helm-charts/charts/shard/values.yaml at main · kcp-dev/helm-charts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
global:
  ## Reference to one or more secrets to be used when pulling images
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  imagePullSecrets: []
  # - name: "image-pull-secret"
  # or
  # - "image-pull-secret"externalHostname: ""
externalHostname: ""
etcd:
  enabled: true
  image: quay.io/coreos/etcd
  tag: v3.5.4
  resources:
    requests:
      cpu: 500m
      memory: 2Gi
    limits:
      # cpu: 1
     memory: 20Gi
  volumeSize: 8Gi
  # StorageClass to use for etcd data volumes.
  storageClassName: ""
  profiling:
    enabled: false
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1
  tolerations: []
  priorityClassName: ""
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 1
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: "app.kubernetes.io/component"
                  operator: In
                  values:
                    - etcd
            topologyKey: "kubernetes.io/hostname"
kcp:
  enabled: true
  sharding:
    enabled: false
    isRoot: true # set this to true for the first (root) shard, false for all other shards.
    rootShardInternalHostname: "" # set this to the internal hostname of the root shard.
  image: ghcr.io/kcp-dev/kcp
  # set this to override the image tag used for kcp (determined by chart appVersion by default).
  tag: ""
  pullPolicy: IfNotPresent
  v: "3"
  logicalClusterAdminFlag: true
  externalLogicalClusterAdminFlag: true
  # enabled "batteries" (see kcp start --help for available batteries).
  batteries:
    - workspace-types
  resources:
    requests:
      memory: 512Mi
      cpu: 100m
    limits:
      # cpu: 1
      memory: 20Gi
  volumeClassName: ""
  etcd:
    # set this if you are using external or embedded etcds.
    serverAddress: ""
    clientCertificate:
      # set this to a cert-manager Issuer that knows how to
      # issue client certificates for your external etcd if
      # you are not using the etcd provided by this chart.
      issuer: ""
      commonName: root
  volumeSize: 1Gi
  extraFlags: []
  profiling:
    enabled: false
    port: 6060
  tokenAuth:
    enabled: false
    fileName: auth-token.csv
    config: |
        user-1-token,user-1,1111-1111-1111-1111,"team-1"
        admin-token,admin,5555-5555-5555-5555,"system:kcp:admin"
        system-token,system,6666-6666-6666-6666,"system:masters"
  hostAliases:
    enabled: false
    values:
      - ip: ""
        hostnames: []
  homeWorkspaces:
    enabled: false
  securityContext:
    # this matches the group id as set in the kcp Dockerfile.
    fsGroup: 65532
    seccompProfile:
      type: RuntimeDefault
  # Additional volumes to be added to the kcp Deployment.
  extraVolumes: []
  # - name: foo
  #   secret:
  #     secretName: mysecret
  #     optional: false

  # Additional volumeMounts to be added to the kcp Deployment.
  extraVolumeMounts: []
  # - name: foo
  #   mountPath: "/etc/foo"
  #   readOnly: true
kcpFrontProxy:
  service:
    annotations: {}
    type: ClusterIP
  # set this if you want kcp-front-proxy to use a specific certificate issuer
  # (e.g. the Let's Encrypt ones in this chart).
  # certificateIssuer:
  #   name: ""
  #   kind: Issuer

authentication:
  # configMapRef can be set to reference a ConfigMap containing an
  # authentication config. The configMap is mounted to
  # /etc/kcp/authentication. The config is expected to be mounted as
  # `config.yaml`.
  # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server
  # If this is set oidc settings will be ignored.
  configMapRef:
    name: ""

oidc:
  enabled: false
  caSecretName: ""
  # assuming you're using cert-manager, you want to mount the CA certificate
  # directly and use its tls.crt key; if you instead mount a certificate that
  # is _signed by_ the OIDC CA, then do not use its ca.crt key, as it is the
  # absolute top root CA, the CA that actually signed the cert is one of the
  # certs in the tls.crt chain. As you cannot say "use this Secret, but the
  # second cert in the tls.crt key", it's easier to mount the CA cert secret.
  caSecretKeyName: "tls.crt"

audit:
  enabled: false
  volumeSize: 1Gi
  volumeClassName: ""
  policy:
    dir: /etc/kcp/audit
    fileName: audit-policy.yml
    config: |
      # Log all requests at the Metadata level.
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
      - level: Metadata
  log:
    maxAge: "10"
    maxSize: "250"
    maxBackup: "1"
    dir: /var/audit

# caBundle is a CA bundle that will be used to verify connections.
# see https://cert-manager.io/docs/trust/trust-manager/#installation
caBundle:
  enabled: false
  configMapName: ""
  configMapKey: ""

cache:
  enabled: false

externalCache:
  enabled: false

certificates:
  name: certs

sharding:
  enabled: false
  isRoot: true # set this to true for the first (root) shard, false for all other shards.
  rootShardInternalHostname: "" # set this to the internal hostname of the root shard.