Available with limitations in CE, BE, SE, SE+, EE, CSE Lite (1.73), CSE Pro (1.73)

The module lifecycle stageGeneral Availability
The module has requirements for installation

How to explicitly enable the module…

Warning. Enabling and disabling the module has some specific features. Read more in the module setup documentation.

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the stronghold module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example:

    Module enable/disable interface

  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable stronghold

  • Using ModuleConfig stronghold.

    Set spec.enabled to true or false in ModuleConfig stronghold (create it if necessary);

    Example of a manifest to enable module stronghold:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: stronghold
spec:
  enabled: true

How to configure the module…

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the stronghold module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example:

    Module Setup Interface

    You can also edit the ModuleConfig object stronghold on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module stronghold) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig stronghold (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc stronghold

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a file with manifest for ModuleConfig stronghold using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig stronghold:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: stronghold
spec:
  version: 1
  enabled: true
  settings: # Module parameters from the "Parameters" section below.

How to change the module release channel…

To change the module release channel, follow the instruction.

Requirements

To the Deckhouse version: 1.72 and above.

Parameters

Schema version: 1

  • settings
    object
    • settings.diskSizeGigabytes
      integer
      The size of the disk for storage or PVC when specifying the storageClass parameters. For HA configurations, automatic increase and decrease of the disk size is supported. For one-node Stronghold configurations, only increase of the PVC size is supported. Make sure the specified value is sufficient for storing Stronghold data. The extended-monitoring module automatically monitors the percentage of used disk space.

      Default: 1

    • settings.enableAuditLog
      boolean
      Enables audit log (EE only feature).

      Example: 


      enableAuditLog: true
    • settings.enableUserInterface
      boolean
      Enables User Interface.

      Default: true

      Example: 


      enableUserInterface: false
    • settings.https
      object

      What certificate type to use with Stronghold.

      This parameter completely overrides the global.modules.https settings.

      Examples: 


      customCertificate:
  secretName: stronghold-tls
mode: CustomCertificate

      certManager:
  clusterIssuerName: letsencrypt
mode: CertManager
      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for Stronghold.

          Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

          Default: letsencrypt

      • settings.https.customCertificate
        object

        Default: {}

        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with Stronghold.

          This secret must have the kubernetes.io/tls format.

          Default: false

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — Stronghold will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — Stronghold will use HTTPS using the certificate from the d8-system namespace.

        Default: CertManager

        Allowed values: CertManager, CustomCertificate

    • settings.ingress
      object

      Default: {}

      • settings.ingress.class
        string

        The class of the Ingress controller used for Stronghold.

        An optional parameter. By default, the modules.ingressClass global value is used.

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        Example: 


        class: public
    • settings.inlet
      string

      The way the connection to Stronghold is implemented.

      The following inlet types are supported:

      • Ingress — access via ingress-nginx controller.

      Default: Ingress

      Allowed values: Ingress

    • settings.license
      string

      Stronghold EE License key.

      Leave empty to use Stronghold CE.

      Default: ‘’

    • settings.management
      object

      Default: {}

      • settings.management.administrators
        array of objects
        A list of users and groups that can access Stronghold as administrators. Other authenticated users will access Stronghold with default policy.

        Example: 


        administrators:
- name: admins
  type: Group
- name: security
  type: Group
- name: manager@mycompany.tld
  type: User
        • settings.management.administrators.name
          string
        • settings.management.administrators.type
          string

          Allowed values: Group, User

      • settings.management.mode
        string
        Enables Stronghold auto-init and auto-unseal. The root token is stored in the stronghold-keys Secret.

        Default: Automatic

        Allowed values: Automatic

        Example: 


        mode: Automatic
    • settings.nodeSelector
      object
      The same as the Pods’ spec.nodeSelector parameter in Kubernetes. If the parameter is omitted or false, Stronghold will be placed on control-plane nodes.

      Example: 


      node-role.kubernetes.io/stronghold: ''
    • settings.plugins
      array of objects
      List of plugins to load into Stronghold. Each plugin is verified by SHA256 checksum.

      Example: 


      plugins:
- ignoreFailure: false
  name: vault-plugin-secrets-github
  sha256: 72cb1f2775ee2abf12ffb725e469d0377fe7bbb93cd7aaa6921c141eddecab87
  url: https://github.com/martinbaillie/vault-plugin-secrets-github/releases/download/v2.3.2/vault-plugin-secrets-github-linux-amd64
      • settings.plugins.ca
        string
        PEM-encoded CA certificate(s) used to verify the HTTPS server for this plugin’s URL. If set, only this CA is trusted (not system CAs).
      • settings.plugins.ignoreFailure
        boolean
        If true, failure to download or verify this plugin does not block Stronghold startup, but the plugin functionality will not be available.

        Default: false

      • settings.plugins.insecureSkipVerify
        boolean
        If true, TLS server certificate is not verified for this plugin’s URL.

        Default: false

      • settings.plugins.name
        string
        Filename of the plugin binary after download.
      • settings.plugins.sha256
        string
        SHA256 checksum of the file. Download is rejected if the checksum does not match. This will block Stronghold startup unless ignoreFailure is set.

        Pattern: ^[a-fA-F0-9]{64}$

      • settings.plugins.url
        string
        URL to download the plugin binary (http or https, domain, path and filename). If the file is unavailable, this will block Stronghold startup unless ignoreFailure is set.

        Pattern: ^https?://[a-zA-Z0-9][-a-zA-Z0-9.]*[a-zA-Z0-9](/[^/]+)*/[^/.]+$

    • settings.storageClass
      string

      The name of StorageClass that will be used.

      By default Stronghold keeps data in local storage on master nodes.

      If you change this parameter, a gradual data transfer will be performed to the new StorageClass if using a HA Stronghold configuration.

      For one-node Stronghold configurations, this parameter is only considered when the module is first started.

      If you need to change the StorageClass in a one-node Stronghold configuration, you can do this through backup/restore and disabling/enabling the module. In this case, don’t forget to save the unseal keys as described in the documentation.

      When changing this parameter, make sure the value specified in diskSizeGigabytes is sufficient for storing Stronghold data.

      Default: ‘’

      Examples: 


      storageClass: ssd

      storageClass: ceph-rbd
    • settings.tolerations
      array of objects
      The same as the Pods’ spec.tolerations parameter in Kubernetes. If the parameter is omitted or false, tolerations will be determined automatically.
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string