values.yaml

# -- Global setting, passed down to all pods
global:
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

# -- Number of replicas in deployment
replicaCount: 1
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- The Controller have CREATE and READ access to all Secrets in the namespaces listed below.
enabledNamespaces: []

# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others
singleNamespaceMode: false

image:
  # -- Ory Hydra-maester image
  repository: oryd/hydra-maester
  # -- Ory Hydra-maester version
  tag: v0.0.39
  # -- Image pull policy
  pullPolicy: IfNotPresent

# -- Image pull secrets
imagePullSecrets: []

# -- Pod priority
## https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""

## -- Connection data to admin service of Hydra
adminService:
  # -- Service name
  name:
  # -- Service port
  port: 4445
  # -- Set the clients endpoint, should be `/clients` for Hydra 1.x and
  # `/admin/clients` for Hydra 2.x
  endpoint: /admin/clients
  # -- Scheme used by Hydra client endpoint. May be "http" or "https"
  scheme: http
  # -- TLS ca-cert path for hydra client
  tlsTrustStorePath: ""
  # -- Skip http client insecure verification
  insecureSkipVerify: false

forwardedProto:

## -- Deployment specific config
deployment:
  resources: {}
    #  We usually recommend not to specify default resources and to leave this as a conscious
    #  choice for the user. This also increases chances charts run on environments with little
    #  resources, such as Minikube. If you do want to specify resources, uncomment the following
    #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 30Mi
    # requests:
    #   cpu: 100m
    #   memory: 20Mi

  # -- To set extra env vars for the container.
  extraEnv: []

  # -- If you want to mount external volume
  extraVolumes: []
  # - name: my-volume
  #   secret:
  #     secretName: my-secret
  extraVolumeMounts: []
  # - name: my-volume
  #   mountPath: /etc/secrets/my-secret
  #   readOnly: true

  ## -- pod securityContext
  podSecurityContext:
    fsGroupChangePolicy: "OnRootMismatch"
    runAsNonRoot: true
    runAsUser: 65534
    fsGroup: 65534
    runAsGroup: 65534
    seccompProfile:
      type: RuntimeDefault

  ## -- container securityContext
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    privileged: false
    seLinuxOptions:
      level: "s0:c123,c456"

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  #   foo: bar

  # -- Configure node tolerations.
  tolerations: []
  # -- Deployment level extra annotations
  extraAnnotations: {}
  # -- Deployment level extra labels
  extraLabels: {}

  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: hydra
  #       app.kubernetes.io/instance: hydra

  # -- Configure pod dnsConfig.
  dnsConfig: {}
  #   options:
  #     - name: "ndots"
  #       value: "1"

  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

  # https://github.com/kubernetes/kubernetes/issues/57601
  # -- This applications connects to the k8s API and requires the permissions
  automountServiceAccountToken: true

  terminationGracePeriodSeconds: 60

  # -- Arguments to be passed to the program
  args:
    # -- The minimum frequency at which watched resources are reconciled
    syncPeriod: ""
    # syncPeriod: 10h

  # -- Configure service account
  serviceAccount:
    # -- Annotations to add to the service account
    annotations: {}

# -- Configure node affinity
affinity: {}

## -- PodDistributionBudget configuration
pdb:
  enabled: false
  spec:
    minAvailable: ""
    maxUnavailable: ""

## -- Service configurations
service:
  ## -- Metrics service
  metrics:
    enabled: false
    type: ClusterIP
    ## -- The load balancer IP
    loadBalancerIP: ""
    name: http-metrics
    port: 8080
    annotations: {}

## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
  # -- HTTP scheme to use for scraping.
  scheme: http
  # -- Interval at which metrics should be scraped
  scrapeInterval: 60s
  # -- Timeout after which the scrape is ended
  scrapeTimeout: 30s
  # -- Relabeling is a powerful tool to dynamically rewrite the label set of a target before it gets scraped.
  # Reference: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
  relabelings: []
  # -- Metric relabeling is applied to samples as the last step before ingestion.
  # Reference: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
  metricRelabelings: []
  # -- Provide additional labels to the ServiceMonitor resource metadata
  labels: {}
  # -- TLS configuration to use when scraping the endpoint
  tlsConfig: {}