The module lifecycle stageGeneral Availability

Available with limitations in CE, BE

Available without limitations in:  SE, SE+, EE

How to explicitly enable the module…

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the console module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example:

    Module enable/disable interface

  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable console

  • Using ModuleConfig console.

    Set spec.enabled to true or false in ModuleConfig console (create it if necessary);

    Example of a manifest to enable module console:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: console
spec:
  enabled: true

How to configure the module…

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the console module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example:

    Module Setup Interface

    You can also edit the ModuleConfig object console on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module console) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig console (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc console

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a file with manifest for ModuleConfig console using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig console:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: console
spec:
  version: 1
  enabled: true
  settings: # Module parameters from the "Parameters" section below.

Requirements

To the Deckhouse version: 1.71 and above.

Parameters

Schema version: 1

  • settings
    object
    • settings.allowAnyoneToRuleTheCluster
      Deprecated
      boolean
      This parameter is ignored. It will be removed in future releases. It was used to skip user permissions, so any user would have highest possible privileges in the UI.

      Default: false

    • settings.auth
      object
      Authentication configuration.

      Default: {}

      • settings.auth.allowedUserGroups
        array of strings

        An array of user groups that can access the web UI.

        This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

        Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

      • settings.auth.externalAuthentication
        object
        Parameters to enable external authentication. Uses Nginx Ingress external-auth mechanism which is based on the the Nginx auth_request module.
        • settings.auth.externalAuthentication.authSignInURL
          string
          URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
        • settings.auth.externalAuthentication.authURL
          string
          URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
        • settings.auth.externalAuthentication.useBearerTokens
          boolean

          The console must use the user ID to work with the Kubernetes API (the authentication service must return the Authorization HTTP header that contains the bearer-token – the console will use this token to make requests to the Kubernetes API server).

          Default value is true.

          Caution! For security reasons, this mode only works if https.mode (global or for a module) is not set to Disabled.

      • settings.auth.password
        Deprecated
        string

        This parameter is ignored and will be removed in future releases.

        It was used for http authorization of the admin user, if the user-authn module was disabled or the externalAuthentication parameter was not set.

        Now the external authentication is required for module to function properly.

      • settings.auth.sessionTTL
        string

        User session will be kept for specified amount of time even if user will not log in.

        Specified with s, m or h suffix.

        Default: 24h

      • settings.auth.whitelistSourceRanges
        array of strings
        An array if CIDRs that are allowed to authenticate.

        Example: 


        whitelistSourceRanges:
- 1.1.1.1/32
    • settings.externalWebsocketPort
      integer
      External port for WebSocket protocol requests. If WebSocket traffic goes through a proxy server before reaching the backend, the frontend application will use this to connect to the proxy server.

      Allowed values: 1 <= X <= 65535

    • settings.highAvailability
      boolean

      Manually enable the high availability mode.

      By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

      Examples: 


      highAvailability: true

      highAvailability: false
    • settings.https
      object

      What certificate type to use with frontend and status apps.

      This parameter completely overrides the global.modules.https settings.

      Examples: 


      customCertificate:
  secretName: foobar
mode: CustomCertificate

      certManager:
  clusterIssuerName: letsencrypt
mode: CertManager
      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for frontend.

          Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

          Default: letsencrypt

      • settings.https.customCertificate
        object

        Default: {}

        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with frontend.

          This secret must have the kubernetes.io/tls format.

          Default: false

      • settings.https.mode
        string

        The HTTPS usage mode:

        • Disabled — in this mode, the web UI can only be accessed over HTTP. Caution! This mode is not supported. HTTPS is required for the module to function properly. If HTTPS is disabled, the web UI will be unavailable.
        • CertManager — frontend will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — frontend will use HTTPS using the certificate from the d8-system namespace.
        • OnlyInURI — frontend will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

        Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for the web UI.

      An optional parameter. By default, the modules.ingressClass global value is used.

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

      Example: 


      ingressClass: nginx
    • settings.nodeSelector
      object

      Node selector for frontend and backend pods. The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example: 


      disktype: ssd
    • settings.tolerations
      array of objects

      Node tolerations for frontend and backend pods. The same as in the Pods’ spec.tolerations parameter in Kubernetes;

      If the parameter is omitted or false, it will be determined automatically.

      Example: 


      tolerations:
- effect: NoSchedule
  key: key1
  operator: Equal
  value: value1
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string