Helm-Based installation

Helm provides a packaged, repeatable installation model that mirrors the existing manifests but simplifies configuration and upgrades.

Overview

The Delphix Containerized Masking Helm chart packages the same components as the Direct Kubernetes Installation into a versioned, configurable release.

Prerequisites

To deploy Containerized Masking via Helm, the following components are required:

Requirement Recommended Version Comments
Kubernetes Cluster 1.25 or above Any Certified Kubernetes platform
Helm 3.9.0 or above Installation instructions: helm.sh/docs/intro/install/
kubectl 1.25.0 or above Used to interact with the Kubernetes cluster

Additional requirements

Obtaining the Helm chart

Charts are available from the Containerized Masking S3 Helm repository. Download the chart tarball:

Copy 
curl -XGET https://delphix-masking-helm.s3.amazonaws.com/delphix-containerized-masking-<version>.tgz \ 
  -o delphix-containerized-masking-<version>.tgz

Optional integrity check:

Copy 
curl -XGET https://delphix-masking-helm.s3.amazonaws.com/index.yaml -o index.yaml 
shasum -a 256 delphix-containerized-masking-<version>.tgz

Verify the SHA-256 output matches the digest value for the same chart version in index.yaml.

Installation

  1. Extract and Configure. Extract the chart and edit values-prod.yaml:

    Copy 
    tar -xzf delphix-containerized-masking-<version>.tgz 
    cd delphix-containerized-masking

    The extracted chart has the following structure:

    Copy 
    delphix-containerized-masking 
    ├── Chart.yaml 
    ├── README.md 
    ├── values.yaml 
    ├── values-prod.yaml 
    ├── values.schema.json 
    └── templates 
      ├── NOTES.txt 
      ├── docker-registry-secret.yaml 
      ├── namespace.yaml 
      ├── persistentvolume-nfs.yaml 
      ├── persistentvolumeclaim-nfs.yaml 
      ├── service-masking.yaml 
      ├── service-masking-debugging.yaml 
      └── statefulset.yaml


    Configure the following settings in values-prod.yaml:

    • Registry credentials (imageCredentials.username, imageCredentials.password): Set values from download.delphix.com

    • Storage size (storage.persistent.size): Use 50Gi minimum for production

    • Storage class (storage.persistent.storageClassName): Set if your cluster requires it

    • Image tags (images.database.tag, images.app.tag, images.proxy.tag): Release charts are pre-set to matching tags; change only when intentionally overriding images (for example, air-gapped or custom registry workflows)

    • Init permissions (initPermissions.enabled): Enable when storage classes do not honor fsGroup

    • Remote file access (storage.nfs): Configure when NFS-based remote mounts are required

    • Custom TLS certificates (proxyCerts): Configure to use custom proxy certificates

    • Container resources (resources): Set CPU/memory per resource requirements

  2. Install the Release

    Copy 
    helm upgrade --install delphix-masking \ 
      delphix-containerized-masking-<version>.tgz \ 
      --namespace delphix-masking \ 
      --create-namespace \ 
      --values <directory path of the extracted chart>/values-prod.yaml

  3. Verify Deployment

    Copy 
    helm status delphix-masking --namespace delphix-masking 
    kubectl get pods --namespace delphix-masking

    Wait for pod delphix-masking-0 to reach Running status (it may take several minutes).

Key configuration options

Image sourcing

Registry-based (with credentials):

Copy 
imageCredentials: 
  registry: "masking.download.delphix.com/delphix-containerized-masking" 
  username: "<username>" 
  password: "<password>" 
imagePullPolicy: IfNotPresent

Air-gapped (pre-loaded images):

Copy 
imageCredentials: 
  registry: "" 
imagePullPolicy: Never 
images: 
  database: 
    repository: "delphix-masking-database" 
  app: 
    repository: "delphix-masking-app"   
  proxy: 
    repository: "delphix-masking-proxy"

For image loading procedures, see Direct Kubernetes Installation.

Storage and resources

All storage and resource configuration follows the same requirements as Direct Kubernetes Installation. Key values-prod.yaml settings:

  • storage.persistent.size - PVC size (50Gi minimum)

  • storage.persistent.storageClassName - Storage class (leave empty for cluster default)

  • initPermissions.enabled - Enable for storage classes that don't honor fsGroup

  • resources.app, resources.database, resources.proxy - CPU/memory requests

For sizing guidance, see Resource Requirements.

Network access

Default service configuration

Copy 
services: 
  masking: 
    type: NodePort 
    nodePorts: 
      http: 30080 
      https: 30443

Access the application at https://<node-ip>:30443/masking.

Change type: ClusterIP or type: NodePort as needed for your environment.

Upgrades and Rollbacks

Upgrading

  1. Download new chart version

  2. Update image tags in your values file (all three must match release version)

  3. Run upgrade:

    Copy 
    helm upgrade delphix-masking \ 
      path/to/delphix-containerized-masking-<new-version>.tgz \ 
      --namespace delphix-masking \ 
      --values path/to/delphix-containerized-masking/values-prod.yaml

    PersistentVolumeClaims are preserved during upgrades, maintaining application state.

Rolling back

Rolling back is not recommended after upgrading.

Advanced configuration

Rendering manifests

Copy 
helm template delphix-masking \ 
  path/to/delphix-containerized-masking-<version>.tgz \ 
  --namespace delphix-masking \ 
  --values path/to/delphix-containerized-masking/values-prod.yaml > my-manifest.yaml

Deploy with: kubectl apply -f my-manifest.yaml.

This bypasses Helm release management (no upgrade/rollback capability).

Custom TLS certificates and LDAP Truststore

Create secret with certificates

Copy 
kubectl create secret generic proxy-certs \ 
  --namespace delphix-masking \ 
  --from-file=server.crt --from-file=server.key

Reference in values

Copy 
proxyConfig: 
  enabled: false 
  configMapName: "" 
  mountPath: "/etc/config" 

proxyCerts: 
  enabled: true 
  secretName: "proxy-certs" 
  mountPath: "/etc/config/nginx/ssl" 

ldapSsl: 
  enabled: false 
  configMapName: "ldap-ssl-config" 
  fileName: ".masking_certs" 
  mountPath: "/var/delphix/ssl/.masking_certs"

Per-Container resources

Specify resource requests/limits in values.yaml.

Copy 
resources: 
  database: 
    requests: 
      cpu: 4 
      memory: 32Gi 
  app: 
    requests: 
      cpu: 8 
      memory: 128Gi 
    limits: 
      memory: 128Gi  # Must equal request for app container 
  proxy: 
    requests: 
      cpu: 1 
      memory: 1Gi

Troubleshooting

Common diagnostics

Copy 
kubectl get pods --namespace delphix-masking 
kubectl describe pod delphix-masking-0 --namespace delphix-masking 
kubectl logs delphix-masking-0 --namespace delphix-masking --container app

Helm-specific issues

  • Image pull errors: Verify imageCredentials in values file; check secret with kubectl get secret -n delphix-masking.

  • Permission errors: Set initPermissions.enabled: true for storage classes that don't honor fsGroup.

  • Chart validation errors: Run helm lint on the chart directory before installing.

For general Containerized Masking troubleshooting, see Direct Kubernetes Installation.

Uninstalling

Copy 
helm uninstall delphix-masking --namespace delphix-masking
PVCs are retained. To delete all data:
Copy 
kubectl delete pvc --namespace delphix-masking --all 
kubectl delete namespace delphix-masking

Additional resources