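# Thunder subchart configuration
#
# NOTE(review): this file was recovered from a listing that had lost its
# indentation. The nesting below was reconstructed from the key names and the
# original key order; verify it against the Thunder chart's values schema
# (helm show values / values.schema.json) before relying on it.
#
# Credential policy for this file: every clientSecret, password, key and cert
# path below is a LOCAL-DEVELOPMENT placeholder. A values file committed to
# version control must never carry production credentials. Override them at
# deploy time (--set / --set-file, a Kubernetes Secret, or an external secret
# manager) rather than editing the defaults here.
thunder:
  deployment:
    replicaCount: 1
    strategy:
      rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
    securityContext:
      # Read-only root filesystem. Must be false for SQLite: the database
      # files under repository/database/ are written on the container
      # filesystem. Moving to an external database (or, if the chart supports
      # it, mounting a writable volume at that path) would allow this to be
      # set back to true.
      readOnlyRootFilesystem: false
      enableRunAsUser: true
      fsGroup: 10001
      runAsUser: 10001
      seccompProfile:
        enabled: true
        type: RuntimeDefault
    terminationGracePeriodSeconds: 10
    image:
      registry: ghcr.io/asgardeo
      repository: thunder
      # Pinned to a release tag. Tags are mutable, so a production rollout
      # should pin the image digest instead if the chart accepts one.
      tag: "0.34.0"
      pullPolicy: Always
    container:
      port: 8090
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi
    persistence:
      # Disabled: combined with the SQLite backends below this means all
      # identity data (users, applications, issued tokens) is lost on every
      # pod restart and has to be recreated by the bootstrap job.
      enabled: false
      storageClass: ""
      accessMode: ReadWriteOnce
      size: 1Gi
      annotations: {}
  service:
    port: 8090
  serviceAccount:
    name: thunder-service-account
    create: true
  hpa:
    enabled: false
  pdb:
    # With replicaCount 1 a 50% floor rounds up to one pod, which forbids all
    # voluntary disruptions (e.g. node drains) until replicas are increased.
    minAvailable: "50%"
  ingress:
    enabled: false
  ocIngress:
    hostname: "thunder.amp.localhost"
  configuration:
    server:
      port: 8090
      # httpOnly disables TLS on the Thunder listener. This is acceptable only
      # when a TLS-terminating gateway fronts it on a trusted network;
      # otherwise passwords, client secrets and bearer tokens cross the wire
      # in the clear.
      httpOnly: true
      # Externally visible base URL. Keep it in sync with jwt.issuer below:
      # resource servers validate the token `iss` claim against that value.
      publicUrl: "http://thunder.amp.localhost:8080"
    gateClient:
      hostname: "thunder.amp.localhost"
      port: 8080
      scheme: "http"
      path: "/gate"
    crypto:
      encryption:
        # Key used for encryption at rest. The default points at a file
        # shipped with the image/config, i.e. a key everyone has. Generate a
        # per-deployment key and override this for anything non-local.
        key: "file://repository/resources/security/crypto.key"
      passwordHashing:
        # PBKDF2 at 600000 iterations with a 32-byte key matches the OWASP
        # recommendation for PBKDF2-HMAC-SHA256; the argon2id parameters
        # (19456 KiB, 2 iterations, parallelism 1) match the OWASP minimum.
        # Do not select "sha256" for passwords: a salted single-pass hash is
        # not a password-hashing function.
        algorithm: "PBKDF2"
        argon2id:
          iterations: 2
          memory: 19456
          parallelism: 1
          key_size: 32
          salt_size: 16
        pbkdf2:
          iterations: 600000
          key_size: 32
          salt_size: 16
        sha256:
          salt_size: 16
    # JWT signing keys. The default path is a well-known development key pair;
    # anyone who holds that private key can mint tokens this deployment
    # accepts. Use a deployment-specific key pair, and rotate by adding a new
    # entry here and switching jwt.preferredKeyId to its id.
    keys:
      - id: "default-key"
        certFile: "repository/resources/security/signing.cert"
        keyFile: "repository/resources/security/signing.key"
    database:
      # All three stores use SQLite on the container filesystem; see the
      # persistence and readOnlyRootFilesystem notes above. SQLite permits a
      # single writer, so the large connection pool mostly serializes on
      # _busy_timeout rather than adding throughput.
      config:
        type: sqlite
        sqlite:
          path: "repository/database/configdb.db"
          options: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
          max_open_conns: 500
          max_idle_conns: 100
          conn_max_lifetime: 3600
      runtime:
        type: sqlite
        sqlite:
          path: "repository/database/runtimedb.db"
          options: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
          max_open_conns: 500
          max_idle_conns: 100
          conn_max_lifetime: 3600
      user:
        type: sqlite
        sqlite:
          path: "repository/database/userdb.db"
          options: "_journal_mode=WAL&_busy_timeout=5000&_pragma=foreign_keys(1)"
          max_open_conns: 500
          max_idle_conns: 100
          conn_max_lifetime: 3600
    cache:
      disabled: false
      # Per-pod in-memory cache. With replicaCount > 1 each pod has its own
      # copy, so cached entries (presumably including revocation state, if
      # Thunder caches it — confirm) are only eventually consistent.
      type: "inmemory"
      size: 1000
      ttl: 3600
      evictionPolicy: "LRU"
      cleanupInterval: 300
    jwt:
      # Must equal configuration.server.publicUrl; see the note there.
      issuer: "http://thunder.amp.localhost:8080"
      # Access-token lifetime in seconds (1 hour).
      validityPeriod: 3600
      # Resource servers should reject tokens whose `aud` does not match.
      audience: "application"
      preferredKeyId: "default-key"
    oauth:
      refreshToken:
        # false appears to keep the same refresh token across grants, i.e. no
        # rotation. For the public CLI/console clients below, rotation with
        # reuse detection is the recommended mitigation against a leaked
        # refresh token (OAuth 2.0 Security BCP) — confirm the exact semantics
        # of this flag in the Thunder docs before enabling it.
        renewOnGrant: false
        # Refresh-token lifetime in seconds (24 hours).
        validityPeriod: 86400
      authorizationCode:
        # 600 s is the maximum lifetime RFC 6749 recommends for auth codes.
        validityPeriod: 600
      dcr:
        # Leave false. The name suggests this relaxes dynamic client
        # registration protections; it must not be true outside local dev.
        insecure: false
    consent:
      enabled: true
      # Plain-HTTP, loopback address: the consent service is assumed to run
      # alongside Thunder in the same pod/network namespace.
      baseUrl: "http://localhost:9090/api/v1"
      timeout: 5
      maxRetries: 3
      server:
        port: 9090
        hostname: "localhost"
      database:
        type: sqlite
        sqlitePath: "repository/database/consentdb.db"
        sqliteOptions: "_pragma=journal_mode(WAL)&_pragma=cache_size(-16000)"
      cors:
        # Development origin for the console. Restrict to the real console
        # origin(s) in any deployment reachable from a browser.
        allowedOrigins:
          - "http://localhost:3000"
  setup:
    enabled: true
    backoffLimit: 3
    ttlSecondsAfterFinished: 86400
    preserveJob: true
    # Keep false outside local development: the setup scripts are handed the
    # client secrets and admin password configured below, and verbose output
    # would likely land them in the job pod's logs (retained while
    # preserveJob is true).
    debug: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 250m
        memory: 128Mi
  bootstrap:
    enabled: true
    configMap:
      name: amp-thunder-bootstrap
    files:
      - 50-amp-api-client.sh
      - 51-user-schema-and-users.sh
      - 52-amp-console-app.sh
      - 53-workload-publisher-app.sh
      - 54-observer-resource-reader-app.sh
      - 55-amp-publisher-client.sh
      - 56-amp-system-client.sh
      - 57-am-cli-client.sh
    # Observer Resource Reader Client configuration (for observability plane
    # to read resources)
    observerResourceReaderClient:
      # A ClusterAuthzRoleBinding for this clientId is already created by
      # OpenChoreo, so it should not be changed unless the corresponding
      # ClusterAuthzRoleBinding is also updated.
      clientId: "openchoreo-observer-resource-reader-client"
      # LOCAL-DEVELOPMENT-ONLY placeholder; override in production. Anyone
      # holding this secret can read control-plane resources.
      clientSecret: "openchoreo-observer-resource-reader-client-secret"
      name: "OpenChoreo Observer Resource Reader"
      description: "OpenChoreo Observer Resource Reader Client for reading resources from control plane"
      grantTypes:
        - "client_credentials"
      # client_secret_post carries the secret in the request body. Fine over
      # TLS, but make sure no gateway or access log in front of Thunder
      # records request bodies.
      tokenEndpointAuthMethod: "client_secret_post"
      pkceRequired: false
      publicClient: false
      accessTokenValidityPeriod: 3600
    # Workload Publisher Client configuration (for CI workflows to create
    # workloads)
    workloadPublisherClient:
      # A ClusterAuthzRoleBinding for this clientId is already created by
      # OpenChoreo, so it should not be changed unless the corresponding
      # ClusterAuthzRoleBinding is also updated.
      clientId: "openchoreo-workload-publisher-client"
      # LOCAL-DEVELOPMENT-ONLY placeholder; override in production. This
      # credential can create workloads, so treat it as CI-pipeline scoped.
      clientSecret: "openchoreo-workload-publisher-secret"
      name: "Workload Publisher"
      description: "OpenChoreo Workload Publisher Client for creating workloads from CI workflows"
      grantTypes:
        - "client_credentials"
      tokenEndpointAuthMethod: "client_secret_post"
      pkceRequired: false
      publicClient: false
      accessTokenValidityPeriod: 3600
    # AMP API Client configuration
    ampApiClient:
      clientId: "amp-api-client"
      # LOCAL-DEVELOPMENT-ONLY placeholder; override in production.
      clientSecret: "amp-api-client-secret"
      name: "AMP API Client"
      description: "Client application for AMP API access"
      grantTypes:
        - "client_credentials"
      tokenEndpointAuthMethod: "client_secret_basic"
      pkceRequired: false
      publicClient: false
      accessTokenValidityPeriod: 3600
    # AMP System Client configuration (for agent-manager to provision per-org
    # OAuth apps via Thunder admin API)
    # WARNING: clientSecret below is a LOCAL-DEVELOPMENT-ONLY placeholder.
    # In production, override ampSystemClient.clientSecret via a Kubernetes
    # Secret or external secret manager. Deploying with this default value is
    # insecure: this client reaches the Thunder admin API, so its secret is
    # effectively an identity-provider admin credential.
    ampSystemClient:
      clientId: "amp-system-client"
      clientSecret: "amp-system-client-secret"
      name: "AMP System Client"
      description: "System client for agent-manager to provision per-org OAuth apps"
      grantTypes:
        - "client_credentials"
      tokenEndpointAuthMethod: "client_secret_basic"
      pkceRequired: false
      publicClient: false
      accessTokenValidityPeriod: 3600
    # AMP Publisher Client configuration (for evaluation job to publish scores)
    ampPublisherClient:
      clientId: "amp-publisher-client"
      # Override in production; must match the value stored in OpenBao at
      # secret/amp-publisher-client-secret (used by ExternalSecret at workflow
      # runtime). Rotate both places together or the evaluation job will fail
      # to authenticate.
      clientSecret: "amp-publisher-client-secret"
      name: "AMP Publisher Client"
      description: "Client application for evaluation job to publish scores"
      grantTypes:
        - "client_credentials"
      tokenEndpointAuthMethod: "client_secret_basic"
      pkceRequired: false
      publicClient: false
      accessTokenValidityPeriod: 3600
    # AMP CLI Client configuration (public PKCE client for interactive login)
    amCliClient:
      clientId: "am-cli"
      name: "AMP CLI"
      description: "AMP CLI application for interactive user login"
      # Loopback redirect per RFC 8252 §7.3. If Thunder matches redirect URIs
      # exactly, the CLI has to bind precisely this port; an AS that ignores
      # the port for loopback URIs would let the CLI pick a free one.
      redirectUris:
        - "http://127.0.0.1:10325/callback"
      grantTypes:
        - "authorization_code"
        - "refresh_token"
      responseTypes:
        - "code"
      allowedUserTypes:
        - "engineer"
      # Public client: no secret, PKCE mandatory.
      tokenEndpointAuthMethod: "none"
      pkceRequired: true
      publicClient: true
      accessTokenValidityPeriod: 3600
      idTokenValidityPeriod: 3600
      userAttributes:
        - "given_name"
        - "family_name"
        - "username"
        - "groups"
        - "ouId"
    # AMP Console Client configuration
    ampConsoleClient:
      clientId: "amp-console-client"
      # NOTE(review): this is a public client (publicClient: true,
      # tokenEndpointAuthMethod: "none"), so a client secret cannot be kept
      # confidential and should not be relied on for anything. Kept only in
      # case the bootstrap script reads it — confirm, and drop it if not.
      clientSecret: "amp-console-client-secret"
      name: "AMP Console"
      description: "AMP Console Application"
      # Development origin; replace with the real console URL. Redirect URIs
      # are the main control against code interception for a browser client.
      redirectUris:
        - "http://localhost:3000/login"
      grantTypes:
        - "authorization_code"
        - "refresh_token"
      responseTypes:
        - "code"
      allowedUserTypes:
        - "engineer"
      tokenEndpointAuthMethod: "none"
      pkceRequired: true
      publicClient: true
      accessTokenValidityPeriod: 3600
      idTokenValidityPeriod: 3600
      userAttributes:
        - "given_name"
        - "family_name"
        - "username"
        - "groups"
        - "ouId"
    # Default Organization unit configuration
    organizationUnit:
      name: "Default"
      handle: "default"
      description: "Default organizational unit"
    # User schema configuration
    userSchema:
      name: "engineer"
      # NOTE(review): with self-registration on, anyone who can reach the
      # registration endpoint can create an "engineer" user, which is the
      # user type both the console and CLI clients accept. Whether such a
      # user gains any privilege depends on group-based authorization
      # elsewhere — confirm, and set this to false for non-local
      # deployments unless open sign-up is intended.
      allowSelfRegistration: true
    # Default admin user configuration
    # LOCAL-DEVELOPMENT-ONLY credentials: the password is committed in plain
    # text and grants the platformEngineer group. Override the password (or
    # the whole list) at deploy time and rotate it after first login.
    defaultUsers:
      - username: "amp-admin@wso2.com"
        password: "Amp-Admin@wso2.com"
        givenName: "Admin"
        familyName: "User"
        groups: ["platformEngineer"]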