k8s/helm/charts/oathkeeper-maester/values.yaml at 0cc54cc9acb76f6b3f6a8489b8995b20a5cf5e00 · ory/k8s · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# -- Global setting, passed down to all pods
global:
  ## -- Mode for oathkeeper controller possible modes are: controller or sidecar
  ory:
    oathkeeper:
      maester:
        mode: controller
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

# -- Number of controller replicas in deployment mode
replicaCount: 1
# -- Number of revisions kept in history
revisionHistoryLimit: 5
# -- Single namespace mode. If enabled the controller will watch for resources only from namespace it is deployed in, ignoring others
singleNamespaceMode: false

# oathkeeperFullnameOverride: oathkeeper
# -- Defines the Namespace in which the ConfigMap is stored. Defaults to the same Namespace as the ORY Maester Helm release.
rulesConfigmapNamespace: ""
# rulesConfigmapNamespace: some-namespace
# -- Defines the name of the single root-level ConfigMap key used to store the entire array of Access Rules.
# When the ConfigMap is mounted in the Oathkeeper Pod, this becomes also the filename of the "rules file" to the Oathkeeper process. Defaults to `access-rules.json`.
rulesFileName: ""
# rulesFileName: access-rules.json

## -- Image configuration
image:
  # -- ORY Oathkeeper Rule Controller image
  repository: oryd/oathkeeper-maester
  # -- ORY Oathkeeper Rule Controller version
  tag: "v0.1.12"
  # -- Image pull policy
  pullPolicy: IfNotPresent

# -- Image pull secrets
imagePullSecrets: []

## -- Container level security context
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65534
  runAsGroup: 65534
  allowPrivilegeEscalation: false
  privileged: false
  seccompProfile:
    type: RuntimeDefault
  seLinuxOptions:
    level: "s0:c123,c456"

## -- Pod level security context
podSecurityContext:
  fsGroupChangePolicy: "OnRootMismatch"
  runAsNonRoot: true
  runAsUser: 65534
  fsGroup: 65534
  runAsGroup: 65534
  seccompProfile:
    type: RuntimeDefault

## -- Deployment specific configuration
deployment:
  resources: {}
    #  We usually recommend not to specify default resources and to leave this as a conscious
    #  choice for the user. This also increases chances charts run on environments with little
    #  resources, such as Minikube. If you do want to specify resources, uncomment the following
    #  lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 30Mi
    # requests:
    #   cpu: 100m
    #   memory: 20Mi

  # -- Pod priority
  # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  priorityClassName: ""

  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
  #   foo: bar

  # -- Configure node tolerations.
  tolerations: []
  # -- Deployment level extra labels
  extraLabels: {}

  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: oathkeeper-maester
  #       app.kubernetes.io/instance: oathkeeper-maester

  # -- Configure pod dnsConfig.
  dnsConfig: {}
  #   options:
  #     - name: "ndots"
  #       value: "1"

  # -- Configure annotations.
  annotations: {}

  # -- Configure environment variables.
  envs: {}
  # https://github.com/kubernetes/kubernetes/issues/57601
  # This applications connects to the k8s API and requires the permissions
  automountServiceAccountToken: true
  terminationGracePeriodSeconds: 60
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}

  # -- Configure service account
  serviceAccount:
    # -- Annotations to add to the service account
    annotations: {}

## -- Configure node affinity
affinity: {}

## -- PodDistributionBudget configuration
pdb:
  enabled: false
  spec:
    minAvailable: ""
    maxUnavailable: ""