Available now an example of Kubernetes environment preparation for QSEoK including deployment steps.
Qlik Sense Enterprise on Kubernetes (QSEoK) has specific environmental requirements which can easily be missed posing a challenge with the new deployment.
Qlik Digital Support has documented steps on an example CentOS Linux system to meet those requirements including the deployment of QSEoK.
You can see this content via the Knowledge Base articles below:
@ssamuels, yes you should be able to get Azure setup as an IdP as it supports OIDC. Unfortunately we do not have any example steps with Azure at this time.
@Andre_Sostizzo After some trial and error I succeeded in configuring Azure AD as Identity Provider for QSEoK.
My next challange is replacing the self-signed certificate of QSEoK with a third-party wildcard certificate for the domain. I followed the steps in the online help, by creating a yaml file that holds the base64 encoded certificate and key. I created the secret resource with the "kubectl apply -f secret.yaml" command and verified the secret was created with the command "kubectl get secret ...". Then I configured the Ingress to use the certificate by adding the configuration in my yaml file (see yanml code below).
# References the "e-mergo" secret created within the “default” namespace elastic-infa: nginx-ingress: controller: extraArgs: default-ssl-certificate: "default/e-mergo"
After upgrading the deployment through helm I'm still seeing the self-signed certificate being used when accesing the Hub in my browser. Where can I find logs that can help me find out why my certificate is not picked up by the Ingress?
Thanks for your quick reply! Indeed, there was a typo in my yaml file, but unfortunately the issue still remains after changing "elastic-infa" to "elastic-infra" and upgrading the deployment.
I checked the configuration of the pod "qliksense-nginx-ingress-controller-xxxxxx" with the "kubectl describe pod" command to verify if the default ssl certificate was modified.
Could it be that the ingress will always fallback to the default self-signed certificate if the ingress is configured to accept traffic from all hosts (*)? If that's the case, how do I change the host for the ingress?
Finally found the cause of my issue with the certificate not being picked up by the ingress. I was using an encrypted private key in my secret.yaml file. After converting the key to unencrypted and recreating the secret, the issue is solved.
Another requirement for the tls secret to be accepted by the ingress is that you have to provide the full certificate chain as server certificate in the secret.yaml. file. So you have to combine the server certificate with the intermediate certificate and the root certificate.
