AS4 Microservices Kubernetes Deployment Documentation

The AS4 system can be run in Kubernetes clusters using Docker images and Helm charts. For production use, we recommend running it in a Kubernetes cluster.

What follows is the template structure of one of our Kubernetes development systems, for use in your own deployments.

AS4 Services

Notes

The AS4 services require access to RabbitMQ. Docker images and Helm charts for this are likewise provided by Bitnami/RabbitMQ.

Keycloak can be used to secure the REST APIs with OAuth2.

AS4 Services in Kubernetes

The following Helm chart YAML file contains the AS4 services for a deployment of all AS4 microservices in the Kubernetes cluster. It can be used as an example/template for your own installations.

values.yaml configuration file

as4-address-service-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    TZ: "Europe/Berlin"
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
    DATASOURCE_URL: 'jdbc:postgresql://as4-postgres.as4-dev.svc.cluster.local:5432/as4?currentSchema=as4_address'
    DATASOURCE_USERNAME: 'as4'
    DATASOURCE_PASSWORD: '***'
    DATASOURCE_TYPE: "postgres"
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    AUTOCONFIRMRELATION: 'true'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-address-service/actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-address-service/actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-address-service/actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5

as4-crypto-operations-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    TZ: 'Europe/Berlin'
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    SERVER_PORT: '8080'
    SPRING_RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    SPRING_RABBITMQ_PORT: '5672'
    SPRING_RABBITMQ_USERNAME: 'rabbitmq-admin'
    SPRING_RABBITMQ_PASSWORD: '***'
    SPRING_PROFILES_ACTIVE: 'scaling'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5

as4-cryptography-csr-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 250m
      memory: 500Mi
    requests:
      cpu: 250m
      memory: 500Mi
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /as4-crypto-csr/api/v1/actuator/health
          port: 3333
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /as4-crypto-csr/api/v1/actuator/health
          port: 3333
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /as4-crypto-csr/api/v1/actuator/health
          port: 3333
        failureThreshold: 900
        periodSeconds: 5
  env:
    TZ: 'Europe/Berlin'
    DATASOURCE_URL: 'jdbc:postgresql://as4-postgres.as4-dev.svc.cluster.local:5432/as4?currentSchema=as4_csr'
    DATASOURCE_USERNAME: 'as4'
    DATASOURCE_PASSWORD: '***'
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    USER_HOME: '/opt/out'
    JDK_JAVA_OPTIONS: "-Djdk.tls.namedGroups=brainpoolP384r1,brainpoolP256r1,secp384r1,secp256r1"

as4-inbound-endpoint-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  ingress:
    enabled: true
    ingressClassName: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
      nginx.ingress.kubernetes.io/ssl-redirect: 'true'
    hosts:
      - host: 9900000000008.level-365.com
        paths:
          - path: /
            pathType: Prefix
      - host: 9900000000009.level-365.com
        paths:
          - path: /
            pathType: Prefix
  env:
    TZ: 'Europe/Berlin'
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    ADDRESSSERVICEURL: 'http://as4-dev-as4-address-service.as4-dev:8080/aep-as4-address-service'
    PARTNERTENANTRELATIONVALIDATION: 'true'
    SERVER_SERVLET_CONTEXTPATH: '/aep-as4-inbound-endpoint'
    SPRING_PROFILES_ACTIVE: 'scaling'
    STARTUPSSLCHECK: 'true'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-inbound-endpoint/actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-inbound-endpoint/actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-inbound-endpoint/actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5
  service:
    enabled: true
    type: ClusterIP
    port:
      port: 8443
      name: http
      protocol: TCP

as4-message-service-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 500m
      memory: 1000Mi
    requests:
      cpu: 500m
      memory: 1000Mi
  env:
    TZ: 'Europe/Berlin'
    DATASOURCE_URL: 'jdbc:postgresql://as4-postgres.as4-dev.svc.cluster.local:5432/as4?currentSchema=as4_messages'
    DATASOURCE_USERNAME: 'as4'
    DATASOURCE_PASSWORD: '***'
    DATASOURCE_TYPE: 'postgres'
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
    DELETION_OLDERTHAN: 'P0Y3M'
    DATASOURCE_DRIVER: 'org.postgresql.Driver'
    DATASOURCE_DRIVERDELEGATECLASS: 'org.quartz.impl.jdbcjobstore.PostgreSQLDelegate'
    DELETION_CRON: '0 45 * * * ?'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-message-service/actuator/health
          port: http
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-message-service/actuator/health
          port: http
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-message-service/actuator/health
          port: http
        failureThreshold: 900
        periodSeconds: 5

as4-outbound-market-message-service-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    TZ: 'Europe/Berlin'
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
    ADDRESSSERVERURL: 'http://as4-dev-as4-address-service.as4-dev.svc.cluster.local:8080/aep-as4-address-service/as4-address'
    SPRING_CLOUD_STREAM_RABBIT_BINDINGS_CONSUMEOUTBOUNDREQUESTEVENTIN0_CONSUMER_BINDINGROUTINGKEY: 'https://www.bdew.de/as4/communication/services/FP,default,https://www.bdew.de/as4/communication/services/MP'
    SPRING_CLOUD_STREAM_RABBIT_BINDINGS_CONSUMEOUTBOUNDREQUESTEVENTIN0_CONSUMER_BINDINGROUTINGKEYDELIMITER: ','
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-outbound-market-message-service/actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-outbound-market-message-service/actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-outbound-market-message-service/actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5

as4-outbound-sender-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    ADDRESSSERVICEURL: 'http://as4-dev-as4-address-service.as4-dev:8080/aep-as4-address-service'
    JDK_JAVA_OPTIONS: "-Djdk.tls.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_BRAINPOOLP384R1,TLS_ECDHE_ECDSA_WITH_BRAINPOOLP256R1,TLS_ECDHE_ECDSA_WITH_SECP384R1,TLS_ECDHE_ECDSA_WITH_SECP256R1 -Djdk.tls.namedGroups=brainpoolP384r1,brainpoolP256r1,secp384r1,secp256r1 -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"
    RECEIPTCRYPTOEXCHANGENAME: 'as4.verify'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5

as4-receipt-service-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    TZ: 'Europe/Berlin'
    RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    RABBITMQ_PORT: '5672'
    RABBITMQ_USERNAME: 'rabbitmq-admin'
    RABBITMQ_PASSWORD: '***'
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-receipt-service/actuator/health
          port: 8080
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-receipt-service/actuator/health
          port: 8080
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-as4-receipt-service/actuator/health
          port: 8080
        failureThreshold: 120
        periodSeconds: 5

crl-downloader-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  env:
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    
rabbitmq-cluster-operator:
  enabled: true
  rabbitmqImage:
    repository: bitnamilegacy/rabbitmq
  clusterOperator:
    image:
      repository: bitnamilegacy/rabbitmq-cluster-operator
    metrics:
      service:
        enabled: true
    replicaCount: 1
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
  msgTopologyOperator:
    image:
      repository: bitnamilegacy/rmq-messaging-topology-operator
    replicaCount: 1
    resources:
      limits:
        cpu: 200m
        memory: 200Mi
      requests:
        cpu: 100m
        memory: 100Mi
  extraDeploy:
    - apiVersion: rabbitmq.com/v1beta1
      kind: RabbitmqCluster
      metadata:
        name: rabbitmq-cluster
      spec:
        persistence:
          storage: 128G
          storageClassName: "rabbitmq-node-storage"
        replicas: 3
        rabbitmq:
          additionalPlugins:
            - rabbitmq_shovel
            - rabbitmq_shovel_management
            - rabbitmq_top
          additionalConfig: |
            raft.wal_max_size_bytes = 16000000
            cluster_formation.target_cluster_size_hint = 3
            vm_memory_high_watermark.relative = 0.7
            max_message_size = 33554432
          envConfig: |
            RABBITMQ_DEFAULT_USER=rabbitmq-admin
            RABBITMQ_DEFAULT_PASS=***
        resources:
          limits:
            cpu: '1'
            memory: 1800Mi
          requests:
            cpu: '500m'
            memory: 1800Mi

certificate-manager-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  probes:
    liveness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-certificate-manager/actuator/health
          port: http
    readiness:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-certificate-manager/actuator/health
          port: http
    startup:
      enabled: true
      custom: true
      spec:
        httpGet:
          path: /aep-certificate-manager/actuator/health
          port: http
        failureThreshold: 900
        periodSeconds: 5
  env:
    TZ: 'Europe/Berlin'
    SPRING_RABBITMQ_HOST: 'rabbitmq-cluster.as4-dev.svc.cluster.local'
    SPRING_RABBITMQ_PORT: '5672'
    SPRING_RABBITMQ_USERNAME: 'rabbitmq-admin'
    SPRING_RABBITMQ_PASSWORD: '***'
    AS4ADDRESSSERVICEURL: 'http://as4-dev-as4-address-service.as4-dev:8080/aep-as4-address-service'
    FSS_SERVER_API_URL: 'http://fss.as4-dev.svc.cluster.local:3331/fss/api/v1'
    LDAPS_ENABLED: 'true'
    CERTMANAGER_SUBCAURL_0_: 'ldaps://ldap.sm-pki.atos.net'
    CERTMANAGER_SUBCAURL_1_: 'ldaps://ldap.energyca.telesec.de'
    CERTMANAGER_SUBCAURL_2_: 'ldaps://ldap.cc-gwa.de'
    CERTMANAGER_SUBCAURL_3_: 'ldaps://ldap.sub-ca.da-rz.net'
    CERTMANAGER_SUBCAURL_4_: 'ldaps://ldap.smpki.schleupen.cloud'
    CERTMANAGER_SUBCAURL_5_: 'ldaps://ldap.gwadriga.de'
    CERTMANAGER_SUBCAURL_6_: 'ldaps://ldaps.smartserviceca.sm-pki.smartservice.de'
    DOWNLOADPARTNERCERTIFICATESCHEDULER: '0 0 17 * * *'

fss-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  type: statefulset
  resources:
    limits:
      cpu: 800m
      memory: 1600Mi
    requests:
      cpu: 800m
      memory: 1600Mi
  service:
    enabled: true
    type: ClusterIP
    port:
      port: 3331
      name: http
      protocol: TCP
  forcePodRecreationOnHelmUpdate: false
  env:
    TZ: 'Europe/Berlin'
    SPRING_PROFILES_ACTIVE: 'nosecure'
    DB_DRIVER: 'org.postgresql.Driver'
    DB_URL: 'jdbc:postgresql://as4-postgres.as4-dev.svc.cluster.local:5432/as4?currentSchema=fss'
    DB_USERNAME: 'as4'
    DB_PASSWORD: '***'
    DB_DIALECT: 'org.hibernate.dialect.PostgreSQLDialect'
    NO_DEFAULT_CERT_PURPOSE: 'true'
    SERVER_PORT: '3331'
    CLUSTER_USE_CLUSTERNODE_HOSTNAME: 'true'
    JAVA_OPTS: "-Dcluster.service.period=30 -Dverify.filter.mapping=/opt/securityserver/conf/verifyFilterMapping.properties -Drevision.info.server.url=http://changeme -Djavax.net.ssl.trustStoreType=JKS -Dhsm.slot.connection.inactivity.timeout=3 -DHSM_MIN_EVICTABLE_IDLE_MILLIS=180000 -DHSM_MIN_IDLE_CONNECTIONS_PER_SLOT=1 -DHSM_MAX_IDLE_CONNECTIONS_PER_SLOT=3 -DHSM_POOL_EVICTION_PERIOD=60000 -DHSM_MAX_POOLED_CONNECTIONS=3000 -Xmx2048m -Xms512m"

hsm-simulator-helm:
  enabled: true
  replicaCount: 1
  autoscaling:
    enabled: false
  resources:
    limits:
      cpu: 400m
      memory: 800Mi
    requests:
      cpu: 400m
      memory: 800Mi
  podSecurityContext:
    fsGroup: 5000         # Ensures mounted volume is writable by this group
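
To catch the kind of mistakes that hide in a values file this long before `helm upgrade --install` runs (an httpGet probe path without a leading slash, a Service port protocol other than TCP/UDP/SCTP, a `***` password placeholder still in place), here is a small preflight check. It is an added example, not part of the AS4 project or its charts; it assumes the values file has been loaded into a dict with PyYAML's `yaml.safe_load`, and the sample it runs on is a constructed excerpt in the shape of the file above, not a copy of it.

```python
# Preflight checks for the umbrella chart's values.yaml (added example, not AS4 project code).
# Catches httpGet probe paths without a leading '/', a Service port protocol Kubernetes rejects,
# and '***' secret placeholders that were never replaced before `helm upgrade --install`.
from typing import Any, List

VALID_SERVICE_PROTOCOLS = {"TCP", "UDP", "SCTP"}  # the only values a Service port accepts
PLACEHOLDER = "***"  # how the values.yaml above marks secrets that still need filling in

def check_probe_paths(values: dict) -> List[str]:
    """Every liveness/readiness/startup httpGet path must be absolute."""
    issues = []
    for svc, cfg in values.items():
        for kind, probe in (cfg or {}).get("probes", {}).items():
            path = probe.get("spec", {}).get("httpGet", {}).get("path")
            if path is not None and not path.startswith("/"):
                issues.append(f"{svc}: {kind} probe path '{path}' must start with '/'")
    return issues

def check_service_protocols(values: dict) -> List[str]:
    """Service.port.protocol must be TCP, UDP or SCTP; 'HTTP' is rejected by the API server."""
    issues = []
    for svc, cfg in values.items():
        proto = (cfg or {}).get("service", {}).get("port", {}).get("protocol")
        if proto is not None and proto not in VALID_SERVICE_PROTOCOLS:
            issues.append(f"{svc}: service protocol '{proto}' is not TCP, UDP or SCTP")
    return issues

def find_placeholders(node: Any, path: str = "") -> List[str]:
    """Walk the whole tree (env maps, extraDeploy lists, multi-line envConfig strings) and
    return the dotted path of every string that still contains the placeholder."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, val in node.items():
            hits += find_placeholders(val, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            hits += find_placeholders(val, f"{path}[{idx}]")
    elif isinstance(node, str) and PLACEHOLDER in node:
        hits.append(path)
    return hits

def preflight(values: dict) -> List[str]:
    """All findings in one list; an empty list means the file is safe to hand to helm."""
    return check_probe_paths(values) + check_service_protocols(values) + find_placeholders(values)

# Constructed excerpt in the shape of the values.yaml above (load a real file with yaml.safe_load).
SAMPLE_VALUES = {
    "as4-outbound-market-message-service-helm": {
        "env": {"RABBITMQ_USERNAME": "rabbitmq-admin", "RABBITMQ_PASSWORD": "***"},
        "probes": {"liveness": {"spec": {"httpGet": {
            "path": "aep-as4-outbound-market-message-service/actuator/health", "port": 8080}}}},
    },
    "fss-helm": {
        "service": {"port": {"port": 3331, "name": "http", "protocol": "HTTP"}},
        "env": {"DB_USERNAME": "as4", "DB_PASSWORD": "***"},
    },
    "rabbitmq-cluster-operator": {"extraDeploy": [{"spec": {"rabbitmq": {
        "envConfig": "RABBITMQ_DEFAULT_USER=rabbitmq-admin\nRABBITMQ_DEFAULT_PASS=***\n"}}}]},
}
```

Run `preflight(yaml.safe_load(open("values.yaml")))` in CI and fail the pipeline when the list is not empty; the placeholder check is the one that keeps a `***` from ever reaching a running pod.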

Chart.yaml configuration file

The versions of the Helm charts and Docker images are specified in the Chart.yaml file, for example:

apiVersion: v2
name: deployment
type: application
version: 2025-12-02
appVersion: "1.0.0"

dependencies:
  - name: as4-address-service-helm
    version: 2025-10-14
    condition: as4-address-service-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-crypto-operations-helm
    version: 2025-10-14
    condition: as4-crypto-operations-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-cryptography-csr-helm
    version: 2025-11-19-02
    condition: as4-cryptography-csr-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-inbound-endpoint-helm
    version: 2025-10-22
    condition: as4-inbound-endpoint-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-message-service-helm
    version: 2025-10-14
    condition: as4-message-service-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-outbound-market-message-service-helm
    version: 2025-10-14
    condition: as4-outbound-market-message-service-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-outbound-sender-helm
    version: 2025-10-14
    condition: as4-outbound-sender-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: as4-receipt-service-helm
    version: 2025-10-16
    condition: as4-receipt-service-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/as4"
  - name: crl-downloader-helm
    version: 2025-10-22
    condition: crl-downloader-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/crypto"
  - name: certificate-manager-helm
    version: 2025-11-21
    condition: certificate-manager-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/crypto"
  - name: rabbitmq-cluster-operator
    version: 4.4.34
    condition: rabbitmq-cluster-operator.enabled
    repository: https://raw.githubusercontent.com/bitnami/charts/index/bitnami
  - name: fss-helm
    version: 2025-10-31
    condition: fss-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/b2b"
  - name: hsm-simulator-helm
    version: 2024-06-26
    condition: hsm-simulator-helm.enabled
    repository: "oci://devnortheuropemgmtacr.azurecr.io/aep/crypto"

UIs

Installing the B2B/AS4 UIs in the Kubernetes cluster is described here.
