/to/greymatter/helm-charts>/certs/quickstart.crt
export GREYMATTER_CATALOG_SSLKEY=<path/to/greymatter/helm-charts>/certs/quickstart.key
export GREYMATTER_CATALOG_ZONENAME=zone-default-zone

Now if you can run greymatter list cluster and greymatter list catalog_cluster and there are no errors, the CLI is properly configured.


Delete the Grey Matter Installation

helm uninstall sense edge fabric spire-agent spire-server secrets

Delete The Kubernetes Cluster

NOTE: this deletion actually takes longer than the output would indicate to terminate all resources. Attempting to create a new cluster with the same name will fail for some time until all resources are purged.

Amazon EKS
Google GKE
Microsoft AKS
Amazon EKS
eksctl delete cluster --name production
[] using region us-east-1
[] deleting EKS cluster "production"
[] kubeconfig has been updated
[] cleaning up LoadBalancer services
[] 2 sequential tasks: { delete nodegroup "workers", delete cluster control plane "prod" [async] }
[] will delete stack "eksctl-production-nodegroup-workers"
[] waiting for stack "eksctl-production-nodegroup-workers" to get deleted
[] will delete stack "eksctl-production-cluster"
[] all cluster resources were deleted
Google GKE
gcloud container clusters delete production --quiet
Deleting cluster production...done.
Deleted [].
Microsoft AKS
az aks delete --resource-group production --name production -y