Kubernetes enrolment

This page describes how to tie a license to your Kubernetes (k8s) cluster, which allows the same license file (kx.lic) to be used on all instances within that ('global') scope.

The process to enrol an environment is identical to that for a single system, but now includes a verification step that the Identity Document contains a usable globally scoped identifier.

On the target host, install klic and authenticate to the service by running the command below.

klic authenticate login --email <EMAIL>

Next, enrol the environment using the command below, replacing <TENANT-UUID> with your appropriate tenant UUID:

klic environment create <TENANT-UUID> 'My Environment'
created new environment bd7259d4-9389-11ec-9907-9ffaae04230b

This emits an 'environment UUID' (bd7259d4-9389-11ec-9907-9ffaae04230b in the example above), which we will refer to using the placeholder <ENVIRONMENT-UUID> for the rest of the document.

Warning

If you run your processes as root (not recommended), you must also run this command as root.

Verify the presence of kubernetes_ca:... in the identity captured for the registered environment.

klic environment describe <ENVIRONMENT-UUID>
environment  bd7259d4-9389-11ec-9907-9ffaae04230b
tenant       1453c0e8-9386-11ec-9c64-a747bf6bfc0a
name         My Environment
description
disabled     False
identity     ['fqdn:bc81549b15d1', 'os:l64', 'bid:36817b74-98e4-4aee-8d9f-9aa4aac29fb2', 'container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9', 'vm:gcp']
tags         []

License Issuing

The process to issue a license is identical to that for a single system, but amended to request a globally scoped license:

On any host, verify that you have one or more entitlements assigned to your tenant.

klic entitlement list 1453c0e8-9386-11ec-9c64-a747bf6bfc0a
tenant                                entitlement                           name              description    tier
------------------------------------  ------------------------------------  ------            -------------  ------
1453c0e8-9386-11ec-9c64-a747bf6bfc0a  87cbb7e6-938c-11ec-9c6f-43a2b6841a5e  Your Entitlement                 core

For this example, the 'entitlement UUID' is 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e, which we will refer to using the placeholder <ENTITLEMENT-UUID> for the rest of the document.

The entitlement constraints can be verified by describing it:

klic entitlement describe 87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
tenant       1453c0e8-9386-11ec-9c64-a747bf6bfc0a
entitlement  87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
name         Your Entitlement
description
disabled     False
tier         core
scope        global
duration     90
created      2022-02-22 03:07:12.459386
modified     2022-02-22 03:07:12.459386
tags         []

You can then issue a license on any host using the previously created license.

klic license create <ENVIRONMENT-UUID> 'My License' --entitlement <ENTITLEMENT-UUID> --duration 90 --scope global
saved 'kx.lic' to '/home/user/q/lic'
created new license 050b34b6-938d-11ec-ad16-8766a33d30bd

This emits a license UUID, which we will refer to using the placeholder <LICENSE-UUID> for the rest of the document. The license will be placed at $QLIC/kx.lic (or $PWD/kx.lic).

Verify the presence of kubernetes_ca:... in the license identity.

klic license describe <LICENSE-UUID>
license      050b34b6-938d-11ec-ad16-8766a33d30bd
environment  bd7259d4-9389-11ec-9907-9ffaae04230b
tenant       1453c0e8-9386-11ec-9c64-a747bf6bfc0a
name         My License
description
entitlement  87cbb7e6-938c-11ec-9c6f-43a2b6841a5e
disabled     False
created      2022-02-22 03:10:42.582202
duration     90
notbefore    2022-02-22
notafter     2022-03-04
scope        global
identity     ['container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9']
features     ['insights.lib.embedq', 'insights.lib.pykx', 'insights.lib.sql', 'insights.app.rt']
tags         []
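
The two verification steps above (kubernetes_ca in the environment identity and in the license identity) can be scripted as a gate before the license is distributed. This is an added example, not part of the original page or of KX tooling; the function names field, kube_ca and check_license are hypothetical, it assumes the row layout of the describe output shown above, and the sample input is abridged from that output.

```shell
#!/bin/sh
# Added example: check klic describe output before distributing kx.lic.
# Assumes the "name  value" row layout shown on this page.

# field NAME: print the value of the row called NAME, read from stdin.
field() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# kube_ca TEXT: print the kubernetes_ca:<hex> token found in TEXT, if any.
kube_ca() {
    printf '%s\n' "$1" | sed -n 's/.*\(kubernetes_ca:[0-9a-f][0-9a-f]*\).*/\1/p'
}

warn() { echo "license check: $1" >&2; }

# check_license ENV_DESCRIBE LICENSE_DESCRIBE
# Succeeds only if the license is enabled, globally scoped, issued for this
# environment and bound to the same kubernetes_ca as the environment identity.
check_license() {
    env_ca=$(kube_ca "$(printf '%s\n' "$1" | field identity)")
    lic_ca=$(kube_ca "$(printf '%s\n' "$2" | field identity)")
    env_id=$(printf '%s\n' "$1" | field environment)
    lic_env=$(printf '%s\n' "$2" | field environment)
    [ -n "$env_ca" ] || { warn "environment identity has no kubernetes_ca"; return 1; }
    [ "$lic_ca" = "$env_ca" ] || { warn "license kubernetes_ca differs from environment"; return 1; }
    [ "$lic_env" = "$env_id" ] || { warn "license issued for another environment"; return 1; }
    [ "$(printf '%s\n' "$2" | field scope)" = "global" ] || { warn "scope is not global"; return 1; }
    [ "$(printf '%s\n' "$2" | field disabled)" = "False" ] || { warn "license is disabled"; return 1; }
}

# Sample input, abridged from the describe output shown above.
ENV_SAMPLE="environment  bd7259d4-9389-11ec-9907-9ffaae04230b
disabled     False
identity     ['fqdn:bc81549b15d1', 'os:l64', 'container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9', 'vm:gcp']"

LIC_SAMPLE="license      050b34b6-938d-11ec-ad16-8766a33d30bd
environment  bd7259d4-9389-11ec-9907-9ffaae04230b
disabled     False
scope        global
identity     ['container:kubernetes', 'kubernetes_ca:07c99217d3bb5affd70f57752a5530d9']"

# Live use: check_license "$(klic environment describe "$ENV")" "$(klic license describe "$LIC")"
check_license "$ENV_SAMPLE" "$LIC_SAMPLE" && echo "kx.lic is bound to the enrolled cluster"
```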

Installing the license

When using Kubernetes it is recommended you manage and distribute kx.lic as a secret.

The example below assumes you have:

  • built a container on top of kdb+/q
  • fetched a license valid for your container environment to $HOME/q/lic/kx.lic

kubectl create secret generic kx-lic --from-file="$HOME/q/lic/kx.lic"

Now include the following in your pod definitions:

    ..
    spec:
      volumes:
      - name: kx-lic
        secret:
          secretName: kx-lic
          defaultMode: 222  # no leading 0, so read as decimal 222 (octal 0336); octal modes need a leading 0
      containers:
      - name: my-example-container-snippet
        env:
        - name: QLIC
          value: /run/secrets/kx
        volumeMounts:
        - name: kx-lic
          mountPath: /run/secrets/kx/
          readOnly: true

To update kx.lic, run:

kubectl create secret generic kx-lic --save-config --dry-run=client --from-file="$HOME/q/lic/kx.lic" -o yaml | kubectl apply -f -

After a minute or so, the secrets in the container will reflect the new kx.lic.