OpenShift and Kubernetes

This page contains detailed instructions for deploying Rasa X using OpenShift or Kubernetes (K8S).

Rasa X is available as a Helm Chart for a quick and easy cluster setup. If you are not using Helm in your cluster, you can still use the Helm command-line interface to generate the Kubernetes / OpenShift object configurations.


  1. Check that Helm is installed on your machine. If this is not the case, see this guide for instructions on how to install Helm.

  2. Get the Rasa X Helm chart

    export RASA_X_VERSION="Rasa X version you want to use"
    wget -qO rasa-x-helm.tgz${RASA_X_VERSION}/rasa-x-${RASA_X_VERSION}.tgz
  3. Make sure kubectl or oc are connected with your cluster and are using the right namespace.

Configuring the Helm Chart

The Rasa X Helm Chart comes with a default configuration. However, especially in a cluster environment, you might want to adapt some of these default settings to your infrastructure. You can see which values are configurable in the Rasa X chart by running this on your command line:

$ helm inspect values <chart file>

There are different ways to change the default parameters:

  • --values (or -f): Specify a YAML file with overrides for the values.
  • --set (and its variants --set-string and --set-file): Specify overrides in the command line.

Our recommended option is to specify your configurations in a separate YAML file. Please see the following sections for examples.

OpenShift / Kubernetes Specific Configuration

The Helm chart is compatible with both Kubernetes and OpenShift. However, depending on your cluster configuration, it might be necessary to to adjust the security permissions for the deployments:

securityContext: ""
  # fsGroup to use (e.g. when deploying on Kubernetes)
  fsGroup: 0

Using Rasa X EE

By default, the Helm chart is configured to use the Rasa X CE image. To use the Rasa X EE image add this to your override file:

  name: ""

The next step is to configure the pull secret, which Kubernetes / OpenShift will use to pull the image from the private registry:

  1. Copy everything between the outer " of the docker_registry_license key in your Rasa X EE license to a file gcr-auth.json. The contents of gcr-auth.json should look like this:

      "type": "service_account",
      "project_id": "rasa-platform",
      "private_key_id": "sdferw234qadst423qafdgxhw",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvfwrt423qwadsfghtzw0BAQEFAASCBKgwggSkAgEAAoIBAQCgt338FkWbW13dghtzew4easdf5wAi15jrA9t4uOk8dghrtze4weasfgdhtAFZNfrLgvr2\nPBTu1lAJDLo136ZGTdMKi+/TuRqrIMg/sr8q0Ungish8v6t5Jb4gsjBi9StytCT4\nhWXDL3qeadfsgeDOudl6c3iMzylBws+VffrFfaZWjDpGtxmlYwIUa2e\noNSe7BYLnY9tDrX3zrP/wu/6FPbbGkBjguDG1l3Kx7l1wmiPtK5lIhjt+k7Oyx/u\nd6+gvfs+7RX9wUxnZT/tLggybYdsr8BA1Pqr0hDmhdDl7tjXVTmGLG+1/+lXVGFc\nqKEg+uLXAgMBAAECggEAESzwRK0Cp62LgBjInk+jvTmMI4lYP/XTnfk0TNwyiLxd\nT7mkw/TzkSVRifZ37lBQ6BS6BiqBJherh1N4xI+DF9HUN/wHR93QTyu7p8umlcxC\nlPV0KE4b5ZMfWvRG4y236cRGly9urcBNGoFzFHl8pd2iS5DMqZOYpSXY+qvkXTKE\nUOm5mVSs4S4Qa9cHL+jWXCvY0789fG1GrT+L3Fn+StKacgQuBnN1krYFYBSjCAh8\nsnSdjkvGguw/6OApPHd8HqkHtjU0PD67uU5QIm5N1bmz9KT4s9Pm+WbCinEstIiN\nIfln5ikmHcMAiIS0gzSnZavsY21PsDHBkD8SUO7CTQKBgQDgMPhx0TsB/oVH/SnU\nt3oTME+tfAKI69tozX02jHj6DY/vDpI1hXNmb4oMOos5+3ulborHqnso9za1RgV7\nm2N04QQVfzYEuZzJzXL11SHvBYVjHkXYy6HR5GhnPmwA+CzrDNy2/oYxlaqH7TBA\nR+f7IHToIPKGCVrhCJztlAgzIwKBgQC3hQNclIQ5Iw0gm9Rr8zAP/YoRJdiUSYtv\nNBmav+dTTSkPh51Bomj/J4Rrg8OLvHG5U79pmzbQdIFGYGKlR0l4/QepKpbaGm7x\nM/gRp/GXu9sN8LgI+h+FskCYi4cuqDjQ9L2S0gwMre4witmeVSIiBxLWxS7mvkZX\nWRW58ml2vQKBgBozPuW2SQobn6HhIUFdy+NwMu+YXYd44ORnl2mHkx/N8/NBJa8h\nkHH5OQ3izaCSFkooGAnrj4cjFP6sVzmx2DaxkVOd0UdOFdezreqy5MtVPthtkkYa\nzieEZPsj3WVjm4RAtY6hQjeLQSmve4MXpDHCAkeaih1F/Jvt8MEHGso3AoGBAJez\nTioTYpFQliNkbN2nMw2kyaKPJE6/1JDiAmBXTcMgP1blBWsh86UnZ2DwlI5IAcHu\npoWHlnIOPGaOejyhhuyKTPDbkcNMonSkPuVpbF2/Hb6SQ664A6KizJ7Mh7xbtkuU\nY7igBPHePMzHmkg1m3eBXWNHsBNxKfg+XaVN6zwJAoGBAN6VhGMmyDcn0GqkkP6d\nrSsQ0Ig7L4PnU633oYWoGWa8q/XYiFbcACMFynMbrmHG+/0c3Iwt32bi3th60Cwb\nT66yqmv4MaT72+EfQHxiLxnUxhqSpBXM0eoXbyvDg97Zp/slsYvGGLjONmmretlE\nsjAsuAH4Iz1XdfdenzGnyBZH\n-----END PRIVATE KEY-----\n",
      "client_email": "",
      "client_id": "114123456713428149",
      "auth_uri": "",
      "token_uri": "",
      "auth_provider_x509_cert_url": "",
      "client_x509_cert_url": ""
  2. Log in to the docker registry:

    $ sudo docker login  -u _json_key -p "$(cat gcr-auth.json)"
  3. Create an image pull secret from the docker config.json following the Kubernetes guide or the OpenShift guide.

  4. Add the secret name in your override file:

      - <name of the created secret>

Using Your Own Custom Action Server Image

To use your own custom action server image, put the following in the override file:

  name: "name of your image"
  tag: "tag you want to use"

Specifying Volume Sizes

Rasa X requires two volume claims: one for Rasa X, and one for the database. You can define the claim sizes by setting the storage of these services in your override file:

  storage: "10Gi"
  storage: "100Gi"

Providing Access Credentials / Using an External Secret

Rasa uses passwords and tokens to secure the communication between services. If you don’t specify these, Helm will generate some and include them in a secret object which is then used by the individual services to access the required values.

If you e.g. want to specify the database password, add this to your override file:

  password: "<your password>"

You can also provide your own secret instead of having the Helm chart generate one for you. To do so, specify the rasaSecret name in the override file:

rasaSecret: "<name of your secret>"

Your external secret should look like this (with replaced <your value> entries):

apiVersion: "v1"
kind: "Secret"
  name: "<name of your secret>"
type: "Opaque"
  rasaToken: {{ <your value> | b64enc | quote }}
  rasaXToken: {{ <your value>| b64enc | quote }}
  passwordSalt: {{ <your value> | b64enc | quote }}
  jwtSecret: {{<your value> | b64enc | quote }}
  databasePassword: {{ <your value> | b64enc | quote }}
  rabbitPassword: {{ <your value> | b64enc | quote }}
  redisPassword: {{ <your value> | b64enc | quote }}


We recommend that you enable HTTPS on your server by adding SSL certificates (for example using Let’s encrypt).

To do so, you need a PEM-encoded private key file (privkey.pem) and a PEM-encoded certificate chain file (fullchain.pem). Provide their content in a secret, which looks like the following:

apiVersion: "v1"
kind: "Secret"
  name: <your secret name>
type: "Opaque"
  privkey.pem: <content of the private key file>
  fullchain.pem: <content of the certificate chain file>

Then specify the name of this secret in your override file:

  certificateSecret: "<your secret name>"

This will automatically be mounted in the correct place within the Nginx pod.

Debug Mode

Sometimes it’s helpful to have more log messages in the Rasa pods. To activate the debug mode for all Rasa and Rasa X pods, use the following configuration:

debugMode: "true"

Separate Event Consumer

By default, the Helm chart is configured to launch the event-service as a separate service. This means it is a replicable pod, and this is the recommended setting for high-load setups. For smaller cluster setups, you can configure Rasa X to launch an event consumer automatically as a suprocess. To do this, add the following line to your override file:

separateEventService: "false"

Deploying With Helm

If your cluster has Helm configured, you can install the Rasa X chart with the command:

$ helm install --values <path to your override file> <name of downloaded Rasa X chart>

Using Helm to Generate Object Configurations

Even if Helm is not configured in your cluster, you can still use Helm to generate the OpenShift / Kubernetes object configurations for Rasa X with your custom overrides:

$ helm template --values <path to your override file> <chart name> > generated.yml

Then create the object configurations based on this file:

$ kubectl create -f generated.yml  # Kubernetes
$ oc create -f generated.yml       # OpenShift

Logging in for the First Time

Rasa X CE

If you are using Rasa X CE, please set your admin password by executing this within the Rasa X pod:

$ kubectl exec -it <Rasa X pod name> bash  # Kubernetes
$ oc exec -it <Rasa X pod name> bash       # OpenShift

$ cd scripts
$ python create --update me <your password> admin

Rasa X EE

You can create a new user by using the terminal of the Rasa X pod:

$ kubectl exec -it <Rasa X pod name> bash  # Kubernetes
$ oc exec -it <Rasa X pod name> bash       # OpenShift

$ cd scripts
$ python create [username] [password] [role]

Possible values for role are admin, annotator, and tester.