Configuration

parameters

Schema version: 1

• settings

  object
  • allowAnyoneToRuleTheCluster

    Deprecated

    boolean

    This parameter is ignored. It will be removed in future releases. It was used to skip user permissions, so any user would have highest possible privileges in the UI.

    Default: false

  • auth

    object

    Authentication configuration.

    Default: {}

    • auth.allowedUserGroups

      array of strings

      An array of user groups that can access the web UI.

      This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set.

      Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one.

    • auth.externalAuthentication

      object

      Parameters to enable external authentication. Uses Nginx Ingress external-auth mechanism which is based on the the Nginx auth_request module.
      • auth.externalAuthentication.authSignInURL

        string

        URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code).
      • auth.externalAuthentication.authURL

        string

        URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code.
      • auth.externalAuthentication.useBearerTokens

        boolean

        The console must use the user ID to work with the Kubernetes API (the authentication service must return the Authorization HTTP header that contains the bearer-token – the console will use this token to make requests to the Kubernetes API server).

        Default value is true.

        Caution! For security reasons, this mode only works if https.mode (global or for a module) is not set to Disabled.

    • auth.password

      string

      Password for http authorization of the admin user. It is generated automatically, but you can change it.

      This parameter is used if the externalAuthentication is not enabled.

    • auth.sessionTTL

      string

      User session will be kept for specified amount of time even if user will not log in.

      Specified with s, m or h suffix.

      Default: 24h

    • auth.whitelistSourceRanges

      array of strings

      An array if CIDRs that are allowed to authenticate.

      Example:

      
      

      whitelistSourceRanges:
      - 1.1.1.1/32
      

  • externalWebsocketPort

    integer

    External port for WebSocket protocol requests. If WebSocket traffic goes through a proxy server before reaching the backend, the frontend application will use this to connect to the proxy server.

    Allowed values: 1 <= X <= 65535

  • highAvailability

    boolean

    Manually enable the high availability mode.

    By default, Deckhouse automatically decides whether to enable the HA mode. Click here to learn more about the HA mode for modules.

    Examples:

    
    

    highAvailability: true
    

    highAvailability: false
    

  • https

    object

    What certificate type to use with frontend and status apps.

    This parameter completely overrides the global.modules.https settings.

    Examples:

    
    

    customCertificate:
      secretName: foobar
    mode: CustomCertificate
    

    certManager:
      clusterIssuerName: letsencrypt
    mode: CertManager
    

    • https.certManager

      object
      • https.certManager.clusterIssuerName

        string

        What ClusterIssuer to use for frontend.

        Currently, letsencrypt, letsencrypt-staging, selfsigned are available. Also, you can define your own.

        Default: letsencrypt

    • https.customCertificate

      object

      Default: {}

      • https.customCertificate.secretName

        string

        The name of the secret in the d8-system namespace to use with frontend.

        This secret must have the kubernetes.io/tls format.

        Default: false

    • https.mode

      string

      The HTTPS usage mode:

      • Disabled — frontend will work over HTTP only;
      • CertManager — frontend will use HTTPS and get a certificate from the clusterissuer defined in the certManager.clusterIssuerName parameter.
      • CustomCertificate — frontend will use HTTPS using the certificate from the d8-system namespace.
      • OnlyInURI — frontend will work over HTTP (thinking that there is an external HTTPS load balancer in front that terminates HTTPS traffic). All the links in the user-authn will be generated using the HTTPS scheme.

      Default: Disabled

      Allowed values: Disabled, CertManager, CustomCertificate, OnlyInURI

  • ingressClass

    string

    The class of the Ingress controller used for the web UI.

    An optional parameter. By default, the modules.ingressClass global value is used.

    Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

    Example:

    
    

    ingressClass: nginx
    

  • nodeSelector

    object

    Node selector for frontend and backend pods. The same as in the Pods’ spec.nodeSelector parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    
    

    disktype: ssd
    

  • tolerations

    array of objects

    Node tolerations for frontend and backend pods. The same as in the Pods’ spec.tolerations parameter in Kubernetes;

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    
    

    tolerations:
    - effect: NoSchedule
      key: key1
      operator: Equal
      value: value1
    

    • tolerations.effect

      string
    • tolerations.key

      string
    • tolerations.operator

      string
    • tolerations.tolerationSeconds

      integer
    • tolerations.value

      string