Home / BeaverDeck / Docs / Configuration Guide / Auth config reference

Auth Config Reference

This page documents the complete YAML snapshot stored in the auth configuration Secret. The same format is produced by Admin export, accepted by Admin import, and loaded from the Secret during startup.

Permissions: application import/export requires mode: admin. Manual Secret inspection or replacement requires Kubernetes Secret permissions for the operator. At runtime, the BeaverDeck ServiceAccount must be able to get, create, and update the configured Secret.

Before applying: replace every REPLACE_* value. The example contains no usable credentials. Generate real bdk1$... hashes as described on the Password hashes page.

Complete Secret Example

apiVersion: v1
kind: Secret
metadata:
  name: beaverdeck-config
  namespace: beaverdeck
  labels:
    app.kubernetes.io/name: beaverdeck
    app.kubernetes.io/component: config
type: Opaque
stringData:
  config.yaml: |
    schema_version: 1
    initialized: true
    roles:
      - name: admin
        mode: admin
      - name: platform-operator
        mode: viewer
        permissions:
          namespaces:
            - apps
            - monitoring
          resources:
            pods: view
            workloads: edit
            nodes: view
            services: view
            ingresses: view
            configmaps: view
            secrets: view
            pvcs: view
            events: view
            insights: edit
            exec: edit
            apply: edit
    users:
      - username: admin
        role: admin
        password_hash: bdk1$180000$<REPLACE_SALT_HEX>$<REPLACE_DIGEST_HEX>
      - username: local-operator
        role: platform-operator
        password_hash: bdk1$180000$<REPLACE_SALT_HEX>$<REPLACE_DIGEST_HEX>
    google:
      config:
        client_id: REPLACE_GOOGLE_CLIENT_ID
        client_secret: REPLACE_GOOGLE_CLIENT_SECRET
        hosted_domain: example.com
        service_account_json: |-
          {
            "type": "service_account",
            "project_id": "REPLACE_GOOGLE_PROJECT_ID",
            "private_key_id": "REPLACE_GOOGLE_PRIVATE_KEY_ID",
            "private_key": "-----BEGIN PRIVATE KEY-----\nREPLACE_GOOGLE_PRIVATE_KEY\n-----END PRIVATE KEY-----\n",
            "client_email": "REPLACE_SERVICE_ACCOUNT@example-project.iam.gserviceaccount.com",
            "client_id": "REPLACE_GOOGLE_SERVICE_ACCOUNT_CLIENT_ID",
            "token_uri": "https://oauth2.googleapis.com/token"
          }
        delegated_admin_email: google-admin@example.com
      mappings:
        - group_email: platform-operators@example.com
          role: platform-operator
    oidc:
      config:
        provider_name: OpenID Connect
        issuer_url: https://idp.example.com
        client_id: REPLACE_OIDC_CLIENT_ID
        client_secret: REPLACE_OIDC_CLIENT_SECRET
        scopes: openid email profile groups
        hosted_domain: example.com
        email_claim: email
        groups_claim: groups
      mappings:
        - group_name: platform-operators
          role: platform-operator

To leave a provider disabled, keep all of its credential fields empty and use mappings: []. BeaverDeck supports one Google provider and one generic OIDC provider. Azure Entra ID uses the OIDC block rather than a separate top-level section.

Configure From Scratch

Create a password hash for every local user. Never place a raw or base64-only password in password_hash.
Copy the full Secret manifest to a protected file and replace all placeholders.
Remove the Google or OIDC credentials and mappings for providers you do not use.
Verify that every user and group mapping references an existing role.
Apply the Secret before installing BeaverDeck, or restart BeaverDeck after applying it to an existing installation.
Read the startup log and confirm that auth config import and normalization succeeded.

kubectl apply -f beaverdeck-config-secret.yaml
kubectl -n beaverdeck rollout restart deployment/beaverdeck
kubectl -n beaverdeck logs deployment/beaverdeck

When the Secret is pre-created before the first pod starts, the rollout restart is unnecessary. If an existing Secret is invalid, startup fails without overwriting it. Fix the Secret, or delete it to return to UI initialization.

Top-Level Fields

Field	Required	Description
`schema_version`	No	Current value is `1`. Omitted or zero is normalized to the current version; unsupported versions fail import.
`exported_at`	No	RFC3339 metadata added by export. It can be omitted when creating a Secret manually.
`initialized`	No	Set to `true` for a complete pre-created config. The normalized value is always recomputed from local users and roles.
`roles`	No for admin-only	Role definitions. A missing `admin` role is added automatically; every custom role must be defined here.
`users`	Yes for initialized config	Local users with password hashes and role references.
`google`	No	Google OAuth/Workspace configuration and group mappings. Missing data is normalized to an empty provider.
`oidc`	No	Generic OIDC or Azure Entra ID configuration and group mappings. Missing defaults are filled.

Roles and Users

Field	Description
`roles[].name`	Unique role name. Names are normalized to lowercase.
`roles[].mode`	`admin` grants every BeaverDeck permission; `viewer` uses explicit permissions.
`roles[].permissions.namespaces`	Optional namespace allowlist. Empty or omitted means every namespace allowed by application policy and Kubernetes RBAC.
`roles[].permissions.resources`	Map of permission keys to `view`, `edit`, or `full`. See Permissions.
`users[].username`	Unique local username; duplicate checks are case-insensitive.
`users[].role`	Name of an existing role.
`users[].password_hash`	BeaverDeck `bdk1$...` password verifier. Raw passwords are rejected.

Google Fields

Field	Description
`google.config.client_id`	Google OAuth client ID.
`google.config.client_secret`	Google OAuth client secret.
`google.config.hosted_domain`	Optional Workspace domain restriction; normalized to lowercase.
`google.config.service_account_json`	Service account JSON used for delegated Google Directory group lookup.
`google.config.delegated_admin_email`	Workspace administrator impersonated for group lookup.
`google.config.updated_at`	Optional application-managed timestamp; omit when creating from scratch.
`google.mappings[].group_email`	Unique Google group email.
`google.mappings[].role`	Existing BeaverDeck role assigned to matching group members.

OIDC and Entra Fields

Field	Description
`oidc.config.provider_name`	Login button/provider label. Defaults to `OpenID Connect`.
`oidc.config.issuer_url`	OIDC issuer used for discovery. For Entra, use the tenant-specific v2.0 issuer.
`oidc.config.client_id`	OIDC application client ID.
`oidc.config.client_secret`	OIDC application client secret.
`oidc.config.scopes`	Space-separated scopes. Defaults to `openid email profile groups`; Entra group lookup may also need Microsoft Graph scopes.
`oidc.config.hosted_domain`	Optional email-domain restriction.
`oidc.config.email_claim`	Claim used as the user identity. Defaults to `email`.
`oidc.config.groups_claim`	Claim containing group values. Defaults to `groups`.
`oidc.config.updated_at`	Optional application-managed timestamp; omit when creating from scratch.
`oidc.mappings[].group_name`	Exact OIDC group value. Entra mappings may use a returned group identifier supported by the application.
`oidc.mappings[].role`	Existing BeaverDeck role assigned to matching group members.

Validation and Normalization

The YAML decoder is strict and rejects unknown fields.
The decoded snapshot is limited to 2 MiB.
Duplicate role names, usernames, Google groups, or OIDC groups are rejected.
Every user and mapping must reference an existing role.
An initialized configuration must contain a local user assigned to an admin-mode role.
Missing provider defaults and the default admin role are filled during successful normalization.
After a successful startup import, BeaverDeck writes the normalized YAML back to the same Secret.