This repository has been archived on 2023-12-10. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Justin Donnelly a29e7fb2fe init
2020-11-08 10:04:30 -05:00

Qlik Sense Enterprise

Introduction

This chart bootstraps a Qlik Sense Enterprise deployment on a Kubernetes cluster using the Helm package manager.

Installing the Chart

Run this prerequisite step to download the chart and install the custom resource definitions. It should only be performed once per cluster.

helm install --name qliksense-init qlik/qliksense-init

To install the chart with the release name qliksense:

helm install --name qliksense qlik/qsefe

For a local development install, do the following:

helm upgrade --install qliksense qlik/qsefe --set devMode.enabled=true,engine.acceptEULA="yes",edge-auth.deployment.oidc.enabled=true

The command deploys qliksense on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the qliksense deployment:

helm delete qliksense

The command removes all the Kubernetes components associated with the chart and deletes the release.

To uninstall/delete the init chart, no qliksense releases may remain in the cluster (in any namespace):

helm delete qliksense-init

Global chart Configuration

The following table lists the global configurable parameters of the qliksense chart and their default values. These values will propagate to all sub-components that utilize such configurations so they need only be defined once to apply to everything. For the full list of available options, see values.yaml.

| Parameter | Description | Default |
|---|---|---|
| global.imageRegistry | Docker image registry to use to pull all images (e.g. if you have a self-hosted registry with all the images) | nil |
| global.ingressClass | Global ingress class used for all the qliksense ingresses as well as the nginx-ingress-controller. Change this if you have multiple controllers that might otherwise pick up these ingresses | "qlik-nginx" |
| global.certs.enabled | Enable/disable the usage of a global CA certificate file, replacing all existing trusted CAs | false |
| global.certs.configMap.create | Enable/disable creating a CA certificate ConfigMap | false |
| global.certs.configMap.certs | The global CA certificate chain. Use this to supply a FULL CA certificate chain that your qliksense installation should trust | See values.yaml |
| global.certs.volume.hostPath | Mounts a CA certificate file or directory from the host node's filesystem into the Pod | nil |
| global.persistence.storageClass | Name of a global Persistent Volume StorageClass. This can be a pre-existing StorageClass defined in the cluster | "-" |
| global.persistence.internalStorageClass.enabled | Enable/disable deploying a StorageClass as part of the qliksense chart | false |
| global.persistence.internalStorageClass.definition | Definition of the internal StorageClass, including provider and parameters. Only needed if the internal StorageClass is enabled | {} |

Configuration

The following table lists some of the configurable parameters of the qliksense chart and their default values. For the full list of available options, see values.yaml.

| Parameter | Description | Default |
|---|---|---|
| engine.acceptEULA | Agree to the Qlik Sense engine EULA in order to activate it | "no" |
| engine.replicaCount | The number of replicas of the Qlik Sense Engine to deploy | "no" |
| engine.persistence | Defines the persistence layer of the engine. ReadWriteMany is required for multiple engines | |
| devMode.enabled | Activates "devMode" for local development (e.g. with minikube) and deploys a mongodb chart | false |
| mongodb.uri | The URI (with credentials) of the mongodb to use. Not used if devMode is active | |
| messaging.nats.auth.users[].user | User used by NATS-Streaming to authenticate to NATS (should be set in a production cluster) | natsClient |
| messaging.nats.auth.users[].password | Password used by NATS-Streaming to authenticate to NATS (should be set in a production cluster) | clientPass |
| messaging.nats.clusterAuth.password | Password used to authenticate NATS-to-NATS communication (should be set in a production cluster) | clusterPass |

NATS to NATS-Streaming password rotation

The nats chart supports an array of users (messaging.nats.auth.users) used for authenticating NATS-Streaming to NATS. NATS-Streaming uses the first entry in the array to authenticate to NATS; NATS also accepts any additional entries as valid credentials.

How to rotate

In this example we have a deployed cluster with a NATS-Streaming that authenticates using user user1 with password password1 from the following config. We want to update this to use password2 (configured below as the entry user2/password2).

auth:
  users:
  - user: user1
    password: password1

1. Add the new user/password as the first entry in the array, but leave the old entry second in the list. Then helm upgrade your release.

auth:
  users:
  - user: user2
    password: password2
  - user: user1
    password: password1

2. NATS will now accept both user/passwords, but NATS-Streaming will still be using the original entry to authenticate. The NATS-Streaming pods need to be restarted to pick up the new password from the first entry in messaging.nats.auth.users. Restart them one at a time, waiting for each replacement pod to become ready before deleting the next:

kubectl delete pod {Release.Name}-nats-streaming-2 # wait for the new pod to become ready
kubectl delete pod {Release.Name}-nats-streaming-1 # wait for the new pod to become ready
kubectl delete pod {Release.Name}-nats-streaming-0 # wait for the new pod to become ready

3. Finally, remove the old user from the messaging.nats.auth.users array and helm upgrade again so that NATS no longer accepts the old credential.

auth:
  users:
  - user: user2
    password: password2
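The three phases above as a small planning script, added here as an example (it is not part of the chart). It renders the values fragment for each phase, checks the invariant behind the ordering (the credential the running NATS-Streaming pods hold must stay accepted by NATS until they have been restarted), and emits the restart commands highest ordinal first. The release name qliksense and the replica count of 3 are assumptions.

```python
"""Plan a NATS password rotation for messaging.nats.auth.users (added example, not chart code)."""


def phase1_users(current, new_user, new_password):
    """Phase 1: prepend the new credential but keep every old entry, so the running
    NATS-Streaming pods (still using the old first entry) keep authenticating."""
    if any(u["user"] == new_user for u in current):
        raise ValueError(f"user {new_user!r} already exists; choose a new user name")
    return [{"user": new_user, "password": new_password}] + [dict(u) for u in current]


def phase3_users(after_phase1):
    """Phase 3: keep only the first entry (the one NATS-Streaming uses after the
    restart); NATS stops accepting every other credential."""
    return [dict(after_phase1[0])]


def still_accepted(in_use, proposed):
    """NATS-Streaming authenticates with the FIRST entry of the array it was started
    with. A helm upgrade is safe without a restart only if that credential is still
    present in the proposed array."""
    return any(u == in_use for u in proposed)


def restart_commands(release, replicas):
    """Phase 2: recreate the nats-streaming StatefulSet pods one at a time, highest
    ordinal first, waiting for each replacement to be Ready before the next delete.
    Release name and replica count are assumptions of this example."""
    cmds = []
    for i in reversed(range(replicas)):
        pod = f"{release}-nats-streaming-{i}"
        cmds.append(f"kubectl delete pod {pod}")
        cmds.append(f"kubectl wait --for=condition=Ready pod/{pod} --timeout=300s")
    return cmds


def render_values(users):
    """Render a values fragment for: helm upgrade <release> qlik/qsefe -f <file>."""
    lines = ["messaging:", "  nats:", "    auth:", "      users:"]
    for u in users:
        lines.append(f"      - user: {u['user']}")
        lines.append(f"        password: {u['password']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = [{"user": "user1", "password": "password1"}]  # constructed, as in the README
    p1 = phase1_users(current, "user2", "password2")
    print(render_values(p1))                              # apply this first, then:
    print("\n".join(restart_commands("qliksense", 3)))    # restart, then:
    print(render_values(phase3_users(p1)))                # apply only after the restart
```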

Identity provider, authentication and tenant configuration

The following table lists the authentication, tenant and identity provider configurations. You will need to configure an identity provider to be able to log in and use QlikSense.

| Parameter | Description | Default |
|---|---|---|
| edge-auth.configs.enforceTLS | When enabled, edge-auth will reject non-TLS requests on its external endpoints | true |
| edge-auth.configs.secureCookies | Restrict cookies to only be sent over SSL | false |
| edge-auth.configs.sessionTTLSeconds | The length of time in seconds that a session will live past the last interaction | 1800 |
| edge-auth.configs.sessionMaxLifetimeSeconds | The maximum length of time in seconds that a session can exist | 86400 (one day) |
| edge-auth.configs.loginStateLifetime | The maximum time allowed between initiating and completing a login | 5m |
| edge-auth.secrets.cookieKeys | Array of strings used for signing cookies | ["A secret key"] |
| edge-auth.secrets.stringData.tokenAuthPrivateKey | RSA or EC private signing key for internal JWTs | Generate an EC 384 private key: ssh-keygen -t ecdsa -b 384 -f jwtPrivateKey -N '' |
| edge-auth.secrets.stringData.loginStateKey | The key with which to sign the state parameter (base64 encoded); must be larger than 256 bits | To generate, use openssl rand -base64 32 |
| identity-providers.secrets.create | Create the secret resource for identity-providers | true |
| identity-providers.secrets.idpConfigs | Array of configs for identity providers | See following |
| identity-providers.secrets.idpConfigs[].allowedClientIds | An array of the IDs of allowed API clients; only client tokens with these client IDs will be allowed access. If no value is provided, any client with the correct claims will be allowed access | nil |
| identity-providers.secrets.idpConfigs[].audience | The audience value that tokens from the IdP are asserted to be issued for; default is qlik.api | qlik.api |
| identity-providers.secrets.idpConfigs[].claimsMapping | How to map the IdP's userinfo to internal fields (see Claims Mappings) | {sub: "sub", name: "name"} |
| identity-providers.secrets.idpConfigs[].claimsMapping.name | userinfo field to be mapped to the internal name field | nil |
| identity-providers.secrets.idpConfigs[].claimsMapping.sub | userinfo field to be mapped to the internal sub field | nil |
| identity-providers.secrets.idpConfigs[].clientId | IdP client ID | foo |
| identity-providers.secrets.idpConfigs[].clientSecret | IdP client secret | bar |
| identity-providers.secrets.idpConfigs[].clockToleranceSec | The clock tolerance in seconds, to compensate for clock skew between the IdP and this service; default is 5 | nil |
| identity-providers.secrets.idpConfigs[].discoveryUrl | IdP discovery URL | http://localhost:32123/.well-known/openid-configuration |
| identity-providers.secrets.idpConfigs[].hostname | Requests to this hostname will use this IdP | elastic.example |
| identity-providers.secrets.idpConfigs[].issuerConfig | IdP issuer config | See following |
| identity-providers.secrets.idpConfigs[].issuerConfig.authorization_endpoint | IdP authorization_endpoint URI | nil |
| identity-providers.secrets.idpConfigs[].issuerConfig.end_session_endpoint | IdP end_session_endpoint URI | nil |
| identity-providers.secrets.idpConfigs[].issuerConfig.introspection_endpoint | IdP introspection_endpoint URI | nil |
| identity-providers.secrets.idpConfigs[].issuerConfig.issuer | IdP issuer URI | |
| identity-providers.secrets.idpConfigs[].issuerConfig.jwks_uri | IdP jwks_uri URI | |
| identity-providers.secrets.idpConfigs[].issuerConfig.token_endpoint | IdP token_endpoint URI | |
| identity-providers.secrets.idpConfigs[].issuerConfig.userinfo_endpoint | IdP userinfo_endpoint URI | |
| identity-providers.secrets.idpConfigs[].postLogoutRedirectUri | URI to redirect to on logout; this only takes effect when end_session_endpoint is not configured | |
| identity-providers.secrets.idpConfigs[].primary | Boolean denoting whether this IdP is the primary one for the hostname. Primary IdPs are used for the interactive login; non-primary IdPs can only exchange tokens. Default is true | |
| identity-providers.secrets.idpConfigs[].realm | Realm name to associate with IdP users | simple |
| identity-providers.secrets.idpConfigs[].staticKeys | An array of public keys. This allows the IdP JWT verifier to use a static set (one or more) of public keys to verify external JWTs (identity tokens) | [] |
| identity-providers.secrets.idpConfigs[].staticKeys[].kid | The key id | |
| identity-providers.secrets.idpConfigs[].staticKeys[].pem | The PEM format key | |

Encryption

An encryption backend should be configured before starting to use QlikSense. The system currently supports running with encryption disabled, but it does not support enabling encryption on an already running QlikSense install.

This means that if encryption is disabled and later enabled, any data added to the system before encryption was enabled may become inaccessible.

At this time Vault is the only supported encryption backend.

| Parameter | Description | Default |
|---|---|---|
| encryption.enabled | Should encryption be enabled | true |
| encryption.backend.type | Backend to use. Set this to vault | |
| encryption.backend.uri | URI where Vault is located | |
| encryption.backend.auth.type | Type of auth to use when communicating with Vault. Set this to token | |
| encryption.backend.auth.token | Token to use when communicating with Vault | |
| encryption.backend.auth.tokenRenew | Should encryption auto-renew the token | |
| encryption.backend.auth.tokenRenewFrequency | How often the token should be auto-renewed | |
| encryption.backend.auth.tokenRenewTTL | How long the renewed token should remain valid | |