
Configuration

This section contains example configurations for Ververica Platform. Pass the configuration to Ververica Platform during installation with Helm via the `values.yaml` file, under the `vvp` key.

Persistence Configuration

Currently, the following remote RDBMSs are supported:

  • MariaDB/MySQL Persistence
  • PostgreSQL Persistence
  • Microsoft SQL Server Persistence
  • OracleDB Persistence

The simplest mode of operation is the preset configuration `vvp.persistence.type: local`, which uses a Kubernetes PVC to store a SQLite database.

Instead, if you wish to use a remote datastore, specify `vvp.persistence.type: jdbc` and provide an appropriate Spring datasource configuration under `vvp.persistence.datasource`.

MariaDB/MySQL Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:mariadb://mysql.internal:3306/vvp
      username: vvp
      password: password
```

PostgreSQL Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:postgresql://postgresql.internal:5432/vvp
      username: vvp
      password: password
```

Microsoft SQL Server Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:sqlserver://mssql.internal;databaseName=vvp
      username: vvp
      password: password
```

OracleDB Persistence

```yaml
vvp:
  persistence:
    type: jdbc
    datasource:
      url: jdbc:oracle:thin:@internal:1521/VVP
      username: vvp
      password: password
```

Configuring Offline DDL Updates

Ververica Platform uses the Liquibase database schema change management tool to run database updates.

If your environment disallows automatic DDL updates, disable Liquibase at startup and configure Ververica Platform to generate an offline changeset against the target database. Ververica Platform generates the changeset and creates or updates the database.

To disable Liquibase at startup, add the following configuration to your `values.yaml` configuration file:

```yaml
env:
  - name: LIQUIBASE_ENABLED
    # Quoted: Kubernetes environment variable values must be strings
    value: "false"
```

To configure Ververica Platform to generate an offline changeset and create or update the target database, run the following command:

```bash
docker run --rm <vvp-image-registry>/vvp-persistence:<vvp-version> \
  --url="<JDBC-connection-string>" \
  --username=<your-db-user-name> \
  --password=<your-db-password> \
  update
```

where the parameters are:

  • `--url`: The database URL, a JDBC connection string whose format depends on the database: `--url="jdbc-format-dependent-on-db"` (see the examples below)
  • `--username`: The username for database access: `--username=db-user-name`
  • `--password`: The password for database access: `--password=db-pass`

The database URL is a JDBC connection string which varies depending on the database. Some common examples are:

  • MS SQL Server: jdbc:sqlserver://<IP OR HOSTNAME>:1433;database=<DATABASE>
  • PostgreSQL: jdbc:postgresql://<IP OR HOSTNAME>:5432/<DATABASE>?currentSchema=<SCHEMA NAME>
  • MySQL: jdbc:mariadb://<IP OR HOSTNAME>:3306/<DATABASE>
  • MariaDB: jdbc:mariadb://<IP OR HOSTNAME>:3306/<DATABASE>
  • SQLite: jdbc:sqlite:/tmp/<DB FILE NAME>.db

Authentication Configuration

Bootstrap Token

Ververica Platform supports a "bootstrap token", specified during installation or upgrade, which can be used as an API token with administrator privileges. This is useful for performing certain bootstrapping tasks such as creating an initial Namespace and assigning its members.

The token can be any non-empty string and is set by assigning `vvp.auth.bootstrapToken.token` in a Helm values file or on the command line.

For example, if you install or upgrade Ververica Platform using Helm and include the CLI option `--set vvp.auth.bootstrapToken.token=my-secret-token`, you (or an automated task) could create a Namespace by running:

```bash
curl \
  -X POST \
  -H 'Authorization: Bearer my-secret-token' \
  -H 'Content-Type: application/json' \
  https://vvp.internal/namespaces/v1/namespaces \
  -d '
{
  "name": "namespaces/my-namespace",
  "roleBindings": [{
    "role": "owner",
    "members": ["group:vvp-users"]
  }]
}
'
```

Google Authentication Configuration Example

(Scope under `vvp.auth`)

```yaml
# Google auth does not support groups, so administrators must be specified manually in this
# list, or with an environment variable: vvp.admins=user:admin1@example.com,admin2@example.com
admins:
- user:admin1@example.com
- user:admin2@example.com

oidc:
  #groupsClaim:  # Google auth does not support groups
  registrationId: google
  registration:
    clientId: 1009242745340-9piji4g84vkrzbp2qyp19asrk8p2ug2s.apps.googleusercontent.com
    clientSecret: 4wHQZc_KHN0u8QqgpmV6TY86
  provider:
    userNameAttribute: email  # Required to correctly identify users
```

Azure Authentication Configuration Example

(Scope under `vvp.auth`)

```yaml
admins:
  - user:admin1@example.com
  - user:admin2@example.com
oidc:
  # NOTE: see the following Azure doc on how to enable groupsClaim at the Azure side:
  # https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims
  groupsClaim: groups
  # NOTE: Your Azure application needs a redirect URI of <baseUrl>/login/oauth2/code/vvp
  registrationId: vvp
  registration:
    clientId: xxxxxx-your-client-id-xxxxxx
    clientSecret: xxxxxx-your-client-secret-xxxxxx
    redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
    clientAuthenticationMethod: client_secret_basic
    authorizationGrantType: authorization_code
    scope:
      - openid
      - profile
  provider:
    # Let Spring Boot figure out parameters itself from
    # https://login.microsoftonline.com/xxxxxx-your-tenant-id-xxxxxx/v2.0/.well-known/openid-configuration
    # Note: External users may not be able to sign in if you use the 'common'
    #       tenant ID. Instead, find your Azure AD's tenant ID and use that.
    issuerUri: https://login.microsoftonline.com/xxxxxx-your-tenant-id-xxxxxx/v2.0  # No trailing slash!
    # Make sure Spring Boot does not fetch user info;
    # see https://github.com/spring-projects/spring-security/issues/7679
    userInfoUri:
    userNameAttribute: preferred_username  # Required to correctly identify users
```

Amazon AWS Authentication Configuration Example

(Scope under `vvp.auth`)

```yaml
# This uses AWS Cognito User Pool as an identity provider. You need to create a user pool,
# create and configure an app client in the user pool, and create a Cognito domain.
admins:
- user:admin1@example.com
- user:admin2@example.com

oidc:
  groupsClaim: cognito:groups
  registrationId: vvp
  registration:
    clientId: <ClientId>
    clientSecret: <ClientSecret>
    redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
    clientAuthenticationMethod: client_secret_basic
    authorizationGrantType: authorization_code
    scope:
      - openid
      - profile
  provider:
    issuerUri: https://cognito-idp.<AWSRegion>.amazonaws.com/<UserPoolID>
    userNameAttribute: username
  # LogoutURL is the logout URL of the created app client in the User Pool
  endSessionEndpoint: "https://<UserPoolDomainPrefix>.auth.<AWSRegion>.amazoncognito.com/logout?client_id=<ClientId>&logout_uri=<LogoutURL>"
```

External License Configuration Example

Ververica Platform supports an external license, which does not need to be part of your `values.yaml`.

First, create a Secret in the same namespace as your Ververica Platform installation.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: vvp-license
  namespace: vvp
type: Opaque
stringData:
  license.yaml: |-
    vvp:
      license:
        data: <your-license>
```

Once the Secret has been created, add the following entries to your `values.yaml` file. You no longer need to specify `vvp.license.data`.

```yaml
licenseConfigPath: file:/etc/vvp-licenses/license.yaml

# This volume is added to the Ververica Platform Pod
volumes:
  - name: license
    secret:
      secretName: vvp-license

# The added volume is mounted to the respective Ververica Platform containers
volumeMounts:
  - name: license
    mountPath: /etc/vvp-licenses/
```

Custom Pod Annotations

Custom annotations can be added to the Ververica Platform pod by adding them to the `values.yaml` file, as shown in the example below.

```yaml
# Annotations 'inject-sidecar' and 'environment', with values 'enabled' and 'test', are added to the Ververica Platform pod
podAnnotations:
  inject-sidecar: enabled
  environment: test
```

Content Security Policy (CSP)

You can customize the Content Security Policy (CSP) header for the Gateway to control which resources the browser is allowed to load. This is useful for improving security or resolving UI rendering issues in certain environments.

```yaml
vvp:
  gateway:
    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self' 'unsafe-inline';"
```
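To review a policy before putting it in `vvp.gateway.contentSecurityPolicy`, the following added example (not part of the Ververica documentation or product) parses a CSP string into directives, reports sources that weaken script, style and object loading, and lists the directives that `default-src` does not cover. The names `parse_csp`, `audit_csp`, `NO_FALLBACK` and `RISKY` are illustrative.

```python
# Added example: audit a CSP string such as vvp.gateway.contentSecurityPolicy.
# Directives that do not inherit from default-src and must be set explicitly.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# Source expressions that largely defeat the directive they appear in.
RISKY = ("'unsafe-inline'", "'unsafe-eval'", "*")


def parse_csp(policy):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue  # empty segment, e.g. after a trailing ';'
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy):
    """Return a list of human-readable findings for the given policy string."""
    d = parse_csp(policy)
    findings = []
    for name in ("script-src", "style-src", "object-src"):
        sources = d.get(name, d.get("default-src"))
        if sources is None:
            findings.append(f"{name}: unrestricted (no directive and no default-src)")
            continue
        origin = name if name in d else "default-src"
        for src in sources:
            if src.lower() in RISKY:
                findings.append(f"{name}: allows {src} (from {origin})")
    for name in NO_FALLBACK:
        if name not in d:
            findings.append(f"{name}: not set, default-src does not cover it")
    return findings


# The policy string from the example on this page.
PAGE_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
               "object-src 'none'; style-src 'self' 'unsafe-inline';")

if __name__ == "__main__":
    print("\n".join(audit_csp(PAGE_POLICY)))
```
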

Full Example Configuration

This full example demonstrates most of the options needed to configure Ververica Platform for your environment.

```yaml
vvp:
  auth:
    enabled: true

    admins:
    - group:vvp-admins  # The OIDC-supplied group which indicates an administrator

    bootstrapToken:
      token: dmVydmVyaWNhLmNvbS9jYXJlZXJz

    oidc:
      groupsClaim: roles  # The OIDC ID token claim containing a list of a user's groups
      registrationId: my-oidc-provider
      registration:
        clientId: vvp
        clientSecret: secret
        redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
        clientAuthenticationMethod: client_secret_basic
        authorizationGrantType: authorization_code
        scope:
        - openid
      provider:
        authorizationUri: http://my-oidc-provider.internal/openid-connect/auth
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
        userInfoUri: http://my-oidc-provider.internal/openid-connect/userinfo
        jwkSetUri: http://my-oidc-provider.internal/openid-connect/certs
        userNameAttribute: email  # Required to correctly identify users
      endSessionEndpoint: http://my-oidc-provider.internal/openid-connect/logout

  persistence:
    type: jdbc
    datasource:
      url: jdbc:postgresql://postgresql.internal:5432/vvp
      username: vvp
      password: password

  blobStorage:
    baseUri: s3://my-bucket/vvp

  # Add additional custom Flink images to the UI, optionally setting them as the default image
  # for a particular Flink minor version
  flinkVersionMetadata:
  - flinkVersion: 1.9.0  # The full Flink version this image supplies
    imageTag: 1.9.0-custom1  # The Docker image tag for the Flink repository specified below
    defaultFor:
    - 1.9  # Make this the default image for deployments on Flink 1.9

  flinkDeploymentDefaults:
    registry: my-custom-registry.internal/vvp
    repository: flink

  license:
    # Ververica Platform License (www.ververica.com/enterprise-trial)
    data: {
      "kind": "License",
      "apiVersion": "v1",
      "metadata": {
        "id": "53b8cf22-1af2-44bd-a7ba-7420418f6572",
        "createdAt": "2020-02-21T12:56:52.407899Z",
        "annotations": {
          "signature": "<omitted>",
          "licenseSpec": "ewogICJsaWNlbnNlSWQiIDogIjUzYjhjZjIyLTFhZjItNDRiZC1hN2JhLTc0MjA0MThmNjU3MiIsCiAgImxpY2Vuc2VkVG8iIDogInRlc3QiLAogICJleHBpcmVzIiA6ICIyMDIwLTAzLTIyVDEyOjU2OjUxLjg3MzU1M1oiLAogICJwYXJhbXMiIDogewogICAgInF1b3RhLnR5cGUiIDogIlVOTElNSVRFRCIsCiAgICAidHJpYWwiIDogInRydWUiCiAgfQp9"
        }
      },
      "spec": {
        "licenseId": "53b8cf22-1af2-44bd-a7ba-7420418f6572",
        "licensedTo": "My Company Inc.",
        "expires": "2020-03-22T12:56:51.873553Z",
        "params": {
          "quota.type": "UNLIMITED",
          "trial": "true"
        }
      }
    }
```
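The sample values in the examples on this page (`password`, `secret`, the sample bootstrap token, `http://` OIDC endpoints) are easy to carry into a real `values.yaml` by copy and paste. The following pre-deployment check is an added example, not part of Ververica Platform: it walks block-style YAML by indentation using only the standard library and flags those values. `lint_values`, `key_paths` and the `SAMPLE` excerpt are constructed for illustration.

```python
import re

# Sample values this page uses in its examples; none should reach a deployment.
DOC_PLACEHOLDERS = {"password", "secret", "my-secret-token", "dmVydmVyaWNhLmNvbS9jYXJlZXJz"}
PLACEHOLDER_RE = re.compile(r"<[^>]+>|xxxxxx-.*")  # <ClientSecret>, xxxxxx-...-xxxxxx
SECRET_KEYS = {"password", "clientSecret", "token"}
KEY_RE = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w.-]*):\s*(.*)$")

def key_paths(text):
    """Yield (dotted.path, value) for scalar 'key: value' lines of block-style YAML."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended above this line
        stack.append((indent, key))
        if value:
            yield ".".join(k for _, k in stack), value

def lint_values(text):
    findings = []
    for path, value in key_paths(text):
        leaf = path.rsplit(".", 1)[-1]
        if leaf in SECRET_KEYS and (value in DOC_PLACEHOLDERS or PLACEHOLDER_RE.fullmatch(value)):
            findings.append(f"{path}: documentation placeholder used as a secret")
        if ".oidc." in path and value.startswith("http://"):
            findings.append(f"{path}: OIDC endpoint over plain HTTP")
    return findings

# Constructed excerpt modelled on the full example above.
SAMPLE = """\
vvp:
  auth:
    bootstrapToken:
      token: dmVydmVyaWNhLmNvbS9jYXJlZXJz
    oidc:
      registration:
        clientSecret: secret  # constructed comment
      provider:
        tokenUri: http://my-oidc-provider.internal/openid-connect/token
  persistence:
    datasource:
      password: password
"""
```

Calling `lint_values(SAMPLE)` returns one finding per flagged key, each prefixed with its full dotted path so it can be located in the values file.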