ProductsDownload Community Edition

Deploying an Agent

This page describes installing Lenses Agent in Kubernetes via Helm.

Lenses HQ must be installed before setting up an Agent.

Latest Agent container image is here on Docker Hub.

Helm Charts available here.

Run the following commands to add the charts to your Helm repo.

helm repo add lensesio https://helm.repo.lenses.io/
helm repo update

Prerequisites

  • Kubernetes 1.23+

  • Helm 3.8.0+

  • Available local Postgres database instance.

    • If you need to install Postgres on Kubernetes you can use one of many different publicly available Helm charts such as Bitnami's.

    • Or you can use a cloud provider's Postgres service such as one of these: AWS, Azure, or GCP.

    • See Lenses docs here for information on configuring Postgres to work with Agent.

  • Follow these steps to configure your Postgres database for Lenses Agent.

  • External Secrets Operator is the only supported secrets operator.

Configure an Agent

In order to configure an Agent, we have to understand the parameter groups that the Helm Chart offers.

Under the lensesAgent parameter there are some key parameter groups that are used to set up the connection to Lenses HQ:

  1. Storage

  2. HQ connection

  3. Provision

  4. Cluster RBACs

Moving forward, in the same order you can start configuring your Helm chart.

JSON Schema Support

You can use JSON schema support to help you configure the Values files for Helm. See JSON schema for support. Included in the repository is a JSON schema for the Agent Helm chart.

Configuring Agent chart

1

Configure storage (Postgres / H2 - Embedded database)

Postgres database is recommended for Production and Non-production workloads.

H2 embedded database is recommended to Evaluation purposes.

Running Agent with Postgres database

Prerequisite:

  • Running Postgres instance;

  • Created database for an Agent;

  • Username (and password) which has access to the created database;

In order to successfully run HQ, storage is within values.yaml has to be defined first.

The definition of storage object is as follows:

Alongside Postgres password, which can be referenced/created through Helm chart, there are a few more options which can help while setting up HQ.

There are two ways how username can be defined:

The most straightforward way, if the username is not being changed, is by just defining it within the username parameter such as

Password reference types

Postgres password can be handled in three ways using:

  1. Pre-created secret;

  2. Creating secrets on the spot through values.yaml;

Running Agent with H2 embedded database

Embedded database is not recommended to be used in Production or high load environments.

In order to run Agent with H2 embedded database there are few things to be aware about:

  • K8s cluster Agent will be deployed on has to support Persistent Volumes;

  • Postgres options in Helm chart has to be left out.

2

Configure HQ connection (agent key)

Connection to Lenses HQ is a straight forward process which requires two steps:

  1. Creating Environment and obtaining AGENT KEY in HQ as described here, if you already have not done so;

  2. Storing that same key in Vault or as a K8s secret.

The agent communicates with HQ via a secure custom binary protocol channel. To establish this channel and authenticate the Agent needs and AGENT KEY.

Once the AGENT KEY has been copied, store it inside of Vault or any other tool that has integration with Kubernetes secrets.

There are three available options how the agent key can be used:

  1. ExternalSecret via External Secret Operator (ESO)

  2. Pre-created secret

  3. Inline string

To use this option, the External Secret Operator (ESO) has to be installed and available for usage in K8s cluster your are deploying Agent.

When specifying secret.type: "externalSecret", the chart will:

  • create an ExternalSecret in the namespace where Agent is deployed;

  • a secret is mounted for Agent to use.

This secret will be fed into the provisioning.yaml. The HQ connection is specified below, where reference ${LENSESHQ_AGENT_KEY} is being set:

In order to enable TLS for secure communication between HQ and the Agent please refer to the following part of the page.

3

Configure provisioning (Kafka / SchemaRegistry / Kafka Connect)

Provisioning offers various connections starting with:

More about provisioning and more advanced configuration options for each of these components can be found on the following link.

4

Cluster RBACs

The Helm chart creates Cluster roles and bindings, that are used by SQL Processors, if the deployment mode is set to KUBERNETES. They are used so that Lenses can deploy and monitor SQL Processor deployments in namespaces.

To disable the creation of Kubernetes RBAC set: rbacEnabled: false

If you want to limit the permissions the Agent has against your Kubernetes cluster, you can use Role/RoleBinging resources instead. Follow this link in order to enable it.

If you are not using SQL Processors and want to limit permissions given to Agent's ServiceAccount, there are two options you can choose from:

  • rbacEnable: true - will enable the creation of ClusterRole and ClusterRoleBinding for service account mentioned above;

  • rbacEnable: true and namespaceScope: true - will enable the creation of Role and RoleBinding which is more restrictive;

(Optional) Enable TLS connection with HQ

In this case, TLS has to be enabled on HQ. In case you haven't yet enabled it, you can find details here to do it.

Enabling TLS in communication between HQ is being done in the provisioning part of values.yaml.

In order to successfully enable TLS for the Agent you would need to:

  • additionalVolume & additionalVolumeMounts - with which you will mount truststore with CA certificate that HQ is using and which Agent will need to successfully pass the handshake.

  • additionalEnv - which will be used to securely read passwords to unlock truststore.

  • Enable SSL in provision.

(Optional) Services

Enable a service resource in the values.yaml:

(Optional) Controlling resources

To control the resources used by the Agent:

In case LENSES_HEAP_OPTS is not set explicitly it will be set implicitly.

Examples:

  1. if no requests or limits are defined, LENSES_HEAP_OPTS will be set as -Xms1G -Xmx3G

  2. If requests and limits are defined above defined values, LENSES_HEAP_OPTS will be set by formula -Xms[-Xmx / 2] -Xmx[limits.memory - 2]

  3. If .Values.lenses.jvm.heapOpts it will override everything

Enabling SQL processors in K8s mode

To enable SQL processor in KUBERENTES mode and control the defaults:

To control the namespace Lenses can deploy processors, use the sql.namespaces value.

SQL Processor Role Binding

To achieve you need to create a Role and a RoleBinding resource in the namespace you want the processors deployed to.

For example:

  • Lenses namespace = lenses-ns

  • Processor namespace = lenses-proc-ns

Finally you need to define in the Agent configuration which namespaces the Agent has access to. Amend values.yaml to contain the following:

Persistence Volume

Persistence can be enabled for three purposes:

  • Use H2 embedded database

  • Logging

  • Provisioning

  • When using the Data Policies module to persist your data policies rules

  • When lenses.storage.enabled: false and an H2 local filesystem database is used instead of PostgreSQL

  • For non critical and NON PROD deployments

Configuration:

Prometheus metrics

Prometheus metrics are automatically exposed on port 9102 under /metrics.

At this very moment you can scrape it only via Service under port called http-metrics.

lenses.conf

The main configurable options for lenses.conf are available in the values.yaml under the lenses object. These include:

  • Authentication

  • Database connections

  • SQL processor configurations

To apply other static configurations use lenses.append.conf, for example:

Install the Chart

First, add the Helm Chart repository using the Helm command line:

LogoGitHub - lensesio/lenses-helm-charts: Helm Charts for Lenses.ioGitHub

Installing the Agent

Installing using cloned repository:

Installing using Helm repository:

Be aware that for the time being and alpha purposes usage of --version is mandatory when deploying Helm chart through Helm repository.

Example Values files

Be aware that example of values.yaml shows only how all parameters should look at the end. Please fill them with correct values otherwise Helm installation might not be successful.

Example of values.yaml

You can also find examples in the Helm chart repo.

PreviousDeploying HQNextDocker

Last updated

Was this helpful?