Examples

Example configurations for Konflux Operator Custom Resources

The following examples demonstrate how to configure Konflux Operator Custom Resources:

Empty Konflux Configuration

Empty Konflux configuration (Default values)

# Title: Empty Konflux Configuration
# Description: Empty Konflux configuration (Default values)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec: {}

Konflux with GitHub Authentication

Konflux configuration with GitHub authentication

# Title: Konflux with GitHub Authentication
# Description: Konflux configuration with GitHub authentication
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec:
  ui:
    spec:
      ingress:
        enabled: true
      proxy:
        replicas: 1
        nginx:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      dex:
        dex:
          # The github-client Secret referenced below must exist in the konflux-ui namespace
          env:
            - name: GITHUB_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: github-client
                  key: clientID
            - name: GITHUB_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: github-client
                  key: clientSecret
        config:
          connectors:
          # Add a GitHub connector to the Dex configuration - https://dexidp.io/docs/connectors/github/
            - type: github
              id: github
              name: GitHub
              config:
                clientID: $GITHUB_CLIENT_ID
                clientSecret: $GITHUB_CLIENT_SECRET

Konflux Configuration

Complete Konflux configuration with all components (UI, Build Service, Integration Service, Release Service, etc.)

# Title: Konflux Configuration
# Description: Complete Konflux configuration with all components (UI, Build Service, Integration Service, Release Service, etc.)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec:
  ui:
    spec:
      ingress:
        nodePortService:
          httpsPort: 30011
      proxy:
        replicas: 1
        nginx:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      dex:
        config:
          enablePasswordDB: true
          passwordConnector: local
          staticPasswords:
          - email: "user1@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user1"
            userID: "7138d2fe-724e-4e86-af8a-db7c4b080e20"
          - email: "user2@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user2"
            userID: "ea8e8ee1-2283-4e03-83d4-b00f8b821b64"
  integrationService:
    spec:
      integrationControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
  releaseService:
    spec:
      releaseControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
  buildService:
    spec:
      buildControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
  namespaceLister:
    spec:
      namespaceLister:
        replicas: 1
        namespaceLister:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
  info:
    spec:
      publicInfo:
        environment: development
        visibility: public
      banner:
        items:
          - summary: "Welcome to Konflux-CI! This is a development environment for testing and development purposes."
            type: info
  certManager:
    # CreateClusterIssuer controls whether cluster issuer resources are created
    # Defaults to true if not specified
    createClusterIssuer: true
  internalRegistry:
    # Enabled controls whether internal registry resources are deployed
    # Defaults to false if not specified
    enabled: true

Konflux Application API Configuration

KonfluxApplicationAPI configuration (minimal example)

# Title: Konflux Application API Configuration
# Description: KonfluxApplicationAPI configuration (minimal example)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxApplicationAPI
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-application-api
spec: {}

Konflux Build Service Configuration

KonfluxBuildService configuration with custom resource limits and environment variables

# Title: Konflux Build Service Configuration
# Description: KonfluxBuildService configuration with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxBuildService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-build-service
spec:
  buildControllerManager:
    replicas: 2
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
      env:
        - name: PAC_WEBHOOK_URL
          value: "http://pipelines-as-code-controller.pipelines-as-code.svc.cluster.local:8180"
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: build-service-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: build-service-secret
              key: secret-key

Konflux Cert Manager Configuration

KonfluxCertManager configuration for certificate management

# Title: Konflux Cert Manager Configuration
# Description: KonfluxCertManager configuration for certificate management
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxCertManager
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-cert-manager
spec:
  # CreateClusterIssuer controls whether cluster issuer resources are created
  # Defaults to true if not specified
  createClusterIssuer: true

Konflux Default Tenant Configuration

KonfluxDefaultTenant configuration for default tenant

# Title: Konflux Default Tenant Configuration
# Description: KonfluxDefaultTenant configuration for default tenant
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxDefaultTenant
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konfluxdefaulttenant-sample
spec:
  # TODO(user): Add fields here

Konflux Enterprise Contract Configuration

KonfluxEnterpriseContract configuration for enterprise contract policies

# Title: Konflux Enterprise Contract Configuration
# Description: KonfluxEnterpriseContract configuration for enterprise contract policies
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxEnterpriseContract
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-enterprise-contract
spec: {}

Konflux Image Controller Configuration

KonfluxImageController configuration for image management

# Title: Konflux Image Controller Configuration
# Description: KonfluxImageController configuration for image management
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxImageController
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-image-controller
spec: {}

Konflux Info Configuration

KonfluxInfo full configuration for information display

# Title: Konflux Info Configuration
# Description: KonfluxInfo full configuration for information display
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxInfo
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-info
spec:
  publicInfo:
    # Environment type: development, production, or staging
    environment: production

    # Visibility level: public or private
    visibility: public

    # Optional status page URL
    statusPageUrl: "https://status.konflux.example.com"

    # Integration configurations
    integrations:
      # GitHub App integration
      github:
        application_url: "https://github.com/apps/my-konflux-app/installations/new"

      # SBOM server configuration
      sbom_server:
        url: "https://sbom.example.com/content"
        sbom_sha: "https://sbom.example.com/sha"

      # Image Controller configuration
      image_controller:
        enabled: true
        notifications:
          # Webhook notification example
          - title: "Build Complete Notification"
            event: "build_complete"
            method: "webhook"
            config:
              url: "https://webhook.example.com/build/complete"

          # Email notification example
          - title: "Repository Push Notification"
            event: "repo_push"
            method: "email"
            config:
              email: "devops-team@example.com"

          # Another webhook with different event
          - title: "Image Scan Complete"
            event: "image_scan_complete"
            method: "webhook"
            config:
              url: "https://webhook.example.com/scan"
              timeout: "30s"

    # RBAC role definitions
    rbac:
      # Admin role with custom display name
      - name: "konflux-admin-user-actions"
        description: "Full access to Konflux resources including secrets and administrative operations"
        displayName: "Administrator"

      # Maintainer role (displayName defaults to name)
      - name: "konflux-maintainer-user-actions"
        description: "Manage workspace resources without access to sensitive or destructive actions"

      # Viewer role
      - name: "konflux-viewer-user-actions"
        description: "Read-only access to view CI results and workspace information"
        displayName: "Viewer Role"

      # Custom role
      - name: "konflux-custom-role"
        description: "Custom role for specific use case with limited permissions"

  # Banner configurations
  banner:
    items:
      # Simple informational banner (always visible)
      - summary: "Welcome to Konflux-CI! This is a production environment."
        type: info

      # Warning banner with time-based scheduling (Mondays, 9 AM - 5 PM Eastern)
      - summary: "**Scheduled Maintenance**: System maintenance will occur on Friday, March 15th from 2:00 AM to 4:00 AM EST."
        type: warning
        startTime: "09:00"
        endTime: "17:00"
        timeZone: "America/New_York"
        dayOfWeek: 1  # Monday

      # Danger banner for specific date (one-time event)
      - summary: "**CRITICAL**: Security patch deployment in progress. Some services may be temporarily unavailable."
        type: danger
        startTime: "14:00"
        endTime: "18:00"
        timeZone: "UTC"
        year: 2025
        month: 3
        dayOfMonth: 15

      # Info banner for specific day of week (recurring weekly)
      - summary: "Weekly team standup reminder: Every Monday at 10:00 AM."
        type: info
        startTime: "09:00"
        endTime: "11:00"
        timeZone: "America/Los_Angeles"
        dayOfWeek: 1  # Monday (0=Sunday, 1=Monday, etc.)

      # Warning banner for specific month and day (recurring annually)
      - summary: "**Annual Review Period**: Performance reviews are due by end of month."
        type: warning
        startTime: "00:00"
        endTime: "23:59"
        timeZone: "UTC"
        month: 12
        dayOfMonth: 31

      # Info banner with Markdown formatting
      - summary: |
          **New Feature Available**:

          - Enhanced build pipeline visualization
          - Improved security scanning
          - [View Documentation](https://docs.konflux.example.com)
        type: info
        startTime: "08:00"
        endTime: "20:00"
        timeZone: "Europe/London"

Konflux Integration Service Configuration

KonfluxIntegrationService configuration with custom resource limits and environment variables

# Title: Konflux Integration Service Configuration
# Description: KonfluxIntegrationService configuration with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxIntegrationService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-integration-service
spec:
  integrationControllerManager:
    replicas: 3
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 512m
          memory: 1Gi
      env:
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: integration-service-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: integration-service-secret
              key: secret-key

Konflux Internal Registry Configuration

KonfluxInternalRegistry configuration for internal registry

# Title: Konflux Internal Registry Configuration
# Description: KonfluxInternalRegistry configuration for internal registry
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxInternalRegistry
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-internal-registry
spec:
  # TODO(user): Add fields here

Konflux Namespace Lister Configuration

KonfluxNamespaceLister configuration for namespace lister with custom resource limits and environment variables

# Title: Konflux Namespace Lister Configuration
# Description: KonfluxNamespaceLister configuration for namespace lister with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxNamespaceLister
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-namespace-lister
spec:
  namespaceLister:
    replicas: 3
    namespaceLister:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 512m
          memory: 1Gi
      env:
        - name: LOG_LEVEL
          value: "0"
        - name: CACHE_RESYNC_PERIOD
          value: "10m"
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: namespace-lister-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: namespace-lister-secret
              key: secret-key

Konflux RBAC Configuration

KonfluxRBAC configuration for role-based access control

# Title: Konflux RBAC Configuration
# Description: KonfluxRBAC configuration for role-based access control
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxRBAC
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-rbac
spec: {}

Konflux Release Service Configuration

KonfluxReleaseService configuration with custom resource limits and environment variables

# Title: Konflux Release Service Configuration
# Description: KonfluxReleaseService configuration with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxReleaseService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-release-service
spec:
  releaseControllerManager:
    replicas: 3
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 100m
          memory: 256Mi
      env:
        - name: DEFAULT_RELEASE_PVC
          valueFrom:
            configMapKeyRef:
              name: release-service-manager-properties
              key: DEFAULT_RELEASE_PVC
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: release-service-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: release-service-secret
              key: secret-key

Konflux UI Configuration

KonfluxUI configuration with ingress, proxy, and dex settings

# Title: Konflux UI Configuration
# Description: KonfluxUI configuration with ingress, proxy, and dex settings
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxUI
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-ui
spec:
  # Ingress configuration
  ingress:
    enabled: true
    ingressClassName: "nginx"
    host: "konflux-ui.example.com"
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    tlsSecretName: "konflux-ui-tls"

  # Proxy deployment configuration
  proxy:
    replicas: 3
    nginx:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
      env:
        - name: NGINX_WORKER_PROCESSES
          value: "4"
        - name: NGINX_WORKER_CONNECTIONS
          value: "1024"
        - name: NGINX_KEEPALIVE_TIMEOUT
          value: "65"
    oauth2Proxy:
      resources:
        requests:
          cpu: 50m
          memory: 128Mi
        limits:
          cpu: 200m
          memory: 256Mi
      env:
        - name: OAUTH2_PROXY_PROVIDER
          value: "oidc"
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: "https://dex.example.com/idp/"
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "oauth2-proxy"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: client-secret

  # Dex deployment configuration
  dex:
    replicas: 2
    dex:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
      env:
        - name: DEX_LOG_LEVEL
          value: "debug"
        - name: DEX_STORAGE_TYPE
          value: "kubernetes"
    config:
      hostname: "dex.example.com"
      port: "9443"
      enablePasswordDB: true
      passwordConnector: "local"
      configureLoginWithOpenShift: true
      connectors:
        - type: "github"
          id: "github"
          name: "GitHub"
          config:
            clientID: "$GITHUB_CLIENT_ID"
            clientSecret: "$GITHUB_CLIENT_SECRET"
            redirectURI: "https://dex.example.com/idp/callback"
            orgs:
              - name: "my-org"
                teams:
                  - "developers"
                  - "admins"
              - name: "another-org"
                teams:
                  - "contributors"
        - type: "oidc"
          id: "google"
          name: "Google"
          config:
            clientID: "$GOOGLE_CLIENT_ID"
            clientSecret: "$GOOGLE_CLIENT_SECRET"
            redirectURI: "https://dex.example.com/idp/callback"
            issuer: "https://accounts.google.com"
            groups:
              - "admin@example.com"
        - type: "ldap"
          id: "ldap"
          name: "LDAP"
          config:
            host: "ldap.example.com:636"
            bindDN: "cn=admin,dc=example,dc=com"
            bindPW: "$LDAP_BIND_PASSWORD"
            userSearch:
              baseDN: "ou=Users,dc=example,dc=com"
              filter: "(objectClass=person)"
              username: "uid"
              idAttr: "uid"
              emailAttr: "mail"
              nameAttr: "cn"
            groupSearch:
              baseDN: "ou=Groups,dc=example,dc=com"
              filter: "(objectClass=groupOfNames)"
              nameAttr: "cn"
              userMatchers:
                - userAttr: "DN"
                  groupAttr: "member"
      staticPasswords:
        - email: "user1@konflux.dev"
          # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "user1"
          userID: "7138d2fe-724e-4e86-af8a-db7c4b080e20"
        - email: "user2@konflux.dev"
          # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "user2"
          userID: "ea8e8ee1-2283-4e03-83d4-b00f8b821b64"
        - email: "admin@konflux.dev"
          # bcrypt hash of the string "admin": $(echo admin | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "admin"
          userID: "admin-12345-67890-abcdef"
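
A pre-apply check for the Dex settings in the GitHub authentication example and the KonfluxUI example above, added here and not part of the Konflux project: it confirms that every `$NAME` placeholder in a connector's `config` has a like-named entry in `dex.dex.env` backed by a `secretKeyRef`. It assumes placeholders are resolved from the Dex container's environment, as the GitHub example implies, and that the manifest is already parsed into a dict; `check_dex`, `placeholders`, `_secret` and the sample dicts are names made up for this example.

```python
import re

# "$NAME" / "${NAME}" placeholders, the form the page's connector configs use.
PLACEHOLDER = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")

def placeholders(node):
    """Yield each placeholder name found in any string nested under node."""
    if isinstance(node, str):
        yield from PLACEHOLDER.findall(node)
    elif isinstance(node, dict):
        for value in node.values():
            yield from placeholders(value)
    elif isinstance(node, list):
        for value in node:
            yield from placeholders(value)

def check_dex(dex):
    """Audit one `dex` section (Konflux ui.spec.dex or KonfluxUI spec.dex).

    Returns a sorted list of (variable, problem) tuples; empty means clean.
    """
    env = {e["name"]: e for e in dex.get("dex", {}).get("env", [])}
    findings = set()
    for connector in dex.get("config", {}).get("connectors", []):
        for var in placeholders(connector.get("config", {})):
            if var not in env:
                findings.add((var, "no env entry"))
            elif "secretKeyRef" not in env[var].get("valueFrom", {}):
                findings.add((var, "inline value, not a secretKeyRef"))
    return sorted(findings)

def _secret(name, key):
    # Hypothetical helper: builds the valueFrom.secretKeyRef shape used on the page.
    return {"valueFrom": {"secretKeyRef": {"name": name, "key": key}}}

# Constructed samples: trimmed dict copies of two `dex` sections on this page.
GITHUB_AUTH_DEX = {
    "dex": {"env": [
        {"name": "GITHUB_CLIENT_ID", **_secret("github-client", "clientID")},
        {"name": "GITHUB_CLIENT_SECRET", **_secret("github-client", "clientSecret")},
    ]},
    "config": {"connectors": [
        {"type": "github", "config": {"clientID": "$GITHUB_CLIENT_ID",
                                      "clientSecret": "$GITHUB_CLIENT_SECRET"}},
    ]},
}
KONFLUX_UI_DEX = {
    "dex": {"env": [{"name": "DEX_LOG_LEVEL", "value": "debug"},
                    {"name": "DEX_STORAGE_TYPE", "value": "kubernetes"}]},
    "config": {"connectors": [
        {"type": "github", "config": {"clientID": "$GITHUB_CLIENT_ID",
                                      "clientSecret": "$GITHUB_CLIENT_SECRET"}},
        {"type": "oidc", "config": {"clientID": "$GOOGLE_CLIENT_ID",
                                    "clientSecret": "$GOOGLE_CLIENT_SECRET",
                                    "issuer": "https://accounts.google.com"}},
        {"type": "ldap", "config": {"host": "ldap.example.com:636",
                                    "bindPW": "$LDAP_BIND_PASSWORD"}},
    ]},
}

if __name__ == "__main__":
    for label, dex in (("github-auth", GITHUB_AUTH_DEX), ("konflux-ui", KONFLUX_UI_DEX)):
        print(label, check_dex(dex) or "ok")
```

On the constructed samples, the GitHub authentication section comes back clean, while the KonfluxUI section references five variables that its `env` list never defines.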