6.0 Preview

New

Lenses 6.0 introduces a new service, called HQ, acting as portal for multi-kafka environments.

• New HQ service

• IAM (Identity & Access Management). This has moved from each Lenses instant to a global location in the new HQ service

• Global SQL Studio

• Global Data Catalogue

• Community License: You can now use Lenses without a license (community license key is bundled in the docker-compose) or expiry but the following restrictions apply:

  • No SSO

  • Maximum of two environments (Kafka clusters) can be connected

  • Two Users with one an admin user

  • Two Service Accounts

  • Two Groups

  • Two Roles

  • No Backup / Restore for topics to S3

Breaking

1. H2 embedded database is no longer support.

2. Lenses 5.x permission model is replaced by global IAM. You must recreate the roles and groups in HQ

3. Connection management in the agent is via file Provisioning only.

Packages

• We have made new alpha release 20:

  • Agent image:

    • Copy

      lensting/lenses-agent:6.0.0-alpha.6

  • HQ image:

    • Copy

      lensting/lenses-hq:6.0.0-alpha.20

  • HQ CLI image

    • Copy

      lensting/lenses-cli:6.0.0-alpha.20

• New Helm version 20 for agent and for the HQ:

• Archive installation:

HQ Changelog

Small bugfixes

• Service account annotations were wrongly referenced and were not taking into account upon creation of a new service account

• In case authenSignReq was enabled and secrets were not placed it would create environment variable with null values - now it skips creation of environment variables

Agent changelog

Improvements

• External secret supports now:

  • Changeable External Secret Store type: SecretStore | ClusterSecretStore hq:

    values.yaml

    Copy

    lensesAgent:  
      hq:
        agentKey:
          secret:
            type: "externalSecret"
            # Secret name where agentKey will be read from
            name: hq-password
            # Key name under secret where agentKey is stored
            key: key
            externalSecret:
              secretStoreRef:
                type: ClusterSecretStore # ClusterSecretStore | SecretStore
                name: [secretstore_name]

  • additionalSpecs

    values.yaml

    Copy

    lensesHq:
      storage:
        postgres:
          enabled: true
          host: postgres-postgresql.hq-agent-test.svc.cluster.local
          port: 5432
          username: postgres
          database: hq
          passwordSecret:
            type: "externalSecret"
            name: postgres-aurora
            key:  password
            externalSecret:
              additionalSpecs:
                refreshInterval: 12h
              secretStoreRef:
                  type: ClusterSecretStore
                  name: enjoy3-secrets

Small bugfixes

• Service account annotations were wrongly referenced and were not taking into account upon creation of a new service account

HQ

New features

1. Control how you map SSO groups (including underscores!)

You can freely map a Group to any SSO group including any characters in the name.

• Before, a Group was mapped to SSO via its resource-name . That was limiting you to SSO groups with only characters and -dashes.

• Now 2 things happen:

  • By default, the SSO name is the Group name (not the resource-name). This is most of the time what you'd expect.

  • For the special cases when your SSO name is something specific or cryptic (e.g. a UUID) you can override the mapping by setting the SSO mapping nameto anything you want.

2. IAM: permissions for global topic rules

Before, you could set configuration rules for your topics for each of your environments. E.g. enforce topic naming conventions (only dashes) or a maximum number of partitions.

Now, you can control who can access and set these rules with IAM permissions.

The resource type is governance:rule.

Here's an example for read/write access to this rules for environment eu-stg-env:

- effect: allow
  action: 
    - governance:GetRuleDetails
    - governance:UpdateRule
  resource: governance:request:eu-stg-env/*

Find more information in the IAM section.

3. Global SQL Studio: see execution details

See what's happening under the hood of your SQL queries. Learn about your query's performance:

• Which partitions were read and how much of them.

• How many records were scanned, skipped and offered as results.

• Timing and size.

• Configuration details that you can tweak.

4. Global SQL Studio: see bad records

The Global SQL Studio will now show you any bad records it cannot understand. These records may be of incorrect formats (e.g. String in an AVRO topic) or have invalid schemas.

Improvements

• IAM permissions editor: improved IntelliSense

  • For a more IDE-like experience. Get tab completion specific to each segment that you're working on.

• Global SQL Studio: improved performance.

Fixes

• SSO: fixed offboarding SSO users. When a user has no SSO groups that map to Lenses, Lenses ensures that the user also has no Lenses groups. This is useful when offboarding users to ensure that they won't have Lenses access.

• Global SQL Studio: fixed syntax highlighting.

Packages

• We have made new alpha release 19:

  • Agent image:

    • Copy

      lensting/lenses-agent:6.0.0-alpha.5

  • HQ image:

    • Copy

      lensting/lenses-hq:6.0.0-alpha.19

  • HQ CLI image

    • Copy

      lensting/lenses-cli:6.0.0-alpha.19

• New Helm version 19 for agent and for the HQ: https://lenses.jfrog.io/ui/native/helm-charts-preview/

HQ Changelog

Added support for certificate / signature verification

In case SAML IdP requires certificate verification, same can be now provided.

lensesHq:
  auth:
    saml:
      authnRequestSignature:
        enabled: false
        authnRequestSigningCert:
          referenceFromSecret: true
          secretName: hq-agent-test-authority
          secretKeyName: hq-tls-test.crt.pem
        authnRequestSigningKey:
          secret:
            name: saml-test
            key: privatekey.key

lensesHq:
  auth:
    saml:
      authnRequestSignature:
        enabled: false
        authnRequestSigningCert:
          stringData: |
            -----BEGIN CERTIFICATE-----
            ....
            -----END CERTIFICATE-----
        authnRequestSigningKey:
          secret:
            name: saml-test
            key: privatekey.key

Small bugfixes

• HQ on AutnRequest does not send self-signed certificate to avoid validation issues

Packages

• We have made new alpha release 18:

  • Agent image:

    • Copy

      lensting/lenses-agent:6.0.0-alpha.4

  • HQ image:

    • Copy

      lensting/lenses-hq:6.0.0-alpha.18

  • HQ CLI image

    • Copy

      lensting/lenses-cli:6.0.0-alpha.18

• New Helm version 18 for agent and for the HQ: https://lenses.jfrog.io/ui/native/helm-charts-preview/

HQ

New features

• Agent Metrics are available in overview screen

• Introduction of Lenses Resource name in the HQ screens

• Added Role description

Improvements

• "Roles" panel improved by getting right side panel, detailed view

• Dark mode coloring improved

Fixes

• Authentication error flashing

Agent

New features

• Introduction of Lenses Resource name key resources like: topic, consumers, schemas

• Added "Admin Overview" in the Agent menu

Improvements

Fixes

• Fixed bad records view

HQ

New features

• Permissions IntelliSense
• New admin permissions to control who can access Lenses Logs

name: nologs
policy:
  - action: administration:GetLensesLogs
    resource: administration:lenses-logs:*
    effect: deny

• SQL Studio redesigned view

  • scanned partitions progress

  • additional statistics

  • split tab left and right for SQL queries to compare data.

Improvements

• Policy changes are now effective as soon as they are saved, re-login is not necessary anymore

HQ Changelog

Support for ESO SecretStore

In the past only ClusterSecretStore when handling external secret was support. With a new version you can choose to pick either ClusterSecretStore or a SecretStore when creating external secret.

lensesHq:
  storage:
    postgres:
      enabled: true
      host: postgres.host.url
      port: 5432
      username: postgres
      database: hq
      passwordSecret:
        type: "externalSecret"
        name: postgres
        key:  password
        externalSecret:
          secretStoreRef:
              type: ClusterSecretStore
              name: css-secrets

lensesHq:  
  storage:
    postgres:
      enabled: true
      host: postgres.host.url
      port: 5432
      username: postgres
      database: hq
      passwordSecret:
        type: "externalSecret"
        name: postgres
        key:  password
        externalSecret:
          secretStoreRef:
              type: SecretStore
              name: ss-secrets

ESO additional specs

New property has been added to external secret template called additionalSpecs where you can add or change any of the specs that would normally be added in ExternalSecret resource.

Example:

lensesHq:  
  storage:
    postgres:
      enabled: true
      host: postgres.host.url
      port: 5432
      username: postgres
      database: hq
      passwordSecret:
        type: "externalSecret"
        name: postgres
        key:  password
        externalSecret:
          additionalSpecs:
            refreshInterval: 12h
          secretStoreRef:
              type: ClusterSecretStore
              name: css-secrets

Small bugfixes

• lensesHq.http.tls property was referencing wrong properties within defined values.yaml

HQ

New features

• LRN UX for HQ IAM.

  • See & copy the LRN of an IAM resource (User, Group, Service Account, Role).

  • LRN is also an available column in all IAM listing pages. You can enable it in the column selector of the table.

• Environments + metrics columns.

• Tables UX update: powerful grid

  • Multi sort

  • Reorder of columns + column selection

  • Filters

  • Preferences are saved for the user

  • CLI

    • Provide shell completion for agent --env flag

Improvements

• IAM - Updated permissions syntax.

  • Renaming. Some services and resources have been renamed. This is to simplify and make the IAM model more consistent. You can find the latest spec here. You may need to adjust your policy YAML definitions. Reach out to us if you need help.

  • Prefix/infix wildcard support. You can now use * in a prefix or infix position for resource-id path segments. Use this to express things like "environments that end in -dev" (*-dev) or "topics whose name starts with fraud and ends with analytics" (fraud*analytics).

• Improved Global SQL studio UX

  • Topic navigator IDE experience.

  • See latest topic messages by default, ordered by time, with latest messages 1st.

• Dark mode for sign-in page

Fixes

• User Profile page now correctly save changes.

Agent

New features

• Expose Agent dashboard metrics via API.

Improvements

• Improved Agent-level navigation bar.

Fixes

Packages

• We have made new alpha release 17:

  • Agent image:

    • Copy

      lensting/lenses-agent:6.0.0-alpha.3

  • HQ image:

    • Copy

      lensting/lenses-hq:6.0.0-alpha.17

  • HQ CLI image

    • Copy

      lensting/lenses-cli:6.0.0-alpha.17

• New Helm version 17 for agent and for the HQ:

HQ Changelog

Support for additional environment variables

When working on software projects, there often arises a need to create additional environment variables for various purposes. One common scenario for this is when users need to securely handle sensitive information, such as passwords or API keys. By storing a user password in a secret, the system ensures that such sensitive information is not exposed to unauthorized access, and this practice offers enhanced security.

lensesHq:
  # Additional env variables appended to deployment
  # Follows the format of [EnvVar spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#envvar-v1-core)
  additionalEnv:
    - name: ADMIN_USER
      valueFrom:
        secretKeyRef:
          name: multi-credentials-secret
          key: user1-username
    - name: ADMIN_USER_PWD
      valueFrom:
        secretKeyRef:
          name: multi-credentials-secret
          key: user1-password

lensesHq:
  auth:
    users:
      - username: $(ADMIN_USER)
        password: $(ADMIN_USER_PWD)
  additionalEnv:
    - name: ADMIN_USER
      valueFrom:
        secretKeyRef:
          name: multi-credentials-secret
          key: user1-username
    - name: ADMIN_USER_PWD
      valueFrom:
        secretKeyRef:
          name: multi-credentials-secret
          key: user1-password

Rest port consolidation

Property restPorthas been removed and replaced by lensesHq.http.address

Small bugfixes

Agent changelog

Syntax changes

In the provisioning, there has been slight adjustment in the parent agent configuration parameter.

Changes:

• lenses has been renamed to lensesAgent

lenses:
  provision:
    enabled: true
    version: "2"
    path: /mnt/provision-secrets
    connections:
      grpcServer:     # Property that has changed
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            apiKey:     # Property that has changed
              value: ${LENSESHQ_AGENT_KEY}

lensesAgent:   # Renamed property
  provision:
    path: /mnt/provision-secrets
    connections:
      lensesHq:
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            agentKey:   
              value: ${LENSESHQ_AGENT_KEY}

Provisioning changes

As provisioning with the latest version (2) is mandatory for successful running of the agent, both configs are removed.

lensesAgent:   # Renamed property
  provision:
    path: /mnt/provision-secrets
    connections:
      lensesHq:
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            agentKey:   
              value: ${LENSESHQ_AGENT_KEY}

Removal of H2 database support

In the the past it was possible to use H2 database which would be instantly deployed and ready to use alongside the agent.

Due to certain performance limitations which come with H2 database which can impact the agent functionality, we decided to completely remove H2 support.

However, persistence parameter still remains and can be used to enable extra volume creation dedicated specifically just logs.

persistence:
  log:
    # -- (boolean) Extra volume creation dedicated for logs.
    # @section -- Persistence scope values
    enabled: true
    # -- (boolean) Annotations dedicated for logs.
    # @section -- Persistence scope values
    annotations: {}
    # -- (list) Access mode rights for created persistence volumes.
    # @section -- Persistence scope values
    accessModes:
      - ReadWriteOnce
    # -- (string) Size of persistence that will be created.
    # @section -- Persistence scope values
    size: 5Gi

Packages

• We have made new alpha release 16:

  • Agent image:

    • Copy

      public.ecr.aws/q8a6e1s5/public-agent:v6.0.0-alpha.1-8-g22f83c3e4

    • Copy

      lenses/public-agent:v6.0.0-alpha.1-8-g22f83c3e4

  • HQ image:

    • Copy

      public.ecr.aws/q8a6e1s5/public-hq:v6.0.0-alpha.16

    • Copy

      lenses/public-hq:v6.0.0-alpha.16

• New Helm version 16 for agent and for the HQ: https://lenses.jfrog.io/ui/native/helm-charts-preview/

HQ Changelog

license:
  # -- (string) Enables usage of secret for licence.
  # **Required: false**
  referenceFromSecret: false
  # -- (string) Secret name where licence is stored.
  # **Required: false**
  secretName: ""
  # -- (string) Secret key where within a secret where licence is sotred.
  # **Required: false**
  secretKeyName: ""
  # Marks the end-user license agreement (EULA) as accepted.
  acceptEULA: true

license:
  stringData: ""
  acceptEULA: true

lensesHq_
  auth:
    # -- Adds uses for password based auth
    # **Required: false**
    users:
      - username: admin
        # bcrypt("changeme").
        password: $2a$12$dTSwP3jgCQPoBNDYXNoLy.6l7fMcHYgonl0u8GYCOrkfGM4a.8jze

lensesHq:
  auth:
    saml:
      # -- Enables SAML / SSO authentication
      # **Required: true**
      enabled: false

lensesHq:
  auth:
    administrators:
      - admin@example.com
      - admin
    users:
      - username: admin
        # bcrypt("admin").
        password: $2a$10$DPQYpxj4Y2iTWeuF1n.ItewXnbYXh5/E9lQwDJ/cI/.gBboW2Hodm
    sessionDuration: "23h"
    saml:
      enabled: true
      baseURL: "https://your.hq.url"
      entityID: "https://your.hq.url"
      # -- Example: <?xml version="1.0" ... (big blob of xml) </md:EntityDescriptor>
      metadata:
        referenceFromSecret: true
        secretName: hq-saml-metadata
        secretKeyName: metadata.xml

lensesHq:
  auth:
    saml:
      # -- Enables SAML / SSO authentication
      # **Required: true**
      enabled: false

ingress:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: common-traefik-basic-auth@kubernetescrd
  enabled: true
  host: example.com

ingress:
  http:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    host: example.com

  agent:
    enabled: true
    agentIngressConfig:
      apiVersion: traefik.containo.us/v1alpha1
      kind: IngressRouteTCP
      metadata:
        name: agents
      spec:
        entryPoints:
          - agents
        routes:
          - match: HostSNI(`example.com`)  # HostSNI to match TLS for TCP
            services:
              - name: lenses-hq            # Replace with your service name
                port: 10000                # Agent default TCP port  
        tls: {}

Agent

Changes in provisioning connection to HQ

In the provisioning, there has been slight adjustment in connection naming with HQ.

Changes:

• grpcServer has been renamed to lensesHq

• apiKey has been renamed to agentKey

lenses:
  provision:
    enabled: true
    version: "2"
    path: /mnt/provision-secrets
    connections:
      grpcServer:     # Property that has changed
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            apiKey:     # Property that has changed
              value: ${LENSESHQ_AGENT_KEY}

lenses:
  provision:
    enabled: true
    version: "2"
    path: /mnt/provision-secrets
    connections:
      lensesHq:    # Renamed property
        - name: lenses-hq
          version: 1
          tags: ['hq']
          configuration:
            server:
              value: [HQ_URL]
            port:
              value: 10000
            agentKey:    # Renamed property
              value: ${LENSESHQ_AGENT_KEY}

Known issues

With the new version of Agent, HQ connection in provisioning has changed which requires complete recreation of database. Following log message will indicate it:

 liquibase.exception.ValidationFailedException: Validation Failed:                                                                                                           │
│      1 change sets check sum                                                                                                                                                │
│           io/lenses/store/jdbc/migration/6.0.0/02_new_template_data.xml::2::lenses was: 8:357e3bd4e93a5cc938420eb2521c4b7c but is now: 8:03dad3472f5facacdd10a985e5e02da3   │

HQ Changelog

HQ configuration file TOML -> YAML

In the past, HQ has been using TOML file format. As we want to reduce differences in file formats between Agent and HQ as much as possible, this was the first step.

Postgres changes

• Postgres connection URI is not being built within config.yaml but in backend runtime;

  • parameter group has changed from postgres to storage.postgres.*

• In the previous version, schema was defined as a part of extraParamSpecs. In the new version schema is now defined as a separate property storage.postgres.database.schema;

• Property extraParamSpecs is renamed to params;

Parameter group api changes

Parameter group api has been renamed to http and following parameters are not part of it anymore:

• administrators;

• saml;

New parameter auth

Property auth is being derived from property api (now. http).

Parameters that has been moved from http to auth are following:

• administrators;

• saml;

Aurora support

HQ has been tested against Aurora (Postgres) and is compatible.

Pod restart on configmap checksum change

In case of any changes in ConfigMap and after executing helm upgrade HQ pod will be automatically restarted as well therefore no need for manual interventions.

TL; DR Changes in values.yaml

lensesHq:
  auth:
    administrators:
      - admin@example.com
      - admin2@example.com
    saml:
      baseURL: "https://"
      entityID: "https://"
      # -- Example: <?xml version="1.0" ... (big blob of xml) </md:EntityDescriptor>
      metadata:
        referenceFromSecret: false
        secretName: hq-tls-mock-saml-metadata
        secretKeyName: metadata.xml
        stringData: |
          <?xml version="1.0" encoding="UTF-8" standalone="no"?>
          <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2034-09-23T08:10:34.764Z">
            <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:X509Data>
                    <ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV
          ...
          m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </md:KeyDescriptor>
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
              <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
              <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
            </md:IDPSSODescriptor>
          </md:EntityDescriptor>
      userCreationMode: "sso"
      usersGroupMembershipManagementMode: "manual"
    tls:
      enabled: false
      cert:
        referenceFromSecret: false
        stringData: |
          -----BEGIN CERTIFICATE-----
          MIIECDCCAvCgAwIBAgIRAIiph6RQMbGCABOaJO94PbowDQYJKoZIhvcNAQELBQAw
          ...
          -----END CERTIFICATE-----
      privateKey:
        secret:
          name: hq-agent-test-authority
          key: hq-tls-test.key.pem
  agents:
    address: ":10000"
    tls:
      enabled: false
      verboseLogs: false
      cert:
        referenceFromSecret: false
        secretName: hq-agent-test-authority
        secretKeyName: hq-tls-test.crt.pem
        stringData: |
          -----BEGIN CERTIFICATE-----
          MIIECDCCAvCgAwIBAgIRAIiph6RQMbGCABOaJO94PbowDQYJKoZIhvcNAQELBQAw
          gYUxFTATBgNVBAYTDEFua2gtTW9ycG9yazEaMBgGA1UEChMRVW5zZWVuIFVuaXZl
          .....
          -----END CERTIFICATE-----
      privateKey:
        secret:
          name: hq-agent-test-authority
          key: hq-tls-test.key.pem
  http:
    address: ":8080"
    accessControlAllowOrigin:
      - https://
      - http://
  storage:
    postgres:
      #host: postgres-postgresql.postgres.svc.cluster.local
      host: 
      port: 5432
      #username: lenses
      username: postgres
      database: hq
      passwordSecret:
        type: "externalSecret"
        name: postgres-aurora
        key:  password
        externalSecret:
          secretStoreRef:
            clusterSecretStore:
              name: enjoy3-secrets
  logger:
    mode: "text"
    level: "debug"

  # Additional env variables appended to deployment
  # Follows the format of [EnvVar spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#envvar-v1-core)
  additionalEnv:
    # - name: FOO
    #   value: bar

  # Disable livenessProbe, used while debugging
  livenessProbe:
    enabled: false

  # Pause execution of Lenses start up script to allow the user to login into the container and
  # check the running environment, used while debugging
  pauseExec:
    enabled: false

  monitoring:
    port: 9090

lensesHq:
  agents:
    address: ":10000"
    tls:
      enabled: false
  api:
    address: ":8080"
    accessControlAllowOrigin: '["http://localhost:8080"]'
    administrators: '["admin@example.com"]'
    saml:
      baseUrl: "http://localhost:8080"
      entityId: "http://localhost:8080"
      # -- Example: <?xml version="1.0" ... (big blob of xml) </md:EntityDescriptor>
      metadata:
        referenceFromSecret: false
        stringData: |
          <?xml version="1.0" encoding="UTF-8" standalone="no"?>
          <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://saml.example.com/entityid" validUntil="2034-09-23T08:10:34.764Z">
            <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <md:KeyDescriptor use="signing">
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:X509Data>
                    <ds:X509Certificate>MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV
          SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4
          MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK
          DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD
          ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0
          RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd
          4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V
          pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b
          2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ
          NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF
          AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW
          5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4
          khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX
          UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L
          r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M
          m0eo2USlSRTVl7QHRTuiuSThHpLKQQ==</ds:X509Certificate>
                  </ds:X509Data>
                </ds:KeyInfo>
              </md:KeyDescriptor>
              <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
              <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://mocksaml.com/api/saml/sso"/>
              <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://mocksaml.com/api/saml/sso"/>
            </md:IDPSSODescriptor>
          </md:EntityDescriptor>
      userCreationMode: "sso"
      usersGroupMembershipManagementMode: "sso"
    tls:
      enabled: false
  # Find more details in https://docs.lenses.io/current/installation/kubernetes/helm/#helm-storage
  ## Postgres template example: "postgres://[username]:[pwd]@[host]:[port]/[database]?sslmode=require"
  postgres:
    host: postgres-postgresql.postgres.svc.cluster.local
    port: 5432
    username: lenses
    database: hq
    #extraParamSpecs: "?sslmode=disable"
    passwordSecret:
      type: "externalSecret"
      name: postgres
      key:  password
      externalSecret:
        secretStoreRef:
          clusterSecretStore:
            name: [CLUSTER_SECRET_STORE_NAME]

  logger:
    mode: "text"
    level: "debug"

  # Additional env variables appended to deployment
  # Follows the format of [EnvVar spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/#envvar-v1-core)
  additionalEnv:
    # - name: FOO
    #   value: bar

  # Disable livenessProbe, used while debugging
  livenessProbe:
    enabled: true

  monitoring:
    port: 9090

Agent Changelog

Agent Key reference change

Previously environment variable known as LENSES_HQ_AGENT_KEY that was referenced in provisioning.yaml and stores the agentKey value has been renamed to LENSESHQ_AGENT_KEY.

Known issues

Since newest version of Lenses HQ and Agent bring breaking changes following issues can happen.

Database migration

Upon doing helm upgrade HQ can fail with following error log:

Fatal: Init db error" err="migrate database: database has been migrated beyond what we understand: the current is 17; the target is 2" version=v6.0.0-alpha.14

In order to fix it, following command has to be run on the postgres database:

DELETE FROM goose_db_version WHERE id > 2;

In case SQL command cannot be run, database has to be cleared as if one is starting from scratch.