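# Recursive
# https://github.com/helm/helm/issues/2247
# https://github.com/Noksa/helm-resolve-deps
# Default values for cert-manager-init.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Several values below are development defaults (Keycloak admin/DB passwords, the Vault
# dev-server root token, the secretsmanagement-operator hvacToken). They are kept verbatim
# so the chart installs out of the box; override them in a per-environment values file.
#
# Keys left empty on purpose (`issuer:`, `cacert:`, the `*PrereleaseSuffix` keys) parse as
# null rather than "". NOTE(review): Helm may merge null and "" differently (null can drop
# the key from the subchart defaults) — confirm before quoting them.
---
global:
  certificate:
    # -- Name of the certificate and webhook |
    appName: "compcrdwebhook"

oda-crds:
  enabled: true

canvas-namespaces:
  enabled: true
  certManagerNamespace: cert-manager
  componentNamespace: components
  istio:
    # -- Add Istio instrumentation label to the components namespace
    labelEnabledComponent: true

cert-manager-init:
  nameOverride: ""
  fullnameOverride: ""
  namespace: canvas
  # The certificate has a default duration of 90d. It rotates automatically, but the server using it doesn't handle that rotation
  # https://github.com/tmforum-oda/oda-canvas-charts/issues/38
  #
  # -- Duration of the certificates generated for the webhook in hours |
  certificateDuration: 21600h
  # Cert-manager gets a lease object in the kube-system namespace to elect a leader.
  # The time to wait for a leader is 60s.
  # The lease can survive across installations, so cainjector can wait up to 60s to become leader.
  # If cainjector is not fully initialized we can find the following error:
  #   cert-manager-init/templates/issuer.yaml failed: Internal error occurred:
  #   failed calling webhook "webhook.cert-manager.io": failed to call webhook:
  #   Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=10s": x509: certificate signed by unknown authority
  # In seconds
  # -- Time to wait for CertManager to be ready, to prevent issuer creation errors
  leaseWaitTimeonStartup: 80

cert-manager:
  enabled: true
  installCRDs: true
  namespace: cert-manager

keycloak:
  enabled: true
  image:
    tag: 20.0.5-debian-11-r2
  # Development credentials for the Keycloak admin user. The same literals are repeated
  # under `controller.credentials` below; override both together.
  auth:
    adminUser: "admin"
    adminPassword: "adpass"
  postgresql:
    enabled: true
    image:
      tag: 15.2.0-debian-11-r31
    # Development database credentials; override per environment.
    auth:
      username: "keycloak"
      password: "keycloakdbuser"
      database: "keycloak"
  # -- Since keycloak 17+, default to / but the controllers work with older versions
  httpRelativePath: "/auth/"
  #proxy: edge
  #tls:
  #  enabled: true
  #  autoGenerated: true
  #extraEnvVars:
  #  - name: PROXY_ADDRESS_FORWARDING
  #    value: "true"
  ##
  # -- Keycloak LoadBalancer and Headless ClusterIp service port
  service:
    # Anchor reused by `keycloak.containerPorts` and `controller.deployment.keycloak`.
    ports: &portKeycloak
      http: 8083
  # -- Keycloak HTTP container port
  containerPorts: *portKeycloak
  # -- Create a myrealm realm with a seccon user
  keycloakConfigCli:
    enabled: true
    image:
      tag: 5.5.0-debian-11-r35
    backoffLimit: 1
    command: ["java", "-jar", "/opt/keycloak-config-cli.jar"]
    configuration:
      myrealm.json: |
        {
          "enabled": true,
          "realm": "myrealm",
          "users": [
            {
              "username": "seccon",
              "email": "[email protected]",
              "enabled": true,
              "firstName": "Security",
              "lastName": "User"
            }
          ]
        }
  ingress:
    enabled: false
    ingressClassName: "traefik"
    hosts:
      - name: keycloak.local
        path: /
    # Plain HTTP when the ingress is enabled; turn TLS on before exposing Keycloak outside the cluster.
    tls: false

controller:
  deployment:
    controllerName: oda-controller
    compconImage: tmforumodacanvas/component-istio-controller
    compconVersion: 0.5.2
    compconPrereleaseSuffix:
    imagePullPolicy: IfNotPresent
    istioGateway: true
    secconImage: tmforumodacanvas/security-listener
    secconVersion: 0.7.1
    secconPrereleaseSuffix:
    monitoredNamespaces: 'components'  # comma separated list of namespaces
    ingressClass:
      enabled: false
      name: nginx
    # Same port mapping as `keycloak.service.ports`.
    keycloak: *portKeycloak
    dataDog:
      enabled: true
  # We reuse the admin user created on keycloak installation
  # (same literals as `keycloak.auth`; keep the two in sync when overriding).
  credentials:
    user: admin
    pass: adpass
  configmap:
    kcrealm: myrealm
    # -- Log level [python] (https://docs.python.org/3/library/logging.html)
    # NOTE(review): quoted here and in dependentapi-simple-operator, unquoted (int) in
    # secretsmanagement-operator.logLevel — presumably each consumer expects its own type; confirm before unifying.
    loglevel: '20'

dependentapi-simple-operator:
  enabled: true
  image: tmforumodacanvas/dependentapi-simple-operator
  version: 0.2.2
  prereleaseSuffix:
  imagePullPolicy: IfNotPresent
  loglevel: '20'

canvas-vault:
  enabled: true
  # changing the auth_path requires changing the encrypted token in secretsmanagement-operator
  # (the same path is also set under `secretsmanagement-operator.auth_path` below).
  auth_path: "jwt-k8s-sman"
  # if issuer is empty, it will be autodetected
  issuer:
  # if cacert is empty it will be autodetected
  cacert:
  vault:
    #fullnameOverride: "canvas-vault-hc"
    nameOverride: "vault-hc"
    global:
      namespace: "canvas-vault"
    server:
      image:
        # last version with MPL license
        tag: "1.14.8"
      # Run Vault in "dev" mode. This requires no further setup, no state management,
      # and no initialization. This is useful for experimenting with Vault without
      # needing to unseal, store keys, et. al. All data is lost on restart - do not
      # use dev mode for anything other than experimenting.
      # See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
      dev:
        enabled: true
        # Set VAULT_DEV_ROOT_TOKEN_ID value. This is the dev server's root token;
        # `secretsmanagement-operator.hvacToken` below carries the same literal.
        devRootToken: "egalegal"
      # Settings for the statefulSet used to run Vault.
      statefulSet:
        # Set the pod and container security contexts.
        # If not set, these will default to, and for *not* OpenShift:
        #   pod:
        #     runAsNonRoot: true
        #     runAsGroup: {{ .Values.server.gid | default 1000 }}
        #     runAsUser: {{ .Values.server.uid | default 100 }}
        #     fsGroup: {{ .Values.server.gid | default 1000 }}
        #   container:
        #     allowPrivilegeEscalation: false
        #
        # If not set, these will default to, and for OpenShift:
        #   pod: {}
        #   container: {}
        securityContext:
          pod:
            fsGroup: 1000
            runAsGroup: 1000
            runAsNonRoot: true
            runAsUser: 100
            supplementalGroups:
              - 1000
          container:
            allowPrivilegeEscalation: false
            privileged: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
      # Enables debug logging.
      debug: true
    injector:
      # True if you want to enable vault agent injection.
      # @default: global.enabled
      enabled: false
      agentImage:
        # last version with MPL license
        tag: "1.14.8"
    csi:
      agent:
        image:
          # last version with MPL license
          tag: "1.14.8"

secretsmanagement-operator:
  image: tmforumodacanvas/secretsmanagement-operator
  version: 0.1.0
  prereleaseSuffix:
  imagePullPolicy: IfNotPresent
  sidecarImage: tmforumodacanvas/secretsmanagement-sidecar
  sidecarVersion: 0.1.0
  sidecarPrereleaseSuffix:
  sidecarImagePullPolicy: IfNotPresent
  # TODO: add TLS to canvas-vault-hc (the operator currently talks to Vault over plain HTTP in-cluster)
  vault_addr: "http://canvas-vault-hc.canvas-vault.svc.cluster.local:8200"
  # the templates can be used to generate cluster specific authenticator and key-value stores, here 'sman'.
  # `auth_path` must match `canvas-vault.auth_path` above.
  auth_path: "jwt-k8s-sman"
  secrets_mount_tpl: "kv-sman-{0}"
  policy_name_tpl: "sman-{0}-policy"
  login_role_tpl: "sman-{0}-role"
  secrets_base_path_tpl: "sidecar"
  # use autodetection to retrieve the value for audience
  autodetectAudience: true
  # as an alternative it can be retrieved manually and set directly:
  #   kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
  #audience: "https://kubernetes.default.svc.cluster.local"
  #audience: "https://container.googleapis.com/v1/projects/tmforum-oda-component-cluster/locations/europe-west3/clusters/ihc-dt"
  # INFO=20, DEBUG=10
  logLevel: 20
  # plaintext token for HashiCorp Vault (same literal as `canvas-vault.vault.server.dev.devRootToken`).
  # In the log files a warning will be shown with the encrypted value, which should be used instead of this
  hvacToken: egalegal
  # encrypted token (can be found in logfile)
  # #hvacTokenEnc:

oda-webhook:
  image: tmforumodacanvas/compcrdwebhook
  version: 0.8.2
  prereleaseSuffix:
  imagePullPolicy: IfNotPresent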