ProductsDownload Community Edition

Deploying HQ

This page describes installing Lenses HQ in Kubernetes via Helm.

Lenses HQ is prerequisite for installation of Lenses Agent

Latest images:

Latest HQ image available here from Docker Hub.

Latest Lenses CLI as tarball or as a container.

Prerequisites

  • Kubernetes 1.23+

  • Helm 3.8.0+

  • Available local Postgres database instance:

    • If you need to install Postgres on Kubernetes you can use one of the many publicly available Helm charts such as Bitnami's.

    • Or you can use one of the cloud provider's Postgres services such as one of these: AWS, Azure, or GCP.

    • See Lenses docs here for information on configuring Postgres to work with HQ .

    • username (and password) that has access to HQ database;

  • External Secrets Operator is the only supported secrets operator.

Configure HQ

To configure Lenses HQ properly we have to understand the parameter groups that the Chart offers.

Under the lensesHq parameter there are some key parameter groups that are used to set up HQ:

  1. storage

    • definition of connection towards database (Postgres is the only storage option)

  2. auth

    • Password based authentication configuration

    • SAML / SSO configuration

    • definition of administrators or first users to access the HQ

  3. http

    • defines port under which HQ will be available for end users

    • defines values of special headers and cookies

    • types of connection such as TLS and non-TLS definitions

  4. agents

    • defines connection between HQ and the Agent such as port where HQ will be listening for agent connections.

    • types of connection such as TLS and non-TLS definitions

  5. license

  6. monitoring

    • controls the metrics settings where Prometheus alike metrics will be exposed

  7. loggers

    • definition of logging level for HQ

Moving forward, in the same order you can start configuring your Helm chart.

1

Configure storage (Postgres)

Postgres is the only available storage option.

Prerequisite:

  • Running Postgres instance;

  • Created database for HQ;

  • Username (and password) which has access to the created database;

In order to successfully run HQ, storage within values.yaml has to be defined first.

Definition of storage object is as follows:

Alongside Postgres password, which can be referenced / created through Helm chart, there are few more options which can help while setting up HQ.

Username reference types

There are two ways how username can be defined:

The most straightforward way, if the username is not being changed, is by just defining it within the username parameter such as

Password reference types

Postgres password can be handled in three ways using:

  1. External Secret via ExternalSecretOperator;

  2. Pre-created secret;

  3. Creating secret on the spot through values.yaml;

To use this option, the External Secret Operator (ESO) has to be installed and available for usage in K8s cluster your are deploying HQ.

When specifying passwordSecret.type: "externalSecret", the chart will:

  • create an ExternalSecret in the namespace where HQ is deployed;

  • a secret is mounted for HQ to use.

Advanced Postgres settings

Sometimes to form the correct connection URI special parameters are needed. You can set the extra settings using params.

Example:

2

Configure AUTH endpoint

SAML / SSO is available only with Enterprise license.

The second pre-requirement to successfully run HQ is setting initial authentication.

You can choose between:

  • password-based authentication, which requires users to provide a username and password;

  • and SAML/SSO (Single Sign-On) authentication, which allows users to authenticate through an external identity provider for a seamless and secure login experience.

Assertion Consumer Service endpoint is following

The definition of auth object is as follows:

First to cover is the users property. Users Property: The users property is defined as an array, where each entry includes a username and a password. Passwords must be hashed using bcrypt before being placed within the password property, for security purposes, ensuring that they are stored correctly and securely.

Second, to cover will be administrators. It serves as the definition of user emails have the highest level of permissions upon authentication to HQ.

Third attribute is saml.metadata field, needed for setting SAML / SSO authentication. In this step, you will need metadata.xml file which can be set in two ways:

  1. Referencing metadata.xml file through pre-created secret;

  2. Placing metadata.xml contents inline as a string.

In case SAML IdP requires certificate verification, same can be enabled and provided in the following way:

3

Configure HTTP endpoint

The third pre-requirement to successfully run HQ is the http definition. As previously mentioned, this parameter defines everything around the HTTP endpoint of the HQ itself and how users will interact with it.

Definition of HTTP object is as follows:

Second part of HTTP definition would be enabling TLS and TLS definition itself. As previously defined for lensesHq.agents.tls same way of configuring TLS can be used for lensesHq.http.tls definition as well.

4

Configure agent's connection endpoint

After correctly configuring the authentication strategy and connection endpoint, the agent handling is the last most important box to tick.

The Agent's object is defined as follows:

Enabling TLS

By default TLS for the communication between Agent and HQ is disabled. In case the requirement is to enable it, fthe ollowing has to be set:

  • lensesHq.agents.tls - certificates to manage the connection between HQ and the Agents

  • lensesHq.http.tls- certificates to manage connection with HQ's API

Unlike private keys which can be referenced and obtained only through a secret, Certificates can be referenced directly in values.yaml file as a string or as a secret.

5

Configure license

In demo purposes and testing the product you can use our community license

License can be read in multiple ways:

  • from a pre-created secret

  • directly as a string defined in values.yaml file

6

Configure metrics endpoint

Metrics are optionally available in a Prometheus format and by default served on port 9090.

The port can be changed in the following way:

(Optional) Configure Ingress & Services

Whilst the chart supports setting TLS on Lenses HQ itself we recommend placing it on the Ingress resource

Ingress and service resources are optionally supported.

The http ingress is intended only for HTTP/S traffic, while the agents ingress is designed specifically for TCP protocol. Ensure appropriate ingress configuration for your use case.

Enable an Ingress resource in the values.yaml:

Enable a service resource in the values.yaml:

(Optional) Configure Service Accounts

Lenses HQ, by default, uses the default Kubernetes service account but you can choose to use a specific one.

If the user defines the following:

The chart will create a new service account in the defined namespace for HQ to use.

(Optional) Enable RBAC

There are two options you can choose between:

  1. rbacEnable: true - will enable the creation of ClusterRole and ClusterRoleBinding for the service account mentioned in the snippet above\

  2. rbacEnable: true and namespaceScope: true - will enable the creation of Role and RoleBinding which is more restrictive.

Configure logging

There are different logging modes and levels that can be adjusted.

Add chart repository

First, add the Helm Chart repository using the Helm command line:

LogoGitHub - lensesio/lenses-helm-charts at release/6.0GitHub

Installing HQ

Be aware that for the time being and for alpha purposes usage of --versionis mandatory when deploying Helm chart through Helm repository.

Example Values files

Be aware that example of values.yaml shows only how all parameters should look at the end. Please fill them with correct values otherwise Helm installation might not be successful.

Example of values.yaml

More about default values for Lenses HQ Helm Chart can be found in values.yaml. An example is below:

What's next?

After the successful configuration and installation of HQ, the next steps would be:

  1. Deploying and Agent

  2. Configuring IAM roles / groups / policies

PreviousKubernetes - HelmNextDeploying an Agent

Last updated

Was this helpful?