4.3
Helm
The official Helm chart is available on GitHub. Documentation and examples follow:
Key | Description | Type | Default | Required |
---|---|---|---|---|
replicaCount | Number of pods/instances to deploy | int | 1 | yes |
image.repository | The Lenses docker image name | string | lensesio/lenses | no |
image.tag | The Lenses docker image tag | string | 4.2 | no |
monitoring.enabled | Set to true to add Prometheus annotations to the pod for metric scraping | boolean | true | no |
monitoring.pipeline | Label to attach to the pods for JMX monitoring | string | lenses | no |
monitoring.port | The port for Prometheus JMX metrics exporter | int | 9102 | no |
monitoring.path | The path that exposes the prometheus metrics | string | /metrics | no |
resources.limits.memory | The k8 resource memory limit for the pod | string | 5Gi | no |
resources.requests.memory | The k8 resource memory request for the pod | string | 4Gi | no |
rbacEnable | If k8 cluster has RBAC enabled, create cluster roles and bindings | boolean | true | no |
restPort | The port for Lenses APIs and UI | int | 3030 | no |
servicePort | The service port | int | 80 | no |
serviceAccount | The k8 service account Lenses will use to deploy resources. It must be patched with the image pull secret for Streaming SQL on K8 | string | default | no |
persistence.enabled | Create a persistence volume claim | boolean | false | no |
persistence.accessModes | The access modes for the persistence volume | list | ReadWriteOnce | yes |
persistence.size | The size of the persistence volume | string | 5Gi | yes |
persistence.existingClaim | If true use your own Persistent volume claim | boolean | false | yes |
persistence.storageClass | If set to ‘-’, storageClassName: "" it disables dynamic provisioning. If undefined or set to null, no storageClassName spec is set and chooses the default provisioner (gp2 on AWS, standard on GKE, Azure, Openstack) | string | | no |
service.enabled | Create a service for Lenses | boolean | true | no |
service.type | K8 service type | string | ClusterIP | no |
service.annotations | Annotations to add to the service | map | {} | no |
ingress.enabled | If true an ingress resource will be created | boolean | false | no |
ingress.host | The host or ip of the external load balancer | string | | yes |
ingress.annotations | The annotations to add to the ingress resource | map | kubernetes.io/ingress.class: traefik | |
ingress.tls.enabled | Enable ingress TLS | boolean | false | no |
ingress.tls.crt | The ingress TLS certificate base64 encoded | base64 | | |
ingress.tls.key | The ingress TLS key base64 encoded | base64 | | no |
lenses.lensesOpts | For additional generic JVM settings | string | | no |
lenses.jvm.heapOpts | Additional JVM heap options for Lenses | string | | no |
lenses.jvm.logBackOpts | Additional Logback options | string | | no |
lenses.jvm.performanceOpts | Additional JVM performance options for Lenses | string | | no |
lenses.opts.trustStoreFileData | The contents of the truststore base64 encoded | base64 | | no |
lenses.opts.trustStorePassword | The truststore password base64 encoded | base64 | | no |
lenses.opts.keyStoreFileData | The contents of the keystore base64 encoded | base64 | | no |
lenses.opts.keyStorePassword | The keystore password base64 encoded | base64 | | no |
lenses.append.conf | Additional custom values will be appended to lenses configuration | string | | no |
lenses.kafka | List of Kafka brokers | string | | yes |
lenses.zookeepers.enabled | Enable Zookeeper connection (optional) | boolean | | no |
lenses.zookeepers | List of Zookeepers | string | | yes |
lenses.schemaRegistries | List of Schema Registries | string | | yes |
lenses.connectClusters | List of Connect Clusters | string | | yes |
lenses.sql | See Streaming SQL options | string | | no |
lenses.grafanaUrl | The url of Grafana | string | | no |
lenses.topics.suffix | Suffix to add to system topics | string | | no |
lenses.security.ldap.enabled | Enable LDAP. Learn more for LDAP | boolean | false | no |
lenses.security.ldap.url | The LDAP url | string | | no |
lenses.security.ldap.base | The LDAP user search base settings | string | | no |
lenses.security.ldap.filter | The LDAP user search filter | string | | no |
lenses.security.ldap.user | The LDAP username | string | | no |
lenses.security.ldap.password | The LDAP password for the above user | string | | no |
lenses.security.ldap.plugin.class | FQDN class for the LDAP plugin | string | | no |
lenses.security.ldap.plugin.memberOfKey | | string | | no |
lenses.security.ldap.plugin.groupExtractRegex | | string | | no |
lenses.security.ldap.plugin.personNameKey | | string | | no |
lenses.security.kerberos.enabled | Flag to enable Kerberos | string | | no |
lenses.security.kerberos.service.principal | The Kerberos principal | string | | no |
lenses.security.kerberos.keyTabData | The Kerberos keytab data | string | | no |
lenses.security.kerberos.debug | Enable Kerberos debug | boolean | | no |
lenses.security.append.conf | Additional custom values will be appended to lenses security configuration | string | | no |
lenses.sidecarContainers | List of sidecar containers (API) | list | | no |
lenses.license | The Lenses license data | string | | no |
lenses.licenseUrl | Url to fetch the license from | string | | no |
lenses.configOverrides | Allows for additional configurations i.e. lenses.interval.summary=1000 | list of dictionaries | | no |
License
Add the contents of the license file under the lenses.license YAML property:
# Add the contents of your license file
lenses:
  license: |-
    {"source":"Lenses.io","clientId":"123ab789-abc..","key":"eyJhb.."}
Bootstrap servers
lenses.brokers contains the broker options. Multiple brokers are supported.
Key | Description | Type | Default | Required |
---|---|---|---|---|
ssl.enabled | SSL is enabled on the brokers | boolean | false | no |
ssl.truststoreFileData | The base64 encoded contents of the truststore | base64 | | no |
ssl.keystoreFileData | The base64 encoded contents of the keystore | base64 | | no |
ssl.truststorePassword | The truststore password | string | | no |
ssl.keystorePassword | The keystore password | string | | no |
sasl.enabled | If SASL is enabled on the brokers | boolean | false | no |
sasl.keyTabData | The base64 encoded contents of the keytab file if SASL is enabled with GSSAPI | base64 | | no |
sasl.jaasFileData | The contents of the jaas.conf file if SASL is enabled | string | | no |
sasl.mechanism | The security.mechanism to use: GSSAPI, SCRAM or PLAINTEXT | string | GSSAPI | no |
sasl.krb5Conf | The contents of the krb5Conf file if the SASL mechanism is GSSAPI | string | | no |
bootstrapServers is a list of brokers, names and ports.
Key | Description | Type | Default | Required |
---|---|---|---|---|
bootstrapServers.name | Host name of the broker | string | | yes |
bootstrapServers.port | The PLAINTEXT default Kafka port | int | 9092 | yes |
bootstrapServers.sslPort | The SSL Kafka port | int | 9093 | yes |
bootstrapServers.saslPort | The SASL_SSL Kafka port | int | 9094 | yes |
bootstrapServers.saslPlainTextPort | The SASL_PLAINTEXT Kafka port | int | 9095 | yes |
metrics is used to monitor the health of your cluster and show metrics and information.
Field | Description | Type | Default | Required |
---|---|---|---|---|
metrics.type | The type of metrics to use: JMX, AWS, JOLOKIAP or JOLOKIAG | string | | no |
metrics.ssl | Enable SSL if metrics type has enabled | boolean | false | no |
metrics.username | The username when metrics are secured | string | | no |
metrics.password | The password when metrics are secured | string | | no |
metrics.port | Default port to monitor for all brokers | int | | no |
metrics.ports | List of port, host and broker ID to override default for particular broker | list | | no |
Example:
lenses:
  kafka:
    ssl:
      enabled: false
      trustStoreFileData:
      keyStoreFileData:
      trustStorePassword:
      keyStorePassword:
      keyPassword:
    sasl:
      enabled: false
      # keyTabData is the base64 encoded contents of the Kerberos keytab file, if using Kerberos, mounted in /mnt/secrets
      keyTabData: |-
      # jaasFileData is the contents of the kafka jaas file mounted in /mnt/secrets
      jaasFileData: |-
      # mechanism is the sasl authentication mechanism GSSAPI, SCRAM or PLAIN
      mechanism: "GSSAPI"
      # krb5Conf is the Kerberos config data to be mounted into /etc
      krb5Conf: |-
    metrics:
      type: "JMX"
      ssl: true
      username: admin
      password: admin
      ports:
        - id: 1
          port: 9581
          host: "host1"
        - id: 2
          port: 9581
          host: "host2"
    bootstrapServers:
      - name: kafka
        port: 9092
        sslPort: 9093
        saslSslPort: 9094
        saslPlainTextPort: 9095
Zookeepers
If you have one or more Zookeeper services, use the lenses.zookeepers.hosts options.
Key | Description | Type | Default | Required |
---|---|---|---|---|
host | The hostname of the Zookeeper instance | string | zookeeper | yes |
port | The port for the zookeeper instance | int | 2181 | yes |
metrics.type | The type of metrics to use: JMX, JOLOKIAP or JOLOKIAG | string | | no |
metrics.ssl | Enable SSL if metrics type has enabled | boolean | false | no |
metrics.username | The username when metrics are secured | string | | no |
metrics.password | The password when metrics are secured | string | | no |
metrics.port | The metrics port for zookeeper | int | | no |
Example:
lenses:
  zookeepers:
    hosts:
      - host: zookeeper-1
        port: 2181
        metrics:
          type: "JMX"
          port: 9102
          username:
          password:
          ssl:
      - host: zookeeper-2
        port: 2181
        metrics:
          type: "JMX"
          port: 9102
          username: admin
          password: admin
          ssl: true
Schema Registries
If you have one or more Schema Registry services, use the lenses.schemaRegistries options.
Key | Description | Type | Default | Required |
---|---|---|---|---|
enabled | Enable schema registry support | boolean | false | no |
host | The host name of the schema registry instance | string | schema-registry | yes |
protocol | The HTTP protocol, http or https | string | http | yes |
port | The port of the schema registry instance | int | 2181 | yes |
metrics.type | The type of metrics to use: JMX, JOLOKIAP or JOLOKIAG | string | | no |
metrics.ssl | Use SSL to fetch metrics | boolean | false | no |
metrics.username | The username when metrics are secured | string | | no |
metrics.password | The password when metrics are secured | string | | no |
metrics.port | The metrics port for Schema Registry | int | | no |
security.enabled | Enable schema registry security support | boolean | false | no |
security.authType | Authentication type: NONE, URL, USER_INFO or SASL_INHERIT | string | | no |
security.username | Authentication username | string | | no |
security.password | Authentication password | string | | no |
security.kerberos.enabled | Enable schema registry Kerberos support | boolean | false | no |
security.kerberos.principal | The principal to use for Kerberos SPNEGO eg. HTTP@myservice | string | false | no |
security.kerberos.keyTabData | The base64 encoded contents of the keytab file if SASL enabled with GSSAPI | base64 | | no |
security.kerberos.jaasFileData | The contents of the jaas.conf file if SASL is enabled | string | | no |
Example:
lenses:
  schemaRegistries:
    enabled: true
    hosts:
      - host: schema-registry-1
        protocol: http
        port: 8081
        metrics:
          type: "JMX"
          port: 9102
          username:
          password:
          ssl:
      - host: schema-registry-2
        protocol: http
        port: 8081
        metrics:
          type: "JMX"
          port: 9102
          username:
          password:
          ssl:
Kafka Connect clusters
If you have one or more Kafka Connect clusters, use the lenses.connectClusters options and define your Connect clusters, providing the cluster name, ports, backing topics and worker hosts.
Key | Description | Type | Default | Required |
---|---|---|---|---|
enabled | Enable Kafka Connect support | boolean | true | yes |
name | The name/alias for the cluster | string | | yes |
hosts | List of connect worker host names | list | | yes |
port | The connect worker rest port | int | 8083 | yes |
protocol | The HTTP protocol, http or https | string | http | yes |
offsetsTopic | The offset backing topic for the cluster | string | connect-offsets | yes |
statusTopic | The statuses backing topic for the cluster | string | connect-statuses | yes |
configsTopic | The configs backing topic for the cluster | string | connect-configs | yes |
authType | The Worker authentication type URL, NONE, SASL_INHERIT or USER_INFO | string | NONE | no |
username | Username to authenticate with the workers | string | | no |
password | Password to authenticate with the workers | string | | no |
metrics.type | The type of metrics to use: JMX, JOLOKIAP or JOLOKIAG | string | | no |
metrics.ssl | Get metrics via SSL | boolean | false | no |
metrics.username | The username when metrics are secured | string | | no |
metrics.password | The password when metrics are secured | string | | no |
metrics.port | The metrics port for the workers | list | | no |
Example:
connectClusters:
  enabled: true
  clusters:
    - name: datascience
      protocol: http
      port: 8083
      jmxPort: 9102
      offsetsTopic: connect-offsets-datascience
      statusTopic: connect-statuses-datascience
      configTopic: connect-configs-datascience
      hosts:
        - host: worker-ds-1
          metrics:
            type: "JMX"
            port: 9102
            username:
            password:
            ssl:
        - host: worker-ds-1
          metrics:
            type: "JMX"
            port: 9102
            username:
            password:
            ssl:
        - host: worker-ds-1
          metrics:
            type: "JMX"
            port: 9102
            username:
            password:
            ssl:
    - name: dataengineering
      protocol: http
      port: 8083
      jmxPort: 9102
      offsetsTopic: connect-offsets-dataengineering
      statusTopic: connect-statuses-dataengineering
      configTopic: connect-configs-dataengineering
      hosts:
        - host: worker-de-1
        - host: worker-de-1
        - host: worker-de-1
      auth: URL
      username: myusername
      password: mypassword
Streaming SQL options
To configure Streaming SQL options for Lenses use the lenses.sql options:
Key | Description | Type | Default | Required |
---|---|---|---|---|
mode | The Streaming SQL scaling mode, IN_PROCESS, CONNECT or KUBERNETES | string | IN_PROCESS | yes |
processorImage | The image to use for Streaming SQL | string | lensesioextra/sql-processor | no |
processorImageTag | The image tag | string | 4.2 | no |
heap | The heap space for the sql processors | string | 900M | no |
memLimit | The Kubernetes memory resource limit for the sql processors | string | 1152M | no |
memRequest | The Kubernetes memory resource request for the sql processors | string | 128M | no |
truststoreFileData | The base64 encoded contents of the truststore | base64 | | no |
keystoreFileData | The base64 encoded contents of the keystore | base64 | | no |
truststorePassword | The truststore password | string | | no |
keystorePassword | The keystore password | string | | no |
enabled | If SASL is enabled on the brokers | boolean | false | no |
keyTabData | The base64 encoded contents of the keytab file if SASL is enabled with GSSAPI | base64 | | no |
jaasFileData | The contents of the jaas.conf file if SASL is enabled | string | | no |
sasl.mechanism | The security.mechanism to use: GSSAPI, SCRAM or PLAINTEXT | string | GSSAPI | no |
sasl.krb5Conf | The contents of the krb5Conf file if the SASL mechanism is GSSAPI | string | | no |
Example:
lenses:
  sql:
    mode: KUBERNETES
    heap: 900M
    memLimit: 1152M
    memRequest: 128M
    ssl:
      trustStoreFileData: |-
      keyStoreFileData: |-
      trustStorePassword:
      keyStorePassword:
      keyPassword:
Lenses HTTPS (TLS)
lenses.tls contains TLS options for configuring Lenses with TLS termination.
Key | Description | Type | Default | Required |
---|---|---|---|---|
lenses.tls.enabled | Enable TLS Termination | boolean | false | no |
lenses.tls.truststoreFileData | The base64 encoded contents of the truststore | base64 | | no |
lenses.tls.keystoreFileData | The base64 encoded contents of the keystore | base64 | | no |
lenses.tls.truststorePassword | The base64 encoded truststore password | base64 | | no |
lenses.tls.keystorePassword | The base64 encoded keystore password | base64 | | no |
lenses.tls.keyPassword | The password for the key within the keystore | base64 | | no |
lenses.tls.clientAuth | Enable client auth via tls | boolean | false | no |
Example:
lenses:
  tls:
    enabled: true
    # base64 encoded keystore data
    # openssl base64 < keystore.jks | tr -d '\n'
    keyStoreFileData: |-
      /u3+7QAAAAIAAAACAAAAAgAGY2Fyb290...==
    # base64 keystore password
    # echo "$password" | tr -d '\n' | base64
    keyStorePassword: |-
      YWRtaW4xMjM0
    # base64 encoded truststore data
    # openssl base64 < truststore.jks | tr -d '\n'
    trustStoreFileData: |-
      /u3+7QAAAAIAAAABAAAAAgAGY2Fyb290...==
    # base64 truststore password
    # echo "$password" | tr -d '\n' | base64
    trustStorePassword: |-
      YWRtaW4xMjM0
    # base64 key password
    # echo "$password" | tr -d '\n' | base64
    keyPassword: |-
      YWRtaW4xMjM0
    clientAuth: false
Single Sign On (SAML 2.0)
Users can authenticate via SSO (Single Sign On) using the SAML 2.0 protocol with one of the supported integrations. To use SSO remember to also enable TLS.
Key | Description | Type |
---|---|---|
lenses.security.saml.enabled | Set true to enable SAML 2.0 | boolean |
lenses.security.saml.baseUrl | The base URL of Lenses | string |
lenses.security.saml.provider | The SAML type: azure, google, keycloak, okta or onelogin | string |
lenses.security.saml.keyStoreFileData | The base64 encoded contents of the keystore | string |
lenses.security.saml.keyStorePassword | The keystore password | string |
lenses.security.saml.keyPassword | The password for the SAML key within the keystore | string |
lenses.security.saml.keyAlias | (Optional) Define which key to use within the keystore. This is only required when the keystore has multiple keys | string |
lenses.security.saml.metadataFileData | The base64 encoded content of the XML file provided by the Identity Provider | string |
Example:
lenses:
  security:
    saml:
      enabled: true
      baseUrl: "https://lenses-prod.eastus2.cloudapp.azure.com"
      provider: "azure"
      keyStoreFileData: |-
        YmFzZTY0IG9mIGtleXN0b3JlIA==
      keyStorePassword: "password"
      keyPassword: "password"
      metadataFileData: |-
        LUlkUCBiYXNlNjQgWE1MIGZpbGUgY29udGVudC0=
Default admin user
The security user contains the default username and password for the super administrator. See how to secure your admin account.
Key | Description | Type | Default | Required |
---|---|---|---|---|
lenses.security.user | Default admin username | string | admin | no |
lenses.security.password | Default admin password | string | admin | no |
Example:
lenses:
  security:
    defaultUser:
      username: admin
      password: admin
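A pre-deployment check for the TLS, SAML, password and protocol settings documented above, as an added example (not part of the Lenses chart or its documentation). It flags SAML enabled without TLS, weak or default passwords (including base64-encoded ones, since base64 is an encoding and gives no confidentiality) and plaintext `http` endpoints. The sample dict is constructed from this page's example keys and values, with TLS switched off to exercise the SAML check; the deny-list and the function names are assumptions.

```python
import base64

# Constructed sample: this page's example values merged into one dict, in the
# shape yaml.safe_load() would return for a values.yaml file.
SAMPLE_VALUES = {
    "lenses": {
        "tls": {"enabled": False, "keyStorePassword": "YWRtaW4xMjM0"},
        "security": {
            "defaultUser": {"username": "admin", "password": "admin"},
            "saml": {"enabled": True, "keyStorePassword": "password"},
        },
        "kafka": {"metrics": {"type": "JMX", "ssl": True,
                              "username": "admin", "password": "admin"}},
        "schemaRegistries": {"enabled": True, "hosts": [
            {"host": "schema-registry-1", "protocol": "http", "port": 8081}]},
    }
}

# Assumed deny-list of guessable passwords; extend it for your environment.
WEAK_PASSWORDS = {"admin", "password", "admin1234", "changeit"}


def decode_if_base64(value):
    """Return the decoded text when value is valid base64, else value itself."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return value


def walk(node, path=""):
    """Yield (dotted.path, leaf) for every leaf of nested dicts and lists."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from walk(child, f"{path}[{index}]")
    else:
        yield path, node


def audit(values):
    """Return human-readable findings for a parsed Lenses values file."""
    findings = []
    lenses = values.get("lenses", {})
    tls_on = bool(lenses.get("tls", {}).get("enabled"))
    saml_on = bool(lenses.get("security", {}).get("saml", {}).get("enabled"))
    if saml_on and not tls_on:  # the page asks for TLS whenever SSO is used
        findings.append("lenses.security.saml.enabled without lenses.tls.enabled")
    for path, leaf in walk(values):
        key = path.rsplit(".", 1)[-1]
        if key.lower().endswith("password") and isinstance(leaf, str) and leaf:
            if leaf in WEAK_PASSWORDS or decode_if_base64(leaf) in WEAK_PASSWORDS:
                findings.append(f"{path}: weak or default password")
        if key == "protocol" and leaf == "http":
            findings.append(f"{path}: plaintext http")
    return findings
```

To run it against a real file, load the file with PyYAML's `yaml.safe_load` and pass the result to `audit`.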
Sidecar containers
With the sidecar containers configuration you may deploy supporting containers, such as data extractors or generators, alongside the Lenses container. You can read more about sidecars.
# Simple example
sidecarContainers:
  - name: sidecar-example
    image: alpine
    command: ["sh", "-c", "watch datetime"]
Running Kafka, ZK, KC on Kubernetes
This allows the pods to have stable network identifiers. Each pod's address should be added as an entry. The address takes the form of:
<statefulset-name>-<pod ordinal identifier>.<servicename>.<namespace>.svc.cluster.local
For example, if using statefulset of replicas called with a headless service the addresses would be:
zookeeper-0.zookeeper.default.svc.cluster.local
zookeeper-1.zookeeper.default.svc.cluster.local
zookeeper-2.zookeeper.default.svc.cluster.local
schema-registry-0.schema.default.svc.cluster.local
schema-registry-1.schema.default.svc.cluster.local
connect-worker-0.connect.default.svc.cluster.local
connect-worker-1.connect.default.svc.cluster.local
If you only have one instance of a service you can set the service name.