Available in:  CE, BE, SE, SE+, EE

The module has 15 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/upmeter resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: upmeter
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable upmeter

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: upmeter
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable upmeter

The module is configured using the ModuleConfig custom resource named upmeter (learn more about setting up Deckhouse…).

Example of the ModuleConfig/upmeter resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: upmeter
spec:
  version: 3
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 3

  • settings
    object
    • settings.auth
      object

      Configuration of authentication for Upmeter frontends.

      • settings.auth.status
        object

        Required value

        Authentication configuration.

        • settings.auth.status.allowedUserGroups
          array of strings

          An array of user groups that can access Grafana & Prometheus.

          This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

          Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

        • settings.auth.status.externalAuthentication
          object

          Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the NGINX auth_request module.

          External authentication is enabled automatically if the user-authn module is enabled.

          • settings.auth.status.externalAuthentication.authSignInURL
            string

            URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

          • settings.auth.status.externalAuthentication.authURL
            string

            URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

        • settings.auth.status.whitelistSourceRanges
          array of strings

          An array if CIDRs that are allowed to authenticate.

          Example:

          whitelistSourceRanges:
- 1.1.1.1/32
      • settings.auth.webui
        object

        Required value

        Authentication configuration.

        • settings.auth.webui.allowedUserGroups
          array of strings

          An array of user groups that can access Grafana & Prometheus.

          This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

          Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

        • settings.auth.webui.externalAuthentication
          object

          Parameters to enable external authentication. Uses NGINX Ingress external-auth mechanism which is based on the the NGINX auth_request module.

          • settings.auth.webui.externalAuthentication.authSignInURL
            string

            URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

          • settings.auth.webui.externalAuthentication.authURL
            string

            URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

        • settings.auth.webui.password
          string

          Password for http authorization of the admin user. It is generated automatically, but you can change it.

          This parameter is used if the externalAuthentication is not enabled.

        • settings.auth.webui.whitelistSourceRanges
          array of strings

          An array if CIDRs that are allowed to authenticate.

          Example:

          whitelistSourceRanges:
- 1.1.1.1/32
    • settings.disabledProbes
      array of strings

      Group names or specific probes from a group. You can view the names in the web UI.

      For example:

      disabledProbes:
  - "synthetic/api" # disable a specific probe
  - "synthetic/"    # disable a group of probes
  - control-plane   # / can be omitted

      Default: []

    • settings.https
      object

      What certificate type to use with webui and status apps.

      This parameter completely overrides the global.modules.https settings.

      Examples:

      https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

      https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
      • settings.https.certManager
        object
        • settings.https.certManager.clusterIssuerName
          string

          What ClusterIssuer to use for webui/status.

          Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

          Default: "letsencrypt"

      • settings.https.customCertificate
        object
        • settings.https.customCertificate.secretName
          string

          The name of the secret in the d8-system namespace to use with webui/status.

          This secret must have the kubernetes.io/tls format.

          Default: "false"

      • settings.https.mode
        string

        The HTTPS usage mode:

        • Disabled — webui/status will work over HTTP only;
        • CertManager — webui/status will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
        • CustomCertificate — webui/status will use HTTPS using the certificate from the d8-system namespace.
        • OnlyInURI — webui/status will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

        Default: "Disabled"

        Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

    • settings.ingressClass
      string

      The class of the Ingress controller used for the Upmeter.

      Optional. By default, the modules.ingressClass global value is used

      Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    • settings.nodeSelector
      object

      Node selector for Upmeter server. The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      nodeSelector:
  disktype: ssd
    • settings.smokeMini
      object

      Configuration of authentication for smoke-mini.

      • settings.smokeMini.auth
        object

        Required value

        Authentication configuration.

        • settings.smokeMini.auth.allowedUserGroups
          array of strings

          An array of user groups that can access Grafana & Prometheus.

          This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

          Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

        • settings.smokeMini.auth.externalAuthentication
          object

          Parameters to enable external authentication. Uses NGINX Ingress external-auth mechanism which is based on the the NGINX auth_request module.

          • settings.smokeMini.auth.externalAuthentication.authSignInURL
            string

            URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).

          • settings.smokeMini.auth.externalAuthentication.authURL
            string

            URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.

        • settings.smokeMini.auth.password
          string

          Password for http authorization of the admin user. It is generated automatically, but you can change it.

          This parameter is used if the externalAuthentication is not enabled.

        • settings.smokeMini.auth.whitelistSourceRanges
          array of strings

          An array if CIDRs that are allowed to authenticate.

          Example:

          whitelistSourceRanges:
- 1.1.1.1/32
      • settings.smokeMini.https
        object

        What certificate type to use with smoke-mini.

        This parameter completely overrides the global.modules.https settings.

        Examples:

        https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

        https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
        • settings.smokeMini.https.certManager
          object
          • settings.smokeMini.https.certManager.clusterIssuerName
            string

            What ClusterIssuer to use for smoke-mini.

            Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

            Default: "letsencrypt"

        • settings.smokeMini.https.customCertificate
          object
          • settings.smokeMini.https.customCertificate.secretName
            string

            The name of the secret in the d8-system namespace to use with smoke-mini.

            This secret must have the kubernetes.io/tls format.

            Default: "false"

        • settings.smokeMini.https.mode
          string

          The HTTPS usage mode:

          • Disabled — smoke-mini will work over HTTP only;
          • CertManager — smoke-mini will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
          • CustomCertificate — smoke-mini will use HTTPS using the certificate from the d8-system namespace.
          • OnlyInURI — smoke-mini will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. Load balancer should provide a redirect from HTTP to HTTPS.

          Default: "Disabled"

          Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

      • settings.smokeMini.storageClass

        A StorageClass to use when checking the health of disks.

        If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either the global StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data.

        global.discovery.defaultStorageClass is applied during module activation, changing default StorageClass in cluster won’t result in disk re-provisioning.

        Setting it to false forces the use of an emptyDir volume.

        Default: false

        Examples:

        storageClass: false

        storageClass: default
    • settings.smokeMiniDisabled
      boolean

      Disables smokeMini.

      Disables “synthetic” probe group in Upmeter as well.

      Default: false

    • settings.statusPageAuthDisabled
      boolean

      Disables authorization for the status domain.

      Default: false

    • settings.storageClass

      The name of StorageClass that will be used in the cluster by default.

      The name of the StorageClass to use. If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, the StorageClass will be used according to the global storageClass parameter setting.

      The global storageClass parameter is only considered when the module is enabled. Changing the global storageClass parameter while the module is enabled will not trigger disk re-provisioning.

      If false is specified, emptyDir will be forced to be used.

      Warning. Specifying a value different from the one currently used (in the existing PVC) will result in disk re-provisioning and all data will be deleted.

      Warning. When migrating Upmeter with local storage to other nodes, the pods will enter a Pending state. In this situation, it will be necessary to back up the Upmeter database, delete the old PVCs, and manually restart the pod. Here, local storage refers to a StorageClass associated not with network storage but with a local volume on a node (for example, a StorageClass created by the local-path-provisioner module).

      Examples:

      storageClass: false

      storageClass: default
    • settings.tolerations
      array of objects

      Node tolerations for Upmeter server. The same as in the Pods’ spec.tolerations parameter in Kubernetes;

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      tolerations:
- key: key1
  operator: Equal
  value: value1
  effect: NoSchedule
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string

Authentication

user-authn module provides authentication by default. Also, externalAuthentication can be configured (see below). If these options are disabled, the module will use basic auth with the auto-generated password.

Use kubectl to see password:

kubectl -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values upmeter -o json | jq '.upmeter.internal.auth.webui.password'

Delete the Secret to re-generate password:

kubectl -n d8-upmeter delete secret/basic-auth-webui

Use kubectl to see password for status page:

kubectl -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module values upmeter -o json | jq '.upmeter.internal.auth.status.password'

Delete the Secret to re-generate password for status page:

kubectl -n d8-upmeter delete secret/basic-auth-status

Note! The auth.status.password and auth.webui.password parameters are deprecated.