Version 3.0.0

Prerequisites

This section describes the prerequisites for installing TDP Kubernetes. Ensure every item is satisfied before you start installing the components.

Infrastructure requirements

Kubernetes cluster

  • Kubernetes version 1.27 or higher
  • Operational cluster with at least 3 worker nodes (recommended for high availability)
  • Administrative access to the cluster via kubectl

Command-line tools

Tool | Minimum version | Description
kubectl | 1.27+ | Kubernetes CLI, configured for the target cluster
helm | 3.2.0+ | Kubernetes package manager used to install the charts

Check installed versions:

Terminal input
kubectl version --client
helm version

Storage classes

TDP Kubernetes requires Storage Classes configured in the cluster for dynamic provisioning of persistent volumes.

Access mode | Use | Required
ReadWriteOnce (RWO) | Used by most components (PostgreSQL, Kafka, ClickHouse, etc.) | Yes
ReadWriteMany (RWX) | Required for Apache Airflow (shared DAGs and logs across workers) | Conditional

Note

ReadWriteMany (RWX) is mandatory only if Apache Airflow is installed in cluster mode. Solutions such as NFS, CephFS, or Azure Files can provide RWX support.

Check available Storage Classes in the cluster:

Terminal input
kubectl get storageclass

HTTP/HTTPS exposure for components

You need an HTTP/HTTPS ingress solution to expose the web UIs of some TDP Kubernetes components, such as Airflow, Superset, ArgoCD, NiFi, and JupyterHub.

Ingress controller

The environment may use an Ingress controller to publish web services in the cluster.

Common examples:

  • NGINX Ingress Controller
  • Traefik
  • HAProxy
  • AWS Load Balancer Controller

Check whether an Ingress controller is installed in the cluster. Example with NGINX Ingress Controller:

Terminal input
kubectl get ingressclass

Gateway API

The environment may also use Gateway API, provided the cluster already has the resources and a compatible controller installed.

Example check:

Terminal input
kubectl get gatewayclass
Note

The Ingress API in Kubernetes is frozen and no longer receives new features. In addition, the Ingress NGINX project was retired in March 2026. Whether you use an Ingress controller or Gateway API should follow your environment strategy and the implementations supported on the cluster.

Networking

DNS

  • Kubernetes cluster nodes must have working DNS resolution
  • Configure DNS records for services exposed via Ingress (e.g. airflow.tdp.example.com, superset.tdp.example.com)

Network policies

  • Ensure cluster Network Policies allow communication between pods in the namespace.
  • TDP components must communicate freely within the same namespace
  • If you use restrictive Network Policies, add rules that allow ingress and egress traffic between TDP pods
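
For clusters that run restrictive Network Policies, the rule described above can be expressed as one policy per namespace. This is an added example, not part of the TDP documentation; the namespace `tdp`, the policy name, and the assumption that cluster DNS runs in `kube-system` are illustrative.

```sh
#!/bin/sh
# Added example, not taken from the TDP documentation.

# tdp_netpol NAMESPACE: print a NetworkPolicy that lets every pod in NAMESPACE
# talk to every other pod in it, in both directions, and resolve DNS names.
tdp_netpol() {
    ns=${1:-}
    # Accept only a valid DNS label, so the value cannot alter the YAML.
    case $ns in
        ''|-*|*-|*[!a-z0-9-]*) echo "invalid namespace: '$ns'" >&2; return 2 ;;
    esac
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tdp-allow-same-namespace
  namespace: $ns
spec:
  podSelector: {}                 # every pod in the namespace
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}         # peers in this same namespace only
  egress:
    - to:
        - podSelector: {}
    # An egress policy also cuts off name resolution unless DNS is allowed.
    # Assumption: cluster DNS runs in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
EOF
}

# Validate against the API server without creating anything:
#   tdp_netpol tdp | kubectl apply --dry-run=server -f -
```

Pods selected by this policy accept nothing beyond what it lists, so web UIs published through an Ingress controller or Gateway need a further rule admitting that controller's namespace.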

TLS/SSL certificates (optional)

To enable HTTPS on services exposed via Ingress:

  • Provision TLS/SSL certificates for the configured domains
  • Use cert-manager to automate certificates with Let's Encrypt or an internal CA
  • Configure certificates on each component's Ingress resources

Authenticating to the OCI registry

TDP distributes its Helm charts[1] through an OCI registry at oci://registry.tecnisys.com.br/tdp/. This service is similar to a container image registry, but it is intended for storing and distributing Helm packages.

The oci://registry.tecnisys.com.br/tdp/ URI is the identifier used in Helm commands and other OCI-compatible tools to locate the registry.

Note

In GitOps workflows with Argo CD, registry authentication is configured directly in Argo CD itself. In that case, this CLI authentication procedure is not used.

  1. Web portal — Open the Tecnisys registry portal with the credentials provided by Tecnisys. After you sign in, generate or copy the command-line credential shown in the portal as CLI Secret or access token.

    Figure 1 — Registry web login
    Figure 2 — Capturing the CLI secret

Note

Normally, you only need to do this once per environment or context. After that, Helm reuses the authentication already stored on the local machine or CI agent.

  2. Terminal — Authenticate Helm with the OCI registry to access the platform charts.

    Terminal input
    helm registry login registry.tecnisys.com.br -u <usuario@tecnisys...>

    When you run the command, the terminal will prompt for a password:

    Password:

    Enter the CLI secret / token from step 1.

    If authentication succeeds, Helm prints a login confirmation; from then on you can list and install charts available in the registry.

    Note

    Registry credentials must be obtained from Tecnisys. If you do not yet have access, contact the responsible team to request an authorized user and CLI credential.

    Figure 3 — Registry login via Helm
  3. After authentication, verify access by showing an example chart:

    Terminal input
    helm show chart oci://registry.tecnisys.com.br/tdp/charts/tdp-spark
    Figure 4 — Show chart example
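
On a CI agent nobody is present to answer the `Password:` prompt, and the stored authentication mentioned in the note above outlives the job unless it is removed. The following is an added example, not Tecnisys code, that logs in from standard input and keeps the credential in a per-job directory; `TDP_REGISTRY_USER` and `TDP_REGISTRY_TOKEN` are assumed names for secrets injected by the CI system.

```sh
#!/bin/sh
# Added example (not Tecnisys code): non-interactive registry login for a CI job.
# TDP_REGISTRY_USER and TDP_REGISTRY_TOKEN are assumed names for CI secrets.

REGISTRY=registry.tecnisys.com.br

# ci_registry_login: pass the token on stdin, so it never appears in the
# command line or shell history, and point Helm at a registry config file
# inside a private per-job directory instead of the agent's shared one.
ci_registry_login() {
    if [ -z "${TDP_REGISTRY_USER:-}" ] || [ -z "${TDP_REGISTRY_TOKEN:-}" ]; then
        echo "TDP_REGISTRY_USER and TDP_REGISTRY_TOKEN must be set" >&2
        return 2
    fi
    CI_HELM_DIR=$(mktemp -d) || return 1      # mktemp -d creates mode 0700
    export HELM_REGISTRY_CONFIG="$CI_HELM_DIR/config.json"
    printf '%s' "$TDP_REGISTRY_TOKEN" |
        helm registry login "$REGISTRY" -u "$TDP_REGISTRY_USER" --password-stdin
}

# ci_registry_logout: remove the stored credential when the job ends.
ci_registry_logout() {
    [ -n "${CI_HELM_DIR:-}" ] || return 0
    helm registry logout "$REGISTRY" >/dev/null 2>&1 || true
    rm -rf "$CI_HELM_DIR"
    unset CI_HELM_DIR HELM_REGISTRY_CONFIG
}

# Typical job:
#   ci_registry_login && trap ci_registry_logout EXIT
#   helm show chart oci://registry.tecnisys.com.br/tdp/charts/tdp-spark
```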

Checklist

Before proceeding to installation, confirm all items below:

  • Kubernetes 1.27+ cluster operational
  • kubectl configured and connected to the cluster
  • helm 3.2.0+ installed
  • Storage Class with ReadWriteOnce support available
  • Storage Class with ReadWriteMany support available (if installing Airflow in cluster mode)
  • HTTP/HTTPS ingress solution (Ingress controller or Gateway API) installed and operational
  • Sufficient compute resources on cluster nodes
  • DNS resolution configured for nodes
  • Registry authentication (helm registry login registry.tecnisys.com.br) completed successfully
  • TLS/SSL certificates provisioned (optional)
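
The checklist above can be run as a preflight script before installation. This is an added example, not part of the TDP documentation; it compares versions numerically, reuses the commands shown on this page plus `kubectl get --raw /version` for the cluster version, and the `run` argument is an assumption.

```sh
#!/bin/sh
# Added example: preflight for the checklist above (not Tecnisys code).

# version_ge A B: succeed when dotted version A >= B. Fields are compared as
# integers, because a plain string comparison ranks 3.14.0 below 3.2.0.
version_ge() {
    a=${1#v}; a=${a%%[-+]*}    # drop leading "v" and suffixes like +g3fc9f4b
    b=${2#v}; b=${b%%[-+]*}
    case $a in ''|*[!0-9.]*) return 1 ;; esac   # missing or malformed version
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# git_version: extract the first "gitVersion" value from JSON on stdin.
git_version() {
    sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p' | head -n 1
}

fail() { echo "FAIL: $*" >&2; rc=1; }

preflight() {
    rc=0
    client=$(kubectl version --client -o json 2>/dev/null | git_version)
    server=$(kubectl get --raw /version 2>/dev/null | git_version)
    helmv=$(helm version --short 2>/dev/null)
    version_ge "$client" 1.27 || fail "kubectl '$client' is below 1.27"
    version_ge "$server" 1.27 || fail "cluster '$server' is below 1.27 or unreachable"
    version_ge "$helmv" 3.2.0 || fail "helm '$helmv' is below 3.2.0"
    [ -n "$(kubectl get storageclass -o name 2>/dev/null)" ] ||
        fail "no StorageClass defined"
    ic=$(kubectl get ingressclass -o name 2>/dev/null)
    gc=$(kubectl get gatewayclass -o name 2>/dev/null)
    [ -n "$ic$gc" ] || fail "no IngressClass or GatewayClass found"
    helm show chart oci://registry.tecnisys.com.br/tdp/charts/tdp-spark \
        >/dev/null 2>&1 || fail "registry not readable; run helm registry login"
    return "$rc"
}

# Run the checks only when asked, e.g.: sh preflight.sh run
if [ "${1:-}" = run ]; then preflight; fi
```

The script cannot tell whether a Storage Class supports ReadWriteMany, since that depends on the provisioner behind it; confirm RWX support separately when Airflow runs in cluster mode.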

Footnotes

  1. Helm chart: a package that bundles Kubernetes manifest templates and default values; Helm applies it in the cluster to create or update the component's resources, configurable through values files or flags.