diff --git a/content/en/docs/deployment/private-cloud/private-cloud-cluster/_index.md b/content/en/docs/deployment/private-cloud/private-cloud-cluster/_index.md index 855f60a830e..4eb4dbd4e12 100644 --- a/content/en/docs/deployment/private-cloud/private-cloud-cluster/_index.md +++ b/content/en/docs/deployment/private-cloud/private-cloud-cluster/_index.md @@ -26,6 +26,7 @@ To create a cluster in your OpenShift context, you need the following: * A supported Kubernetes platform; for more information, see [Supported Versions](/developerportal/deploy/private-cloud-supported-environments/#supported-versions) * An administration account for your OpenShift or Kubernetes platform * **OpenShift CLI** installed (see [Getting started with the CLI](https://docs.openshift.com/container-platform/4.1/cli_reference/getting-started-cli.html) on the Red Hat OpenShift website for more information) if you are creating clusters on OpenShift +* **STACKIT CLI** [installed](https://github.com/stackitcloud/stackit-cli/blob/main/INSTALLATION.md) if you are creating clusters on STACKIT * **Kubectl** installed if you are deploying to another Kubernetes platform (see [Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on the Kubernetes webside for more information) * A command line terminal that supports the console API and mouse interactions. In Windows, this could be PowerShell or the Windows Command Prompt. See [Terminal limitations](#terminal-limitations), below, for a more detailed explanation. diff --git a/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-registry.md b/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-registry.md index 16308b23ec4..fb5482d5879 100644 --- a/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-registry.md +++ b/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-registry.md 
@@ -25,6 +25,7 @@ Some examples of such container registries are: * Docker Hub * Azure ACR [admin account](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account) * Self-hosted registries such as [Sonartype Nexus](https://www.sonatype.com/products/nexus-repository) +* STACKIT container registry However, static credentials are often considered insecure, and cloud providers offer alternative authentication methods based on short-lived tokens. For example, pushing an image to ECR requires getting a short-lived token from the AWS API. For more details about specific container registries, see the [Configuring the Registry](#configure-registry) section. 
@@ -279,6 +280,27 @@ To access quay.io, you will need to create a robot account, and give this accoun Check your image registry documentation to see if repositories can be created automatically (on push) or need to be pre-created. Some registries impose limitations on repository names, for example the repository path cannot have more than three parts. +**STACKIT container registry** + +| Field | Value | +| ------------------- | -----------------------------------------------------------------------------------------------| +| Push URL | registry.onstackit.cloud | +| Pull URL | registry.onstackit.cloud | +| Registry name | `/`, where `` is the registry you created in STACKIT | +| With authentication | enabled | +| User | Username for the registry robot account | +| Password | Token (password) for the robot account | + +Before pushing images to container registry, you must first create the registry. + +Example: + + ```shell + kubectl patch serviceaccount default -n -p '{"imagePullSecrets": [{"name": ""}]}' + ``` +In order to fetch the container images from container registry, make sure to patch the `default` service account with the registry credentials. +Both mxpc-cli and mx-ops-cli automatically generate a secret named mendix-generic-registry-secret. This secret holds the necessary registry credentials, enabling pods to pull images. + ### Existing Docker Registry Secret If you already have a existing `~/.docker/config.json` file, you can use it directly by choosing the `docker-secret` option. diff --git a/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-storage-plans.md b/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-storage-plans.md index 054820bcff2..decd3db21f2 100644 --- a/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-storage-plans.md +++ b/content/en/docs/deployment/private-cloud/private-cloud-cluster/private-cloud-storage-plans.md 
@@ -215,6 +215,10 @@ If you would like to have more control over database configuration, consider usi If your provider is AWS, [Postgres IAM authentication](#database-postgres-iam) can be used instead to increase security. If your provider is Azure, [Postgres managed identity authentication](#database-postgres-azwi) can be used instead to increase security. +{{% alert color="info" %}} +In case of STACKIT PostgreSQL Flex, the Mendix on-demand PostgreSQL provisioner cannot be used directly. STACKIT PostgreSQL Flex does not expose the `CREATEROLE` privilege, which is necessary for Mendix to automatically create database users with SQL commands. In order to facilitate the use of Postgres, switch to [JDBC plan](#database-jdbc) and create a dedicated database user for the new Mendix environment using the STACKIT CLI or API. +{{% /alert %}} + ##### Prerequisites * A Postgres server - for example, an RDS instance, or a Postgres server installed from a Helm chart @@ -764,6 +768,10 @@ Azure workload identities allow a Kubernetes Service Account to authenticate its JDBC databases are dedicated, basic databases. The **Dedicated JDBC** plan enables you to enter the [database configuration parameters](/refguide/custom-settings/) for an existing database directly, as supported by the Mendix Runtime. This plan allows to configure and use any database supported by the Mendix Runtime, including Oracle. +{{% alert color="info" %}} +In order to use **STACKIT PostgreSQL Flex** db, use the JDBC plan and provide the connection details as per the STACKIT documentation. Use the STACKIT CLI or API to create a dedicated database user for the new Mendix environment. +{{% /alert %}} + #### Prerequisites * A database server, for example Postgres or Oracle. 
@@ -1884,6 +1892,54 @@ In the Ceph plan configuration, enter the following details: * **Access Key** and **Secret Key** - Credentials to access the bucket. * **Type** - Specifies if the container can be shared between environments (create an on-demand storage plan); or that the container can only be used by one environment (create a dedicated storage plan). To increase security and prevent environments from being able to access each other's data, select **Dedicated**. +### STACKIT Object Storage {#stackit-object-storage} + +This basic, dedicated option allows to attach an existing S3-compatible bucket and credentials (access and secret keys) to one or more environments. +All apps (environments) will use the same bucket and credentials (access and secret keys). However, with this approach, environments share a common storage namespace, which can lead to potential data isolation issues and increased security risks if not managed carefully. +Another option is to use a dedicated object storage bucket for each environment. + +#### Prerequisites + +* A S3-compatible bucket. +* An Access and Secret key with permissions to access the bucket. + +#### Limitations + +* Access/Secret keys used by existing environments can only be rotated manually. +* No isolation between environments using the storage plan if using same bucket for all environments +* Configuration parameters will not be validated and will be provided to the Mendix app as-is. If the arguments are not valid or there is an issue with permissions, the Mendix Runtime will fail to start, and the deployment will appear to hang with **Replicas running** and **Runtime** showing a spinner. + +#### Environment Isolation + +* The S3-compatible bucket and credentials (access and secret keys) are shared between all environments using this plan. +* An environment can access data from other environments using this Storage Plan. 
+* By creating a dedicated bucket per environment, isolation between the environments can be achieved. + +#### Create Workflow + +When a new environment is created, the Mendix Operator performs the following actions: + +* Generate a unique prefix based on the environment's name, so that each environment stores files in a separate prefix (directory). +* Create a Kubernetes secret to provide connection details to the new app environment - to automatically configure the new environment. + +#### Delete Workflow + +When an existing environment is deleted, the Mendix Operator performs the following actions: + +* Delete that environment's Kubernetes blob file storage credentials secret. + +#### Configuring the Plan + +In the S3 plan configuration, enter the following details: + +* **IRSA Authentication** - Set to **no**. +* **Create bucket per environment** - Set to **No**. +* **Create account (IAM user) per environment** - Set to **No**. +* **Endpoint** - The S3 bucket's endpoint address. +* **Access Key** and **Secret Key** - The credentials for the environment user account. +* **Autogenerate prefix** - Leave it empty +* **Share bucket between environments** - Specifies if the bucket can be shared between environments (create an on-demand storage plan); Enable this option and the bucket will be shared between multiple environments. + ## Walkthroughs This section provides instructions how to set up storage for the most typical use cases. diff --git a/content/en/docs/deployment/private-cloud/private-cloud-supported-environments.md b/content/en/docs/deployment/private-cloud/private-cloud-supported-environments.md index f4310608221..d28d7a2485a 100644 --- a/content/en/docs/deployment/private-cloud/private-cloud-supported-environments.md +++ b/content/en/docs/deployment/private-cloud/private-cloud-supported-environments.md 
@@ -27,6 +27,11 @@ If you want to deploy your app to Amazon EKS, consider using the Mendix for Amaz * [minikube](https://minikube.sigs.k8s.io/docs/) * [Google Cloud Platform](https://cloud.google.com/) * [Google Kubernetes Engine- Autopilot](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview). For more information, see [Mendix on Kubernetes Cluster: GKE Autopilot Workarounds](/developerportal/deploy/private-cloud-cluster/#gke-autopilot-workarounds) +* [STACKIT Kubernetes Engine](https://stackit.com/en/products/runtime/stackit-kubernetes-engine) + +For STACKIT Kubernetes Engine, customers provision the SKE cluster, PostgreSQL Flex database(s), and Object Storage bucket(s) themselves before deploying Mendix. + +Any Kubernetes version offered by SKE that falls within the [Supported Versions](#supported-versions) range is supported. {{% alert color="warning" %}} If deploying to Red Hat OpenShift, you need to specify that specifically when creating your deployment. All other cluster types use generic Kubernetes operations. 
@@ -160,6 +165,10 @@ Mendix Operator supports registry authentication with [workload identity](https: When used together with an [Azure Kubernetes Service](https://azure.microsoft.com/en-us/products/kubernetes-service), Mendix Operator can use [managed identity authentication](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity) assigned to the Mendix Operator's Kubernetes service account. +### STACKIT Container Registry + +[STACKIT Container Registry](https://docs.stackit.cloud/products/developer-platform/container-registry/) is a cloud-native registry that enables you to store, manage and deploy container images securely and efficiently within the STACKIT Cloud. With this tool, you can easily manage the entire lifecycle of your container images (if static credential authentication is used). + ## Databases{#databases} The following databases are supported, and provide the features listed. @@ -208,6 +217,7 @@ The following managed PostgreSQL databases are supported: * [Azure Database for PostgreSQL](https://azure.microsoft.com/en-us/services/postgresql/). * [Google Cloud SQL for PostgreSQL](https://cloud.google.com/sql/docs/postgres). * [Amazon RDS Aurora for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraPostgreSQL.html) +* [STACKIT PostgreSQL Flex](https://stackit.com/en/products/database/stackit-postgresql-flex) Amazon PostgreSQL instances require additional firewall configuration to allow connections from the Kubernetes cluster. 
@@ -243,6 +253,10 @@ The Mendix Operator allows you to specify custom Certificate Authorities to trus Strict TLS mode should only be used with apps created in Mendix 8.15.2 (or later versions), earlier Mendix versions will fail to start when validating the TLS certificate. {{% /alert %}} +{{% alert color="info" %}} +When using STACKIT PostgreSQL Flex, the Mendix on-demand PostgreSQL provisioner cannot be used directly. STACKIT PostgreSQL Flex does not expose the CREATEROLE privilege, which is necessary for Mendix to automatically create database users via SQL commands. Hence, a database user needs to be created per environment before deployment. +{{% /alert %}} + ### Microsoft SQL Server This refers to a SQL Server database which is automatically provisioned by the Operator. If you are connecting to an existing database, you should use the [Dedicated JDBC database](#jdbc) option described below. @@ -346,6 +360,10 @@ Mendix Operator will need the endpoint, access key, and secret key to access the [Ceph](https://ceph.io/en/) is supported with the S3-compatible interface [Ceph Object Gateway](https://docs.ceph.com/en/mimic/radosgw/). The Mendix Operator will need the endpoint, access key, and secret key to access the storage. Please check the Ceph documentation for information on how to get the credentials. +### STACKIT Object Storage (S3 compatible) + +STACKIT's S3-compatible object storage does not implement APIs such as `CreateUser`, `CreatePolicy`, or `CreateBucket`. Because of that, you must first create a bucket which will be shared with your environments. You can also create separate buckets for each environment. + ## Networking {{% alert color="info" %}} diff --git a/content/en/docs/releasenotes/deployment/mendix-for-private-cloud.md b/content/en/docs/releasenotes/deployment/mendix-for-private-cloud.md index 5029cca17a7..f8d0b80725d 100644 --- a/content/en/docs/releasenotes/deployment/mendix-for-private-cloud.md 
+++ b/content/en/docs/releasenotes/deployment/mendix-for-private-cloud.md @@ -12,6 +12,16 @@ For information on the current status of deployment to Mendix on Kubernetes and ## 2026 +### May 20, 2026 + +#### STACKIT support + +* We now officially support deploying Mendix apps to [STACKIT Kubernetes Engine (SKE)](https://stackit.com/en/products/runtime/stackit-kubernetes-engine), with support for [STACKIT PostgreSQL Flex](https://stackit.com/en/products/database/stackit-postgresql-flex), [STACKIT Object Storage](https://docs.stackit.cloud/products/storage/object-storage/) (S3-compatible), and the [STACKIT Container Registry](https://docs.stackit.cloud/products/developer-platform/container-registry/). +* Customers provision the SKE cluster, PostgreSQL Flex database(s), and Object Storage bucket(s) themselves before deploying Mendix. For configuration details, see [Supported Providers](/developerportal/deploy/private-cloud-supported-environments/) and [Storage Plans](/developerportal/deploy/private-cloud-storage-plans/). +* **Known limitations on STACKIT:** + * STACKIT PostgreSQL Flex does not expose the `CREATEROLE` privilege, so the on-demand PostgreSQL provisioner cannot create users automatically. Use the [Dedicated JDBC plan](/developerportal/deploy/private-cloud-storage-plans/#database-jdbc) and create a dedicated database user per environment using the STACKIT CLI or API. + * STACKIT Object Storage does not implement `CreateUser`, `CreatePolicy`, or `CreateBucket`, so buckets must be created up front. You can either share one bucket across environments or pre-create a bucket per environment. + ### May 7, 2026 #### Portal Improvements
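Review bot: In the private-cloud-cluster/_index.md hunk (@@ -26,6 +26,7 @@), the new prerequisite says the STACKIT CLI is needed "if you are creating clusters on STACKIT", but nothing else in this patch uses the CLI to create a cluster: supported-environments states that customers provision the SKE cluster themselves, and the storage-plans alerts use the CLI (or API) only to create a PostgreSQL Flex database user per environment. Say what the CLI is actually needed for, e.g. "**STACKIT CLI** installed if you are deploying to STACKIT Kubernetes Engine and need to create PostgreSQL Flex database users", and match the wording of the neighbouring entries ("installed (see ... for more information)" rather than linking the word "installed"). While touching this list, the adjacent kubectl bullet still reads "Kubernetes webside".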
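Review bot: In the private-cloud-registry.md hunk (@@ -25,6 +25,7 @@), "* STACKIT container registry" is the only entry in this list of static-credential registries without a link and without naming the credential mechanism; the Azure and Nexus entries point at their admin-account or product docs. Link it to the STACKIT Container Registry documentation this patch uses elsewhere (https://docs.stackit.cloud/products/developer-platform/container-registry/) and note that the static credential is a robot account token, which is what the configuration table in the @@ -279 hunk asks for. Also pick one capitalization; the other files in this patch write "STACKIT Container Registry".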
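Review bot: In the private-cloud-registry.md hunk (@@ -279,6 +280,27 @@), the prose and the example are out of order and the placeholders are empty. "Before pushing images to container registry, you must first create the registry. Example:" is followed by a `kubectl patch serviceaccount default ...` command, which does not create a registry; the sentence that explains the command ("In order to fetch the container images ... patch the `default` service account") comes after the fence. Move that sentence above the fence, and either drop "Example:" from the registry-creation sentence or link the STACKIT docs for creating a registry. In the table, "Registry name" renders as `/`, and the command has `-n ` and `"name": ""` with nothing after them, so the registry, namespace and secret placeholders are being swallowed (angle-bracket placeholders in Hugo markdown need escaping); use a placeholder that survives rendering. The last line says mxpc-cli and mx-ops-cli already generate `mendix-generic-registry-secret`; state whether the manual patch is still needed and, if so, that this is the name to put in `imagePullSecrets`, otherwise readers will create a second secret. One caveat worth a sentence: a pull secret attached to the `default` service account is usable by every pod in that namespace that runs under it, so this should be done in the Mendix namespace only.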
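Review bot: In the private-cloud-storage-plans.md hunk (@@ -215,6 +215,10 @@), this alert is the first of four near-identical statements of the CREATEROLE limitation in the patch (this one, the @@ -764 alert below, the @@ -243 alert in supported-environments, and the release note). Keep the full explanation once, here, where the on-demand PostgreSQL provisioner is chosen, and have the others link to it so the wording does not drift when the limitation changes. Also "In case of STACKIT PostgreSQL Flex" reads awkwardly next to the two sentences above it; "If your provider is STACKIT, ..." matches the existing "If your provider is AWS/Azure" pattern.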
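Review bot: In the private-cloud-storage-plans.md hunk (@@ -764,6 +768,10 @@), the alert says "provide the connection details as per the STACKIT documentation" without linking that documentation, and abbreviates to "db" where the rest of the page writes "database". Link the PostgreSQL Flex docs and the CLI reference for creating a user, and spell out the expectation a practitioner will ask about: one dedicated user per environment with access only to that environment's database, not the instance's administrative user, since the whole reason for this alert is that the Operator cannot create such users itself.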
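Review bot: In the private-cloud-storage-plans.md hunk (@@ -1884,6 +1892,54 @@), "Configuring the Plan" contradicts the workflow above it and documents only one of the two options the introduction promises. "**Autogenerate prefix** - Leave it empty" sits next to "Generate a unique prefix based on the environment's name, so that each environment stores files in a separate prefix": if the Operator always generates the prefix, say so and explain what the field is for; if leaving it empty disables the prefix, the Create Workflow is wrong. The introduction and Environment Isolation both say a dedicated bucket per environment is possible, but the configuration describes only the shared case ("**Share bucket between environments** ... Enable this option"); add the per-environment settings or drop the claim (the release note repeats it). State plainly that the prefix is a naming convention, not an access boundary: with one access/secret key pair shared by every environment, any environment can read or delete another environment's prefix, which the "An environment can access data from other environments" bullet already implies. Smaller points: the section is "STACKIT Object Storage" but the configuration text says "In the S3 plan configuration"; the Delete Workflow lists only the secret, so say whether the environment's objects remain in the bucket; "A S3-compatible bucket" should be "An S3-compatible bucket" and "allows to attach" should be "allows you to attach".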
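Review bot: In the private-cloud-supported-environments.md hunk (@@ -27,6 +27,11 @@), the sentence "customers provision the SKE cluster, PostgreSQL Flex database(s), and Object Storage bucket(s) themselves before deploying Mendix" omits the STACKIT Container Registry and its robot account, which the private-cloud-registry change in this same patch requires to exist before the first image push. Add it here so the list of up-front work is complete in one place, and keep the matching sentence in the release note in sync.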
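Review bot: In the private-cloud-supported-environments.md hunk (@@ -160,6 +165,10 @@), the new "### STACKIT Container Registry" section sits under registry authentication, right after the workload-identity (EKS) and managed-identity (AKS) paragraphs, yet its body is product description ("store, manage and deploy container images securely and efficiently"), and the only authentication fact is a trailing parenthetical "(if static credential authentication is used)" attached to a clause about image lifecycle. Replace the marketing sentence with what a reader needs at this point: the Mendix Operator authenticates to the STACKIT Container Registry with a robot account username and token (static credentials) only, there is no workload-identity or managed-identity equivalent, and link the configuration table in the private-cloud-registry page.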
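Review bot: In the private-cloud-supported-environments.md hunk (@@ -208,6 +217,7 @@), the new "* [STACKIT PostgreSQL Flex](...)" bullet is the only item in the list without a trailing period. The context line directly below says Amazon PostgreSQL instances need additional firewall configuration to accept connections from the cluster; say whether PostgreSQL Flex needs equivalent network allow-listing for the SKE cluster, or explicitly that it does not, since readers will otherwise assume the remark is AWS-only.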
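Review bot: In the private-cloud-supported-environments.md hunk (@@ -243,6 +253,10 @@), this alert is the third copy of the CREATEROLE limitation in the patch and the only one that does not say where to go next: "a database user needs to be created per environment before deployment" should point at the Dedicated JDBC database option that this same file already links as (#jdbc) in the SQL Server paragraph two lines below. Consider reducing it to one sentence plus that link and keeping the full explanation in the storage-plans page.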
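Review bot: In the private-cloud-supported-environments.md hunk (@@ -346,6 +360,10 @@), "does not implement APIs such as `CreateUser`, `CreatePolicy`, or `CreateBucket`" mixes two API families: `CreateUser` and `CreatePolicy` are AWS IAM calls, `CreateBucket` is an S3 call, and an S3-compatible endpoint would not be expected to serve IAM at all. State the consequence instead: the Operator cannot create per-environment credentials or buckets on STACKIT, so the bucket and an access/secret key pair must be created up front and handed to the Operator, mirroring the MinIO and Ceph paragraphs above ("The Mendix Operator will need the endpoint, access key, and secret key"). Link the new plan section, whose `#stackit-object-storage` anchor this patch defines in private-cloud-storage-plans.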
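Review bot: In the mendix-for-private-cloud.md release-notes hunk (@@ -12,6 +12,16 @@), two of the "Known limitations" bullets restate claims the rest of the patch documents inconsistently. The Object Storage bullet repeats the `CreateUser`/`CreatePolicy`/`CreateBucket` list (IAM calls and an S3 call mixed together) and promises "pre-create a bucket per environment", while the Configuring the Plan section in storage-plans documents only the shared-bucket settings; either document the per-environment path there or narrow this sentence. The provisioning bullet ("Customers provision the SKE cluster, PostgreSQL Flex database(s), and Object Storage bucket(s) themselves") omits the container registry and robot account that the registry page requires before the first push.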