This page describes installing Lenses Agent in Kubernetes via Helm.
Kubernetes 1.23+
Helm 3.8.0+
Running Postgres instance
External secret operator (in case of ExternalSecret usage)
First, add the Helm Chart repository using the Helm command line:
Installing using cloned repository:
Installing using Helm repository:
Be aware that for the time being and for alpha purposes usage of --version
is mandatory when deploying Helm chart through Helm repository.
For more information on provisioning see here.
To automatically provision the connections to Kafka, HQ and other systems set the .Values.lenses.provision.connections to be the YAML definition of your connections.
The chart will render the full YAML specified under this setting as the provisioning.yaml file.
Alternatively you can use a second YAML file, which contains only the connections pass them at the command line when installing:
The chart uses:
Secrets to store Postgres credentials and authentication credentials
Secrets to store connection credentials such as Kafka SASL_SCRAM password or password for SSL JKS stores.
Secrets to hold the base64 encoded values of the JKS stores
Secrets to store AGENT KEY for connection to Lenses HQ
ConfigMap for Lenses configuration overrides
Cluster roles and role bindings (optional).
Secrets and config maps are mounted as files under the mount /mnt:
settings - holds the lenses.conf
provision-secrets - holds the secrets for connections in the provisioning.yaml file
provision-secrets/files - holds any file needed for a connection, e.g. JKS files.
If you are curious about Provisioning API specs which can help you understand connection configs, you can find the same under page Provisioning API reference.
Connection to Lenses HQ is straight forward process which requires two steps:
Creating Environment and obtaining AGENT KEY in HQ as described here, if you already have not done so.
Storing that same key in Vault or as a K8s secret
The agent communicates with HQ via a secure custom binary protocol channel. To establish this channel and authenticate the Agent needs and AGENT KEY.
Once the AGENT KEY has been copied, store it inside of Vault or any other tool that has integration with Kubernetes secrets.
There are three available options how agent key can be used:
ExternalSecret via External Secret Operator (ESO)
Pre-created secret
Inline string
To use this option, the External Secret Operator (ESO) has to be installed and available for usage in K8s cluster your are deploying Agent.
When specifying secret.type: "externalSecret", the chart will:
create an ExternalSecret in the namespace where Agent is deployed;
a secret is mounted for Agent to use.
Make sure that secret you are going to use is already created in namespace where Agent will be installed.
This option is NOT for PRODUCTION usage but rather just for demo / testing.
The chart will create a secret with defined values below and the same secret will be read by Agent to connect to HQ.
This secret will be fed into the provisioning.yaml. The HQ connection is specified at line 30, below, where reference ${LENSESHQ_AGENT_KEY} is being set:
The Helm chart creates Cluster roles and bindings, that are used by SQL Processors, if the deployment mode is set to KUBERNETES. They are used so that Lenses can deploy and monitor SQL Processor deployments in namespaces.
To disable the creation of Kubernetes RBAC set: rbacEnabled: false
If you want to limit the permissions the Agent has against your Kubernetes cluster, you can use Role/RoleBinging resources instead. Follow this link in order to enable it.
If you are not using SQL Processors and want to limit permissions given to Agent's ServiceAccount, there are two options you can choose from:
rbacEnable: true - will enable the creation of ClusterRole and ClusterRoleBinding for service account mentioned above;
rbacEnable: true and namespaceScope: true - will enable creation of Role and RoleBinding which is more restrictive.
To use Postgres as the backing store for the Agent set the details in the lenses.storage.postgres object.
The chart relies on secrets for sensitive information such as Passwords. Secrets can rotate and are commonly stored in an external store such as Azure KeyVault, Hashicorp Vault or AWS Secrets Manager.
For Postgres, add additional ENV variables via the lenses.additionalEnv object to point to your secret and set the username and password to external in the Postgres section.
Enable a service resource in the values.yaml:
To control the resources used by the Agent:
In case LENSES_HEAP_OPTS is not set explicitly it will be set implicitly.
Examples:
if no requests or limits are defined, LENSES_HEAP_OPTS will be set as -Xms1G -Xmx3G
If requests and limits are defined above defined values, LENSES_HEAP_OPTS will be set by formula -Xms[-Xmx / 2] -Xmx[limits.memory - 2]
If .Values.lenses.jvm.heapOpts it will override everything
To enable SQL processor in KUBERENTES mode and control the defaults:
To control the namespace Lenses can deploy processors, use the sql.namespaces value.
To achieve you need to create a Role and a RoleBinding resource in the namespace you want the processors deployed to.
For example:
Lenses namespace = lenses-ns
Processor namespace = lenses-proc-ns
Finally you need to define in the Agent configuration which namespaces the Agent has access to. Amend values.yaml to contain the following:
Prometheus metrics are automatically exposed on port 9102 under /metrics.
The main configurable options for lenses.conf are available in the values.yaml under the lenses object. These include:
Authentication
Database connections
SQL processor configurations
To apply other static configurations use lenses.append.conf, for example:
You can also find examples in the Helm chart repo.