The module does not have any mandatory parameters.
The module is enabled by default in the following bundles: Default
, Managed
.
The module is disabled by default in the Minimal
bundle.
The module is configured using the ModuleConfig custom resource named dashboard
(learn more about setting up Deckhouse…).
Example of the ModuleConfig/dashboard
resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: dashboard
spec:
version: 1
enabled: true
settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- accessLevelstring
The level of access to the dashboard if the
user-authn
module is disabled and noexternalAuthentication
is configured. See supported values in the user-authz documentation.By default,
User
level is used.Use
user-authz
module settings to configure access if theuser-authn
module is enabled orexternalAuthentication
is configured.Default:
"User"
Allowed values:
User
,PrivilegedUser
,Editor
,Admin
,ClusterEditor
,ClusterAdmin
,SuperAdmin
- authobject
Options related to authentication or authorization in the application.
- auth.allowScaleboolean
Activate ability to scale Deployment and StatefulSet from the web interface.
This parameter has no effect if the
externalAuthentication
is enabled. - auth.externalAuthenticationobject
Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.
Note! External authentication is enabled automatically if the user-authn module is enabled.
- auth.externalAuthentication.authSignInURLstring
The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
- auth.externalAuthentication.authURLstring
The URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
- auth.externalAuthentication.useBearerTokensboolean
The dashboard must use the user ID to work with the Kubernetes API (the authentication service must return the Authorization HTTP header that contains the bearer-token – the dashboard will use this token to make requests to the Kubernetes API server).
Default value is false.
Caution! For security reasons, this mode only works if
https.mode
(global or for a module) is not set toDisabled
;
- auth.externalAuthentication.authSignInURLstring
- auth.whitelistSourceRangesarray of strings
The CIDR range for which authentication to access the dashboard is allowed.
- auth.allowScaleboolean
- highAvailabilityboolean
Manually enable the high availability mode.
By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.
Example:
highAvailability: true
- httpsobject
What certificate type to use with the dashboard.
This parameter completely overrides the
global.modules.https
settings.Examples:
https: mode: CustomCertificate customCertificate: secretName: foobar
https: mode: CertManager certManager: clusterIssuerName: letsencrypt
- https.certManagerobject
- https.certManager.clusterIssuerNamestring
What ClusterIssuer to use for the dashboard. Currently,
letsencrypt
,letsencrypt-staging
,selfsigned
are available; also, you can define your own.Default:
"letsencrypt"
- https.certManager.clusterIssuerNamestring
- https.customCertificateobject
- https.customCertificate.secretNamestring
The name of the Secret in the
d8-system
namespace to use with the dashboard (this Secret must have the kubernetes.io/tls format).Default:
"false"
- https.customCertificate.secretNamestring
- https.modestring
The HTTPS usage mode:
CertManager
— the dashboard will use HTTPS and get a certificate from the ClusterIssuer defined in thecertManager.clusterIssuerName
parameter.CustomCertificate
— the dashboard will use the certificate from thed8-system
namespace for HTTPS.Disabled
— in this mode, the dashboard works over HTTP only.OnlyInURI
— the dashboard will work over HTTP (thinking that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.
Allowed values:
Disabled
,CertManager
,CustomCertificate
,OnlyInURI
- https.certManagerobject
- ingressClassstring
The class of the Ingress controller used for the dashboard.
By default, the
modules.ingressClass
global value is used.Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- nodeSelectorobject
The same as in the Pods’
spec.nodeSelector
parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically. - tolerationsarray of objects
The same as in the Pods’
spec.tolerations
parameter in Kubernetes.If the parameter is omitted or
false
, it will be determined automatically.- tolerations.effectstring
- tolerations.keystring
- tolerations.operatorstring
- tolerations.tolerationSecondsinteger
- tolerations.valuestring
Authentication
user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.
Use kubectl to see password:
kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values dashboard -o json | jq '.dashboard.internal.auth.password'
Delete the Secret to re-generate password:
kubectl -n d8-dashboard delete secret/basic-auth
Note! The
auth.password
parameter is deprecated.