-
Notifications
You must be signed in to change notification settings - Fork 1
/
values.yaml
314 lines (275 loc) · 12.6 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
# Default values for scalardl-audit.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- String to partially override scalardl-audit.fullname template (will maintain the release name)
nameOverride: ""
# -- String to fully override scalardl-audit.fullname template
fullnameOverride: ""
envoy:
# -- enable envoy
enabled: true
# -- String to partially override envoy.fullname template
nameOverride: scalardl-audit
envoyConfiguration:
# -- list of service name and port
serviceListeners: scalardl-audit-service:40051,scalardl-audit-privileged:40052
image:
# -- Docker tag
version: 2.0.0-SNAPSHOT
service:
# -- service types in kubernetes
type: ClusterIP
# -- Service annotations, e.g: prometheus, etc.
annotations: {}
ports:
envoy:
# -- envoy public port
port: 40051
# -- envoy k8s internal name
targetPort: 40051
# -- envoy protocol
protocol: TCP
envoy-priv:
# -- envoy public port
port: 40052
# -- envoy k8s internal name
targetPort: 40052
# -- envoy protocol
protocol: TCP
auditor:
# -- number of replicas to deploy
replicaCount: 3
scalarAuditorConfiguration:
# -- The contact points of the database such as hostnames or URLs
dbContactPoints: cassandra
# -- The port number of the contact points
dbContactPort: 9042
# -- The username of the database
dbUsername: cassandra
# -- The password of the database
dbPassword: cassandra
# -- The storage of the database: cassandra or cosmos
dbStorage: cassandra
# -- The port number of Auditor Server
auditorServerPort: 40051
# -- The port number of Auditor Privileged Server
auditorServerPrivilegedPort: 40052
# -- The port number of Auditor Admin Server
auditorServerAdminPort: 40053
# -- The log level of Scalar auditor
auditorLogLevel: INFO
# -- The host name of Ledger. The service endpoint of Ledger-side envoy should be specified
auditorLedgerHost: ""
# -- The holder ID of an Auditor certificate
auditorCertHolderId: auditor
# -- The version of an Auditor certificate
auditorCertVersion: 1
# -- The name of an Auditor secret
secretName: auditor-keys
# -- The secret key of an Auditor certificate
auditorCertSecretKey: certificate
# -- The secret key of an Auditor private key
auditorPrivateKeySecretKey: private-key
# -- The auditor.properties is created based on the values of auditor.scalarAuditorConfiguration by default. If you want to customize auditor.properties, you can override this value with your auditor.properties.
# @default -- The default minimum necessary values of auditor.properties are set. You can overwrite it with your own auditor.properties.
auditorProperties: |
# Comma separated contact points
# The value of auditor.scalarAuditorConfiguration.dbContactPoints is set by default.
scalar.db.contact_points={{ default .Env.HELM_SCALAR_DB_CONTACT_POINTS "" }}
# Port number for all the contact points. Default port number for each database is used if empty.
# The value of auditor.scalarAuditorConfiguration.dbContactPort is set by default.
scalar.db.contact_port={{ default .Env.HELM_SCALAR_DB_CONTACT_PORT "" }}
# Credential information to access the database
# The value of auditor.scalarAuditorConfiguration.dbUsername is set by default.
scalar.db.username={{ default .Env.HELM_SCALAR_DB_USERNAME "" }}
# The value of auditor.scalarAuditorConfiguration.dbPassword is set by default.
scalar.db.password={{ default .Env.HELM_SCALAR_DB_PASSWORD "" }}
# Storage implementation. Either cassandra or cosmos can be set.
# The value of auditor.scalarAuditorConfiguration.dbStorage is set by default.
scalar.db.storage={{ default .Env.HELM_SCALAR_DB_STORAGE "" }}
# Server port.
# The value of auditor.scalarAuditorConfiguration.auditorServerPort is set by default.
scalar.dl.auditor.server.port={{ default .Env.HELM_SCALAR_DL_AUDITOR_SERVER_PORT "" }}
# Server privileged port.
# The value of auditor.scalarAuditorConfiguration.auditorServerPrivilegedPort is set by default.
scalar.dl.auditor.server.privileged_port={{ default .Env.HELM_SCALAR_DL_AUDITOR_SERVER_PRIVILEGED_PORT "" }}
# Server admin port.
# The value of auditor.scalarAuditorConfiguration.auditorServerAdminPort is set by default.
scalar.dl.auditor.server.admin_port={{ default .Env.HELM_SCALAR_DL_AUDITOR_SERVER_ADMIN_PORT "" }}
# Optional. A hostname or an IP address of the ledger server.
# It assumes that there is a single endpoint that is given by DNS or a load balancer.
# The value of auditor.scalarAuditorConfiguration.auditorLedgerHost is set by default.
scalar.dl.auditor.ledger.host={{ default .Env.HELM_SCALAR_DL_AUDITOR_LEDGER_HOST "" }}
# Required. The holder ID of a certificate.
# It must be configured for each private key and unique in the system.
# The value of auditor.scalarAuditorConfiguration.auditorCertHolderId is set by default.
scalar.dl.auditor.cert_holder_id={{ default .Env.HELM_SCALAR_DL_AUDITOR_CERT_HOLDER_ID "" }}
# Optional. The version of the certificate.
# Use another bigger integer if you need to change your private key.
# The value of auditor.scalarAuditorConfiguration.auditorCertVersion is set by default.
scalar.dl.auditor.cert_version={{ default .Env.HELM_SCALAR_DL_AUDITOR_CERT_VERSION "" }}
# Required. The path of the certificate file in PEM format.
# The value "/keys/auditor.scalarAuditorConfiguration.auditorCertSecretKey" is set by default.
scalar.dl.auditor.cert_path={{ default .Env.HELM_SCALAR_DL_AUDITOR_CERT_PATH "" }}
# Required. The path of a corresponding private key file in PEM format to the certificate.
# The value "/keys/auditor.scalarAuditorConfiguration.auditorPrivateKeySecretKey" is set by default.
scalar.dl.auditor.private_key_path={{ default .Env.HELM_SCALAR_DL_AUDITOR_PRIVATE_KEY_PATH "" }}
# -- Secret name that includes sensitive data such as credentials. Each secret key is passed to Pod as environment variables using envFrom.
secretName: ""
image:
# -- Docker image
repository: ghcr.io/scalar-labs/scalar-auditor
# -- Docker tag
version: 4.0.0-SNAPSHOT
# -- Specify a imagePullPolicy
pullPolicy: IfNotPresent
# -- Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
imagePullSecrets: [name: reg-docker-secrets]
strategy:
rollingUpdate:
# -- The number of pods that can be created above the desired amount of pods during an update
maxSurge: 25%
# -- The number of pods that can be unavailable during the update process
maxUnavailable: 25%
# -- New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate
type: RollingUpdate
# -- PodSecurityContext holds pod-level security attributes and common container settings
podSecurityContext:
seccompProfile:
type: RuntimeDefault
# -- Setting security context at the pod applies those settings to all containers in the pod
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
allowPrivilegeEscalation: false
# -- Defines additional volumes.
extraVolumes: []
# If you set your properties to auditor.auditorProperties,
# you need to create volume that includes key and cert file.
# - name: auditor-keys
# secret:
# secretName: auditor-keys
# -- Defines additional volume mounts.
extraVolumeMounts: []
# If you set your properties to auditor.auditorProperties,
# you need to mount key and cert file to the path set in the "scalar.dl.auditor.private_key_path"
# and "scalar.dl.auditor.cert_path".
# - name: auditor-keys
# mountPath: /keys
# readOnly: true
service:
# -- service types in kubernetes
type: ClusterIP
# -- Service annotations
annotations: {}
ports:
scalardl-auditor:
# -- scalardl target port
port: 40051
# -- scalardl k8s internal name
targetPort: 40051
# -- scalardl protocol
protocol: TCP
scalardl-auditor-priv:
# -- scalardl-priv target port
port: 40052
# -- scalardl-priv k8s internal name
targetPort: 40052
# -- scalardl-priv protocol
protocol: TCP
scalardl-auditor-admin:
# -- scalardl-admin target port
port: 40053
# -- scalardl-admin k8s internal name
targetPort: 40053
# -- scalardl-admin protocol
protocol: TCP
prometheusRule:
# -- enable rules for prometheus
enabled: false
# -- which namespace prometheus is located. by default monitoring
namespace: monitoring
grafanaDashboard:
# -- enable grafana dashboard
enabled: false
# -- which namespace grafana dashboard is located. by default monitoring
namespace: monitoring
serviceMonitor:
# -- enable metrics collect with prometheus
enabled: false
# -- custom interval to retrieve the metrics
interval: "15s"
# -- which namespace prometheus is located. by default monitoring
namespace: monitoring
# -- resources allowed to the pod
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- nodeSelector is form of node selection constraint
nodeSelector: {}
# -- Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.
tolerations: []
# -- the affinity/anti-affinity feature, greatly expands the types of constraints you can express
affinity: {}
# -- Name of existing secret to use for storing database username and password
existingSecret: ""
serviceAccount:
# -- Name of the existing service account resource
serviceAccountName: ""
# -- Specify to mount a service account token or not
automountServiceAccountToken: false
tls:
# -- Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Auditor.
enabled: false
# -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for startupProbe and livenessProbe.
overrideAuthority: ""
# -- Name of the Secret containing the custom CA root certificate for TLS communication.
caRootCertSecret: ""
# -- Name of the Secret containing the certificate chain file used for TLS communication.
certChainSecret: ""
# -- Name of the Secret containing the private key file used for TLS communication.
privateKeySecret: ""
# -- Name of the Secret containing the custom CA root certificate for TLS communication between Auditor and Ledger.
caRootCertForLedgerSecret: ""
# -- Name of the Secret containing the CA root certificate for TLS communication on the metrics endpoint. Prometheus Operator retrieves the CA root certificate file from this secret resource. You must create this secret resource in the same namespace as Prometheus.
caRootCertSecretForServiceMonitor: ""
certManager:
# -- Use cert-manager to manage private key and certificate files.
enabled: false
selfSigned:
# -- Use self-signed CA.
enabled: false
caRootCert:
# -- Duration of a self-signed CA certificate.
duration: "8760h0m0s"
# -- How long before expiry a self-signed CA certificate should be renewed.
renewBefore: "360h0m0s"
# -- Duration of a certificate.
duration: "8760h0m0s"
# -- How long before expiry a certificate should be renewed.
renewBefore: "360h0m0s"
# -- Configuration of a private key.
privateKey:
algorithm: ECDSA
encoding: PKCS1
size: 256
# -- List of key usages.
usages:
- server auth
- key encipherment
- signing
# -- Subject Alternative Name (SAN) of a certificate.
dnsNames:
- localhost
# -- Issuer references of cert-manager.
issuerRef: {}