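# An API key is required to connect to the Speedscale cloud.
# If you need a key email support@speedscale.com.
# Prefer apiKeySecret (below) over setting the key here: values files are
# routinely committed to version control and end up in rendered release
# metadata, so a key placed here is hard to keep out of those stores.
apiKey: ""
# A secret name can be referenced instead of the api key itself.
# The secret must be of the format (values under `data` are base64-encoded
# as for any Kubernetes Secret):
#
#   type: Opaque
#   data:
#     SPEEDSCALE_API_KEY: <key>
#     SPEEDSCALE_APP_URL: <appUrl>
apiKeySecret: ""
# Speedscale domain to use.
appUrl: "app.speedscale.com"
# The name of your cluster.
clusterName: "my-cluster"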
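# Speedscale default component image settings
image:
  registry: gcr.io/speedscale
  tag: v2.5.449
  # Always re-pulls the tag on every pod start. A mutable tag can be re-pointed
  # upstream; pin by digest where your deployment tooling allows it if you need
  # a stronger guarantee of exactly which image runs.
  pullPolicy: Always
# Individual tags to be used by specific components. If specified here, the operator will use the given tag
# when creating resources with that component. If not specified, the above default is used.
imageTags:
  nettap: v0.0.65
# Log level for Speedscale components.
logLevel: "info"
# Namespaces to be watched by Speedscale Operator as a list of names.
# NOTE(review): what an empty list means (no namespaces vs. all namespaces) is not
# stated here — confirm against the chart templates before relying on it as a scope limit.
namespaceSelector: []
# Filter Rule to apply to the Speedscale Forwarder
filterRule: "standard"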
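# Data Loss Prevention settings.
dlp:
  # Instructs operator to enable data loss prevention features
  enabled: false
  # Configuration for data loss prevention
  config: "standard"
# If the operator pod/webhooks need to be on the host network.
# This is only needed if the control plane cannot connect directly to a pod
# for eg. if Calico is used as EKS's default networking
# https://docs.tigera.io/calico/3.25/getting-started/kubernetes/managed-public-cloud/eks#install-eks-with-calico-networking
# hostNetwork: true places the pod in the node's network namespace (it can bind
# node ports and see node-local traffic), so keep this false unless required.
hostNetwork: false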
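# A set of annotations to be applied to all Speedscale related deployments,
# services, jobs, pods, etc.
#
# Example:
#   annotation.first: value
#   annotation.second: value
globalAnnotations: {}
# Annotations to be applied to the MutatingWebhookConfiguration and ValidatingWebhookConfiguration resources.
#
# Example (inject CA from an existing secret via cert-manager):
#   cert-manager.io/inject-ca-from-secret: speedscale-webhook-certs
webhookAnnotations: {}
# controls whether Speedscale creates the TLS cert secrets (speedscale-certs and speedscale-webhook-certs).
# Disable if you are managing these secrets externally (e.g. cert-manager).
# When disabled, the secrets must exist with those exact names before installing the chart.
# If you disable this, pair it with a webhookAnnotations CA-injection entry (see above) so the
# webhook configurations trust the externally issued certificate.
createTLSCerts: true
# A set of labels to be applied to all Speedscale related deployments,
# services, jobs, pods, etc.
#
# Example:
#   label1: value
#   label2: value
globalLabels: {}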
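# A global pod security context to be applied to all Speedscale related deployments.
# Certain environments such as OpenShift may require specific settings.
# These defaults (non-root, no privilege escalation, read-only root filesystem,
# all capabilities dropped, RuntimeDefault seccomp) line up with the Pod Security
# "restricted" profile; loosening them may be rejected in namespaces that enforce it.
# NOTE(review): allowPrivilegeEscalation, privileged, readOnlyRootFilesystem and
# capabilities are container-level securityContext fields in the Kubernetes API
# (not PodSecurityContext fields) — confirm how the templates map this key.
globalPodSecurityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  privileged: false
  readOnlyRootFilesystem: true
  runAsUser: 2100
  runAsGroup: 2100
  seccompProfile:
    type: RuntimeDefault
  capabilities:
    drop:
      - ALL
# Pod-level ownership settings (fsGroup/supplementalGroups apply to mounted volumes).
globalSecurityContext:
  runAsNonRoot: true
  fsGroup: 2100
  supplementalGroups: [2100]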
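# A full affinity object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity
affinity: {}
# The list of tolerations as detailed: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
# Defaults tolerate NoSchedule taints keyed on kubernetes.io/arch for both amd64 and arm64 nodes.
tolerations:
  - key: kubernetes.io/arch
    operator: Equal
    value: amd64
    effect: NoSchedule
  - key: kubernetes.io/arch
    operator: Equal
    value: arm64
    effect: NoSchedule
# A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
nodeSelector: {}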
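# Deploy a demo app at startup. Set this to an empty string to not deploy.
# Valid values: ["java", ""]
# The default installs an extra, non-essential workload; set "" for production
# or shared clusters so nothing beyond the Speedscale components is deployed.
deployDemo: "java"
# Proxy connection settings if required by your network. These translate to standard proxy environment
# variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
http_proxy: ""
https_proxy: ""
no_proxy: ""
# control if sidecar init containers should run with privileged set
privilegedSidecars: false
# controls a pre-install job that will create a JKS with standard certs and the Speedscale cert.
# This job requires a root container user, disable if not needed or security policies forbid `runAsNonRoot: true`
# (i.e. environments that require every container to run as non-root).
createJKS: true
# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN)
# Leaving this false means sidecar init containers are granted NET_ADMIN; set true to avoid
# that capability if the feature is not needed.
disableSidecarSmartReverseDNS: false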
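# Operator settings. These limits are recommended unless you have a cluster
# with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.).
operator:
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi
  # how long to wait for the SUT to become ready
  test_prep_timeout: 10m
  # timeout for deploying & upgrading control plane components
  control_plane_timeout: 5m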
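# Default sidecar settings. Example:
#
#   sidecar:
#     resources:
#       limits:
#         cpu: 500m
#         memory: 512Mi
#         ephemeral-storage: 100Mi
#       requests:
#         cpu: 10m
#         memory: 32Mi
#         ephemeral-storage: 100Mi
#     ignore_src_hosts: example.com, example.org
#     ignore_src_ips: 8.8.8.8, 1.1.1.1
#     ignore_dst_hosts: example.com, example.org
#     ignore_dst_ips: 8.8.8.8, 1.1.1.1
#     insert_init_first: false
#     tls_out: false
#     reinitialize_iptables: false
#
# The ignore_* keys take comma-separated strings (as shown), not YAML lists.
sidecar: {}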
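# Forwarder settings
forwarder:
  replicas: 1
  resources:
    limits:
      cpu: "2"
      memory: 512M
    requests:
      cpu: 300m
      memory: 250M
  # exporters configures additional destinations for captured traffic, keyed by name.
  # Each entry specifies an OTel endpoint to ship traffic to, with optional per-exporter
  # filter rule and DLP config overrides. Captured traffic can contain sensitive payloads,
  # so apply a filter rule / DLP config to each exporter and prefer TLS endpoints.
  #
  #   exporters:
  #     my-exporter:
  #       otel_endpoint: http://otelcol.example.com:4317
  #       filter_rule: standard
  #       dlp_config_id: ""
# Instructs operator to deploy resources necessary to interact with your cluster from the Speedscale dashboard.
# This enables control of in-cluster resources from outside the cluster; disable if remote
# interaction from the dashboard is not wanted.
dashboardAccess: true
# Provides access WITHIN the cluster for Speedscale to mount secrets for use as variables during tests. These secrets never leave the cluster.
# An empty list means access to all secrets.
# The default is therefore the broadest grant; list only the secrets tests actually need.
secretAccessList: []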
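# Inspector settings
inspector:
  resources:
    limits:
      cpu: 400m
      memory: 500M
    requests:
      cpu: 200m
      memory: 128M
# Collector settings
collector:
  resources:
    limits:
      cpu: "1"
      memory: 500M
    requests:
      cpu: 300m
      memory: 250M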
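# Resource settings for the components deployed during a replay.
replayComponents:
  generator:
    resources:
      limits:
        cpu: "8"
        memory: 8G
      requests:
        cpu: 200m
        memory: 256M
  redis:
    resources:
      limits:
        cpu: 500m
        memory: 2G
      requests:
        cpu: 100m
        memory: 100M
  responder:
    resources:
      limits:
        cpu: "1.5"
        memory: 500M
      requests:
        cpu: 500m
        memory: 250M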
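# BETA: enable ebpf-based, proxyless traffic capture. To configure, change the capture targets list below to
# the desired namespace and pod selector
ebpf:
  enabled: false
  # Force overwrite the nettap ConfigMap on helm upgrade. Useful for resetting the
  # configuration to chart defaults. Any operator-managed capture targets will be
  # re-added automatically on the next reconciliation loop.
  forceConfigOverwrite: false
  # nettap must run as root in order to inspect the host file system for
  # other running processes (/proc)
  # Root plus SYS_ADMIN/SYS_PTRACE and read access to the host's /proc is effectively
  # node-level privilege: treat the nettap pods as trusted infrastructure, keep
  # capture targets narrowly scoped, and expect these settings to be rejected by
  # restrictive pod security admission.
  # NOTE(review): the nesting of securityContext, resources and configuration under
  # nettap is reconstructed from a flattened listing — confirm against the chart templates.
  nettap:
    capture:
      podSecurityContext:
        capabilities:
          add:
            - BPF
            - PERFMON
            - NET_ADMIN
            - SYS_ADMIN
            - SYS_PTRACE
            - SYS_RESOURCE
          drop:
            - ALL
        privileged: false
        runAsGroup: 0
        runAsUser: 0
    ingest:
      podSecurityContext:
        capabilities:
          add:
            - NET_RAW
          drop:
            - ALL
        privileged: false
        runAsGroup: 0
        runAsUser: 0
    # runAsNonRoot must be false here because the containers above run as UID 0.
    securityContext:
      runAsNonRoot: false
    resources:
      limits:
        cpu: 500m
        memory: 1G
      requests:
        cpu: 100m
        memory: 256M
    configuration:
      # Host paths the capture process reads; these imply host filesystem mounts.
      system:
        cgroupv2Path: /host/sys/fs/cgroup
        procfsPath: /host/proc
        vmlinuxPath: /host/sys/kernel/btf/vmlinux
      logging:
        level: info
        format: json
      capture:
        # targets to be monitored and captured by the ebpf capture process
        targets: []
        # - name: example
        #   namespaceSelector:
        #     matchLabels:
        #       kubernetes.io/metadata.name: example-namespace
        #   podSelector:
        #     matchLabels:
        #       app: example-app
        #   filters:
        #     - port: 9090
        #     - port: 8443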