The module is enabled by default in the following bundles: Default, Managed.
The module is disabled by default in the Minimal bundle.
The module is configured using the ModuleConfig custom resource named upmeter (learn more about setting up Deckhouse…).
Example of the ModuleConfig/upmeter resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: upmeter
spec:
  version: 2
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 2
- auth (object)
Required value
Configuration of authentication for Upmeter frontends.
- auth.status (object)
Required value
Authentication configuration.
- auth.status.allowedUserGroups (array of strings)
An array of user groups that can access Grafana & Prometheus.
This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.
Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- auth.status.externalAuthentication (object)
Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the NGINX auth_request module.
External authentication is enabled automatically if the user-authn module is enabled.
- auth.status.externalAuthentication.authSignInURL (string)
URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
- auth.status.externalAuthentication.authURL (string)
URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
- auth.status.whitelistSourceRanges (array of strings)
An array of CIDRs that are allowed to authenticate.
Example:
  whitelistSourceRanges:
  - 1.1.1.1/32
- auth.webui (object)
Required value
Authentication configuration.
- auth.webui.allowedUserGroups (array of strings)
An array of user groups that can access Grafana & Prometheus.
This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.
Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- auth.webui.externalAuthentication (object)
Parameters to enable external authentication. Uses the NGINX Ingress external-auth mechanism, which is based on the NGINX auth_request module.
- auth.webui.externalAuthentication.authSignInURL (string)
URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
- auth.webui.externalAuthentication.authURL (string)
URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
- auth.webui.password (string)
Password for HTTP authorization of the admin user. It is generated automatically, but you can change it.
This parameter is used if externalAuthentication is not enabled.
- auth.webui.whitelistSourceRanges (array of strings)
An array of CIDRs that are allowed to authenticate.
Example:
  whitelistSourceRanges:
  - 1.1.1.1/32
- disabledProbes (array of strings)
Group names or specific probes from a group. You can view the names in the web UI.
For example:
  disabledProbes:
  - "synthetic/api" # disable a specific probe
  - "synthetic/"    # disable a group of probes
  - control-plane   # / can be omitted
Default: []
- https (object)
What certificate type to use with webui and status apps.
This parameter completely overrides the global.modules.https settings.
Examples:
  https:
    mode: CustomCertificate
    customCertificate:
      secretName: foobar

  https:
    mode: CertManager
    certManager:
      clusterIssuerName: letsencrypt
- https.certManager (object)
- https.certManager.clusterIssuerName (string)
What ClusterIssuer to use for webui/status.
Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.
Default: "letsencrypt"
- https.customCertificate (object)
- https.customCertificate.secretName (string)
The name of the secret in the d8-system namespace to use with webui/status.
This secret must have the kubernetes.io/tls format.
Default: "false"
- https.mode (string)
The HTTPS usage mode:
  Disabled — webui/status will work over HTTP only;
  CertManager — webui/status will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
  CustomCertificate — webui/status will use HTTPS using the certificate from the d8-system namespace.
  OnlyInURI — webui/status will work over HTTP (assuming that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.
Default: "Disabled"
Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI
- nodeSelector (object)
Node selector for Upmeter server. The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.
If the parameter is omitted or false, it will be determined automatically.
Example:
  nodeSelector:
    disktype: ssd
- smokeMini (object)
Configuration of authentication for smoke-mini.
- smokeMini.auth (object)
Required value
Authentication configuration.
- smokeMini.auth.allowedUserGroups (array of strings)
An array of user groups that can access Grafana & Prometheus.
This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.
Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
- smokeMini.auth.externalAuthentication (object)
Parameters to enable external authentication. Uses the NGINX Ingress external-auth mechanism, which is based on the NGINX auth_request module.
- smokeMini.auth.externalAuthentication.authSignInURL (string)
URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
- smokeMini.auth.externalAuthentication.authURL (string)
URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
- smokeMini.auth.password (string)
Password for HTTP authorization of the admin user. It is generated automatically, but you can change it.
This parameter is used if externalAuthentication is not enabled.
- smokeMini.auth.whitelistSourceRanges (array of strings)
An array of CIDRs that are allowed to authenticate.
Example:
  whitelistSourceRanges:
  - 1.1.1.1/32
- smokeMini.https (object)
What certificate type to use with smoke-mini.
This parameter completely overrides the global.modules.https settings.
Examples:
  https:
    mode: CustomCertificate
    customCertificate:
      secretName: foobar

  https:
    mode: CertManager
    certManager:
      clusterIssuerName: letsencrypt
- smokeMini.https.certManager (object)
- smokeMini.https.certManager.clusterIssuerName (string)
What ClusterIssuer to use for smoke-mini.
Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.
Default: "letsencrypt"
- smokeMini.https.customCertificate (object)
- smokeMini.https.customCertificate.secretName (string)
The name of the secret in the d8-system namespace to use with smoke-mini.
This secret must have the kubernetes.io/tls format.
Default: "false"
- smokeMini.https.mode (string)
The HTTPS usage mode:
  Disabled — smoke-mini will work over HTTP only;
  CertManager — smoke-mini will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
  CustomCertificate — smoke-mini will use HTTPS using the certificate from the d8-system namespace.
  OnlyInURI — smoke-mini will work over HTTP (assuming that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.
Default: "Disabled"
Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI
- smokeMini.ingressClass (string)
The class of the Ingress controller used for the smoke-mini.
Optional. By default, the modules.ingressClass global value is used.
Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- smokeMini.storageClass
A StorageClass to use when checking the health of disks.
If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data.
Setting it to false forces the use of an emptyDir volume.
Default: false
Examples:
  storageClass: false

  storageClass: default
- smokeMiniDisabled (boolean)
Disables smokeMini.
Disables the “synthetic” probe group in Upmeter as well.
Default: false
- statusPageAuthDisabled (boolean)
Disables authorization for the status domain.
Default: false
- storageClass
The name of the StorageClass to use. If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data.
CAUTION! Setting this value to one that differs from the current one (in the existing PVC) will result in disk reprovisioning and data loss.
Setting it to false forces the use of an emptyDir volume.
Examples:
  storageClass: false

  storageClass: default
- tolerations (array of objects)
Node tolerations for Upmeter server. The same as in the Pods’ spec.tolerations parameter in Kubernetes.
If the parameter is omitted or false, it will be determined automatically.
Example:
  tolerations:
  - key: key1
    operator: Equal
    value: value1
    effect: NoSchedule
- tolerations.effect (string)
- tolerations.key (string)
- tolerations.operator (string)
- tolerations.tolerationSeconds (integer)
- tolerations.value (string)
Authentication
The user-authn module provides authentication by default. Alternatively, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.
Use kubectl to see the password:
kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values upmeter -o json | jq '.upmeter.internal.auth.webui.password'
Delete the Secret to re-generate the password:
kubectl -n d8-upmeter delete secret/basic-auth-webui
Use kubectl to see the password for the status page:
kubectl -n d8-system exec deploy/deckhouse -- deckhouse-controller module values upmeter -o json | jq '.upmeter.internal.auth.status.password'
Delete the Secret to re-generate the password for the status page:
kubectl -n d8-upmeter delete secret/basic-auth-status
Note! The auth.status.password and auth.webui.password parameters are deprecated.
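
The following is an added example, not code from Deckhouse: a review check over the spec.settings of ModuleConfig/upmeter that flags the security-relevant values described in the Parameters and Authentication sections (disabled status-page authorization, HTTP-only modes, deprecated password parameters, invalid or catch-all whitelistSourceRanges). The function name audit_upmeter, the finding texts and the sample settings are assumptions made for this illustration.

```python
import ipaddress

# Where each auth/https block lives under spec.settings (paths from this page).
AUTH_PATHS = {"auth.webui": ("auth", "webui"), "auth.status": ("auth", "status"),
              "smokeMini.auth": ("smokeMini", "auth")}
HTTPS_PATHS = {"https": ("https",), "smokeMini.https": ("smokeMini", "https")}
DEPRECATED_PASSWORDS = {"auth.webui", "auth.status"}  # per the note on this page

def _get(node, path):
    """Walk nested dicts; return {} when any level is missing or not a dict."""
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    return node if isinstance(node, dict) else {}

def audit_upmeter(settings):
    """Return (parameter, finding) pairs for spec.settings of ModuleConfig/upmeter."""
    findings = []
    if settings.get("statusPageAuthDisabled") is True:
        findings.append(("statusPageAuthDisabled", "status domain has no authorization"))
    for name, path in HTTPS_PATHS.items():
        mode = _get(settings, path).get("mode")  # unset: global.modules.https applies
        if mode == "Disabled":
            findings.append((f"{name}.mode", "HTTP only: credentials are sent unencrypted"))
        elif mode == "OnlyInURI":
            findings.append((f"{name}.mode", "HTTP behind a balancer: verify TLS ends there"))
    for name, path in AUTH_PATHS.items():
        auth = _get(settings, path)
        if name in DEPRECATED_PASSWORDS and "password" in auth:
            findings.append((f"{name}.password", "deprecated: password kept in ModuleConfig"))
        for cidr in auth.get("whitelistSourceRanges") or []:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((f"{name}.whitelistSourceRanges", f"{cidr!r} is not a valid CIDR"))
                continue
            if net.prefixlen == 0:
                findings.append((f"{name}.whitelistSourceRanges", f"{cidr} allows every source"))
    return findings

# Constructed sample settings (not taken from a real cluster).
SAMPLE = {
    "statusPageAuthDisabled": True,
    "https": {"mode": "Disabled"},
    "auth": {"webui": {"password": "example-only",
                       "whitelistSourceRanges": ["0.0.0.0/0", "10.0.0.0/8"]}},
    "smokeMini": {"https": {"mode": "CertManager"},
                  "auth": {"whitelistSourceRanges": ["1.1.1.1/33"]}},
}

if __name__ == "__main__":
    for param, finding in audit_upmeter(SAMPLE):
        print(f"{param}: {finding}")
```

The input is the settings object of the resource, for example the .spec.settings field of the JSON printed by kubectl get moduleconfig upmeter -o json.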