Overview
RPI is distributed as container images deployable on Kubernetes using the RPI Helm Chart. This guide covers container configuration, health checks, and application settings.
Container images
The following container images are included in the RPI Helm Chart:
|
Image |
Service |
Description |
|---|---|---|
|
|
Interaction API |
Client-facing API for campaign management and execution |
|
|
Integration API |
Third-party integration endpoints |
|
|
Execution Service |
Workflow and campaign execution engine |
|
|
Node Manager |
Distributed execution coordination |
|
|
Queue Reader |
Queue draining and realtime event processing |
|
|
Callback API |
Asynchronous callback processing |
|
|
Realtime API |
Realtime decisioning, caching, and visitor profiling |
|
|
Deployment API |
Database schema management and licensing |
|
|
Redis |
Internal cache for Queue Reader distributed processing |
|
|
RabbitMQ |
Internal message queue for distributed processing |
All images are pulled from a single registry using a shared tag:
global:
deployment:
images:
registry: rg1acrpub.azurecr.io/docker/redpointglobal/releases
tag: "7.7.20260325.1521"
The chart constructs each image path as {registry}/{service-name}:{tag}.
Application settings
RPI services are configured through two mechanisms:
-
Environment variables: set via the Helm overrides file. The chart translates your overrides into the correct environment variables for each service.
-
Cloud secret managers (SDK provider): sensitive values read directly from Azure Key Vault, AWS Secrets Manager, or Google Secret Manager at runtime.
For the complete list of all configurable settings, defaults, and descriptions, use the Helm Assistant Values Reference (Reference tab).
How the Helm Chart manages settings
In v7.x, all application settings are managed by the Helm chart. You do not need to create appsettings.json override files. Instead, configure settings in your overrides file and the chart translates them to the correct environment variables.
For example, to configure the execution service:
executionservice:
internalCache:
enabled: true
provider: filesystem
backupToOpsDBInterval: "00:00:20"
maxNumberRetries: "100"
maxRetryDelay: "00:02:00"
jobExecution:
maxThreadsPerExecutionService: 50
taskTimeout: 60
The chart translates these to environment variables like InternalCache__BackupToOpsDBInterval, RPIExecution__MaxThreadsPerExecutionService, etc.
Connection strings
All services require connection strings to the operational and logging databases. How these are provided depends on your secrets management provider:
|
Provider |
How connection strings are provided |
|---|---|
|
kubernetes |
Stored in a K8s Secret, injected via |
|
csi |
Synced from vault to K8s Secret via CSI driver, injected via |
|
sdk |
Read directly from cloud vault at runtime (no K8s Secret). |
File output directory
All RPI services that produce file output (CSV exports, reports) require access to a shared directory. This is configured via the storage.persistentVolumeClaims.FileOutputDirectory section in your overrides:
storage:
persistentVolumeClaims:
FileOutputDirectory:
enabled: true
claimName: rpifileoutputdir
mountPath: /rpifileoutputdir
The mount path can be overridden per tenant via the FileOutputDirectory system configuration setting in the RPI client interface.
TLS and ingress
HTTPS is terminated at the ingress controller. RPI services listen on HTTP (port 8080) internally, and the ingress controller handles TLS termination for all external traffic.
The TLS certificate can be provided in several ways depending on your setup:
|
Method |
How it works |
|---|---|
|
K8s TLS Secret |
Create with |
|
cert-manager |
Automatically provisions and renews certificates from Let's Encrypt or internal CAs. |
|
Cloud load balancer |
Terminate TLS at the cloud load balancer (e.g., AWS ACM, Azure Application Gateway). |
Example ingress configuration:
ingress:
className: nginx
domain: example.com
tls:
- secretName: ingress-tls
hosts:
- rpi-interactionapi.example.com
- rpi-deploymentapi.example.com
hosts:
config: rpi-deploymentapi
client: rpi-interactionapi
realtime: rpi-realtimeapi
The chart creates Ingress resources with the specified TLS configuration. No TLS configuration is needed on the RPI containers themselves.
Health checks
RPI services expose HTTP health check endpoints for Kubernetes liveness and readiness probes:
|
Endpoint |
Purpose |
|---|---|
|
|
Readiness - is the service ready to accept traffic? |
|
|
Liveness - is the service process alive? |
What each endpoint checks
|
Service |
Readiness |
Liveness |
|---|---|---|
|
Interaction API |
API + Pulse database available |
API available |
|
Deployment API |
API available |
API available |
|
Execution Service |
Heartbeat updated |
Heartbeat updated |
|
Node Manager |
Heartbeat updated |
Heartbeat updated |
|
Queue Reader |
Heartbeat updated |
Heartbeat updated |
|
Realtime API |
API + Agent + Cache + OAuth DB (if configured) |
API available |
|
Callback API |
API available |
API available |
|
Integration API |
API available |
API available |
Example response
{
"status": "Healthy",
"results": {
"NodeManagerHeartbeat": {
"status": "Healthy"
}
}
}
Probe configuration
The Helm chart configures probes automatically with tuned defaults. You can override probe settings per service if needed, but the defaults are suitable for most deployments.
Secrets management
v7.7 supports three secrets management providers. Choose based on your infrastructure:
|
Provider |
How it works |
|---|---|
|
kubernetes |
Chart creates K8s Secrets from values or CLI input. |
|
csi |
CSI Secrets Store Driver syncs from cloud vault to K8s Secret. |
|
sdk (recommended for cloud) |
Services read secrets directly from vault at runtime. |
For full details, see the Secrets Management Guide.
Cloud identity
RPI services authenticate to cloud resources using workload identity:
|
Platform |
Mechanism |
|---|---|
|
Azure |
Workload Identity Federation (Managed Identity + ServiceAccount annotation) |
|
AWS |
IRSA (IAM Role + ServiceAccount annotation) |
|
|
GKE Workload Identity (GCP Service Account + ServiceAccount annotation) |
Configure in your overrides:
cloudIdentity:
enabled: true
serviceAccount:
mode: shared # shared | per-service
name: redpoint-rpi
azure:
managedIdentityClientId: "..."
tenantId: "..."
In per-service mode, cloud identity annotations are opt-in per service:
executionservice:
cloudIdentity: true # only this service gets workload identity
Logging
Logging levels are configurable per service. The chart defaults all channels to Error. Override per service:
executionservice:
logging:
default: Error
database: Error
rpiTrace: Error
rpiError: Error
console: Error
The Realtime API has additional logging channels:
realtimeapi:
logging:
realtimeagent:
default: Error
database: Error
rpiTrace: Error
rpiError: Error
console: Error
realtimeapi:
default: Error
endpoint: Error
shared: Error
plugins: Error
other: Error
console: "false"
Diagnostics
Enable .NET diagnostics tools for troubleshooting:
diagnosticsMode:
dotNetTools:
enabled: true
useGcDump: true
useCounters: false
When turned on, the chart adds DOTNET_BUNDLE_EXTRACT_BASE_DIR and RPI__Diagnostics__UseDotNetTools__* environment variables to all applicable services.
ServiceMesh (Linkerd)
The chart supports Linkerd integration for mTLS and traffic policy:
serviceMesh:
enabled: true
provider: linkerd
podAnnotations:
config.linkerd.io/skip-outbound-ports: "443"
config.linkerd.io/proxy-outbound-connect-timeout: 240000ms
servers:
- name: aks-rpi-interactionapi
- name: aks-rpi-executionservice
Per-service opt-out: deploymentapi: { serviceMesh: false }
Additional resources
-
Helm Chart Repository: chart source and documentation
-
Upgrade Guide: upgrading from v7.6 to v7.7
-
Secrets Management: required vault keys and provider configuration
-
Helm Assistant: AI-assisted configuration and troubleshooting
-
RPI Product Docs: application documentation