# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
# Default values for operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# telemetryEnabled -- The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry
# NOTE(review): this is opt-out, and "sends" means the operator makes outbound network requests from the cluster.
# Set it to false in air-gapped or egress-restricted clusters, or wherever no data may leave the cluster.
telemetryEnabled: true
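image:
  # image.repository -- The operator image repository
  repository: docker.io/securecodebox/operator
  # image.tag -- Operator image tag
  # @default -- defaults to the charts version
  # NOTE(review): a tag is mutable and can be re-pushed upstream. For production consider pinning the operator image
  # by digest and enforcing that with an admission policy; check how the chart template composes repository and tag
  # before switching to a digest reference.
  tag: null
  # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
  pullPolicy: IfNotPresent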
# -- Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks).
# Requires that every namespace has a configmap with the CA certificate(s)
# NOTE(review): because the certificate(s) are mounted into every component, the referenced ConfigMap acts as a trust
# anchor for them. Anyone who can write that ConfigMap can get their own CA trusted, so restrict write access to it via
# RBAC in each namespace. A ConfigMap carries no confidentiality protection, which is fine for public CA certs, but its
# integrity is what matters here.
customCACertificate:
  # -- name of the configMap holding the ca certificate(s), needs to be the same across all namespaces
  existingCertificate: null
  # -- key in the configmap holding the certificate(s)
  certificate: "public.crt"
serviceAccount:
  # -- Name of the serviceAccount the operator uses to talk to the k8s api
  name: securecodebox-operator
  # -- Annotations of the serviceAccount the operator uses to talk to the k8s api
  # (presumably also where a cloud IAM role binding goes when s3.authType is "aws-irsa"; verify against the chart templates)
  annotations: {}
  # -- Labels of the serviceAccount the operator uses to talk to the k8s api
  labels: {}
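# -- Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
securityContext:
  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
  # (the kubelet refuses to start the container if it cannot prove the image user is non-root; set runAsUser
  # explicitly if the image has a non-numeric USER)
  runAsNonRoot: true
  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
  readOnlyRootFilesystem: true
  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
  allowPrivilegeEscalation: false
  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
  privileged: false
  capabilities:
    drop:
      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
      # Uppercase on purpose: the Kubernetes "restricted" Pod Security Standard looks for the literal value ALL,
      # and a lowercase "all" is not recognised by that check even where the runtime accepts it.
      - ALL
  # NOTE(review): the restricted Pod Security Standard also requires a seccomp profile. Add
  # `seccompProfile: { type: RuntimeDefault }` here (or in podSecurityContext) once the image is confirmed to run under it.
# -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
podSecurityContext: {}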
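lurker:
  image:
    # lurker.image.repository -- The lurker image repository
    repository: docker.io/securecodebox/lurker
    # lurker.image.tag -- Lurker image tag
    # @default -- defaults to the charts version
    # NOTE(review): same supply-chain caveat as image.tag above — a tag is mutable; prefer a digest for production.
    tag: null
    # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
    pullPolicy: IfNotPresent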
minio:
  # -- Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
  enabled: true
  tls:
    # -- With TLS disabled, all traffic to the in-cluster MinIO (presumably scan results and findings, i.e. sensitive
    # data about your own infrastructure) travels in plaintext inside the cluster. Enable TLS for anything beyond a
    # lab setup and provide the certificate via certSecret.
    enabled: false
    # -- Name of the secret holding the MinIO TLS certificate; only used when tls.enabled is true
    certSecret: minio-tls
  defaultBucket:
    enabled: true
    # -- Name of the bucket created by default; treat it as a private findings store
    name: "securecodebox"
  # Overwrite Minio's default 4Gi memory request
  resources:
    requests:
      memory: "256Mi"
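# Config for external s3 systems
s3:
  # s3.enabled Enable this and disable minio if you want to directly connect against AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
  enabled: false
  # The endpoint and bucket below are placeholders and must be replaced for a real deployment
  endpoint: "fra1.digitaloceanspaces.com"
  bucket: "my-bucket"
  # Implicit 443. You probably only need to change this when the system uses a non default port
  port: null
  # s3.authType -- Authentication method. Supports access-secret-key (used by most s3 endpoints) and aws-irsa (used by AWS EKS IAM Role to Kubernetes Service Account binding. Support for AWS IRSA is considered experimental in the secureCodeBox)
  authType: access-secret-key
  # Name of a k8s secret in the same namespace as this release with credentials to the s3 bucket. Only used when s3.authType is set to "access-secret-key"
  # By default the secret is expected to have 'accesskey' and 'secretkey' as data keys (see s3.secretAttributeNames).
  # Secret data keys are case-sensitive, so the key names in the Secret must match secretAttributeNames exactly.
  # Example creation via kubectl (run it in the release namespace):
  # kubectl create secret generic my-secret --from-literal=accesskey="******" --from-literal=secretkey="******"
  # Never put the real credentials into this values file; keep them in the Secret (or an external secret store) only.
  keySecret: my-secret
  # Names of the data keys in the s3 secret
  secretAttributeNames:
    accesskey: accesskey
    secretkey: secretkey
  # s3.awsStsEndpoint -- STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa"
  awsStsEndpoint: "https://sts.amazonaws.com"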
# resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
# Presumably these apply to the operator container itself; minio carries its own resources block above.
# NOTE(review): the memory limit is tight. If the operator gets OOM-killed on a busy cluster, raise the limit here
# rather than dropping it, so the pod stays within a bounded footprint.
resources:
  limits:
    cpu: 100m
    memory: 30Mi
  requests:
    cpu: 100m
    memory: 20Mi