deploy/charts/venafi-kubernetes-agent/README.md
3 additions & 2 deletions
@@ -146,11 +146,12 @@ You should see the following events for your service account:
146
146
| authentication.secretKey | string |`"privatekey.pem"`| Key name in the referenced secret |
147
147
| authentication.secretName | string |`"agent-credentials"`| Name of the secret containing the private key |
148
148
| command | list |`[]`| Specify the command to run overriding default binary. |
149
-
| config | object |`{"clientId":"","clusterDescription":"","clusterName":"","configmap":{"key":null,"name":null},"period":"0h1m0s","server":"https://api.venafi.cloud/"}`| Configuration section for the Venafi Kubernetes Agent itself |
149
+
| config | object |`{"clientId":"","clusterDescription":"","clusterName":"","configmap":{"key":null,"name":null},"ignoredSecretTypes":["kubernetes.io/service-account-token","kubernetes.io/dockercfg","kubernetes.io/dockerconfigjson","kubernetes.io/basic-auth","kubernetes.io/ssh-auth,","bootstrap.kubernetes.io/token","helm.sh/release.v1"],"period":"0h1m0s","server":"https://api.venafi.cloud/"}`| Configuration section for the Venafi Kubernetes Agent itself |
150
150
| config.clientId | string |`""`| The client-id returned from the Venafi Control Plane |
151
151
| config.clusterDescription | string |`""`| Description for the cluster resource if it needs to be created in Venafi Control Plane |
152
152
| config.clusterName | string |`""`| Name for the cluster resource if it needs to be created in Venafi Control Plane |
153
153
| config.configmap | object |`{"key":null,"name":null}`| Specify ConfigMap details to load config from an existing resource. This should be blank by default unless you have you own config. |
154
+
| config.ignoredSecretTypes | list |`["kubernetes.io/service-account-token","kubernetes.io/dockercfg","kubernetes.io/dockerconfigjson","kubernetes.io/basic-auth","kubernetes.io/ssh-auth,","bootstrap.kubernetes.io/token","helm.sh/release.v1"]`| Reduce the memory usage of the agent and reduce the load on the Kubernetes API server by omitting various common Secret types when listing Secrets. These Secret types will be added to a "type!=<type>" field selector in the agent config. * https://docs.venafi.cloud/vaas/k8s-components/t-cfg-tlspk-agent/#configuration * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields|
154
155
| config.period | string |`"0h1m0s"`| Send data back to the platform every minute unless changed |
155
156
| config.server | string |`"https://api.venafi.cloud/"`| Overrides the server if using a proxy in your environment For the EU variant use: https://api.venafi.eu/|
156
157
| extraArgs | list |`[]`| Specify additional arguments to pass to the agent binary. For example `["--strict", "--oneshot"]`|
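Review bot: the new default list contains a stray comma inside one of its strings, `"kubernetes.io/ssh-auth,"`, in both the `config` row and the `config.ignoredSecretTypes` row. The description says each entry is added to a `type!=<type>` field selector, so this entry would produce `type!=kubernetes.io/ssh-auth,`, which does not match the actual Secret type `kubernetes.io/ssh-auth`; SSH auth Secrets would then still be listed and held in the agent's memory, which is the opposite of what the option is for. Suggest `"kubernetes.io/ssh-auth"` without the comma. Because the identical value shows up in both rows, it most likely originates in the chart's default values rather than in this README, so the fix belongs there with the table regenerated afterwards. It would also help if the description stated that Secret types not in this list are still collected, so operators who override the list know what they are widening.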
@@ -176,7 +177,7 @@ You should see the following events for your service account:
176
177
| podSecurityContext | object |`{}`| Optional Pod (all containers) `SecurityContext` options, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.|
177
178
| replicaCount | int |`1`| default replicas, do not scale up |
178
179
| resources | object |`{"limits":{"memory":"500Mi"},"requests":{"cpu":"200m","memory":"200Mi"}}`| Set resource requests and limits for the pod. Read [Venafi Kubernetes components deployment best practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling) to learn how to choose suitable CPU and memory resource requests and limits. |
179
-
| securityContext | object |`{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000}`| Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container|
180
+
| securityContext | object |`{"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}`| Add Container specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container|
180
181
| serviceAccount.annotations | object |`{}`| Annotations YAML to add to the service account |
181
182
| serviceAccount.create | bool |`true`| Specifies whether a service account should be created |
182
183
| serviceAccount.name | string |`""`| The name of the service account to use. If blank and `serviceAccount.create` is true, a name is generated using the fullname template of the release. |
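Review bot: the `securityContext` default drops `"runAsUser":1000` while keeping `"runAsNonRoot":true`, and neither the row description nor anything else in this hunk explains the change. With `runAsNonRoot` set and no `runAsUser`, the kubelet relies on the image's own user and refuses to start the container if that user is root or is a non-numeric name it cannot verify. Please confirm the agent image declares a numeric non-root user, and add a sentence to the description saying that the UID now comes from the image (or from `podSecurityContext`) and how to pin it via `securityContext.runAsUser` where a fixed UID is required. This default change also looks unrelated to the `ignoredSecretTypes` addition in the first hunk; if it is intentional, call it out separately so users upgrading the chart notice it.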