-
Notifications
You must be signed in to change notification settings - Fork 90
Expand file tree
/
Copy pathvalues.yaml
More file actions
498 lines (407 loc) · 17.6 KB
/
values.yaml
File metadata and controls
498 lines (407 loc) · 17.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
# Note: values.yaml files don't support templating out of the box, so that means
# that every value "{{ .Between.Curly.Braces }}" in this file needs to be
# explicitly interpolated on the template side by using the `tpl` function.
# -- Global common labels, applied to all resources
commonLabels: {}
# This section of values is for 1Password Connect API and Sync Configuration
connect:
# -- Denotes whether the 1Password Connect server will be deployed
create: true
# -- The number of replicas to run the 1Password Connect deployment
replicas: 1
# The 1Password Connect API Specific Values
api:
# -- The name of the 1Password Connect API container
name: connect-api
# -- The 1Password Connect API repository
imageRepository: 1password/connect-api
# -- The resources requests/limits for the 1Password Connect API pod
resources:
limits:
memory: 128Mi
requests:
cpu: 0.2
# -- The port the Connect API is served on when TLS is disabled
httpPort: 8080
# -- The port the Connect API is served on when TLS is enabled
httpsPort: 8443
# -- Log level of the Connect API container. Valid options are: trace, debug, info, warn, error.
logLevel: info
# Prometheus Service Monitor
# ref: https://github.com/coreos/prometheus-operator
serviceMonitor:
# -- Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
enabled: false
# -- Specify the interval at which metrics should be scraped
interval: 30s
# -- Define the path used by ServiceMonitor to scrape metrics
path: "/metrics"
# -- Define the HTTP URL parameters used by ServiceMonitor
params: {}
# -- Extra annotations for the ServiceMonitor
annotations: {}
# -- Container securityContext to be added to the Connect API containers.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
# The 1Password Connect Sync Specific Values
sync:
# -- The name of the 1Password Connect Sync container
name: connect-sync
# -- The 1Password Connect Sync repository
imageRepository: 1password/connect-sync
# -- The resources requests/limits for the 1Password Connect Sync pod
resources: {}
# -- The port serving the health of the Sync container
httpPort: 8081
# -- Log level of the Connect Sync container. Valid options are: trace, debug, info, warn, error.
logLevel: info
# -- Container securityContext to be added to the Connect Sync containers.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
# -- The name of 1Password Connect Application
applicationName: onepassword-connect
# -- The name of 1Password Connect Host
host: onepassword-connect
# -- The type of Service resource to create for the Connect API and sync services.
serviceType: ClusterIP
# -- Additional annotations to be added to the service.
serviceAnnotations: {}
# 1Password Connect Service Account Configuration
serviceAccount:
# -- Create service account for the 1Password Connect deployment
create: false
# -- Annotations for the 1Password Connect Service Account
annotations: {}
# -- The name of the 1Password Connect Service Account
name: onepassword-connect
# loadBalancerSourceRanges:
# - 10.0.0.0/16
# - 1.84.26.4/32
# loadBalancerIP:
# -- The name of Kubernetes Secret containing the 1Password Connect credentials
credentialsName: op-credentials
# -- The key for the 1Password Connect Credentials stored in the credentials secret
credentialsKey: 1password-credentials.json
# -- Contents of the 1password-credentials.json file for Connect. Can be set be adding `--set-file connect.credentials=<path/to/1password-credentials.json>` to your helm install command
credentials:
# -- Base64-encoded contents of the 1password-credentials.json file for Connect. This can be used instead of `connect.credentials` in case supplying raw JSON to `connect.credentials` leads to issues.
credentials_base64:
# -- The 1Password Connect API image pull policy
imagePullPolicy: IfNotPresent
# -- List of secret names to use as image pull secrets. Secrets must exist in the same namespace.
imagePullSecrets: []
# -- The 1Password Connect version to pull
version: "{{ .Chart.AppVersion }}"
# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the Connect pod
nodeSelector: {}
# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Connect pod
affinity: {}
## Horizontal Pod Autoscaling for the Connect pod
hpa:
# -- Enable Horizontal Pod Autoscaling for the Connect pod
enabled: false
# -- Additional annotations to be added to the HPA Connect
annotations: {}
# -- Minimum number of replicas for the Connect pod
minReplicas: 1
# -- Maximum number of replicas for the Connect pod
maxReplicas: 3
# -- Average Memory utilization percentage for the Connect pod
avgMemoryUtilization: 50
# -- Average CPU utilization percentage for the Connect pod
avgCpuUtilization: 50
# -- Defines the Autoscaling Behavior in up/down directions
behavior: {}
## Pod Disruption Budget for the Connect pod
pdb:
# -- Enable Pod Disruption Budget for the Connect pod
enabled: false
# -- Additional annotations to be added to the PDB Connect
annotations: {}
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
maxUnavailable: 1
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
minAvailable: 0
# 1Password Connect API and Sync Service
probes:
# -- Denotes whether the 1Password Connect API will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive
liveness: true
# -- Denotes whether the 1Password Connect API readiness probe will operate and ensure the pod is ready before serving traffic
readiness: true
# -- [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Connect API deployment resource.
priorityClassName: ""
# -- Additional annotations to be added to the Connect API deployment resource.
annotations: {}
# -- Additional labels to be added to the Connect API deployment resource.
labels: {}
# -- Additional annotations to be added to the Connect API pods.
podAnnotations: {}
# -- Additional labels to be added to the Connect API pods.
podLabels: {}
# -- Pod securityContext to be added to the Connect pods.
podSecurityContext:
fsGroup: 999
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# -- List of tolerations to be added to the Connect API pods.
tolerations: []
# 1Password Connect volume shared between 1Password Connect Containers
dataVolume:
# -- The name of the shared volume used between 1Password Connect Containers
name: shared-data
# -- The type of the shared volume used between 1Password Connect Containers
type: emptyDir
# -- Describes the fields and values for configuration of shared volume for 1Password Connect
values: {}
# Determines if HTTPS Port if setup for the 1Password Connect
tls:
# -- Denotes whether the Connect API is secured with TLS
enabled: false
# -- The name of the secret containing the TLS key (`tls.key`) and certificate (`tls.crt`)
secret: op-connect-tls
# Ingress allows ingress services to be created to allow external access
# from Kubernetes to access 1Password Connect pods.
ingress:
# -- The boolean value to enable/disable the 1Password Connect Ingress
enabled: false
# -- Ingress labels for 1Password Connect
labels:
{}
# traffic: external
# -- The 1Password Connect Ingress Annotations
annotations:
{}
# |
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# or
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Optionally use ingressClassName instead of deprecated annotation.
ingressClassName: ""
# -- Ingress PathType see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types)
pathType: Prefix
# @ignored
hosts:
- host: chart-example.local
paths: []
# -- Additional Ingress Paths
extraPaths: []
# - path: /*
# backend:
# service:
# name: ssl-redirect
# port:
# number: use-annotation
# -- Ingress TLS see [docs](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls)
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
# Optionally the internal profiler can be enabled to debug memory or performance issues.
profiler:
# -- Enable the internal profiler to debug memory or performance issues. For normal operation this does not have to be enabled.
enabled: false
# -- The interval at which profiler snapshots are taken.
interval: 6h
# -- Number of profiler snapshots to keep.
keepLast: 12
# -- Custom Environment Variables for the 1Password Connect container.
customEnvVars: []
# This section of values is for 1Password Operator Configuration
operator:
# -- Denotes whether the 1Password Operator will be deployed
create: false
# -- Authentication method for the Operator. Valid values: `connect` (uses Connect token) or `service-account` (uses 1Password Service Account token)
authMethod: connect
# -- The number of replicas to run the 1Password Operator deployment
replicas: 1
# -- Denotes whether the 1Password Operator will automatically restart deployments based on associated updated secrets.
autoRestart: false
# -- The name of 1Password Operator Application
applicationName: onepassword-connect-operator
# -- The 1Password Operator image pull policy
imagePullPolicy: IfNotPresent
# -- List of secret names to use as image pull secrets. Secrets must exist in the same namespace.
imagePullSecrets: []
# -- The 1Password Operator repository
imageRepository: 1password/onepassword-operator
# -- How often the 1Password Operator will poll for secrets updates.
pollingInterval: 600
# -- The 1Password Operator version to pull
version: "1.12.0"
# -- Pod securityContext to be added to the Operator pods.
podSecurityContext:
fsGroup: 65532
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# -- Container securityContext to be added to the 1Password Operator containers.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) stanza for the operator pod
nodeSelector: {}
# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) rules for the Operator pod
affinity: {}
## Horizontal Pod Autoscaling for the Operator pod
hpa:
# -- Enable Horizontal Pod Autoscaling for the Operator pod
enabled: false
# -- Additional annotations to be added to the HPA Operator
annotations: {}
# -- Minimum number of replicas for the Operator pod
minReplicas: 1
# -- Maximum number of replicas for the Operator pod
maxReplicas: 3
# -- Average Memory utilization percentage for the Operator pod
avgMemoryUtilization: 50
# -- Average CPU utilization percentage for the Operator pod
avgCpuUtilization: 50
# -- Defines the Autoscaling Behavior in up/down directions
behavior: {}
## Pod Disruption Budget for the Operator pod
pdb:
# -- Enable Pod Disruption Budget for the Operator pod
enabled: false
# -- Additional annotations to be added to the PDB Operator
annotations: {}
# -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
maxUnavailable: 1
# -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
minAvailable: 0
# -- Additional annotations to be added to the Operator deployment resource.
annotations: {}
# -- Additional labels to be added to the Operator deployment resource.
labels: {}
# -- Additional annotations to be added to the Operator pods.
podAnnotations: {}
# -- Additional labels to be added to the Operator pods.
podLabels: {}
# -- [priorityClassName](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) to apply to the Operator pods.
priorityClassName: ""
# -- List of tolerations to be added to the Operator pods.
tolerations: []
# -- A list of namespaces for the 1Password Operator to watch and manage. Use the empty list to watch all namespaces.
watchNamespace: []
# -- The resources requests/limits for the 1Password Operator pod
resources: {}
# 1Password Operator Health Probes
probes:
# -- The port the health probe endpoints are served on for the Operator pod
port: 8081
liveness:
# -- Denotes whether the 1Password Operator will be continually checked by Kubernetes for liveness and restarted if the pod becomes unresponsive
create: true
# -- Number of consecutive failures before Kubernetes restarts the container
failureThreshold: 3
# -- Number of seconds between liveness probe checks
periodSeconds: 20
# -- Number of seconds to wait before starting liveness probes
initialDelaySeconds: 15
readiness:
# -- Denotes whether the 1Password Operator readiness probe will operate and ensure the pod is ready before serving traffic
create: true
# -- Number of seconds to wait before starting readiness probes
initialDelaySeconds: 5
# -- Number of seconds between readiness probe checks
periodSeconds: 10
# 1Password Operator Connect Token Configuration
token:
# -- The name of Kubernetes Secret containing the 1Password Connect API token
name: onepassword-token
# -- The key for the 1Password Connect token stored in the 1Password token secret
key: token
# -- An API token generated for 1Password Connect to be used by the 1Password Operator
value:
# 1Password Service Account Token Configuration
serviceAccountToken:
# -- The name of Kubernetes Secret containing the 1Password Service Account token
name: onepassword-service-account-token
# -- The key for the 1Password Service Account token stored in the 1Password token secret
key: token
# -- Generated 1Password Service Account token to be used by the 1Password Operator
value:
# 1Password Operator Service Account Configuration
serviceAccount:
# -- Denotes whether or not a service account will be created for the 1Password Operator
create: "{{ .Values.operator.create }}"
# -- Annotations for the 1Password Connect Service Account
annotations: {}
# -- The name of the 1Password Connect Operator Service Account
name: onepassword-connect-operator
# 1Password Operator Role Binding Configuration
roleBinding:
# -- Denotes whether or not a role binding will be created for each Namespace for the 1Password Operator Service Account
create: "{{ .Values.operator.create }}"
# -- The name of the 1Password Operator Role Binding
name: onepassword-connect-operator
# 1Password Operator Cluster Role Configuration
clusterRole:
# -- Denotes whether or not a cluster role will be created for each for the 1Password Operator
create: "{{ .Values.operator.create }}"
# -- The name of the 1Password Operator Cluster Role
name: onepassword-connect-operator
# 1Password Operator Cluster Role Binding Configuration
clusterRoleBinding:
# -- Denotes whether or not a Cluster role binding will be created for the 1Password Operator Service Account
create: "{{ .Values.operator.create }}"
# -- The name of the 1Password Operator Cluster Role Binding
name: onepassword-connect-operator
# -- Log level of the Operator container. Valid options are: debug, info and error.
logLevel: info
# -- Passes the `--enable-annotations` flag to the Operator container when true.
enableAnnotations: false
# -- Passes the `--allow-empty-values` flag to the Operator container that allows adding fields with empty values to Kubernetes secrets when true
allowEmptyValues: false
# -- Custom environment variables for the 1Password Operator container.
customEnvVars: []
# 1Password Operator TLS settings
tls:
# -- Set trust.secret to the secret name containing the Connect TLS cert when using a self-signed cert.
trust: {}
# 1Password Acceptance Tests Functionality
acceptanceTests:
# -- Enable acceptance tests for the chart
enabled: false
# -- Test fixtures configuration for acceptance tests
fixtures: {}
healthCheck:
# -- Enable the health check test
enabled: true
image:
# -- The image repository for the health check test container
repository: curlimages/curl
# -- The image tag for the health check test container
tag: "latest"
# -- Pod securityContext to be added to the acceptance test pods.
podSecurityContext:
fsGroup: 65532
runAsUser: 65532
runAsGroup: 65532
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# -- Container securityContext to be added to the acceptance test containers.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false