E6Console
API Version: e6data.io/v1alpha1
Kind: E6Console
Short Names: ec
1. Purpose
E6Console manages the E6Data control plane UI and API server as a combined deployment. It provides:
- Web-based management interface for all E6Data CRDs (QueryService, Catalogs, TrafficInfra, etc.)
- REST API server for programmatic access to E6Data resources
- Static UI serving bundled with the Go API server in a single container
- Optional AuthGateway integration for authentication
- Direct Ingress support for simpler deployments
The console provides a unified interface for managing your E6Data infrastructure without needing to use kubectl directly.
2. High-level Behavior
When you create an E6Console CR, the operator:
- Creates ServiceAccount and RBAC for cluster-wide E6Data resource access
- Deploys console pods running the combined UI + API server
- Creates ClusterIP service for internal access
- Optionally creates Ingress for direct external access
- Optionally integrates with AuthGateway for authenticated access
Architecture
                    ┌─────────────────────────────────────────┐
                    │                E6Console                │
                    │                                         │
                    │  ┌─────────────┐  ┌─────────────────┐   │
Internet ──────────▶│  │  React UI   │  │  Go API Server  │   │
(via Ingress or     │  │  (Static)   │──│  /api/v1/*      │   │
AuthGateway)        │  └─────────────┘  └────────┬────────┘   │
                    │                            │            │
                    └────────────────────────────┼────────────┘
                                                 │
                                                 ▼
                    ┌─────────────────────────────────────────┐
                    │          Kubernetes API Server          │
                    │                                         │
                    │  QueryServices  Catalogs  TrafficInfra  │
                    │  MetadataServices  AuthGateways  etc.   │
                    └─────────────────────────────────────────┘
Prerequisites
- Cluster-wide access to E6Data CRDs (operator manages RBAC)
- AuthGateway (optional, for authenticated access)
- Ingress controller (optional, for direct ingress)
Child Resources Created
| Resource Type | Name Pattern | Purpose |
| ServiceAccount | {name}-console | Identity for API access |
| ClusterRole | {name}-console | E6Data CRD read/write permissions |
| ClusterRoleBinding | {name}-console | Binds role to service account |
| Deployment | {name}-console | Console pods |
| Service | {name}-console | ClusterIP service |
| Ingress | {name}-console | External access (if enabled) |
3. Spec Reference
E6ConsoleSpec
| Field | Type | Required | Default | Description |
| replicas | int32 | No | 2 | Number of console replicas |
| image | E6ConsoleImageSpec | No | See below | Container image configuration |
| resources | E6ConsoleResourceSpec | No | See below | CPU/memory resources |
| service | E6ConsoleServiceSpec | No | See below | Service configuration |
| ingress | E6ConsoleIngressSpec | No | - | Direct ingress configuration |
| authGatewayRef | E6ConsoleAuthGatewayRef | No | - | AuthGateway integration |
E6ConsoleImageSpec
| Field | Type | Required | Default | Description |
| repository | string | No | e6data | Container registry |
| name | string | No | e6-console | Image name |
| tag | string | No | latest | Image tag |
| pullPolicy | string | No | IfNotPresent | Pull policy (Always, IfNotPresent, Never) |
| pullSecrets | []string | No | - | List of secret names for pulling the image |
E6ConsoleResourceSpec
| Field | Type | Required | Default | Description |
| cpu | string | No | 200m | CPU request/limit |
| memory | string | No | 256Mi | Memory request/limit |
E6ConsoleServiceSpec
| Field | Type | Required | Default | Description |
| type | string | No | ClusterIP | Service type (ClusterIP, LoadBalancer, NodePort) |
| port | int32 | No | 8080 | Service port |
| annotations | map[string]string | No | - | Service annotations |
E6ConsoleIngressSpec
| Field | Type | Required | Default | Description |
| enabled | bool | No | false | Enable ingress creation |
| host | string | No | - | Ingress hostname |
| ingressClassName | string | No | - | Ingress class to use |
| tls | E6ConsoleIngressTLSSpec | No | - | TLS configuration |
| annotations | map[string]string | No | - | Ingress annotations |
E6ConsoleIngressTLSSpec
| Field | Type | Required | Default | Description |
| enabled | bool | No | false | Enable TLS |
| secretName | string | No | - | TLS secret name |
E6ConsoleAuthGatewayRef
| Field | Type | Required | Default | Description |
| name | string | Yes | - | AuthGateway name |
| namespace | string | No | Same namespace | AuthGateway namespace |
| pathPrefix | string | No | / | Path prefix in AuthGateway |
4. Status Reference
E6ConsoleStatus
| Field | Type | Description |
| phase | string | Current phase (Pending, Deploying, Ready, Degraded, Failed) |
| message | string | Human-readable status message |
| endpoint | string | URL to access the console |
| readyReplicas | int32 | Number of ready replicas |
| conditions | []metav1.Condition | Detailed condition information |
| observedGeneration | int64 | Last observed generation |
| lastTransitionTime | metav1.Time | Last status change time |
Phase Values
| Phase | Description |
| Pending | Waiting for dependencies |
| Deploying | Creating/updating resources |
| Ready | All replicas healthy |
| Degraded | Partial availability |
| Failed | Deployment failed |
5. Example CRs
Basic Console (ClusterIP only)
apiVersion: e6data.io/v1alpha1
kind: E6Console
metadata:
  name: console
  namespace: e6data-system
spec:
  replicas: 2
  image:
    repository: e6data
    name: e6-console
    tag: latest
  resources:
    cpu: "200m"
    memory: "256Mi"
  service:
    type: ClusterIP
    port: 8080
Console with Direct Ingress
apiVersion: e6data.io/v1alpha1
kind: E6Console
metadata:
  name: console
  namespace: e6data-system
spec:
  replicas: 2
  image:
    repository: e6data
    name: e6-console
    tag: v1.0.0
  resources:
    cpu: "500m"
    memory: "512Mi"
  service:
    type: ClusterIP
    port: 8080
  ingress:
    enabled: true
    host: console.e6data.example.com
    ingressClassName: nginx
    tls:
      enabled: true
      secretName: console-tls
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: "50m"
Console with AuthGateway Integration
apiVersion: e6data.io/v1alpha1
kind: E6Console
metadata:
  name: console
  namespace: poc1
spec:
  replicas: 2
  image:
    repository: e6data
    name: e6-console
    tag: v1.0.0
  resources:
    cpu: "500m"
    memory: "512Mi"
  service:
    type: ClusterIP
    port: 8080
  # Expose through AuthGateway for authentication
  authGatewayRef:
    name: poc1-auth
    namespace: poc1
    pathPrefix: /console
Console with Private Registry (imagePullSecrets)
apiVersion: e6data.io/v1alpha1
kind: E6Console
metadata:
  name: console
  namespace: poc1
spec:
  replicas: 2
  image:
    repository: us-docker.pkg.dev/e6data-analytics/e6data
    name: e6-console
    tag: "1.0.6"
    pullPolicy: Always
    pullSecrets:
      - gcr-key # Secret containing registry credentials
  resources:
    cpu: "500m"
    memory: "512Mi"
  service:
    type: ClusterIP
    port: 8080
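The example CRs above differ mainly in how the console is reached and which image tag runs. The following check is an added example, not part of the E6Data operator: it reviews an E6Console spec (as a dict) for exposure settings worth a second look before applying. The function name and review codes are hypothetical, and it assumes that authGatewayRef is the only authentication layer the CR can declare, which the page implies but does not state.

```python
# Field defaults taken from the Spec Reference tables on this page.
DEFAULT_TAG = "latest"
DEFAULT_SERVICE_TYPE = "ClusterIP"


def review_console_spec(cr):
    """Return review codes for one E6Console CR given as a dict."""
    spec = cr.get("spec", {})
    codes = []
    # A mutable tag lets the running image change without a spec change.
    if spec.get("image", {}).get("tag", DEFAULT_TAG) == "latest":
        codes.append("mutable-image-tag")
    ingress = spec.get("ingress") or {}
    tls = ingress.get("tls") or {}
    paths = []  # ways the console is reachable from outside the cluster
    if ingress.get("enabled", False):
        paths.append("ingress")
        if not tls.get("enabled", False):
            codes.append("ingress-without-tls")
        elif not tls.get("secretName"):
            codes.append("tls-without-secret")
    svc_type = spec.get("service", {}).get("type", DEFAULT_SERVICE_TYPE)
    if svc_type in ("LoadBalancer", "NodePort"):
        paths.append("service:" + svc_type)
    # Assumption: authGatewayRef is the only authentication layer the CR can
    # declare, so an exposed console without it needs a manual check.
    if paths and not spec.get("authGatewayRef"):
        codes.append("exposed-without-authgateway")
    return codes


# Constructed from the example CRs on this page (only the fields the check reads).
BASIC = {"spec": {"image": {"tag": "latest"}, "service": {"type": "ClusterIP"}}}
DIRECT_INGRESS = {"spec": {
    "image": {"tag": "v1.0.0"}, "service": {"type": "ClusterIP"},
    "ingress": {"enabled": True, "host": "console.e6data.example.com",
                "tls": {"enabled": True, "secretName": "console-tls"}}}}
AUTH_GATEWAY = {"spec": {
    "image": {"tag": "v1.0.0"}, "service": {"type": "ClusterIP"},
    "authGatewayRef": {"name": "poc1-auth", "namespace": "poc1",
                       "pathPrefix": "/console"}}}

if __name__ == "__main__":
    for name, cr in [("basic", BASIC), ("ingress", DIRECT_INGRESS),
                     ("authgateway", AUTH_GATEWAY)]:
        print(name, review_console_spec(cr))
```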
6. RBAC Permissions
The E6Console controller automatically creates a ClusterRole and ClusterRoleBinding for the console's service account. The naming pattern is {name}-console-{namespace} to avoid conflicts across namespaces.
Auto-created ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {name}-console-{namespace} # e.g., console-console-poc1
rules:
  # Full access to all E6Data CRDs
  - apiGroups: ["e6data.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only access to core Kubernetes resources
  - apiGroups: [""]
    resources: ["namespaces", "secrets", "configmaps", "services", "pods"]
    verbs: ["get", "list", "watch"]
  # Read-only access to workload controllers
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
Auto-created ClusterRoleBinding:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {name}-console-{namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {name}-console-{namespace}
subjects:
  - kind: ServiceAccount
    name: {name}-console
    namespace: {namespace}
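Because the role above is bound with a ClusterRoleBinding, each rule applies in every namespace. The following audit is an added example, not part of the E6Data operator: it walks a ClusterRole in the JSON shape that kubectl returns and reports wildcard grants, cluster-wide Secret reads and write verbs outside e6data.io. The function name and severity labels are hypothetical; the input is the page's rule set, embedded as constructed JSON.

```python
import json

# Constructed input: the auto-created ClusterRole rules shown above, in the
# JSON shape returned by `kubectl get clusterrole <name> -o json`.
CLUSTER_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "console-console-poc1"},
 "rules": [
  {"apiGroups": ["e6data.io"], "resources": ["*"],
   "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
  {"apiGroups": [""],
   "resources": ["namespaces", "secrets", "configmaps", "services", "pods"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
   "verbs": ["get", "list", "watch"]}]}
""")

READ_VERBS = {"get", "list", "watch"}


def audit_cluster_role(role):
    """Return (severity, rule_index, message) findings for a ClusterRole dict."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        scoped = bool(rule.get("resourceNames"))  # rule limited to named objects
        any_resource = "*" in resources
        can_read = bool(verbs & READ_VERBS) or "*" in verbs
        can_write = bool(verbs - READ_VERBS)
        if any_resource or "*" in verbs:
            findings.append(("review", i,
                f"wildcard grant on {sorted(groups)}: covers every current and "
                f"future kind in the group, verbs={sorted(verbs)}"))
        core = "" in groups or "*" in groups
        if core and ("secrets" in resources or any_resource) and can_read and not scoped:
            findings.append(("high", i,
                "cluster-wide read of Secrets: list/watch return Secret data "
                "for every namespace, not only the console's own"))
        if can_write and not groups <= {"e6data.io"}:
            findings.append(("high", i,
                f"write verbs outside e6data.io: {sorted(groups)}"))
    return findings


if __name__ == "__main__":
    for severity, idx, msg in audit_cluster_role(CLUSTER_ROLE):
        print(f"[{severity}] rule {idx}: {msg}")
```

The console's API server calls Kubernetes as this ServiceAccount, so these grants are the upper bound on what a caller of /api/v1/* can reach through it.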
7. API Endpoints
The E6Console API server exposes the following endpoints:
| Endpoint | Method | Description |
| /healthz | GET | Health check |
| /api/v1/namespaces | GET | List namespaces |
| /api/v1/metadataservices | GET, POST | List/create MetadataServices |
| /api/v1/metadataservices/{ns}/{name} | GET, PUT, DELETE | Get/update/delete MetadataServices |
| /api/v1/catalogs | GET, POST | List/create E6Catalogs |
| /api/v1/catalogs/{ns}/{name} | GET, PUT, DELETE | Get/update/delete E6Catalog |
| /api/v1/catalogs/{ns}/{name}/refresh | POST | Trigger catalog refresh |
| /api/v1/queryservices | GET, POST | List/create QueryServices |
| /api/v1/queryservices/{ns}/{name} | GET, PUT, DELETE | Get/update/delete QueryService |
| /api/v1/queryservices/{ns}/{name}/suspend | POST | Suspend QueryService |
| /api/v1/queryservices/{ns}/{name}/resume | POST | Resume QueryService |
| /api/v1/queryservices/{ns}/{name}/scale | POST | Scale QueryService |
| /api/v1/trafficinfras | GET, POST | List/create TrafficInfras |
| /api/v1/trafficinfras/{ns}/{name} | GET, PUT, DELETE | Get/update/delete TrafficInfra |
| /api/v1/authgateways | GET, POST | List/create AuthGateways |
| /api/v1/authgateways/{ns}/{name} | GET, PUT, DELETE | Get/update/delete AuthGateway |
| /api/v1/namespaceconfigs | GET, POST | List/create NamespaceConfigs |
| /api/v1/namespaceconfigs/{ns}/{name} | GET, PUT, DELETE | Get/update/delete NamespaceConfig |
| /api/v1/pools | GET, POST | List/create Pools |
| /api/v1/pools/{ns}/{name} | GET, PUT, DELETE | Get/update/delete Pool |
| /api/v1/monitoringservices | GET, POST | List/create MonitoringServices |
| /api/v1/monitoringservices/{ns}/{name} | GET, PUT, DELETE | Get/update/delete MonitoringServices |
| /api/v1/catalogrefreshschedules | GET, POST | List/create schedules |
| /api/v1/catalogrefreshschedules/{ns}/{name} | GET, PUT, DELETE | Get/update/delete schedule |
8. Troubleshooting
Console pods not starting
# Check pod status
kubectl get pods -l app.kubernetes.io/name=e6-console
# Check pod logs
kubectl logs -l app.kubernetes.io/name=e6-console
# Check RBAC
kubectl auth can-i list queryservices.e6data.io --as=system:serviceaccount:{namespace}:{name}-console
API returning 403 errors
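The console ServiceAccount may not have the RBAC it needs. Section 6 gives the ClusterRole and ClusterRoleBinding name as {name}-console-{namespace}; use that form if the lookups below return NotFound: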
# Check ClusterRoleBinding
kubectl get clusterrolebinding {name}-console -o yaml
# Verify role permissions
kubectl get clusterrole {name}-console -o yaml
UI not loading
# Check if UI files are mounted
kubectl exec -it deploy/{name}-console -- ls /app/ui/
# Check environment variables
kubectl exec -it deploy/{name}-console -- env | grep UI_PATH