Authentication

By default, the user-authn module is used. Alternatively, authentication can be configured using externalAuthentication.

If neither of these methods is enabled, the dashboard module will be disabled.

The parameters auth.password and accessLevel are no longer supported.

Settings

The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/dashboard resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: dashboard
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable dashboard

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: dashboard
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable dashboard

The module is configured using the ModuleConfig custom resource named dashboard (learn more about setting up Deckhouse…).

Example of the ModuleConfig/dashboard resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: dashboard
spec:
  version: 3
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 3

  • settings
    object
    • settings.auth
      object

      Options related to authentication or authorization in the application.

      • settings.auth.allowedUserGroups
        array of strings

        An array of user groups that can access the dashboard.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

        Warning. Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

      • settings.auth.externalAuthentication
        object

        Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.

        External authentication is enabled automatically if the user-authn module is enabled.

        Warning. For security reasons, this mode only works if https.mode (global or for a module) is not set to Disabled.

        • settings.auth.externalAuthentication.authSignInURL
          string

          The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

        • settings.auth.externalAuthentication.authURL
          string

          The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

        • settings.auth.externalAuthentication.useBearerTokens
          boolean

          The dashboard must use the user ID to work with the Kubernetes API (the authentication service must return the Authorization HTTP header that contains the bearer-token – the dashboard will use this token to make requests to the Kubernetes API server).

          Default: false

      • settings.auth.whitelistSourceRanges
        array of strings

        The CIDR range for which authentication to access the dashboard is allowed.

        Example:

        whitelistSourceRanges:
- 1.1.1.1/32
    • settings.highAvailability
      boolean

      Manually enable the high availability mode.

      By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

      Example:

      highAvailability: true
    • settings.https
      object

      What certificate type to use with the dashboard.

      This parameter completely overrides the global.modules.https settings.

      Examples:

      https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

      https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for the dashboard. Currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own.

          Default: "letsencrypt"

      • settings.https.customCertificate
        object
        • settings.https.customCertificate.secretName
          string

          The name of the Secret in the d8-system namespace to use with the dashboard (this Secret must have the kubernetes.io/tls format).

          Default: "false"

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — the dashboard will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter;
        • CustomCertificate — the dashboard will use the certificate from the d8-system namespace for HTTPS;
        • Disabled — dashboard will not work in this mode;
        • OnlyInURI — the dashboard will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

        Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for the dashboard.

      By default, the modules.ingressClass global value is used.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    • settings.nodeSelector
      object

      The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

    • settings.tolerations
      array of objects

      The same as in the Pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string