This feature is available in the Enterprise Edition of The Formance Platform.

Requirements

  • Kubernetes
  • Helm
  • Ingress Controller
  • SSL Certificate
  • Oauth2 / OIDC Provider (eg: Dex)
  • Enterprise Edition (EE) license

Deployment Membership on Kubernetes

We will start by creating the values.yaml file, which will contain the configuration values for our deployment. This will make our deployment more flexible and allow us to reuse this file for other deployments. In this example, we will deploy a CloudPrem application consisting of several services:
  • Dex (OAuth2 / OIDC Provider)
  • Membership (Management API)
  • Console (Graphical Interface)
  • PostgreSQL (Database)
Please note, the following values are examples and must be adapted to your environment. The PostgreSQL configuration does not provide any data persistence.
You can retrieve the values.yaml file with the following command: 
# helm show values oci://ghcr.io/formancehq/helm/cloudprem --version v3.0.0 > values.yaml
You can adapt the configuration to your own needs, however, there are some minimum values that you need to replace. If you want more information about the values, please refer to the helm documentation. 
export YOUR_LICENCE=$YOUR_LICENCE_KEY
export YOUR_CLUSTER_ID=$YOUR_CLUSTER_ID
export BASE_DOMAIN=example.com
export BASE_DOMAIN_WILDCARD_CERTIFICATE=example-com-wildcard-certificate-tls

helm install cloudprem oci://ghcr.io/formancehq/helm/cloudprem \
  --version v3.0.0 \
  --namespace formance-system \
  --create-namespace \
  --set global.licence.token=$YOUR_LICENCE_KEY \
  --set global.licence.clusterID=$YOUR_CLUSTER_ID \
  --set global.serviceHost=$BASE_DOMAIN \
  --set membership.ingress.tls[0].secretName=$BASE_DOMAIN_WILDCARD_CERTIFICATE \
  --set portal.ingress.tls[0].secretName=$BASE_DOMAIN_WILDCARD_CERTIFICATE \
  --set console.ingress.tls[0].secretName=$BASE_DOMAIN_WILDCARD_CERTIFICATE \
  --set dex.ingress.tls[0].secretName=$BASE_DOMAIN_WILDCARD_CERTIFICATE
The use of this feature requires an Enterprise Edition (EE) license. Please ensure you have the appropriate license before enabling it.

Configuration of Membership

Create a valid Dex configuration

By default, we deploy a Dex as an OIDC / oAuth2 provider. This allows us to create default users that you can use. It also enables us to connect protocols such as SAMLv2 to OIDC. To do this, you need to follow Dex’s documentation to create a valid configuration.
You can also choose not to deploy Dex and modify Membership’s OIDC configuration to talk directly to the OIDC provider of your choice.

Login to the cluster

fctl --profile demo login --membership-uri https://membership.BASE_URL/api
This will create a new organization and a user.

Add a domain for Auto Login

fctl cloud organizations list
fctl cloud organizations update ORGANIZATION_ID --domain=DOMAIN_NAME --default-organization-role=GUEST --default-stack-role=GUEST
fctl cloud organizations list
The possible values are GUEST or ADMIN. This allows assigning default rights to a user who logs in with an email from the DOMAIN_NAME domain.

Init databases

We will now create a region and a stack in the Membership database. To do this, replace BASE_URL with the domain of your choice.
By default, all communications between Console and your Stack remain internal to the Kubernetes cluster.
insert into membership."regions" (id, base_url, name, creator_id, created_at, production, active) values (
    gen_random_uuid(),
    'https://BASE_URL',
    'default',
    (select id from membership."users" where id = (
        select owner_id from membership."organizations" limit 1
    )),
    now(),
    true,
    true
);
insert into membership."stacks" (name, organization_id, id, region_id, created_at, updated_at, stargate_enabled, client_secret, state, status, expected_status) values (
    'default',
     (select id from membership."organizations" limit 1),
     'demo', -- update if needed, this is your stack id
     (select id from membership."regions" limit 1),
     now(),
     now(),
     false,
     gen_random_uuid(),
     'ACTIVE',
     'READY',
     'READY'
);

Next Steps

Be sure to save your OrganizationID and StackID, as you’ll need them when you create your Stack.
You now have an Organization containing a default region and a stack. In the next steps, you’ll be able to deploy the Operator and then your Stack.