flux

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @section Kustomize Controller Parameters
##
kustomizeController:
  ## @param kustomizeController.enabled Enable Kustomize Controller
  ##
  enabled: true
  ## @param kustomizeController.installCRDs Flag to install Kustomize Controller CRDs
  ##
  installCRDs: true
  ## @param kustomizeController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Kustomize Controller image
  ## @param kustomizeController.image.registry [default: REGISTRY_NAME] Kustomize Controller image registry
  ## @param kustomizeController.image.repository [default: REPOSITORY_NAME/fluxcd-kustomize-controller] Kustomize Controller image repository
  ## @skip kustomizeController.image.tag Kustomize Controller image tag (immutable tags are recommended)
  ## @param kustomizeController.image.digest Kustomize Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
  ## @param kustomizeController.image.pullPolicy Kustomize Controller image pull policy
  ## @param kustomizeController.image.pullSecrets Kustomize Controller image pull secrets
  ## @param kustomizeController.image.debug Enable Kustomize Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-kustomize-controller-iamguarded
    tag: 1.8.1
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param kustomizeController.replicaCount Number of Kustomize Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param kustomizeController.containerPorts.metrics Kustomize Controller metrics container port
  ## @param kustomizeController.containerPorts.health Kustomize Controller health container port
  ##
  containerPorts:
    metrics: 8080
    health: 9440
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param kustomizeController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param kustomizeController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param kustomizeController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param kustomizeController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param kustomizeController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param kustomizeController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param kustomizeController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param kustomizeController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for Kustomize Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param kustomizeController.livenessProbe.enabled Enable livenessProbe on Kustomize Controller containers
  ## @param kustomizeController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param kustomizeController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param kustomizeController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param kustomizeController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param kustomizeController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param kustomizeController.readinessProbe.enabled Enable readinessProbe on Kustomize Controller containers
  ## @param kustomizeController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param kustomizeController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param kustomizeController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param kustomizeController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param kustomizeController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param kustomizeController.startupProbe.enabled Enable startupProbe on Kustomize Controller containers
  ## @param kustomizeController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param kustomizeController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param kustomizeController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param kustomizeController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param kustomizeController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param kustomizeController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param kustomizeController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param kustomizeController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Kustomize Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param kustomizeController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if kustomizeController.resources is set (kustomizeController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param kustomizeController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param kustomizeController.podSecurityContext.enabled Enabled Kustomize Controller pods' Security Context
  ## @param kustomizeController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param kustomizeController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param kustomizeController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param kustomizeController.podSecurityContext.fsGroup Set Kustomize Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param kustomizeController.containerSecurityContext.enabled Enabled Kustomize Controller containers' Security Context
  ## @param kustomizeController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param kustomizeController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param kustomizeController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param kustomizeController.containerSecurityContext.runAsNonRoot Set Kustomize Controller containers' Security Context runAsNonRoot
  ## @param kustomizeController.containerSecurityContext.privileged Set Kustomize Controller containers' Security Context privileged
  ## @param kustomizeController.containerSecurityContext.readOnlyRootFilesystem Set Kustomize Controller containers' Security Context readOnlyRootFilesystem
  ## @param kustomizeController.containerSecurityContext.allowPrivilegeEscalation Set Kustomize Controller container's privilege escalation
  ## @param kustomizeController.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param kustomizeController.containerSecurityContext.seccompProfile.type Set Kustomize Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param kustomizeController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param kustomizeController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param kustomizeController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param kustomizeController.hostAliases Kustomize Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param kustomizeController.podLabels Extra labels for Kustomize Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param kustomizeController.podAnnotations Annotations for Kustomize Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param kustomizeController.podAffinityPreset Pod affinity preset. Ignored if `kustomizeController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param kustomizeController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `kustomizeController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param kustomizeController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param kustomizeController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param kustomizeController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ## @param kustomizeController.autoscaling.enabled Enable autoscaling for kustomizeController
  ## @param kustomizeController.autoscaling.minReplicas Minimum number of kustomizeController replicas
  ## @param kustomizeController.autoscaling.maxReplicas Maximum number of kustomizeController replicas
  ## @param kustomizeController.autoscaling.targetCPU Target CPU utilization percentage
  ## @param kustomizeController.autoscaling.targetMemory Target Memory utilization percentage
  ##
  autoscaling:
    enabled: false
    minReplicas: ""
    maxReplicas: ""
    targetCPU: ""
    targetMemory: ""
  ## Node kustomizeController.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param kustomizeController.nodeAffinityPreset.type Node affinity preset type. Ignored if `kustomizeController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param kustomizeController.nodeAffinityPreset.key Node label key to match. Ignored if `kustomizeController.affinity` is set
    ##
    key: ""
    ## @param kustomizeController.nodeAffinityPreset.values Node label values to match. Ignored if `kustomizeController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param kustomizeController.affinity Affinity for Kustomize Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `kustomizeController.podAffinityPreset`, `kustomizeController.podAntiAffinityPreset`, and `kustomizeController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param kustomizeController.nodeSelector Node labels for Kustomize Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param kustomizeController.tolerations Tolerations for Kustomize Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param kustomizeController.updateStrategy.type Kustomize Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param kustomizeController.priorityClassName Kustomize Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param kustomizeController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param kustomizeController.schedulerName Name of the k8s scheduler (other than default) for Kustomize Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param kustomizeController.terminationGracePeriodSeconds Seconds Kustomize Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param kustomizeController.lifecycleHooks for the Kustomize Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param kustomizeController.extraEnvVars Array with extra environment variables to add to Kustomize Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param kustomizeController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Kustomize Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param kustomizeController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Kustomize Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param kustomizeController.extraVolumes Optionally specify extra list of additional volumes for the Kustomize Controller pod(s)
  ##
  extraVolumes: []
  ## @param kustomizeController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kustomize Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param kustomizeController.sidecars Add additional sidecar containers to the Kustomize Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param kustomizeController.initContainers Add additional init containers to the Kustomize Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Kustomize Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param kustomizeController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param kustomizeController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param kustomizeController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param kustomizeController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param kustomizeController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param kustomizeController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Kustomize Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param kustomizeController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Kustomize Controller service parameters
    ##
    service:
      ## @param kustomizeController.metrics.service.type Kustomize Controller service type
      ##
      type: ClusterIP
      ## @param kustomizeController.metrics.service.ports.metrics Kustomize Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param kustomizeController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param kustomizeController.metrics.service.clusterIP Kustomize Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param kustomizeController.metrics.service.loadBalancerIP Kustomize Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param kustomizeController.metrics.service.loadBalancerSourceRanges Kustomize Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param kustomizeController.metrics.service.externalTrafficPolicy Kustomize Controller service external traffic policy
      ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param kustomizeController.metrics.service.annotations [object] Additional custom annotations for Kustomize Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.kustomizeController.metrics.service.ports.metrics }}"
      ## @param kustomizeController.metrics.service.extraPorts Extra ports to expose in Kustomize Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param kustomizeController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param kustomizeController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param kustomizeController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param kustomizeController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param kustomizeController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param kustomizeController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param kustomizeController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param kustomizeController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param kustomizeController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param kustomizeController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param kustomizeController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param kustomizeController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param kustomizeController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Helm Controller Parameters
##
helmController:
  ## @param helmController.enabled Enable Helm Controller
  ##
  enabled: true
  ## @param helmController.installCRDs Flag to install Helm Controller CRDs
  ##
  installCRDs: true
  ## @param helmController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Helm Controller image
  ## @param helmController.image.registry [default: REGISTRY_NAME] Helm Controller image registry
  ## @param helmController.image.repository [default: REPOSITORY_NAME/fluxcd-helm-controller] Helm Controller image repository
  ## @skip helmController.image.tag Helm Controller image tag (immutable tags are recommended)
  ## @param helmController.image.digest Helm Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
  ## @param helmController.image.pullPolicy Helm Controller image pull policy
  ## @param helmController.image.pullSecrets Helm Controller image pull secrets
  ## @param helmController.image.debug Enable Helm Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-helm-controller-iamguarded
    tag: 1.5.1
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param helmController.replicaCount Number of Helm Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param helmController.containerPorts.metrics Helm Controller metrics container port
  ## @param helmController.containerPorts.health Helm Controller health container port
  ##
  containerPorts:
    metrics: 8080
    health: 9440
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param helmController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param helmController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param helmController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param helmController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param helmController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param helmController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param helmController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param helmController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
705
  ## Configure extra options for Helm Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param helmController.livenessProbe.enabled Enable livenessProbe on Helm Controller containers
  ## @param helmController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param helmController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param helmController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param helmController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param helmController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param helmController.readinessProbe.enabled Enable readinessProbe on Helm Controller containers
  ## @param helmController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param helmController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param helmController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param helmController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param helmController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param helmController.startupProbe.enabled Enable startupProbe on Helm Controller containers
  ## @param helmController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param helmController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param helmController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param helmController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param helmController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param helmController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param helmController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param helmController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Helm Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param helmController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if helmController.resources is set (helmController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param helmController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param helmController.podSecurityContext.enabled Enable Helm Controller pods' Security Context
  ## @param helmController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param helmController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param helmController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param helmController.podSecurityContext.fsGroup Set Helm Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param helmController.containerSecurityContext.enabled Enable Helm Controller containers' Security Context
  ## @param helmController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param helmController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param helmController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param helmController.containerSecurityContext.runAsNonRoot Set Helm Controller containers' Security Context runAsNonRoot
  ## @param helmController.containerSecurityContext.privileged Set Helm Controller containers' Security Context privileged
  ## @param helmController.containerSecurityContext.readOnlyRootFilesystem Set Helm Controller containers' Security Context readOnlyRootFilesystem
  ## @param helmController.containerSecurityContext.allowPrivilegeEscalation Set Helm Controller container's privilege escalation
  ## @param helmController.containerSecurityContext.capabilities.drop List of capabilities to drop from the Helm Controller container
  ## @param helmController.containerSecurityContext.seccompProfile.type Set Helm Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param helmController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param helmController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param helmController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param helmController.hostAliases Helm Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param helmController.podLabels Extra labels for Helm Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param helmController.podAnnotations Annotations for Helm Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param helmController.podAffinityPreset Pod affinity preset. Ignored if `helmController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param helmController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `helmController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param helmController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param helmController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param helmController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ## @param helmController.autoscaling.enabled Enable autoscaling for helmController
  ## @param helmController.autoscaling.minReplicas Minimum number of helmController replicas
  ## @param helmController.autoscaling.maxReplicas Maximum number of helmController replicas
  ## @param helmController.autoscaling.targetCPU Target CPU utilization percentage
  ## @param helmController.autoscaling.targetMemory Target Memory utilization percentage
  ##
  autoscaling:
    enabled: false
    minReplicas: ""
    maxReplicas: ""
    targetCPU: ""
    targetMemory: ""
  ## Node helmController.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param helmController.nodeAffinityPreset.type Node affinity preset type. Ignored if `helmController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param helmController.nodeAffinityPreset.key Node label key to match. Ignored if `helmController.affinity` is set
    ##
    key: ""
    ## @param helmController.nodeAffinityPreset.values Node label values to match. Ignored if `helmController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param helmController.affinity Affinity for Helm Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `helmController.podAffinityPreset`, `helmController.podAntiAffinityPreset`, and `helmController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param helmController.nodeSelector Node labels for Helm Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param helmController.tolerations Tolerations for Helm Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param helmController.updateStrategy.type Helm Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param helmController.priorityClassName Helm Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param helmController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param helmController.schedulerName Name of the k8s scheduler (other than default) for Helm Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param helmController.terminationGracePeriodSeconds Seconds Helm Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param helmController.lifecycleHooks for the Helm Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param helmController.extraEnvVars Array with extra environment variables to add to Helm Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param helmController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Helm Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param helmController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Helm Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param helmController.extraVolumes Optionally specify extra list of additional volumes for the Helm Controller pod(s)
  ##
  extraVolumes: []
  ## @param helmController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Helm Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param helmController.sidecars Add additional sidecar containers to the Helm Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param helmController.initContainers Add additional init containers to the Helm Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Helm Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param helmController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param helmController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param helmController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param helmController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param helmController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param helmController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Helm Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param helmController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Helm Controller service parameters
    ##
    service:
      ## @param helmController.metrics.service.type Helm Controller service type
      ##
      type: ClusterIP
      ## @param helmController.metrics.service.ports.metrics Helm Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param helmController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param helmController.metrics.service.clusterIP Helm Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param helmController.metrics.service.loadBalancerIP Helm Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param helmController.metrics.service.loadBalancerSourceRanges Helm Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param helmController.metrics.service.externalTrafficPolicy Helm Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param helmController.metrics.service.annotations [object] Additional custom annotations for Helm Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.helmController.metrics.service.ports.metrics }}"
      ## @param helmController.metrics.service.extraPorts Extra ports to expose in Helm Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param helmController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param helmController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param helmController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param helmController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param helmController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param helmController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param helmController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param helmController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param helmController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param helmController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param helmController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param helmController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param helmController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Source Controller Parameters
##
sourceController:
  ## @param sourceController.enabled Enable Source Controller
  ##
  enabled: true
  ## @param sourceController.installCRDs Flag to install Source Controller CRDs
  ##
  installCRDs: true
  ## @param sourceController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Source Controller image
  ## @param sourceController.image.registry [default: REGISTRY_NAME] Source Controller image registry
  ## @param sourceController.image.repository [default: REPOSITORY_NAME/fluxcd-source-controller] Source Controller image repository
  ## @skip sourceController.image.tag Source Controller image tag (immutable tags are recommended)
  ## @param sourceController.image.digest Source Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param sourceController.image.pullPolicy Source Controller image pull policy
  ## @param sourceController.image.pullSecrets Source Controller image pull secrets
  ## @param sourceController.image.debug Enable Source Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-source-controller-iamguarded
    tag: 1.8.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param sourceController.replicaCount Number of Source Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param sourceController.containerPorts.http Source Controller http container port
  ## @param sourceController.containerPorts.metrics Source Controller metrics container port
  ## @param sourceController.containerPorts.health Source Controller health container port
  ##
  containerPorts:
    http: 9090
    metrics: 8080
    health: 9440
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param sourceController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param sourceController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param sourceController.networkPolicy.allowExternalEgress Allow the pod to access any range of ports and all destinations.
    ##
    allowExternalEgress: true
    ## @param sourceController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param sourceController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraIngress: []
    ## @param sourceController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param sourceController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param sourceController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for Source Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param sourceController.livenessProbe.enabled Enable livenessProbe on Source Controller containers
  ## @param sourceController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param sourceController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param sourceController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param sourceController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param sourceController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param sourceController.readinessProbe.enabled Enable readinessProbe on Source Controller containers
  ## @param sourceController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param sourceController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param sourceController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param sourceController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param sourceController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param sourceController.startupProbe.enabled Enable startupProbe on Source Controller containers
  ## @param sourceController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param sourceController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param sourceController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param sourceController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param sourceController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param sourceController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param sourceController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param sourceController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Source Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param sourceController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if sourceController.resources is set (sourceController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param sourceController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param sourceController.podSecurityContext.enabled Enable Source Controller pods' Security Context
  ## @param sourceController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param sourceController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param sourceController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param sourceController.podSecurityContext.fsGroup Set Source Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param sourceController.containerSecurityContext.enabled Enable Source Controller containers' Security Context
  ## @param sourceController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param sourceController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param sourceController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param sourceController.containerSecurityContext.runAsNonRoot Set Source Controller containers' Security Context runAsNonRoot
  ## @param sourceController.containerSecurityContext.privileged Set Source Controller containers' Security Context privileged
  ## @param sourceController.containerSecurityContext.readOnlyRootFilesystem Set Source Controller containers' Security Context readOnlyRootFilesystem
  ## @param sourceController.containerSecurityContext.allowPrivilegeEscalation Set Source Controller container's privilege escalation
  ## @param sourceController.containerSecurityContext.capabilities.drop List of capabilities to drop from the Source Controller container
  ## @param sourceController.containerSecurityContext.seccompProfile.type Set Source Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param sourceController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param sourceController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param sourceController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param sourceController.hostAliases Source Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param sourceController.podLabels Extra labels for Source Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param sourceController.podAnnotations Annotations for Source Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param sourceController.podAffinityPreset Pod affinity preset. Ignored if `sourceController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param sourceController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `sourceController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
## Pod Disruption Budget configuration
1357
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
1358
## @param sourceController.pdb.create Enable/disable a Pod Disruption Budget creation
1359
## @param sourceController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
1360
## @param sourceController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
1361
##
1362
pdb:
1363
create: true
1364
minAvailable: ""
1365
maxUnavailable: ""
1366
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ## @param sourceController.autoscaling.enabled Enable autoscaling for sourceController
  ## @param sourceController.autoscaling.minReplicas Minimum number of sourceController replicas
  ## @param sourceController.autoscaling.maxReplicas Maximum number of sourceController replicas
  ## @param sourceController.autoscaling.targetCPU Target CPU utilization percentage
  ## @param sourceController.autoscaling.targetMemory Target Memory utilization percentage
  ##
  autoscaling:
    enabled: false
    minReplicas: ""
    maxReplicas: ""
    targetCPU: ""
    targetMemory: ""
  ## Node sourceController.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param sourceController.nodeAffinityPreset.type Node affinity preset type. Ignored if `sourceController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param sourceController.nodeAffinityPreset.key Node label key to match. Ignored if `sourceController.affinity` is set
    ##
    key: ""
    ## @param sourceController.nodeAffinityPreset.values Node label values to match. Ignored if `sourceController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param sourceController.affinity Affinity for Source Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `sourceController.podAffinityPreset`, `sourceController.podAntiAffinityPreset`, and `sourceController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param sourceController.nodeSelector Node labels for Source Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param sourceController.tolerations Tolerations for Source Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param sourceController.updateStrategy.type Source Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param sourceController.priorityClassName Source Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param sourceController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param sourceController.schedulerName Name of the k8s scheduler (other than default) for Source Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param sourceController.terminationGracePeriodSeconds Seconds Source Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param sourceController.lifecycleHooks Lifecycle hooks for the Source Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param sourceController.extraEnvVars Array with extra environment variables to add to Source Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param sourceController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Source Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param sourceController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Source Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param sourceController.extraVolumes Optionally specify extra list of additional volumes for the Source Controller pod(s)
  ##
  extraVolumes: []
  ## @param sourceController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Source Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param sourceController.sidecars Add additional sidecar containers to the Source Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param sourceController.initContainers Add additional init containers to the Source Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Source Controller service parameters
  ##
  service:
    ## @param sourceController.service.type Source Controller service type
    ##
    type: ClusterIP
    ## @param sourceController.service.ports.http Source Controller service metrics port
    ##
    ports:
      http: 80
    ## Node ports to expose
    ## @param sourceController.service.nodePorts.http Node port for HTTP
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
    ## @param sourceController.service.clusterIP Source Controller service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param sourceController.service.loadBalancerIP Source Controller service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param sourceController.service.loadBalancerSourceRanges Source Controller service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param sourceController.service.externalTrafficPolicy Source Controller service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param sourceController.service.annotations [object] Additional custom annotations for Source Controller service
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.sourceController.service.ports }}"
    ## @param sourceController.service.extraPorts Extra ports to expose in Source Controller service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param sourceController.service.sessionAffinity Control where client requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param sourceController.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## @section Source Controller Persistence Parameters
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param sourceController.persistence.enabled Enable persistence using Persistent Volume Claims
    ## (NOTE: Disabled by default in upstream flux configuration)
    ##
    enabled: false
    ## @param sourceController.persistence.resourcePolicy Set it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted
    ##
    resourcePolicy: ""
    ## @param sourceController.persistence.mountPath Persistent Volume mount root path
    ##
    mountPath: /iamguarded/fluxcd-source-controller/data
    ## @param sourceController.persistence.storageClass Persistent Volume storage class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
    ##
    storageClass: ""
    ## @param sourceController.persistence.accessModes [array] Persistent Volume access modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param sourceController.persistence.size Persistent Volume size
    ##
    size: 10Gi
    ## @param sourceController.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
    ## @param sourceController.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param sourceController.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param sourceController.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
  ## @section Source Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param sourceController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param sourceController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param sourceController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param sourceController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param sourceController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param sourceController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Source Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param sourceController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Source Controller service parameters
    ##
    service:
      ## @param sourceController.metrics.service.type Source Controller service type
      ##
      type: ClusterIP
      ## @param sourceController.metrics.service.ports.metrics Source Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param sourceController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param sourceController.metrics.service.clusterIP Source Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param sourceController.metrics.service.loadBalancerIP Source Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param sourceController.metrics.service.loadBalancerSourceRanges Source Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param sourceController.metrics.service.externalTrafficPolicy Source Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param sourceController.metrics.service.annotations [object] Additional custom annotations for Source Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.sourceController.metrics.service.ports.metrics }}"
      ## @param sourceController.metrics.service.extraPorts Extra ports to expose in Source Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param sourceController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param sourceController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param sourceController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param sourceController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param sourceController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param sourceController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param sourceController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param sourceController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param sourceController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param sourceController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param sourceController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param sourceController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param sourceController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Notification Controller Parameters
##
notificationController:
  ## @param notificationController.enabled Enable Notification Controller
  ##
  enabled: true
  ## @param notificationController.installCRDs Flag to install Notification Controller CRDs
  ##
  installCRDs: true
  ## @param notificationController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Notification Controller image
  ## @param notificationController.image.registry [default: REGISTRY_NAME] Notification Controller image registry
  ## @param notificationController.image.repository [default: REPOSITORY_NAME/fluxcd-notification-controller] Notification Controller image repository
  ## @skip notificationController.image.tag Notification Controller image tag (immutable tags are recommended)
  ## @param notificationController.image.digest Notification Controller image digest in the form sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param notificationController.image.pullPolicy Notification Controller image pull policy
  ## @param notificationController.image.pullSecrets Notification Controller image pull secrets
  ## @param notificationController.image.debug Enable Notification Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-notification-controller-iamguarded
    tag: 1.8.1
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param notificationController.replicaCount Number of Notification Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param notificationController.containerPorts.metrics Notification Controller metrics container port
  ## @param notificationController.containerPorts.receiver Notification Controller receiver container port
  ## @param notificationController.containerPorts.health Notification Controller health container port
  ## @param notificationController.containerPorts.webhook Notification Controller webhook container port
  ##
  containerPorts:
    metrics: 8080
    receiver: 9090
    health: 9440
    webhook: 9292
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param notificationController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param notificationController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param notificationController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param notificationController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param notificationController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param notificationController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param notificationController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param notificationController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for Notification Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param notificationController.livenessProbe.enabled Enable livenessProbe on Notification Controller containers
  ## @param notificationController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param notificationController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param notificationController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param notificationController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param notificationController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param notificationController.readinessProbe.enabled Enable readinessProbe on Notification Controller containers
  ## @param notificationController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param notificationController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param notificationController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param notificationController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param notificationController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param notificationController.startupProbe.enabled Enable startupProbe on Notification Controller containers
  ## @param notificationController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param notificationController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param notificationController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param notificationController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param notificationController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param notificationController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param notificationController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param notificationController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Notification Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param notificationController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if notificationController.resources is set (notificationController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param notificationController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param notificationController.podSecurityContext.enabled Enabled Notification Controller pods' Security Context
  ## @param notificationController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param notificationController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param notificationController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param notificationController.podSecurityContext.fsGroup Set Notification Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param notificationController.containerSecurityContext.enabled Enabled Notification Controller containers' Security Context
  ## @param notificationController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param notificationController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param notificationController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param notificationController.containerSecurityContext.runAsNonRoot Set Notification Controller containers' Security Context runAsNonRoot
  ## @param notificationController.containerSecurityContext.readOnlyRootFilesystem Set Notification Controller containers' Security Context readOnlyRootFilesystem
  ## @param notificationController.containerSecurityContext.privileged Set Notification Controller containers' Security Context privileged
  ## @param notificationController.containerSecurityContext.allowPrivilegeEscalation Set Notification Controller container's privilege escalation
  ## @param notificationController.containerSecurityContext.capabilities.drop Set Notification Controller container's Security Context capabilities to be dropped
  ## @param notificationController.containerSecurityContext.seccompProfile.type Set Notification Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param notificationController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param notificationController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param notificationController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param notificationController.hostAliases Notification Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param notificationController.podLabels Extra labels for Notification Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param notificationController.podAnnotations Annotations for Notification Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param notificationController.podAffinityPreset Pod affinity preset. Ignored if `notificationController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param notificationController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `notificationController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param notificationController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param notificationController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param notificationController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
## Autoscaling configuration
1979
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
1980
## @param notificationController.autoscaling.enabled Enable autoscaling for notificationController
1981
## @param notificationController.autoscaling.minReplicas Minimum number of notificationController replicas
1982
## @param notificationController.autoscaling.maxReplicas Maximum number of notificationController replicas
1983
## @param notificationController.autoscaling.targetCPU Target CPU utilization percentage
1984
## @param notificationController.autoscaling.targetMemory Target Memory utilization percentage
1985
##
1986
autoscaling:
1987
enabled: false
1988
minReplicas: ""
1989
maxReplicas: ""
1990
targetCPU: ""
1991
targetMemory: ""
  ## Node notificationController.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param notificationController.nodeAffinityPreset.type Node affinity preset type. Ignored if `notificationController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param notificationController.nodeAffinityPreset.key Node label key to match. Ignored if `notificationController.affinity` is set
    ##
    key: ""
    ## @param notificationController.nodeAffinityPreset.values Node label values to match. Ignored if `notificationController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param notificationController.affinity Affinity for Notification Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `notificationController.podAffinityPreset`, `notificationController.podAntiAffinityPreset`, and `notificationController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param notificationController.nodeSelector Node labels for Notification Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param notificationController.tolerations Tolerations for Notification Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param notificationController.updateStrategy.type Notification Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param notificationController.priorityClassName Notification Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param notificationController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param notificationController.schedulerName Name of the k8s scheduler (other than default) for Notification Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param notificationController.terminationGracePeriodSeconds Seconds Notification Controller pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param notificationController.lifecycleHooks Lifecycle hooks for the Notification Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param notificationController.extraEnvVars Array with extra environment variables to add to Notification Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param notificationController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Notification Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param notificationController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Notification Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param notificationController.extraVolumes Optionally specify extra list of additional volumes for the Notification Controller pod(s)
  ##
  extraVolumes: []
  ## @param notificationController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Notification Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param notificationController.sidecars Add additional sidecar containers to the Notification Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param notificationController.initContainers Add additional init containers to the Notification Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Notification Controller Traffic Exposure Parameters
  service:
    ## Notification Controller Receiver service parameters
    ##
    receiver:
      ## @param notificationController.service.receiver.type Notification Controller service type
      ##
      type: ClusterIP
      ## @param notificationController.service.receiver.ports.http Notification Controller service receiver port
      ##
      ports:
        http: 80
      ## Node ports to expose
      ## @param notificationController.service.receiver.nodePorts.http Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        http: ""
      ## @param notificationController.service.receiver.clusterIP Notification Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param notificationController.service.receiver.loadBalancerIP Notification Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param notificationController.service.receiver.loadBalancerSourceRanges Notification Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param notificationController.service.receiver.externalTrafficPolicy Notification Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param notificationController.service.receiver.annotations [object] Additional custom annotations for Notification Controller service
      ##
      annotations: {}
      ## @param notificationController.service.receiver.extraPorts Extra ports to expose in Notification Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param notificationController.service.receiver.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param notificationController.service.receiver.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Notification Controller webhook service parameters
    ##
    webhook:
      ## @param notificationController.service.webhook.type Notification Controller service type
      ##
      type: ClusterIP
      ## @param notificationController.service.webhook.ports.http Notification Controller service webhook port
      ##
      ports:
        http: 80
      ## Node ports to expose
      ## @param notificationController.service.webhook.nodePorts.http Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        http: ""
      ## @param notificationController.service.webhook.clusterIP Notification Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param notificationController.service.webhook.loadBalancerIP Notification Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param notificationController.service.webhook.loadBalancerSourceRanges Notification Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param notificationController.service.webhook.externalTrafficPolicy Notification Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param notificationController.service.webhook.annotations [object] Additional custom annotations for Notification Controller service
      ##
      annotations: {}
      ## @param notificationController.service.webhook.extraPorts Extra ports to expose in Notification Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param notificationController.service.webhook.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param notificationController.service.webhook.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
  ## @section Notification Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param notificationController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param notificationController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param notificationController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param notificationController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param notificationController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param notificationController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Notification Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param notificationController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Notification Controller service parameters
    ##
    service:
      ## @param notificationController.metrics.service.type Notification Controller service type
      ##
      type: ClusterIP
      ## @param notificationController.metrics.service.ports.metrics Notification Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param notificationController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param notificationController.metrics.service.clusterIP Notification Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param notificationController.metrics.service.loadBalancerIP Notification Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param notificationController.metrics.service.loadBalancerSourceRanges Notification Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param notificationController.metrics.service.externalTrafficPolicy Notification Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param notificationController.metrics.service.annotations [object] Additional custom annotations for Notification Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.notificationController.metrics.service.ports.metrics }}"
      ## @param notificationController.metrics.service.extraPorts Extra ports to expose in Notification Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param notificationController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param notificationController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param notificationController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param notificationController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param notificationController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param notificationController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param notificationController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param notificationController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param notificationController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param notificationController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param notificationController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param notificationController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param notificationController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Image Automation Controller Parameters
##
imageAutomationController:
  ## @param imageAutomationController.enabled Enable Image Automation Controller
  ##
  enabled: true
  ## @param imageAutomationController.installCRDs Flag to install Image Automation Controller CRDs
  ##
  installCRDs: true
  ## @param imageAutomationController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Image Automation Controller image
  ## @param imageAutomationController.image.registry [default: REGISTRY_NAME] Image Automation Controller image registry
  ## @param imageAutomationController.image.repository [default: REPOSITORY_NAME/fluxcd-image-automation-controller] Image Automation Controller image repository
  ## @skip imageAutomationController.image.tag Image Automation Controller image tag (immutable tags are recommended)
  ## @param imageAutomationController.image.digest Image Automation Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param imageAutomationController.image.pullPolicy Image Automation Controller image pull policy
  ## @param imageAutomationController.image.pullSecrets Image Automation Controller image pull secrets
  ## @param imageAutomationController.image.debug Enable Image Automation Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-image-automation-controller-iamguarded
    tag: 1.1.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param imageAutomationController.replicaCount Number of Image Automation Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param imageAutomationController.containerPorts.metrics Image Automation Controller metrics container port
  ## @param imageAutomationController.containerPorts.health Image Automation Controller health container port
  ##
  containerPorts:
    metrics: 8080
    health: 9440
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param imageAutomationController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param imageAutomationController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param imageAutomationController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param imageAutomationController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param imageAutomationController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param imageAutomationController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param imageAutomationController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param imageAutomationController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for Image Automation Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param imageAutomationController.livenessProbe.enabled Enable livenessProbe on Image Automation Controller containers
  ## @param imageAutomationController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param imageAutomationController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param imageAutomationController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param imageAutomationController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param imageAutomationController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageAutomationController.readinessProbe.enabled Enable readinessProbe on Image Automation Controller containers
  ## @param imageAutomationController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param imageAutomationController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param imageAutomationController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param imageAutomationController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param imageAutomationController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageAutomationController.startupProbe.enabled Enable startupProbe on Image Automation Controller containers
  ## @param imageAutomationController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param imageAutomationController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param imageAutomationController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param imageAutomationController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param imageAutomationController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageAutomationController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param imageAutomationController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param imageAutomationController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Image Automation Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param imageAutomationController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if imageAutomationController.resources is set (imageAutomationController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param imageAutomationController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param imageAutomationController.podSecurityContext.enabled Enable Image Automation Controller pods' Security Context
  ## @param imageAutomationController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param imageAutomationController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param imageAutomationController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param imageAutomationController.podSecurityContext.fsGroup Set Image Automation Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param imageAutomationController.containerSecurityContext.enabled Enable Image Automation Controller containers' Security Context
  ## @param imageAutomationController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param imageAutomationController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param imageAutomationController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param imageAutomationController.containerSecurityContext.runAsNonRoot Set Image Automation Controller containers' Security Context runAsNonRoot
  ## @param imageAutomationController.containerSecurityContext.readOnlyRootFilesystem Set Image Automation Controller containers' Security Context readOnlyRootFilesystem
  ## @param imageAutomationController.containerSecurityContext.privileged Set Image Automation Controller containers' Security Context privileged
  ## @param imageAutomationController.containerSecurityContext.allowPrivilegeEscalation Set Image Automation Controller container's privilege escalation
  ## @param imageAutomationController.containerSecurityContext.capabilities.drop List of capabilities to be dropped from the Image Automation Controller container
  ## @param imageAutomationController.containerSecurityContext.seccompProfile.type Set Image Automation Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param imageAutomationController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param imageAutomationController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param imageAutomationController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param imageAutomationController.hostAliases Image Automation Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param imageAutomationController.podLabels Extra labels for Image Automation Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param imageAutomationController.podAnnotations Annotations for Image Automation Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param imageAutomationController.podAffinityPreset Pod affinity preset. Ignored if `imageAutomationController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param imageAutomationController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `imageAutomationController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param imageAutomationController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param imageAutomationController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param imageAutomationController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ## @param imageAutomationController.autoscaling.enabled Enable autoscaling for imageAutomationController
  ## @param imageAutomationController.autoscaling.minReplicas Minimum number of imageAutomationController replicas
  ## @param imageAutomationController.autoscaling.maxReplicas Maximum number of imageAutomationController replicas
  ## @param imageAutomationController.autoscaling.targetCPU Target CPU utilization percentage
  ## @param imageAutomationController.autoscaling.targetMemory Target Memory utilization percentage
  ##
  autoscaling:
    enabled: false
    minReplicas: ""
    maxReplicas: ""
    targetCPU: ""
    targetMemory: ""
2611
## Node imageAutomationController.affinity preset
2612
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
2613
##
2614
nodeAffinityPreset:
2615
## @param imageAutomationController.nodeAffinityPreset.type Node affinity preset type. Ignored if `imageAutomationController.affinity` is set. Allowed values: `soft` or `hard`
2616
##
2617
type: ""
2618
## @param imageAutomationController.nodeAffinityPreset.key Node label key to match. Ignored if `imageAutomationController.affinity` is set
2619
##
2620
key: ""
2621
## @param imageAutomationController.nodeAffinityPreset.values Node label values to match. Ignored if `imageAutomationController.affinity` is set
2622
## E.g.
2623
## values:
2624
## - e2e-az1
2625
## - e2e-az2
2626
##
2627
values: []
2628
  ## @param imageAutomationController.affinity Affinity for Image Automation Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `imageAutomationController.podAffinityPreset`, `imageAutomationController.podAntiAffinityPreset`, and `imageAutomationController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param imageAutomationController.nodeSelector Node labels for Image Automation Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param imageAutomationController.tolerations Tolerations for Image Automation Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param imageAutomationController.updateStrategy.type Image Automation Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param imageAutomationController.priorityClassName Image Automation Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param imageAutomationController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param imageAutomationController.schedulerName Name of the k8s scheduler (other than default) for Image Automation Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param imageAutomationController.terminationGracePeriodSeconds Seconds Image Automation Controller pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param imageAutomationController.lifecycleHooks Lifecycle hooks for the Image Automation Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param imageAutomationController.extraEnvVars Array with extra environment variables to add to Image Automation Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param imageAutomationController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Image Automation Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param imageAutomationController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Image Automation Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param imageAutomationController.extraVolumes Optionally specify extra list of additional volumes for the Image Automation Controller pod(s)
  ##
  extraVolumes: []
  ## @param imageAutomationController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Image Automation Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param imageAutomationController.sidecars Add additional sidecar containers to the Image Automation Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param imageAutomationController.initContainers Add additional init containers to the Image Automation Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Image Automation Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param imageAutomationController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param imageAutomationController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param imageAutomationController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param imageAutomationController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param imageAutomationController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param imageAutomationController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Image Automation Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param imageAutomationController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Image Automation Controller service parameters
    ##
    service:
      ## @param imageAutomationController.metrics.service.type Image Automation Controller service type
      ##
      type: ClusterIP
      ## @param imageAutomationController.metrics.service.ports.metrics Image Automation Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param imageAutomationController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param imageAutomationController.metrics.service.clusterIP Image Automation Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param imageAutomationController.metrics.service.loadBalancerIP Image Automation Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param imageAutomationController.metrics.service.loadBalancerSourceRanges Image Automation Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param imageAutomationController.metrics.service.externalTrafficPolicy Image Automation Controller service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param imageAutomationController.metrics.service.annotations [object] Additional custom annotations for Image Automation Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.imageAutomationController.metrics.service.ports.metrics }}"
      ## @param imageAutomationController.metrics.service.extraPorts Extra ports to expose in Image Automation Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param imageAutomationController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param imageAutomationController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param imageAutomationController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param imageAutomationController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param imageAutomationController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param imageAutomationController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param imageAutomationController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param imageAutomationController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param imageAutomationController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param imageAutomationController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param imageAutomationController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param imageAutomationController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param imageAutomationController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section Image Reflector Controller Parameters
##
imageReflectorController:
  ## @param imageReflectorController.enabled Enable Image Reflector Controller
  ##
  enabled: true
  ## @param imageReflectorController.installCRDs Flag to install Image Reflector Controller CRDs
  ##
  installCRDs: true
  ## @param imageReflectorController.watchAllNamespaces Watch for custom resources in all namespaces
  ##
  watchAllNamespaces: true
  ## Iamguarded Image Reflector Controller image
  ## @param imageReflectorController.image.registry [default: REGISTRY_NAME] Image Reflector Controller image registry
  ## @param imageReflectorController.image.repository [default: REPOSITORY_NAME/fluxcd-image-reflector-controller] Image Reflector Controller image repository
  ## @skip imageReflectorController.image.tag Image Reflector Controller image tag (immutable tags are recommended)
  ## @param imageReflectorController.image.digest Image Reflector Controller image digest in the form sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param imageReflectorController.image.pullPolicy Image Reflector Controller image pull policy
  ## @param imageReflectorController.image.pullSecrets Image Reflector Controller image pull secrets
  ## @param imageReflectorController.image.debug Enable Image Reflector Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/flux-image-reflector-controller-iamguarded
    tag: 1.1.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param imageReflectorController.replicaCount Number of Image Reflector Controller replicas to deploy
  ##
  replicaCount: 1
  ## @param imageReflectorController.containerPorts.metrics Image Reflector Controller metrics container port
  ## @param imageReflectorController.containerPorts.health Image Reflector Controller health container port
  ##
  containerPorts:
    metrics: 8080
    health: 9440
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param imageReflectorController.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param imageReflectorController.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param imageReflectorController.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param imageReflectorController.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param imageReflectorController.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param imageReflectorController.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param imageReflectorController.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param imageReflectorController.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Configure extra options for Image Reflector Controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param imageReflectorController.livenessProbe.enabled Enable livenessProbe on Image Reflector Controller containers
  ## @param imageReflectorController.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param imageReflectorController.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param imageReflectorController.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param imageReflectorController.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param imageReflectorController.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageReflectorController.readinessProbe.enabled Enable readinessProbe on Image Reflector Controller containers
  ## @param imageReflectorController.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param imageReflectorController.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param imageReflectorController.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param imageReflectorController.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param imageReflectorController.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageReflectorController.startupProbe.enabled Enable startupProbe on Image Reflector Controller containers
  ## @param imageReflectorController.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param imageReflectorController.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param imageReflectorController.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param imageReflectorController.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param imageReflectorController.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param imageReflectorController.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param imageReflectorController.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param imageReflectorController.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Image Reflector Controller resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param imageReflectorController.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if imageReflectorController.resources is set (imageReflectorController.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param imageReflectorController.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param imageReflectorController.podSecurityContext.enabled Enable Image Reflector Controller pods' Security Context
  ## @param imageReflectorController.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param imageReflectorController.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param imageReflectorController.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param imageReflectorController.podSecurityContext.fsGroup Set Image Reflector Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param imageReflectorController.containerSecurityContext.enabled Enable Image Reflector Controller containers' Security Context
  ## @param imageReflectorController.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param imageReflectorController.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param imageReflectorController.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param imageReflectorController.containerSecurityContext.runAsNonRoot Set Image Reflector Controller containers' Security Context runAsNonRoot
  ## @param imageReflectorController.containerSecurityContext.privileged Set Image Reflector Controller containers' Security Context privileged
  ## @param imageReflectorController.containerSecurityContext.readOnlyRootFilesystem Set Image Reflector Controller containers' Security Context readOnlyRootFilesystem
  ## @param imageReflectorController.containerSecurityContext.allowPrivilegeEscalation Set Image Reflector Controller container's privilege escalation
  ## @param imageReflectorController.containerSecurityContext.capabilities.drop List of capabilities to be dropped from the Image Reflector Controller container
  ## @param imageReflectorController.containerSecurityContext.seccompProfile.type Set Image Reflector Controller container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param imageReflectorController.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param imageReflectorController.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param imageReflectorController.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param imageReflectorController.hostAliases Image Reflector Controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param imageReflectorController.podLabels Extra labels for Image Reflector Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param imageReflectorController.podAnnotations Annotations for Image Reflector Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param imageReflectorController.podAffinityPreset Pod affinity preset. Ignored if `imageReflectorController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param imageReflectorController.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `imageReflectorController.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param imageReflectorController.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param imageReflectorController.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param imageReflectorController.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ## @param imageReflectorController.autoscaling.enabled Enable autoscaling for imageReflectorController
  ## @param imageReflectorController.autoscaling.minReplicas Minimum number of imageReflectorController replicas
  ## @param imageReflectorController.autoscaling.maxReplicas Maximum number of imageReflectorController replicas
  ## @param imageReflectorController.autoscaling.targetCPU Target CPU utilization percentage
  ## @param imageReflectorController.autoscaling.targetMemory Target Memory utilization percentage
  ##
  autoscaling:
    enabled: false
    minReplicas: ""
    maxReplicas: ""
    targetCPU: ""
    targetMemory: ""
  ## Node imageReflectorController.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param imageReflectorController.nodeAffinityPreset.type Node affinity preset type. Ignored if `imageReflectorController.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param imageReflectorController.nodeAffinityPreset.key Node label key to match. Ignored if `imageReflectorController.affinity` is set
    ##
    key: ""
    ## @param imageReflectorController.nodeAffinityPreset.values Node label values to match. Ignored if `imageReflectorController.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param imageReflectorController.affinity Affinity for Image Reflector Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `imageReflectorController.podAffinityPreset`, `imageReflectorController.podAntiAffinityPreset`, and `imageReflectorController.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param imageReflectorController.nodeSelector Node labels for Image Reflector Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param imageReflectorController.tolerations Tolerations for Image Reflector Controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param imageReflectorController.updateStrategy.type Image Reflector Controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param imageReflectorController.priorityClassName Image Reflector Controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param imageReflectorController.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param imageReflectorController.schedulerName Name of the k8s scheduler (other than default) for Image Reflector Controller pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param imageReflectorController.terminationGracePeriodSeconds Seconds Image Reflector Controller pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param imageReflectorController.lifecycleHooks Lifecycle hooks for the Image Reflector Controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param imageReflectorController.extraEnvVars Array with extra environment variables to add to Image Reflector Controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param imageReflectorController.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Image Reflector Controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param imageReflectorController.extraEnvVarsSecret Name of existing Secret containing extra env vars for Image Reflector Controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param imageReflectorController.extraVolumes Optionally specify extra list of additional volumes for the Image Reflector Controller pod(s)
  ##
  extraVolumes: []
  ## @param imageReflectorController.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Image Reflector Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param imageReflectorController.sidecars Add additional sidecar containers to the Image Reflector Controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param imageReflectorController.initContainers Add additional init containers to the Image Reflector Controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Image Reflector Controller Persistence Parameters
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param imageReflectorController.persistence.enabled Enable persistence using Persistent Volume Claims
    ## (NOTE: Disabled by default in upstream flux configuration)
    ##
    enabled: false
    ## @param imageReflectorController.persistence.resourcePolicy Set it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted
    ##
    resourcePolicy: ""
    ## @param imageReflectorController.persistence.mountPath Persistent Volume mount root path
    ##
    mountPath: /iamguarded/fluxcd-image-reflector-controller/data
    ## @param imageReflectorController.persistence.storageClass Persistent Volume storage class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
    ##
    storageClass: ""
    ## @param imageReflectorController.persistence.accessModes [array] Persistent Volume access modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param imageReflectorController.persistence.size Persistent Volume size
    ##
    size: 10Gi
    ## @param imageReflectorController.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
    ## @param imageReflectorController.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param imageReflectorController.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param imageReflectorController.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
  ## @section Image Reflector Controller RBAC Parameters
  ##

  ## RBAC configuration
  ##
  rbac:
    ## @param imageReflectorController.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param imageReflectorController.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param imageReflectorController.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param imageReflectorController.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param imageReflectorController.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param imageReflectorController.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section Image Reflector Controller Metrics Parameters
  ##

  ## Prometheus metrics
  ##
  metrics:
    ## @param imageReflectorController.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: true
    ## Image Reflector Controller service parameters
    ##
    service:
      ## @param imageReflectorController.metrics.service.type Image Reflector Controller service type
      ##
      type: ClusterIP
      ## @param imageReflectorController.metrics.service.ports.metrics Image Reflector Controller service metrics port
      ##
      ports:
        metrics: 80
      ## Node ports to expose
      ## @param imageReflectorController.metrics.service.nodePorts.metrics Node port for HTTP
      ## NOTE: choose port between <30000-32767>
      ##
      nodePorts:
        metrics: ""
      ## @param imageReflectorController.metrics.service.clusterIP Image Reflector Controller service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @param imageReflectorController.metrics.service.loadBalancerIP Image Reflector Controller service Load Balancer IP
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerIP: ""
      ## @param imageReflectorController.metrics.service.loadBalancerSourceRanges Image Reflector Controller service Load Balancer sources
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param imageReflectorController.metrics.service.externalTrafficPolicy Image Reflector Controller service external traffic policy
      ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param imageReflectorController.metrics.service.annotations [object] Additional custom annotations for Image Reflector Controller service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.imageReflectorController.metrics.service.ports.metrics }}"
      ## @param imageReflectorController.metrics.service.extraPorts Extra ports to expose in Image Reflector Controller service (normally used with the `sidecars` value)
      ##
      extraPorts: []
      ## @param imageReflectorController.metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param imageReflectorController.metrics.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param imageReflectorController.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param imageReflectorController.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param imageReflectorController.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param imageReflectorController.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param imageReflectorController.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param imageReflectorController.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param imageReflectorController.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param imageReflectorController.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param imageReflectorController.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param imageReflectorController.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param imageReflectorController.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## 'volumePermissions' init container parameters
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
## based on the podSecurityContext/containerSecurityContext parameters
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
  ##
  enabled: false
  ## OS Shell + Utility image
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository
  ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended)
  ## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy
  ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.enabled Enable init container's Security Context
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 0
