Ilum Core

Ilum Core helm chart config.

TL;DR

$ helm repo add ilum https://charts.ilum.cloud
$ helm install ilum-core ilum/ilum-core

Installing the Chart

To install the chart with the release name ilum-core:

$ helm install ilum-core ilum/ilum-core

The command deploys ilum-core on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.

Uninstalling the Chart

To uninstall/delete the ilum-core deployment:

$ helm delete ilum-core

The command removes all the Kubernetes components associated with the chart and deletes the release.

Parameters

Common parameters

Name	Description	Value
nameOverride	String to partially override ilum-core.fullname template (will maintain the release name)	""
fullnameOverride	String to fully override ilum-core.fullname template	""

ilum-core deployment parameters

Name	Description	Value
image	ilum-core image	ilum/core:6.0.0
pullPolicy	ilum-core image pull policy	IfNotPresent

ilum-core communication parameters

Name	Description	Value
communication.type	ilum-core communication type with spark jobs, available options: grpc, kafka	grpc

ilum-core service parameters

Name	Description	Value
service.type	ilum-core service type	ClusterIP
service.port	ilum-core service port	9888
service.nodePort	ilum-core service node port - required when type is LoadBalancer or NodePort	""
service.clusterIP	ilum-core service cluster IP - required when type is ClusterIP	""
service.loadBalancerIP	ilum-core service load balancer IP - required when type is LoadBalancer	""

ilum-core ingress parameters

Name	Description	Value
ingress.enabled	ilum-core ingress enabled flag	false
ingress.version	ilum-core ingress version	v1
ingress.className	ilum-core ingress class name	""
ingress.host	ilum-core ingress host	host
ingress.tls	ilum-core ingress tls configuration	[]
ingress.tls[x].secretName	ilum-core ingress secret name to apply for a single tls configuration entry
ingress.tls[x].hosts	ilum-core ingress hosts list to apply for a single tls configuration entry
ingress.annotations	ilum-core ingress annotations in yaml format	nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/proxy-body-size: "600m" nginx.org/client-max-body-size: "600m"
ingress.path	ilum-core ingress path	/(.*)
ingress.pathType	ilum-core ingress pathType	Prefix

ilum-core livenessProbe/readinessProbe parameters

Name	Description	Value
readinessProbe	ilum-core readinessProbe configuration	readinessProbe: failureThreshold: 3 httpGet: path: /api/dev/reactive/health port: http scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1
livenessProbe	ilum-core livenessProbe configuration	livenessProbe: failureThreshold: 3 httpGet: path: /api/dev/reactive/health port: http scheme: HTTP initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1

ilum-core mongo parameters

Name	Description	Value
mongo.instances	ilum-core mongo instances to connect to	mongo:27017
mongo.replicaSetName	ilum-core mongo replica set name	rs0

ilum-core kafka parameters

Name	Description	Value
kafka.address	ilum-core kafka address to connect to	kafka:9092

ilum-core grpc service parameters

Name	Description	Value
grpc.service.type	ilum-core grpc service type	ClusterIP
grpc.service.port	ilum-core grpc service port	9999
grpc.service.nodePort	ilum-core grpc service node port - required when type is LoadBalancer or NodePort	""
grpc.service.clusterIP	ilum-core grpc service cluster IP - required when type is ClusterIP	""
grpc.service.loadBalancerIP	ilum-core grpc service load balancer IP - required when type is LoadBalancer	""

ilum-core grpc parameters for spark job

Name	Description	Value
grpc.job.host	ilum-core grpc host for spark job to connect to	ilum-grpc
grpc.job.port	ilum-core grpc port for spark job to connect to	9999

ilum-core kubernetes cluster initializer parameters

Name	Description	Value
kubernetes.initClusterOnStartup	ilum-core default kubernetes cluster initialization flag	true
kubernetes.api.url	ilum-core default kubernetes cluster api url	https://kubernetes.default.svc
kubernetes.container.image	ilum-core default kubernetes cluster container image	ilum/spark:3.4.1
kubernetes.sparkNamespace	ilum-core default kubernetes cluster namespace to store spark resources	{{ .Release.Namespace }}
kubernetes.s3.host	ilum-core default kubernetes cluster S3 storage host to store spark resources	s3
kubernetes.s3.port	ilum-core default kubernetes cluster S3 storage port to store spark resources	7000
kubernetes.s3.bucket	ilum-core default kubernetes cluster S3 storage bucket to store spark resources	ilum-files
kubernetes.s3.accessKey	ilum-core default kubernetes cluster S3 storage access key to store spark resources	""
kubernetes.s3.secretKey	ilum-core default kubernetes cluster S3 storage secret key to store spark resources	""

Important! Make sure S3 bucket is already created and reachable!

ilum-core security parameters

Name	Description	Value
security.type	ilum-core authentication type, available options: internal, ldap, oauth2	internal
security.jwt.issuerUrl	ilum-core frontend URI used in the jwt iss claim	https://ilum.cloud
security.jwt.timeToLive	ilum-core jwt time to live in specified time units	8h
security.jwt.publicKey	ilum-core base64 encoded string containing the X.509 RSA 2048 bit public key	""
security.jwt.privateKey	ilum-core base64 encoded string containing the PKCS8 RSA 2048 bit private key	""
security.authorities	ilum-core authorities mapping rules configuration. Used when authorization is ldap or oauth2. Allows to translate external auth provider groups and scopes to ilum roles	authorities: roles: prefix: ROLE_ claim-name: groups scopes: prefix: SCOPE__ claim-name: scp
security.authorities.roles.prefix	ilum-core authentication role prefix	ROLE_
security.authorities.roles.claimName	ilum-core external authentication provider ID of the jwt claim which contains list of roles/groups	groups
security.authorities.roles.mappings	ilum-core role mapping definitions in form of a map external_role: ilum_role	{}
security.authorities.scopes.prefix	ilum-core authentication scope prefix	SCOPE_
security.authorities.scopes.claimName	ilum-core external authentication provider ID of the jwt claim which contains list of scopes	scp
security.authorities.scopes.mappings	ilum-core scope mapping definitions in form of a map external_scope: ilum_scope	{}

Internal config-map based authentication parameters

Name	Description	Value
security.internal.users	ilum-core internal users configuration	users: - username: "admin" password: "admin" roles: - "ADMIN"
security.internal.users[].username	ilum-core user username	""
security.internal.users[].password	ilum-core user plain password	""
security.internal.users[].roles	ilum-core user roles, available options: ADMIN, USER, VIEWER	[]

LDAP based authentication parameters

Name	Description	Value
security.ldap.urls	ilum-core LDAP URLs of the server	[]
security.ldap.base	ilum-core LDAP base suffix from which all operations should originate	""
security.ldap.username	ilum-core LDAP login username of the server	""
security.ldap.password	ilum-core LDAP login password of the server	""
security.ldap.passwordEncoder	ilum-core LDAP password encoder. LDAP server authenticates users (bind operations) if empty, available options: adaptive - password encoder that delegates to another encoder based upon a prefixed identifier bcrypt md5 sha256	""
security.ldap.userSearch.base	ilum-core LDAP base DN from which the search for an user should be performed	""
security.ldap.userSearch.filter	ilum-core LDAP pattern to be used for the user search. {0} is the username	uid={0}
security.ldap.userSearch.passwordAttr	ilum-core LDAP ID of the attribute which contains the password of a user	userPassword
security.ldap.groupSearch.base	ilum-core LDAP base DN from which the search for group membership should be performed	""
security.ldap.groupSearch.filter	ilum-core LDAP pattern to be used for the group search. {0} is the user's DN	(member={0})
security.ldap.groupSearch.roleAttr	ilum-core LDAP ID of the attribute which contains the role name for a group	cn

OAuth2 based authentication parameters

Name	Description	Value
security.oauth2.clientId	ilum-core oauth2 Client ID	""
security.oauth2.issuerUri	ilum-core oauth2 URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization Server Metadata endpoint defined by RFC 8414.	""

ilum-core license parameters

Name	Description	Value
license.privateKey	ilum license key	""

ilum-core external spark submit parameters

Name	Description	Value
externalSparkSubmit.enabled	ilum-core external spark-submit flag	false
externalSparkSubmit.image	ilum-core external spark-submit base images	ilum/spark-launcher:spark-3.4.1
externalSparkSubmit.resources	ilum-core external spark-submit pod kubernetes resources	limits: memory: "500Mi" requests: memory: "300Mi"

Generating RSA Private and Public Key

In order to create 2048-bit RSA keys in an unencrypted Base64 PEM PKCS#8 format for authentication configuration, openssl was used.

Generate private key

openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 \
    -pkeyopt rsa_keygen_pubexp:65537 | \
  openssl pkcs8 -topk8 -nocrypt -outform pem > private-key.p8

The contents of the private key should look like the following:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsRnE83rm6BJya
nTyzVqX0SG+D4zBjkyWsOmGG+CoDdgQ6Z8AaocmnjP1SbRykQsQSMf6SeW+fdpH+
ccmzuHe7pZIa2o2Mg8xbk/UszJDaPztwoQbUt/2gHi/rZP8cIVkquzhnN/yxrMls
...
-----END PRIVATE KEY-----

In order to use private key as the setting security.jwt.privateKey, remove header and footer from the key.

Extract public key

openssl pkey -pubout -inform pem -outform pem -in private-key.p8 -out public-key.spki

The contents of the public key should look like the following:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEZxPN65ugScmp08s1al
9Ehvg+MwY5MlrDphhvgqA3YEOmfAGqHJp4z9Um0cpELEEjH+knlvn3aR/nHJs7h3
u6WSGtqNjIPMW5P1LMyQ2j87cKEG1Lf9oB4v62T/HCFZKrs4Zzf8sazJbMN3E/mJ
...
-----END PUBLIC KEY-----

In order to use public key as the setting security.jwt.publicKey, remove header and footer from the key.