Example Configurations

This section defines a handful of example configurations for common scenarios. They are a starting point for you to modify for your specific deployment; none of them is complete as-is.

Minimum Configuration for Deployment

The following configuration is a reduced set that brings up the services with the minimum features enabled: no email (SMTP) configuration, only local accounts (no SSO/LDAP/AD), no TLS certificates, and placeholder passwords and signing secrets throughout. It should NOT be used for production deployments, but it is helpful for getting an initial deployment up that can then be modified. Every value that reads `secret`, `Secret`, `password` or `changeme` below is a placeholder and must be replaced before the deployment is reachable by anyone other than you; treat the populated file as sensitive and keep it out of version control.

Minimum Configuration
# Minimum default values for tiledb-cloud-enterprise.
# This is a YAML-formatted file.

# REQUIRED: Set the docker registry image credentials to pull TileDB Cloud docker images
# The password should be provided to you by your account representative.
# The same value is expected again in `tiledb-cloud-rest.restConfig.ContainerRegistry.DockerhubPassword`
# and `jupyterhub.imagePullSecret.password` below; keep all three in sync.
# Once populated, this file holds registry, database and token-signing secrets in
# plaintext: prefer supplying them at install time (a separate values file or `--set`)
# rather than committing them alongside the rest of the configuration.
imageCredentials:
  password: ""

##################################
# TileDB Cloud REST API settings #
##################################
tiledb-cloud-rest:

  # Configure ingress; set the url to the hostname where you want to expose the API
  ingress:
    url:
      # REQUIRED: Change this to the hostname you'd like the API service to be at
      - api.tiledb.example.com
    # TLS is optional for a test deployment but required for production: without it
    # the API tokens signed with `TokenSigningSecrets` below and the internal-user
    # passwords travel in cleartext between clients, the UI, JupyterHub and REST.
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

  resources:
    # REQUIRED:
    # Set the resource limits for the REST service.
    # We recommend a minimum of 8 cpus and 24 GB of ram on the worker nodes
    # We set REST to slightly below this to allow for other pods on the same worker node.
    # These settings affect the number of concurrent operations
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    requests:
      # cpu: 16000m
      # memory: 16Gi
      cpu: 7000m
      memory: 17Gi
  resourcesDind:
    # Set the resources for the Docker-in-Docker pod, this is where the UDFs run
    # The resources here directly affect the number of concurrent UDFs that can be run
    requests:
      memory: 6Gi
  restConfig:
    # REQUIRED: Set the private dockerhub registry credentials, these are the same as the `imageCredentials` above
    ContainerRegistry:
      DockerhubPassword: ""

    # REQUIRED: Set the initial passwords for the internal users of Rest.
    # Replace "secret" with a strong, unique password per user; these are service
    # accounts, so one shared value means a single leaked credential exposes all of them.
    # UIUserInitialPassword must match tiledb-cloud-ui.config.RestServer.Password below.
    # This config can be removed after the first run of Rest
    ComputationUserInitialPassword: "secret"
    PrometheusUserInitialPassword: "secret"
    CronUserInitialPassword: "secret"
    UIUserInitialPassword: "secret"
    DebugUserInitialPassword: "secret"

    # REQUIRED: Set the signing secret(s) for api tokens, this should be a secure value
    # We recommend creating a random value with `openssl rand -hex 32`
    # This is a list of token signing secrets. Zero element of the list is used
    # for signing, the rest are used for validation.
    # This mechanism provides a way to rotate signing secrets: put the new value at
    # position zero and keep the old one further down until no tokens signed with it
    # remain, then remove it.
    # In case there are active tokens signed with a key and this key is removed from
    # the list, the tokens are invalidated.
    # Anyone holding the element-zero secret can mint valid API tokens, so never deploy
    # the placeholder "Secret" and keep the populated file out of version control.
    TokenSigningSecrets:
      - "Secret"

    # REQUIRED: This is needed for the TileDB Jupyterlab Prompt User Options extension.
    # List the exact origin (scheme + host) of your JupyterHub and keep the list to
    # origins that actually need browser access to the API.
    CorsAllowedOrigins:
      - "https://jupyterhub.tiledb.example.com"
    # REQUIRED: Define supported storage types and locations, if you want to use NFS
    # enable "local"
    StorageLocationsSupported:
      - "s3"
      #- "local"
      #- "hdfs"
      #- "azure"
      #- "gcs"

    # REQUIRED: Configure main database. It is recommended to host a MariaDB or MySQL instance outside of the kubernetes cluster.
    # The same credentials must be used in `hydra.hydra.config.dsn` below and, if the
    # in-cluster database is enabled, in `mariadb.auth`. Replace the placeholder password.
    Databases:
      # `main` is a required database configuration
      main:
        Driver: mysql
        # Resolves to the in-cluster MariaDB service from the `mariadb` section below
        # (presumably expanded by the chart via `tpl`; confirm). Point this at your
        # external database for production.
        Host: "{{ .Release.Name }}-mariadb.{{ .Release.Namespace }}.svc.cluster.local"
        Port: 3306
        Schema: tiledb_rest
        Username: tiledb_user
        Password: password

  # It is not recommended to run the database inside k8s for production use, but it is helpful for testing
  mariadb:
    # Set to true if you wish to deploy a database inside k8s for testing
    enabled: false
    image:
      repository: bitnami/mariadb
      tag: 10.5.8
      pullPolicy: IfNotPresent
    auth:
      # Auth parameters must match restConfig.Databases.main above (and the hydra dsn below)
      database: tiledb_rest
      username: tiledb_user
      # Replace both placeholders even for testing; `rootPassword` grants full control of the database
      password: password
      rootPassword: changeme
    primary:
      # Enable persistence if you wish to save the database; again, running in k8s is not recommended for production use
      persistence:
        enabled: false
      # Set security context to user id of mysqld user in tiledb-mariadb-server
      podSecurityContext:
        enabled: true
        fsGroup: 999
      containerSecurityContext:
        enabled: true
        runAsUser: 999

####################################
# TileDB Cloud UI Console settings #
####################################
tiledb-cloud-ui:

  # REQUIRED: set the session key, the REST service-account password and the url of the jupyterhub server
  config:
    # REQUIRED: Set a secret here with `openssl rand -hex 32`.
    # Presumably protects the console's session cookies; anyone holding it could forge
    # sessions, so never deploy with the placeholder.
    SessionKey: "secret"
    RestServer:
      # REQUIRED: This needs to be set to
      # the same value as restConfig.UIUserInitialPassword
      Password: "secret"
    JupyterhubURL: "https://jupyterhub.tiledb.example.com"
    # Optional Okta SSO. ClientSecret is a credential: supply it at install time
    # rather than committing it in this file.
    # SSOOkta:
      # Domain: "domain-name.okta.com"
      # ClientID: "client_id"
      # ClientSecret: "secret"

  # REQUIRED: Config ingress, be sure to set the hostname to where you want to expose the UI
  ingress:
    enabled: true
    # REQUIRED: Set URL for web console
    url:
      - console.tiledb.example.com
    # TLS is optional for a test deployment but required for production: the console
    # handles user logins and serves the oauth2 login/consent pages hydra points at below.
    tls: []

#########################################
# TileDB Cloud Hosted Notebook Settings #
#########################################
jupyterhub:
  # REQUIRED: Set the private registry credentials, these are the same as the `imageCredentials` above
  imagePullSecret:
    password: ""

  proxy:
    # REQUIRED: Set a signing secret here with `openssl rand -hex 32`
    # (the placeholder "Secret" must not be deployed)
    secretToken: "Secret"
  # The pre-puller is used to ensure the docker images for notebooks are prepulled to each node
  # This can improve notebook startup time, but adds additional storage requirements to the nodes
  # If you wish to use dedicated k8s node groups for notebooks, see:
  # https://zero-to-jupyterhub.readthedocs.io/en/0.8.2/optimization.html?highlight=labels#using-a-dedicated-node-pool-for-users

  hub:
    config:
      CryptKeeper:
        # REQUIRED: Set the jupyterhub auth secret for persistence, this should be a secure value
        # We recommend creating a random value with `openssl rand -hex 32`
        keys:
          - "Secret"
      TileDBCloud:
        # REQUIRED: Set the oauth2 client secret, this should be a secure value
        # We recommend creating a random value with `openssl rand -hex 32`
        # Presumably this must match the secret of the OAuth2 client registered with the
        # hydra service below; confirm with the hydra client setup.
        client_secret: "Secret"
        # REQUIRED: Set the domain for the jupyterhub and the oauth2 service
        # it is likely you just need to replace `example.com` with your own internal domain
        # This should match the ingress settings above and the hydra settings below.
        # These four URLs use plain http://; the http:// callback is only accepted by
        # hydra because `dangerousAllowInsecureRedirectUrls` below lists it. Over http
        # the OAuth2 authorization code and tokens cross the network in cleartext.
        # For production switch all four to https:// (the OAUTH2_* URLs in `extraEnv`
        # below already use https://; keep the scheme consistent with how your
        # ingresses actually terminate TLS) and drop the hydra override.
        oauth_callback_url: "http://jupyterhub.tiledb.example.com/hub/oauth_callback"
        token_url: "http://oauth2.tiledb.example.com/oauth2/token"
        auth_url: "http://oauth2.tiledb.example.com/oauth2/auth"
        userdata_url: "http://oauth2.tiledb.example.com/userinfo"

    # REQUIRED: Set the domain for the REST API and the oauth2 service
    # it is likely you just need to replace `example.com` with your own internal domain
    # This should match the tiledb-cloud-rest settings above and the hydra settings below
    extraEnv:
      OAUTH2_AUTHORIZE_URL: "https://oauth2.tiledb.example.com/oauth2/auth"
      OAUTH2_USERDATA_URL: "https://oauth2.tiledb.example.com/userinfo"
      TILEDB_REST_HOST: "https://api.tiledb.example.com"
      # Uncomment to disable SSL validation. Useful when testing deployments with
      # self-signed certificates; never enable it in production, as it leaves the
      # hub's connection to the REST API open to interception.
      # TILEDB_REST_IGNORE_SSL_VALIDATION: "true"

  ingress:
    enabled: true
    # REQUIRED: set the ingress domain for hosted notebooks
    hosts:
      - "jupyterhub.tiledb.example.com"
    # TLS is optional for a test deployment but required for production: notebook
    # sessions and the OAuth2 callback above terminate here.
    tls: []

########################################
# TileDB Cloud Oauth2 Service Settings #
########################################
hydra:
  hydra:
    # REQUIRED: Set the domain for the jupyterhub
    # it is likely you just need to replace `example.com` with your own internal domain
    # This should match the jupyterhub `oauth_callback_url` above.
    # This allow-lists a plain-http redirect URL that hydra would otherwise reject and
    # exists only for TLS-less test deployments. For production use an https:// callback
    # and remove this setting entirely.
    dangerousAllowInsecureRedirectUrls:
      - http://jupyterhub.tiledb.example.com/hub/oauth_callback
    config:
      # Optionally set the internal k8s cluster IP address space to allow non-ssl connections from
      # This defaults to all private IP spaces.
      # Narrow it to your cluster's pod/service CIDR so that only in-cluster callers
      # (e.g. the ingress controller) may reach hydra over plain HTTP.
      # serve:
        # tls:
          # allow_termination_from:
            # Set to cluster IP
            # - 172.20.0.0/12
      secrets:
        # REQUIRED: Set the oauth2 secrets, both should be secure values
        # We recommend creating a random value with `openssl rand -hex 32`
        # Replace both placeholders. Presumably `system` protects hydra's stored data
        # and `cookie` its session cookies; see the hydra documentation.
        system:
          - "secret"
        cookie:
          - "Secret"
      # REQUIRED: Set MariaDB Database connection, this defaults to the in k8s development settings.
      # You will need to set this to the same connection parameters as the tiledb-cloud-rest section.
      # NOTE(review): the host below hard-codes release name and namespace `tiledb-cloud`,
      # unlike the templated `Databases.main.Host` above; adjust it if yours differ.
      # The database password is embedded in this URL, so the same secret-handling
      # rules apply to it.
      dsn: "mysql://tiledb_user:password@tcp(tiledb-cloud-mariadb.tiledb-cloud.svc.cluster.local:3306)/tiledb_rest?parseTime=true"
      urls:
        self:
          # REQUIRED: Update the domain for the oauth2 service and the web console ui
          # It is likely you can just replace `example.com` with your own internal domain
          issuer: "https://oauth2.tiledb.example.com/"
          public: "https://oauth2.tiledb.example.com/"
        login: "https://console.tiledb.example.com/oauth2/login"
        consent: "https://console.tiledb.example.com/oauth2/consent"

  # Configure ingress for oauth2 service
  ingress:
    public:
      hosts:
        # REQUIRED: set the ingress domain for oauth2 service
        - host: "oauth2.tiledb.example.com"
          paths:
           - path: /
             pathType: ImplementationSpecific
      # TLS is optional for a test deployment but required for production: tokens
      # and authorization codes are issued through this endpoint.
      tls: []

######################
# Ingress Controller #
######################
ingress-nginx:
  # This is provided for ease of testing, it is recommended to establish your own ingress which fits your environment
  enabled: false
  ## nginx configuration
  ## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md
  ##
  controller:
    name: controller
    autoscaling:
      enabled: true
      minReplicas: 2

    config:
      # Matches the `aws-load-balancer-proxy-protocol` annotation below; with PROXY
      # protocol enabled, `$proxy_protocol_addr` in the log format is the real client address.
      use-proxy-protocol: "true"
      log-format-escape-json: "true"
      # NOTE(review): `$args` logs the full query string; if any client passes credentials
      # or tokens as query parameters they will end up in the ingress logs.
      log-format-upstream: '{ "time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x-forward-for": "$proxy_add_x_forwarded_for", "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", "http_user_agent": "$http_user_agent" }'
      # Set timeouts to 1 hour (presumably for long-running requests); note this also
      # keeps idle or slow connections open for that long.
      proxy-send-timeout: "3600"
      proxy-read-timeout: "3600"
      send-timeout: "3600"
      # Large request bodies (up to ~3 GB) are streamed through without buffering
      client-max-body-size: "3076m"
      proxy-body-size: "3076m"
      proxy-buffering: "off"
      proxy-request-buffering: "off"
      proxy-http-version: "1.1"

    ingressClass: nginx

    ## Allows customization of the external service
    ## the ingress will be bound to via DNS
    publishService:
      enabled: true

    service:
      annotations:
        # Enable public facing load balancer. As written this exposes the API, console,
        # JupyterHub and oauth2 ingresses to the internet; use "internal" if the
        # deployment should only be reachable from inside the VPC.
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        # Set any needed annotations. The default ones we have set are for aws ELB nginx
        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
        # NOTE(review): the comment below describes the `-internal` annotation, but the
        # key actually used is `service.beta.kubernetes.io/aws-load-balancer` and the
        # scheme above is already "internet-facing"; this entry looks like a leftover
        # and probably has no effect. Confirm against your provider's annotation list
        # and remove or correct it.
        # Set aws-load-balancer-internal to allow all traffic from inside
        # the vpc only, the -internal makes it not accessible to the internet
        service.beta.kubernetes.io/aws-load-balancer: '0.0.0.0/0'
        # Set timeout to 1 hour
        service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'

      ## Set external traffic policy to: "Local" to preserve source IP on
      ## providers supporting it
      ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
      externalTrafficPolicy: "Local"

      type: LoadBalancer

MinIO Usage for Deployment

MinIO is commonly used as a self-hosted object store. MinIO works well with TileDB Cloud.

This assumes that, after installing MinIO, you have created:

  • A bucket called minio-tiledb-cloud-intermediate-result-storage
  • A Kubernetes Secret named minio-secret (presumably in the namespace the chart is installed into) holding the MinIO access key pair under the keys MINIO_ACCESS_KEY_ID and MINIO_SECRET_ACCESS_KEY; the argo-workflows section below references it but does not create it

The configuration below shows only the sections that need to be modified for use with MinIO.

MinIO Configuration
# MinIO configuration values for tiledb-cloud-enterprise.
# This is a YAML-formatted file.

##################################
# TileDB Cloud REST API settings #
##################################
tiledb-cloud-rest:
  restConfig:
    # REQUIRED: Define supported storage types and locations, if you want to use NFS
    # enable "local"
    StorageLocationsSupported:
      - "s3"

    ArraySettings:
      # When enabled, AWS credentials will be auto-discovered
      # from the Environment, config file, EC2 metadata etc.
      # Keep this false for MinIO so that only the explicitly configured keys are used
      # and the REST service cannot silently fall back to the node's AWS credentials.
      AllowS3NoCredentials: false
      # Set to false to skip region checks, which typically do not apply to S3-compatible stores
      CheckS3Region: false

    ResultStorage:
      Config:
        # REQUIRED: Configure with MinIO access details for task results storage bucket.
        # These keys are stored in plaintext in this values file: use a dedicated MinIO
        # user whose policy is scoped to this bucket, and keep the populated file out of
        # version control (the argo-workflows section below references a Kubernetes
        # Secret instead).
        - "vfs.s3.aws_access_key_id": "key"
        - "vfs.s3.aws_secret_access_key": "secret"
      # REQUIRED: Set to a minio bucket location for task results storage
      Path: "s3://minio-tiledb-cloud-intermediate-result-storage"

    Workflows:
      BatchTaskParamsStorage:
        S3BatchTaskParamsStorage:
          # REQUIRED: Set to a minio bucket location for Task Graph Storage
          Bucket: "s3://minio-tiledb-cloud-intermediate-result-storage"
          Path: "argo-workflows"

    TileDBEmbedded:
      Config:
        # "http" sends the MinIO credentials above and all array data in cleartext
        # between REST and MinIO; use "https" if your MinIO listens with TLS.
        - "vfs.s3.scheme": "http"
        - "vfs.s3.region": ""
        # REQUIRED: Set to your minio host
        - "vfs.s3.endpoint_override": "minio.example.com:9999"
        # Path-style addressing, the usual setting for a self-hosted MinIO endpoint
        - "vfs.s3.use_virtual_addressing": "false"

##################
# Argo Workflows #
##################
argo-workflows:
  # Presumably selects the static key pair referenced below over ambient cloud credentials; confirm
  useStaticCredentials: true
  artifactRepository:
    s3:
      # insecure will disable TLS. Primarily used for minio installs not configured with TLS.
      # Artifacts and the MinIO credentials then cross the network in cleartext; set this
      # to false once MinIO serves TLS.
      insecure: true
      # REQUIRED: The Bucket where the artifacts are stored
      bucket: 'minio-tiledb-cloud-intermediate-result-storage'
      # REQUIRED: Set to MinIO host
      endpoint: minio.example.com:9999
      # REQUIRED: Configure with minio access details.
      # These reference a Kubernetes Secret named `minio-secret` carrying the two keys
      # below. This snippet does not create it; create it before installing, e.g.
      # `kubectl create secret generic minio-secret --from-literal=MINIO_ACCESS_KEY_ID=... --from-literal=MINIO_SECRET_ACCESS_KEY=...`
      accessKeySecret:
        name: minio-secret
        key: MINIO_ACCESS_KEY_ID
      secretKeySecret:
        name: minio-secret
        key: MINIO_SECRET_ACCESS_KEY
