-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathvalues.yaml
190 lines (161 loc) · 6.25 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
# Default values for conjur-oss.
# NOTE: It is recommended that any chart values that contain sensitive
# information (e.g. database.password, database.url, and SSL certificates
# and keys) be set on the command line with a `--set key=value` argument
# rather than setting these in a custom values YAML file. This avoids the
# risk of leaving around residual values files containing this sensitive
# information.
account:
# Name of Conjur account to be created. Maps to CONJUR_ACCOUNT env variable
# for the Conjur container.
name: "default"
# Set to 'true' to allow the Conjur server to automatically create an account
# with the configured account.name.
create: false
# Affinity rules to apply to the Conjur pod to indicate to Kubernetes scheduler
# which nodes would be most appropriate for Conjur pod placement. See:
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node
affinity: {}
# Conjur whitelisted authenticators, presented as a comma-separated list.
# Maps to CONJUR_AUTHENTICATORS env variable for the Conjur container.
authenticators: "authn"
# Additional labels to apply to all conjur resources
conjurLabels: {}
# Conjur log level. Set to 'debug' to enable detailed debug logs
# in the Conjur container.
logLevel: "info"
database:
# PostgreSQL connection password. If left blank, a pseudo-random,
# 64-character alphanumeric password will be auto-generated.
# Note that this value will be ignored for Helm upgrade operations.
password: ""
ssl:
# Backend database SSL certificate and private key. These should be
# base64-encoded strings. If these values are not set, a self-signed
# certificate will be auto-generated.
# cert:
# key:
# Expiration for an auto-generated cert.
expiration: 365 # days
# PostgreSQL connection string. If left blank, a PostgreSQL deployment
# is created. This value will be ignored for Helm upgrade operations
# (i.e. value used for install is reused).
url: ""
# Conjur data key, 32 byte base-64 encoded string for data encryption.
# Generate one with `docker run --rm cyberark/conjur data-key generate`.
# This is a required setting.
# dataKey:
# Annotations to apply to the Conjur deployment.
deployment:
annotations: {}
image:
# NOTE: For OpenShift deployments, the default values to use for the
# Conjur image are as follows:
#
# repository: registry.connect.redhat.com/cyberark/conjur
# tag: latest
repository: cyberark/conjur # https://hub.docker.com/r/cyberark/conjur/
tag: '1.11.5'
pullPolicy: Always
nginx:
image:
# NOTE: For OpenShift deployments, the default values to use for the
# NGINX image are as follows:
#
# repository: registry.connect.redhat.com/cyberark/conjur-nginx
# tag: latest
repository: nginx # https://hub.docker.com/_/nginx/
tag: '1.15'
pullPolicy: Always
# nodeSelector (node selection constraints) to apply to the Conjur pod. Refer to:
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}
postgres:
image:
# NOTE: For OpenShift deployments, the default values to use for the
# postgres image are as follows:
#
# repository: registry.redhat.io/rhscl/postgresql-10-rhel7
# tag: latest
repository: postgres # https://hub.docker.com/_/postgres/
tag: '10.16'
pullPolicy: Always
persistentVolume:
create: true
size: 8Gi
# Set storageClass to use a non-default storage class for your platform
# storageClass:
# Additional labels to apply to all postgres-related resources
postgresLabels: {}
# Indicates whether the Conjur ClusterRole and ClusterRoleBinding should be
# created. This should be set to true, unless there is already a Conjur
# deployment in a separate namespace that has already created these
# cluster-wide resources.
#
# NOTE: This setting is deprecated and will be replaced in the next major
# release with two separate settings:
# - rbac.createClusterRole (defaulting to true)
# - rbac.createClusterRoleBinding (defaulting to false)
# and the recommendation will be for chart users to create RoleBindings
# for each individual namespace that supports applications that require
# Conjur Kubernetes authentication.
rbac:
create: true
# Number of Conjur pods to run
replicaCount: 1
# Conjur container resource limits and requests. It is recommended that
# these Conjur-specific limits/requests remain unset, and instead let the
# Conjur container resources be constrained by namespace-wide limit ranges
# and resource quotas. The namespace-wide resource limitations are
# typically set by a cluster administrator to values that make sense for
# the host Kubernetes platform.
#
# If you do want to specify resources, uncomment the following lines, adjust
# them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources: {}
service:
external:
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
enabled: true
port: 443
internal:
annotations: {}
port: 443
type: NodePort
ssl:
# Conjur CA certificate and key, and signed certificate and key. These
# should be base64-encoded. If left blank, CA certificate and signed
# certificate will be auto-generated.
# caCert:
# caKey:
# cert:
# key:
expiration: 365 # days
hostname: "conjur.myorg.com"
altNames: []
test:
deleteOnSuccess: true # If true, test pods are deleted upon successful
# test completion. Otherwise, test pods are not
# automatically deleted upon test completion,
# regardless of test success or failure.
serviceAccount:
# Indicates whether Conjur service account should be created or not.
# Typically set to `true`, unless the service account has already been
# created outside of this Helm chart workflow.
create: true
# Suffix to apply to the Conjur service account name.
# name:
# Tolerations to apply to the Conjur pod to indicate to the Kubernetes
# scheduler which nodes should be avoided for Conjur pod placement. See:
# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration
tolerations: []
# Set enabled true for OCP support
openshift:
enabled: false