Parameters

The parent key for all of the following parameters is openshift4_console.

`namespace`

type	string
default	`openshift-console`

The namespace where the console is deployed.

It’s not recommended to change this parameter. Changing the parameter might break the components function.

`namespace_annotations`

type

dictionary

default

openshift.io/node-selector: ''

Annotations to add to the managed namespace. Annotations can be removed by setting the value to null.

`openshift_version`

type

dictionary

default

Major: '4'
Minor: '17'

The OpenShift major and minor version.

This parameter is intended to be populated from the openshiftVersion dynamic fact and replicates the fact’s structure.

`route`

type	dictionary
default	`{"console": {}, "downloads": {}}`

A dictionary holding the configuration for the console and download routes.

The component will look for keys hostname and servingCertKeyPairSecret in the values of keys console and downloads. The component expects that the value of servingCertKeyPairSecret is of the form {"name": "<secret_name>"} and refers to a secret in namespace openshift-config.

`config`

type	dictionary
default	CRD defaults.

A dictionary holding the .spec for the console config.

See the OpenShift docs for available parameters.

The component will inject various configurations based on other parameters.

Additionally, on OpenShift 4.19 and newer, the component automatically configures the console’s "Developer" view state based on the cluster’s distribution. The "Developer" view is disabled for OKE clusters and enabled for other clusters.

`config.managementState`

type	enum `Managed`, `Unmanaged`, `Removed`
default	`Managed`

Indicates whether and how the operator should manage the console.

`config.plugins`

type	list
default	dynamic, depending on the reported OpenShift version

Add plugins to the console.

The component will inject a dynamic set of plugins into the configuration based on the reported OpenShift version in parameter openshift_version. For OpenShift 4.14 and newer, the component always adds plugin monitoring-plugin. For OpenShift 4.17 and newer, the component always adds plugin networking-console-plugin. Additionally, the component will remove duplicated entries from the list of configured plugins.

The order of entries in the field isn’t guaranteed to be stable.

`config.route`

type	dictionary with `hostname` and `secret` keys
default	undefined

Create a custom route to access the console. If the route is part of the default apps domain, no TLS cert needs to be specified since the default wildcard cert will be used.

This configuration parameter is deprecated starting with OpenShift 4.8, see the upstream documentation.

The component always configures the console route via the ingress.config.openshift.io/cluster object.

If both this parameter and parameter route are present, parameter route has precedence over this parameter.

`console_links`

type	dictionary
default	`{}`

Each entry in parameter console_links is deployed onto the cluster as an OpenShift ConsoleLink. The value of the entry will be used as the ConsoleLink specification. Entries with null values are skipped. This allows users to remove links which were configured higher up in the hierarchy.

`custom_logo`

type	dictionary
default	`{}`

This parameter is deprecated on OpenShift 4.19 and newer. Use custom_logos and custom_favicon instead.

Add a custom logo to the console. Takes a single key with the filename and the value is the base64 encoded logo. The logo can be a file in any common image format, including GIF, JPG, PNG, or SVG, and is constrained to a max-height of 60px The filename needs to have a filename extension which matches the image format.

For SVG logos the file must not be base64 encoded, but inserted directly as a string.

By default, OpenShift won’t serve a favicon if a custom logo is configured for the console. This is an intentional design decision as documented in this bug report.

The component tries to ensure that a favicon is served even if a custom logo is configured. However, because the current workaround for the missing favicon requires an additional custom route for the console hostname, it can only be implemented for configurations which use a custom console hostname. Otherwise, the component is unable to correctly configure spec.hostname for the console.

`custom_logos`

type	dictionary
default	See `class/defaults.yml`

Configure custom logos for the console. This parameter only has an effect on OpenShift 4.19 and newer. For older versions of OpenShift, use parameter custom_logo.

OpenShift 4.19 introduces a new console look with a dark and light theme. The new custom logo mechanism allows configuring separate logos for each theme. The component supports keys dark and light to specify logos for the dark and light theme respectively. The component additionally supports specifying a single logo for all themes in key '*'. If there’s no logo for a theme, the console will show the default logo for that theme.

Each logo can be a file in any common image format, including GIF, JPG, PNG, or SVG, and is constrained to a max-height of 60px.

The component looks for fields type and data in each entry of the parameter. Field type is expected to be a valid file extension in all lower case matching the image data provided in field data. Field data is the logo image data, in plain text for SVG and base64 encoded for all other formats.

The component will render all the logos in a single ConfigMap. The component will dynamically add logos to fields data (for SVG) and binaryData (for other formats) in the ConfigMap.

Additionally, the component will configure an entry in spec.customization.logos in the console.operator.openshift.io custom resource to actually configure the custom logos.

Examples

Separate logo per theme

custom_logos:
  dark:
    type: svg
    data: |
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
      <circle cx="30" cy="30" r="20" stroke="#fff" stroke-width="4" fill-opacity="0%"/>
      </svg>
  light:
    type: svg
    data: |
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
      <circle cx="30" cy="30" r="20" stroke="#000" stroke-width="4" fill-opacity="0%"/>
      </svg>

Same logo for all themes

custom_logos:
  '*':
    type: svg
    data: |
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
      <circle cx="30" cy="30" r="20" stroke="#f00" stroke-width="4" fill-opacity="0%"/>
      </svg>

Different file types

custom_logos:
  dark:
    type: svg
    data: | (1)
      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
      <svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
      <circle cx="30" cy="30" r="20" stroke="#fff" stroke-width="4" fill-opacity="0%"/>
      </svg>
  light:
    type: png
    data: iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAYAAAA6/NlyAAAABHNCSVQICAgIfAhkiAAAA5dJREFUaIHtmk1vTUEYx39HgkTYtMTOQtVL2WiKoF5W1IpGmrTpUlLxMUTDF6B8AKp8gWqxkHbtLUQixZbqQlVvScjf4pxK89y59869Z+Zei/NPZjE39zz/35Mz85w5MwcKFSpUqFChQq1SEjO4YDNwAjgJHAB2A9tIfwf4AXwB5oA3wDNgJoHlmFxBJUgE5wQPBSsC1dlWBBOCPkW+IbklGBC8biDJSu2V4GKr8yqToFPwJGCitk0LdrU6TwAEw4KlKrBzgluCIcFBQZtgfdbast+GBGOCD1XifBcMtTLRRHC9AtxvwT3B0QZiHhOMZzFcsUebPrczsNsVgB4prcZ5PfZkQ9nlMdbUpAU3HBDLgksRvEYEJYfftdBelQCGHeafBd0RPXsE8w7fwVieq8adjgL1RbAnqjH/hrhNelHQEdPUPnqWY95Zh3+PY3hPxTIbcAyp4HPWg2PEwdEf2iRR+QpqOqhJfTyThuVl0KqtdG1sn7O5Hz05ePY5ntN9IQ0emuB3gwVvnOm+YbofKvBmlb/11LWCiiHBccNUEmwKEdgO57mmrnIqcyWCj4btTK3r1nnEPmX6UwmoMcxwyhhs4Txd6zqfhPeb/qwnUzM0Y/qWtUw+Cdtq/M4bJ74sS/4nh2DBzJO23EEDSbDVsH0NEfSXCbo+AGsQCTYatp+1rvEZ0lYtr9B55JPwD9PfEgOkQVmWpVoX+CS8YPo7vHHiy7JY1jL5JPze9Pd648RXl+lb1jL5JPzG9E9448RXr+lb1vql9ARgbSX88B8tLT/Vu7T0Cex6eTgWgDkvV69j9yX/y0MW/IEJfi9I4HxME4ZpPGRwO6x/qwkbd1V4uhwbAGdDGiSC5//RFs9Tw/IieF0RXDQmEowENfHjuOLguBDLzB59lAQ9Uczc/ocdBXQypuEupad4aw3nmzGfBXtVvhH/TbAztvGQY0jNCw5F9DziSFaCgVieFmDUYb4iuBzB64pjGEtwNbRXNYhE6ZGlhZDgsWBfAI8uRzVebTdD5FEvUFLhTq8+p8eVbqV6Py6ymL3ZouJPhdjNu7MVIAcdhWxt+yi4o/SYtVvQLtiQtfbst+HsP3ZtvLYtNm3O1pKgQzBVBTZvm4xejRuRoF/pwVaoRF8Izrc6r6rK5mGf0rMf16cKtVopm/9n65n/vor96eEm0pf0U6Sb5LuB7ZR/evgeeEv66eFsAqWYXIUKFSpUqFCh1ugvn+zZeVm8jdkAAAAASUVORK5CYII= (2)

1	SVG needs to be configured as plain text
2	All other formats, such as PNG need to be configured base64 encoded

`custom_favicon`

type	dictionary
default	`{}`

Starting with OpenShift 4.19, users can configure custom favicons for the console. This parameter has no effect on OpenShift versions before 4.19.

OpenShift 4.19 supports specifying separate favicons for the dark and light themes, but the component currently only supports configuring a single favicon for both themes.

The component looks for fields type and data in the parameter. Field type is expected to be a valid file extension in all lower case matching the image data provided in field data. Field data is the favicon data, in plain text for SVG and base64 encoded for all other formats.

The component will write the favicon into a ConfigMap and configure an entry in spec.customization.logos in the console.operator.openshift.io custom resource to enable the custom favicon for the console.

`capabilities`

type	dictionary
default	[See `class/defaults.yml`]

This parameter allows users to enable or disable OpenShift console capabilities. OpenShift 4.19 supports two capabilities: LightspeedButton and GettingStartedBanner. The parameter has no effect on OpenShift 4.18 and older. The component enables the "Getting Started" banner by default and disables the Lightspeed button by default. The component skips entries in this parameter which aren’t defined as available capabilities for the OpenShift version specified in parameter openshift_version.

`secrets`

type	dictionary
default	`{}`

Each entry in parameter secrets is deployed onto the cluster as a Kubernetes Secret with type=kubernetes.io/tls. Entries with null values are skipped. This allows users to remove secrets which were configured higher up in the hierarchy.

The component has basic validation to ensure the secret contents are a plausible Kubernetes TLS secret.

The dictionary keys are used as metadata.name for the resulting Secret resources. The dictionary values are directly merged into a Secret resource which only has type=kubernetes.io/tls set. The secrets are created in the namespace indicated by parameter namespace.

`cert_manager_certs`

type	dictionary
default	`{}`

Each entry in parameter cert_manager_certs is deployed onto the cluster as a cert-manager Certificate resource. Entries with null values are skipped. This allows users to remove certificates which were configured higher up in the hierarchy.

The dictionary keys are used as metadata.name and spec.secretName for the resulting Certificate resources. The dictionary values are then directly directly merged into the mostly empty Certificate resources.

OpenShift won’t admit the route for the HTTP01 solver pod unless the Certificate resources are deployed in the same namespace as the web console. This behavior is caused by a security feature in the OpenShift ingress controller operator to not allow malicious actors to abuse hostnames which are already in use in other namespaces.

However, since OpenShift requires that custom TLS secrets for the OpenShift console are stored in namespace openshift-config, we deploy a script to clone the TLS secret created by cert-manager into namespace openshift-config for each Certificate resource.

`notifications`

type	dictionary
default	`{}`

Each entry in parameter notifications is deployed onto the cluster as a ConsoleNotification resource. Entries with null values are skipped. This allows users to remove notifications which were configured higher up in the hierarchy.

The dictionary keys are used as metadata.name for the resulting ConsoleNotification resources.

The dictionary values correspond to the .spec of the ConsoleNotification. See the OpenShift docs for available parameters.

This component will by default use .location: BannerTop, .color: '#1abc9c' and .backgroundColor: ' #d1d61c' unless otherwise configured.

`upgrade_notification`

type	dictionary
default	`enabled: false notification: {}`

When upgrade notifications are enabled, this component will create an ArgoCD sync hook and an upgradejob hook which will dynamically create (and remove) a ConsoleNotification informing users about the next upcoming minor OCP upgrade. It is based on the upgrade controller’s channel overlay and the next possible maintenance dates.

The values for the upgrade_notification.notification dictionary are the the same as for notifications above. Additionally the following variables can be used in the notification text: OVERLAY_DATE, OVERLAY_CHANNEL, OVERLAY_VERSION, OVERLAY_VERSION_MINOR and NEXT_MAINTENANCE, see also the example below.

Example: Custom hostname in cluster’s app domain

openshift4_console:
  route:
    console:
      hostname: console.apps.example.com

Example: Custom hostname outside cluster’s app domain

In this case we need to specify a custom certificate:

openshift4_console:
  route:
    console:
      hostname: console.cluster.example.com
      servingCertKeyPairSecret:
        name: console-cluster-example-com-tls (1)
  secrets:
    console-cluster-example-com-tls:
      stringData:
        tls.crt: ?{vaultkv:${cluster:tenant}/${cluster:name}/openshift4-console/certificates/cert} (2)
        tls.key: ?{vaultkv:${cluster:tenant}/${cluster:name}/openshift4-console/certificates/key} (3)

1	A secret with keys `tls.crt` and `tls.key` with this name must exist in namespace `openshift-config`.
2	Reference to the console hostname TLS certificate in Vault
3	Reference to the console hostname TLS private key in Vault

Example: Custom hostname outside cluster’s app domain with cert-manager certificate

This configuration assumes that the DNS record for console.cluster.example.com points to the cluster’s application LBs, ideally as a CNAME to the cluster’s application domain. This is required so that cert-manager can request the Let’s Encrypt certificate using a HTTP01 challenge.

openshift4_console:
  route:
    console:
      hostname: console.cluster.example.com
      servingCertKeyPairSecret:
        name: console-cluster-example-com-tls (1)
  cert_manager_certs:
    console-cluster-example-com-tls:
      spec:
        dnsNames:
          - console.cluster.example.com
        issuerRef:
          name: letsencrypt-production
          kind: ClusterIssuer

Example: Custom links and logo in the web console

openshift4_console:
  console_links:
    homepage: (1)
      href: 'https://www.example.com/'
      location: ApplicationMenu
      text: Home
      applicationMenu:
        section: Company
        # image that is 24x24 in size
        imageURL: https://via.placeholder.com/24
    user-docs: (2)
      href: 'https://docs.example.com/'
      location: HelpMenu
      text: User Documentation
    project-link: (3)
      href: 'https://docs.example.com/organization/'
      location: HelpMenu
      text: User Documentation
      namespaceDashboard:
        matchExpressions:
         - key: organization
           operation: Exists
  custom_logo:
    logo.png: |- (4)
      <base64-encoded_logo>

1	Adds a link to an overflow menu at the top of every page
2	Adds a link to the help menu at the top of every page
3	Adds a link to the dashboard of every namespace with a label `organization`
4	Provide a single base64-encoded logo and the key needs to have the correct filename extension

Example: Console notification

openshift4_console:
  notifications:
    appuio-documentation:
      text: Please visit our documentation for more information
      location: BannerBottom
      color: '#1abc9c'
      backgroundColor: ' #d1d61c'
      link:
        href: https://docs.appuio.cloud
        text: APPUiO documentation

Example: Upgrade notification

openshift4_console:
  upgrade_notification:
    enabled: true
    notification:
      text: 'Cluster will be upgraded to OpenShift $OVERLAY_VERSION in the maintenance window at $NEXT_MAINTENANCE'
      link:
        href: https://kb.vshn.ch/oc4/references/release_notes.html
        text: release notes