Appearance
Prerequisites
Versions
- Kubernetes 1.27+ — vanilla, managed (GKE, EKS, AKS, DOKS), or bare-metal. Anything you're already running.
- PostgreSQL 14+ — one database per Moodle pod (hub plus each spoke). Managed Postgres is fine.
- Redis 6+ — shared across the cluster. Used for the federation event stream and session storage.
- Helm 3.12+ — for installing the
nucleus-moodlechart per tenant. - Moodle 5.1 LTS — the plugins target 5.1; older Moodle versions are not supported. Each tenant Moodle runs the same major.
Cluster add-ons
The chart assumes these are present on the cluster:
bash
# ingress-nginx
helm upgrade --install ingress-nginx ingress-nginx \
--repo https://kubernetes.github.io/ingress-nginx \
--namespace ingress-nginx --create-namespace
# cert-manager (for per-tenant Let's Encrypt)
helm upgrade --install cert-manager cert-manager \
--repo https://charts.jetstack.io \
--namespace cert-manager --create-namespace \
--set installCRDs=true
# metrics-server (for `kubectl top pod` used by MetricsService)
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yamlA ClusterIssuer named letsencrypt-prod backed by the HTTP-01 solver is referenced by the chart; provision it separately, or override the issuer name via Helm values if you already have one.
Storage
A StorageClass with VolumeSnapshot support. Needed if you enable the backup CronJob — see Backups. Most managed-Kubernetes default StorageClasses have it (DOKS, EKS gp3, GCE PD).
DNS
Two records:
A cp.your-domain→ control-plane host IPA *.your-domain→ cluster ingress IP
The wildcard target comes from kubectl get svc -n ingress-nginx after ingress-nginx lands.
SMTP
Any provider that lets you send from your domain — Office 365, AWS SES, Postmark, SendGrid, or a self-hosted MTA. Used for first-run admin emails and tenant notifications. The control plane reads SMTP creds from env vars; details on the Install page.
TLS
cert-manager + Let's Encrypt is the standard path. Customer-managed certs work via the chart's TLS secret override.
Ingress controller
Nginx, Traefik, or whatever you already run. The chart ships nginx-flavoured annotations by default; override ingress.className for other controllers.