-
Notifications
You must be signed in to change notification settings - Fork 23
Expand file tree
/
Copy pathvalues.example.yaml
More file actions
229 lines (214 loc) · 9.38 KB
/
values.example.yaml
File metadata and controls
229 lines (214 loc) · 9.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
# Copyright 2020 The Kubermatic Kubernetes Platform contributors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# # Dex Is the OpenID Provider for Kubermatic.
dex:
ingress:
# configure your base domain, under which the Kubermatic dashboard shall be available
host: kkp.example.com
# Commented as DEX client and static users configuration
# As Dex is replaced with Custom/External OIDC Provider - KeyCloak
# clients:
# # The "kubermatic" client is used for logging into the Kubermatic dashboard. It always
# # needs to be configured.
# - id: kubermatic
# name: Kubermatic
# # Generate a secure secret key
# # Those can be generated on the shell using:
# # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32
# secret: ""
# RedirectURIs:
# # ensure the URLs below use the dex.ingress.host configured above
# - https://kkp.example.com
# - https://kkp.example.com/projects
# # The "kubermaticIssuer" client is used for providing OIDC access to User Clusters.
# # This configuration is optional, used if the "enableOIDCKubeconfig: true" option is used in KubermaticSetting.
# # More about this configuration at https://docs.kubermatic.com/kubermatic/master/tutorials-howtos/oidc-provider-configuration/share-clusters-via-delegated-oidc-authentication/
# - id: kubermaticIssuer
# name: Kubermatic OIDC Issuer
# # Generate a secure secret key
# # Those can be generated on the shell using:
# # cat /dev/urandom | tr -dc A-Za-z0-9 | head -c32
# secret: ""
# RedirectURIs:
# # ensure the URLs below use the dex.ingress.host configured above
# - https://kkp.example.com/api/v1/kubeconfig
# - https://kkp.example.com/api/v2/kubeconfig/secret
# - https://kkp.example.com/api/v2/dashboard/login
# - https://kkp.example.com/api/v2/dashboard/proxy #TODO check if needed
# - id: master-mla
# name: master-mla
# secret: ""
# RedirectURIs:
# - https://prometheus.kkp.example.com/oauth/callback
# - https://alertmanager.kkp.example.com/oauth/callback
# - https://grafana.kkp.example.com/oauth/callback
# - https://karma.kkp.example.com/oauth/callback
# - id: seed-mla
# name: seed-mla
# secret: ""
# RedirectURIs:
# - https://prometheus.mla.seed.kkp.example.com/oauth/callback
# - https://alertmanager.mla.seed.kkp.example.com/oauth/callback
# - https://grafana.mla.seed.kkp.example.com/oauth/callback
# - https://karma.mla.seed.kkp.example.com/oauth/callback
# - id: seed-user-mla
# name: seed-user-mla
# secret: ""
# RedirectURIs:
# - https://alertmanager-user-mla.mla.seed.kkp.example.com/oauth/callback
# - https://grafana-user-mla.mla.seed.kkp.example.com/oauth/callback
# # Depending on your chosen login method, you need to configure either an OAuth provider like
# # Google or GitHub, or configure a set of static passwords. Check the `charts/oauth/values.yaml`
# # for an overview over all available connectors.
# # For testing purposes, we configure a single static user/password combination.
# staticPasswords:
# - email: kubermatic@example.com
# # bcrypt hash of the string "password", can be created using recent versions of htpasswd:
# # `htpasswd -bnBC 10 "" PASSWORD_HERE | tr -d ':\n' | sed 's/$2y/$2a/'`
# hash: "$2a$10$zMJhg/3axbm/m0KmoVxJiO1eO5gtNrgKDysy5GafQFrXY93OE9LsK"
# # these are used within Kubermatic to identify the user
# username: admin
# userID: 872b5325-808f-482b-a431-16de97d51ced
# the cert-manager Issuer (or ClusterIssuer) responsible for managing the certificates
# If you want to deploy your own certificate without relying on cert-manager
# uncomment the next line and remove subsequent certIssuer configuration.
# certIssuer: null
certIssuer:
# For generating a certificate signed by a trusted root authority replace
# with "letsencrypt-prod".
name: letsencrypt-prod
kind: ClusterIssuer
minio:
storeSize: '200Gi'
storageClass: kubermatic-backup
credentials:
# generated access key length should be at least 3 characters
accessKey: "YOUR-ACCESS-KEY"
# generated secret key length should be at least 8 characters
secretKey: "YOUR-SECRET-KEY"
telemetry:
# uuid is the unique identifier of the client where the agent is running.
# This field is required and will print an error message when that entry is missing.
# You can generate uuid using command uuidgen on your linux machine
uuid: ""
#-------------------------------------------------------------------------------Master MLA stack
prometheus:
host: prometheus.kkp.example.com
storageSize: '100Gi'
tsdb:
retentionTime: '10d'
# only load the KKP-master alerts, as this cluster is not a shared master/seed
ruleFiles:
- /etc/prometheus/rules/general-*.yaml
- /etc/prometheus/rules/kubermatic-master-*.yaml
- /etc/prometheus/rules/managed-*.yaml
alertmanager:
host: alertmanager.kkp.example.com
grafana:
user: admin
password: adm1n
provisioning:
configuration:
auto_assign_org_role: Editor
disable_login_form: false
root_url: https://grafana.kkp.example.com
datasources:
lokiServices:
- loki
prometheusService:
- prometheus
loki:
persistence:
size: '100Gi'
#-----------------------------------------------------------------------------------IAP
iap:
oidc_issuer_url: https://keycloak.example.com/realms/realm-id # Update the KeyCloak realm URL to be used.
deployments:
prometheus:
name: prometheus
ingress:
host: prometheus.kkp.example.com
upstream_service: prometheus.monitoring.svc.cluster.local
upstream_port: 9090
client_id: master-mla
# client_secret is the "secret" from the KeyCloak client "master-mla"
client_secret: <copy value from KeyCloak>
# generate a fresh secret key here
encryption_key: <generate random secret key here>
config:
scope: openid email profile roles groups
email_domains:
- kkp.example.com
insecure_oidc_allow_unverified_email: "true" # TO BE Removed later if added email domain is valid and emails are verified
pass_user_headers: true
skip_auth_regex:
- /-/health
alertmanager:
name: alertmanager
ingress:
host: alertmanager.kkp.example.com
upstream_service: alertmanager.monitoring.svc.cluster.local
upstream_port: 9093
client_id: master-mla
# client_secret is the "secret" from the KeyCloak client "master-mla"
client_secret: <copy value from KeyCloak>
# generate a fresh secret key here
encryption_key: <generate random secret key here>
config:
scope: openid email profile roles groups
email_domains:
- kkp.example.com
insecure_oidc_allow_unverified_email: "true" # TO BE Removed later if added email domain is valid and emails are verified
pass_user_headers: true
skip_auth_regex:
- /-/health
grafana:
name: grafana
ingress:
host: grafana.kkp.example.com
upstream_service: grafana.monitoring.svc.cluster.local
upstream_port: 3000
client_id: master-mla
# client_secret is the "secret" from the KeyCloak client "master-mla"
client_secret: <copy value from KeyCloak>
# generate a fresh secret key here
encryption_key: <generate random secret key here>
config:
scope: openid email profile roles groups
email_domains:
- kkp.example.com
insecure_oidc_allow_unverified_email: "true" # TO BE Removed later if added email domain is valid and emails are verified
pass_user_headers: true
skip_auth_regex:
- /api/health
karma:
name: karma
ingress:
host: karma.kkp.example.com
upstream_service: karma.monitoring.svc.cluster.local
upstream_port: 8080
client_id: master-mla
# client_secret is the "secret" from the KeyCloak client "master-mla"
client_secret: <copy value from KeyCloak>
# generate a fresh secret key here
encryption_key: <generate random secret key here>
config:
scope: openid email profile roles groups
email_domains:
- kkp.example.com
insecure_oidc_allow_unverified_email: "true" # TO BE Removed later if added email domain is valid and emails are verified
pass_user_headers: true
certIssuer:
name: letsencrypt-prod
kind: ClusterIssuer