Configuration files

There are two files generated after running opctl init --provider <provider>:

  • params.yaml - contains the fields that need to be updated to configure your deployment.
  • config.yaml - contains components that are going to be included in the deployment. This file should not be updated unless you plan on adding custom Kustomize components to your deployment.

For further information on populating the params.yaml file, refer to the sections below. This information is also available inside the generated params.yaml template.

tip

It is highly recommended that you commit the params.yaml file into a private repository and encrypt it with BlackBox, or use a secret management service such as Azure Key Vault, AWS Secrets Manager, GCP Secret Manager or HashiCorp Vault.

Content of configuration file params.yaml

important

The template below is automatically generated when you run opctl init for your provider.

This particular one was generated by running

opctl init --provider aks --enable-https --enable-cert-manager --dns-provider route53

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Component: Onepanel
# Description: Onepanel application information
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
application:
  # First namespace that will be created in Onepanel, more can be added later
  defaultNamespace: default
  # Domain where Onepanel is hosted
  # Use a first-level or multi-level subdomain like example.com or sub.example.com
  domain: <domain>
  # The Fully Qualified Domain Name (FQDN) where Onepanel will be hosted.
  # If `domain` above is set to example.com or sub.example.com, then your FQDN could be: app.example.com or app.sub.example.com respectively
  fqdn: <fully-qualified-domain-name>
  # HTTP or HTTPS - Do not change, determined by `opctl init --enable-https`
  # CLI flag: --enable-https
  insecure: false
  # Node pool or group label keys and values used for AutoScaling and for NodeSelectors
  # The provider will set these label keys and values on your nodes automatically
  # These can also be customized depending on your provider
  nodePool:
    label: <node-pool-label>
    # Add more by following the format:
    # - name: <name>
    #   value: <value>
    # The first option will be used as default.
    options:
      - name: 'Use friendly name 1'
        value: <value-1>
      - name: 'Use friendly name 2'
        value: <value-2>
  # The kubernetes cluster where Onepanel will be deployed.
  # Valid values: minikube, microk8s, aks, eks, gke
  provider: aks
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Component: Artifact repository
# Description: S3 compatible object storage for storing files across Onepanel
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
artifactRepository:
  s3:
    # S3 access key
    accessKey: <access-key>
    # Name of bucket, example: my-bucket
    bucket: <bucket-name>
    # Endpoint for S3 compatible storage
    # Supported provider endpoints:
    #   AWS: s3.amazonaws.com
    #   GCS: storage.googleapis.com
    #   Minio: my-minio-endpoint.default:9000
    endpoint: s3.amazonaws.com
    # Change to true if endpoint does NOT support HTTPS
    insecure: false
    # Key Format for objects stored by Workflows. This can reference Workflow variables
    keyFormat: artifacts/{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}
    # Bucket region
    region: us-west-2
    # S3 secret key
    secretKey: <secret-key>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Component: cert-manager
# Description: automatically creates and renews TLS certificates using Let's Encrypt
# Docs: https://onepanelio.github.io/core-docs/docs/deployment/configuration/tls
# CLI flag: --enable-cert-manager
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certManager:
  # Enter certificate admin email
  # Example: [email protected]
  email: <cert-admin-email>
  # DNS Provider: Amazon Route53
  # Docs: https://onepanelio.github.io/core-docs/docs/deployment/configuration/tls#route53
  # CLI flag: --dns-provider=route53
  route53:
    access_key: <aws-access-key>
    region: <aws-region>
    secret_key: <aws-secret-key>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Component: Database
# Description: Database connection information
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
database:
  # Name of database
  # If using an external production database, use the name of that database.
  # For in-cluster test database, use any name you like.
  databaseName: onepanel
  # Do not change, only `postgres` driver is supported at this time.
  driverName: postgres
  # Database host - use `postgres` for in-cluster test database
  host: <database-ip-or-hostname>
  # Database password
  # If using an external production database, use the password for that database.
  # For in-cluster test database, use any password you like.
  password: <password>
  # Database port
  port: 5432
  # Database username
  # If using an external production database, use the username for that database.
  # For in-cluster test database, use any username you like.
  username: <username>

Sections

What follows is a more detailed description of each section of the params.yaml file.

application

This is where you set the basic application configuration.

The insecure field is set to true by default and is set to false if you add the --enable-https flag when running opctl init.

defaultNamespace

This is the first Namespace you want created. It could be a project name or a team name. Its default value is default, but we recommend using something more meaningful.

domain

This is the domain for your Onepanel resources. Some resources like Workspaces create subdomains of this domain so they can be accessed by a browser. This can be a top level domain like example.com or a subdomain sub.example.com.

important

Domains, not IP addresses, are required with Istio.

fqdn

This is where Onepanel UI and API will be deployed. This should be a subdomain of the domain field mentioned above. For example: app.example.com or app.sub.example.com.

important

Domains, not IP addresses, are required with Istio.

insecure

The insecure field is set to true by default and is set to false if you add the --enable-https flag when running opctl init.

nodePool

Depending on your provider, these are called either node pools or node groups. They are labels on Kubernetes nodes that Onepanel uses to autoscale nodes on demand.

A common label for identifying these is beta.kubernetes.io/instance-type, which most cloud providers set automatically. Its value is usually the cloud provider's instance type.

You can see all labels on your nodes by running:

kubectl get nodes --show-labels

note

For minikube, you can use this configuration.

nodePool:
  label: minikube.k8s.io/minikube
  options:
    - name: 'Minikube'
      value: minikube

Note that this lists many different labels, so you can pick and choose any label key/value that is unique to that node.

For example after running the kubectl command above, you may get the following list of labels:

agentpool=nodepool1,
beta.kubernetes.io/arch=amd64,
beta.kubernetes.io/instance-type=Standard_D2s_v3,
beta.kubernetes.io/os=linux,
failure-domain.beta.kubernetes.io/region=eastus,

You can then use the label key/value pairs as follows:

nodePool:
  label: beta.kubernetes.io/instance-type        # node label key
  options:
    - name: 'CPU: 2, RAM: 8GB'                   # friendly name for instance
      value: 'Standard_D2s_v3'                   # node label value
    - name: 'CPU: 4, RAM: 16GB'
      value: Standard_D4s_v3
    - name: 'GPU: 1xK80, CPU: 6, RAM: 56GB'
      value: Standard_NC6
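The label/value selection described above can be checked before deployment: every options[].value in nodePool must actually appear on some node under nodePool.label, or the NodeSelectors Onepanel builds from it can never be satisfied. The following is an added example (not part of the Onepanel docs or tooling) that parses constructed kubectl get nodes --show-labels output and validates a nodePool block against it.

```python
# Added example (not from the Onepanel docs): derive and validate the
# params.yaml nodePool block from `kubectl get nodes --show-labels` output.
import re
from collections import OrderedDict

# Constructed sample of `kubectl get nodes --show-labels` (AKS-style node names).
KUBECTL_OUTPUT = """\
NAME                                STATUS   ROLES   AGE   VERSION   LABELS
aks-nodepool1-12345678-vmss000000   Ready    agent   10d   v1.18.8   agentpool=nodepool1,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=Standard_D2s_v3,beta.kubernetes.io/os=linux
aks-nodepool1-12345678-vmss000001   Ready    agent   10d   v1.18.8   agentpool=nodepool1,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=Standard_D2s_v3,beta.kubernetes.io/os=linux
aks-gpupool-12345678-vmss000000     Ready    agent   2d    v1.18.8   agentpool=gpupool,beta.kubernetes.io/arch=amd64,beta.kubernetes.io/instance-type=Standard_NC6,beta.kubernetes.io/os=linux
"""

def parse_node_labels(output):
    """Return {node_name: {label_key: value}} from --show-labels output."""
    nodes = {}
    for line in output.strip().splitlines()[1:]:      # skip the header row
        cols = line.split()
        name, labels = cols[0], cols[-1]               # LABELS is the last column
        nodes[name] = dict(kv.split("=", 1) for kv in labels.split(","))
    return nodes

def label_values(nodes, label):
    """Distinct values of `label` across all nodes, in first-seen order."""
    return list(OrderedDict.fromkeys(n[label] for n in nodes.values() if label in n))

def validate_node_pool(node_pool, nodes):
    """Return a list of problems in a params.yaml nodePool block (empty = OK).
    Flags placeholders left in the template and option values no node carries."""
    problems = []
    label = node_pool.get("label", "")
    present = set(label_values(nodes, label))
    if not present:
        problems.append(f"label {label!r} is not set on any node")
    for opt in node_pool.get("options", []):
        value, name = str(opt.get("value", "")), opt.get("name")
        if re.fullmatch(r"<.*>", value):
            problems.append(f"option {name!r} still has a placeholder value")
        elif value not in present:
            problems.append(f"option {name!r}: no node has {label}={value}")
    return problems

if __name__ == "__main__":
    nodes = parse_node_labels(KUBECTL_OUTPUT)
    print("instance types:", label_values(nodes, "beta.kubernetes.io/instance-type"))
```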

artifactRepository

This section lets you set up the default object storage for your Workflow and Workspace artifacts, including Workflow log storage. Onepanel currently supports any S3 compatible artifact repository such as AWS S3, GCS and Minio. Support for additional object stores is coming soon.

Here's an example AWS S3 configuration:

artifactRepository:
  s3:
    accessKey: AKIAJSIE27KKMHXI3BJQ
    bucket: pipelines.example.com
    endpoint: s3.amazonaws.com
    region: us-west-2
    secretKey: 5bEYu26084qjSFyclM/f2pz4gviSfoOg+mFwBH39

important

Onepanel Workflows will automatically upload or download artifacts from artifacts/{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}. See Workflow artifacts for more information.

certManager

If you have run opctl init with --enable-https, --enable-cert-manager and --dns-provider flags set, you need to configure your respective DNS provider here so that Onepanel can create and renew your TLS certificates for you.

See TLS certificates for more information about configuring this section.

database

This is the database settings section.

For a test cluster, you can set the database host to postgres and use any username or password. This database will be automatically created in the cluster with the information you entered.

Note that you cannot change the username/password for the test database once it's created.

Example:

database:
  databaseName: onepanel
  driverName: postgres
  host: postgres
  password: mypassword
  port: 5432
  # Database username
  # If using an external production database, use the username for that database.
  # For in-cluster test database, use any username you like.
  username: onepanel

important

For a production environment, use a managed database service and set the configuration accordingly.

metalLB

This configures a load balancer for local or bare-metal deployments.

Example:

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Component: Application and kubernetes load balancing on non-cloud deployments.
# Description: MetalLB, LoadBalancer
# CLI flag: --enable-metallb
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
metalLb:
  addresses:
    - 10.1.31.1/24

Getting the address range

First, find minikube's ip.

minikube ip

For the first part of the range, use the minikube ip plus 1.

So if minikube ip gives us 192.168.64.64, we use 192.168.64.65.

For the second part of the range, change the last octet to 255.

So we can use a range of 192.168.64.65 to 192.168.64.255:

metalLb:
  addresses:
    - 192.168.64.65-192.168.64.255
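The range rule above (first address is minikube ip plus 1, last address is the same /24 with the final octet set to 255) is easy to get wrong by hand, and a range that swallows the minikube host address itself will break the cluster's own traffic. The code below is an added example, not part of the Onepanel docs or opctl: it computes the range, checks it stays in the host's /24 without covering the host, and renders the metalLb block. Running it live assumes the minikube binary is installed.

```python
# Added example (not from the Onepanel docs): derive the metalLb address range
# from `minikube ip` using the rule "first = ip + 1, last = x.x.x.255".
import ipaddress
import subprocess

def metallb_range(minikube_ip):
    """Return the 'first-last' string for the metalLb.addresses entry."""
    host = ipaddress.IPv4Address(minikube_ip)
    net = ipaddress.IPv4Network(f"{host}/24", strict=False)
    first = host + 1
    last = net.broadcast_address          # the x.x.x.255 address of the /24
    if first >= last:
        raise ValueError(f"{minikube_ip}: no usable addresses above it in {net}")
    return f"{first}-{last}"

def range_is_consistent(range_str, minikube_ip):
    """Checks worth running before applying a hand-edited range:
    first <= last, both ends inside the host's /24, and the range does not
    include the minikube host address itself."""
    first_s, last_s = range_str.split("-")
    first, last = ipaddress.IPv4Address(first_s), ipaddress.IPv4Address(last_s)
    host = ipaddress.IPv4Address(minikube_ip)
    net = ipaddress.IPv4Network(f"{host}/24", strict=False)
    return (first <= last and first in net and last in net
            and not (first <= host <= last))

def render_metallb_block(range_str):
    """Render the params.yaml fragment for the computed range."""
    return f"metalLb:\n  addresses:\n    - {range_str}\n"

if __name__ == "__main__":
    # Live use: read the address from `minikube ip` (assumed to be installed).
    ip = subprocess.run(["minikube", "ip"], capture_output=True,
                        text=True, check=True).stdout.strip()
    rng = metallb_range(ip)
    if not range_is_consistent(rng, ip):
        raise SystemExit(f"computed range {rng} is not usable with host {ip}")
    print(render_metallb_block(rng), end="")
```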

workflowEngine

containerRuntimeExecutor

The executor that the workflow engine uses to perform certain actions, such as monitoring pod logs, collecting artifacts and managing container lifecycles.

The possible values are docker and pns:

  • docker is more reliable; however, it mounts the host's docker.sock, which makes it less secure.
  • pns is more secure; however, in some versions of Kubernetes it tends to fail on tasks that take less than 15 seconds.