Kubernetes Deployment

Enterprise

Zephyr's Kubernetes deployment option allows you to run the Zephyr edge worker on your own Kubernetes infrastructure. This deployment model provides maximum control over your infrastructure while leveraging Zephyr's deployment and versioning capabilities.

Enterprise Only

Kubernetes deployment is available exclusively for Enterprise customers. If you're interested in deploying Zephyr on your own K8S infrastructure, please contact our sales team to discuss your requirements.

Overview

The Kubernetes edge worker is a containerized service that handles asset uploads and serves your deployed applications. It integrates with:

S3-compatible storage (AWS S3, MinIO, Ceph, etc.) for asset storage
Redis-compatible KV store for environment configuration and snapshots

Configuration

The recommended way to configure the worker is using a JSON config file mounted as a Kubernetes Secret. This approach keeps all your configuration in one place and makes it easier to manage secrets securely.

Alternatively, you can use environment variables directly, though this is less recommended for production deployments.

JSON Config File (Recommended)

Create a JSON file containing all your configuration. All keys use the ZE_WORKER_ prefix:

// Example configuration
{
  "ZE_WORKER_JWT_SECRET": "your-secret-key",
  "ZE_WORKER_S3_ENDPOINT": "https://s3.amazonaws.com",
  "ZE_WORKER_S3_REGION": "us-east-1",
  "ZE_WORKER_S3_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE",
  "ZE_WORKER_S3_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "ZE_WORKER_S3_BUCKET": "zephyr-assets",
  "ZE_WORKER_S3_FORCE_PATH_STYLE": "false",
  "ZE_WORKER_REDIS_HOST": "redis.default.svc.cluster.local",
  "ZE_WORKER_REDIS_PORT": "6379",
  "ZE_WORKER_REDIS_PASSWORD": "your-redis-password",
  "ZE_WORKER_REDIS_TLS": "true",
  "ZE_WORKER_PORT": "8080",
  "ZE_WORKER_LOG_LEVEL": "info",
  "ZE_WORKER_DELIMITER": "-",
}

Health Check Endpoints

The worker exposes the following health check endpoints for Kubernetes probes:

Endpoint	Type	Description
`GET /healthz`	Liveness probe	Always returns `200` if the process is running
`GET /readyz`	Readiness probe	Checks S3 and Redis connectivity; returns `200` if healthy, `503` if not

Configuration Reference

Below is the complete reference for all available configuration options. These can be set in your JSON config file or as environment variables.

Required Options

Key	Description	Example
`ZE_WORKER_JWT_SECRET`	Secret key for JWT token validation	`your-secret-key-here`
`ZE_WORKER_S3_ENDPOINT`	S3-compatible storage endpoint URL	`https://s3.amazonaws.com` or `http://minio:9000`
`ZE_WORKER_S3_ACCESS_KEY_ID`	S3 access key ID	`AKIAIOSFODNN7EXAMPLE`
`ZE_WORKER_S3_SECRET_ACCESS_KEY`	S3 secret access key	`wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`
`ZE_WORKER_S3_BUCKET`	S3 bucket name for storing assets	`zephyr-assets`
`ZE_WORKER_REDIS_HOST`	Redis-compatible KV store hostname	`redis.default.svc.cluster.local`

Server Options

Key	Description	Default	Example
`ZE_WORKER_PORT`	HTTP server port	`8080`	`3000`
`ZE_WORKER_LOG_LEVEL`	Logging level	`info`	`debug`, `trace`, `warn`, `error`, `fatal`
`ZE_WORKER_DELIMITER`	Delimiter for hostname parsing	`-`	`.` or `_`

S3 Options

Key	Description	Default	Example
`ZE_WORKER_S3_REGION`	S3 region	`us-east-1`	`eu-west-1`
`ZE_WORKER_S3_FORCE_PATH_STYLE`	Use path-style URLs (required for MinIO/Ceph)	`true`	`false`

Redis Options

Key	Description	Default	Example
`ZE_WORKER_REDIS_PORT`	Redis port	`6379`	`6380`
`ZE_WORKER_REDIS_PASSWORD`	Redis password (if required)	(empty)	`your-redis-password`
`ZE_WORKER_REDIS_TLS`	Enable TLS for Redis connection	`false`	`true`
`ZE_WORKER_REDIS_DB`	Redis database number	`0`	`1`, `2`, etc.
`ZE_WORKER_REDIS_PREFIX_ENVS`	Key prefix for environment variables	`{ze-k8s-worker}:envs:`	`{myapp}:envs:`
`ZE_WORKER_REDIS_PREFIX_SNAPSHOTS`	Key prefix for snapshots	`{ze-k8s-worker}:snapshots:`	`{myapp}:snapshots:`

Redis Key Prefixes

The curly braces {} in the default prefixes enable Redis Cluster hash tags. This ensures all keys with the same hash tag are stored on the same cluster node, enabling multi-key operations, transactions, and better performance. For standalone Redis instances, the braces have no special meaning but don't cause issues.

Replication Options

Key	Description	Default	Example
`ZE_WORKER_REPLICA_NAME`	Name for this replica instance (enables replication)	(empty)	`us-east-1`, `eu-west-1`
`ZE_WORKER_REPLICAS_URLS`	List of replica worker URLs to sync to (JSON array or comma-separated)	(empty)	`["https://a.example.com", "https://b.example.com"]`

Replication Mode

Replication is enabled when ZE_WORKER_REPLICA_NAME is set. The replica name identifies this worker instance in logs.

Using Environment Variables

While the JSON config file is recommended, you can also configure the worker using environment variables directly. This can be useful for simple setups or when integrating with external secret management systems.

Set ZE_WORKER_CONFIG_JSON to the path of your config file. If both are provided, values in the JSON file take precedence over environment variables.

env:
  - name: ZE_WORKER_JWT_SECRET
    valueFrom:
      secretKeyRef:
        name: ze-worker-secrets
        key: jwt-secret
  - name: ZE_WORKER_S3_ENDPOINT
    value: 'https://s3.us-west-2.amazonaws.com'
  - name: ZE_WORKER_S3_ACCESS_KEY_ID
    valueFrom:
      secretKeyRef:
        name: ze-worker-secrets
        key: s3-access-key
  # ... additional environment variables

Scaling and Replication

Zephyr workers support two scaling modes that can be used independently or combined:

Mode	Storage	Replication	Use Case
Same-region scaling	Shared S3/Redis	None needed	Horizontal scaling, high availability
Multi-region	Separate per region	HTTP sync between regions	Low latency, geo-distribution

Check worker logs on startup to verify replication:

# Workers with REPLICAS_URLS set (replicate to other regions)
[K8s Worker] Replica mode enabled
[K8s Worker] Replica name: us-east-1
[K8s Worker] Replicating to 1 replica(s): https://ze.eu.example.com

# Workers without REPLICAS_URLS (receive-only, share storage with primary)
[K8s Worker] Replica mode enabled
[K8s Worker] Replica name: us-east-2
[K8s Worker] No replica URLs configured (receive-only mode)

Same-Region Scaling

Multiple workers sharing the same S3 bucket and Redis instance. All workers read/write to the same storage, so no data replication is needed.

All workers use identical config. Only ZE_WORKER_REPLICA_NAME differs:

// US East - Worker 1
{
  "ZE_WORKER_REPLICA_NAME": "us-east-1-worker-1",
  "ZE_WORKER_S3_BUCKET": "zephyr-us-east",
  "ZE_WORKER_REDIS_HOST": "redis-us-east.example.com",
}

Multi-Region Replication

Each region has its own S3 and Redis. One primary worker per region replicates data to other regions' primaries via HTTP sync.

Each region lists other regions' load balancer URLs:

// US East
{
  "ZE_WORKER_REPLICA_NAME": "us-east-1",
  "ZE_WORKER_REPLICAS_URLS": [
    "https://ze.eu.example.com",
    "https://ze.ap.example.com",
  ],
  "ZE_WORKER_S3_BUCKET": "zephyr-us-east",
  "ZE_WORKER_REDIS_HOST": "redis-us-east.example.com",
}

Combined: Multi-Region with Scaling

Multiple workers per region (shared storage) + cross-region replication. All workers in a region replicate to one worker per other region.

All workers have ZE_WORKER_REPLICAS_URLS pointing to other regions' load balancers:

Worker	`ZE_WORKER_REPLICA_NAME`	`ZE_WORKER_REPLICAS_URLS`
US Worker 1	`us-east-1`	`["https://ze.eu.example.com"]`
US Worker 2	`us-east-2`	`["https://ze.eu.example.com"]`
EU Worker 1	`eu-west-1`	`["https://ze.us.example.com"]`
EU Worker 2	`eu-west-2`	`["https://ze.us.example.com"]`

Important

Same JWT secret: All workers across all regions must share ZE_WORKER_JWT_SECRET
One target per region: Include only one URL per region in ZE_WORKER_REPLICAS_URLS (typically the load balancer)
Eventual consistency: Cross-region replication is asynchronous

Troubleshooting

Common Issues

Worker fails to start

Verify all required configuration options are set
Check that S3 endpoint is reachable from within the cluster
Ensure Redis host is resolvable and accessible
Check the worker logs using kubectl

Readiness probe failing

Check S3 bucket exists and credentials have read/write access
Verify Redis connection (host, port, password, TLS settings)
Review worker logs for specific error messages

Assets not serving correctly

Confirm ZE_WORKER_DELIMITER matches your DNS configuration
Verify S3 bucket policy allows the worker to read objects
Check that the Ingress or load balancer is routing traffic correctly

Getting Help

If you encounter issues with your Kubernetes deployment, reach out to your Zephyr account representative or contact us on Discord.

#Kubernetes Deployment

#Overview

#Configuration

#JSON Config File (Recommended)

#Health Check Endpoints

#Configuration Reference

#Required Options

#Server Options

#S3 Options

#Redis Options

#Replication Options

#Using Environment Variables

#Scaling and Replication

#Same-Region Scaling

#Multi-Region Replication

#Combined: Multi-Region with Scaling

#Troubleshooting

#Common Issues

#Worker fails to start

#Readiness probe failing

#Assets not serving correctly

#Getting Help