-
-
Notifications
You must be signed in to change notification settings - Fork 107
/
values.yaml
370 lines (355 loc) · 16.9 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
# Default values for StackStorm Enterprise HA cluster
# This is a YAML-formatted file.
##
## Docker image settings, applied to all StackStorm pods
##
image:
# StackStorm Enterprise private Docker Registry used to pull images
repository: docker.stackstorm.com
# Image pull policy. Change to "IfNotPresent" when switching to stable images
pullPolicy: Always
##
## StackStorm shared variables
##
st2:
# Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
config: |
[api]
allow_origin = '*'
# Custom pack configs and image settings.
#
# By default, system packs are available. However, since 'st2 pack install' cannot be run in the k8s cluster,
# you will need to bake additional packs into an 'st2packs' image. Please see stackstorm-enterprise-ha/README.md
# for details on how to build this image.
packs:
# Custom StackStorm pack configs. Each record creates a file in '/opt/stackstorm/configs/'
# https://docs.stackstorm.com/reference/pack_configs.html#configuration-file
configs:
core.yaml: |
---
# example core pack config yaml
# Custom packs image settings. The repository, name, tag and pullPolicy for this image
# are specified below.
image:
# If you wish to use a docker registry running in the k8s cluster, set docker-registry.enabled to true.
# Uncomment the following line to make the custom packs image available to the necessary pods.
# repository: localhost:5000
name: st2packs
tag: latest
pullPolicy: Always
# StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html)
rbac:
# Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/'
# See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
roles:
sample.yaml: |
# sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
---
name: "sample"
description: "Example Role which contains no permission grants and serves for demonstration purposes"
# Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/'
# See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
assignments:
st2admin.yaml: |
---
username: st2admin
roles:
- system_admin
stanley.yaml: |
---
username: stanley
roles:
- admin
# StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/'
# See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership
mappings:
#stormers.yaml: |
#---
#group: "CN=stormers,OU=groups,DC=stackstorm,DC=net"
#description: "Automatically grant admin role to all stormers group members."
#roles:
# - "admin"
##
## StackStorm Enterprise Cluster Secrets. All fields are required!
## NB! It's highly recommended to change ALL defaults!
##
# TODO: Move to `secrets.yaml` when it gets implemented in Helm (https://github.com/kubernetes/helm/issues/2196) ? (#14)
# TODO: Alternatively as part of reorganizing Helm values, consider moving values to existing `st2` and `st2web` sections ? (#14)
secrets:
st2:
# Required (!) StackStorm Enterprise license key.
# Don't have one? Obtain 90-day free trial at https://stackstorm.com/#product
license: ""
# Username, used to login to StackStorm system
username: st2admin
# Password, used to login to StackStorm system
password: Ch@ngeMe
# SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
# Warning! Replace with your own SSH key!
# TODO: For prod/stable consider auto-generating if no key provided
ssh_key: |-
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAs73kblN3XfLR6tYsHRHyX/aQKx4amcNjT+E+2ufwqkiINDyA
CGim0Z4WFOEO6UtZApeOlUehp2MEFGFpl2u8vUC1b7AsWaImB4ywMIPOFblqaEag
DskrFp7FOggqZFWX7NwVZpm/KkvCw/fCehnxuv+za+hUtg4Qiv86qXShrlsn98B7
64Aq27oxkvhRU2OkDUP/wPNQnXzIZxfFYSvS7rGzKrswdZfWysscIUor4a+7GahM
yq8PGD6qp2wkiL7wFarZerS2Sq3M06Y89yzppCoPYI6kaEPuqrjSYZvh38CAVbGG
SgPv3CFgR1N3BsBEAx7OF+40R58C+3ldH8e1tQIDAQABAoIBAQCN7137YR3Zqm3p
q8aaDhn/fYzK/7KxyYEbCxu/cXiyfyRPW5cfDMTuso9tXWuQ/lcDnPqTF0WoEKCg
F2xyjjk0mWytDcl33nt5areXF/4dWZWVUnACPQkxi57i/J+9K3oVKJYdtzsmAz2B
0pxYHzSsHk9o3sZGHUUi/fks51TlgPNgOP8hf7/K9w9+FSE26geqjddqWwQbbStI
rDc3ZPMcGI4E5DuGmnrxWf4omUqScTB+bvUgN+WC02v1Bj4HaAX7PlLCUZMuTk3S
BcG4v7qiglxVYdBjtHNwtg1YAoVYh6sXckxqi1XudhoRXGlgYtyrcW0mWnnB4hIQ
vy7//uABAoGBANw8H1h93U1HNsqfIa1Ys3u6qZdHByHvA8e7Jk6GEFUEOAQSyxZ+
0RbFWC4knuQL+YklqeDNCXekwVEvVenf2lhZ4rHNbmv/9pWhq7sQcDOQPi5nVxJl
bkQoQkeNGeH8KPF1E2RsfJ8uU3NfD00yMFrNaeBUIlY44ABMOQSJREq1AoGBANDu
V0IV1BahqEW5mmnTdHLG6+tiSQdutrQv4hxBL59PhwyeMvpzFgwkNmymAZMLl40D
Y/0wg2lVr7Fb+peCrLpiNMEPWv/a38IEVTDm7YcsHZayEsc1vdjdMoZ8k5VNi25F
+lvQ/CxDNqJGTNEBBYmb5QHopBh8YowwIrT0yZ8BAoGAFYtAGbz+SA/+WSXl+noh
3Kmu62CEXxptiT1Siv3sXRSzkhpwiXvQYmTdsm3cqTxOpc7sZlRIZ87TJmj2A5Hl
Xx0z4ubQtXntmkedcAg0oaarnoh3aRJJDhvOGAfCj2vGaZBlXD6MllnGyhNzgL63
IjrT76DrVvnrV7wdG8d9yb0CgYAuQFT4wDRPPkIuDURtoO3qarbXSM654nx3rxHz
B0svjT9sP6kxYEDFN08FBkra7noCMXn1FsRAkUNvk9kJqVfresoK4wdWFHHsVWE2
jiiO/+kc7xbRGsiINY91ziYtqxjutHcT1FO+yLJTghSHQB6ls+kiXwnUkdSPDCji
vj3UAQKBgE19oSdfKbpKTyHu5rs+lN/KictDuMrqAriWODCygZ1/X1J1zpqvpUbt
WE8BWLQ1vBV6c7V4Q0Wp6LuTnNnvu/lvVugJW/TbrzFw6CFe5fEISmIHAMnqVz8x
OdOJyinSM1svoBGnYfyAqINKrqCSGSKmprlMo0Ma3erI7SuojWBS
-----END RSA PRIVATE KEY-----
st2web:
# SSL Certificate used for StackStorm Web UI in nginx (HTTPS)
# Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
# TODO: For prod/stable consider auto-generating if no cert provided
ssl_certificate: |-
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIJANcrpXluUyomMA0GCSqGSIb3DQEBCwUAMIGDMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJUGFsbyBBbHRv
MRMwEQYDVQQKDApTdGFja1N0b3JtMSEwHwYDVQQLDBhJbmZvcm1hdGlvbiAgIFRl
Y2hub2xvZ3kxEzARBgNVBAMMCnN0YWNrc3Rvcm0wHhcNMTgwNTIzMTQxMDMyWhcN
MTkwNTIzMTQxMDMyWjCBgzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
aWExEjAQBgNVBAcMCVBhbG8gQWx0bzETMBEGA1UECgwKU3RhY2tTdG9ybTEhMB8G
A1UECwwYSW5mb3JtYXRpb24gICBUZWNobm9sb2d5MRMwEQYDVQQDDApzdGFja3N0
b3JtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5r2f8xtKToZM3rMS
J+gcpRjCIACv4ivJDxhhOJ1L9WXpR5UGUtftuiRKvhQA6lW0buPyAWnIDdEyUKHa
QoPPYfB/mmuu5qc14JLJ9swzqkfHkgcgi1DjXFg8GkfWKXymtD2F/jU+Mf94NS9P
kfZO7mAfOMjsX18J7Vmq/Jk2dYOmbQHsj549VNUcaj4HEmf52cqHlJCAdl8gVJ0H
8NDJwDkb1okNKqCMLu5sR3ffmTnVO+zxsNIZMnngevWfhkLkYdEpxraL0Dyi8HkA
004cvPryoit4sucYvEWU2ZWBjBtOFJmqH8QQYei/G9JDVjfXk8KoRm1EvH1G3Hab
6wmB0QIDAQABo1AwTjAdBgNVHQ4EFgQUrTArdEoZeiCoYs5xp+BDp9/AlhowHwYD
VR0jBBgwFoAUrTArdEoZeiCoYs5xp+BDp9/AlhowDAYDVR0TBAUwAwEB/zANBgkq
hkiG9w0BAQsFAAOCAQEAjhMlepcXlWlbr7HcwDX0bNAAze+tJ/NVQGAkl92Nu/9L
KsJmObhFEJmok4ZuYhzeVlNRVkC465oHhDLOjUzZoZ6y4hiyH8YJacnZ8mpFFxcc
/s18QEw5+G6/xTAzTsrvN2aS+M6qVfEM2tmtwzb7cE14nExLrKq9MGZ6c9qBbH/k
YP18QVLx89mBcrWHzbUmCXkVzVxcII2U2CyPhGoHpN054oZ9XT5r0p/JqWLl2wEh
6iNbkxysfAeB2J0tY10uSWCzQuQ1UtzDaBkGUHd+UKR98EcduoNqMoUIwkAu0gjk
k8kkryYUKpQ/OAiyXIDJiR9lWPGG1Kr8ZqOwjeCRKw==
-----END CERTIFICATE-----
# SSL Certificate private key used for StackStorm Web UI in nginx (HTTPS)
# Warning! This is dummy auto-generated self-signed SSL cert. Use your own instead!
# TODO: For prod/stable consider auto-generating if no cert provided
ssl_certificate_key: |-
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmvZ/zG0pOhkze
sxIn6BylGMIgAK/iK8kPGGE4nUv1ZelHlQZS1+26JEq+FADqVbRu4/IBacgN0TJQ
odpCg89h8H+aa67mpzXgksn2zDOqR8eSByCLUONcWDwaR9YpfKa0PYX+NT4x/3g1
L0+R9k7uYB84yOxfXwntWar8mTZ1g6ZtAeyPnj1U1RxqPgcSZ/nZyoeUkIB2XyBU
nQfw0MnAORvWiQ0qoIwu7mxHd9+ZOdU77PGw0hkyeeB69Z+GQuRh0SnGtovQPKLw
eQDTThy8+vKiK3iy5xi8RZTZlYGMG04UmaofxBBh6L8b0kNWN9eTwqhGbUS8fUbc
dpvrCYHRAgMBAAECggEBAKiTETCDV55W8AIjwbf2FDdqBylqVxVd995XaW/7O2tl
sTDi52PO7Zd4vEJyStjpFJGPZ1cw+T9e/ut51AOUWQastg0TbwyETRBtLbBpL7XQ
CzXcjyI5TmJA9Gge45AbyY8VA7fdHjtY8XGpxvBUiwYMo8LQyCBFRvNo90rkhK0E
xk+mk+DhVFTFvJbYhENTAA8iCq3GeeA7tC+hwOkyNUeyiroIYa1m9uwIPFHS4gxF
+uCRsTnhOxUVzxfAWsWBZDe0Yo5zVHl7xwFfse1T//vbwoF5ouIP2IjbwGveCbeW
hunsYOPdkkT8rdszyLmrfrpA6Bc0tHKuOz9fJRcCuSECgYEA+9RIc/mzz0AI09oA
8vNWYImgPRa0l+AxX3EuL/xx49i8swpELtjNzsz0H1J0nY6baPMaoxj4TEJFxT7c
X5NSltcZlxxAxi5WdEpJSdSvznNTKpYVqyDkJWN+1NuoW5e8LOMOuR3NRx7ogA2P
o2NpsbShIp22odMaj1tW9kED+N8CgYEA6o/uBVs+y2Fv7Y86PSnaBJPzO07YO1xG
tan0zr4TBp2o4YX5sgSdCSlZmSsrGi5Vq20RsBkOg4w8o4ZFYPBZmi+xDyomiibA
qssbYTTovwooy5y5LMO+HSz0ClWe17v+o/M0OWwM/uLZ/dOb309NT81A58f0jZIn
6ghnWscF608CgYBmAxRmhpxkNBhfWUxRHmm7KYUTugLmExdtBjgjkCvClKW8EUiV
gZW9VCEAHzLGMGKcHP6JWzAaFC6XPGOhA9jM6c2f/P3wSg0ThpQxqEqfYvAprCqS
6/v/eVKDf4evssOzmzb3ni7txIOCe/vXwAmsxvMPRrwYyZ9Uuzd7AdNOGQKBgB8G
Alk7BEcqD/+/ndhRHMDWQKlreDYBsmh8niBqC2IooBmT+r6M1ahMi8kyaHUCA9q0
hk5gQgcsGSkXrT1xDKjT/fsffBFxprHwQyLMOKxrz5F+nQ9KpG5/b5eeU2/9MWTF
2fZuUBm2L1bfEhKrDnKrlxYQ4EuJNTZC/kiHYkUJAoGBAICBQqCOkFaugy0obNvD
BRmc3S5gNeMQHangZKKO1I0hnK0WeWV/D/sTNY1GxxPNhHfU3yfQvfI+Kswspi/b
ofUOhwAXuMsTtuLagOMyAJVs+KRVrvnXGT/p9l213ZAnDtFSpkvcjD9WUcupeTca
BjdoJBzImjVB5znOgIui3ME5
-----END PRIVATE KEY-----
##
## StackStorm Enterprise Cluster pod settings for each individual service/component.
##
# Many st2web instances, placed behind a load balancer that serve web app and proxify requests to st2auth, st2api, st2stream.
st2web:
# Minimum 2 replicas are recommended to run st2web in HA mode
replicas: 2
# Tested resource consumption based on multiple requests to st2web within nginx
# Please adjust based on your conscious choice
resources:
requests:
memory: "25Mi"
cpu: "50m"
limits:
memory: "100Mi"
# TODO: Add Ingress and/or LoadBalancer setting as a way to expose service to public (#31)
# ingress:
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2auth
# Multiple st2auth processes can be behind a load balancer in an active-active configuration.
st2auth:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2api
# Multiple st2api process can be behind a load balancer in an active-active configuration.
st2api:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2stream
# Multiple st2stream process can be behind a load balancer in an active-active configuration.
st2stream:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2rulesengine
# Multiple st2rulesengine processes can run in active-active with only connections to MongoDB and RabbitMQ. All these will share the TriggerInstance load and naturally pick up more work if one or more of the processes becomes unavailable.
st2rulesengine:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2timersengine
# Only single replica is created via K8s Deployment as timersengine can't work in active-active mode at the moment and it relies on K8s failover/reschedule capabilities to address cases of process failure.
st2timersengine:
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2workflowengine
# Multiple st2workflowengine processes can run in active-active mode and will share the load and pick up more work if one or more of the processes become available.
st2workflowengine:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2notifier
# st2notifier runs in active-active mode and requires for that coordination backend like Redis or Zookeeper
st2notifier:
replicas: 2
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer
# It is possible to run st2sensorcontainer in HA mode by running one process on each compute instance. Each sensor node needs to be
# provided with proper partition information to share work with other sensor nodes so that the same sensor does not run on different nodes.
st2sensorcontainer:
# TODO: Re-work to use single-sensor-per-container mode partitioning instead of running 1 single node of st2sensorcontainer. Proper implementation is now possible with Helm templating (#12)
# NB! Number of replicas are hardcoded to 1, see above T0D0 about using single-sensor-per-container mode in future as way of Sensor Partitioning.
# replicas: 1
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2actionrunner
# Multiple st2actionrunner processes can run in active-active with only connections to MongoDB and RabbitMQ. Work gets naturally
# distributed across runners via RabbitMQ. Adding more st2actionrunner processes increases the ability of StackStorm to execute actions.
st2actionrunner:
replicas: 5
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
# https://docs.stackstorm.com/reference/ha.html#st2garbagecollector
# Optional service that cleans up old executions and other operations data based on setup configurations.
# By default this process does nothing and needs to be setup in st2.conf to perform any work.
st2garbagecollector:
# Having 1 st2garbagecollector unique replica is enough for periodic task like st2 history garbage collection
replicas: 1
# TODO: Find out recommended/default resources for this specific service (#25)
resources: {}
# Additional advanced settings to control pod/deployment placement
nodeSelector: {}
tolerations: []
affinity: {}
##
## MongoDB HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/mongodb-replicaset
##
# Specs for the MongoDB image
mongodb-ha:
image:
# StackStorm currently supports maximum MongoDB v3.4
tag: 3.4
##
## RabbitMQ HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/rabbitmq-ha
##
rabbitmq-ha:
rabbitmqUsername: admin
# TODO: Use default random 24 character password, but need to fetch this string for use by
# downstream services.
rabbitmqPassword: 9jS+w1u07NbHtZke1m+jW4Cj
persistentVolume:
enabled: true
##
## Docker registry configuration (3rd party chart dependency)
##
## The docker registry is useful if custom images need to be made available in the cluster.
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/docker-registry
##
## If enabled is true, helm installs a docker registry into the cluster.
## Otherwise, the docker registry is not installed.
##
docker-registry:
enabled: false
fullnameOverride: st2packs-docker-registry
##
## Docker registry proxy configuration (3rd party chart dependency)
## (only installed if docker-registry is enabled)
##
## This is run on each k8s node, and proxies pod localhost:5000 to the docker registry
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/incubator/kube-registry-proxy
##
kube-registry-proxy:
registry:
host: st2packs-docker-registry.default.svc.cluster.local
port: 5000
hostPort: 5000