Skip to main content

Configuration

Kubero UI

Customize the Kubero configuration

Allways edit the kuberoes CRD to make changes in your Kubero configuration. Changes on the configmap will be overwritten by the operator.

kubectl edit kuberoes kubero -n kubero

The config has three sections so far:

  1. kubero: configures the UI
  2. buildpacks: the selectable list of buildpacks
  3. podSizeList: the selectable list of pods

A full example can be found here https://github.com/kubero-dev/kubero/blob/main/config.yaml

kubero:
readonly: false
banner:
show: false
message: "Welcome to Kubero!"
bgcolor: "#8560A9"
fontcolor: "azure"
auth:
github:
# set your secrets in the secret resource
enabled: false
id: ""
callbackUrl: ""
org: ""
oauth2:
enabled: false
name: ""
id: ""
authUrl: ""
tokenUrl: ""
secret: ""
callbackUrl: ""
scope: "" # space seperated list of scopes
auditLogs:
enabled: false
storageClassName:
accessModes:
- ReadWriteOnce
size: 0.1Gi
limit: 1000
clusterissuer: letsencrypt-prod
templates:
enabled: true
catalogs:
- name: "Kubero"
description: "Kubero templates"
templateBasePath: "https://raw.githubusercontent.com/kubero-dev/kubero/main/services/"
index:
url: "https://raw.githubusercontent.com/kubero-dev/templates/main/index.json"
format: "json" # json or yaml # TODO has no effect yet. json is always used
- name: "Kubero Frameworks"
description: "Kubero frameworks"
templateBasePath: "https://raw.githubusercontent.com/kubero-dev/kubero/main/services/"
index:
url: "https://raw.githubusercontent.com/kubero-dev/templates/main/index-frameworks.json"
format: "json" # json or yaml # TODO has no effect yet. json is always used
buildpacks:
- name: NodeJS # displayed Name
language: JavaScript # Language detection match
fetch:
repository: ghcr.io/kubero-dev/fetch
tag: main
build:
repository: node # image to use
tag: latest # tag to use
command: "npm install" # command to run
run:
repository: node
tag: latest
command: "node index.js"
podSizeList:
- name: small
description: 'Small (CPU: 0.25, Memory: 0.5Gi)'
default: true
# resources are defined as usual in Kubernetes
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
memory: 0.5Gi
cpu: 250m
limits:
memory: 1Gi
cpu: 500m

CD/CD Buildpipeline

Building Docker images is a standard process in CI/CD pipelines. Kubero supports building images using these three methods: buildpacks.io, Nixpacks and Dockerfiles.

Once built, these images must be pushed to a container registry, which is configured in the kubero Custom Resource Definition (CRD). The target registry must have a valid TLS certificate, Fully Qualified Domain Name (FQDN), and basic authentication enabled for security. You can use a public (v2) registry like docker.io or ghcr.io, or set up a local registry by enabling the create flag.

If you opt for a local registry, ensure that it is configured as an insecure registry on all nodes in the cluster. For details on configuring insecure registries, see the Docker CLI documentation.

info

This config requires Kubero Operator >= v0.0.137

spec:
registry:
enabled: true # creates registry credentials for a external or a local registry (required for build strategy apps)
create: true # spins up a local registry
#host: registry.kubero.svc.cluster.local # works for pushes, but not for pulls. DO NOT USE THIS :( since it requires to configure all nodes ot acceppt this "insecure" registry
#host: docker.io # requires a docker account. Might be the best choice when running on a non public domain
host: registry.mykubero.com # will make your images publicly avaialble with a basic auth protection
account:
# create account with:
# docker run --entrypoint htpasswd httpd:2 -Bbn [username] [password]
# http://aspirine.org/htpasswd_en.html (use bcrypt)
username: MyUser
password: MyPassword
hash: $2y$05$cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
port: 443
storage: 1Gi
storageClassName:

Authentication

The Kubero UI has a built-in authentication to restrict access. All methods can be used simultaneously.

Local

This setup is suitable for individual users or very small teams (up to 8 credentials). Authentication credentials are stored in the environment variable KUBERO_USERS as a base64-encoded string.

caution

Do not use this example credentials

1) create an encrypted password

PASSWORD=asdf &&
SALT=asdf &&
echo -n $PASSWORD | openssl dgst -sha256 -hmac $SALT

2) create a JSON file with the encrypted password. For example users.json

[
{
"id": 1,
"method": "local",
"username": "asdf",
"password": "8a8423ba78c8f3da60a602493663c1cdc248a89541b12980e292399c0f0cad21",
"insecure": false
"apitoken": "asdf",
},
{
"id": 2,
"method": "local",
"username": "qwer",
"password": "qwer",
"insecure": true,
"apitoken": "asdf",
}
]

3) encode the created file to base64

cat users.json | base64

4) put the env var in your secrets.yaml and apply it

apiVersion: v1
kind: Secret
metadata:
name: kubero-secrets
type: Opaque
data:
...
...
stringData:
KUBERO_USERS: "WwogIHsKICAgICJpZCI6IDEsCiAgICAibWV0aG9kIjogImxvY2FsIiwKICAgICJ1c2VybmFtZSI6ICJhc2RmIiwKICAgICJwYXNzd29yZCI6ICI4YTg0MjNiYTc4YzhmM2RhNjBhNjAyNDkzNjYzYzFjZGMyNDhhODk1NDFiMTI5ODBlMjkyMzk5YzBmMGNhZDIxIiwKICAgICJpbnNlY3VyZSI6IGZhbHNlCiAgfSwKICB7CiAgICAiaWQiOiAyLAogICAgIm1ldGhvZCI6ICJsb2NhbCIsCiAgICAidXNlcm5hbWUiOiAicXdlciIsCiAgICAicGFzc3dvcmQiOiAicXdlciIsCiAgICAiaW5zZWN1cmUiOiB0cnVlCiAgfQpd"
...
...
kubectl apply -f secrets.yaml -n kubero

Github

If you already have a GitHub organization and want to grant access to its members, use this section.

  1. go to organisation settings -> developer settings -> OAuth Apps and register an application Regisgter your application

  2. Choos a name and a homepage URL. Set the callback url to https://<your-kubero-domain>/api/auth/github/callback Configure your application

  3. You will need the Client ID and the generated Client Secret Client ID and Client Secret

  4. Configure the kubero UI

kubero:
auth:
github:
enabled: true
id: "<your client id>"
callbackUrl: "<your callback URL>"
org: "your-org" # this will limit access to this organisation
info

The Organisation needs to be public and visible in user profile. Private Organisations are not supported by Github since they are not accessible during login process.

  1. Add the "Client Secret" to secret
apiVersion: v1
kind: Secret
metadata:
name: kubero-secrets
type: Opaque
stringData:
GITHUB_CLIENT_SECRET: <your client secret>
data:
...
...

Oauth2 (gitea, azure, keycloak, ...)

This should fit all other usecases.