Getting the Images and Helm Chart
The Enterprise Development Kit Deployment repository uses published images only. The public customer deployment surface is the deployment repository: Compose, Helm, gateway examples, Postman, and provisioning scripts.
The enterprise service images are published as:
nexus.sphereon.com/edk-docker/enterprise-platform
nexus.sphereon.com/edk-docker/enterprise-tenant-kms
nexus.sphereon.com/edk-docker/enterprise-did
nexus.sphereon.com/edk-docker/enterprise-tenant-as
nexus.sphereon.com/edk-docker/enterprise-issuer
nexus.sphereon.com/edk-docker/enterprise-verifier
nexus.sphereon.com/edk-docker/admin-console
The six JVM service images run as a non-root user, expose REST on port 8080 unless documented otherwise, and read their configuration from mounted YAML and environment variables. The admin-console image is a Next.js server on port 3000 and is routed at /admin-console on the platform host. Database credentials, JWT issuers, license material, and public hostnames are never baked into the images.
The enterprise images are served from the private Nexus Docker repository nexus.sphereon.com/edk-docker. The Helm chart is served from the private Nexus Helm repository https://nexus.sphereon.com/repository/edk-helm. Sphereon supplies credentials for both repositories during onboarding.
Installing with Helm
The edk-enterprise chart in the deployment repository, at helm/edk-enterprise, deploys the platform, tenant runtime services, and admin console with hardened defaults: non-root pods, read-only root filesystems, network policies, and a public/internal ingress split that keeps the KMS and the administrative APIs off the public ingress.
# Pull secret for the private Nexus Docker repository
kubectl create secret docker-registry sphereon-pull \
  --docker-server=nexus.sphereon.com \
  --docker-username=<username> --docker-password=<token>
# Database credentials, referenced by the chart through existingSecret
kubectl create secret generic edk-platform-postgres \
  --from-literal=username=<platform-db-user> --from-literal=password=<platform-db-password>
kubectl create secret generic edk-tenant-postgres \
  --from-literal=username=<tenant-db-user> --from-literal=password=<tenant-db-password>
# The indexed key is quoted so the shell does not treat [0] as a glob pattern
helm upgrade --install edk helm/edk-enterprise \
  --set 'global.imagePullSecrets[0].name=sphereon-pull' \
  --set database.platform.host=<platform-postgres-host> \
  --set database.platform.name=<platform-db-name> \
  --set database.platform.existingSecret=edk-platform-postgres \
  --set database.tenant.host=<tenant-postgres-host> \
  --set database.tenant.name=<tenant-db-name> \
  --set database.tenant.existingSecret=edk-tenant-postgres \
  --set database.tenant.isolation=schema \
  --set database.tenant.schemaPattern='tenant_{id}'
The chart does not deploy PostgreSQL. Point it at a platform database for the platform service and a tenant workload database for tenant-KMS, DID, tenant-AS, issuer, and verifier. The tenant workload database uses one schema per tenant by default. Example values files under helm/edk-enterprise/examples cover external managed Postgres, JWT service authentication, mesh mTLS, and OpenTelemetry export.
Once the pods report ready, continue with platform onboarding. After the first run completes and the license is active, operators sign in at https://platform.<base-domain>/admin-console.
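To confirm that a running release still has the hardened defaults described above (non-root pods, read-only root filesystems, published images only), the following added example audits the output of `kubectl get pods -o json`. It is not part of the deployment repository; the pod names, the `TAG` placeholder and the `audit_pods` helper are assumptions made for illustration, and the security context fields are the standard Kubernetes ones.

```python
import json
import sys

REGISTRY = "nexus.sphereon.com/edk-docker/"  # image prefix listed on this page

# Constructed sample in the shape of `kubectl get pods -o json`; pod names and
# the "TAG" placeholder are assumptions, not values from the chart.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "edk-issuer"},
   "spec": {"securityContext": {"runAsNonRoot": true},
            "containers": [{"name": "issuer",
              "image": "nexus.sphereon.com/edk-docker/enterprise-issuer:TAG",
              "securityContext": {"readOnlyRootFilesystem": true}}]}},
  {"metadata": {"name": "edk-verifier"},
   "spec": {"containers": [{"name": "verifier",
              "image": "registry.example/mirror/enterprise-verifier:TAG",
              "securityContext": {"runAsUser": 0}}]}}
]}
""")


def audit_pods(pod_list):
    """Return sorted (pod, container, finding) tuples for containers that have
    drifted from: non-root, read-only root filesystem, published image."""
    findings = []
    for pod in pod_list.get("items", []):
        name, spec = pod["metadata"]["name"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            sc = c.get("securityContext") or {}
            # Container-level settings override the pod-level ones.
            non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0 or (uid is None and non_root is not True):
                findings.append((name, c["name"], "non-root not enforced"))
            if sc.get("readOnlyRootFilesystem") is not True:
                findings.append((name, c["name"], "writable root filesystem"))
            if not c["image"].startswith(REGISTRY):
                findings.append((name, c["name"], "image not from " + REGISTRY))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe live data in, or run with no input to audit the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_pods(data):
        print(*finding, sep="\t")
    sys.exit(1 if audit_pods(data) else 0)
```

Pipe `kubectl get pods -o json` into the script to audit a live namespace; a non-zero exit status means at least one container has drifted. Sidecar containers injected by a service mesh are reported by the image check as well.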