The module lifecycle stage: General Availability

Available with limitations in BE, SE, SE+, EE, CSE Lite (1.67), CSE Pro (1.67)

How to explicitly enable the module

Warning. Enabling and disabling this module has module-specific behaviour. Read more in the module setup documentation.

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the stronghold module and enable (or disable) the “Module enabled” toggle. Save changes.

    Example: screenshot of the module enable/disable interface.
  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command to enable the module, or d8 system module disable to disable it (this requires Deckhouse CLI (d8) configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable stronghold
  • Using ModuleConfig stronghold.

    Set spec.enabled to true or false in ModuleConfig stronghold (create it if necessary).

    Example of a manifest to enable module stronghold:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: stronghold
    spec:
      enabled: true

How to configure the module

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the stronghold module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    Example: screenshot of the module setup interface.

    You can also edit the ModuleConfig object stronghold on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module stronghold) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig stronghold (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc stronghold

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a manifest file for ModuleConfig stronghold using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>

    Example of a manifest for ModuleConfig stronghold:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: stronghold
    spec:
      version: 1
      enabled: true
      settings: # Module parameters from the "Parameters" section below.

How to change the module release channel

To change the module release channel, follow the instructions.

Requirements

Deckhouse version: 1.71 and above.

Parameters

Schema version: 1

  • settings
    object
    • settings.enableAuditLog
      boolean
      Enables the audit log (EE-only feature).

      Example:

      enableAuditLog: true

    • settings.enableUserInterface
      boolean
      Enables User Interface.

      Default: true

      Example:

      enableUserInterface: false

    • settings.https
      object

      What certificate type to use with Stronghold.

      This parameter completely overrides the global.modules.https settings.

      Examples:

      mode: CustomCertificate
      customCertificate:
        secretName: stronghold-tls

      mode: CertManager
      certManager:
        clusterIssuerName: letsencrypt

      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for Stronghold.

          Currently, letsencrypt, letsencrypt-staging and selfsigned are available. You can also define your own.

          Default: letsencrypt

      • settings.https.customCertificate
        object

        Default: {}

        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with Stronghold.

          This secret must have the kubernetes.io/tls format.

          Default: false

      • settings.https.mode
        string

        The HTTPS usage mode:

        • CertManager — Stronghold will use HTTPS and obtain a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — Stronghold will use HTTPS with the certificate from the secret named in customCertificate.secretName in the d8-system namespace.

        Default: CertManager

        Allowed values: CertManager, CustomCertificate

    • settings.ingress
      object

      Default: {}

      • settings.ingress.class
        string

        The class of the Ingress controller used for Stronghold.

        An optional parameter. By default, the modules.ingressClass global value is used.

        Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

        Example:

        class: public

    • settings.inlet
      string

      The way the connection to Stronghold is implemented.

      The following inlet types are supported:

      • Ingress — access via ingress-nginx controller.

      Default: Ingress

      Allowed values: Ingress

    • settings.license
      string
      Stronghold EE license key. Leave empty to use Stronghold CE.

      Default: empty string

    • settings.management
      object

      Default: {}

      • settings.management.administrators
        array of objects
        A list of users and groups that can access Stronghold as administrators. Other authenticated users access Stronghold with the default policy.

        Example:

        administrators:
        - name: admins
          type: Group
        - name: security
          type: Group
        - name: manager@mycompany.tld
          type: User

        • settings.management.administrators.name
          string
        • settings.management.administrators.type
          string

          Allowed values: Group, User

      • settings.management.mode
        string
        Automatic: enables Stronghold auto-init and auto-unseal. The root token is stored in the stronghold-keys Secret resource.

        Default: Automatic

        Allowed values: Automatic

        Example:

        mode: Automatic

    • settings.plugins
      array of objects
      List of plugins to load into Stronghold. Each plugin is verified by SHA256 checksum.

      Example:

      plugins:
      - ignoreFailure: false
        name: vault-plugin-secrets-github
        sha256: 72cb1f2775ee2abf12ffb725e469d0377fe7bbb93cd7aaa6921c141eddecab87
        url: https://github.com/martinbaillie/vault-plugin-secrets-github/releases/download/v2.3.2/vault-plugin-secrets-github-linux-amd64

      • settings.plugins.ca
        string
        PEM-encoded CA certificate(s) used to verify the HTTPS server for this plugin's URL. If set, only this CA is trusted (not system CAs).
      • settings.plugins.ignoreFailure
        boolean
        If true, failure to download or verify this plugin does not block Stronghold startup, but the plugin functionality will not be available.

        Default: false

      • settings.plugins.insecureSkipVerify
        boolean
        If true, the TLS server certificate is not verified for this plugin's URL.

        Default: false

      • settings.plugins.name
        string
        Filename of the plugin binary after download.
      • settings.plugins.sha256
        string
        SHA256 checksum of the file. The download is rejected if the checksum does not match, which blocks Stronghold startup unless ignoreFailure is set.

        Pattern: ^[a-fA-F0-9]{64}$

      • settings.plugins.url
        string
        URL to download the plugin binary from (http or https scheme, domain, path and filename). If the file is unavailable, Stronghold startup is blocked unless ignoreFailure is set.

        Pattern: ^https?://[a-zA-Z0-9][-a-zA-Z0-9.]*[a-zA-Z0-9](/[^/]+)*/[^/.]+$
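The checksum and TLS rules for settings.plugins above, as an added Python example that is not part of the Deckhouse or Stronghold code: it checks a plugins entry against the documented sha256 and url patterns, flags insecureSkipVerify as a finding, and applies the sha256/ignoreFailure policy to constructed bytes. The plugin bytes, hostname and entries are constructed placeholders, not real artifacts.

```python
import hashlib
import re

# Patterns copied from the settings.plugins.sha256 and settings.plugins.url parameters above.
SHA256_RE = re.compile(r"^[a-fA-F0-9]{64}$")
URL_RE = re.compile(r"^https?://[a-zA-Z0-9][-a-zA-Z0-9.]*[a-zA-Z0-9](/[^/]+)*/[^/.]+$")


def review_entry(entry):
    """Static review of one settings.plugins item: schema patterns plus a TLS finding."""
    findings = []
    if not SHA256_RE.match(entry.get("sha256", "")):
        findings.append("sha256: must be 64 hex characters")
    if not URL_RE.match(entry.get("url", "")):
        findings.append("url: must be http(s)://host/path/filename with a dot-free filename")
    if entry.get("insecureSkipVerify", False):
        # Allowed by the schema, but it disables server certificate checks for this download.
        findings.append("insecureSkipVerify: TLS verification disabled; prefer pinning via ca")
    return findings


def verify_download(entry, payload):
    """Apply the documented policy to downloaded bytes: returns (loaded, startup_blocked, reason).
    A checksum mismatch rejects the download and blocks startup unless ignoreFailure is true."""
    actual = hashlib.sha256(payload).hexdigest()
    if actual == entry["sha256"].lower():
        return True, False, "checksum verified"
    if entry.get("ignoreFailure", False):
        return False, False, "checksum mismatch; plugin skipped (ignoreFailure: true)"
    return False, True, "checksum mismatch; Stronghold startup blocked"


# Constructed stand-in for a downloaded plugin binary (not a real artifact).
PLUGIN_BYTES = b"\x7fELF constructed plugin binary for this example\n"

# Constructed entries; the hostname is a placeholder, not a real download server.
GOOD_ENTRY = {
    "name": "vault-plugin-example",
    "url": "https://plugins.example.internal/stronghold/v1.0.0/vault-plugin-example-linux-amd64",
    "sha256": hashlib.sha256(PLUGIN_BYTES).hexdigest(),
    "ignoreFailure": False,
}
TAMPERED_ENTRY = dict(GOOD_ENTRY, sha256="0" * 64)          # pinned hash does not match the bytes
TOLERATED_ENTRY = dict(TAMPERED_ENTRY, ignoreFailure=True)  # same mismatch, but startup continues

if __name__ == "__main__":
    for label, entry in [("good", GOOD_ENTRY), ("tampered", TAMPERED_ENTRY), ("tolerated", TOLERATED_ENTRY)]:
        print(label, review_entry(entry), verify_download(entry, PLUGIN_BYTES))
```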