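# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0

# Default values for operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# telemetryEnabled -- The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry
telemetryEnabled: true

# -- Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
imagePullSecrets: []

image:
  # image.repository -- The operator image repository
  repository: docker.io/securecodebox/operator
  # image.tag -- Operator image tag
  # @default -- defaults to the charts version
  tag: null
  # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
  pullPolicy: IfNotPresent

# -- Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks).
# Requires that every namespace has a configmap with the CA certificate(s)
customCACertificate:
  # -- name of the configMap holding the ca certificate(s), needs to be the same across all namespaces
  existingCertificate: null
  # -- key in the configmap holding the certificate(s)
  certificate: "public.crt"

# -- Additional volumes to be mounted to the operator deployment
extraVolumes: []
# Example:
# extraVolumes:
#   - name: ssl-certificates
#     secret:
#       secretName: ssl-cert-secret
#   - name: config-volume
#     configMap:
#       name: operator-config
#   - name: cache-volume
#     emptyDir: {}

# -- Additional volume mounts to be mounted to the operator deployment
extraVolumeMounts: []
# Example:
# extraVolumeMounts:
#   - name: ssl-certificates
#     mountPath: /etc/ssl/certs
#     readOnly: true
#   - name: config-volume
#     mountPath: /etc/config
#   - name: cache-volume
#     mountPath: /cache

serviceAccount:
  # -- Name of the serviceAccount the operator uses to talk to the k8s api
  name: securecodebox-operator
  # -- Annotations of the serviceAccount the operator uses to talk to the k8s api
  annotations: {}
  # -- Labels of the serviceAccount the operator uses to talk to the k8s api
  labels: {}

# -- Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
securityContext:
  # securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
  runAsNonRoot: true
  # securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
  readOnlyRootFilesystem: true
  # securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
  allowPrivilegeEscalation: false
  # securityContext.privileged -- Ensures that the operator container is not run in privileged mode
  privileged: false
  capabilities:
    drop:
      # securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
      - ALL
  seccompProfile:
    # securityContext.seccompProfile.type -- one of RuntimeDefault, Unconfined, Localhost
    # To disable seccompProfile, set to Unconfined. See: https://kubernetes.io/docs/tutorials/security/seccomp/
    type: RuntimeDefault

# -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
podSecurityContext: {}

# -- Health and liveness probe configuration for the controller manager
probes:
  # -- Liveness probe configuration
  liveness:
    httpGet:
      path: /healthz
      port: healthchecks
    initialDelaySeconds: 15
    periodSeconds: 20
  # -- Readiness probe configuration
  readiness:
    httpGet:
      path: /readyz
      port: healthchecks
    initialDelaySeconds: 5
    periodSeconds: 10

nodeSelector: {}

# -- Configuration for the metrics the operator exports
metrics:
  serviceMonitor:
    # -- Creates a prometheus operator ServiceMonitor rule to automatically scrape the operators metrics: https://github.com/prometheus-operator/prometheus-operator
    enabled: false

lurker:
  image:
    # lurker.image.repository -- The lurker image repository
    repository: docker.io/securecodebox/lurker
    # lurker.image.tag -- Lurker image tag
    # @default -- defaults to the charts version
    tag: null
    # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
    pullPolicy: IfNotPresent

# -- Minio configuration for direct deployment
minio:
  # -- Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
  enabled: true
  # -- Minio image configuration
  image:
    repository: docker.io/minio/minio
    # renovate: image=docker.io/minio/minio
    tag: "RELEASE.2025-07-23T15-54-02Z"
    pullPolicy: IfNotPresent
  # -- Default buckets to create on startup
  defaultBuckets: "securecodebox"
  # -- Authentication configuration
  auth:
    # -- Root user for minio
    rootUser: "admin"
    # -- Root password for minio (leave empty to generate a secure random password)
    # Prefer auth.existingSecret over writing a password into a values file that is committed to version control.
    rootPassword: ""
    # -- Name of existing secret containing minio credentials (if set, auth.rootUser and auth.rootPassword are ignored)
    existingSecret: ""
  # -- Resource limits and requests for minio
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "512Mi"
      cpu: "500m"
      ephemeral-storage: "1Gi"
  # -- Persistence configuration
  persistence:
    # -- Storage class for minio data persistence
    storageClass: ""
    # -- Size of the persistent volume
    size: "10Gi"
  # -- Pod security context for minio
  podSecurityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
  # -- Container security context for minio
  # NOTE(review): unlike the operator container above, readOnlyRootFilesystem is not set here;
  # confirm the minio image tolerates a read-only root filesystem before enabling it.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # -- TLS configuration (currently not implemented)
  # While this is unimplemented, traffic between the secureCodeBox components and the in-cluster
  # minio is presumably plaintext; rely on cluster network isolation (e.g. NetworkPolicy) in the meantime.
  tls:
    enabled: false

# -- Config for external s3 systems
s3:
  # s3.enabled -- Enable this and disable minio if you want to directly connect against AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
  enabled: false
  tls:
    enabled: true
  endpoint: "fra1.digitaloceanspaces.com"
  bucket: "my-bucket"
  # Implicit 443. You probably only need to change this when the system uses a non default port
  port: null
  # s3.authType -- Authentication method. Supports `access-secret-key` (used by most s3 endpoints) and `aws-iam` (used by AWS EKS IAM Roles for Service Accounts (IRSA) and EKS Pod Identity authentication). Support for AWS IRSA is considered experimental in the secureCodeBox.
  authType: access-secret-key
  # s3.keySecret -- Name of a k8s secret in the same namespace as this release with credentials to the s3 bucket. Only used when s3.authType is set to "access-secret-key"
  # By default this assumes to have 'accesskey' and 'secretkey' as attributes
  # Example creation via kubectl:
  # kubectl create secret generic my-secret --from-literal=accesskey='******' --from-literal=secretkey='******' -n <namespace>
  keySecret: my-secret
  # Names of the attributes in the s3 secret
  secretAttributeNames:
    accesskey: accesskey
    secretkey: secretkey
  # s3.awsStsEndpoint -- STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-iam". Usually not required, even in IRSA or Pod Identity setups as the region gets injected by AWS into the pod.
  awsStsEndpoint: "https://sts.amazonaws.com"
  # -- Go Template that generates the path used to store raw result file and findings.json file in the s3 bucket. Can be used to store the files in a subfolder of the s3 bucket
  # @default -- scan-{{ .Scan.UID }}/{{ .Filename }}
  urlTemplate: null

# resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources:
  limits:
    cpu: 100m
    memory: 30Mi
  requests:
    cpu: 100m
    memory: 20Mi

# presignedUrlExpirationTimes -- Duration how long presigned urls are valid
# Shorter values limit how long a leaked presigned URL stays usable; the consuming job
# presumably has to finish its upload/download within this window, so do not set them lower than your scans need.
presignedUrlExpirationTimes:
  scanners: "12h"
  parsers: "1h"
  hooks: "1h"

# -- Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect.
allowIstioSidecarInjectionInJobs: false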