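# Copyright 2024-2026 Defense Unicorns
# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial

# UDS bundle for a k3d development cluster: the uds-k3d dev stack, the Zarf init
# package and the locally built UDS Core package (../../build/). Every `variables`
# entry below is a deploy-time knob; entries without a `default` must be supplied
# at deploy time, and none of the credential-carrying ones should ever get a
# committed default in this file.
kind: UDSBundle
metadata:
  name: k3d-core-demo
  description: A UDS bundle for deploying the standard UDS Core package on a development cluster
  # x-release-please-start-version
  version: "1.5.0"
  # x-release-please-end

packages:
  - name: uds-k3d-dev
    repository: ghcr.io/defenseunicorns/packages/uds-k3d
    ref: 0.20.0-airgap
    overrides:
      uds-dev-stack:
        minio:
          variables:
            - name: BUCKETS
              description: "Set Minio Buckets"
              path: buckets
            - name: SVCACCTS
              description: "Minio Service Accounts"
              path: svcaccts
            - name: USERS
              description: "Minio Users"
              path: users
            - name: POLICIES
              description: "Minio policies"
              path: policies

  - name: init
    repository: ghcr.io/zarf-dev/packages/init
    ref: v0.76.0

  - name: core
    # Consumes the locally built core package rather than a registry ref.
    path: ../../build/
    # x-release-please-start-version
    ref: 1.5.0
    # x-release-please-end
    optionalComponents:
      - istio-passthrough-gateway
      - istio-egress-gateway
      - metrics-server
      - envoy-gateway
    overrides:
      pepr-uds-core:
        module:
          variables:
            - name: PEPR_WATCHER_MEMORY_REQUEST
              description: "Memory requests for the pepr watcher pod"
              path: "watcher.resources.requests.memory"
              default: "256Mi"
            - name: PEPR_ADMISSION_MEMORY_REQUEST
              description: "Memory requests for the pepr admission pods"
              path: "admission.resources.requests.memory"
              default: "256Mi"
            - name: PEPR_WATCHER_CPU_REQUEST
              description: "CPU requests for the pepr watcher pod"
              path: "watcher.resources.requests.cpu"
              default: "200m"
            - name: PEPR_ADMISSION_CPU_REQUEST
              description: "CPU requests for the pepr admission pods"
              path: "admission.resources.requests.cpu"
              default: "200m"

      loki:
        loki:
          variables:
            - name: LOKI_CHUNKS_BUCKET
              description: "The object storage bucket for Loki chunks"
              path: loki.storage.bucketNames.chunks
            - name: LOKI_RULER_BUCKET
              description: "The object storage bucket for Loki ruler"
              path: loki.storage.bucketNames.ruler
            - name: LOKI_ADMIN_BUCKET
              description: "The object storage bucket for Loki admin"
              path: loki.storage.bucketNames.admin
            - name: LOKI_S3_ENDPOINT
              description: "The S3 endpoint"
              path: loki.storage.s3.endpoint
            - name: LOKI_S3_REGION
              description: "The S3 region"
              path: loki.storage.s3.region
            # Object-storage credentials: intentionally no default. Supply them at
            # deploy time; do not commit a value here.
            - name: LOKI_S3_ACCESS_KEY_ID
              description: "The S3 Access Key ID"
              path: loki.storage.s3.accessKeyId
            - name: LOKI_S3_SECRET_ACCESS_KEY
              path: loki.storage.s3.secretAccessKey
              description: "The S3 Secret Access Key"
            # NOTE: Loki write/read/backend replicas are scaled down to 1 to reduce resource
            # consumption for demo and CI scenarios. These values are not recommended or supported
            # for production and are known to cause issues in some scenarios.
            - name: LOKI_WRITE_REPLICAS
              path: write.replicas
              description: "Loki write replicas"
              default: "1"
            - name: LOKI_READ_REPLICAS
              path: read.replicas
              description: "Loki read replicas"
              default: "1"
            - name: LOKI_BACKEND_REPLICAS
              path: backend.replicas
              description: "Loki backend replicas"
              default: "1"

      istio-admin-gateway:
        uds-istio-config:
          variables:
            # Gateway TLS material: no defaults. The private key is a secret and must
            # be supplied at deploy time, never committed to this file.
            - name: ADMIN_TLS_CERT
              description: "The TLS cert for the admin gateway (must be base64 encoded)"
              path: tls.cert
            - name: ADMIN_TLS_KEY
              description: "The TLS key for the admin gateway (must be base64 encoded)"
              path: tls.key
            # Admits TLS 1.2 clients on this gateway; leave unset unless a client
            # actually requires it.
            - name: ADMIN_TLS1_2_SUPPORT
              description: "Add support for TLS 1.2 on this gateway"
              path: tls.supportTLSV1_2

      istio-tenant-gateway:
        uds-istio-config:
          variables:
            # Gateway TLS material: no defaults. The private key is a secret and must
            # be supplied at deploy time, never committed to this file.
            - name: TENANT_TLS_CERT
              description: "The TLS cert for the tenant gateway (must be base64 encoded)"
              path: tls.cert
            - name: TENANT_TLS_KEY
              description: "The TLS key for the tenant gateway (must be base64 encoded)"
              path: tls.key
            # Admits TLS 1.2 clients on this gateway; leave unset unless a client
            # actually requires it.
            - name: TENANT_TLS1_2_SUPPORT
              description: "Add support for TLS 1.2 on this gateway"
              path: tls.supportTLSV1_2
        gateway:
          variables:
            # Every port listed here is reachable from outside the cluster through
            # the tenant LoadBalancer; keep the list to what is actually needed.
            - name: TENANT_SERVICE_PORTS
              description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)"
              path: "service.ports"

      authservice:
        authservice:
          variables:
            - name: AUTHSERVICE_REPLICA_COUNT
              description: "Number of authservice replicas"
              default: 1
              path: replicaCount

      keycloak:
        keycloak:
          variables:
            # Dev/test only (see description): leave unset for anything beyond a
            # development cluster.
            - name: INSECURE_ADMIN_PASSWORD_GENERATION
              description: "Generate an insecure admin password for dev/test"
              path: insecureAdminPasswordGeneration.enabled
            - name: KEYCLOAK_HA
              description: "Enable Keycloak HA"
              path: autoscaling.enabled
            - name: KEYCLOAK_PG_USERNAME
              description: "Keycloak Postgres username"
              path: postgresql.username
            # Database credential: no default; supply at deploy time.
            - name: KEYCLOAK_PG_PASSWORD
              description: "Keycloak Postgres password"
              path: postgresql.password
            - name: KEYCLOAK_PG_DATABASE
              description: "Keycloak Postgres database"
              path: postgresql.database
            - name: KEYCLOAK_PG_HOST
              description: "Keycloak Postgres host"
              path: postgresql.host
            - name: KEYCLOAK_DEVMODE
              description: "Enables Keycloak dev mode"
              path: devMode
            # This is a workaround for Keycloak and Kernel 6.12+ memory issue. It will be removed once
            # https://github.com/defenseunicorns/uds-core/issues/1212 is sorted
            # Index-based path: this variable rewrites the value of the env[0] entry
            # that the `values` block below sets; keep the two in sync.
            - name: KEYCLOAK_HEAP_OPTIONS
              description: "Sets the JAVA_OPTS_KC_HEAP environment variable in Keycloak"
              path: env[0].value
            - name: KEYCLOAK_EXTRA_VOLUME_MOUNTS
              description: "Extra volume mounts for Keycloak"
              path: extraVolumeMounts
            - name: KEYCLOAK_EXTRA_VOLUMES
              description: "Extra volumes for Keycloak"
              path: extraVolumes
            - name: KEYCLOAK_TRUSTSTORE_PATHS
              description: "Truststore paths for Keycloak"
              path: truststorePaths
            - name: KEYCLOAK_CUSTOM_TERMS_AND_CONDITIONS
              description: "Custom terms and conditions for the Keycloak login page"
              path: "themeCustomizations.termsAndConditions.text.inline"
              default: ""
          values:
            - path: detailedObservability.alerts.enabled
              value: true
            # Google IdP settings baked in for the demo realm (sso.uds.dev). Only
            # identifiers and the IdP's signing certificate belong here; no private
            # key material.
            - path: realmInitEnv
              value:
                GOOGLE_IDP_ENABLED: true
                GOOGLE_IDP_ID: "C01881u7t"
                GOOGLE_IDP_SIGNING_CERT: "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"
                GOOGLE_IDP_NAME_ID_FORMAT: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                GOOGLE_IDP_CORE_ENTITY_ID: "https://sso.uds.dev/realms/uds"
                GOOGLE_IDP_ADMIN_GROUP: "uds-core-dev-admin"
                GOOGLE_IDP_AUDITOR_GROUP: "uds-core-dev-auditor"
            # Paired with KEYCLOAK_HEAP_OPTIONS above (path env[0].value).
            - path: env[0]
              value:
                name: JAVA_OPTS_KC_HEAP
                value: "-XX:MaxRAMPercentage=70 -XX:MinRAMPercentage=70 -XX:InitialRAMPercentage=50 -XX:MaxRAM=1G"

      grafana:
        grafana:
          variables:
            - name: GRAFANA_EXTRA_CONFIGMAP_MOUNTS
              description: "Extra ConfigMap mounts for Grafana"
              path: extraConfigmapMounts
            - name: GRAFANA_HA
              description: "Enable HA Grafana"
              path: autoscaling.enabled
        uds-grafana-config:
          variables:
            - name: GRAFANA_PG_HOST
              description: "Grafana postgresql host"
              path: postgresql.host
            - name: GRAFANA_PG_PORT
              description: "Grafana postgresql port"
              path: postgresql.port
            - name: GRAFANA_PG_DATABASE
              description: "Grafana postgresql database"
              path: postgresql.database
            # Database credential: no default; supply at deploy time.
            - name: GRAFANA_PG_PASSWORD
              description: "Grafana postgresql password"
              path: postgresql.password
            - name: GRAFANA_PG_USER
              description: "Grafana postgresql username"
              path: postgresql.user
            - name: GRAFANA_PG_SSL_MODE
              description: "Grafana postgresql SSL mode"
              path: postgresql.ssl_mode

      velero:
        velero:
          values:
            - path: "configuration.backupStorageLocation"
              value:
                - name: default
                  provider: aws
                  bucket: "uds"
                  prefix: "backups"
                  config:
                    region: "uds-dev-stack"
                    s3ForcePathStyle: true
                    # Plain-HTTP endpoint to the in-cluster dev-stack MinIO; appropriate
                    # only for the development cluster this bundle targets.
                    s3Url: "http://minio.uds-dev-stack.svc.cluster.local:9000"
                  # Credentials are read from this Secret, not from this file.
                  credential:
                    name: "velero-bucket-credentials"
                    key: "cloud"

      falco:
        falco:
          values:
            - path: "falcosidekick.replicaCount"
              value: 1
        uds-falco-config:
          variables:
            - name: FALCO_SANDBOX_RULES_ENABLED
              description: "Enable sandbox rules"
              path: sandboxRulesEnabled
            - name: FALCO_INCUBATING_RULES_ENABLED
              description: "Enable incubating rules"
              path: incubatingRulesEnabled
            # Every rule listed here is a detection that will no longer fire; review
            # the list rather than disabling rules to silence noise.
            - name: FALCO_DISABLED_RULES
              description: "Disable specific rules"
              path: disabledRules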