Kubernetes enrolment
Described is the process to tie a license to your Kubernetes (k8s) cluster, which will allow the same license (kx.lic
)
file to be used on all instances within that ('global') scope.
The process to enrol an environment is identical to a single system though now includes a verification step that the
Identity Document contain an usable global
scoped identifier.
Run the following commands on the target host install klic and authenticate to the service by running the command below.
klic authenticate login --email <EMAIL>
Next enrol the environment using the command below replacing <TENANT-UUID>
with your appropriate tenant UUID:
klic environment create <TENANT-UUID> 'My Environment'
created new environment bd7259d4-9389-11ec-9907-9ffaae04230b
This emits an 'environment UUID' (example above shows bd7259d4-9389-11ec-9907-9ffaae04230b
) that we will refer to as
using the placeholder <ENVIRONMENT-UUID>
for the rest of the document.
Warning
If run your processes as root
(not recommended) you must run this command also as root
Verify for the presence of kubernetes_ca:...
in the identity captured for the registered environment.
klic environment describe <ENVIRONMENT-UUID>
environment bd7259d4-9389-11ec-9907-9ffaae04230b
tenant 1453c0e8-9386-11ec-9c64-a747bf6bfc0a
name My Environment
description
disabled False
identity ['fqdn:bc81549b15d1', 'os:l64', 'bid:36817b74-98e4-4aee-8d9f-9aa4aac29fb2', 'container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9', 'vm:gcp']
tags []
License Issuing
The process to issue a license is identical to a single system but amended to request a globally scoped license:
On any host verify that you have one or more entitlements assigned to your tenant.
klic entitlement list 1453c0e8-9386-11ec-9c64-a747bf6bfc0a
tenant entitlement name description tier
------------------------------------ ------------------------------------ ------ ------------- ------
1453c0e8-9386-11ec-9c64-a747bf6bfc0a 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e Your Entitlement core
For this example, the 'entitlement UUID' is 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
that we will refer to as using the placeholder <ENTITLEMENT-UUID>
for
the rest of the document.
The entitlement constraints can be verified by describing it:
klic entitlement describe 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
tenant 1453c0e8-9386-11ec-9c64-a747bf6bfc0a
entitlement 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
name Your Entitlement
description
disabled False
tier core
scope global
duration 90
created 2022-02-22 03:07:12.459386
modified 2022-02-22 03:07:12.459386
tags []
You can then issue a license on any host using the previously created license.
klic license create <ENVIRONMENT-UUID> 'My License' --entitlement <ENTITLEMENT-UUID> --duration 90 --scope global
saved 'kx.lic' to '/home/user/q/lic'
created new license 050b34b6-938d-11ec-ad16-8766a33d30bd
This emits a license UUID that we will refer to as using the placeholder <LICENSE-UUID>
for the rest of the document.
The license will be placed at $QLIC/kx.lic
(or $PWD/kx.lic
).
Verify for the presence of kubernetes_ca:...
in the license identity.
klic license describe <LICENSE-UUID>
license 050b34b6-938d-11ec-ad16-8766a33d30bd
environment bd7259d4-9389-11ec-9907-9ffaae04230b
tenant 1453c0e8-9386-11ec-9c64-a747bf6bfc0a
name My License
description
entitlement 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
disabled False
created 2022-02-22 03:10:42.582202
duration 90
notbefore 2022-02-22
notafter 2022-03-04
scope global
identity ['container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9']
features ['insights.lib.embedq', 'insights.lib.pykx', 'insights.lib.sql', 'insights.app.rt']
tags []
Installing the license
When using Kubernetes it is recommended you manage and distribute kx.lic
as a secret.
The example below assumes you've;
- built a container on top of kdb+/q
- fetched a license valid for your container environment to
$HOME/q/lic/kx.lic
kubectl create secret generic kx-lic --from-file="$HOME/q/lic/kx.lic"
Now include with your pod definitions:
..
spec:
volumes:
- name: kx-lic
secret:
secretName: kx-lic
defaultMode: 222
containers:
- name: my-example-container-snippet
env:
- name: QLIC
value: /run/secrets/kx
volumeMounts:
- name: kx-lic
mountPath: /run/secrets/kx/
readOnly: true
Updating the kx.lic
is done by:
kubectl create secret generic kx-lic --save-config --dry-run=client --from-file=$HOME/q/lic/kx.lic -o yaml | kubectl apply -f -
After a minute or so, the secrets in the container will reflect the new kx.lic
.