This document describes how to set up a deployment of Inrupt Enterprise Solid Server (ESS). To set up a deployment, ESS provides various Kustomize overlays that can act as the base configuration for your deployment.

See also Release Notes.


Starting in ESS 2.1, the image reference to PostgreSQL, in Inrupt’s non-production overlay (i.e., the standalone overlay), has been upgraded from version 14 to 15. Customers who are using Inrupt’s standalone overlay need to reset their state or upgrade Postgres.

This change does NOT affect those deployments that use the production overlay (i.e., the scalable-cloud overlay). Customers using the scalable-cloud overlay use their own stateful services and are not impacted by the change.

PodSpaces (Developer Preview)

Inrupt provides hosted versions of the Enterprise Solid Server, eliminating the installation overhead. For more information, see Inrupt PodSpaces.



The tutorial follows the Infrastructure as Code (IaC) practice for managing the system and assumes the installation directory is under source control. Specifically, since secrets are stored in the configuration files, the tutorial assumes the directory is stored in a private repository and kept secure.

Entitlement Token#

To login to Inrupt’s private Docker registry and download the ESS Docker images, your enterprise needs to obtain an entitlement token from Inrupt.

For inquiries (including pricing inquiries) about obtaining the token, you can either:


The installation uses Linux Docker images. If Docker is not installed, refer to its official documentation to install.

Kubernetes Version#

ESS supports Kubernetes versions 1.21+.

Kubernetes Management Tool#

To deploy and manage the Kubernetes cluster, install a Kubernetes deployment tool (if not already installed).

This tutorial uses kubectl. To install kubectl, use the directions at

Kubernetes Environment#

For your Kubernetes Environment, ensure that the following features are enabled:

To enable these features for your Kubernetes environment, refer to your Kubernetes-specific documentation.

For an example, see Prepare a Local Kubernetes Environment to set up a local Kubernetes environment.

OIDC-Compliant Identity Provider#

ESS integrates with your OpenID Connect (OIDC) compliant Identity Provider (IdP). In addition, as part of the provided standalone overlay, ESS includes Keycloak. When using the provided Keycloak, your usernames should be alphanumeric.

To use your OIDC-compliant IdP, refer to your IdP’s official site to set up an OIDC application. When configuring the OIDC application:

Callback/Redirect URL

Set to https://openid.<ESS Domain>/callback.

OAuth 2.0 Flow

Set to Authorization code grant. For more information, see The OAuth 2.0 Authorization Framework.

OIDC Scopes

Must include openid and profile.


Contact Inrupt Support Center for guidance setting up an OIDC application with your IdP.

Publicly Accessible#

ESS services are designed to be accessible from and have access to the Internet. For example,

  • JSON Web Key Set (JWKS) may be hosted on external services, and ESS services would need access to those when running in an open Solid ecosystem.

  • If running ESS with certificates from LetsEncrypt, common LetsEncrypt validation challenges require Internet access.

  • With Internet access, ESS can also integrate with 3rd party services such as Identity Providers, Cloud Logging, Metrics, Telemetry systems.


Step 1: Initialize the Installation Directory#

  1. Start Docker.

  2. Open a terminal shell and login to Inrupt’s private Docker registry. When prompted for your password, enter your entitlement token:

    docker login  --username <userid>
  3. Get the latest 2.1 version of the inrupt-kustomizer:

    docker pull
  4. Initialize an empty installation directory with a base overlay for your environment:


    The tutorial follows the Infrastructure as Code (IaC) practice for managing the system and assumes the installation directory is under source control. Specifically, since secrets are stored in the configuration files, the tutorial assumes the directory is stored in a private repository and kept secure.

    As such, the steps include committing the directory and its files to your source control.

    1. Run the inrupt-kustomizer, specifying the absolute path to the installation directory.


      • If the specified directory does not exist, the operation creates the directory.

      • If the specified directory exists, ensure that the directory is empty. If the directory is not empty, the inrupt-kustomizer does not attempt to initialize the directory with the base configuration files.

      docker run -it -v ${HOME}/ess:/kustomize

      The operation prompts you to select from one of the available overlays provided by Inrupt as a base overlay:

      It appears that this environment hasn't been initialized.
      You can choose an overlay that you'd like to base this environment on.
      For more details please see:
      The available overlays are:
          ESS Scalable Cloud with external storage, queues and identity provider
          ESS Standalone with in-cluster storage, queues and identity provider
    2. Enter the overlay to use. For example, to use the ESS 2.1 Scalable Cloud overlay as the base, enter scalable-cloud:

      Please enter the overlay you would like to use [scalable-cloud]: scalable-cloud


      You may choose to run ESS on other Kubernetes environments. To install ESS as a standalone on a local environment, contact Inrupt for technical assistance.

      The operation populates the specified installation directory with various files needed to set up your environment.

      Extracting inputs required for overlay "scalable-cloud"...
      The inputs for "scalable-cloud" are now in the "inputs" folder
      Generating "kustomization.yaml" to allow you to fine-tune your environment...
      Please refer to the readme.txt file that was generated. It contains instructions on how to set up your environment.
    3. Place the directory under source control in a private repo.


      Secrets are placed in the files contained within the directory. Ensure the directory is in a private repo.

Step 2: Update Inputs and Build#

During the initialization, Inrupt generates a readme.txt file in the installation directory. The file provides instructions on updating inputs for your deployment and building the deployment file.

  1. Go to the installation directory.

    cd ${HOME}/ess
  2. Using the instructions in the readme.txt file, update the inputs in the base overlay for your deployment.

    Tip on Kafka Message Encryption

    ESS’ services communicate with each other by sending messages through Kafka.

    By default, Inrupt enables data encryption for all data that pass through the Kafka messaging system.

    As part of updating the inputs for your deployment, define the data encryption keys for Kafka. Specifically, in the kafka-credentials.env file, downloaded as part of the installation:

    • Set INRUPT_KAFKA_SOLIDRESOURCE_CIPHER_PASSWORD to a strong password. This is used for encrypting and decrypting Solid resource notification events.

    • Set INRUPT_KAFKA_AUDITV1EVENTSENCRYPTED_CIPHER_PASSWORD to a strong password. This is used for encrypting and decrypting Audit events.

    • Set INRUPT_KAFKA_SOLIDACCESSCONTROLRESOURCE_CIPHER_PASSWORD to a strong password. This is used for encrypting and decrypting Access Control Resource (ACR) notification events.


    You MUST set the data encryption key values to a strong password.

    Update any other input(s) as specified in the kafka-credentials.env file.

    For more information on the Kafka configurations in the kafka-credentials.env file, see ESS’ Kafka Configuration.

  3. After updating the inputs, build the deployment file per the instructions in the readme.txt file.

  4. Commit all changes in the directory to source control.


    Ensure that the repo is private.

Step 3: Optional. Customize Your Deployment Configuration#

Optionally, you can further customize your ESS deployment using Kustomize overlays, such as to use certificates from an official Certificate Authority (CA).


You can opt to customize after setting up a base deployment.

For examples on customizing your deployment with overlays, see Customize ESS.

Step 4: Deploy#

After you have built the deployment file, you can deploy.

  1. If not already, go to the installation directory:

    cd ${HOME}/ess
  2. Deploy to your Kubernetes environment:

    kubectl apply -f kustomized.yaml


    The deploy operation is idempotent. If the deploy operation does not complete successfully, you can safely retry the operation.

    Warning: Self-signed Certificates

    The provided base overlays create self-signed certificates. These self-signed certificates are for development purposes only. In production, ESS should be run with certificates from an official Certificate Authority (CA). For an example of how you can customize your deployment to use your production certificates, see Use Official Certificate Authority.

  3. You can view the ESS components and services that are running:

    kubectl -n ess get all
  4. For local standalone deployments, add the ESS service domains to the /etc/hosts file on your local machine.

    The following steps are specific to Linux operating system.

    1. Get your local Kubernetes cluster IP address:

      K8_IP=$(kubectl get nodes -o jsonpath="{.items[*].status.addresses[?(@.type=='InternalIP')].address}")
    2. Get a list of the ESS service domains:

      ESS_DOMAINS=$(grep "host: " kustomized.yaml | awk '{print $3}' | sort -u | tr -d '\r' | tr '\n' ' ')
    3. Backup your /etc/hosts file:

      sudo cp /etc/hosts /etc/hosts.bak
    4. Update the /etc/hosts:

      sudo sed -n -e '/# ESS-DOMAINS-BEGIN/,/# ESS-DOMAINS-END/!p' -e '$a# ESS-DOMAINS-BEGIN\n'"$K8_IP $ESS_DOMAINS"'\n# ESS-DOMAINS-END' -i /etc/hosts
  5. To verify, go to https://start.{ESS DOMAIN}/.


Delete ESS#

Because ESS deploys to a namespace (ess), you can delete ESS by deleting the ess namespace:

kubectl delete namespace ess


Ensure that no other components have been deployed to the namespace.