With the new version of HQ, we are introducing a licence. Every customer will receive a licence separately.
An additional field, acceptEULA, has been introduced as well. It must be accepted, otherwise HQ will fail on startup.
values.yaml
license:
  # -- (string) Enables usage of secret for licence.
  # **Required: false**
  referenceFromSecret: false
  # -- (string) Secret name where licence is stored.
  # **Required: false**
  secretName: ""
  # -- (string) Key within the secret where the licence is stored.
  # **Required: false**
  secretKeyName: ""
  # Marks the end-user license agreement (EULA) as accepted.
  acceptEULA: true
values.yaml
license:
  stringData: ""
  acceptEULA: true
New authentication method (Password based)
In the new release, password-based authentication has been introduced as an optional method alongside SAML / SSO.
lensesHq_auth:
  # -- Adds users for password based auth
  # **Required: false**
  users:
    - username: admin
      # bcrypt("changeme").
      password: $2a$12$dTSwP3jgCQPoBNDYXNoLy.6l7fMcHYgonl0u8GYCOrkfGM4a.8jze
The existing saml property now has a new field, saml.enabled, which either enables or disables SAML / SSO.
In previous versions, SAML / SSO was a mandatory requirement for authentication. However, with the new release, it becomes optional, allowing you to choose between password-based authentication and SAML / SSO according to your needs.
Existing alpha users will have to add the lensesHq.saml.enabled property to their values.yaml files.
In this release, the ingress configuration has been enhanced to provide more flexibility.
Previously, the HQ chart supported a single ingress setting, but now you can define separate ingress configurations for HTTP and the agent.
This addition allows you to tailor ingress rules more specifically to your deployment needs, with dedicated rules for handling HTTP traffic and TCP-based agent connections.
The http ingress is intended only for HTTP/S traffic, while the agent ingress is designed specifically for the TCP protocol. Ensure appropriate ingress configuration for your use case.
In the following example you will notice how the ingress configuration has been broken into:
http - covers the main ingress for HQ, through which users access the HQ portal
agent - a new, additional ingress that lets you define an ingress with your own custom implementation, whether it is based on Traefik or anything else.
By default, both the http and agent ingresses are disabled.
values.yaml
ingress:
  http:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    host: example.com
  agent:
    enabled: true
    agentIngressConfig:
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: agents
      spec:
        entryPoints:
          - agents
        routes:
          - match: HostSNI(`example.com`) # HostSNI to match TLS for TCP
            services:
              - name: lenses-hq # Replace with your service name
                port: 10000 # Agent default TCP port
        tls: {}
Agent
Due to changes in the provisioning structure, the database to which the agent is connected must be recreated.
Changes in provisioning connection to HQ
In the provisioning, the naming of the connection to HQ has been slightly adjusted.
Changes:
grpcServer has been renamed to lensesHq
apiKey has been renamed to agentKey
values.yaml
lenses:
  provision:
    enabled: true
    version: "2"
    path: /mnt/provision-secrets
    connections:
      grpcServer: # Property that has changed
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            apiKey: # Property that has changed
              value: ${LENSESHQ_AGENT_KEY}
With the new version of the Agent, the HQ connection in provisioning has changed, which requires complete recreation of the database. The following log message indicates this:
liquibase.exception.ValidationFailedException: Validation Failed:
  1 change sets check sum
    io/lenses/store/jdbc/migration/6.0.0/02_new_template_data.xml::2::lenses was: 8:357e3bd4e93a5cc938420eb2521c4b7c but is now: 8:03dad3472f5facacdd10a985e5e02da3
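A pre-deployment check for the password-auth users and the renamed provisioning keys described above, as an added example that is not part of the Lenses chart or its tooling. It takes the already-parsed `users` list and `connections` mapping (loaded with any YAML parser); the function names, the cost floor of 12 and the rule that the agent key stays a `${ENV_VAR}` reference are assumptions of this example.

```python
import re

# Sample hash printed on this page, bcrypt("changeme"): must never be deployed.
DOC_SAMPLE_HASH = "$2a$12$dTSwP3jgCQPoBNDYXNoLy.6l7fMcHYgonl0u8GYCOrkfGM4a.8jze"
# bcrypt modular-crypt string: version, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
ENV_REF_RE = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")
MIN_COST = 12  # assumption: the cost factor of the page's sample hash, used as a floor


def audit_users(users):
    """Check the password-auth `users` list; returns a list of findings."""
    findings = []
    for user in users:
        name = user.get("username", "<unnamed>")
        pw = str(user.get("password", ""))
        match = BCRYPT_RE.match(pw)
        if pw == DOC_SAMPLE_HASH:
            findings.append(f"{name}: documentation sample hash (password 'changeme')")
        elif match is None:
            findings.append(f"{name}: password is not a bcrypt hash")
        elif int(match.group(1)) < MIN_COST:
            findings.append(f"{name}: bcrypt cost {match.group(1)} is below {MIN_COST}")
    return findings


def audit_connections(connections):
    """Check provisioning `connections` for the grpcServer/apiKey renames."""
    findings = []
    if "grpcServer" in connections:
        findings.append("connections.grpcServer must be renamed to lensesHq")
    entries = connections.get("lensesHq", []) + connections.get("grpcServer", [])
    for entry in entries:
        name = entry.get("name", "<unnamed>")
        cfg = entry.get("configuration", {})
        if "apiKey" in cfg:
            findings.append(f"{name}: apiKey must be renamed to agentKey")
        key = cfg.get("agentKey") or cfg.get("apiKey") or {}
        # Assumption: the key should stay an env reference, as in the page's example.
        if not ENV_REF_RE.match(str(key.get("value", ""))):
            findings.append(f"{name}: agent key is not a ${{ENV_VAR}} reference")
    return findings
```

Both functions return an empty list when nothing needs attention, so they can gate a CI step before `helm upgrade`.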