how-to
117 pagesAccess secure logs
Once secure logs for your team are enabled, they will become available in Securelogs dataview. The members of the corresponding Nais team should get access to those logs automatically when they log…
Accessing OpenSearch from an application outside Nais
This guide will show you how to access an OpenSearch instance from an application outside of supported Nais clusters.
Accessing topics from an application
This guide shows you how to access Kafka topics from your application. You need an existing topic to access. See Create a Kafka topic for how to create a topic.
Accessing topics from an application outside Nais
This guide will show you how to access a Kafka topic from an application outside Nais clusters. Make the values available to your application.
Additional users
You can add users to your database by setting database configuration option: .spec.gcp.sqlInstances[].databases[].users[].name. Additional users needs to manually be given access to the database and…
Advanced: Secrets with binary data
Nais Console only supports secrets with string values. You can work around this by Base64-encoding the binary data and store the resulting string, though it also requires that your application does…
Audit logs
Most applications where a user processes data related to another user need to log audit statements, detailing which user did what action on which subject. These logs need to follow a specific format…
Avro and schema
This guide will show you how to do various schema operations on your Kafka topics. To register the first version of a schema under the subject "team.test-key" using Avro schema:
Build and deploy with GitHub Actions
This how-to guide shows you how to build and deploy your application using GitHub Actions and the Nais deploy action.
Certification sync issues
If you have deleted your application and recreate it, there might be an issue that your new app will not be able to create a client certificate because the old one still exists. Your deploy may fail…
Change the tier of your database instance
Choosing an appropriate tier depends on your application's requirements such as: The tier you choose will affect the performance and cost of your database.
Communicate with other workloads
This guide shows you how to communicate with other workloads inside the same environment or cluster via service discovery.
Connect to a cloned database
If you have for some reason cloned a database in the console, you need to do some manually changes on the new database to be allowed to connect to it with your.
Consume external API using Maskinporten
This how-to guides you through the steps required to consume an API secured with Maskinporten: Declare all the scopes that you want to consume in your application's Nais manifest so that your…
Consume internal API as an application
This how-to guides you through the steps required to consume an API secured with Entra ID as an application (or a machine user). This is also known as the machine-to-machine (M2M) or client…
Consume internal API on behalf of a citizen
This how-to guides you through the steps required to consume an API secured with TokenX: Enable TokenX in your application:
Consume internal API on behalf of an employee
This how-to guides you through the steps required to consume an API secured with Entra ID on behalf of an employee. This is also known as the on-behalf-of (OBO) flow.
Correlate traces and logs
Learn how to correlate traces with logs in Grafana Tempo.
Create a bucket
This guide will show you how to create a Google Cloud Storage bucket. You create the bucket through the Nais application manifest.
Create a dashboard in Grafana
Create a dashboard in Grafana for your application
Create a Kafka topic
This guide will show you how to create a Kafka topic. The fully qualified topic name is the name of the Topic resource prefixed with your team namespace:
Create a Nais team
This how-to guide shows you how to create a Nais team. Your team will now be created, and you will be the owner.
Create a Valkey instance explicitly (legacy)
We recommend creating your Valkey instances in their own workflow for more control over configuration, especially if you intend for multiple applications using the same Valkey instance, or if you…
Create alert in Grafana
Learn how to create an alert for your application in Grafana.
Create alert with Prometheus
Create alerts for your application using Prometheus.
Create alerts in nav-logs (OpenSearch Dashboards)
This guide will help you create alerts in nav-logs (OpenSearch Dashboards).
Create an instance of BigQuery
Below is a minimal working example for a Nais Application manifest.
Create an OpenSearch instance (legacy)
Explicitly creating an OpenSearch instance is done by adding a OpenSearch resource to your namespace with detailed configuration in a GCP cluster. In your Application or Naisjob specifications, you…
Create and manage secrets in Console
This how-to guide shows you how to create and manage a secret in the Nais Console. 🎯 Learn how to use a secret in your workload
Create application
This how-to guide will show you how to create a Nais manifest for your application. Inside your application repository, create a .nais-folder.
Create job
This how-to guide will show you how to create a Nais manifest for your job. Inside your job repository, create a .nais-folder.
Create OpenSearch
This guide will show you how to create a OpenSearch instance for your team using Nais Console. Creating the OpenSearch instance will take a few minutes. The Status column will show you the current…
Create Valkey
This guide will show you how to create a Valkey instance for your team using Nais Console. Creating the Valkey instance will take a few minutes. The Status column will show you the current state.
Customize Prometheus alerts
Advanced guide to customized Prometheus alerts
Debugging
When issues arise with your Cloud SQL instance, you can use the following steps to troubleshoot the problem.
Debugging
When issues arise with your Postgres cluster, you can use the following steps to troubleshoot the problem.
Debugging workloads
A useful place to start when you have problems getting your pods running is the troubleshooting guide.
Delete Kafka topic and data
When you want to delete a Kafka topic and it's data, the Topic resource in Nais needs to be annotated.
Delete OpenSearch
This page guides you through the steps required to delete an OpenSearch instance. Ensure that all references to the opensearch instance are removed from your workload manifests:
Delete Valkey
This page guides you through the steps required to delete a Valkey instance. Ensure that all references to the Valkey instance are removed from your workload manifests:
Delete your application
Delete your job
Deleting a bucket
Delete unused buckets to avoid incurring unnecessary costs. A bucket is deleted by enabling cascading deletion, and deleting the application.
Deleting the database
The database is not automatically removed when deleting your Nais application. Remove unused databases to avoid incurring unnecessary costs. This is done by setting cascadingDelete in your…
Deleting the database
The database is not automatically removed when deleting your Nais application or the Postgres resource. Remove unused databases to avoid incurring unnecessary costs. This is done by setting…
Dependabot with auto-merge
Dependabot is a security tool offered by GitHub. Dependabot scans your repositories for vulnerabilities and outdated dependencies, and may automatically open pull requests to bump dependency…
Disable persistent application logs
Disable log storage for a specific application
Disable read-only file system
This how-to shows how to disable read-only root file system in your workloads. Re-deploy your workload to apply the changes.
Enable audit logging
This guide describes how to enable audit logging in your postgreSQL database. The following steps need to be taken to enable the logging.
Enable Leader Election
This guide will show you how to enable leader election for your application. 👷 Help Wanted! Please contribute with examples on how to use the Server Sent Events API.
Enable secure logs
This guide will show you how to enable shipping of secure logs for your application. If your Nais team has already at any point produced secure logs, you can skip this step.
Expose an application
This guide will show you how to expose your application to end-users or applications in other environments by using an ingress.
Expose FSS apps with KrakenD
KrakenD is an open-source API Gateway that sits in front of your Maskinporten APIs and provides a single point of entry for API clients.
Expose metrics from your application
Expose metrics from your application
Failing to assign private IP to an existing Cloud SQL instance
If you have deleted your application and recreate it, there might be an issue that your new app will not be able to create a client certificate because the old one still exists. Your deploy may fail…
Generate a token from Entra ID for development
This how-to guides you through the steps required to generate a token that you can use against an API secured with Entra ID in the development environments.
Generate a token from TokenX for development
This how-to guides you through the steps required to generate a token that you can use against an API secured with TokenX in the development environments.
Generate SBOM
Simply add nais/docker-build-push to your workflow. ??? note Opt-out Opt-out from salsa
Get access to the dashboard
Each OpenSearch instance in Aiven comes with a built-in dashboard for visualizing your data. To get access to this dashboard you need to follow these steps:
Get started with auto-instrumentation
Get started with auto-instrumentation for your applications with OpenTelemetry data for Tracing, Metrics and Logs using the OpenTelemetry Agent.
Get started with Grafana Loki
Get started with Grafana Loki, the default and preferred log aggregation system for all Nais application
Get started with Grafana Tempo
Grafana Tempo is an open-source, easy-to-use, high-scale, and cost-effective distributed tracing backend that stores and queries traces in a way that is easy to understand and use. It is fully…
Get started with nav-logs
This guide will help you get started with nav-logs (OpenSearch Dashboards).
Get started with Team Logs
Get started with Team Logs, a private logging solution leveraging Google Cloud Logs.
How to turn on Tiered Storage for your Kafka topic
This guide shows you how to enable tiered storage for your Kafka topic. You need to own an existing topic in nais. Check Create a Kafka topic for how to create a topic.
Install Kolide
The Kolide agent will be added to your Slack app, and let you know when there are recommended updates or security issues you need to address - and how to address them. Slack apps are located in the…
Install nais-cli
Install naisdevice
A macOS systray exemplifying a red-colored naisdevice icon. When you have opened naisdevice, you may be concerned that nothing happened. The little naisdevice icon has appeared in your Systray (where…
Kafka metrics
This guide will show you how to monitor your Kafka topics with Grafana. This is a user-generated list of metrics that can be used with Grafana to monitor your Kafka topics.
Log in a citizen
This how-to guides you through the steps required to ensure that only citizens authenticated with ID-porten can access your application.
Log in an employee
This how-to guides you through the steps required to ensure that only employees authenticated with Entra ID can access your application.
Log in users
This guide shows you how to log in users to your application with the login proxy. Before you begin, ensure that you have:
Manage access
This guide will show you how to manage access to your topic. Example of various ACLs:
Manage CDN assets
This how-to guide shows you how to list and manage assets on the CDN. In most cases you only need to upload new assets through the GitHub Action. In the rare case you need to manage the assets…
Migrate OpenSearch management to Nais Console
This guide will help you migrate an existing OpenSearch instance to instead be managed via Nais Console.
Migrate to new instance
This guide describes how to migrate your PostgreSQL database to a new SQLInstance. The process can be summarized as follows:
Migrate Valkey management to Nais Console
This guide will help you migrate an existing Valkey instance to instead be managed via Nais Console.
Migrating databases to GCP
Suggested patterns for moving on-prem databases to GCP postgreSQL. Disclaimer: These are options for migrations to GCP postgreSQL. Others may work better for your team.
Migrating to GCP
Our GCP clusters use a zero trust security model, implying that the application must specify both incoming and outgoing connections in order to receive or send traffic at all. This is expressed using…
Overriding user and group that runs container process
This how-to shows you how to override the default user and group (1069) that will run your container process.
Personal database access
Databases should always be accessed using a personal account, and the access should ideally be temporary.
Postgres database metrics
All Postgres databases running on Google Cloud Platform are integrated with Cloud Monitoring to provide metrics and alerts. You can use these metrics to monitor the health and performance of your…
Postgres database metrics
All PostgreSQL databases running in the cluster export metrics using the Prometheus postgres exporter.
Push metrics to Prometheus
Push metrics to Prometheus
Redirect a client
To redirect traffic from one domain to another, you need to define an ingress from the old domain that redirects to the new domain, with .spec.redirects[].
Remove access to topics from an application
This guide will show you how to remove your application's access to a Kafka topic. Remove the ACL that grants your application access to the topic.
Renew credentials for non-Nais applications
Eventually the credentials created in Accessing topics from an application outside Nais will expire. Well in advance of this, Aiven will issue a notification to the technical contacts, and we route…
Reset database credentials
To reset the database credentials for your application (if application name, database name or envVarPrefix has been changed), you need to first delete the secret and sqluser for the database:
Secure your API with Entra ID
This how-to guides you through the steps required to secure your API using Entra ID: Depending on who your consumers are, you must grant access to either applications, users, or both.
Secure your API with Maskinporten
This how-to guides you through the steps required to secure your API using Maskinporten: A scope represents a permission that a given consumer has access to.
Secure your API with TokenX
This how-to guides you through the steps required to secure your API using TokenX: Specify inbound access policies to authorize your consumers:
Set up access policies
This guide will show you how to define access policies for your workload. For app <MY-APP> to be able to receive incoming requests from <MY-OTHER-APP> in the same namespace, this specification is…
Set up tracing for your pipeline
To further support DORA metrics we use tracing directly in the build pipeline. This will allow you to measure the time it takes for your team to deliver new code to production.
Setup command line access
This guide shows you how to set up command line tools for accessing Nais clusters Follow Googles instructions on how to install gcloud for your OS
Show Grafana on infoscreen
How to show Grafana on an infoscreen
Templating
In nais/deploy we use Handlebars 3.0 syntax as templating language. Both the template and variable file supports either YAML or JSON syntax.
Trace context propagation
Learn how to propagate trace context across process boundaries in a few common scenarios.
Tracing data in Elastic APM
This guide will help you get started with sending tracing data to Elastic APM.
Troubleshooting
When something is wrong with your application, these kubectl commands should be the first things you check out:
Troubleshooting
When you get a topic authorization failed error in your application, it means that the application has authenticated correctly with the cluster, but does not have the necessary permissions to access…
Troubleshooting nais-cli
If you get an error message like this (the path may vary): which is the shim hiding the actual error message:
Troubleshooting naisdevice
Restart your default browser.
Uninstall Kolide
When the program has been removed from your device, let an admin know in #naisdevice Slack channel. This is necessary so that the record of your device can be purged from our Kolide systems.…
Uninstall naisdevice
When the program has been removed from your device, let an admin know in #naisdevice Slack channel. This is necessary so that the record of your device can be purged from our Kolide systems.
Update naisdevice
Upgrade major version
This page describes how to upgrade the major version of your PostgreSQL database. Before doing a major version upgrade, consult the Google Cloud SQL documentation for any preparation that needs to be…
Upgrade major version
This page describes how to upgrade the major version of your PostgreSQL database. Before doing a major version upgrade, consult the PostgreSQL Release Notes for any preparation that needs to be done.
Upgrade major version
When the OpenSearch instance was created, it was set up with the major version that was current at the time. You can upgrade the OpenSearch instance to a newer major version via Nais Console.
Upload assets to the CDN
This how-to guide shows you how to upload assets to the CDN. In your Github Workflow, add the following step to upload your assets to the CDN.
Use a secret in your workload
This how-to guide shows you how to reference and use a secret in your workload. A secret can be made available as environment variables or files, or both.
Use OpenSearch in your workload
This guide will show you how to connect your workload to a previously created OpenSearch instance. In your workload manifest, add the following lines to reference the OpenSearch instance:
Use Valkey in your workload
This guide will show you how to connect your workload to a previously created Valkey instance. In your workload manifest, add the following lines to reference the Valkey instance:
Using BigQuery from your application
When connecting your BigQuery client you need to specify the project ID and the dataset ID. The project ID is available in the GCP_TEAM_PROJECT_ID environment variable. There's no automatic…
Using Kafka Streams with internal topics
This guide will show you how to use Kafka Streams with internal topics. Select a pool from one of the available pools.
Using the image outside of Nais
When using the nais/docker-build-push action, the image is pushed to a registry that is meant for use within the Nais platform. If you wish to use this image for anything else than deploying with the…
View logs from the command line
View logs from the command line using kubectl.
Workaround for password synchronization issues
We recommend using nais-cli for rotating password for your Postgres database user. Retrieve the password from the secret google-sql-MYAPP in your namespace (the password is base64 encoded):