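## Section: Kubernetes
# All settings related to how Fleet is deployed in Kubernetes
hostName: fleet.localhost
replicas: 3  # The number of Fleet instances to deploy
# Version of Fleet to deploy. Keep this pinned to an explicit release tag
# (never a floating tag) so that upgrades, including security fixes, are a
# deliberate and reviewable change.
imageTag: v4.47.3
podAnnotations: {}  # Additional annotations to add to the Fleet pod
serviceAccountAnnotations: {}  # Additional annotations to add to the Fleet service account
# CPU values are Kubernetes CPU units (cores), not clock speed.
# Limits cap what one Fleet pod may consume; requests are what the scheduler
# reserves for it.
resources:
  limits:
    cpu: 1  # 1 CPU core
    memory: 1Gi
  requests:
    cpu: 0.1  # 0.1 core (100m)
    memory: 50Mi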
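# Node labels for pod assignment
# ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
# Tolerations for pod assignment
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Configurable affinity for pod assignment.
# The default is a soft (preferred, weight 100) anti-affinity keyed on the node
# hostname: the scheduler tries to spread pods labelled app=fleet across nodes
# but may still co-locate them when it has no other placement.
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app
                operator: In
                values:
                  - fleet
          topologyKey: kubernetes.io/hostname
        weight: 100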
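# Ingress in front of the Fleet service. Disabled by default.
# NOTE(review): fleet.tls.enabled defaults to true in this file, so the backend
# presumably speaks HTTPS; confirm the ingress controller is configured for an
# HTTPS backend before enabling.
ingress:
  enabled: false
  className: ""
  # Example annotations; replace `{}` with a mapping to use any of them.
  annotations: {}
  # kubernetes.io/tls-acme: "true"
  # nginx.ingress.kubernetes.io/proxy-body-size: 10m
  # kubernetes.io/ingress.class: nginx
  # cert-manager.io/cluster-issuer: letsencrypt
  # chart-example.local and chart-example-tls are placeholders: set the real
  # hostname and the Secret holding its certificate before enabling the ingress.
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: chart-example-tls
      hosts:
        - chart-example.local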
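## Section: Fleet
# All of the settings relating to configuring the Fleet server
fleet:
  listenPort: 8080
  # Name of the Secret resource storing S3 bucket and optionally TLS secrets
  secretName: fleet
  # Whether or not to run `fleet db prepare` to run SQL migrations before starting Fleet
  autoApplySQLMigrations: true
  # Fleet terminates TLS itself when enabled. The certificate and private key
  # are read from a Secret under the key names given below; the key material
  # itself never belongs in this file.
  tls:
    enabled: true
    # Set to true if you need a separate secret for just TLS data.
    # Useful with cert-manager and similar deployments.
    uniqueTLSSecret: false
    secretName: fleet-tls
    # TLS protocol/cipher profile; `modern` is the stricter of Fleet's profiles.
    compatibility: modern
    certSecretKey: server.cert
    keySecretKey: server.key
  auth:
    # bcrypt work factor for stored password hashes; each +1 doubles the cost
    # of hashing (and of offline guessing against a leaked hash).
    bcryptCost: 12
    saltKeySize: 24
  app:
    tokenKeySize: 24
    inviteTokenValidityPeriod: 120h  # 5 days
  session:
    keySize: 64
    # A session stays valid this long unless it is ended earlier, so a stolen
    # session token is usable for the same window. Shorten for sensitive
    # environments.
    duration: 2160h  # 90 days
  logging:
    debug: false
    json: false
    disableBanner: false
  # File carving storage.
  # NOTE(review): secretKey appears to name the key inside the Secret above that
  # holds the AWS secret access key, not the credential itself; confirm against
  # the chart templates. Where possible, use stsAssumeRoleARN or a workload
  # identity instead of a long-lived access key.
  carving:
    s3:
      bucketName: ""
      prefix: ""
      accessKeyID: ""
      secretKey: s3-bucket
      stsAssumeRoleARN: ""
  extraVolumes: []
  extraVolumeMounts: []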
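## Section: osquery
# All of the settings related to osquery's interactions with the Fleet server
osquery:
  # Name of the secret resource containing optional secrets for AWS credentials
  secretName: osquery
  nodeKeySize: 24
  labelUpdateInterval: 30m
  detailUpdateInterval: 30m
  # To change where Fleet stores the logs sent from osquery, set the values below.
  # These logs carry host telemetry, so treat whichever destination is chosen
  # as sensitive and restrict who can read it.
  logging:
    statusPlugin: filesystem
    resultPlugin: filesystem
    # To configure the filesystem logger, change the values below
    filesystem:
      statusLogFile: osquery_status  # will be placed in the /logs volume
      resultLogFile: osquery_result  # will be placed in the /logs volume
      enableRotation: false
      enableCompression: false
      volumeSize: 20Gi  # the maximum size of the volume
    # For the AWS loggers below, secretKey appears to name the key inside the
    # osquery Secret that holds the AWS secret access key, not the credential
    # itself (NOTE(review): confirm against the chart templates). Prefer
    # stsAssumeRoleARN over a long-lived access key where possible.
    # To configure the AWS Firehose logger, change the values below
    firehose:
      region: ""
      accessKeyID: ""
      secretKey: firehose
      stsAssumeRoleARN: ""
      statusStream: ""
      resultStream: ""
    # To configure the AWS Kinesis logger, change the values below
    kinesis:
      region: ""
      accessKeyID: ""
      secretKey: kinesis
      stsAssumeRoleARN: ""
      statusStream: ""
      resultStream: ""
    # To configure the AWS Lambda logger, change the values below
    lambda:
      region: ""
      accessKeyID: ""
      secretKey: lambda
      stsAssumeRoleARN: ""
      statusFunction: ""
      resultFunction: ""
    # To configure the GCP PubSub logger, change the values below
    pubsub:
      project: ""
      statusTopic: ""
      resultTopic: ""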
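## Section: database
# All of the connection settings for MySQL
database:
  # Name of the Secret resource containing MySQL password and TLS secrets
  secretName: mysql
  # Loopback by default.
  # NOTE(review): presumably intended for an in-pod proxy such as gke.cloudSQL
  # in this file; confirm for your deployment.
  address: 127.0.0.1:3306
  database: fleet
  username: fleet
  # Key name inside the Secret above that holds the password; the password
  # itself is not stored in this file.
  passwordKey: mysql-password
  maxOpenConns: 50
  maxIdleConns: 50
  connMaxLifetime: 0
  # With TLS disabled the MySQL connection is unencrypted. That is only
  # reasonable while the connection stays on loopback; enable TLS and set
  # caCertKey when `address` points at a database reached over the network.
  tls:
    enabled: false
    ## Commented options below are optional. Uncomment to use.
    # caCertKey: ca.cert
    ## Client certificates require both the certKey and keyKey
    # certKey: client.cert
    # keyKey: client.key
    config: ""
    serverName: ""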
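## Section: cache
# All of the connection settings for Redis
cache:
  address: 127.0.0.1:6379
  database: "0"
  # Redis authentication is off by default. Set usePassword to true whenever
  # `address` is not loopback; the password is then read from the Secret and
  # key named below, not from this file.
  usePassword: false
  secretName: redis
  passwordKey: redis-password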
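## Section: GKE
# Settings that make running on Google Kubernetes Engine easier
gke:
  # The CloudSQL Proxy runs as a container in the Fleet Pod that proxies connections to a Cloud SQL instance
  cloudSQL:
    enableProxy: false
    # NOTE(review): pinned proxy image tag; check it against the currently
    # supported Cloud SQL proxy releases before enabling the proxy.
    imageTag: 1.17-alpine
    verbose: true
    instanceName: ""
  # The GKE Ingress requires a few changes that other ingress controllers don't
  ingress:
    useManagedCertificate: false
    useGKEIngress: false
    # 0 to allow the nodeport to be automatically selected, otherwise allowed range (30000-32767)
    nodePort: 0
  # Workload Identity allows the K8s service account to assume the IAM permissions of a GCP service account.
  # Grant that GCP service account only the roles Fleet needs; every pod using
  # the K8s service account inherits them.
  workloadIdentityEmail: ""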
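## Section: Environment Variables
# All of the environment variables that can be set for Fleet
environments:
  # MDM Settings
  # The following environment variables are used to configure Fleet to work with
  # Apple's MDM service. These are optional and only required if you are using
  # Fleet to manage Apple devices.
  # For more information: https://fleetdm.com/docs/using-fleet/mdm-macos-setup#step-3-configure-fleet-with-the-required-files
  #
  # The *_KEY_BYTES values are private-key material. Keep real values out of any
  # committed values file and supply them at install time from a secret store.
  # NOTE(review): how the chart renders these entries is not visible here; if
  # they become plain container env vars they are readable by anyone who can
  # read the pod spec or the Helm release. Confirm against the templates.
  FLEET_MDM_APPLE_APNS_CERT_BYTES: ""
  FLEET_MDM_APPLE_APNS_KEY_BYTES: ""
  FLEET_MDM_APPLE_SCEP_CERT_BYTES: ""
  FLEET_MDM_APPLE_SCEP_KEY_BYTES: ""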
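# NOTE(review): presumably toggles for bundled MySQL and Redis dependencies;
# confirm against the chart's dependency list. Both are off by default, so the
# `database` and `cache` sections must point at externally managed services.
mysql:
  enabled: false
redis:
  enabled: false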