Prior to the deployment, depending on the cluster type, you need to generate either the proxying or the serving certificates.
Proxying certificates: Used to secure the communication between Hawtio Online and the Jolokia agents. A client certificate is generated and mounted into the Hawtio Online pod with a secret, to be used for TLS client authentication.
Serving certificates: Used to secure the communication between the client and Hawtio Online.
For Kubernetes, proxying certificates are disabled by default and you don’t need to go through the steps.
This means that client certificate authentication between Hawtio Online and the Jolokia agents is not available by default for Kubernetes, and the Jolokia agents need to disable client certificate authentication so that Hawtio Online can connect to them. You can still use TLS for securing the communication between them.
It is possible to use a proxying client certificate for Hawtio Online on Kubernetes; it requires you to generate or provide a custom CA for the certificate and then mount/configure it into the Jolokia agent for its client certificate authentication.
For Kubernetes, a serving certificate must be generated manually. Run the following script to generate and set up a certificate for Hawtio Online:
$ ./scripts/generate-serving.sh [-k tls.key] [-c tls.crt] [SECRET_NAME] [CN]
$ yarn gen:serving [-k tls.key] [-c tls.crt] [SECRET_NAME] [CN]
You can provide an existing TLS key and certificate by passing parameters -k tls.key and -c tls.crt respectively. Otherwise, a self-signed tls.crt will be generated automatically in the working directory and used for creating the serving certificate secret.
You can optionally pass SECRET_NAME and CN to customise the secret name and Common Name used in the TLS certificate. The default secret name is hawtio-online-tls-serving and CN is
Now you can run the following instructions to deploy the Hawtio Online console on your Kubernetes cluster.
You may want to read how to get started with the CLI for more information about the kubectl client tool.
To deploy the Hawtio Online console on Kubernetes, follow the steps below.
If you have Yarn installed:
$ yarn deploy:k8s:cluster
$ kubectl apply -k deploy/k8s/cluster/
There are two deployment modes you can choose from: cluster and namespace.
Cluster: The Hawtio Online console can discover and connect to hawtio-enabled applications deployed across multiple namespaces / projects.
Namespace: This restricts the Hawtio Online console access to a single namespace / project, and as such acts as a single tenant deployment.
Hawtio Online currently supports the authentication mode form for Kubernetes, which is configured through the HAWTIO_ONLINE_AUTH environment variable on the Deployment.
form: Authenticates requests with bearer tokens through the Hawtio login form.
With the Form authentication mode, any user with a bearer token can be authenticated. See Authenticating for different ways to provide users with bearer tokens.
Here we illustrate how to create a ServiceAccount as a user to log in to the Hawtio console as an example. See Creating a Hawtio user for Form authentication for more details.
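Because Form mode accepts any valid bearer token, it is worth inspecting a ServiceAccount token before handing it to a console user. The following is an added example, not part of the Hawtio documentation or code: it decodes the claims of a ServiceAccount JWT without verifying the signature and flags tokens that never expire, are expired, live too long, or belong to another namespace. The namespace hawtio, the account name hawtio-user and the 24-hour limit are assumptions, and the sample tokens are constructed.

```python
import base64
import json
import time

MAX_LIFETIME_S = 24 * 3600  # assumed policy limit for tokens handed to console users


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def inspect_sa_token(token, expected_namespace, now=None):
    """Decode (NOT verify) a ServiceAccount JWT and return (claims, findings)."""
    now = time.time() if now is None else now
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    findings = []
    sub = claims.get("sub", "")
    fields = sub.split(":")  # system:serviceaccount:<namespace>:<name>
    if fields[:2] != ["system", "serviceaccount"] or len(fields) != 4:
        findings.append("subject is not a ServiceAccount: %r" % sub)
    elif fields[2] != expected_namespace:
        findings.append("token belongs to namespace %r" % fields[2])
    exp = claims.get("exp")
    if exp is None:
        findings.append("no exp claim: token never expires")
    elif exp <= now:
        findings.append("token already expired")
    elif exp - claims.get("iat", now) > MAX_LIFETIME_S:
        findings.append("lifetime exceeds %d s" % MAX_LIFETIME_S)
    return claims, findings


def make_sample_token(claims):
    # Constructed sample: real tokens are signed by the API server; this one is not.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the output is reproducible
    bound = make_sample_token({"sub": "system:serviceaccount:hawtio:hawtio-user",
                               "iat": NOW, "exp": NOW + 3600})
    legacy = make_sample_token({"sub": "system:serviceaccount:default:hawtio-user"})
    for tok in (bound, legacy):
        print(inspect_sa_token(tok, "hawtio", now=NOW)[1])
```

An empty findings list only means the claims look reasonable; the API server still decides whether the token is valid.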