
Helm chart 2.0.0

App version: 3.0.1

Introduction

This Helm chart installs Linksight nodes in a Kubernetes cluster, including:

  • Data station
  • Analysis Hub

Prerequisites

  • Kubernetes cluster 1.20+
  • Helm 3
  • Harbor (container image and helm charts registry) login from Linksight
  • A user account on the Governance Hub (https://linksight.network) with the Organization admin role

Installation

Add Helm repository

helm repo add linksight --username <harbor_username> https://registry.linksight.network/chartrepo/linksight

Configure the chart

Create a values.yaml file for your release, to override values of the values.yaml in this chart (recommended). Alternatively, you can also override values of this chart during deployment:

helm install --set foo=bar --set baz.bar=newbar my-release linksight/linksight

Read more here: https://helm.sh/docs/helm/helm_install/#helm-install

Check out the values.yaml file of this chart to explore all configuration options.

Required

Image pull secret

Define the image registry credential as follows in your values:

registryCredentials:
  endpoint: https://registry.linksight.network
  username: xxxxx
  token: xxxxx

Alternatively, the registry credential can be applied to the cluster as a secret of type kubernetes.io/dockerconfigjson, under the key .dockerconfigjson:

---
apiVersion: v1
kind: Secret
metadata:
  name: my-registry-secret
data:
  .dockerconfigjson: <base64 of {"auths":{"registry.linksight.network":{"auth":"<base64 of REGISTRY_USERNAME:REGISTRY_TOKEN>"}}} >
type: kubernetes.io/dockerconfigjson

Then set imagePullSecrets:

imagePullSecrets:
  - name: my-registry-secret
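
The placeholder in the manifest above hides two base64 layers: the inner `auth` value and the outer `.dockerconfigjson` value. As an added example (not part of the chart or its documentation), this Python sketch builds the manifest and checks an existing one for the usual encoding mistakes; the function names are made up here, and only the registry host comes from the page.

```python
import base64
import json

# Helper names are illustrative; only the registry host comes from the page.
REGISTRY = "registry.linksight.network"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def build_pull_secret(name: str, username: str, token: str) -> dict:
    """Return the Secret manifest as a dict, with both base64 layers applied."""
    auth = b64(f"{username}:{token}".encode())  # inner layer: username:token
    config = {"auths": {REGISTRY: {"auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        # outer layer: the whole JSON document, base64-encoded once more
        "data": {".dockerconfigjson": b64(json.dumps(config).encode())},
    }


def check_pull_secret(manifest: dict) -> list:
    """Decode both layers and list problems that would break image pulls."""
    problems = []
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append("wrong secret type")
    raw = manifest.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["missing key .dockerconfigjson"]
    try:
        config = json.loads(base64.b64decode(raw, validate=True))
        entry = config["auths"][REGISTRY]
        auth = base64.b64decode(entry["auth"], validate=True).decode()
    except (ValueError, KeyError, TypeError) as exc:
        return problems + [f"cannot decode: {exc!r}"]
    if ":" not in auth:
        problems.append("auth is not username:token")
    if auth != auth.strip():
        problems.append("auth has stray whitespace (echo without -n?)")
    return problems
```

`check_pull_secret` returns an empty list for a well-formed manifest; the whitespace check catches a credential that was encoded with a trailing newline.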

Data station host

This is the external, public hostname/IP at which other (external) data stations can reach this data station. It can be set in datastation.config.host:

datastation:
  config:
    host: 4.2.4.2

Identity Provider

Depending on the chosen identity provider (see https://docs.linksight.network/3.0.x/docs/deploy-linksight/configure/user-identity-management), some values need to be adjusted.

For identity providers that use OIDC (all but local credentials), it is important to set the analysisHub.backend.config.frontend.host and analysisHub.backend.config.frontend.port variables to the host and port on which the frontend is reachable from the outside:

analysisHub:
  backend:
    config:
      frontend:
        host: your-host # If not filled in, the value of `analysisHub.frontend.ingress.host` (if set) is used
        port: 443 # default

When enabling ingress, the host is set automatically.

Linksight Identity Provider

No adjustments necessary.

Microsoft OIDC Provider

To use the Microsoft OIDC Provider, set analysisHub.backend.config.auth.provider to microsoft and fill in the values under analysisHub.backend.config.auth.oidc.microsoft:

analysisHub:
  backend:
    config:
      auth:
        provider: microsoft
        oidc:
          microsoft:
            tenantid: my-tenant-id
            clientid: my-client-id
            clientsecret: my-client-secret

Alternatively, the client secret can also be supplied using a secret with key 'client-secret':

analysisHub:
  backend:
    secrets:
      auth:
        oidc:
          microsoft:
            clientSecretSecretName: my-secret

Custom OIDC Provider

To use the Custom OIDC Provider, set analysisHub.backend.config.auth.provider to customoidc and fill in the values under analysisHub.backend.config.auth.oidc.custom:

analysisHub:
  backend:
    config:
      auth:
        provider: customoidc
        oidc:
          custom:
            issuerurl: my-issuer-url
            clientid: my-client-id
            clientsecret: my-client-secret

Alternatively, the client secret can also be supplied using a secret with key 'client-secret':

analysisHub:
  backend:
    secrets:
      auth:
        oidc:
          custom:
            clientSecretSecretName: my-secret

Local credentials

To use local credentials (username/password), set analysisHub.backend.config.auth.provider to localdb and fill in the values under analysisHub.backend.config.auth.localdb:

analysisHub:
  backend:
    config:
      auth:
        provider: localdb
        localdb:
          dbpath: /data/auth.db
          ## Set the admin credentials, or use a secret in the 'secrets' block.
          admin:
            username: my-org-admin
            password: pleasechangethis
          ## Password hashing parameters
          argon2:
            memory: 47104
            iterations: 1
            parallelism: 1
            saltlength: 16
            keylength: 32

Alternatively, the admin credentials can also be supplied using a secret with keys 'username' and 'password':

analysisHub:
  backend:
    secrets:
      auth:
        localdb:
          adminSecretName: my-secret

Analysis Hub frontend served without TLS

When using no TLS (that is, users connect to the Analysis Hub over plain HTTP), it is important to set analysisHub.backend.config.frontend.tls.enabled to false:

analysisHub:
  backend:
    config:
      frontend:
        tls:
          enabled: false

Ingress (analysisHub.frontend.ingress.*)

To enable ingress, set the relevant values under analysisHub.frontend.ingress, e.g.:

analysisHub:
  frontend:
    ingress:
      annotations: {}
      ingressClassName: nginx
      host: analysis.domain.internal
      tls: true
      tlsSecretName: my-org-tls
      grpcEnabled: false

Alternatively, the user interface can be exposed by modifying analysisHub.frontend.service:

analysisHub:
  frontend:
    service:
      type: LoadBalancer
      port: 80

Persistence

The Linksight components require persistence, which is configured in the chart. By default, the default storage class of the cluster is used.

To set a custom storage class for the components, set datastation.persistence.storageClass and/or analysisHub.backend.persistence.storageClass:

datastation:
  persistence:
    storageClass: my-storage-class

The chart prevents PVCs from being deleted during a helm delete operation. When it is preferred to delete PVCs after the chart is deleted, set:

persistence:
  resourcePolicy: ""

Other

Dual setup

By default, this chart deploys the data station and Analysis Hub in dual setup mode. If each component needs to be registered separately, then this can be disabled by setting registration.dualSetup to false:

registration:
  dualSetup: false
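
For every secret that can be written inline in values.yaml, the sections above also document a Secret-based alternative. The following added example (not the chart's own tooling) walks a parsed values.yaml and reports inline secrets, the documentation placeholder password, and OIDC combined with a disabled frontend TLS flag. The function names and the sample values are constructed for illustration, and treating an unset provider as OIDC is an assumption.

```python
# Constructed sample: parsed values.yaml (placeholder values, key paths from this page).
SAMPLE_VALUES = {
    "registryCredentials": {"username": "xxxxx", "token": "xxxxx"},
    "analysisHub": {"backend": {"config": {
        "frontend": {"tls": {"enabled": False}},
        "auth": {
            "provider": "microsoft",
            "oidc": {"microsoft": {"clientsecret": "my-client-secret"}},
        },
    }}},
}

CFG = "analysisHub.backend.config."
SEC = "analysisHub.backend.secrets."
# Inline secret path -> Secret-based alternative documented on this page.
INLINE_SECRETS = {
    "registryCredentials.token": "imagePullSecrets",
    CFG + "auth.oidc.microsoft.clientsecret":
        SEC + "auth.oidc.microsoft.clientSecretSecretName",
    CFG + "auth.oidc.custom.clientsecret":
        SEC + "auth.oidc.custom.clientSecretSecretName",
    CFG + "auth.localdb.admin.password": SEC + "auth.localdb.adminSecretName",
}


def lookup(values, dotted):
    """Follow a dotted key path; return None if any level is missing."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def lint_values(values):
    """Return (path, message) findings for one parsed values.yaml."""
    findings = []
    for path, alternative in INLINE_SECRETS.items():
        value = lookup(values, path)
        if value:
            findings.append((path, f"inline secret; use {alternative}"))
        if value == "pleasechangethis":
            findings.append((path, "placeholder password from the docs"))
    # Page: all providers but localdb use OIDC. Assumption: unset provider is OIDC.
    oidc = lookup(values, CFG + "auth.provider") != "localdb"
    if oidc and lookup(values, CFG + "frontend.tls.enabled") is False:
        findings.append((CFG + "frontend.tls.enabled", "OIDC login over plain HTTP"))
    return findings
```

Running `lint_values(SAMPLE_VALUES)` yields three findings: the inline registry token, the inline Microsoft client secret, and OIDC with the frontend TLS flag disabled.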

Install the chart

Install the Harbor Helm chart with the release name my-release:

helm install -f values.yaml my-release linksight/linksight

Uninstall

To uninstall/delete the my-release deployment:

helm uninstall my-release

Additional chart configuration

Check out the values.yaml file of this chart to explore all configuration options.