Available now an example of Kubernetes environment preparation for QSEoK including deployment steps.
Qlik Sense Enterprise on Kubernetes (QSEoK) has specific environmental requirements which can easily be missed posing a challenge with the new deployment.
Qlik Digital Support has documented steps on an example CentOS Linux system to meet those requirements including the deployment of QSEoK.
You can see this content via the Knowledge Base articles below:
I'm following the steps as described in the support article "Deployment example of QSEoK" to install Qlik Sense for Kubernetes on a single node K8s cluster for testing. The cluster is deployed with MicroK8s on a Linux EC-instance in AWS with Ubuntu 18.4. The cluster is up and running and I was able to deploy a sample app and access it from outside the cluster. The installation of Qlik Sense with helm was also succesful. After the installation all pods are running as expected.
During installation I used a YAML file to configure the built-in IDP on NodePort 32433 (as described in the support article). After upgrading the Qlik Sense deployment with the "helm upgrade" command I can see the service 'qliksense-nginx-ingress-controller' is listening on port 32443.
I'm having an issue logging into Qlik Sense via the built-in IDP to apply the license. When I navigate to the URL "https://elastic.example:32443" I can see the certificate warning, so the site is reachable, but when I proceed the browser is redirected to "http://elastic.example:32123" and I end up with the message "can't reach this page". I can't figure out where this redirct URL comes from and how to solve this.
When I run the command "kubectl describe service qliksense-edge-auth" I can see the service is listening on nodeport 31695, instead of port 32123 that you mention (and the one that is being used in the redirect URL). None of the services is listening on port 32123 in my environment.
I tried deleting the pod qliksense-edge-auth-<ID> because I saw some liveless probe failures in the logs. After recreating the pod the errors are gone, but the issue remains the same.
We see that the OIDC mapping was never setup. Here's an output where oidc port gets configured as specified in the edge-auth's helm charts' value.yaml file.
Notice that the edge-auth version stated above (4.22.61) is for the helm qlik chart (deployment) version 1.43.38.
You are running edge-auth 5.1.6 which is for the latest helm qlik chart version 1.50.27. I confirmed that the values.yaml for the edge-auth chart states:
...
oidc: enabled: false image: registry: qlik ## oidc image repository: simple-oidc-provider # Tag of the docker image tag: 0.2.2 ## oidc configs configs: ## oidc port ## port: 32123
...
Notice oidc: enabled: false.
It is not confirmed why this value was changed by R&D in the latest helm chart deployment. You can try to change the values.yaml file manually, but no guarantees here as there may be other changes that came with this OIDC setting change.
As resolution, you can either implement auth0 as your IdP (see link below), or deploy the prior helm deployment version (1.43.38) which by default has oidc: enabled: true. In order to do so you may use the command below:
Deploying the previous version of the helm chart deployment did the trick! After executing the upgrade command the issue of solved and I'm presented with the login page when navigating to https://elastic.example:32443. Thanks a lot for helping out!
My next challenge will be configuring Azure AD as OIDC Identity Provider.
In Qlik Sense Enterprise Cloud I can add OIDC Identity Providers in the Admin console. I was hoping I could do the same in QSEoK, but the option seems to be missing in the UI, so I guess the only option is to configure the IdP settings in the YAML file when deploying Qlik Sense through Helm.
In the online Help there are sample configurations for setting up Auth0, Okta and ADFS as IdP, but unfortunately not for Azure AD. Is this even possible?
