The module does not have any mandatory parameters.
An example of the configuration:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: deckhouse-tools
spec:
  enabled: true
  version: 1
The module is enabled by default in the following bundles: Default, Managed.
The module is disabled by default in the Minimal bundle.
The module is configured using the ModuleConfig custom resource named deckhouse-tools (learn more about setting up Deckhouse…).
Example of the ModuleConfig/deckhouse-tools resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: deckhouse-tools
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- auth
Parameters to authenticate and authorize access to the module’s web interface.
- auth.allowedUserGroups
An array of groups whose users can browse the module’s web interface.
This parameter is used if the user-authn module is enabled or if the externalAuthentication parameter is set.
Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.
Default:
[]
Examples:

allowedUserGroups:
  - admin
  - users

allowedUserGroups: []
- auth.externalAuthentication
Parameters to enable external authentication based on the NGINX Ingress external-auth mechanism that uses the Nginx auth_request module.
External authentication is enabled automatically if the user-authn module is enabled.
- auth.externalAuthentication.authSignInURL
The URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response).
Default:
""
Example:
authSignInURL: https://$host/dex-authenticator/sign_in
- auth.externalAuthentication.authURL
The URL of the authentication service.
If the user is authenticated, the service should return an HTTP 200 response code.
Default:
""
Example:
authURL: https://deckhouse-tools-dex-authenticator.d8-system.svc.cluster.local/dex-authenticator/auth
- https
What certificate type to use.
This parameter completely overrides the global.modules.https settings.
Examples:

https:
  mode: Disabled

https:
  mode: OnlyInURI

https:
  mode: CustomCertificate
  customCertificate:
    secretName: foobar

https:
  mode: CertManager
  certManager:
    clusterIssuerName: letsencrypt
- https.certManager
Parameters for cert-manager.
- https.certManager.clusterIssuerName
What ClusterIssuer to use for getting an SSL certificate (currently, letsencrypt, letsencrypt-staging, selfsigned are supported; you can also define your own).
Default:
"letsencrypt"
Example:
clusterIssuerName: letsencrypt
- https.customCertificate
Parameters for custom certificate usage.
- https.customCertificate.secretName
The name of the secret in the d8-system namespace to use with the module’s web interface.
Note that this secret must conform to the kubernetes.io/tls format.
- https.mode
The HTTPS usage mode:
CertManager — the web UI is accessed over HTTPS using a certificate obtained from a clusterIssuer specified in the certManager.clusterIssuerName parameter.
CustomCertificate — the web UI is accessed over HTTPS using a certificate from the d8-system namespace.
Disabled — in this mode, the module’s web interface can only be accessed over HTTP.
OnlyInURI — the module’s web interface will work over HTTP (implies there is an external HTTPS load balancer in front of it that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme. The load balancer should provide redirection from HTTP to HTTPS.
Default:
"CertManager"
Allowed values:
Disabled, CertManager, CustomCertificate, OnlyInURI
- ingressClass
The class of the Ingress controller of the module web interface.
An optional parameter; by default, the modules.ingressClass global value is used.
Pattern:
^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- nodeSelector
The same as in the pods’ spec.nodeSelector parameter in Kubernetes.
If the parameter is omitted or false, it will be determined automatically.
Example:

nodeSelector:
  disktype: ssd
- tolerations
The same as in the pods’ spec.tolerations parameter in Kubernetes.
If the parameter is omitted or false, it will be determined automatically.
Example:

tolerations:
  - key: key1
    operator: Equal
    value: value1
    effect: NoSchedule
- tolerations.effect
- tolerations.key
- tolerations.operator
- tolerations.tolerationSeconds
- tolerations.value
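
A pre-apply lint for the `settings` block, built from the `https.mode` values, the `ingressClass` pattern and the `auth.allowedUserGroups` type documented above. This is an added example, not Deckhouse code: the name `lint_settings`, the warn/error levels and treating a missing `secretName` as an error are assumptions, and the input is the `settings` mapping already parsed from YAML.

```python
import re

# Allowed values and pattern copied from the parameter reference above.
HTTPS_MODES = ("Disabled", "CertManager", "CustomCertificate", "OnlyInURI")
INGRESS_CLASS_RE = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def lint_settings(settings):
    """Return (level, message) findings for a deckhouse-tools `settings` mapping."""
    findings = []
    https = settings.get("https") or {}
    mode = https.get("mode", "CertManager")  # documented default
    if mode not in HTTPS_MODES:
        findings.append(("error", f"https.mode {mode!r} is not an allowed value"))
    elif mode == "Disabled":
        findings.append(("warn", "https.mode=Disabled: web interface is reachable over HTTP only"))
    elif mode == "OnlyInURI":
        findings.append(("warn", "https.mode=OnlyInURI: the module serves HTTP; an external load "
                         "balancer must terminate HTTPS and redirect HTTP to HTTPS"))
    elif mode == "CustomCertificate":
        # Assumption of this example: a missing secret name is reported as an error.
        if not (https.get("customCertificate") or {}).get("secretName"):
            findings.append(("error", "https.mode=CustomCertificate without "
                             "https.customCertificate.secretName (kubernetes.io/tls secret in d8-system)"))

    ingress_class = settings.get("ingressClass")
    if ingress_class is not None and not INGRESS_CLASS_RE.fullmatch(str(ingress_class)):
        findings.append(("error", f"ingressClass {ingress_class!r} does not match the documented pattern"))

    groups = (settings.get("auth") or {}).get("allowedUserGroups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        findings.append(("error", "auth.allowedUserGroups must be an array of group names"))
    return findings


# Constructed sample inputs (not taken from a real cluster).
SAMPLE_HTTP_ONLY = {"https": {"mode": "Disabled"}, "ingressClass": "Nginx_Public"}
SAMPLE_TLS = {
    "https": {"mode": "CustomCertificate", "customCertificate": {"secretName": "foobar"}},
    "ingressClass": "nginx",
    "auth": {"allowedUserGroups": ["admin", "users"]},
}

if __name__ == "__main__":
    for name, sample in (("http-only", SAMPLE_HTTP_ONLY), ("tls", SAMPLE_TLS)):
        print(name, lint_settings(sample) or "no findings")
```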