The upmeter module: configuration

Schema version: 2

• authobject

  Required value

  Configuration of authentication for Upmeter frontends.

  • auth.statusobject

    Required value

    Authentication configuration.

    • auth.status.allowedUserGroupsarray of strings

      An array of user groups that can access Grafana & Prometheus.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • auth.status.externalAuthenticationobject

      Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the NGINX auth_request module.

      External authentication is enabled automatically if the user-authn module is enabled.

      • auth.status.externalAuthentication.authSignInURLstring

        URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      • auth.status.externalAuthentication.authURLstring

        URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

    • auth.status.whitelistSourceRangesarray of strings

      An array if CIDRs that are allowed to authenticate.

      Example:

      whitelistSourceRanges:
      - 1.1.1.1/32
      

  • auth.webuiobject

    Required value

    Authentication configuration.

    • auth.webui.allowedUserGroupsarray of strings

      An array of user groups that can access Grafana & Prometheus.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • auth.webui.externalAuthenticationobject

      Parameters to enable external authentication. Uses NGINX Ingress external-auth mechanism which is based on the the NGINX auth_request module.

      • auth.webui.externalAuthentication.authSignInURLstring

        URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      • auth.webui.externalAuthentication.authURLstring

        URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

    • auth.webui.passwordstring

      Password for http authorization of the admin user. It is generated automatically, but you can change it.

      This parameter is used if the externalAuthentication is not enabled.

    • auth.webui.whitelistSourceRangesarray of strings

      An array if CIDRs that are allowed to authenticate.

      Example:

      whitelistSourceRanges:
      - 1.1.1.1/32
      

• disabledProbesarray of strings

  Group names or specific probes from a group. You can view the names in the web UI.

  For example:

  disabledProbes:
    - "synthetic/api" # disable a specific probe
    - "synthetic/"    # disable a group of probes
    - control-plane   # / can be omitted
  

  Default: []

• httpsobject

  What certificate type to use with webui and status apps.

  This parameter completely overrides the global.modules.https settings.

  Examples:

  https:
    mode: CustomCertificate
    customCertificate:
      secretName: foobar
  

  https:
    mode: CertManager
    certManager:
      clusterIssuerName: letsencrypt
  

  • https.certManagerobject
    • https.certManager.clusterIssuerNamestring

      What ClusterIssuer to use for webui/status.

      Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

      Default: "letsencrypt"

  • https.customCertificateobject
    • https.customCertificate.secretNamestring

      The name of the secret in the d8-system namespace to use with webui/status.

      This secret must have the kubernetes.io/tls format.

      Default: "false"

  • https.modestring

    The HTTPS usage mode:

    • Disabled — webui/status will work over HTTP only;
    • CertManager — webui/status will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
    • CustomCertificate — webui/status will use HTTPS using the certificate from the d8-system namespace.
    • OnlyInURI — webui/status will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

    Default: "Disabled"

    Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

• nodeSelectorobject

  Node selector for Upmeter server. The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

  If the parameter is omitted or false, it will be determined automatically.

  Example:

  nodeSelector:
    disktype: ssd
  

• smokeMiniobject

  Configuration of authentication for smoke-mini.

  • smokeMini.authobject

    Required value

    Authentication configuration.

    • smokeMini.auth.allowedUserGroupsarray of strings

      An array of user groups that can access Grafana & Prometheus.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • smokeMini.auth.externalAuthenticationobject

      Parameters to enable external authentication. Uses NGINX Ingress external-auth mechanism which is based on the the NGINX auth_request module.

      • smokeMini.auth.externalAuthentication.authSignInURLstring

        URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

      • smokeMini.auth.externalAuthentication.authURLstring

        URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

    • smokeMini.auth.passwordstring

      Password for http authorization of the admin user. It is generated automatically, but you can change it.

      This parameter is used if the externalAuthentication is not enabled.

    • smokeMini.auth.whitelistSourceRangesarray of strings

      An array if CIDRs that are allowed to authenticate.

      Example:

      whitelistSourceRanges:
      - 1.1.1.1/32
      

  • smokeMini.httpsobject

    What certificate type to use with smoke-mini.

    This parameter completely overrides the global.modules.https settings.

    Examples:

    https:
      mode: CustomCertificate
      customCertificate:
        secretName: foobar
    

    https:
      mode: CertManager
      certManager:
        clusterIssuerName: letsencrypt
    

    • smokeMini.https.certManagerobject
      • smokeMini.https.certManager.clusterIssuerNamestring

        What ClusterIssuer to use for smoke-mini.

        Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

        Default: "letsencrypt"

    • smokeMini.https.customCertificateobject
      • smokeMini.https.customCertificate.secretNamestring

        The name of the secret in the d8-system namespace to use with smoke-mini.

        This secret must have the kubernetes.io/tls format.

        Default: "false"

    • smokeMini.https.modestring

      The HTTPS usage mode:

      • Disabled — smoke-mini will work over HTTP only;
      • CertManager — smoke-mini will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
      • CustomCertificate — smoke-mini will use HTTPS using the certificate from the d8-system namespace.
      • OnlyInURI — smoke-mini will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

      Default: "Disabled"

      Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

  • smokeMini.ingressClassstring

    The class of the Ingress controller used for the smoke-mini.

    Optional. By default, the modules.ingressClass global value is used

    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

  • smokeMini.storageClass

    A StorageClass to use when checking the health of disks.

    If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data.

    Setting it to false forces the use of an emptyDir volume.

    Default: false

    Examples:

    storageClass: false
    

    storageClass: default
    

• smokeMiniDisabledboolean

  Disables smokeMini.

  Disables “synthetic” probe group in Upmeter as well.

  Default: false

• statusPageAuthDisabledboolean

  Disables authorization for the status domain.

  Default: false

• storageClass

  The name of the StorageClass to use. If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data.

  CAUTION! Setting this value to one that differs from the current one (in the existing PVC) will result in disk reprovisioning and data loss.

  Setting it to false forces the use of an emptyDir volume.

  Examples:

  storageClass: false
  

  storageClass: default
  

• tolerationsarray of objects

  Node tolerations for Upmeter server. The same as in the Pods’ spec.tolerations parameter in Kubernetes;

  If the parameter is omitted or false, it will be determined automatically.

  Example:

  tolerations:
  - key: key1
    operator: Equal
    value: value1
    effect: NoSchedule
  

  • tolerations.effectstring
  • tolerations.keystring
  • tolerations.operatorstring
  • tolerations.tolerationSecondsinteger
  • tolerations.valuestring