Licence handling, renewal & rotation

Your KDBL Context Lake (K-Lake) deployment is licensed offline — it verifies its licence locally with no phone-home (see licensing.md for the enforcement model). This page covers what you, as the operator, need to do to keep a valid licence in place: storing the licence file, renewing it, and what a licence rotation means for you.

What you hold

  • Your licence — a small signed blob (a KDBLLIC1.… string, or a licence file) issued to you by KDBL. It encodes your customer name, capacity, expiry, and grace/lockdown windows, and is tamper-evident: editing it breaks the signature and it stops verifying.
  • KDBL issues and signs licences. You cannot self-mint one, and you never need a signing secret of your own — your deployment only ever verifies the licence.

To check a licence at any time:

kdbl-control licence inspect <file>        # prints the terms, confirms ✓ signature valid
kdbl-control --api-url http://kdbl-api --api-token <TOKEN> licence status

Storing your licence

Treat the licence as deployment configuration:

  • Provision it as the kdbl-licence Secret in your kdbl namespace (the standard deployment manifests wire it in for you). Every service reads KDBL_LICENCE / KDBL_LICENCE_FILE from that Secret at boot.
  • Keep a copy of the original licence file somewhere safe so you can re-apply it if you rebuild the deployment.

Renewing or resizing

There is no revocation list and no phone-home, so renewal is simply applying a newer licence:

  1. Ask KDBL for a renewed licence (new expiry, or a larger capacity). KDBL sends you a new licence file/blob.
  2. Verify it: kdbl-control licence inspect <file> → ✓ signature valid.
  3. Apply it — either update the kdbl-licence Secret (newest licence wins) and restart, or apply it live with no restart:
kdbl-control --api-url http://kdbl-api --api-token <CLUSTER_ADMIN> licence apply <file>

The API stays available throughout (even when a licence has lapsed) specifically so you can apply a renewal live.
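
The renewal steps above as a guarded script, added here as an example (not KDBL's own tooling): it refuses to apply a file unless inspect reports a valid signature, then reads back the status. It assumes inspect prints "signature valid" only for a licence that verifies; KDBL_CONTROL, API_URL and API_TOKEN are names chosen for this script.

```shell
#!/bin/sh
# Added example: gate "licence apply" on a successful "licence inspect".
# Assumptions (not from the KDBL docs): inspect prints "signature valid"
# only for a licence that verifies; KDBL_CONTROL, API_URL and API_TOKEN
# are variables of this script, not settings the product defines.

KDBL_CONTROL=${KDBL_CONTROL:-kdbl-control}
API_URL=${API_URL:-http://kdbl-api}

# Return 0 only if the file is non-empty and inspect confirms the signature.
licence_verifies() {
    file=$1
    [ -s "$file" ] || { echo "licence file missing or empty: $file" >&2; return 2; }
    out=$("$KDBL_CONTROL" licence inspect "$file" 2>&1) || {
        echo "inspect failed: $out" >&2; return 1; }
    printf '%s\n' "$out" | grep -qF 'signature valid' || {
        echo "inspect did not confirm the signature: $file" >&2; return 1; }
    printf '%s\n' "$out"    # show the terms so the operator can check expiry/capacity
}

# Verify, apply live, then read back status. An unverified file is never applied.
renew_licence() {
    file=$1
    # The token is read from the environment rather than hard-coded here.
    [ -n "${API_TOKEN:-}" ] || { echo "set API_TOKEN to a cluster-admin token" >&2; return 2; }
    licence_verifies "$file" || return 1
    "$KDBL_CONTROL" --api-url "$API_URL" --api-token "$API_TOKEN" licence apply "$file" || {
        echo "apply failed for $file" >&2; return 3; }
    "$KDBL_CONTROL" --api-url "$API_URL" --api-token "$API_TOKEN" licence status
}

# Usage (after sourcing this file): API_TOKEN=<CLUSTER_ADMIN> renew_licence <file>
```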

Licence rotation

Occasionally KDBL may rotate the signing scheme (for example after a scheduled hygiene rotation). When that happens:

  • KDBL ships an updated set of K-Lake images and re-issues your licence under the new scheme.
  • What you do: roll your K-Lake service containers to the updated images and apply the re-issued licence. Your old licence stops verifying once the updated images are in place, so apply the new one in the same change window.

After rolling, confirm each container logs that the licence was accepted at boot and stays Running. A container stuck restarting with a "no licence applied" message means the kdbl-licence Secret is missing or does not verify — apply a valid, current licence and restart.

See licensing.md for the full enforcement model.