The module lifecycle stage: General Availability
Available with limitations in: BE, SE, SE+, EE, CSE Lite (1.67), CSE Pro (1.67)
How to explicitly enable the module…
You may explicitly enable or disable the module in one of the following ways:
-
Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
strongholdmodule and enable (or disable) the “Module enabled” toggle. Save changes.Example:
-
Via Deckhouse CLI (d8).
Use the d8 system module enable command for enabling, or d8 system module disable command for disabling the module (you need Deckhouse CLI (d8), configured to work with the cluster).
Example of enabling the module:
d8 system module enable stronghold -
Using ModuleConfig
stronghold.Set
spec.enabledtotrueorfalsein ModuleConfigstronghold(create it if necessary);Example of a manifest to enable module
stronghold:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: stronghold spec: enabled: true
You can configure the module in one of the following ways:
-
Via Deckhouse web UI.
In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the
strongholdmodule and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.Example:
You can also edit the ModuleConfig object
strongholdon the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the modulestronghold) by specifying the schema version in thespec.versionparameter and the necessary module parameters in thespec.settingssection. -
Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).
Edit the existing ModuleConfig
stronghold(for more details on configuring Deckhouse, see the documentation) by executing the following command:d8 k edit mc strongholdMake the necessary changes in the
spec.settingssection. If necessary, specify the schema version in thespec.versionparameter. Save the changes.You can also create a file with manifest for ModuleConfig
strongholdusing the example below. Fill in thespec.settingssection with the required module parameters. If necessary, specify the schema version in thespec.versionparameter.Apply the manifest using the following command (indicate the manifest file name):
d8 k apply -f <FILENAME>Example of a manifest for ModuleConfig
stronghold:apiVersion: deckhouse.io/v1alpha1 kind: ModuleConfig metadata: name: stronghold spec: version: 1 enabled: true settings: # Module parameters from the "Parameters" section below.
Requirements
To the Deckhouse version: 1.71 and above.
Parameters
Schema version: 1
-
-
booleansettings.enableAuditLogEnables audit log (EE only feature).
Example:
enableAuditLog: true -
booleansettings.enableUserInterfaceEnables User Interface.
Default:
trueExample:
enableUserInterface: false -
objectsettings.https
What certificate type to use with Stronghold.
This parameter completely overrides the
global.modules.httpssettings.Examples:
customCertificate: secretName: stronghold-tls mode: CustomCertificatecertManager: clusterIssuerName: letsencrypt mode: CertManager-
objectsettings.https.certManager
-
stringsettings.https.certManager.clusterIssuerName
What ClusterIssuer to use for Stronghold.
Currently,
letsencrypt,letsencrypt-staging,selfsignedare available. Also, you can define your own.Default:
letsencrypt
-
-
objectsettings.https.customCertificate
Default:
{}-
stringsettings.https.customCertificate.secretName
The name of the secret in the
d8-systemnamespace to use with Stronghold.This secret must have the kubernetes.io/tls format.
Default:
false
-
-
stringsettings.https.mode
The HTTPS usage mode:
CertManager— Stronghold will use HTTPS and get a certificate from the clusterissuer defined in thecertManager.clusterIssuerNameparameter.CustomCertificate— Stronghold will use HTTPS using the certificate from thed8-systemnamespace.
Default:
CertManagerAllowed values:
CertManager,CustomCertificate
-
-
objectsettings.ingress
Default:
{}-
stringsettings.ingress.class
The class of the Ingress controller used for Stronghold.
An optional parameter. By default, the
modules.ingressClassglobal value is used.Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$Example:
class: public
-
-
stringsettings.inlet
The way the connection to Stronghold is implemented.
The following inlet types are supported:
Ingress— access via ingress-nginx controller.
Default:
IngressAllowed values:
Ingress -
stringsettings.licenseStronghold EE License key. Leave empty to use Stronghold CE
Default:
-
objectsettings.management
Default:
{}-
array of objectssettings.management.administratorsAn list of users and groups that can access Stronghold as administrators. Other authenticated users will access Stronghold with default policy.
Example:
administrators: - name: admins type: Group - name: security type: Group - name: manager@mycompany.tld type: User-
stringsettings.management.administrators.name
-
stringsettings.management.administrators.type
Allowed values:
Group,User
-
-
stringsettings.management.modeAutomatic - enable Stronghold auto-init and auto-unseal. Root token will be stored in
stronghold-keysSecret resourceDefault:
AutomaticAllowed values:
AutomaticExample:
mode: Automatic
-
-