Deploy AKKO from Harbor¶

For production deployments, AKKO images and Helm chart are delivered through the AKKO Harbor registry at harbor.akko-ai.com. Clients install AKKO without cloning the Git repository or building images locally.

Prerequisites¶

A reachable Kubernetes cluster (v1.28+). Tested targets: k3s, OpenShift 4.14+, Outscale OKS, OVHcloud Managed Kubernetes, EKS, AKS, GKE.
kubectl configured against the target cluster
helm ≥ 3.14
DNS for your chosen base domain pointing to the cluster ingress
(Optional) A read-only Harbor account if your project is private

One-command install¶

curl -fsSL https://raw.githubusercontent.com/AKKO-p/AKKO/main/helm/scripts/deploy-from-harbor.sh \
  -o deploy-akko.sh

AKKO_DOMAIN=akko.my-company.example \
AKKO_VERSION=2026.04 \
  bash deploy-akko.sh

That's it. The script:

Logs into Harbor (if credentials are provided)
Creates the akko namespace + Harbor pull secret
Generates values-domain.yaml and realm-domain.json derived from your domain
Generates dev secrets on first run
Runs helm upgrade --install akko oci://harbor.akko-ai.com/akko-charts/akko --version <VERSION>
Waits for the critical workloads to become ready
Prints the cockpit URL

Install from the OCI Helm registry (manual, multi-cluster)¶

The one-command script above is the easiest path. For operators who want direct control — for example to install AKKO on a fleet of clusters from a single workstation — pull the chart artifact directly:

# Optional: log in if your Harbor project is private.
helm registry login harbor.akko-ai.com

# 1. Pull a pinned chart version locally.
helm pull oci://harbor.akko-ai.com/akko-charts/akko \
  --version 2026.4.1 \
  --untar -d /tmp/akko-chart

# 2. Inspect what is inside (optional but recommended).
helm show chart  /tmp/akko-chart/akko
helm show values /tmp/akko-chart/akko | head -100

# 3. Install on cluster A.
kubectl --context cluster-a create namespace akko --dry-run=client -o yaml | \
  kubectl --context cluster-a apply -f -

helm --kube-context cluster-a install akko /tmp/akko-chart/akko \
  --namespace akko \
  -f values-cluster-a.yaml \
  --wait --timeout 20m

# 4. Install on cluster B with a different domain — same chart bytes.
helm --kube-context cluster-b install akko /tmp/akko-chart/akko \
  --namespace akko \
  -f values-cluster-b.yaml \
  --wait --timeout 20m

Or, for a one-shot install without untar:

helm install akko oci://harbor.akko-ai.com/akko-charts/akko \
  --version 2026.4.1 \
  --namespace akko --create-namespace \
  -f values-domain.yaml \
  -f values-dev-secrets.yaml

This is the same path the --from-oci flag of helm/scripts/deploy-netcup-full.sh exercises end-to-end on the AKKO production cluster (Sprint 46 stream A4 / ADR-034 (ADR-034)).

Why OCI and not an HTTP repository?¶

Single registry surface (the same Harbor that hosts the AKKO container images).
Content-addressed by digest — deterministic re-installs.
Native cosign signing (Sprint 46 stream A1).
No index.yaml to maintain; no second backup target; no public-CDN dependency.

See ADR-034 (ADR-034) for the full reasoning and the multi-channel plan (stable / beta / nightly tags).

What is pulled from Harbor?¶

Artefact	Source	Signature
Helm chart `akko`	`oci://harbor.akko-ai.com/akko-charts/akko`	Cosign keyless
`akko-cockpit` image	`harbor.akko-ai.com/akko/akko-cockpit:2026.04`	Cosign keyless
`akko-postgres` image	`harbor.akko-ai.com/akko/akko-postgres:2026.04`	Cosign keyless
`akko-spark` image	`harbor.akko-ai.com/akko/akko-spark:2026.04`	Cosign keyless
`akko-trino` image (plugin)	`harbor.akko-ai.com/akko/akko-trino:2026.04`	Cosign keyless
`akko-ai-service` image	`harbor.akko-ai.com/akko/akko-ai-service:2026.04`	Cosign keyless
`akko-aden` image	`harbor.akko-ai.com/akko/akko-aden:2026.04`	Cosign keyless
`akko-mlflow` image	`harbor.akko-ai.com/akko/akko-mlflow:2026.04`	Cosign keyless
`akko-mcp-trino` / `akko-mcp-openmetadata`	`harbor.akko-ai.com/akko/akko-mcp-*:2026.04`	Cosign keyless
`akko-docs` image	`harbor.akko-ai.com/akko/akko-docs:2026.04`	Cosign keyless
Third-party images (Keycloak, Airflow, Superset, Ollama, OpenMetadata, ...)	Upstream registries	Upstream signatures

All images are Trivy-scanned at publish time. Builds failing on CRITICAL CVEs never reach Harbor.

Verify signatures (optional but recommended)¶

cosign verify \
  --certificate-identity-regexp "ci\.akko-ai\.com/AKKO-p/AKKO/\.woodpecker/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  harbor.akko-ai.com/akko/akko-cockpit:2026.04

Upgrade¶

Re-run the same script with a newer AKKO_VERSION. The chart is idempotent and preserves existing secrets through lookup.

AKKO_DOMAIN=akko.my-company.example \
AKKO_VERSION=2026.05 \
  bash deploy-akko.sh

Offline / air-gapped¶

If your cluster cannot reach the public Harbor:

On an online machine, helm pull oci://harbor.akko-ai.com/akko-charts/akko --version 2026.04
Mirror all images listed above into your internal registry
Override global.image.registry via a custom values file:

global:
  image:
    registry: internal-registry.corp.example

Install the chart from the local tarball:

helm install akko ./akko-2026.04.tgz \
  -f values-internal-registry.yaml \
  -f values-domain.yaml \
  -f values-dev-secrets.yaml

Troubleshooting¶

Symptom	Check
`ImagePullBackOff`	`kubectl describe pod` — Harbor login, pull secret, project visibility
Chart not found	Harbor login: `helm registry login harbor.akko-ai.com`
Signature verification fails	Cosign keyless needs Rekor reachable — try `--insecure-ignore-tlog=true` for testing
Resources not reconciling	`kubectl describe deployment/<name>` — CPU/memory limits, node capacity

Commercial note¶

Images and charts published on harbor.akko-ai.com are distributed under the AKKO distribution terms. Binaries bundle several permissively-licensed open-source components (Apache 2.0, MIT, BSD). A per-component inventory is available at docs/licenses/inventory.md.