Andre_Sostizzo
Digital Support

Available now: an example of Kubernetes environment preparation for QSEoK, including deployment steps.

Qlik Sense Enterprise on Kubernetes (QSEoK) has specific environmental requirements which can easily be missed, posing a challenge with the new deployment.

Qlik Digital Support has documented steps on an example CentOS Linux system to meet those requirements, including the deployment of QSEoK.

You can see this content via the Knowledge Base articles below:

Kubernetes cluster deployment example in preparation to QSEoK deployment
https://support.qlik.com/articles/000101537

Deployment example of Qlik Sense Enterprise on Kubernetes (QSEoK)
https://support.qlik.com/articles/000101649

Please give this post a like if you found it helpful! Also please let us know if you have any questions or leave your feedback in the comments.

 

 

18 Comments
Andre_Sostizzo
Digital Support

@ssamuels, yes, you should be able to get Azure set up as an IdP as it supports OIDC. Unfortunately we do not have any example steps with Azure at this time.

547 Views
ssamuels
Partner - Creator

@Andre_Sostizzo After some trial and error I succeeded in configuring Azure AD as Identity Provider for QSEoK.

My next challenge is replacing the self-signed certificate of QSEoK with a third-party wildcard certificate for the domain. I followed the steps in the online help, by creating a yaml file that holds the base64 encoded certificate and key. I created the secret resource with the "kubectl apply -f secret.yaml" command and verified the secret was created with the command "kubectl get secret ...". Then I configured the Ingress to use the certificate by adding the configuration in my yaml file (see YAML code below).

# References the "e-mergo" secret created within the "default" namespace
elastic-infa:
  nginx-ingress:
    controller:
      extraArgs:
        default-ssl-certificate: "default/e-mergo"

After upgrading the deployment through helm I'm still seeing the self-signed certificate being used when accessing the Hub in my browser. Where can I find logs that can help me find out why my certificate is not picked up by the Ingress?

0 Likes
501 Views
ThiebaudS
Partner - Creator II

Hi @ssamuels 

Are you sure you don't have a typo in the values.yaml file?

You have "elastic-infa" instead of "elastic-infra".

I've checked my config and it should work.

Best regards,

Thiebaud

749 Views
ssamuels
Partner - Creator

Hi @ThiebaudS 

Thanks for your quick reply! Indeed, there was a typo in my yaml file, but unfortunately the issue still remains after changing "elastic-infa" to "elastic-infra" and upgrading the deployment. 

0 Likes
735 Views
ssamuels
Partner - Creator

I checked the configuration of the pod "qliksense-nginx-ingress-controller-xxxxxx" with the "kubectl describe pod" command to verify if the default ssl certificate was modified. 

Args:
/nginx-ingress-controller
--election-id=ingress-controller-leader
--ingress-class=qlik-nginx
--configmap=default/qliksense-nginx-ingress-controller
--watch-namespace=default
--update-status=false
--default-ssl-certificate=default/e-mergo
--metrics-per-host=false
State: Running


This seems ok to me, but for some reason the self-signed certificate is still being used.

0 Likes
718 Views
ssamuels
Partner - Creator

Could it be that the ingress will always fall back to the default self-signed certificate if the ingress is configured to accept traffic from all hosts (*)? If that's the case, how do I change the host for the ingress?

681 Views
ssamuels
Partner - Creator

Finally found the cause of my issue with the certificate not being picked up by the ingress. I was using an encrypted private key in my secret.yaml file. After converting the key to unencrypted and recreating the secret, the issue is solved.

656 Views
ssamuels
Partner - Creator

Another requirement for the tls secret to be accepted by the ingress is that you have to provide the full certificate chain as server certificate in the secret.yaml file. So you have to combine the server certificate with the intermediate certificate and the root certificate.

631 Views
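
The two causes found in this thread (an encrypted private key and a certificate file without the full chain) can be caught before the secret is created. The script below is an added example, not part of the original posts or of Qlik's documentation; the function names check_tls_pem and pem, the file names and the two-block threshold are assumptions, and the sample PEM files are constructed placeholders.

```shell
#!/bin/sh
# Added example: header-level pre-flight check for the PEM files that go into
# the ingress TLS secret. It does not verify signatures or chain order.

# check_tls_pem CERT_FILE KEY_FILE (hypothetical helper)
# Prints one finding per line, or "ok"; returns 1 if anything was found.
check_tls_pem() {
    cert=$1; key=$2; rc=0
    # PKCS#8 marks an encrypted key in the PEM label, the traditional format
    # in a "Proc-Type: 4,ENCRYPTED" header line.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "key-encrypted"; rc=1
    elif ! grep -q 'PRIVATE KEY-----' "$key"; then
        echo "key-not-found"; rc=1
    fi
    # A file holding only the server certificate has a single CERTIFICATE block.
    # Assumption: at least 2 blocks (server + intermediate) counts as a chain.
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$cert" || true)
    n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "chain-incomplete: $n certificate block(s)"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    return "$rc"
}

# pem LABEL: emit a constructed PEM block (placeholder body, not real material).
pem() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }

demo=$(mktemp -d)
pem CERTIFICATE > "$demo/server-only.crt"
{ pem CERTIFICATE; pem CERTIFICATE; pem CERTIFICATE; } > "$demo/fullchain.crt"
pem "ENCRYPTED PRIVATE KEY" > "$demo/encrypted.key"
pem "PRIVATE KEY" > "$demo/plain.key"

echo "first attempt:"
check_tls_pem "$demo/server-only.crt" "$demo/encrypted.key" || true
echo "after the fix:"
check_tls_pem "$demo/fullchain.crt" "$demo/plain.key"
rm -rf "$demo"
```

Run the function against the decoded certificate and key files before base64-encoding them into secret.yaml.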