Web UI configuration reference for Lokomotive


Web UI is a web interface to your Lokomotive cluster. It is based on the Headlamp project, an easy-to-use and versatile dashboard for Kubernetes.

It has a clean and modern UI and supports the most common operations for Kubernetes clusters.


  • A Kubernetes cluster accessible via kubectl.

  • An ingress controller such as Contour for HTTP ingress.

  • cert-manager to generate TLS certificates.

  • Optionally dex to use OIDC for authentication.


# web-ui.lokocfg

component "web-ui" {
  ingress {
    host                       = "web-ui.example.lokomotive-k8s.org"
    class                      = "contour"
    certmanager_cluster_issuer = "letsencrypt-production"
  oidc {
    client_id     = var.dex_static_client_clusterauth_id
    client_secret = var.dex_static_client_clusterauth_secret
    issuer_url    = "https://dex.example.lokomotive-k8s.org"

Secrets can be defined in another file (lokocfg.vars) like following:

# A random secret key (create one with `openssl rand -base64 32`)
dex_static_client_clusterauth_secret = "2KBvQkjOZdc3iHt4KSb9GUECdenH/VDl04TwMdSyPcs="
dex_static_client_clusterauth_id     = "clusterauth"


To use OIDC for authentication make sure you first have authentication with Dex and Gangway configured. Additionally, you need to add the Web UI redirect URL to the static_client.redirect_uris argument in the dex configuration.

The Web UI redirect URL is https://web-ui.<CLUSTER_NAME>.<DOMAIN_NAME>/oidc-callback.


  static_client {

    redirect_uris = [..., "https://web-ui.example.lokomotive-k8s.org/oidc-callback"]

Finally, configure the oidc arguments in the Web UI component following the description in the Attribute reference .

Attribute reference

Table of all the arguments accepted by the component.

Argument Description Default Type Required
namespace Namespace where the Web UI will be installed. “lokomotive-system” string false
ingress Configuration block for exposing the Web UI through an Ingress resource. - block false
ingress.host Used as the hosts domain in the Ingress resource for web-ui that is automatically created. - string true
ingress.class Ingress class to use for the Web UI Ingress. contour string false
ingress.certmanager_cluster_issuer ClusterIssuer to be used by cert-manager while issuing TLS certificates. Supported values: letsencrypt-production, letsencrypt-staging. letsencrypt-production string false
oidc Configuration block for setting up OIDC authentication against dex. - block false
oidc.client_id Static client id. It must match the dex static_client name. - string true
oidc.client_secret Static client secret. It must match the dex static_client secret. - string true
oidc.issuer_url Dex’s issuer URL. It must match the dex issuer_host. - string true


To apply the Web UI component:

lokoctl component apply web-ui


To destroy the component:

lokoctl component delete web-ui