Examples

Example configurations for Konflux Operator Custom Resources

The following examples demonstrate how to configure Konflux Operator Custom Resources:

Konflux E2E Test Configuration

Konflux configuration for E2E tests with image-controller enabled

# Title: Konflux E2E Test Configuration
# Description: Konflux configuration for E2E tests with image-controller enabled
#
# This sample extends the base configuration with image-controller enabled,
# which is required for E2E tests but optional for local development.
#
# Usage:
#   E2E CI: Used by .github/workflows/operator-test-e2e.yaml
#   Local E2E testing: KONFLUX_CR=operator/config/samples/konflux-e2e.yaml ./scripts/deploy-local.sh
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec:
  ui:
    spec:
      ingress:
        nodePortService:
          httpsPort: 30011
      proxy:
        replicas: 1
        reverseProxy:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      dex:
        config:
          enablePasswordDB: true
          passwordConnector: local
          # WARNING: Demo users for CI and local development ONLY
          # For production, remove staticPasswords and configure OIDC connectors
          # See docs/operator-deployment.md for production authentication examples
          staticPasswords:
          - email: "user1@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user1"
            userID: "7138d2fe-724e-4e86-af8a-db7c4b080e20"
            groups:
              - "konflux-users"
              - "team-alpha"
          - email: "user2@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user2"
            userID: "ea8e8ee1-2283-4e03-83d4-b00f8b821b64"
            groups:
              - "konflux-users"
              - "team-beta"
  integrationService:
    spec:
      integrationControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      # snapshotGarbageCollector.resources: lower the GC container requests for resource-constrained
      # clusters (e.g. local Kind).
      snapshotGarbageCollector:
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
  releaseService:
    spec:
      releaseControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 256Mi
            limits:
              cpu: 30m
              memory: 256Mi
  buildService:
    spec:
      # Skip TLS verification for PaC webhook URLs — the e2e environment
      # exposes Pipelines-as-Code via a route with a self-signed certificate.
      pacWebhookInsecureSSL: true
      buildControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
  namespaceLister:
    spec:
      namespaceLister:
        replicas: 1
        namespaceLister:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
  info:
    spec:
      publicInfo:
        environment: development
        visibility: public
      banner:
        items:
          # Display a banner at the top of the Konflux UI to all users.
          - summary: "Welcome to Konflux-CI! This development and testing environment has been deployed with default insecure passwords!"
            type: danger
  certManager:
    # CreateClusterIssuer controls whether cluster issuer resources are created
    # Defaults to true if not specified
    createClusterIssuer: true
  internalRegistry:
    # Enabled controls whether internal registry resources are deployed
    # Defaults to false if not specified
    # For local development on Kind, this provides an OCI registry at localhost:5001
    enabled: true
  # Default tenant creates a shared namespace accessible by all authenticated users.
  # Needed for E2E tests. See konflux_v1alpha1_konflux.yaml for detailed documentation.
  defaultTenant:
    enabled: true
  # E2E-specific: Enable image-controller for E2E tests
  imageController:
    enabled: true

Empty Konflux Configuration

Empty Konflux configuration (Default values)

# Title: Empty Konflux Configuration
# Description: Empty Konflux configuration (Default values)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec: {}

Konflux with GitHub Authentication

Konflux configuration with GitHub authentication

# Title: Konflux with GitHub Authentication
# Description: Konflux configuration with GitHub authentication
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec:
  ui:
    spec:
      ingress:
        enabled: true
      proxy:
        replicas: 1
        reverseProxy:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      dex:
        dex:
          # The secret should be created in the konflux-ui namespace
          env:
            - name: GITHUB_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: github-client
                  key: clientID
            - name: GITHUB_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: github-client
                  key: clientSecret
        config:
          connectors:
          # See the Dex documentation for available connector configuration - https://dexidp.io/docs/connectors
            - type: github
              id: github
              name: GitHub
              config:
                clientID: $GITHUB_CLIENT_ID
                clientSecret: $GITHUB_CLIENT_SECRET

Konflux Configuration

Complete Konflux configuration with all components (UI, Build Service, Integration Service, Release Service, etc.)

# Title: Konflux Configuration
# Description: Complete Konflux configuration with all components (UI, Build Service, Integration Service, Release Service, etc.)
#
# This sample is used in CI tests and local development. It includes demo users with static passwords
# for testing purposes. For production deployments, remove the staticPasswords section and configure
# OIDC authentication (GitHub, Google, LDAP, etc.) instead.
#
# Usage:
#   CI: Used automatically by .github/workflows/operator-test-e2e.yaml
#   Local: ./scripts/deploy-local.sh (uses this file by default)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: Konflux
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux
spec:
  ui:
    spec:
      # NodePort exposes the UI on the host for Kind clusters.
      # Kind maps container port 30011 to host port 9443 (see kind-config.yaml).
      # Access the UI at https://localhost:9443 (HTTPS required).
      # For non-Kind clusters, use Ingress instead (see konflux_v1alpha1_konfluxui.yaml).
      ingress:
        nodePortService:
          httpsPort: 30011
      proxy:
        replicas: 1
        reverseProxy:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      dex:
        config:
          enablePasswordDB: true
          passwordConnector: local
          # WARNING: Demo users for CI and local development ONLY
          # For production, remove staticPasswords and configure OIDC connectors
          # See docs/operator-deployment.md for production authentication examples
          staticPasswords:
          - email: "user1@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user1"
            userID: "7138d2fe-724e-4e86-af8a-db7c4b080e20"
            groups:
              - "konflux-users"
              - "team-alpha"
          - email: "user2@konflux.dev"
            # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
            hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # notsecret
            username: "user2"
            userID: "ea8e8ee1-2283-4e03-83d4-b00f8b821b64"
            groups:
              - "konflux-users"
              - "team-beta"
  integrationService:
    spec:
      integrationControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      # snapshotGarbageCollector.resources: lower the GC container requests for resource-constrained
      # clusters (e.g. local Kind).
      snapshotGarbageCollector:
        resources:
          requests:
            cpu: 50m
            memory: 64Mi
  releaseService:
    spec:
      releaseControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
  buildService:
    spec:
      buildControllerManager:
        replicas: 1
        manager:
          resources:
            requests:
              cpu: 30m
              memory: 128Mi
            limits:
              cpu: 30m
              memory: 128Mi
      # pipelineConfig:
      #   # removeDefaults: true  # Discard all operator-provided default pipelines
      #   pipelines:
      #     - name: fbc-builder
      #       removed: true  # Remove this specific default pipeline
      #     - name: my-custom-pipeline
      #       bundle: quay.io/myorg/pipeline:latest
      #   # defaultPipelineName: fbc-builder  # Use existing default pipeline as default
      #   # defaultPipelineName: my-custom-pipeline  # Use custom pipeline as default
  namespaceLister:
    spec:
      namespaceLister:
        replicas: 1
        namespaceLister:
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
  info:
    spec:
      publicInfo:
        environment: development
        visibility: public
      banner:
        items:
          # Display a banner at the top of the Konflux UI to all users.
          - summary: "Welcome to Konflux-CI! This development and testing environment has been deployed with default insecure passwords!"
            type: danger
  certManager:
    # CreateClusterIssuer controls whether cluster issuer resources are created
    # Defaults to true if not specified
    createClusterIssuer: true
  internalRegistry:
    # Enabled controls whether internal registry resources are deployed
    # Defaults to false if not specified
    # For local development on Kind, this provides an OCI registry at localhost:5001
    enabled: true
  # Default tenant creates a shared namespace ("default-tenant") accessible by all authenticated users.
  # All authenticated users get maintainer permissions in this namespace.
  # Appropriate for local development and testing. For production multi-tenant environments where
  # you need strict namespace isolation, set enabled: false and create per-team tenant namespaces.
  # Defaults to true if not specified.
  defaultTenant:
    enabled: true
  # telemetry:
  #   # Enabled controls whether segment-bridge telemetry resources are deployed.
  #   # Defaults to false if not specified.
  #   enabled: true
  #   spec:
  #     # segmentKey is the Segment write key; omit to use the default build-time key
  #     # segmentKey: "your-write-key"
  #
  #     # segmentAPIURL is the base URL without "/batch". The operator appends "/batch".
  #     # Defaults to "https://api.segment.io/v1" if not specified.
  #     # segmentAPIURL: "https://console.redhat.com/connections/api/v1"
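
The settings these Konflux samples mark as development-only in their comments (staticPasswords, pacWebhookInsecureSSL, the shared default tenant), together with the `$ENV` plus secretKeyRef pattern from the GitHub sample, can be checked before a CR is promoted. This is an added example, not part of the Konflux operator: it assumes the CR has been exported as JSON, and the function names, finding IDs and sample documents are constructed for illustration.

```python
"""Pre-deployment lint for a Konflux CR exported as JSON (added example).

Field paths follow the YAML samples on this page; function names, finding
IDs and the sample documents below are constructed for illustration.
"""
import json
import sys

SECRET_KEYS = ("clientSecret", "bindPW")  # connector fields that hold credentials


def dig(obj, *path):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def lint_konflux(cr):
    """Return a sorted list of (finding_id, detail) tuples for one Konflux CR."""
    findings = []
    spec = cr.get("spec") or {}
    dex = dig(spec, "ui", "spec", "dex") or {}
    config = dex.get("config") or {}

    # 1. Demo users: the samples say to remove staticPasswords for production.
    users = config.get("staticPasswords") or []
    if users:
        names = ", ".join(u.get("username", "?") for u in users)
        findings.append(("static-passwords", "local users defined: " + names))
    # Identical bcrypt strings mean identical salt and password, i.e. one hash
    # copied between accounts instead of generated per user.
    by_hash = {}
    for u in users:
        by_hash.setdefault(u.get("hash"), []).append(u.get("username", "?"))
    for value, shared in by_hash.items():
        if value and len(shared) > 1:
            findings.append(("reused-hash", "same hash for: " + ", ".join(shared)))

    # 2. Connector secrets should be $ENV references backed by a secretKeyRef.
    env = {e.get("name"): e for e in dig(dex, "dex", "env") or []}
    for conn in config.get("connectors") or []:
        for key in SECRET_KEYS:
            value = (conn.get("config") or {}).get(key)
            if value is None:
                continue
            where = "connector %s.%s" % (conn.get("id"), key)
            if not str(value).startswith("$"):
                findings.append(("inline-secret", where + " is a literal value"))
            elif dig(env.get(value[1:]), "valueFrom", "secretKeyRef") is None:
                findings.append(("unbacked-env", where + " has no secretKeyRef env"))

    # 3. TLS verification disabled for Pipelines-as-Code webhook URLs.
    if dig(spec, "buildService", "spec", "pacWebhookInsecureSSL") is True:
        findings.append(("insecure-webhook-tls", "pacWebhookInsecureSSL: true"))

    # 4. defaultTenant defaults to true when omitted, so only an explicit
    #    false switches the shared namespace off.
    if dig(spec, "defaultTenant", "enabled") is not False:
        findings.append(("shared-default-tenant", "enabled explicitly or by default"))

    return sorted(findings)


# Constructed sample: trimmed from the E2E sample, hash replaced by a placeholder.
DEV_CR = {"spec": {
    "ui": {"spec": {"dex": {"config": {
        "enablePasswordDB": True,
        "staticPasswords": [
            {"username": "user1", "hash": "$2a$10$PLACEHOLDER"},
            {"username": "user2", "hash": "$2a$10$PLACEHOLDER"},
        ]}}}},
    "buildService": {"spec": {"pacWebhookInsecureSSL": True}},
    "defaultTenant": {"enabled": True},
}}

# Constructed sample: GitHub connector wired as in the GitHub sample, with
# the shared tenant switched off.
PROD_CR = {"spec": {
    "ui": {"spec": {"dex": {
        "dex": {"env": [{"name": "GITHUB_CLIENT_SECRET", "valueFrom": {
            "secretKeyRef": {"name": "github-client", "key": "clientSecret"}}}]},
        "config": {"connectors": [{"type": "github", "id": "github", "config": {
            "clientID": "$GITHUB_CLIENT_ID",
            "clientSecret": "$GITHUB_CLIENT_SECRET"}}]},
    }}},
    "defaultTenant": {"enabled": False},
}}


if __name__ == "__main__":
    # With piped input, lint that document; otherwise lint the dev sample.
    cr = DEV_CR if sys.stdin.isatty() else json.load(sys.stdin)
    results = lint_konflux(cr)
    for finding_id, detail in results:
        print(finding_id + ": " + detail)
    sys.exit(1 if results else 0)
```

The script exits non-zero when anything is flagged, so it can gate a promotion job. An empty `spec: {}` still reports the shared default tenant, because that field defaults to true when omitted.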

Konflux Application API Configuration

KonfluxApplicationAPI configuration (minimal example)

# Title: Konflux Application API Configuration
# Description: KonfluxApplicationAPI configuration (minimal example)
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxApplicationAPI
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-application-api
spec: {}

Konflux Build Service Configuration

KonfluxBuildService configuration with custom resource limits, environment variables, and pipeline configuration options.

# Title: Konflux Build Service Configuration
# Description: KonfluxBuildService configuration with custom resource limits, environment variables,
#              and pipeline configuration options.
#
# Pipeline Configuration:
#   pipelineConfig controls the contents of the build-pipeline-config ConfigMap.
#   The operator always manages this ConfigMap. Use pipelineConfig to customize it:
#     - Override a default pipeline by specifying the same name with a different bundle
#     - Remove a specific default with removed: true
#     - Discard all defaults with removeDefaults: true
#     - Add new pipelines alongside or instead of defaults
#     - Set defaultPipelineName to specify which pipeline is selected by default for new components
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxBuildService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-build-service
spec:
  # pacWebhookInsecureSSL: true  # Skip TLS verification for webhooks (dev/test only)
  # logEncoder: console  # Use human-readable logs (default: json)
  # webhookURLs:  # Map repository URL prefixes to external webhook URLs (e.g. Smee proxies)
  #   https://github.com: "https://smee.example.com/github-hook"
  #   https://gitlab.com: "https://smee.example.com/gitlab-hook"
  # pipelineConfig:
  #   # removeDefaults: true  # Discard all operator-provided default pipelines
  #   pipelines:
  #     - name: fbc-builder
  #       removed: true  # Remove this specific default pipeline
  #     - name: my-custom-pipeline
  #       bundle: quay.io/myorg/pipeline:latest
  #   # defaultPipelineName: fbc-builder  # Use existing default pipeline as default
  #   # defaultPipelineName: my-custom-pipeline  # Use custom pipeline as default
  buildControllerManager:
    replicas: 2
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
      env:
        - name: PAC_WEBHOOK_URL
          value: "http://pipelines-as-code-controller.pipelines-as-code.svc.cluster.local:8180"
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: build-service-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: build-service-secret
              key: secret-key

Konflux Cert Manager Configuration

KonfluxCertManager configuration for certificate management

# Title: Konflux Cert Manager Configuration
# Description: KonfluxCertManager configuration for certificate management
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxCertManager
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-cert-manager
spec:
  # CreateClusterIssuer controls whether cluster issuer resources are created
  # Defaults to true if not specified
  createClusterIssuer: true

Konflux CLI Tools

KonfluxCLI configuration for the CLI component

# Title: Konflux CLI Tools
# Description: KonfluxCLI configuration for the CLI component
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxCLI
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-cli
spec: {}

Konflux Default Tenant Configuration

KonfluxDefaultTenant configuration for default tenant

# Title: Konflux Default Tenant Configuration
# Description: KonfluxDefaultTenant configuration for default tenant
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxDefaultTenant
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konfluxdefaulttenant-sample
spec:
  # TODO(user): Add fields here

Konflux Enterprise Contract Configuration

KonfluxEnterpriseContract configuration for enterprise contract policies

# Title: Konflux Enterprise Contract Configuration
# Description: KonfluxEnterpriseContract configuration for enterprise contract policies
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxEnterpriseContract
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-enterprise-contract
spec: {}

Konflux Image Controller Configuration

KonfluxImageController configuration for image management

# Title: Konflux Image Controller Configuration
# Description: KonfluxImageController configuration for image management
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxImageController
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-image-controller
spec: {}

Konflux Info Configuration

KonfluxInfo full configuration for information display

# Title: Konflux Info Configuration
# Description: KonfluxInfo full configuration for information display
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxInfo
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-info
spec:
  publicInfo:
    # Environment type: development, production, or staging
    environment: production

    # Visibility level: public or private
    visibility: public

    # Optional status page URL
    statusPageUrl: "https://status.konflux.example.com"

    # Integration configurations
    integrations:
      # GitHub App integration
      github:
        application_url: "https://github.com/apps/my-konflux-app/installations/new"

      # SBOM server configuration
      sbom_server:
        url: "https://sbom.example.com/content"
        sbom_sha: "https://sbom.example.com/sha"

      # Image Controller configuration
      image_controller:
        enabled: true
        notifications:
          # Webhook notification example
          - title: "Build Complete Notification"
            event: "build_complete"
            method: "webhook"
            config:
              url: "https://webhook.example.com/build/complete"

          # Email notification example
          - title: "Repository Push Notification"
            event: "repo_push"
            method: "email"
            config:
              email: "devops-team@example.com"

          # Another webhook with different event
          - title: "Image Scan Complete"
            event: "image_scan_complete"
            method: "webhook"
            config:
              url: "https://webhook.example.com/scan"
              timeout: "30s"

    # RBAC role definitions
    rbac:
      # Admin role with custom display name
      - name: "konflux-admin-user-actions"
        description: "Full access to Konflux resources including secrets and administrative operations"
        displayName: "Administrator"

      # Maintainer role (displayName defaults to name)
      - name: "konflux-maintainer-user-actions"
        description: "Manage workspace resources without access to sensitive or destructive actions"

      # Viewer role
      - name: "konflux-viewer-user-actions"
        description: "Read-only access to view CI results and workspace information"
        displayName: "Viewer Role"

      # Custom role
      - name: "konflux-custom-role"
        description: "Custom role for specific use case with limited permissions"

  # Banner configurations
  banner:
    items:
      # Simple informational banner (always visible)
      - summary: "Welcome to Konflux-CI! This is a production environment."
        type: info

      # Warning banner with time-based scheduling (Mondays, 9 AM - 5 PM America/New_York)
      - summary: "**Scheduled Maintenance**: System maintenance will occur on Friday, March 15th from 2:00 AM to 4:00 AM EST."
        type: warning
        startTime: "09:00"
        endTime: "17:00"
        timeZone: "America/New_York"
        dayOfWeek: 1  # Monday

      # Danger banner for specific date (one-time event)
      - summary: "**CRITICAL**: Security patch deployment in progress. Some services may be temporarily unavailable."
        type: danger
        startTime: "14:00"
        endTime: "18:00"
        timeZone: "UTC"
        year: 2025
        month: 3
        dayOfMonth: 15

      # Info banner for specific day of week (recurring weekly)
      - summary: "Weekly team standup reminder: Every Monday at 10:00 AM."
        type: info
        startTime: "09:00"
        endTime: "11:00"
        timeZone: "America/Los_Angeles"
        dayOfWeek: 1  # Monday (0=Sunday, 1=Monday, etc.)

      # Warning banner for specific month and day (recurring annually)
      - summary: "**Annual Review Period**: Performance reviews are due by end of month."
        type: warning
        startTime: "00:00"
        endTime: "23:59"
        timeZone: "UTC"
        month: 12
        dayOfMonth: 31

      # Info banner with Markdown formatting
      - summary: |
          **New Feature Available**:

          - Enhanced build pipeline visualization
          - Improved security scanning
          - [View Documentation](https://docs.konflux.example.com)
        type: info
        startTime: "08:00"
        endTime: "20:00"
        timeZone: "Europe/London"

Konflux Integration Service Configuration

KonfluxIntegrationService configuration with custom resource limits and environment variables

# Title: Konflux Integration Service Configuration
# Description: KonfluxIntegrationService configuration with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxIntegrationService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-integration-service
spec:
  # Pipeline run timeouts. Each field maps to the corresponding env var on the
  # controller-manager container. Omit to use the upstream integration-service defaults.
  pipelineTimeout: "6h"
  tasksTimeout: "4h"
  finallyTimeout: "2h"

  integrationControllerManager:
    replicas: 3
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 512m
          memory: 1Gi
      # For env vars beyond the typed timeout fields above, use manager.env directly.
      # Supports plain values and valueFrom references (ConfigMap, Secret).
      # env:
      #   - name: EXAMPLE_CUSTOM_CONFIG
      #     valueFrom:
      #       configMapKeyRef:
      #         name: integration-service-config
      #         key: custom-config
      #   - name: EXAMPLE_SECRET_VALUE
      #     valueFrom:
      #       secretKeyRef:
      #         name: integration-service-secret
      #         key: secret-key

  # Snapshot GC retention policy. Each field maps to the corresponding env var on the
  # GC container. Omit any field to use the upstream integration-service default.
  # Upstream defaults: prSnapshotsToKeep=70, nonPRSnapshotsToKeep=640, minSnapshotsToKeepPerComponent=5
  prSnapshotsToKeep: "10"
  nonPRSnapshotsToKeep: "100"  # upstream default is 640; set lower for tighter retention
  minSnapshotsToKeepPerComponent: "4"

  snapshotGarbageCollector:
    # resources: override the GC container resource requests/limits.
    # When omitted, the operator uses the values defined in the upstream integration-service
    # repository (config/snapshotgc/snapshotgc.yaml at the pinned SHA).
    # Set lower requests here only for resource-constrained environments (e.g. local Kind).
    resources:
      requests:
        cpu: 50m
        memory: 64Mi
      limits:
        cpu: "1"
        memory: 2000Mi
    # For GC env vars beyond the typed fields above, use snapshotGarbageCollector.env directly.
    # Supports plain values and valueFrom references (ConfigMap, Secret).
    # env:
    #   - name: EXAMPLE_GC_CONFIG
    #     valueFrom:
    #       configMapKeyRef:
    #         name: snapshot-gc-config
    #         key: some-key

Konflux Internal Registry Configuration

KonfluxInternalRegistry configuration for internal registry

# Title: Konflux Internal Registry Configuration
# Description: KonfluxInternalRegistry configuration for internal registry
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxInternalRegistry
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-internal-registry
spec:
  # TODO(user): Add fields here

Konflux Namespace Lister Configuration

KonfluxNamespaceLister configuration for namespace lister with custom resource limits and environment variables

# Title: Konflux Namespace Lister Configuration
# Description: KonfluxNamespaceLister configuration for namespace lister with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxNamespaceLister
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-namespace-lister
spec:
  namespaceLister:
    replicas: 3
    namespaceLister:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 512m
          memory: 1Gi
      env:
        - name: LOG_LEVEL
          value: "0"
        - name: CACHE_RESYNC_PERIOD
          value: "10m"
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: namespace-lister-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: namespace-lister-secret
              key: secret-key

Konflux RBAC Configuration

KonfluxRBAC configuration for role-based access control

# Title: Konflux RBAC Configuration
# Description: KonfluxRBAC configuration for role-based access control
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxRBAC
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-rbac
spec: {}

Konflux Release Service Configuration

KonfluxReleaseService configuration with custom resource limits and environment variables

# Title: Konflux Release Service Configuration
# Description: KonfluxReleaseService configuration with custom resource limits and environment variables
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxReleaseService
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-release-service
spec:
  releaseControllerManager:
    replicas: 3
    manager:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 100m
          memory: 256Mi
      env:
        - name: DEFAULT_RELEASE_PVC
          valueFrom:
            configMapKeyRef:
              name: release-service-manager-properties
              key: DEFAULT_RELEASE_PVC
        - name: EXAMPLE_CUSTOM_CONFIG
          valueFrom:
            configMapKeyRef:
              name: release-service-config
              key: custom-config
        - name: EXAMPLE_SECRET_VALUE
          valueFrom:
            secretKeyRef:
              name: release-service-secret
              key: secret-key

Konflux UI Configuration

KonfluxUI configuration with ingress, proxy, and dex settings

# Title: Konflux UI Configuration
# Description: KonfluxUI configuration with ingress, proxy, and dex settings
apiVersion: konflux.konflux-ci.dev/v1alpha1
kind: KonfluxUI
metadata:
  labels:
    app.kubernetes.io/name: konflux-operator
    app.kubernetes.io/managed-by: kustomize
  name: konflux-ui
spec:
  # Ingress configuration
  ingress:
    enabled: true
    ingressClassName: "nginx"
    host: "konflux-ui.example.com"
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    tlsSecretName: "konflux-ui-tls"

  # Proxy deployment configuration
  proxy:
    replicas: 3
    reverseProxy:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
    oauth2Proxy:
      resources:
        requests:
          cpu: 50m
          memory: 128Mi
        limits:
          cpu: 200m
          memory: 256Mi
      env:
        - name: OAUTH2_PROXY_PROVIDER
          value: "oidc"
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: "https://dex.example.com/idp/"
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "oauth2-proxy"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy-secret
              key: client-secret

  # Dex deployment configuration
  dex:
    replicas: 2
    dex:
      resources:
        requests:
          cpu: 100m
          memory: 256Mi
        limits:
          cpu: 500m
          memory: 512Mi
      env:
        - name: DEX_LOG_LEVEL
          value: "debug"
        - name: DEX_STORAGE_TYPE
          value: "kubernetes"
    config:
      hostname: "dex.example.com"
      port: "9443"
      enablePasswordDB: true
      passwordConnector: "local"
      configureLoginWithOpenShift: true
      connectors:
        - type: "github"
          id: "github"
          name: "GitHub"
          config:
            clientID: "$GITHUB_CLIENT_ID"
            clientSecret: "$GITHUB_CLIENT_SECRET"
            redirectURI: "https://dex.example.com/idp/callback"
            orgs:
              - name: "my-org"
                teams:
                  - "developers"
                  - "admins"
              - name: "another-org"
                teams:
                  - "contributors"
        - type: "oidc"
          id: "google"
          name: "Google"
          config:
            clientID: "$GOOGLE_CLIENT_ID"
            clientSecret: "$GOOGLE_CLIENT_SECRET"
            redirectURI: "https://dex.example.com/idp/callback"
            issuer: "https://accounts.google.com"
            groups:
              - "admin@example.com"
        - type: "ldap"
          id: "ldap"
          name: "LDAP"
          config:
            host: "ldap.example.com:636"
            bindDN: "cn=admin,dc=example,dc=com"
            bindPW: "$LDAP_BIND_PASSWORD"
            userSearch:
              baseDN: "ou=Users,dc=example,dc=com"
              filter: "(objectClass=person)"
              username: "uid"
              idAttr: "uid"
              emailAttr: "mail"
              nameAttr: "cn"
            groupSearch:
              baseDN: "ou=Groups,dc=example,dc=com"
              filter: "(objectClass=groupOfNames)"
              nameAttr: "cn"
              userMatchers:
                - userAttr: "DN"
                  groupAttr: "member"
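      # WARNING: Demo users for CI and local development ONLY
      # For production, remove staticPasswords and configure OIDC connectors
      staticPasswords: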
        - email: "user1@konflux.dev"
          # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "user1"
          userID: "7138d2fe-724e-4e86-af8a-db7c4b080e20"
          groups:
            - "konflux-users"
            - "team-alpha"
        - email: "user2@konflux.dev"
          # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "user2"
          userID: "ea8e8ee1-2283-4e03-83d4-b00f8b821b64"
          groups:
            - "konflux-users"
            - "team-beta"
        - email: "admin@konflux.dev"
          # bcrypt hash of the string "admin": $(echo admin | htpasswd -BinC 10 admin | cut -d: -f2)
          hash: REDACTED
          username: "admin"
          userID: "admin-12345-67890-abcdef"
          groups:
            - "konflux-users"
            - "konflux-admins"