Ilum Core helm chart config.
TL;DR
$ helm repo add ilum https://charts.ilum.cloud
$ helm install ilum-core ilum/ilum-core
Installing the Chart
To install the chart with the release name ilum-core:
$ helm install ilum-core ilum/ilum-core
The command deploys ilum-core on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Uninstalling the Chart
To uninstall/delete the ilum-core deployment:
The command removes all the Kubernetes components associated with the chart and deletes the release.
Parameters
Common parameters
Name | Description | Value |
---|---|---|
nameOverride | String to partially override ilum-core.fullname template (will maintain the release name) | "" |
fullnameOverride | String to fully override ilum-core.fullname template | "" |
ilum-core deployment parameters
Name | Description | Value |
---|---|---|
image | ilum-core image | ilum/core:6.0.0 |
pullPolicy | ilum-core image pull policy | IfNotPresent |
ilum-core communication parameters
Name | Description | Value |
---|---|---|
communication.type | ilum-core communication type with spark jobs, available options: grpc, kafka | grpc |
ilum-core service parameters
Name | Description | Value |
---|---|---|
service.type | ilum-core service type | ClusterIP |
service.port | ilum-core service port | 9888 |
service.nodePort | ilum-core service node port - required when type is LoadBalancer or NodePort | "" |
service.clusterIP | ilum-core service cluster IP - required when type is ClusterIP | "" |
service.loadBalancerIP | ilum-core service load balancer IP - required when type is LoadBalancer | "" |
ilum-core ingress parameters
Name | Description | Value |
---|---|---|
ingress.enabled | ilum-core ingress enabled flag | false |
ingress.version | ilum-core ingress version | v1 |
ingress.className | ilum-core ingress class name | "" |
ingress.host | ilum-core ingress host | host |
ingress.tls | ilum-core ingress tls configuration | [] |
ingress.tls[x].secretName | ilum-core ingress secret name to apply for a single tls configuration entry | |
ingress.tls[x].hosts | ilum-core ingress hosts list to apply for a single tls configuration entry | |
ingress.annotations | ilum-core ingress annotations in yaml format | { nginx.ingress.kubernetes.io/rewrite-target: /$1, nginx.ingress.kubernetes.io/proxy-body-size: "600m", nginx.org/client-max-body-size: "600m" } |
ingress.path | ilum-core ingress path | /(.*) |
ingress.pathType | ilum-core ingress pathType | Prefix |
ilum-core livenessProbe/readinessProbe parameters
Name | Description | Value |
---|---|---|
readinessProbe | ilum-core readinessProbe configuration | readinessProbe: { failureThreshold: 3, httpGet: { path: /api/dev/reactive/health, port: http, scheme: HTTP }, initialDelaySeconds: 60, periodSeconds: 10, successThreshold: 1, timeoutSeconds: 1 } |
livenessProbe | ilum-core livenessProbe configuration | livenessProbe: { failureThreshold: 3, httpGet: { path: /api/dev/reactive/health, port: http, scheme: HTTP }, initialDelaySeconds: 60, periodSeconds: 10, successThreshold: 1, timeoutSeconds: 1 } |
ilum-core mongo parameters
Name | Description | Value |
---|---|---|
mongo.instances | ilum-core mongo instances to connect to | mongo:27017 |
mongo.replicaSetName | ilum-core mongo replica set name | rs0 |
ilum-core kafka parameters
Name | Description | Value |
---|---|---|
kafka.address | ilum-core kafka address to connect to | kafka:9092 |
ilum-core grpc service parameters
Name | Description | Value |
---|---|---|
grpc.service.type | ilum-core grpc service type | ClusterIP |
grpc.service.port | ilum-core grpc service port | 9999 |
grpc.service.nodePort | ilum-core grpc service node port - required when type is LoadBalancer or NodePort | "" |
grpc.service.clusterIP | ilum-core grpc service cluster IP - required when type is ClusterIP | "" |
grpc.service.loadBalancerIP | ilum-core grpc service load balancer IP - required when type is LoadBalancer | "" |
ilum-core grpc parameters for spark job
Name | Description | Value |
---|---|---|
grpc.job.host | ilum-core grpc host for spark job to connect to | ilum-grpc |
grpc.job.port | ilum-core grpc port for spark job to connect to | 9999 |
ilum-core kubernetes cluster initializer parameters
Name | Description | Value |
---|---|---|
kubernetes.initClusterOnStartup | ilum-core default kubernetes cluster initialization flag | true |
kubernetes.api.url | ilum-core default kubernetes cluster api url | https://kubernetes.default.svc |
kubernetes.container.image | ilum-core default kubernetes cluster container image | ilum/spark:3.4.1 |
kubernetes.sparkNamespace | ilum-core default kubernetes cluster namespace to store spark resources | {{ .Release.Namespace }} |
kubernetes.s3.host | ilum-core default kubernetes cluster S3 storage host to store spark resources | s3 |
kubernetes.s3.port | ilum-core default kubernetes cluster S3 storage port to store spark resources | 7000 |
kubernetes.s3.bucket | ilum-core default kubernetes cluster S3 storage bucket to store spark resources | ilum-files |
kubernetes.s3.accessKey | ilum-core default kubernetes cluster S3 storage access key to store spark resources | "" |
kubernetes.s3.secretKey | ilum-core default kubernetes cluster S3 storage secret key to store spark resources | "" |
Important! Make sure the S3 bucket is already created and reachable!
ilum-core security parameters
Name | Description | Value |
---|---|---|
security.type | ilum-core authentication type, available options: internal, ldap, oauth2 | internal |
security.jwt.issuerUrl | ilum-core frontend URI used in the jwt iss claim | https://ilum.cloud |
security.jwt.timeToLive | ilum-core jwt time to live in specified time units | 8h |
security.jwt.publicKey | ilum-core base64 encoded string containing the X.509 RSA 2048 bit public key | "" |
security.jwt.privateKey | ilum-core base64 encoded string containing the PKCS8 RSA 2048 bit private key | "" |
security.authorities | ilum-core authorities mapping rules configuration. Used when authorization is ldap or oauth2. Translates external auth provider groups and scopes to ilum roles | authorities: { roles: { prefix: ROLE_, claim-name: groups }, scopes: { prefix: SCOPE__, claim-name: scp } } |
security.authorities.roles.prefix | ilum-core authentication role prefix | ROLE_ |
security.authorities.roles.claimName | ilum-core external authentication provider ID of the jwt claim which contains list of roles/groups | groups |
security.authorities.roles.mappings | ilum-core role mapping definitions in form of a map external_role: ilum_role | {} |
security.authorities.scopes.prefix | ilum-core authentication scope prefix | SCOPE_ |
security.authorities.scopes.claimName | ilum-core external authentication provider ID of the jwt claim which contains list of scopes | scp |
security.authorities.scopes.mappings | ilum-core scope mapping definitions in form of a map external_scope: ilum_scope | {} |
Internal config-map based authentication parameters
Name | Description | Value |
---|---|---|
security.internal.users | ilum-core internal users configuration | users: [ { username: "admin", password: "admin", roles: [ "ADMIN" ] } ] |
security.internal.users[].username | ilum-core user username | "" |
security.internal.users[].password | ilum-core user plain password | "" |
security.internal.users[].roles | ilum-core user roles, available options: ADMIN, USER, VIEWER | [] |
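
An added check, not part of the chart, for the internal user list above: it prints every user in a values file whose password is empty, equal to the username, or the chart default admin. The function name and the sample users analyst and ops are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the chart): audit security.internal.users before install.

# Print each username whose password is empty, equals the username, or is the
# chart default "admin". Assumes the list layout from the table above
# ("- username:" followed by "password:"); this is a line scan, not a YAML parser.
weak_internal_users() {
    awk '
        function val(s) {
            sub(/^[^:]*:[ \t]*/, "", s); gsub(/"/, "", s); sub(/[ \t]+$/, "", s)
            return s
        }
        function emit() {
            if (have && (p == "" || p == u || p == "admin")) print u
            have = 0; u = ""; p = ""
        }
        /^[ \t]*-[ \t]*username:/ { emit(); u = val($0); have = 1; next }
        have && /^[ \t]*password:/ { p = val($0); next }
        END { emit() }
    ' "$1"
}

# Constructed sample values file: the chart default plus two hypothetical users.
sample=$(mktemp)
cat > "$sample" <<'EOF'
security:
  type: internal
  internal:
    users:
      - username: "admin"
        password: "admin"
        roles:
          - "ADMIN"
      - username: "analyst"
        password: "constructed-long-passphrase-41"
        roles:
          - "VIEWER"
      - username: "ops"
        password: "ops"
        roles:
          - "USER"
EOF
weak_internal_users "$sample"
rm -f "$sample"
```

An empty result means no listed user has a trivially guessable password; the passwords are still stored in plain text in the values file, as the table states.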
LDAP based authentication parameters
Name | Description | Value |
---|---|---|
security.ldap.urls | ilum-core LDAP URLs of the server | [] |
security.ldap.base | ilum-core LDAP base suffix from which all operations should originate | "" |
security.ldap.username | ilum-core LDAP login username of the server | "" |
security.ldap.password | ilum-core LDAP login password of the server | "" |
security.ldap.passwordEncoder | ilum-core LDAP password encoder. LDAP server authenticates users (bind operations) if empty, available options: adaptive (password encoder that delegates to another encoder based upon a prefixed identifier), bcrypt, md5, sha256 | "" |
security.ldap.userSearch.base | ilum-core LDAP base DN from which the search for a user should be performed | "" |
security.ldap.userSearch.filter | ilum-core LDAP pattern to be used for the user search. {0} is the username | uid={0} |
security.ldap.userSearch.passwordAttr | ilum-core LDAP ID of the attribute which contains the password of a user | userPassword |
security.ldap.groupSearch.base | ilum-core LDAP base DN from which the search for group membership should be performed | "" |
security.ldap.groupSearch.filter | ilum-core LDAP pattern to be used for the group search. {0} is the user's DN | (member={0}) |
security.ldap.groupSearch.roleAttr | ilum-core LDAP ID of the attribute which contains the role name for a group | cn |
OAuth2 based authentication parameters
Name | Description | Value |
---|---|---|
security.oauth2.clientId | ilum-core oauth2 Client ID | "" |
security.oauth2.issuerUri | ilum-core oauth2 URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization Server Metadata endpoint defined by RFC 8414. | "" |
ilum-core license parameters
Name | Description | Value |
---|---|---|
license.privateKey | ilum license key | "" |
ilum-core external spark submit parameters
Name | Description | Value |
---|---|---|
externalSparkSubmit.enabled | ilum-core external spark-submit flag | false |
externalSparkSubmit.image | ilum-core external spark-submit base images | ilum/spark-launcher:spark-3.4.1 |
externalSparkSubmit.resources | ilum-core external spark-submit pod kubernetes resources | { limits: { memory: "500Mi" }, requests: { memory: "300Mi" } } |
Generating RSA Private and Public Key
The 2048-bit RSA keys for the authentication configuration are created with openssl, in unencrypted Base64 PEM PKCS#8 format.
Generate private key
openssl genpkey -algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_keygen_pubexp:65537 | \
openssl pkcs8 -topk8 -nocrypt -outform pem > private-key.p8
The contents of the private key should look like the following:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsRnE83rm6BJya
nTyzVqX0SG+D4zBjkyWsOmGG+CoDdgQ6Z8AaocmnjP1SbRykQsQSMf6SeW+fdpH+
ccmzuHe7pZIa2o2Mg8xbk/UszJDaPztwoQbUt/2gHi/rZP8cIVkquzhnN/yxrMls
...
-----END PRIVATE KEY-----
To use the private key as the security.jwt.privateKey setting, remove the header and footer from the key.
Generate public key
openssl pkey -pubout -inform pem -outform pem -in private-key.p8 -out public-key.spki
The contents of the public key should look like the following:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEZxPN65ugScmp08s1al
9Ehvg+MwY5MlrDphhvgqA3YEOmfAGqHJp4z9Um0cpELEEjH+knlvn3aR/nHJs7h3
u6WSGtqNjIPMW5P1LMyQ2j87cKEG1Lf9oB4v62T/HCFZKrs4Zzf8sazJbMN3E/mJ
...
-----END PUBLIC KEY-----
To use the public key as the security.jwt.publicKey setting, remove the header and footer from the key.
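Both openssl steps above end with removing the header and footer by hand; the added script below (not part of the ilum chart) does that stripping, checks that the public key belongs to the private key, and writes both into a values file. The function names, the jwt-values.yaml file name and joining the Base64 body onto one line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the chart: build security.jwt.* values from PEM files.

# Print the Base64 body of a PEM file (or stdin) without the BEGIN/END lines.
# Joining the body onto one line is an assumption; the page only says to
# remove the header and footer.
pem_body() {
    sed '/^-----/d' "$@" | tr -d ' \r\n'
}

# Succeed only if the public key derived from private PEM $1 equals public PEM $2.
keys_match() {
    derived=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null | pem_body)
    [ -n "$derived" ] && [ "$derived" = "$(pem_body "$2")" ]
}

# Write both keys to a new values file $3 (created with mode 0600), so the
# private key is not exposed through --set arguments in shell history or the
# process list.
write_jwt_values() {
    keys_match "$1" "$2" || { echo "key pair mismatch" >&2; return 1; }
    (
        umask 077
        printf 'security:\n  jwt:\n    privateKey: "%s"\n    publicKey: "%s"\n' \
            "$(pem_body "$1")" "$(pem_body "$2")" > "$3"
    )
}

# Demo with a throwaway key pair, generated with the commands from this page.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 2>/dev/null |
        openssl pkcs8 -topk8 -nocrypt -outform pem > "$tmp/private-key.p8"
    openssl pkey -pubout -inform pem -outform pem \
        -in "$tmp/private-key.p8" -out "$tmp/public-key.spki"
    write_jwt_values "$tmp/private-key.p8" "$tmp/public-key.spki" \
        "$tmp/jwt-values.yaml" && echo "key pair verified, values file written"
    # Real use: helm install ilum-core ilum/ilum-core -f jwt-values.yaml
    rm -rf "$tmp"
fi
```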