To use this option, the External Secrets Operator (ESO) has to be installed and available in the K8s cluster where you are deploying HQ.
When specifying passwordSecret.type: "externalSecret", the chart will:
create an ExternalSecret in the namespace where HQ is deployed;
mount the resulting secret for HQ to use.
values.yaml
lensesHq:
  storage:
    postgres:
      enabled: true
      host: postgres-postgresql.playground.svc.cluster.local
      port: 5432
      username: lenses
      database: lenseshq
      passwordSecret:
        type: "externalSecret"
        # Secret name where database password will be read from
        name: hq-password
        # Key name under secret where database password is stored
        key: password
        externalSecret:
          additionalSpecs: {}
          secretStoreRef:
            type: # SecretStore | ClusterSecretStore
            name: secretstore-secrets
Make sure that the secret you are going to use already exists in the namespace where HQ will be installed.
values.yaml
lensesHq:
  storage:
    postgres:
      enabled: true
      host: postgres-postgresql.playground.svc.cluster.local
      port: 5432
      username: lenses
      database: lenseshq
      passwordSecret:
        type: "precreated"
        # Secret name where database password will be read from
        name: hq-password
        # Key from secret's data where database password is being stored
        key: postgres-password
This option is NOT for PRODUCTION usage but rather just for demo / testing.
The chart will create a secret with the values defined below, and that same secret will be read by HQ in order to connect to Postgres.
values.yaml
lensesHq:
  storage:
    postgres:
      enabled: true
      host: [POSTGRES_HOSTNAME]
      port: 5432
      username: lenses
      database: lenseshq
      passwordSecret:
        type: "createNew"
        # name of a secret that will be created
        name: [K8s_SECRET_NAME]
        # Database password
        password: [DATABASE_USER_PASSWORD]
Advanced Postgres settings
Sometimes special parameters are needed to form a correct connection URI. To do so, you can set extra settings using params.
SAML / SSO is available only with an Enterprise license.
The second prerequisite to successfully run HQ is setting up initial authentication.
You can choose between:
password-based authentication, which requires users to provide a username and password;
and SAML/SSO (Single Sign-On) authentication, which allows users to authenticate through an external identity provider for a seamless and secure login experience.
The first property to cover is users. It is defined as an array, where each entry includes a username and a password. Passwords must be hashed with bcrypt before being placed in the password property, so that no plaintext credential is stored in the values file.
The second is administrators. It defines the list of user emails that are granted the highest level of permissions upon authentication to HQ.
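As an added pre-commit check, not code from the chart or its documentation: a small Python lint over the users and administrators arrays described above, which rejects a values file where a password is not a bcrypt hash (or uses a weak work factor) or an administrator entry is not an email address. The users/administrators key names follow the page; the sample data, the minimum cost threshold and the hash_password helper are assumptions.

```python
import re

# Constructed sample of the auth block discussed above. The hash is the widely
# published bcrypt example hash of the string "password" (cost 12): a format
# sample, not a credential. bob's entry is a plaintext password that must fail.
SAMPLE_USERS = [
    {"username": "alice",
     "password": "$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"},
    {"username": "bob", "password": "Sup3rSecret!"},
]
SAMPLE_ADMINS = ["alice@example.com", "not-an-email"]

# Modular-crypt bcrypt layout: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_bcrypt_hash(value: str, min_cost: int = 10) -> bool:
    """True if value is a well-formed bcrypt string with an acceptable work factor (assumed minimum 10)."""
    m = BCRYPT_RE.match(value or "")
    return bool(m) and int(m.group(1)) >= min_cost


def lint_auth(users, administrators) -> list:
    """Return human-readable findings; an empty list means the block is safe to commit."""
    findings = []
    seen = set()
    for i, u in enumerate(users):
        name = u.get("username")
        if not name:
            findings.append(f"users[{i}]: missing username")
        elif name in seen:
            findings.append(f"users[{i}]: duplicate username {name!r}")
        seen.add(name)
        if not is_bcrypt_hash(u.get("password", "")):
            findings.append(f"users[{i}] ({name}): password is not a bcrypt hash")
    for a in administrators:
        if not EMAIL_RE.match(a):
            findings.append(f"administrators: {a!r} is not an email address")
    return findings


def hash_password(plaintext: str, cost: int = 12) -> str:
    """Produce a value for the password property; needs the third-party `bcrypt` package."""
    import bcrypt
    return bcrypt.hashpw(plaintext.encode("utf-8"), bcrypt.gensalt(cost)).decode("ascii")


if __name__ == "__main__":
    for line in lint_auth(SAMPLE_USERS, SAMPLE_ADMINS):
        print("FAIL:", line)
```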
The third attribute is the saml.metadata field, needed for setting up SAML / SSO authentication. For this step you will need a metadata.xml file, which can be set in two ways:
Referencing the metadata.xml file through a pre-created secret;
The third prerequisite to successfully run HQ is the http definition. As previously mentioned, this parameter defines everything around the HTTP endpoint of HQ itself and how users will interact with it.
The second part of the HTTP definition is enabling TLS and the TLS definition itself. The same way of configuring TLS described for lensesHq.agents.tls can be used for the lensesHq.http.tls definition as well.
Configure agents connection endpoint
After correctly configuring the authentication strategy and connection endpoint, agent handling is the last important box to tick.
The Agent's object is defined as follows:
lensesHq:
  agents:
    # which port to listen on for agent requests
    address: ":10000"
    tls:
      enabled: false
      verboseLogs: false
      cert:
      privateKey:
Enabling TLS
By default, TLS for the communication between Agents and HQ is disabled. If the requirement is to enable it, the following has to be set:
lensesHq.agents.tls - certificates to manage the connection between HQ and the Agents
lensesHq.http.tls - certificates to manage the connection with HQ's API
Unlike private keys, which can be referenced and obtained only through a secret, certificates can be referenced directly in the values.yaml file as a string or as a secret.
Metrics are optionally available in a Prometheus format and by default served on port 9090.
The port can be changed in the following way:
values.yaml
lensesHq:
  metrics:
    prometheusAddress: ":9090"
(Optional) Configure Ingress & Services
Whilst the chart supports setting TLS on Lenses HQ itself, we recommend placing it on the Ingress resource.
Ingress and service resources are optionally supported.
The http ingress is intended only for HTTP/S traffic, while the agents ingress is designed specifically for TCP protocol. Ensure appropriate ingress configuration for your use case.
Enable an Ingress resource in the values.yaml:
values.yaml
ingress:
  http:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    host: example.com
    ingressClassName: ""
    tls:
      enabled: false
      # The TLS secret must contain keys named tls.crt and tls.key that contain the certificate and private key to use for TLS.
      secretName: ""
  agent:
    enabled: true
    agentIngressConfig:
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: agents
      spec:
        entryPoints:
          - agents
        routes:
          - match: HostSNI(`example.com`) # HostSNI to match TLS for TCP
            services:
              - name: lenses-hq # Replace with your service name
                port: 10000 # Agent default TCP port
        tls: {}