# Default values for hyperfleet-api
# This is a YAML-formatted file.
# -- Number of API server replicas
replicaCount: 1
image:
# -- Container image registry (no default — must be set)
registry: CHANGE_ME
# -- Container image repository (no default — must be set)
repository: CHANGE_ME
# -- Image pull policy. `Always` re-pulls on every pod start, so with a
# mutable tag the running image can change without any chart change; pin
# `image.tag` to an immutable version (ideally a digest) outside development.
pullPolicy: Always
# -- Image tag (no default — must be set via `--set image.tag=<version>`)
tag: ""
# -- Secrets for pulling images from private registries
imagePullSecrets: []
# -- Override the chart name used in resource names
nameOverride: ""
# -- Override the full release name used in resource names
fullnameOverride: ""
# -- Container ports exposed by the API server. These must match the
# corresponding application config values (`config.server.port`,
# `config.health.port`, `config.metrics.port`).
ports:
# -- API server port
api: 8000
# -- Health check endpoint port
health: 8080
# -- Prometheus metrics endpoint port
metrics: 9090
# -- Application configuration. All settings in this section generate the
# ConfigMap consumed by the API server. A ConfigMap is not a Secret — never
# place credentials or private keys here (database credentials come from a
# Secret, see `database.external.secretName`). Set `config.existingConfigMap`
# to use a pre-existing ConfigMap instead.
config:
# -- Use an existing ConfigMap instead of generating one. When set, all
# other `config.*` values are ignored.
existingConfigMap: ""
# -- HTTP server settings
server:
# -- Public hostname advertised by the API (leave empty for auto-detect)
hostname: ""
# -- Listen address
host: "0.0.0.0"
# -- Listen port (must match `ports.api`)
port: 8000
# -- Request timeout settings
timeouts:
# -- HTTP read timeout
read: 5s
# -- HTTP write timeout
write: 30s
# -- TLS configuration for the API server
tls:
# -- Enable TLS on the API listener. Off by default, so the API speaks plain
# HTTP; if TLS is terminated upstream (ingress, mesh), make sure the hop from
# the terminator to this pod runs over a trusted network.
enabled: false
# -- Path to TLS certificate file
cert_file: ""
# -- Path to TLS key file
key_file: ""
# -- JWT authentication settings
jwt:
# -- Enable JWT authentication. Disabled by default, which means requests are
# accepted without any caller verification unless something upstream enforces
# it; enable this before the API is reachable by anything other than trusted
# in-cluster clients.
enabled: false
# -- OIDC issuer URL for token validation
issuer_url: ""
# -- Expected JWT audience claim
audience: ""
# -- JWT claim used as the caller identity. The claim is only as trustworthy
# as the issuer's verification of it; `email` may be user-editable at some
# identity providers, so prefer a stable, issuer-controlled claim (e.g. `sub`)
# where the identity must not be spoofable.
identity_claim: email
# -- HTTP header used to pass caller identity. When set, the value of this
# header is trusted as the caller identity and JWT verification is bypassed,
# so any client that can reach the pod can impersonate any user simply by
# setting it. Only use this behind an authenticating proxy that strips or
# overwrites the header on every request, and restrict direct access to the
# pod (e.g. with a NetworkPolicy). Leave empty to require JWT.
identity_header: ""
# -- JWK settings for token verification
jwk:
# -- Path to a local JWK certificate file
cert_file: ""
# -- URL to fetch JWK certificates from. Use an `https://` URL: over plain
# HTTP an on-path attacker could substitute the verification keys and mint
# tokens the API would accept.
cert_url: ""
# -- Database connection settings. Credentials must be provided via a
# Secret — see `database.external.secretName` or use the built-in
# PostgreSQL (`database.postgresql.enabled`).
database:
# -- SQL dialect
dialect: postgres
# -- Database host (auto-set when using the built-in PostgreSQL)
host: ""
# -- Database port
port: 5432
# -- Database name
name: hyperfleet
# -- Enable SQL debug logging. Expect full statements, likely including bound
# parameters, to appear in the logs — keep this off outside development.
debug: false
# -- SSL / TLS settings for the database connection
ssl:
# -- SSL mode (`disable`, `require`, `verify-ca`, `verify-full`). The default
# `disable` sends credentials and query data in cleartext; `require` encrypts
# but does not check the server's identity. Use `verify-full` together with
# `root_cert_file` for any database that is not co-located with the API
# (i.e. whenever `database.external` is used).
mode: disable
# -- Path to the CA root certificate
root_cert_file: ""
# -- Connection pool tuning
pool:
# -- Maximum number of open connections
max_connections: 50
# -- Maximum number of idle connections
max_idle_connections: 10
# -- Maximum lifetime of a connection
conn_max_lifetime: 5m
# -- Maximum idle time before a connection is closed
conn_max_idle_time: 1m
# -- Timeout for acquiring a connection from the pool
request_timeout: 30s
# -- Number of connection retry attempts on startup
conn_retry_attempts: 10
# -- Interval between connection retry attempts
conn_retry_interval: 3s
# -- Logging configuration
logging:
# -- Log level (`debug`, `info`, `warn`, `error`)
level: info
# -- Log format (`json` or `text`)
format: json
# -- Log output destination
output: stdout
# -- OpenTelemetry tracing integration.
# See the [tracing standard](https://github.com/openshift-hyperfleet/architecture/blob/main/hyperfleet/standards/tracing.md#configuration).
otel:
# -- Enable OpenTelemetry log correlation
enabled: false
# -- Sensitive-data masking for logs
masking:
# -- Enable log masking
enabled: true
# -- HTTP headers whose values are redacted in logs
headers:
- Authorization
- X-API-Key
- Cookie
- X-Auth-Token
- X-Forwarded-Authorization
- X-HyperFleet-Identity
# -- Field names whose values are redacted in logs. This is a denylist:
# anything not listed is logged verbatim, so add project-specific secret
# field names here rather than relying on the defaults alone.
fields:
- password
- secret
- token
- api_key
- access_token
- refresh_token
- client_secret
# -- Prometheus metrics endpoint settings
metrics:
# -- Listen address (must be `0.0.0.0` for in-cluster access)
host: 0.0.0.0
# -- Listen port (must match `ports.metrics`)
port: 9090
# -- TLS configuration for the metrics endpoint
tls:
# -- Enable TLS on the metrics endpoint. There is no authentication setting
# for this endpoint and it listens on the pod IP; when left on plain HTTP,
# limit who can scrape it (e.g. NetworkPolicy) if metric labels could be
# sensitive.
enabled: false
# -- Duration window for label-based metric inclusion
label_metrics_inclusion_duration: 168h
# -- Threshold after which a deletion is considered stuck
deletion_stuck_threshold: 30m
# -- Health check endpoint settings
health:
# -- Listen address (must be `0.0.0.0` for probe access)
host: 0.0.0.0
# -- Listen port (must match `ports.health`)
port: 8080
# -- TLS configuration for the health endpoint
tls:
# -- Enable TLS on the health endpoint
enabled: false
# -- Graceful shutdown timeout
shutdown_timeout: 20s
# -- Timeout for the database liveness ping
db_ping_timeout: 2s
# -- Adapters required for resources to reach "Ready" state. With the empty
# defaults a resource can become Ready without any adapter (including
# `validation`) having reported, so production deployments should list all
# expected adapters.
adapters:
# -- Adapters required for cluster resources
required:
# -- Required cluster adapters (e.g. `["validation", "dns", "pullsecret", "hypershift"]`)
cluster: []
# -- Required nodepool adapters (e.g. `["validation", "hypershift"]`)
nodepool: []
# -- ServiceAccount configuration
serviceAccount:
# -- Create a ServiceAccount for the API server
create: true
# -- Annotations added to the ServiceAccount (e.g. for Workload Identity)
annotations: {}
# -- Override the ServiceAccount name (defaults to the release fullname)
name: ""
# -- Additional annotations applied to all pods
podAnnotations: {}
# -- Additional labels applied to all pods
podLabels: {}
# -- Pod-level security context
podSecurityContext:
# -- Filesystem group for volume mounts
fsGroup: 65532
# -- Run all containers as non-root
runAsNonRoot: true
# -- UID for all containers
runAsUser: 65532
# -- Container-level security context
securityContext:
# -- Disallow privilege escalation
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- Mount root filesystem as read-only
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
# -- Kubernetes Service configuration
service:
# -- Service type (`ClusterIP`, `LoadBalancer`, `NodePort`). `LoadBalancer`
# and `NodePort` expose the listener outside the cluster; with the default
# `config` settings (JWT and TLS disabled) that is an unauthenticated,
# plaintext endpoint — enable JWT and TLS, or front it with an authenticating
# ingress, before changing this.
type: ClusterIP
# -- CPU and memory resource requests and limits
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
# -- Node selector constraints for pod scheduling
nodeSelector: {}
# -- Tolerations for pod scheduling
tolerations: []
# -- Affinity rules for pod scheduling
affinity: {}
# -- Horizontal Pod Autoscaler configuration
autoscaling:
# -- Enable the HPA
enabled: false
# -- Minimum number of replicas
minReplicas: 1
# -- Maximum number of replicas
maxReplicas: 10
# -- Target CPU utilization percentage
targetCPUUtilizationPercentage: 80
# -- Target memory utilization percentage
targetMemoryUtilizationPercentage: 80
# -- PodDisruptionBudget configuration
podDisruptionBudget:
# -- Enable the PDB
enabled: false
# -- Minimum number of available pods during disruption
minAvailable: 1
# maxUnavailable: 1
# -- Database infrastructure settings. For **production**, set
# `database.external.enabled=true` and supply a secret with connection
# details. For **development**, the built-in PostgreSQL pod is enabled
# by default; it uses a well-known password committed to this chart and,
# with `persistence.enabled=false`, loses its data on restart, so it must
# never be reachable from outside the development namespace.
database:
# -- External database configuration (production)
external:
# -- Use an external database instead of the built-in PostgreSQL
enabled: false
# -- Name of an existing Secret with keys: `db.host`, `db.port`,
# `db.name`, `db.user`, `db.password`
secretName: ""
# -- Built-in PostgreSQL for development and testing
postgresql:
# -- Deploy a single-pod PostgreSQL instance
enabled: true
# -- PostgreSQL container image. This is a mutable tag of a fixed point
# release and is not updated automatically: pin by digest and track a
# maintained release.
image: docker.io/library/postgres:14.2
# -- Database name
database: hyperfleet
# -- Database user
user: hyperfleet
# -- Database password (**development only** — this literal is in version
# control and in every rendered release, so anyone with the chart knows it;
# in production use `database.external.secretName` and leave this unused).
password: hyperfleet-dev-password
# -- PostgreSQL listen port
port: 5432
# -- Resource requests and limits for the PostgreSQL pod
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
# -- Persistent volume configuration for PostgreSQL data
persistence:
# -- Enable persistent storage (uses emptyDir when disabled)
enabled: false
# -- Volume size
size: 1Gi
# -- StorageClass name (empty for cluster default)
storageClass: ""
# -- Monitoring and alerting configuration
monitoring:
# -- PodMonitoring for Google Managed Prometheus (GMP) scraping
podMonitoring:
# -- Create a PodMonitoring resource
enabled: false
# -- Scrape interval
interval: 30s
# -- Additional labels for the PodMonitoring resource
additionalLabels: {}
# -- Metric relabel configs to apply to samples before ingestion
metricRelabeling: []
# -- TLS configuration when config.metrics.tls.enabled=true
tlsConfig:
# -- Disable target certificate validation (e.g. for self-signed certs).
# Setting this to `true` lets an on-path attacker impersonate the metrics
# target; prefer adding the CA to the scraper's trust store instead.
insecureSkipVerify: false
# -- PrometheusRule for alerting
prometheusRule:
# -- Create PrometheusRule resources
enabled: false
# -- Additional labels for PrometheusRule discovery
additionalLabels: {}
# -- Namespace to create the PrometheusRule in (defaults to release namespace)
namespace: ""
# -- Alert rule configuration
rules:
# -- Alert when a deletion is stuck
deletionStuck:
# -- Duration before the alert fires
for: "5m"
# -- Runbook URL included in the alert
runbookUrl: ""
# -- Alert when a deletion times out
deletionTimeout:
# -- Duration before the alert fires
for: "30m"
# -- Runbook URL included in the alert
runbookUrl: ""
# -- ServiceMonitor for Prometheus Operator scrape configuration
serviceMonitor:
# -- Create a ServiceMonitor resource
enabled: false
# -- Scrape interval
interval: 30s
# -- Scrape timeout
scrapeTimeout: 10s
# -- Additional labels for ServiceMonitor discovery
labels: {}
# -- Namespace to create the ServiceMonitor in (defaults to release namespace)
namespace: ""
# -- Distributed tracing configuration (OpenTelemetry)
tracing:
# -- Enable trace export
enabled: false
# -- Service name reported in traces
serviceName: "hyperfleet-api"
# -- OTLP exporter endpoint (traces go to stdout when empty)
otlpEndpoint: ""
# -- OTLP protocol (`grpc` or `http/protobuf`)
otlpProtocol: "grpc"
# -- Sampler type
sampler: "parentbased_traceidratio"
# -- Sampling rate (`1.0` for dev, `0.01` for production)
samplerArg: "1.0"
# -- Context propagation formats
propagators: "tracecontext,baggage"
# -- Native sidecar containers (Kubernetes 1.28+). Native sidecars are init
# containers with `restartPolicy: Always` — they start before other init
# containers and keep running throughout the pod lifecycle. Use this for
# database proxies that must be available during `db-migrate`.
# Each entry is a full Kubernetes container spec and does NOT inherit the
# container-level `securityContext` above, so set it explicitly (as in the
# example below) to keep the pod's hardening.
# @default -- `[]`
nativeSidecars: []
# Example: Cloud SQL Auth Proxy as native sidecar
# - name: cloud-sql-proxy
# restartPolicy: Always
# image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.3
# args:
# - "--auto-iam-authn"
# - "--structured-logs"
# - "--port=5432"
# - "PROJECT:REGION:INSTANCE"
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop: [ALL]
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
# resources:
# requests:
# cpu: 100m
# memory: 64Mi
# limits:
# cpu: 200m
# memory: 128Mi
# -- Regular sidecar containers. These start after init containers complete.
# Use `nativeSidecars` above for containers that must be available during
# init (e.g. database proxies). Each entry is a full Kubernetes container
# spec and does NOT inherit the container-level `securityContext` above, so
# set it explicitly (as in the example below) to keep the pod's hardening.
# @default -- `[]`
sidecars: []
# Example: PgBouncer connection pooler. Note the password comes from a Secret
# via `secretKeyRef` — do not inline it as a literal `value`.
# - name: pgbouncer
# image: public.ecr.aws/bitnami/pgbouncer:1.25.1
# securityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop: [ALL]
# readOnlyRootFilesystem: true
# seccompProfile:
# type: RuntimeDefault
# ports:
# - name: pgbouncer
# containerPort: 6432
# protocol: TCP
# env:
# - name: POSTGRESQL_HOST
# value: my-postgresql-host
# - name: POSTGRESQL_PORT
# value: "5432"
# - name: POSTGRESQL_DATABASE
# value: hyperfleet
# - name: POSTGRESQL_USERNAME
# value: hyperfleet
# - name: POSTGRESQL_PASSWORD
# valueFrom:
# secretKeyRef:
# name: my-db-secret
# key: db.password
# - name: PGBOUNCER_PORT
# value: "6432"
# - name: PGBOUNCER_POOL_MODE
# value: transaction
# resources:
# limits:
# cpu: 200m
# memory: 128Mi
# requests:
# cpu: 50m
# memory: 64Mi
# -- Validation schema configuration. Supply a custom OpenAPI schema for
# cluster/nodepool spec validation. When enabled, the schema is mounted into
# the container and every create/update request is validated against it;
# while disabled (the default) specs are accepted without schema validation.
# The API will fail to start if the schema is invalid.
validationSchema:
# -- Enable spec validation
enabled: false
# -- Use an existing ConfigMap (must contain an `openapi.yaml` key).
# When set, `validationSchema.content` is ignored.
existingConfigMap: ""
# -- Inline OpenAPI 3.0 schema content. Must define `ClusterSpec` and
# `NodePoolSpec` under `components.schemas`.
# @default -- `""`
content: ""
# -- Additional environment variables injected into the API container.
# Use sparingly — prefer `config.*` values above. Do not put secrets in
# literal `value:` entries (they end up in the rendered manifest and in Helm
# release history); reference a Secret with `valueFrom.secretKeyRef` instead.
extraEnv: []
# -- Extra volume mounts added to the API container
extraVolumeMounts: []
# -- Extra volumes added to the pod
extraVolumes: []