sealed-secrets (Helm chart)
Default values (values.yaml)

```yaml
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please note that this will override the image parameters, including dependencies, configured to use the global value
## Currently available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels [object] Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations [object] Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy [array] Array of extra objects to deploy with the release
##
extraDeploy: []
## @section Sealed Secrets Parameters
##

## Iamguarded Sealed Secrets image
## ref: https://hub.docker.com/r/iamguarded/redis/tags/
## @param image.registry [default: REGISTRY_NAME] Sealed Secrets image registry
## @param image.repository [default: REPOSITORY_NAME/sealed-secrets] Sealed Secrets image repository
## @skip image.tag Sealed Secrets image tag (immutable tags are recommended)
## @param image.digest Sealed Secrets image digest in the form sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Sealed Secrets image pull policy
## @param image.pullSecrets [array] Sealed Secrets image pull secrets
## @param image.debug Enable Sealed Secrets image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/sealed-secrets-controller-iamguarded
  tag: 0.36.1
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @param command [array] Override default container command (useful when using custom images)
##
command: []
## @param commandArgs [array] Additional args (doesn't override the default ones)
##
commandArgs: []
## @param args [array] Override default container args (useful when using custom images)
##
args: []
## @param revisionHistoryLimit Number of old revisions to retain to allow rollback (if not set, the Kubernetes default of 10 applies)
##
revisionHistoryLimit: ""
## @param createController Specifies whether the Sealed Secrets controller should be created
##
createController: true
## @param secretName The name of an existing TLS secret containing the key used to encrypt secrets
##
secretName: ""
## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource
##
updateStatus: true
## @param skipRecreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets
## Setting it to true allows optionally restoring backward compatibility in low-privilege
## environments where old versions of the controller did not require watch permissions on secrets
## for secret re-creation.
##
skipRecreate: false
## @param keyRenewPeriod Specifies the key renewal period. Default 30 days. e.g. keyRenewPeriod: "720h30m"
##
keyRenewPeriod: ""
## @param rateLimit Number of allowed sustained requests per second for the verify endpoint
##
rateLimit: ""
## @param rateLimitBurst Number of requests allowed to exceed the rate limit per second for the verify endpoint
##
rateLimitBurst: ""
## @param additionalNamespaces List of namespaces used to manage the Sealed Secrets
##
additionalNamespaces: []
## @param privateKeyAnnotations Map of annotations to be set on the sealing keypairs
##
privateKeyAnnotations: {}
## @param privateKeyLabels Map of labels to be set on the sealing keypairs
##
privateKeyLabels: {}
## @param logInfoStdout Specifies whether the Sealed Secrets controller will log info to stdout
##
logInfoStdout: false
## @param containerPorts.http Controller HTTP container port to open
## @param containerPorts.metrics Controller metrics container port
##
containerPorts:
  http: 8080
  metrics: 8081
## Sealed Secret resource requests and limits
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
##
resourcesPreset: "nano"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure extra options for Sealed Secret containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on Sealed Secret containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe on Sealed Secret containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param startupProbe.enabled Enable startupProbe on Sealed Secret containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 15
  successThreshold: 1
## @param customLivenessProbe [object] Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param customReadinessProbe [object] Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param customStartupProbe [object] Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable Sealed Secret pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enable Sealed Secret containers' Security Context
## @param containerSecurityContext.allowPrivilegeEscalation Whether the Sealed Secret container can escalate privileges
## @param containerSecurityContext.capabilities.drop Which privileges to drop in the Sealed Secret container
## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem
## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set Sealed Secret containers' Security Context runAsGroup
## @param containerSecurityContext.seccompProfile.type Set Sealed Secret container's Security Context seccompProfile type
##
containerSecurityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: RuntimeDefault
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases [array] Sealed Secret pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param podLabels [object] Extra labels for Sealed Secret pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations [object] Annotations for Sealed Secret pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
  ##
  key: ""
  ## @param nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity [object] Affinity for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## @param nodeSelector [object] Node labels for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations [array] Tolerations for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param updateStrategy.type Sealed Secret statefulset strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param priorityClassName Sealed Secret pods' priorityClassName
##
priorityClassName: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param schedulerName Name of the k8s scheduler (other than default) for Sealed Secret pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds the pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param lifecycleHooks [object] Lifecycle hooks for the Sealed Secret container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraEnvVars Array with extra environment variables to add to Sealed Secret nodes
## e.g:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Sealed Secret nodes
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Sealed Secret nodes
##
extraEnvVarsSecret: ""
## @param extraVolumes [array] Optionally specify extra list of additional volumes for the Sealed Secret pod(s)
##
extraVolumes: []
## @param extraVolumeMounts [array] Optionally specify extra list of additional volumeMounts for the Sealed Secret container(s)
##
extraVolumeMounts: []
## @param sidecars [object] Add additional sidecar containers to the Sealed Secret pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers [object] Add additional init containers to the Sealed Secret pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     command: ['sh', '-c', 'echo "hello world"']
##
initContainers: []
## @section Traffic Exposure Parameters
##

## Sealed Secret service parameters
##
service:
  ## @param service.type Sealed Secret service type
  ##
  type: ClusterIP
  ports:
    ## @param service.ports.http Sealed Secret service HTTP port number
    ##
    http: 8080
    ## @param service.ports.name Sealed Secret service HTTP port name
    ##
    name: http
  ## @param service.nodePorts.http Node port for HTTP
  ## Specify the nodePort value for the LoadBalancer and NodePort service types
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    http: ""
  ## @param service.clusterIP Sealed Secret service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP Sealed Secret service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerClass Sealed Secret service Load Balancer Class
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
  ##
  loadBalancerClass: ""
  ## @param service.loadBalancerSourceRanges [array] Sealed Secret service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Sealed Secret service external traffic policy
  ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations [object] Additional custom annotations for Sealed Secret service
  ##
  annotations: {}
  ## @param service.extraPorts Extra ports to expose in Sealed Secret service (normally used with the `sidecars` value)
  ##
  extraPorts: []
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
## Sealed Secret ingress parameters
## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for Sealed Secret
  ##
  enabled: false
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.hostname Default host for the ingress record
  ##
  hostname: sealed-secrets.local
  ## @param ingress.path Default path for the ingress record
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
  ##
  path: /
  ## @param ingress.annotations [object] Additional custom annotations for the ingress record
  ## NOTE: If `ingress.certManager=true`, annotation `kubernetes.io/tls-acme: "true"` will automatically be added
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at the `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting `ingress.certManager=true`
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts [array] An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: sealed-secrets.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths [array] An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls [array] TLS configuration for additional hostname(s) to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - sealed-secrets.local
  ##     secretName: sealed-secrets.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets [array] Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: sealed-secrets.local-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ##   - host: sealed-secrets.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: sealed-secrets
  ##           port:
  ##             name: http
  ##
  extraRules: []
## @section Other Parameters
##

## RBAC configuration
##
rbac:
  ## @param rbac.create Specifies whether RBAC resources should be created
  ##
  create: true
  ## @param rbac.pspEnabled Specifies whether a PodSecurityPolicy should be created
  ##
  pspEnabled: false
  ## @param rbac.clusterRole Specifies whether the Cluster Role resource should be created. If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.
  ##
  clusterRole: true
  ## @param rbac.clusterRoleName Specifies the name for the Cluster Role resource
  ##
  clusterRoleName: ""
  ## @param rbac.namespacedRoles Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces). If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.
  ##
  namespacedRoles: false
  ## @param rbac.namespacedRolesName Specifies the name for the namespaced Role resource
  ##
  namespacedRolesName: ""
  ## @param rbac.unsealer.rules Custom RBAC rules to set for unsealer ClusterRole
  ## @param rbac.keyAdmin.rules Custom RBAC rules to set for key-admin role
  ## @param rbac.serviceProxier.rules Custom RBAC rules to set for service-proxier role
  ## e.g:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  unsealer:
    rules: []
  keyAdmin:
    rules: []
  serviceProxier:
    rules: []
  ## @param rbac.labels Extra labels to be added to RBAC resources
  ##
  labels: {}
## ServiceAccount configuration
##
serviceAccount:
  ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
  ##
  create: true
  ## @param serviceAccount.name The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the common.names.fullname template
  ##
  name: ""
  ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
  ##
  annotations: {}
  ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ##
  automountServiceAccountToken: false
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the port the controller is
  ## listening on. When true, the controller accepts connections from any source (with the correct destination port).
  ##
  allowExternal: true
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
## @param pdb.create Enable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: ""
## @section Metrics parameters
##
metrics:
  ## @param metrics.enabled Toggle the Sealed Secrets metrics service definition
  enabled: false
  service:
    ## @param metrics.service.type Sealed Secrets metrics service type
    ##
    type: ClusterIP
    ## @param metrics.service.ports.metrics Sealed Secrets metrics service port
    ##
    ports:
      metrics: 8081
    ## @param metrics.service.externalTrafficPolicy Sealed Secrets metrics service external traffic policy
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param metrics.service.loadBalancerIP Sealed Secrets metrics service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param metrics.service.loadBalancerSourceRanges Sealed Secrets metrics service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param metrics.service.annotations Additional custom annotations for Sealed Secrets metrics service
    ##
    annotations: {}
  ## Prometheus Service Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Specify if a ServiceMonitor will be deployed for Prometheus Operator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    port:
      ## @param metrics.serviceMonitor.port.name Port name for the serviceMonitor
      name: "metrics"
      ## @param metrics.serviceMonitor.port.number Port number for the serviceMonitor
      number: 8081
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.annotations Additional ServiceMonitor annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## interval: 10s
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## scrapeTimeout: 10s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.relabelings Specify general relabeling
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## ref: https://github.com/iamguarded/charts/tree/main/iamguarded/prometheus-operator#prometheus-configuration
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
```
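At install time a user values file is deep-merged over the defaults above, so a review has to look at the effective, merged values rather than the override file alone. The script below is an added example, not part of the chart or of Chainguard's tooling: it reproduces Helm's merge rule (nested maps merge, lists replace) and reports when the security-relevant keys documented in this file end up weaker than the defaults. `CHART_DEFAULTS` quotes only the keys the audit reads; the override dicts are constructed samples, and loading a real file would use `yaml.safe_load()` from PyYAML, which this example deliberately avoids.

```python
"""Audit the effective sealed-secrets chart values for weakened security settings.
Added example; works on plain dicts so it runs without PyYAML."""
from copy import deepcopy

# Subset of the chart defaults quoted from the values.yaml above.
CHART_DEFAULTS = {
    "global": {"security": {"allowInsecureImages": False}},
    "image": {"digest": "", "debug": False},
    "podSecurityContext": {"enabled": True},
    "containerSecurityContext": {
        "enabled": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": True,
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "service": {"type": "ClusterIP"},
    "ingress": {"enabled": False, "tls": False},
    "networkPolicy": {"enabled": False, "allowExternal": True},
    "rbac": {"create": True, "pspEnabled": False},
}


def merge_values(defaults, overrides):
    """Deep-merge user values over chart defaults the way Helm does: nested
    mappings merge key by key, anything else (lists included) replaces the
    default wholesale. So `capabilities.drop: [NET_RAW]` silently drops ALL."""
    result = deepcopy(defaults)
    for key, value in overrides.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_values(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def get_path(values, dotted, default=None):
    """Look up a dotted key path such as 'containerSecurityContext.runAsNonRoot'."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit_values(overrides, defaults=CHART_DEFAULTS):
    """Return a list of findings for the merged values (empty when nothing is weakened)."""
    v = merge_values(defaults, overrides)
    findings = []
    if get_path(v, "global.security.allowInsecureImages") is True:
        findings.append("global.security.allowInsecureImages=true skips image verification")
    if not get_path(v, "image.digest"):
        findings.append("image.digest is empty: image selected by mutable tag, not pinned by digest")
    if get_path(v, "image.debug") is True:
        findings.append("image.debug=true enables debug mode in the controller image")
    if get_path(v, "podSecurityContext.enabled") is not True:
        findings.append("podSecurityContext.enabled=false drops the pod security context")
    csc = "containerSecurityContext"
    if get_path(v, f"{csc}.enabled") is not True:
        findings.append(f"{csc}.enabled=false drops the whole container security context")
    else:
        if get_path(v, f"{csc}.allowPrivilegeEscalation") is not False:
            findings.append(f"{csc}.allowPrivilegeEscalation is not false")
        if "ALL" not in (get_path(v, f"{csc}.capabilities.drop") or []):
            findings.append(f"{csc}.capabilities.drop no longer contains ALL")
        if get_path(v, f"{csc}.readOnlyRootFilesystem") is not True:
            findings.append(f"{csc}.readOnlyRootFilesystem is not true")
        if get_path(v, f"{csc}.runAsNonRoot") is not True:
            findings.append(f"{csc}.runAsNonRoot is not true")
        if get_path(v, f"{csc}.seccompProfile.type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{csc}.seccompProfile.type is not RuntimeDefault or Localhost")
    if get_path(v, "service.type") != "ClusterIP":
        findings.append(f"service.type={get_path(v, 'service.type')} exposes the controller beyond the cluster network")
    if get_path(v, "ingress.enabled") is True and get_path(v, "ingress.tls") is not True:
        findings.append("ingress.enabled=true with ingress.tls=false serves the controller in plaintext")
    if get_path(v, "networkPolicy.enabled") is not True:
        findings.append("networkPolicy.enabled=false: no NetworkPolicy restricts access to the controller port")
    elif get_path(v, "networkPolicy.allowExternal") is True:
        findings.append("networkPolicy.allowExternal=true: any pod may reach the controller port")
    if get_path(v, "rbac.pspEnabled") is True:
        findings.append("rbac.pspEnabled=true: PodSecurityPolicy was removed in Kubernetes 1.25")
    return findings


if __name__ == "__main__":
    # Constructed sample override: a common mistake that looks harmless in isolation.
    sample = {"containerSecurityContext": {"capabilities": {"drop": ["NET_RAW"]}}}
    for finding in audit_values(sample):
        print("WARN:", finding)
```

With the chart defaults alone the audit reports only the unpinned image digest and the absent NetworkPolicy, which is what a reviewer would expect from this file.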
715