helm-charts/charts/proxy/values.yaml at main · kcp-dev/helm-charts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
global:
  ## Reference to one or more secrets to be used when pulling images
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  imagePullSecrets: []
  # - name: "image-pull-secret"
  # or
  # - "image-pull-secret"
externalHostname: ""
kcpFrontProxy:
  enabled: true
  image: ghcr.io/kcp-dev/kcp
  # set this to override the image tag used for kcp-front-proxy (determined by chart appVersion by default).
  tag: ""
  v: "3"
  pullPolicy: IfNotPresent
  tokenAuth:
    enabled: false
    fileName: auth-token.csv
    config: |
        user-1-token,user-1,1111-1111-1111-1111,"team-1"
        admin-token,admin,5555-5555-5555-5555,"system:kcp:admin"
        system-token,system,6666-6666-6666-6666,"system:masters"
  openshiftRoute:
    enabled: false
  ingress:
    enabled: false
    annotations:
      kubernetes.io/ingress.class: "nginx"
      acme.cert-manager.io/http01-edit-in-place: "true"
      # this is ingress-controller-specific and might need configuration
      # depending on the ingress-controller in use.
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    secret: ""
  gateway:
    enabled: false
    className: ""
  service:
    annotations: {}
    # set this to LoadBalancer if you want to publish kcp-front-proxy
    # directly instead of going via Route/Ingress/Gateway resources.
    type: ClusterIP
  # set this if you want kcp-front-proxy to use a specific certificate issuer
  # (e.g. the Let's Encrypt ones in this chart).
  # certificateIssuer:
  #   name: ""
  #   kind: Issuer
  profiling:
    enabled: false
    port: 6060
  resources:
    requests:
      cpu: 100m
      memory: 128Mi
    limits:
      # cpu: 1
      memory: 1Gi
  hostAliases:
    enabled: false
    values:
      - ip: ""
        hostnames: []
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  # The default virtual workspaces run in-process, but you can
  # extend the path mapping to include custom virtual workspaces
  # in the front-proxy's routing.
  additionalPathMappings: []
  #- path: /services/...
  #  backend: https://your-external-virtual-workspaces-server:6443
  # backend_server_ca: /etc/kcp/tls/ca.crt # if your server used a cert from the kcp-server-issuer
  #  proxy_client_cert: /etc/kcp-front-proxy/requestheader-client/tls/kcp/tls.crt
  #  proxy_client_key: /etc/kcp-front-proxy/requestheader-client/tls/kcp/tls.key

  # When running external virtual workspaces, kcp-front-proxy needs
  # access to the CA that signed the VW's serving cert. Unless your
  # VWs all use the kcp-server-issuer, you must mount all additional
  # certificates yourself.
  extraVolumes: []
  # - name: example-vw-serving-cert
  #   secret:
  #     secretName: example-vw-serving-cert
  #     items:
  #       - key: ca.crt
  #         path: ca.crt
  extraVolumeMounts: []
  # - name: example-vw-serving-cert
  #   mountPath: /etc/example-vw-serving-cert
  extraFlags: []

authentication:
  # configMapRef can be set to reference a ConfigMap containing an
  # authentication config. The configMap is mounted to
  # /etc/kcp/authentication. The config is expected to be mounted as
  # `config.yaml`.
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server
  # If this is set oidc settings will be ignored.
  configMapRef:
    name: ""

oidc:
  enabled: false
  caSecretName: ""
  # assuming you're using cert-manager, you want to mount the CA certificate
  # directly and use its tls.crt key; if you instead mount a certificate that
  # is _signed by_ the OIDC CA, then do not use its ca.crt key, as it is the
  # absolute top root CA, the CA that actually signed the cert is one of the
  # certs in the tls.crt chain. As you cannot say "use this Secret, but the
  # second cert in the tls.crt key", it's easier to mount the CA cert secret.
  caSecretKeyName: "tls.crt"

audit:
  enabled: false
  volumeSize: 1Gi
  volumeClassName: ""
  policy:
    dir: /etc/kcp/audit
    fileName: audit-policy.yml
    config: |
      # Log all requests at the Metadata level.
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
      - level: Metadata
  log:
    maxAge: "10"
    maxSize: "250"
    maxBackup: "1"
    dir: /var/audit

certificates:
  name: certs
  kcp:
    pki: true
    certs: true
  frontproxy:
    pki: true
    certs: true
  etcd:
    pki: true
    certs: true
  cache:
    pki: false
    certs: false
  secretTemplate:
    enabled: false
    annotations: {}
    labels: {}
  privateKeys:
    algorithm: RSA
    size: 2048
  subject: {}
  # add additional dns names that should be embedded into the kcp server certificate.
  dnsNames:
  - localhost
letsEncrypt:
  enabled: false
  staging:
    enabled: false
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: ""
  production:
    enabled: false
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: ""

sharding:
  enabled: false
  isRoot: true # set this to true for the first (root) shard, false for all other shards.
  rootShardInternalHostname: "" # set this to the internal hostname of the root shard.