Available with limitations in: CE, BE, SE
Available without limitations in: SE+, EE
Schema version: 1
-
objectauthAuthentication configuration.
Default:
{}-
array of stringsauth.allowedUserGroups
An array of user groups that can access the web UI.
This parameter is used if the user-authn module is enabled or the
externalAuthenticationparameter is set.Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
-
objectauth.externalAuthentication
Parameters to enable external authentication. Uses Nginx Ingress external-auth mechanism which is based on the the Nginx auth_request module.
Note! External authentication is enabled automatically if the user-authn module is enabled.
Default:
{}-
stringauth.externalAuthentication.authSignInURLURL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
-
stringauth.externalAuthentication.authURLURL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
-
-
stringauth.passwordDeprecated
This parameter is ignored and will be removed in future releases.
It was used for http authorization of the
adminuser, if the user-authn module was disabled or theexternalAuthenticationparameter was not set.Now the external authentication is required for Deckhouse Commander to function properly.
-
array of stringsauth.whitelistSourceRangesAn array if CIDRs that are allowed to authenticate.
Example:
whitelistSourceRanges: - 1.1.1.1/32
-
-
objectfeatureFlagsA parameter used to control experimental features.
Default:
{} -
booleanhighAvailability
Manually enable the high availability mode.
By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.
Examples:
highAvailability: truehighAvailability: false -
objecthttps
What certificate type to use with the web UI.
This parameter completely overrides the
global.modules.httpssettings.Examples:
customCertificate: secretName: foobar mode: CustomCertificatecertManager: clusterIssuerName: letsencrypt mode: CertManager-
objecthttps.certManager
Default:
{}-
stringhttps.certManager.clusterIssuerName
What ClusterIssuer to use for the web UI.
Currently,
letsencrypt,letsencrypt-staging,selfsignedare available. Also, you can define your own.Default:
letsencrypt
-
-
objecthttps.customCertificate
Default:
{}-
stringhttps.customCertificate.secretName
The name of the secret in the
d8-systemnamespace to use with the web UI.This secret must have the kubernetes.io/tls format.
Default:
false
-
-
stringhttps.mode
The HTTPS usage mode:
Disabled— in this mode, the web UI can only be accessed over HTTP. Caution! This mode is not supported. HTTPS is required for the module to function properly. If HTTPS is disabled, the web UI will be unavailable.CertManager— the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in thecertManager.clusterIssuerNameparameter.CustomCertificate— the web UI is accessed over HTTPS using the certificate from thed8-systemnamespace.OnlyInURI— the web UI will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in theuser-authnwill be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.
Allowed values:
Disabled,CertManager,CustomCertificate,OnlyInURI
-
-
stringingressClass
The class of the Ingress controller used for the web UI.
An optional parameter. By default, the
modules.ingressClassglobal value is used.Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$Example:
ingressClass: nginx -
objectnodeSelector
The same as in the Pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.Example:
disktype: ssd -
objectpostgres
Default:
{}-
objectpostgres.external
-
stringpostgres.external.dbDatabase name
-
stringpostgres.external.hostServer address
-
stringpostgres.external.passwordUser password
-
stringpostgres.external.portServer port
-
objectpostgres.external.ssl
-
stringpostgres.external.ssl.secretName
The name of the secret in the
d8-commandernamespace which contains client certificate for certificate authentication on the PostgreSQL server.Example of creating a secret:
kubectl -n d8-commander create secret generic postgres-ssl --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=ca.crt
-
-
stringpostgres.external.userUser name
-
-
objectpostgres.internal
Default:
{}-
integerpostgres.internal.diskSizeGigabytes
Disk size for PostgreSQL database in gigabytes.
You should manually specify the desired disk size for the PostgreSQL database, but you can increase it later if necessary.
The extended-monitoring module automatically monitors the percentage of used disk space.
CAUTION! If the PostgreSQL data storage becomes full, the application may stop working.
Default:
2 -
stringpostgres.internal.storageClass
The name of the StorageClass to use.
If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or
global.discovery.defaultStorageClassis used.Refer to the documentation section Changing the storage class if you want to change this value.
Examples:
storageClass: ceph-ssdstorageClass: network-ssd
-
-
stringpostgres.mode
The PostgreSQL usage mode:
Internal— PostgreSQL is deployed in a cluster and managed using the postgres-operator.External- an external PostgreSQL installation managed by the user is used.
Default:
InternalAllowed values:
Internal,External
-
-
array of objectstolerations
The same as in the Pods’
spec.tolerationsparameter in Kubernetes;If the parameter is omitted or
false, it will be determined automatically.Example:
tolerations: - effect: NoSchedule key: key1 operator: Equal value: value1-
stringtolerations.effect
-
stringtolerations.key
-
stringtolerations.operator
-
integertolerations.tolerationSeconds
-
stringtolerations.value
-