Deployment Guide

Kubernetes + Meridian

Deploy Meridian's licensing backend alongside your workloads. A single sidecar container handles validation, heartbeat, and offline grace caching with zero external dependencies beyond your cluster.

Prerequisites

  • Kubernetes 1.27+ cluster with kubectl configured
  • Meridian API key with license:validate scope
  • Container runtime with linux/amd64 or linux/arm64 support

Step 1 — Store Your API Key

Create a Kubernetes Secret so the sidecar can authenticate without hardcoding credentials in your deployment manifest.

kubectl create secret generic meridian-api-key \
  --from-literal=key=mrd_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \
  --namespace=production

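Replace mrd_live_... with your actual key from the dashboard. Use a dedicated namespace for production workloads. Because --from-literal puts the key on the command line, it is recorded in your shell history; remove that entry once the Secret is created.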

Step 2 — Add the Sidecar

Expose the Secret to the sidecar as an environment variable and add the Meridian sidecar container to your existing Deployment. The sidecar exposes a local HTTP endpoint on port 4190.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-licensed-app
  namespace: production
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-licensed-app
  template:
    metadata:
      labels:
        app: my-licensed-app
    spec:
      containers:
        - name: app
          image: my-registry/my-app:v2.1.0
          ports:
            - containerPort: 8080
          env:
            - name: MERIDIAN_SIDECAR_URL
              value: "http://localhost:4190"
        - name: meridian-sidecar
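          # Pin a specific version tag or image digest for production;
          # :latest can resolve to a different image on each pod restart.
          image: getnimbus/meridian-sidecar:latest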
          ports:
            - containerPort: 4190
          env:
            - name: MERIDIAN_API_KEY
              valueFrom:
                secretKeyRef:
                  name: meridian-api-key
                  key: key
            - name: MERIDIAN_PRODUCT_ID
              value: "prod_9a7f3c2e1b"
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi
          readinessProbe:
            httpGet:
              path: /health
              port: 4190
            initialDelaySeconds: 2
            periodSeconds: 5

Step 3 — Validate from Your App

Your application calls the sidecar at startup and periodically thereafter. The sidecar handles retries, circuit breaking, and offline grace caching automatically.

curl -s http://localhost:4190/v1/validate \
  -H "Content-Type: application/json" \
  -d '{"license_key": "NMB-XXXX-XXXX-XXXX"}'

Expected response: {"valid":true,"tier":"pro","expires":"2026-08-14T00:00:00Z"}. On failure the sidecar returns a structured error with a retry_after hint.

Offline Grace Caching

When the Meridian API is unreachable, the sidecar serves cached validation results signed with an HMAC derived from your product secret. The cache remains valid for the duration configured in your dashboard (default: 72 hours).

# Override cache duration via environment variable
- name: MERIDIAN_OFFLINE_GRACE_HOURS
  value: "168"

Set this to 0 to disable offline grace entirely — every validation will require a live API call.
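
The following sketch illustrates the mechanism described in this section: a cached validation result that is HMAC-signed and only served inside the grace window. It is an added example, not Meridian's sidecar code; the key derivation, the record layout and the function names (derive_cache_key, seal, open_cached) are assumptions, and the secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import json

DEFAULT_GRACE_HOURS = 72  # default grace window stated in this guide


def derive_cache_key(product_secret: bytes) -> bytes:
    # Assumed derivation: domain-separated HMAC-SHA256 of the product secret.
    return hmac.new(product_secret, b"offline-grace-cache-v1", hashlib.sha256).digest()


def seal(result: dict, key: bytes, now: float) -> dict:
    """Wrap a live validation result with its cache time and an HMAC tag."""
    body = json.dumps({"result": result, "cached_at": int(now)}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_cached(entry: dict, key: bytes, now: float,
                grace_hours: int = DEFAULT_GRACE_HOURS):
    """Return the cached result, or None if it must not be served."""
    if grace_hours <= 0:
        return None  # grace disabled: every validation needs a live call
    try:
        body, tag = entry["body"], entry["tag"]
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison, done before the body is parsed or trusted.
        if not hmac.compare_digest(expected, tag):
            return None
        record = json.loads(body)
        age = now - record["cached_at"]
    except (KeyError, TypeError, AttributeError, ValueError):
        return None  # malformed entry: fail closed
    if age < 0 or age > grace_hours * 3600:
        return None  # timestamp in the future, or grace window exceeded
    return record["result"]


if __name__ == "__main__":
    key = derive_cache_key(b"constructed-product-secret")  # constructed sample
    t0 = 1_700_000_000  # constructed timestamp of the last live validation
    entry = seal({"valid": True, "tier": "pro"}, key, t0)
    print("1h offline:", open_cached(entry, key, t0 + 3600))
    print("73h offline:", open_cached(entry, key, t0 + 73 * 3600))
```

The cached_at timestamp sits inside the signed body, so editing it to extend the grace window invalidates the tag just as editing the tier would.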