Ilum Core
Ilum Core helm chart config.
TL;DR
$ helm repo add ilum https://charts.ilum.cloud
$ helm install ilum-core ilum/ilum-core
Installing the Chart
To install the chart with the release name ilum-core:
$ helm install ilum-core ilum/ilum-core
The command deploys ilum-core on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Uninstalling the Chart
To uninstall/delete the ilum-core deployment:
$ helm delete ilum-core
The command removes all the Kubernetes components associated with the chart and deletes the release.
Parameters
Common parameters
Name | Description | Value |
---|---|---|
nameOverride | String to partially override ilum-core.fullname template (will maintain the release name) | "" |
replicaCount | Number of ilum-core replicas | 1 |
fullnameOverride | String to fully override ilum-core.fullname template | "" |
nodeSelector | ilum-core node selection constraint | |
tolerations | ilum-core pods tolerations | [] |
affinity | ilum-core node affinity | |
ilum-core deployment parameters
Name | Description | Value |
---|---|---|
image | ilum-core image | ilum/core:6.2.0 |
pullPolicy | ilum-core image pull policy | IfNotPresent |
imagePullSecrets | ilum-core image pull secrets | [] |
ilum-core communication parameters
Name | Description | Value |
---|---|---|
communication.type | ilum-core communication type with spark jobs, available options: grpc, kafka | grpc |
ilum-core service parameters
Name | Description | Value |
---|---|---|
service.type | ilum-core service type | ClusterIP |
service.port | ilum-core service port | 9888 |
service.nodePort | ilum-core service node port - required when type is LoadBalancer or NodePort | "" |
service.clusterIP | ilum-core service cluster IP - required when type is ClusterIP | "" |
service.loadBalancerIP | ilum-core service load balancer IP - required when type is LoadBalancer | "" |
service.annotations | ilum-core service annotations | {} |
ilum-core ingress parameters
Name | Description | Value |
---|---|---|
ingress.enabled | ilum-core ingress enabled flag | false |
ingress.version | ilum-core ingress version | v1 |
ingress.className | ilum-core ingress class name | "" |
ingress.host | ilum-core ingress host | host |
ingress.tls | ilum-core ingress tls configuration | [] |
ingress.tls[x].secretName | ilum-core ingress secret name to apply for a single tls configuration entry | |
ingress.tls[x].hosts | ilum-core ingress hosts list to apply for a single tls configuration entry | |
ingress.annotations | ilum-core ingress annotations in yaml format | nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/proxy-body-size: "600m" nginx.org/client-max-body-size: "600m" |
ingress.path | ilum-core ingress path | /(.*) |
ingress.pathType | ilum-core ingress pathType | Prefix |
ilum-core livenessProbe/readinessProbe parameters
Name | Description | Value |
---|---|---|
readinessProbe | ilum-core readinessProbe configuration | readinessProbe: |
livenessProbe | ilum-core livenessProbe configuration | livenessProbe: |
ilum-core mongo parameters
Name | Description | Value |
---|---|---|
mongo.instances | ilum-core mongo instances to connect to | mongo:27017 |
mongo.replicaSetName | ilum-core mongo replica set name | rs0 |
mongo.statusProbe.enanbled | ilum-core mongo healthcheck flag | true |
mongo.statusProbe.image | ilum-core mongo healthcheck image | ilum/mongodb:6.0.5 |
ilum-core kafka parameters
Name | Description | Value |
---|---|---|
kafka.address | ilum-core kafka address to connect to | kafka:9092 |
kafka.requestSize | ilum-core kafka max.request.size parameter for ilum jobs kafka producers | 20000000 |
kafka.maxPollRecords | ilum-core kafka max.poll.records parameter for ilum jobs kafka consumers | 500 |
kafka.maxPollInterval | ilum-core kafka max.poll.interval.ms parameter for ilum jobs kafka consumers | 60000 |
kafka.statusProbe.enanbled | ilum-core kafka healthcheck flag | true |
kafka.statusProbe.image | ilum-core kafka healthcheck image | bitnami/kafka:3.4.1 |
ilum-core grpc service parameters
Name | Description | Value |
---|---|---|
grpc.service.type | ilum-core grpc service type | ClusterIP |
grpc.service.port | ilum-core grpc service port | 9999 |
grpc.service.nodePort | ilum-core grpc service node port - required when type is LoadBalancer or NodePort | "" |
grpc.service.clusterIP | ilum-core grpc service cluster IP - required when type is ClusterIP | "" |
grpc.service.loadBalancerIP | ilum-core grpc service load balancer IP - required when type is LoadBalancer | "" |
grpc.service.annotations | ilum-core grpc service annotations | {} |
ilum-core grpc parameters for spark job
Name | Description | Value |
---|---|---|
grpc.job.host | ilum-core grpc host for spark job to connect to | ilum-grpc |
grpc.job.port | ilum-core grpc port for spark job to connect to | 9999 |
ilum-core kubernetes cluster initializer parameters
Name | Description | Value |
---|---|---|
kubernetes.initClusterOnStartup | ilum-core default kubernetes cluster initialization flag | true |
kubernetes.upgradeClusterOnStartup | ilum-core default kubernetes cluster upgrade from values in config map flag | false |
kubernetes.api.url | ilum-core default kubernetes cluster api url | https://kubernetes.default.svc |
kubernetes.container.image | ilum-core default kubernetes cluster container image | ilum/spark:3.5.2-delta |
kubernetes.sparkNamespace | ilum-core default kubernetes cluster namespace to store spark resources | {{ .Release.Namespace }} |
kubernetes.storage.type | ilum-core default kubernetes cluster storage type, available options: s3, gcs, wasbs, hdfs | s3 |
s3 kubernetes storage parameters
Name | Description | Value |
---|---|---|
kubernetes.s3.host | ilum-core default kubernetes cluster S3 storage host to store spark resources | s3 |
kubernetes.s3.port | ilum-core default kubernetes cluster S3 storage port to store spark resources | 7000 |
kubernetes.s3.sparkBucket | ilum-core default kubernetes cluster S3 storage bucket to store spark resources | ilum-files |
kubernetes.s3.dataBucket | ilum-core default kubernetes cluster S3 storage bucket to store ilum tables | ilum-tables |
kubernetes.s3.accessKey | ilum-core default kubernetes cluster S3 storage access key to store spark resources | "" |
kubernetes.s3.secretKey | ilum-core default kubernetes cluster S3 storage secret key to store spark resources | "" |
gcs kubernetes storage parameters
Name | Description | Value |
---|---|---|
kubernetes.gcs.clientEmail | ilum-core default kubernetes cluster GCS storage client email | "" |
kubernetes.gcs.sparkBucket | ilum-core default kubernetes cluster GCS storage bucket to store spark resources | "ilum-files" |
kubernetes.gcs.dataBucket | ilum-core default kubernetes cluster GCS storage bucket to store ilum tables | "ilum-tables" |
kubernetes.gcs.privateKey | ilum-core default kubernetes cluster GCS storage private key to store spark resources | "" |
kubernetes.gcs.privateKeyId | ilum-core default kubernetes cluster GCS storage private key id to store spark resources | "" |
wasbs kubernetes storage parameters
Name | Description | Value |
---|---|---|
kubernetes.wasbs.accountName | ilum-core default kubernetes cluster WASBS storage account name | "" |
kubernetes.wasbs.accessKey | ilum-core default kubernetes cluster WASBS storage access key to store spark resources | "" |
kubernetes.wasbs.sparkContainer | ilum-core default kubernetes cluster WASBS storage container name to store spark resources | "ilum-files" |
kubernetes.wasbs.dataContainer | ilum-core default kubernetes cluster WASBS storage container name to store ilum tables | "ilum-tables" |
hdfs kubernetes storage parameters
Name | Description | Value |
---|---|---|
kubernetes.hdfs.hadoopUsername | ilum-core default kubernetes cluster HDFS storage hadoop username | "" |
kubernetes.hdfs.config | ilum-core default kubernetes cluster HDFS storage dict of config files with name as key and base64 encoded content as value | "" |
kubernetes.hdfs.sparkCatalog | ilum-core default kubernetes cluster HDFS storage catalog to store spark resources | "ilum-files" |
kubernetes.hdfs.dataCatalog | ilum-core default kubernetes cluster HDFS storage catalog to store ilum-tables | "ilum-tables" |
kubernetes.hdfs.keyTab | ilum-core default kubernetes cluster HDFS storage keytab file base64 encoded content | "" |
kubernetes.hdfs.principal | ilum-core default kubernetes cluster HDFS storage principal name | "" |
kubernetes.hdfs.krb5 | ilum-core default kubernetes cluster HDFS storage krb5 file base64 encoded content | "" |
kubernetes.hdfs.trustStore | ilum-core default kubernetes cluster HDFS storage trustStore file base64 encoded content | "" |
kubernetes.hdfs.logDirectory | ilum-core default kubernetes cluster HDFS storage directory path to store eventLog for history server | "" |
Important! Make sure S3/GCS buckets or WASBS containers are already created and reachable!
Important! Make sure HDFS logDirectory is the absolute path of the configured sparkCatalog with the /ilum/logs suffix, e.g. hdfs://name-node/user/username/spark-catalog/ilum/logs
ilum-core security parameters
Name | Description | Value |
---|---|---|
security.type | ilum-core authentication type, available options: internal, ldap, oauth2 | internal |
security.jwt.issuerUrl | ilum-core frontend URI used in the jwt iss claim | https://ilum.cloud |
security.jwt.timeToLive | ilum-core jwt time to live in specified time units | 8h |
security.jwt.publicKey | ilum-core base64 encoded string containing the X.509 RSA 2048 bit public key | "" |
security.jwt.privateKey | ilum-core base64 encoded string containing the PKCS8 RSA 2048 bit private key | "" |
security.authorities | ilum-core authorities mapping rules configuration. Used when authorization is ldap or oauth2. Allows translating external auth provider groups and scopes to ilum roles | authorities: |
security.authorities.roles.prefix | ilum-core authentication role prefix | ROLE_ |
security.authorities.roles.claimName | ilum-core external authentication provider ID of the jwt claim which contains list of roles/groups | groups |
security.authorities.roles.mappings | ilum-core role mapping definitions in form of a map external_role: ilum_role | {} |
security.authorities.scopes.prefix | ilum-core authentication scope prefix | SCOPE_ |
security.authorities.scopes.claimName | ilum-core external authentication provider ID of the jwt claim which contains list of scopes | scp |
security.authorities.scopes.mappings | ilum-core scope mapping definitions in form of a map external_scope: ilum_scope | {} |
Internal config-map based authentication parameters
Name | Description | Value |
---|---|---|
security.internal.users | ilum-core internal users configuration | users: |
security.internal.users[].username | ilum-core user username | "" |
security.internal.users[].password | ilum-core user plain password | "" |
security.internal.users[].roles | ilum-core user roles, available options: ADMIN, USER, VIEWER | [] |
LDAP based authentication parameters
Name | Description | Value |
---|---|---|
security.ldap.urls | ilum-core LDAP URLs of the server | [] |
security.ldap.base | ilum-core LDAP base suffix from which all operations should originate | "" |
security.ldap.username | ilum-core LDAP login username of the server | "" |
security.ldap.password | ilum-core LDAP login password of the server | "" |
security.ldap.passwordEncoder | ilum-core LDAP password encoder. If empty, the LDAP server authenticates users (bind operations). Available options: adaptive (password encoder that delegates to another encoder based upon a prefixed identifier), bcrypt, md5, sha256 | "" |
security.ldap.userSearch.base | ilum-core LDAP base DN from which the search for a user should be performed | "" |
security.ldap.userSearch.filter | ilum-core LDAP pattern to be used for the user search. {0} is the username | uid={0} |
security.ldap.userSearch.passwordAttr | ilum-core LDAP ID of the attribute which contains the password of a user | userPassword |
security.ldap.groupSearch.base | ilum-core LDAP base DN from which the search for group membership should be performed | "" |
security.ldap.groupSearch.filter | ilum-core LDAP pattern to be used for the group search. {0} is the user's DN | (member={0}) |
security.ldap.groupSearch.roleAttr | ilum-core LDAP ID of the attribute which contains the role name for a group | cn |
OAuth2 based authentication parameters
Name | Description | Value |
---|---|---|
security.oauth2.clientId | ilum-core oauth2 Client ID | "" |
security.oauth2.clientSecret | ilum-core oauth2 Client SECRET | "" |
security.oauth2.issuerUri | ilum-core oauth2 URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization Server Metadata endpoint defined by RFC 8414. | "" |
ilum-core license parameters
Name | Description | Value |
---|---|---|
license.privateKey | ilum license key | "" |
ilum-core external spark submit parameters
Name | Description | Value |
---|---|---|
externalSparkSubmit.enabled | ilum-core external spark-submit flag | false |
externalSparkSubmit.image | ilum-core external spark-submit base images | ilum/spark-launcher:spark-3.5.1 |
externalSparkSubmit.resources | ilum-core external spark-submit pod kubernetes resources | {limits: {memory: "500Mi"}, requests: {memory: "300Mi"}} |
ilum-core spark history server parameters
Name | Description | Value |
---|---|---|
historyServer.enabled | ilum-core spark history server flag | true |
historyServer.image | ilum-core spark history server image | ilum/spark-launcher:spark-3.5.1 |
historyServer.address | ilum-core spark history server address | http://ilum-history-server:9666 |
historyServer.pullPolicy | ilum-core spark history server image pull policy | IfNotPresent |
historyServer.imagePullSecrets | ilum-core spark history server image pull secrets | [] |
historyServer.parameters | ilum-core spark history server custom spark parameters | spark.history.fs.cleaner.enabled: true |
historyServer.resources | ilum-core spark history server pod resources | limits: |
historyServer.service.type | ilum-core spark history server service type | ClusterIP |
historyServer.service.port | ilum-core spark history server service port | 9666 |
historyServer.service.nodePort | ilum-core spark history server service nodePort | "" |
historyServer.service.clusterIP | ilum-core spark history server service clusterIP | "" |
historyServer.service.loadBalancerIP | ilum-core spark history server service loadbalancerIP | "" |
historyServer.service.annotations | ilum-core history server service annotations | {} |
historyServer.ingress.enabled | ilum-core spark history server ingress flag | false |
historyServer.ingress.version | ilum-core spark history server ingress version | "v1" |
historyServer.ingress.className | ilum-core spark history server ingress className | "" |
historyServer.ingress.host | ilum-core spark history server ingress host | "host" |
historyServer.ingress.path | ilum-core spark history server ingress path | "/(.*)" |
historyServer.ingress.pathType | ilum-core spark history server ingress pathType | Prefix |
historyServer.ingress.annotations | ilum-core spark history server annotations | nginx.ingress.kubernetes.io/rewrite-target: /$1 nginx.ingress.kubernetes.io/proxy-body-size: "600m" nginx.org/client-max-body-size: "600m" |
historyServer.statusProbe.enabled | ilum-core spark history server ilum-core healthcheck flag | true |
historyServer.statusProbe.image | ilum-core spark history server ilum-core healthcheck image | curlimages/curl:8.5.0 |
historyServer.nodeSelector | ilum-core spark history server nodeSelector | |
historyServer.tolerations | ilum-core spark history server tolerations | [] |
historyServer.affinity | ilum-core spark history server affinity | |
ilum-core job parameters
Name | Description | Value |
---|---|---|
job.retain.hours | ilum-core spark jobs retention hours limit | 168 |
job.prometheus.enabled | ilum-core spark jobs prometheus enabled flag | true |
job.healthcheck.enabled | ilum-core spark jobs healthcheck enabled flag | true |
job.healthcheck.interval | ilum-core spark jobs healthcheck interval in seconds | 300 |
job.healthcheck.tolerance | ilum-core spark jobs healthcheck response time tolerance in seconds | 120 |
job.memorysettings.executors | ilum-core spark jobs executor count | 2 |
job.memorysettings.executorMemory | ilum-core spark jobs executor memory allocation | 1g |
job.memorysettings.driverMemory | ilum-core spark jobs driver memory allocation | 1g |
job.memorysettings.executorCores | ilum-core spark jobs executor core count | 1 |
job.memorysettings.driverCores | ilum-core spark jobs driver core count | 1 |
job.memorysettings.dynamicAllocationEnabled | ilum-core spark jobs dynamic allocation enabled flag | false |
job.memorysettings.minExecutors | ilum-core spark jobs minimum number of executors | 0 |
job.memorysettings.initialExecutors | ilum-core spark jobs initial number of executors | 0 |
job.memorysettings.maxExecutors | ilum-core spark jobs maximum number of executors | 20 |
ilum-core default metastore parameters
Name | Description | Value |
---|---|---|
hiveMetastore.enabled | ilum-core default hive metastore enabled flag | false |
hiveMetastore.address | ilum-core default hive metastore address | thrift://ilum-hive-metastore:9083 |
hiveMetastore.version | ilum-core default hive metastore version | 3.1.3 |
ilum-core auto pausing settings
Name | Description | Value |
---|---|---|
job.autoPause.enabled | ilum-core group auto pausing flag | true |
job.autoPause.idleTime | ilum-core auto pausing minimum group idle time in seconds | 3600 |
job.autoPause.period | ilum-core time between checks of group idleness in seconds | 180 |
Generating RSA Private and Public Key
To create 2048-bit RSA keys in unencrypted Base64 PEM PKCS#8 format for the authentication configuration, use openssl.
Generate private key
openssl genpkey -algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-pkeyopt rsa_keygen_pubexp:65537 | \
openssl pkcs8 -topk8 -nocrypt -outform pem > private-key.p8
The contents of the private key should look like the following:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsRnE83rm6BJya
nTyzVqX0SG+D4zBjkyWsOmGG+CoDdgQ6Z8AaocmnjP1SbRykQsQSMf6SeW+fdpH+
ccmzuHe7pZIa2o2Mg8xbk/UszJDaPztwoQbUt/2gHi/rZP8cIVkquzhnN/yxrMls
...
-----END PRIVATE KEY-----
To use the private key as the setting security.jwt.privateKey, remove the header and footer from the key.
Extract public key
openssl pkey -pubout -inform pem -outform pem -in private-key.p8 -out public-key.spki
The contents of the public key should look like the following:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEZxPN65ugScmp08s1al
9Ehvg+MwY5MlrDphhvgqA3YEOmfAGqHJp4z9Um0cpELEEjH+knlvn3aR/nHJs7h3
u6WSGtqNjIPMW5P1LMyQ2j87cKEG1Lf9oB4v62T/HCFZKrs4Zzf8sazJbMN3E/mJ
...
-----END PUBLIC KEY-----
To use the public key as the setting security.jwt.publicKey, remove the header and footer from the key.
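The two steps above combined into one script, as an added example that is not part of the chart or its documentation: it generates the pair, strips the PEM header and footer, checks that the public value really derives from the private one, and writes a values file. The function names, the file name values-jwt.yaml and the YAML nesting (inferred from the dotted parameter names) are assumptions.

```shell
#!/bin/sh
# Added example: build header-less values for security.jwt.privateKey and
# security.jwt.publicKey. File and function names here are assumptions.
set -eu

# Print the base64 body of a PEM file on one line, without header and footer.
pem_body() {
    grep -v -e '-----' "$1" | tr -d '\r\n'
}

# Succeed only if the public value is the one derived from the private value.
# Both arguments are header-less base64 strings, as the chart settings expect.
jwt_pair_matches() {
    # Re-wrap to 64 columns so the decoder sees ordinary base64 lines.
    derived=$(printf '%s\n' "$1" | fold -w 64 | openssl base64 -d |
        openssl pkey -inform der -pubout -outform der 2>/dev/null |
        openssl base64 -A)
    [ -n "$derived" ] && [ "$derived" = "$2" ]
}

# Generate the key pair in directory $1 and write values-jwt.yaml next to it.
# The body runs in a subshell so the umask change does not leak to the caller.
make_jwt_values() (
    out_dir=$1
    umask 077    # private key and values file readable by the owner only
    mkdir -p "$out_dir"
    openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 \
        -pkeyopt rsa_keygen_pubexp:65537 |
        openssl pkcs8 -topk8 -nocrypt -outform pem > "$out_dir/private-key.p8"
    openssl pkey -pubout -inform pem -outform pem \
        -in "$out_dir/private-key.p8" -out "$out_dir/public-key.spki"
    priv=$(pem_body "$out_dir/private-key.p8")
    pub=$(pem_body "$out_dir/public-key.spki")
    # Refuse to write a values file if stripping produced a mismatched pair.
    jwt_pair_matches "$priv" "$pub" || { echo "key pair mismatch" >&2; exit 1; }
    # YAML nesting follows the dotted parameter names (assumption).
    cat > "$out_dir/values-jwt.yaml" <<EOF
security:
  jwt:
    privateKey: "$priv"
    publicKey: "$pub"
EOF
    printf '%s\n' "$out_dir/values-jwt.yaml"
)

# When run as a script with a directory argument, generate into it, e.g.:
#   sh make-jwt-values.sh ./jwt
#   helm install ilum-core ilum/ilum-core -f ./jwt/values-jwt.yaml
if [ $# -gt 0 ]; then
    make_jwt_values "$1"
fi
```

The generated values file holds the unencrypted private key, so keep it out of version control and delete it once the release is installed.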