# Default values for helm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Subchart properties for the frontend
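frontend:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  namespace: dna
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"
  ingress:
    enabled: false
    namespace: ingress
    host: "localhost"
    lbIP: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      # TLS is requested on the router, but no cluster issuer is named below, so no
      # certificate is requested from cert-manager until cert-manager.io/cluster-issuer is set.
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  appFrontend:
    replicaCount: 1
    # Frontend image reference; build it from the Dockerfile first.
    image: ""
    config:
      # SECURITY: with oidcDisabled: true the UI runs without authentication. Set it to
      # false and fill in the oauth2* URLs and frontendClientid before exposing the app
      # beyond a local sandbox; keep it in step with backend.app.backend.config.oidcDisabled.
      oidcDisabled: true
      oidcProvider: INTERNAL
      apiBaseUrl: api
      # Jupyter Notebook URLs (plain http is only appropriate for localhost)
      jupyterNotebookUrl: http://localhost/notebooks
      jupyterNotebookOidcPopUpUrl: http://localhost/notebooks/hub/oauth_login?next=
      # Dataiku live and training application URLs
      dataikuLiveAppUrl: ""
      dataikuTrainingAppUrl: ""
      # OAuth2/OIDC endpoints used when oidcDisabled is false
      oauth2TokenUrl: ""
      oauth2AuthUrl: ""
      oauth2RevokeUrl: ""
      oauth2LogoutUrl: ""
      oauth2IntrospectionUrl: ""
      oauth2UserInfoUrl: ""
      frontendClientid: ""
      # Redirect URIs for the OIDC client; register them as an exact allow-list at the
      # identity provider — a wildcard there turns the code flow into an open redirect.
      redirectUrls: ""
      # Swagger UI URL of the malware-scan service
      swaggerUiUrl: http://localhost/avscan/swagger-ui.html#/
      dataikuFerretUrl: ""
      # ML pipeline URL
      mlPipelineUrl: ""
      # App header / home titles
      appNameHeader: ""
      appNameHome: ""
      # Markup for the "contact us" section (the value is HTML, so presumably rendered
      # unescaped — only operator-controlled content belongs here).
      contactUsHtml: <div><p>There could be many places where you may need our help, and we are happy to support you. <br /> Please add your communication channels links here</p></div>
      brandLogoUrl: /images/branding/logo-brand.png
      appLogoUrl: /images/branding/logo-app.png
      enableInternalUserInfo: true
      enableDataCompliance: true
      # Set enabledReports to false to hide reports (enabled here by default)
      enabledReports: true
      # Set enableJupyterWorkspace to true to enable the Jupyter workspace
      enableJupyterWorkspace: false
      # Set enableDataikuWorkspace to true to enable the Dataiku workspace (off by default)
      enableDataikuWorkspace: false
      enableMalwareService: true
      enableDataPipelineService: false
      # Set enableStorageService to true to enable the storage service
      enableStorageService: true
      storageMFEAppURL: http://localhost:7175
      enablePipelineService: false
      enabledMlPipelineService: false
      enableMalwareApiInfo: false
      # Set enableNotification to false to disable notifications (enabled here by default)
      enableNotification: true
      # Company name shown in the UI
      companyName: XYZ
      backendHost: dna-service
    # Upstream addresses the frontend's nginx reverse proxy forwards to. All are
    # cluster-internal plain-http service addresses; the key is spelled "ngnix" — keep it.
    ngnix:
      backend: http://dna-service.dna.svc.cluster.local:80
      jupyServer: http://proxy-public:8000
      grafanaServer: http://i3-monitoring-grafana.i3-monitoring.svc.cluster.local:80
      avscanServer: http://clamav-rest-service.clamav.svc.cluster.local:8181
      avscanMgwServer: http://dna-microgateway.clamav.svc.cluster.local:80
      airflowServer: http://airflow.airflow.svc.cluster.local:8080
      naasServer: http://naas-backend-service.naas.svc.cluster.local:7272
      dashboard: http://dashboard-backend-service.dashboard.svc.cluster.local:7173
      storage: http://storage-be.storage.svc.cluster.local:80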
# Subchart properties for the backend
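backend:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  namespace: dna
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"
  ingress:
    enabled: false
    namespace: ingress
    host: "ingress-host"
    lbIP: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  app:
    backend:
      replicaCount: 1
      image: ""
      # Secrets the backend needs at runtime. They are base64-ENCODED into a Kubernetes
      # Secret at deploy time — base64 is not encryption, so anyone who can read this file
      # or the Secret object has the values. Do not commit real values; supply them at
      # install time (--set, a values file outside version control, or an external secret
      # operator).
      secrets:
        name: app-secrets
        notebookSecretToken: ""
        oidcClientID: ""
        oidcClientSecret: ""
        drdCertPassword: ""
        # SECURITY: token-signing key. A bare key parses as null; it must be a long random
        # value (32+ bytes from a CSPRNG) before the service is reachable by anyone.
        jwtSecretKey:
        s3AccessKey:
        s3SecretKey:
        dataikuProdApiKey: ""
        dataikuTrainingApiKey: ""
        avscanApiKey: ""
        # SECURITY: default postgres/postgres credentials; they must match
        # bitnamipostgresql.global.postgresql.* — override both in every non-local deployment.
        appDBUserName: postgres
        appDBPassword: postgres
      config:
        enableItsmm: false
        enableJupyterNotebook: false
        enableDataiku: false
        enableAttachmentScan: true
        enableInternalUser: false
        redirectUrl: ""
        # JDBC URL without an sslmode parameter — traffic to the database, including the
        # password above, is unencrypted unless the driver is configured otherwise.
        dbUri: jdbc:postgresql://dna-bitnamipostgresql:5432/db
        oidcUserInfoUrl: ""
        oidcTokenIntrospectionUrl: ""
        oidcProvider: INTERNAL
        oidcTokenRevocationUrl: ""
        internalUserRequestUrl: ""
        internalCertFile: ""
        # SECURITY: the API runs with authentication disabled. Set false (together with the
        # frontend's oidcDisabled and the oidc* URLs) for anything beyond a local sandbox.
        oidcDisabled: true
        # Create a bucket in MinIO and put its name here
        s3BucketName: ""
        s3Url: http://minio.storage.svc.cluster.local:9000
        # CORS allowed origin; the key is spelled "coros" — keep it as the templates expect
        corosOriginUrl: ""
        jupyterNotebookUrl: ""
        vaultHost: vault.vault.svc.cluster.local
        vaultPort: 8200
        dataikuProdUri: ""
        dataikuProdAdminGroup: ""
        dataikutraininguri: ""
        avscanAppId: ""
        naasBroker: ""
        loggingEnvironment: dev
        loggingPath: /tmp/app/log
        dataikuProjectUri: /projects/
        dataikuTrainingAdminGroup: ""
        avscanUri: http://clamav-rest-service.clamav.svc.cluster.local:8181/avscan/api/v1
        flywayBaseline: "true"
        flywayBaselineOnMigrate: "true"
        flywayBaselineVersion: "0"
        flywaySchema: "public"
        dashboardUri: http://dashboard-backend-service.dashboard.svc.cluster.local:7173/dashboards
  vault:
    secret:
      name: vault-secrets
      # SECURITY: a Vault root token is unlimited and never expires. Prefer a token scoped
      # to the backend's paths, or the Kubernetes auth method (see vault.server.authDelegator),
      # and never keep a root token in a committed values file.
      rootToken: ""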
# Subchart properties for the i3postgresql database
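i3postgresql:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: false
  namespace: dna
  app:
    db:
      replicaCount: 1
      image: ""
      # "NO" leaves TLS off on the database listener, so client traffic (including the
      # passwords below) crosses the cluster network in clear text.
      pgssl: "NO"
      dbname: db
      # All credentials are intentionally empty here; supply them at install time rather
      # than committing them.
      secrets:
        name: postgres-secrets
        backupUserName: ""
        backupUserPassword: ""
        dbAdminUserName: ""
        dbAdminPassword: ""
        patroniUserPassword: ""
        appUserName: ""
        appPassword: ""
      probes:
        initialDelaySeconds: 30
        timeoutSeconds: 10
        periodSeconds: 10
        failureThreshold: 3
        readinessProbe:
          port: ""
      airflowDB:
        airflowUserName: ""
        airflowdbName: ""
        airflowdbPwd: ""
      dashboardDB:
        dashboardUserName: ""
        dashboarddbName: ""
        dashboarddbPwd: ""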
#Subchart properties for bitnami postgresql
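bitnamipostgresql:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  namespace: dna
  global:
    postgresql:
      postgresqlDatabase: db
      postgresqlUsername: postgres
      # SECURITY: committed default superuser password. Every service in this file that
      # defaults to postgres/postgres connects with it; override it (and the matching
      # app-side values) at install time for any shared cluster.
      postgresqlPassword: postgres
      servicePort: 5432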
#Subchart properties for clamav
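clamav:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  appName: clamav
  namespace: clamav
  app:
    backend:
      name: clamav-rest
      image: ""
      replicaCount: 1
      secrets:
        name: oneapi-secrets
        # Basic-auth token the scan API expects from its caller; set at install time.
        onapiBasicAuthToken: ""
      config:
        clamav_backend_url: clamav-service
        clamav_backend_port: 3310
        # Upload ceiling per scan request. 4000MB lets a single client tie up the scanner
        # and its scratch storage; lower it unless payloads of that size are expected.
        max_file_size: 4000MB
        max_request_size: 4000MB
        # Rate limit: api_request_limit requests per with_in time_unit
        api_request_limit: 20
        with_in: 2
        time_unit: seconds
        auth_api_host: http://dna-service.dna.svc.cluster.local:80/api/subscription/validate
        restricted_url_pattern: /avscan/api/v1/scan.*
        loggingPath: /tmp/clamav/log
        loggingEnvironment: dev
        corsOriginUrl: ""
      securityContext:
        # SECURITY: runs the REST container as root (UID 0). The service parses untrusted
        # uploads, so a non-root UID (with readOnlyRootFilesystem and dropped capabilities
        # in the template) is the expected setting; confirm the image supports it first.
        runasUser: 0
      probes:
        initialDelaySeconds: 60
        timeoutSeconds: 10
        periodSeconds: 10
        failureThreshold: 3
        livenessProbe:
          path: /avscan/actuator/health/liveness
          port: api
        readinessProbe:
          path: /avscan/actuator/health/readiness
          port: api
  image:
    repo: ""
    replicaCount: 1
    # Always-pull only guarantees freshness if the tag is immutable; pin a digest/version.
    pullPolicy: Always
  ingress:
    enabled: false
    host: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"
  Storage:
    storageClass: ""
    accessModes: ReadWriteOnce
    size: 2G
  # resources:
  #   requests:
  #     memory: "512Mi"
  #     cpu: "250m"
  #   limits:
  #     memory: "1000Mi"
  #     cpu: "500m"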
#Subchart properties for naas
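naas:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  appName: naas
  namespace: naas
  app:
    backend:
      image: ""
      secrets:
        name: naas-app-secrets
        authApiToken: ""
        # SECURITY: token-signing key; a bare key parses as null. Set a long random value
        # at install time.
        jwtKey:
        db:
          # SECURITY: default postgres/postgres credentials; must match the
          # bitnamipostgresql subchart — override both outside local development.
          appUserName: postgres
          appPassword: postgres
      config:
        api_db_url: jdbc:postgresql://dna-bitnamipostgresql.dna.svc.cluster.local:5432/db
        naas_broker: ""
        max_poll_records: 6000
        dna_uri: http://dna-service.dna.svc.cluster.local:80
        # SECURITY: disables authentication towards the DnA API for this service; enable it
        # wherever the backend itself runs with oidcDisabled: false.
        dna_auth_enable: false
        mailServerHost: ""
        mailServerPort: ""
        notificationSenderEmail: ""
        poll_time: 5000
        naas_central_topic: CentralEventTopic
        naas_centralread_topic: CentralReadTopic
        naas_centraldelte_topic: CentralDeleteTopic
        loggingPath: /tmp/naas/log
        loggingEnvironment: dev
      resources:
        requests:
          memory: "512Mi"
          cpu: "250m"
        limits:
          memory: "1000Mi"
          cpu: "500m"
      probes:
        initialDelaySeconds: 180
        timeoutSeconds: 10
        periodSeconds: 30
        failureThreshold: 3
        livenessProbe:
          path: /naas/actuator/health/liveness
          port: api
        readinessProbe:
          path: /naas/actuator/health/readiness
          port: api
  image:
    pullPolicy: Always
  ingress:
    enabled: false
    host: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"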
#Subchart properties for notebooks
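notebooks:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: false
  namespace: notebooks
  app:
    jupyter:
      config:
        # SECURITY: shared secret between the hub and configurable-http-proxy; an empty
        # value must not reach a cluster — generate a random token at install time.
        configproxy_auth_token: ""
        kf_pipelines_endpoint: http://ml-pipeline-ui.kubeflow
      image:
        name: jupyterhub:1.0
        pullPolicy: Always
      profileListImages:
        default: pyspark-notebook:1.0-default
        tensorflow: pyspark-notebook:1.0-tensorflow
        chronos: pyspark-notebook:1.0-chronos
      proxy:
        # "latest" is unpinned; pin a version or digest so the proxy image is reproducible.
        image: configurable-http-proxy:latest
      hubConfig:
        name: hub-config
        KubeSpawnerimage: pyspark-notebook:1.0-default
        # Empty: spawned notebook pods get no security context from here; set a non-root
        # UID/fsGroup so user kernels do not run as root.
        securitycontext: ""
        serviceAccount: "hub"
        oauthAuthenticator: GenericOAuthenticator
        # OIDC client settings for the hub; the secret is supplied at install time.
        oauthClientId: ""
        oauthClientSecret: ""
        oauthCallback: ""
        oauthAuthorizeUrl: ""
        oauthTokenUrl: ""
        oauthUserDataUrl: ""
        oauthUsrKey: sub
        oauthLoginSvc: OIDC
        prespawn_hook: ""
        enableUserNS: "False"
        userNameSpaceTemplate: kubeflow
  ingress:
    enabled: false
    host: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  Storage:
    storageClass: ""
    accessModes: ReadWriteOnce
    size: 1G
  resources:
    cpu: 1
    memory: 1G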
#Subchart properties for dashboard
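dashboard:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: true
  namespace: dashboard
  image: ""
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"
  dbUrl: jdbc:postgresql://dna-bitnamipostgresql.dna.svc.cluster.local:5432/dashboard
  secret:
    name: dashboard-secrets
    # SECURITY: default dashboard/dashboard credentials committed here; override at install
    # time and keep them in step with the database user actually created.
    appUserName: dashboard
    appPassword: dashboard
    # SECURITY: token-signing key; a bare key parses as null. Set a long random value.
    jwtKey:
  appUrl: http://dna-service.dna.svc.cluster.local:80
  # SECURITY: authentication off by default; enable wherever the backend runs with
  # oidcDisabled: false.
  enableAuth: false
  loggingPath: /tmp/dashboard/log
  loggingEnvironment: dev
  flywayBaseline: "true"
  flywayBaselineOnMigrate: "true"
  flywayBaselineVersion: "0"
  flywaySchema: "public"
  containerPort: 7173
  ingress:
    enabled: false
    host: ""
    annotations:
      traefik.frontend.rule.type: PathPrefix
      kubernetes.io/ingress.class: traefik
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      cert-manager.io/cluster-issuer: ""
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1000Mi"
      cpu: "500m"
  probes:
    initialDelaySeconds: 120
    timeoutSeconds: 10
    periodSeconds: 20
    failureThreshold: 3
    livenessProbe:
      path: /dashboards/actuator/health/liveness
      port: api
    readinessProbe:
      path: /dashboards/actuator/health/readiness
      port: api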
#Subchart properties for airflow
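airflow:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: false
  appName: airflow
  namespace: airflow
  imagePullSecret:
    name: dockerregistry
    key: "docker-config"
  backend:
    image: ""
    imagePullPolicy: Always
    dbUrl: jdbc:postgresql://dna-bitnamipostgresql.dna.svc.cluster.local:5432/airflow
    secret:
      name: airflow-backend-secrets
      # SECURITY: default airflow/airflow database credentials, duplicated in
      # postgresql.sqlAlchemyConn below — override both for any shared environment.
      dbPassword: airflow
      dbUsername: airflow
      gitToken: ""
      # SECURITY: token-signing key; a bare key parses as null. Set a long random value.
      jwtKey:
      oidcClientID: ""
      oidcClientSecret: ""
    containerPort: 7171
    crossOriginUrl: ""
    apiUrl: http://dna-service.dna.svc.cluster.local:80
    oidcInfoUrl: ""
    oidcIntrospectionUrl: ""
    oidcRevocationUrl: ""
    # SECURITY: authentication off by default; set false together with the oidc* URLs.
    oidcDisabled: true
    gitUrl: ""
    gitMountPath: /git/airflow-user-dags
    gitBranch: main
    dag:
      path: dags
      ext: py
      waitTime: 20
      retry: 20
    loggingPath: /tmp/airflow/log
    loggingEnvironment: dev
    flywayBaseline: "true"
    flywayBaselineOnMigrate: "true"
    flywayBaselineVersion: "0"
    flywaySchema: "public"
    # Unlike the other services this ingress is enabled by default with an empty host;
    # together with oidcDisabled: true that publishes an unauthenticated API as soon as an
    # ingress controller is present. Disable it or set a host and enable OIDC first.
    ingress:
      enabled: true
      host: ""
      annotations:
        traefik.frontend.rule.type: PathPrefix
        kubernetes.io/ingress.class: traefik
        traefik.ingress.kubernetes.io/router.tls: "true"
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        cert-manager.io/cluster-issuer: ""
  # Credentials for pulling the DAG repository; supply them at install time. Prefer a
  # deploy key (gitSshKey) with read-only scope over a user password.
  pullSecretData:
    secret:
      gitUserName:
      gitPassword:
      #gitSshKey: ""
      knownHosts: ""
  postgresql:
    # SECURITY: connection string with the password inline. Keep it in sync with
    # backend.secret.dbUsername/dbPassword and override for any shared environment.
    sqlAlchemyConn: postgresql+psycopg2://airflow:airflow@dna-bitnamipostgresql.dna.svc.cluster.local:5432/airflow
  # A commented-out "clientSecret" holding what looked like a signed JWT used to sit here
  # and was removed: commented-out credentials are still credentials in version control.
  # Rotate whatever it may have granted access to and purge it from repository history.
  gitSync:
    image: ""
    repo: https://github.com/airflow_dags.git
    dest: git-sync
    branch: main
    ssh: "false"
    root: /git
  # editor:
  #   gitEnabled: True
  #   gitCMD: /usr/bin/git
  #   gitDefaultArgs: -c color.ui=true
  #   gitIntRepo: False
  #   lineLength: 88
  #   stringNormalization: False
  configuration:
    loggingLevel: INFO
    executor: KubernetesExecutor
    parallelism: 32
    pluginsFolder: /usr/local/airflow/plugins
    loadExamples: False
    scheduler:
      dagDirListInterval: 5
      childProcessLogDirectory: /usr/local/airflow/logs/scheduler
      jobHeartbeatSec: 5
      parsingProcesses: 2
      schedulerHeartbeatSec: 5
      minFileProcessInterval: 0
      statsdOn: False
      statsdHost: localhost
      statsdPort: 8125
      statsdPrefix: airflow
      minFileParsingLoopTime: 1
      printStatsInterval: 30
      schedulerZombieTaskThreshold: 300
      maxTisPerQuery: 0
      # Legacy pre-RBAC login flag; webserver.rbac below governs login on current versions.
      authenticate: False
      catchupByDefault: True
    webserver:
      baseUrl: ""
      path: /pipelines
      rbac: True
      host: 0.0.0.0
      port: 8080
      masterTimeout: 120
      workerTimeout: 120
      workerRefreshBatchSize: 1
      workerRefreshInterval: 30
      # SECURITY: session-signing key for the webserver. Empty here; set a random value,
      # identical across every webserver replica, at install time.
      secretKey: ""
      numberOfWorkers: 4
      workerClass: sync
      # SECURITY: was True. expose_config shows the rendered airflow.cfg in the web UI,
      # which includes the connection string (with its password) and the secret key unless
      # the Airflow version masks them; keep it off.
      exposeConfig: False
      dagDefaultView: graph
      dagOrientation: LR
      demoMode: False
      logFetchTimeoutSec: 5
      hidePausedDagsByDefault: False
      pageSize: 100
    kubernetes:
      workerContainerImagePullPolicy: Always
      workerServiceAccountName: airflow
      deleteWorkerPods: True
      dagsInImage: false
      gitSubpath: dags
      inCluster: True
      gitSyncContainerRepository: airflow-git-sync
      # "latest" is unpinned; pin a version or digest for reproducible worker pods.
      gitSyncContainerTag: latest
      gitSyncInitContainerName: git-sync-container
      gitSyncRunAsUser: 1000
      runAsUser: 1000
      fsGroup: 65533
      kubernetesLabels:
        airflowWorker:
  docker:
    image:
      name: ""
      # "latest" is unpinned; pin a version or digest.
      tag: latest
  service:
    port: 8080
    db:
      port: 64000
  webserver:
    requests:
      memory: 512Mi
      cpu: 250m
    limits:
      memory: 2000Mi
      cpu: 1000m
  scheduler:
    requests:
      memory: 512Mi
      cpu: 250m
    limits:
      memory: 2000Mi
      cpu: 1000m
  gitContainer:
    requests:
      memory: 250Mi
      cpu: 250m
    limits:
      memory: 1000Mi
      cpu: 500m
  backendResources:
    requests:
      memory: 512Mi
      cpu: 250m
    limits:
      memory: 1000Mi
      cpu: 500m
  volumes:
    logsPath: /usr/local/airflow/logs
    dagsPath: /usr/local/airflow/dags/git-sync/dags
    gitDagsPath: /usr/local/airflow/dags
  airflowLogsClaim:
    resourcePolicy: keep
    accessMode: ReadWriteOnce
    storage:
      className: ""
      size: 2Gi
  oidc:
    logout:
      uri: ""
  Storage:
    storageClass: ""
    accessModes: ReadWriteOnce
    size: 1Gi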
#Subchart properties for microgateway
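microgateway:
  # NOTE(review): the copy this block was restored from had lost its indentation;
  # the nesting below is reconstructed and should be checked against the chart templates.
  enabled: false
  namespace: clamav
  proxy: ""
  noProxy: ""
  apigee:
    # environment variables
    # DEBUG selector for the gateway process. "*" (the previous default) enables debug
    # output for every module, which can write request and response details — including
    # Authorization headers — to the logs. Empty keeps debug off; set "*" only temporarily
    # while troubleshooting.
    debug: ""
    # Edge Microgateway key/secret pair; supply at install time, never in a committed file.
    key: ""
    secret: ""
    org: internal
    env: development
    # if introspection is required add the introspection credentials
    #introspection_client_id:
    #introspection_client_secret:
    # validate target https certificates (1=enabled; 0=disabled) — leave at 1, otherwise
    # the gateway accepts any certificate from the backend it forwards credentials to.
    node_tls_reject_unauthorized: 1
    certs:
      # key and cert will be mounted under /home/node/certs/[host].key|.cert
      # - host: example.org
      #   key: put base64 encoded key here
      #   cert: put base64 encoded certificate here
    config:
      # content of the apigee config; edge_config, analytics and oauth are already defined
      edgemicro:
        port: 8080
        max_connections: 1000
        max_connections_hard: 5000
        max_times: 300
        config_change_poll_interval: 86400
        logging:
          to_console: true
          # Lowered from debug: debug-level gateway logs can include tokens and headers.
          level: info
          stack_trace: false
        plugins:
          sequence:
            - cors-oneapi
            - spikearrest
            #- introspection
            # API-key security needs the 'oauth' plugin. Confusing, I know.
            - oauth
            #- quota
            #- app-to-header
            - backend-basicauth
            #- backend-jwt
        proxies:
          # References an Apigee proxy configuration
          ###################################
          # !!! REPLACE WITH YOUR PROXY !!! #
          ###################################
          - edgemicro_malwarescanapi_v1
        # In case a proxy is needed for accessing the API backend (target-server)
        proxy:
          url: ""
          enabled: false
      headers:
        x-forwarded-for: true
        x-forwarded-host: true
        x-request-id: true
        x-response-time: true
        via: true
      backend-basicauth:
        # SECURITY: credentials the gateway presents to the scan backend. The previous
        # defaults (admin / password123) were a committed, guessable credential; supply real
        # values at install time — presumably they must agree with
        # clamav.app.backend.secrets.onapiBasicAuthToken.
        username: ''
        password: ''
      cors-oneapi:
        # Credentialed CORS is only safe when the allowed origin is an explicit list,
        # never "*"; the origin is configured on the scan service (corsOriginUrl).
        cors-allow-credentials: true
      backend-jwt:
        header_attribute_name: x-claims
        # SECURITY: signing secret for the (currently disabled) backend-jwt plugin. The
        # committed placeholder was removed — anyone who knew it could mint the x-claims
        # header the backend trusts. Set a random value when enabling the plugin.
        sign_secret: ''
        claims:
          - iss
          - sub
          - client_id
          - scope
          - app_name
          - custom_client_identification
      spikearrest:
        timeUnit: minute
        allow: 6000
        bufferSize: 600
      # client certificate configuration
      # targets:
      #   - host: 'example.org'
      #     ssl:
      #       client:
      #         key: /home/node/certs/example.org.key # Don't change this, will be set via certs.key
      #         cert: /home/node/certs/example.org.crt # Don't change this, will be set via certs.cert
      #         passphrase: 'optional'
  image:
    repository: edgemicro
    # "latest" is unpinned; pin a version or digest so the gateway image is reproducible.
    tag: latest
    pullPolicy: IfNotPresent
  nameOverride: ""
  fullnameOverride: ""
  service:
    # NodePort opens port 30005 on every node of the cluster, bypassing the ingress and
    # its TLS. Prefer ClusterIP plus the ingress route below (the template may need the
    # nodePort key dropped when the type changes).
    type: NodePort
    port: 80
    nodePort: 30005
  # Resource requests/limits for the gateway pod. Adjust to expected traffic; keeping limits
  # set prevents a runaway gateway from starving its neighbours.
  resources:
    limits:
      cpu: 100m
      memory: 128Mi
    requests:
      cpu: 100m
      memory: 128Mi
  # Optionally an ingress route can be defined. Routing options are configured in here.
  ingress:
    enabled: true
    basePath: /malware-scan/api/v1
    # List of hosts for the routing. An empty list enables routing for all hostnames —
    # note that [""] is a one-item list holding an empty string, not an empty list, and
    # that all-hostname routing exposes the API on every name the controller answers for.
    hosts: [""]
    annotations: {}
    #traefik.ingress.kubernetes.io/rewrite-target: /malware_scan_api
    # Add custom labels to the ingress route
    labels: {}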
#Subchart properties for vault
vault:
enabled: true
namespace: vault
global:
# enabled is the master enabled switch. Setting this to true or false
# will enable or disable all the components within this chart by default.
enabled: true
# Image pull secret to use for registry authentication.
imagePullSecrets:
# imagePullSecrets:
- name: dockerregistry
# TLS for end-to-end encrypted transport. tlsDisable: true (the value below) serves the Vault API, and every token sent to it, in clear text inside the cluster; keep it only for local experiments and set it to false with a listener certificate before the backend stores real secrets here.
tlsDisable: true
server:
# Resource requests, limits, etc. for the server cluster placement. This
# should map directly to the value of the resources field for a PodSpec.
# By default no direct resource request is made.
image:
repository: vault
tag: latest
# Overrides the default Image Pull Policy
pullPolicy: IfNotPresent
resources:
# resources:
# requests:
# memory: 256Mi
# cpu: 250m
# limits:
# memory: 256Mi
# cpu: 250m
# Ingress creates an Ingress resource so that clients outside the cluster
# can reach the Vault pods.
ingress:
enabled: false
labels: { }
# traffic: external
annotations: { }
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
# For now Vault can only be served at "/"
paths: [ / ]
tls: [ ]
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# authDelegator enables a cluster role binding to be attached to the service
# account. This cluster role binding can be used to setup Kubernetes auth
# method. https://www.vaultproject.io/docs/auth/kubernetes.html
authDelegator:
enabled: false
# extraContainers is a list of sidecar containers. Specified as a raw YAML string.
extraContainers: null
# Used to define custom readinessProbe settings
readinessProbe:
enabled: true
# If you need to use a http path instead of the default exec
# path: /v1/sys/health?standbyok
# Used to enable a livenessProbe for the pods
livenessProbe:
enabled: false
path: /v1/sys/health?standbyok
# extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
# used to include variables required for auto-unseal.
extraEnvironmentVars: { }
# GOOGLE_REGION: global
# GOOGLE_PROJECT: myproject
# GOOGLE_APPLICATION_CREDENTIALS: /vault/userconfig/myproject/myproject-creds.json
# extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars: [ ]
# - envName: AWS_SECRET_ACCESS_KEY
# secretName: vault
# secretKey: AWS_SECRET_ACCESS_KEY
# extraVolumes is a list of extra volumes to mount. These will be exposed
# to Vault in the path `/vault/userconfig/<name>/`. The value below is
# an array of objects, examples are shown below.
extraVolumes: [ ]
# - type: secret (or "configMap")
# name: my-secret
# path: null # default is `/vault/userconfig`
# Affinity Settings
# Commenting out or setting as empty the affinity variable, will allow
# deployment to single node services such as Minikube
affinity: |
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "vault.name" . }}
app.kubernetes.io/instance: "{{ .Release.Name }}"
component: server
topologyKey: kubernetes.io/hostname
# Toleration Settings for server pods
# This should be a multi-line string matching the Toleration array
# in a PodSpec.
tolerations: { }
# nodeSelector labels for server pod assignment, formatted as a multi-line string.
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
# Example:
# nodeSelector: |
# beta.kubernetes.io/arch: amd64
nodeSelector: { }
# Extra labels to attach to the server pods
# This should be a multi-line string mapping directly to a map of
# the labels to apply to the server pods
extraLabels: { }
# Extra annotations to attach to the server pods
# This should be a multi-line string mapping directly to a map of
# the annotations to apply to the server pods
annotations: { }
# Enables a headless service to be used by the Vault Statefulset
service:
enabled: true
# clusterIP controls whether a Cluster IP address is attached to the
# Vault service within Kubernetes. By default the Vault service will
# be given a Cluster IP address, set to None to disable. When disabled
# Kubernetes will create a "headless" service. Headless services can be
# used to communicate with pods directly through DNS instead of a round robin
# load balancer.
# clusterIP: None
# Port on which Vault server is listening
port: 8200
# Target port to which the service should be mapped to
targetPort: 8200
# Extra annotations for the service definition
annotations: { }
# This configures the Vault Statefulset to create a PVC for data
# storage when using the file backend.
# See https://www.vaultproject.io/docs/configuration/storage/index.html to know more
dataStorage:
enabled: true
# Size of the PVC created
size: 1Gi
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: ""
# Access Mode of the storage device being used for the PVC
accessMode: ReadWriteOnce
# This configures the Vault Statefulset to create a PVC for audit
# logs. Once Vault is deployed, initialized and unsealed, Vault must
# be configured to use this for audit logs. This will be mounted to
# /vault/audit
# See https://www.vaultproject.io/docs/audit/index.html to know more
auditStorage:
enabled: true
# Size of the PVC created
size: 1Gi
# Name of the storage class to use. If null it will use the
# configured default Storage Class.
storageClass: ""
# Access Mode of the storage device being used for the PVC
accessMode: ReadWriteOnce
# Run Vault in "dev" mode. This requires no further setup, no state management,
# and no initialization. This is useful for experimenting with Vault without
# needing to unseal, store keys, et. al. All data is lost on restart - do not
# use dev mode for anything other than experimenting.
# See https://www.vaultproject.io/docs/concepts/dev-server.html to know more
dev:
enabled: false
# Run Vault in "standalone" mode. This is the default mode that will deploy if
# no arguments are given to helm. This requires a PVC for data storage to use
# the "file" backend. This mode is not highly available and should not be scaled
# past a single replica.
standalone:
enabled: "-"
# config is a raw string of default configuration when using a Stateful
# deployment. Default is to use a PersistentVolumeClaim mounted at /vault/data
# and store data there. This is only used when using a Replica count of 1, and
# using a stateful set. This should be HCL.
config: |
ui = true
listener "tcp" {