Configuration
This section contains example configurations for Ververica Platform. The configuration is passed to Ververica Platform during installation with Helm via the `values.yaml` file, under the `vvp` key.
Persistence Configuration
:::caution
Remote RDBMS persistence is only available in Ververica Platform Stream Edition and above.
:::

Ververica Platform persists its metadata using JDBC, either in a remote RDBMS or locally using SQLite.

:::note
This refers to data owned by the Platform itself and accessed via its API, such as Namespaces, Deployments, Jobs, and Savepoint metadata, but does not include artifacts, Apache Flink® checkpoint and savepoint data, etc.
:::
Currently, the following remote RDBMSs are supported:
- MariaDB/MySQL Persistence
- PostgreSQL Persistence
- Microsoft SQL Server Persistence
- OracleDB Persistence
The simplest mode of operation is the preset `vvp.persistence.type: local`, which uses a Kubernetes PVC to store a SQLite database.
This preset also configures SQLite with some important settings. If you use SQLite with `vvp.persistence.type: jdbc`, we recommend the following JDBC URL parameters: `journal_mode=WAL&synchronous=FULL&busy_timeout=10000`
Do not use a network-backed filesystem to back your SQLite database: in the case of a network partition there is no guarantee that the SQLite data is not corrupted. We recommend a dedicated remote RDBMS for production workloads.
Instead, if you wish to use a remote datastore, specify `vvp.persistence.type: jdbc` and provide an appropriate Spring datasource configuration under `vvp.persistence.datasource`.
MariaDB/MySQL Persistence
Ververica Platform supports MySQL persistence using the MySQL-compatible MariaDB JDBC connector. Therefore, if you wish to use MySQL with Ververica Platform, you must use mariadb in your JDBC connection URL.
```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:mariadb://mysql.internal:3306/vvp
      username: vvp
      password: password
```
PostgreSQL Persistence
```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:postgresql://postgresql.internal:5432/vvp
      username: vvp
      password: password
```

Microsoft SQL Server Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:sqlserver://mssql.internal;databaseName=vvp
      username: vvp
      password: password
```

OracleDB Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:oracle:thin:@internal:1521/VVP
      username: vvp
      password: password
```

Configuring Offline DDL Updates
Ververica Platform uses the Liquibase database schema change management tool to run database updates.
If your environment disallows automatic DDL updates, disable Liquibase at startup and configure Ververica Platform to generate an offline changeset against the target database. Ververica Platform generates the changeset and creates or updates the database.
To disable Liquibase at startup, please add the following configuration to your values.yaml configuration file:
```yaml
env:
  - name: LIQUIBASE_ENABLED
    value: false
```

To configure Ververica Platform to generate an offline changeset and create or update the target database, run the following command:

```shell
docker run --rm <vvp-image-registry>/vvp-persistence:<vvp-version> \
  --url="<JDBC-connection-string>" \
  --username=<your-db-user-name> \
  --password=<your-db-password> \
  update
```

where the parameters are:

- `--url`: the database URL, a JDBC connection string whose format depends on the database (see the examples below): `--url="jdbc-format-dependent-on-db"`
- `--username`: the username for database access: `--username=db-user-name`
- `--password`: the password for database access: `--password=db-pass`
If you want to generate DDL statements and send them to your DBA team for execution, replace `update` with `update-sql` in the command above.
The database URL is a JDBC connection string which varies depending on the database. Some common examples are:
- MS SQL Server: `jdbc:sqlserver://<IP OR HOSTNAME>:1433;database=<DATABASE>`
- PostgreSQL: `jdbc:postgresql://<IP OR HOSTNAME>:5432/<DATABASE>?currentSchema=<SCHEMA NAME>`
- MySQL: `jdbc:mariadb://<IP OR HOSTNAME>:3306/<DATABASE>`
- MariaDB: `jdbc:mariadb://<IP OR HOSTNAME>:3306/<DATABASE>`
- SQLite: `jdbc:sqlite:/tmp/<DB FILE NAME>.db`
The Liquibase documentation includes useful additional information, including details of further parameters that can be passed on the `docker run` command line and JDBC connection strings for a number of popular databases.
Authentication Configuration
Bootstrap Token
Ververica Platform supports a "bootstrap token", specified during installation or upgrade, which can be used as an API token with administrator privileges. This is useful for performing certain bootstrapping tasks such as creating an initial Namespace and assigning its members.
The token can be any non-empty string and is set by assigning `vvp.auth.bootstrapToken.token` in a Helm values file or on the command line.
For example, if you install or upgrade Ververica Platform using Helm and include the CLI option `--set vvp.auth.bootstrapToken.token=my-secret-token`, you (or an automated task) could create a Namespace by running:
```shell
curl \
  -X POST \
  -H 'Authorization: Bearer my-secret-token' \
  -H 'Content-Type: application/json' \
  https://vvp.internal/namespaces/v1/namespaces \
  -d '
{
  "name": "namespaces/my-namespace",
  "roleBindings": [{
    "role": "owner",
    "members": ["group:vvp-users"]
  }]
}
'
```

Google Authentication Configuration Example
(Scope under vvp.auth)
```yaml
# Google auth does not support groups, so administrators must be specified manually in this
# list, or with an environment variable: vvp.admins=user:admin1@example.com,admin2@example.com
admins:
- user:admin1@example.com
- user:admin2@example.com

oidc:
  #groupsClaim: # Google auth does not support groups
  registrationId: google
  registration:
    clientId: 1009242745340-9piji4g84vkrzbp2qyp19asrk8p2ug2s.apps.googleusercontent.com
    clientSecret: 4wHQZc_KHN0u8QqgpmV6TY86
  provider:
    userNameAttribute: email # Required to correctly identify users
```

Azure Authentication Configuration Example
(Scope under vvp.auth)
```yaml
admins:
  - user:admin1@example.com
  - user:admin2@example.com
oidc:
  # NOTE: see the following Azure doc on how to enable groupsClaim at the Azure side:
  # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
  groupsClaim: groups
  # NOTE: Your Azure application needs a redirect URI of <baseUrl>/login/oauth2/code/vvp
  registrationId: vvp
  registration:
    clientId: xxxxxx-your-client-id-xxxxxx
    clientSecret: xxxxxx-your-client-secret-xxxxxx
    redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
    clientAuthenticationMethod: client_secret_basic
    authorizationGrantType: authorization_code
    scope:
      - openid
      - profile
  provider:
    # Let Spring Boot figure out the parameters itself from
    # https://login.microsoftonline.com/xxxxxx-your-tenant-id-xxxxxx/v2.0/.well-known/openid-configuration
    # Note: External users may not be able to sign in if you use the 'common'
    # tenant ID. Instead, find your Azure AD's tenant ID and use that.
    issuerUri: https://login.microsoftonline.com/xxxxxx-your-tenant-id-xxxxxx/v2.0 # No trailing slash!
    # Make sure Spring Boot does not fetch user info,
    # see https://github.com/spring-projects/spring-security/issues/7679
    userInfoUri:
    userNameAttribute: preferred_username # Required to correctly identify users
```

Amazon AWS Authentication Configuration Example
(Scope under vvp.auth)
```yaml
# This uses AWS Cognito User Pool as an identity provider. You need to create a user pool,
# create and configure an app client in the user pool, and create a Cognito domain.
admins:
- user:admin1@example.com
- user:admin2@example.com

oidc:
  groupsClaim: cognito:groups
  registrationId: vvp
  registration:
    clientId: <ClientId>
    clientSecret: <ClientSecret>
    redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
    clientAuthenticationMethod: client_secret_basic
    authorizationGrantType: authorization_code
    scope:
      - openid
      - profile
  provider:
    issuerUri: https://cognito-idp.<AWSRegion>.amazonaws.com/<UserPoolID>
    userNameAttribute: username
    # LogoutURL is the logout URL of the created app client in the User Pool
    endSessionEndpoint: "https://<UserPoolDomainPrefix>.auth.<AWSRegion>.amazoncognito.com/logout?client_id=<ClientId>&logout_uri=<LogoutURL>"
```

External License Configuration Example
Ververica Platform supports the usage of an external license which does not need to be part of your values.yaml.
First, create a Secret in the same namespace as your Ververica Platform installation.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vvp-license
  namespace: vvp
type: Opaque
stringData:
  license.yaml: |-
    vvp:
      license:
        data: <your-license>
```

Once the Secret has been created, add the following entries to your `values.yaml` file; `vvp.license.data` no longer needs to be specified.
```yaml
licenseConfigPath: file:/etc/vvp-licenses/license.yaml

# This volume is added to the Ververica Platform Pod
volumes:
  - name: license
    secret:
      secretName: vvp-license

# The added volume is mounted to the respective Ververica Platform containers
volumeMounts:
  - name: license
    mountPath: /etc/vvp-licenses/
```

It is important to follow [this schema](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#features.external-config.files) for the path provided via `licenseConfigPath`.
Custom Pod Annotations
Custom annotations can be added to the Ververica Platform pod by adding them to the values.yaml file as shown in the example below.
```yaml
# Annotations 'inject-sidecar' and 'environment', with values 'enabled' and 'test', are added to the Ververica Platform pod
podAnnotations:
  inject-sidecar: enabled
  environment: test
```

Content Security Policy (CSP)
You can customize the Content Security Policy (CSP) header for the Gateway to control which resources the browser is allowed to load. This is useful for improving security or resolving UI rendering issues in certain environments.
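Before settling on a policy string, it helps to know what each directive actually permits. The checker below is an added example (not part of the Ververica documentation or product) that parses a CSP header value such as the one configured for `vvp.gateway.contentSecurityPolicy` and reports the settings that weaken it; the sample policy is the one used in this section.

```python
from typing import Dict, List

# Constructed sample: the policy string used for vvp.gateway.contentSecurityPolicy in this section.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
              "object-src 'none'; style-src 'self' 'unsafe-inline';")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:  # skip the empty clause left by a trailing ';'
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return findings for settings that weaken the policy; an empty list means none found."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("no default-src: fetch directives not listed here are unrestricted")
    # Fetch directives fall back to default-src when they are absent.
    script = d.get("script-src", d.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
        findings.append("script-src allows 'unsafe-inline' with no nonce/hash: injected inline scripts run")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or "http:" in script:
        findings.append("script-src allows scripts from any origin or over plain http")
    if d.get("object-src", d.get("default-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be embedded")
    # frame-ancestors does not inherit from default-src.
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors is unset: framing (clickjacking) is not restricted by CSP")
    return findings


if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_CSP):
        print("-", finding)
```

For the sample policy the checker reports the `'unsafe-inline'` script source and the missing `frame-ancestors` directive; whether either is acceptable depends on what the UI needs in your environment.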
```yaml
vvp:
  gateway:
    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline';"
```

Full Example Configuration
This full example demonstrates most of the options needed to configure Ververica Platform for your environment.
```yaml
vvp:
  auth:
    enabled: true

    admins:
      - group:vvp-admins # The OIDC-supplied group which indicates an administrator

    bootstrapToken:
      token: dmVydmVyaWNhLmNvbS9jYXJlZXJz

    oidc:
      groupsClaim: roles # The OIDC ID token claim containing a list of a user's groups
      registrationId: my-oidc-provider
      registration:
        clientId: vvp
        clientSecret: secret
        redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        clientAuthenticationMethod: client_secret_basic
        authorizationGrantType: authorization_code
        scope:
          - openid
      provider:
        authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
        userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
        jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
        userNameAttribute: email # Required to correctly identify users
        endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

  persistence:
    type: jdbc
    datasource:
      url: jdbc:postgresql://postgresql.internal:5432/vvp
      username: vvp
      password: password

  blobStorage:
    baseUri: s3://my-bucket/vvp

  # Add additional custom Flink images to the UI, optionally setting them as the default image
  # for a particular Flink minor version
  flinkVersionMetadata:
    - flinkVersion: 1.9.0 # The full Flink version this image supplies
      imageTag: 1.9.0-custom1 # The Docker image tag for the Flink repository specified below
      defaultFor:
        - 1.9 # Make this the default image for deployments on Flink 1.9

  flinkDeploymentDefaults:
    registry: my-custom-registry.internal/vvp
    repository: flink

  license:
    # Ververica Platform License (www.ververica.com/enterprise-trial)
    data: {
      "kind": "License",
      "apiVersion": "v1",
      "metadata": {
        "id": "53b8cf22-1af2-44bd-a7ba-7420418f6572",
        "createdAt": "2020-02-21T12:56:52.407899Z",
        "annotations": {
          "signature": "<omitted>",
          "licenseSpec": "ewogICJsaWNlbnNlSWQiIDogIjUzYjhjZjIyLTFhZjItNDRiZC1hN2JhLTc0MjA0MThmNjU3MiIsCiAgImxpY2Vuc2VkVG8iIDogInRlc3QiLAogICJleHBpcmVzIiA6ICIyMDIwLTAzLTIyVDEyOjU2OjUxLjg3MzU1M1oiLAogICJwYXJhbXMiIDogewogICAgInF1b3RhLnR5cGUiIDogIlVOTElNSVRFRCIsCiAgICAidHJpYWwiIDogInRydWUiCiAgfQp9"
        }
      },
      "spec": {
        "licenseId": "53b8cf22-1af2-44bd-a7ba-7420418f6572",
        "licensedTo": "My Company Inc.",
        "expires": "2020-03-22T12:56:51.873553Z",
        "params": {
          "quota.type": "UNLIMITED",
          "trial": "true"
        }
      }
    }
```
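Several rules on this page are easy to get wrong silently in a `values.yaml` like the one above: MySQL must be reached through a `jdbc:mariadb://` URL, a SQLite JDBC URL should carry the recommended `journal_mode`/`synchronous`/`busy_timeout` parameters, `issuerUri` must not end in a slash, and an `admins` entry of the form `group:...` only means anything when `oidc.groupsClaim` is set. The checker below is an added example (not part of the Ververica documentation or Helm chart) that encodes those rules; the `vvp` section is represented as the plain dict a YAML parser would produce, and `SAMPLE_VVP` is a constructed, hypothetical config with three of the mistakes.

```python
from typing import Dict, List
from urllib.parse import parse_qs

# JDBC URL parameters this page recommends when SQLite is used with persistence.type: jdbc
SQLITE_PARAMS = {"journal_mode": "WAL", "synchronous": "FULL", "busy_timeout": "10000"}


def check_persistence(persistence: Dict) -> List[str]:
    """Check the vvp.persistence section against the rules stated on this page."""
    ptype = persistence.get("type")
    if ptype == "local":  # preset: PVC-backed SQLite, already tuned by the chart
        return []
    if ptype != "jdbc":
        return [f"persistence.type must be 'local' or 'jdbc', got {ptype!r}"]
    findings: List[str] = []
    url = persistence.get("datasource", {}).get("url", "")
    if url.startswith("jdbc:mysql:"):
        findings.append("MySQL must be addressed via the MariaDB connector: use jdbc:mariadb://")
    if url.startswith("jdbc:sqlite:"):
        params = {k: v[0] for k, v in parse_qs(url.partition("?")[2]).items()}
        for key, want in SQLITE_PARAMS.items():
            if params.get(key) != want:
                findings.append(f"SQLite URL should set {key}={want}")
    return findings


def check_auth(auth: Dict) -> List[str]:
    """Check the vvp.auth section: issuerUri form and admins/groupsClaim consistency."""
    findings: List[str] = []
    oidc = auth.get("oidc", {})
    issuer = oidc.get("provider", {}).get("issuerUri") or ""
    if issuer.endswith("/"):
        findings.append("oidc.provider.issuerUri must not end with a trailing slash")
    admins = auth.get("admins", [])
    if any(str(m).startswith("group:") for m in admins) and not oidc.get("groupsClaim"):
        findings.append("admins contains a group: entry but oidc.groupsClaim is not set")
    return findings


def check_values(vvp: Dict) -> List[str]:
    """Run every check over the 'vvp' section of a values.yaml."""
    return check_persistence(vvp.get("persistence", {})) + check_auth(vvp.get("auth", {}))


# Constructed sample (hypothetical, not a real deployment) containing three mistakes.
SAMPLE_VVP = {
    "persistence": {"type": "jdbc",
                    "datasource": {"url": "jdbc:mysql://mysql.internal:3306/vvp"}},
    "auth": {"admins": ["group:vvp-admins"],
             "oidc": {"provider": {"issuerUri": "https://login.microsoftonline.com/<tenant>/v2.0/"}}},
}
```

Running `check_values(SAMPLE_VVP)` returns one finding per mistake; a config matching the full example above returns none.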