-
Notifications
You must be signed in to change notification settings - Fork 6
/
kustomization.yaml
292 lines (257 loc) · 14.8 KB
/
kustomization.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# [EDIT] Specify the Kubernetes namespace into which Zenhub will be deployed.
namespace: <a_dedicated_namespace>
# [NOTE] You cannot set a `name_suffix` because the URLs would not match
# existing resources.
resources:
- base
- options/sanitycheck
# - options/ingress # Example of an Nginx Ingress
# Optional configurations
patchesStrategicMerge:
# - options/zenhub-registry/zenhub-registry.yaml #! Adds imagePullSecrets to pull images from Zenhub's registry
# - options/pullpolicy/always.yaml #! Sets the image pull policy of deployments to Always
# - options/scaling/deployments-scaling.yaml #! Change number of replicas and scaling
# - options/scaling/deployments-resources-small.yaml #! Enable to use minimum required resources, or customize them yourself
# - options/pgbouncer/pgbouncer-config.yaml #! Enable if password_encryption is set to scram-sha-256 on your postgres database,
#! or if you need to change the default pool size and connection limits.
#! See documentation in options/pgbouncer/README.md to make configuration changes.
# - options/ai-features/gpu-nodepool-tolerations-and-replicas.yaml #! Enable to configure the AI deployment to tolerate the
#! taints on your GPU node(s) and set desired number of replicas.
# [EDIT] (Optional) specify any labels you want applied to the deployments.
commonLabels:
app.kubernetes.io/part-of: zenhub-enterprise
app.kubernetes.io/application: zenhub
app.kubernetes.io/instance: zhe-for-k8s
app.kubernetes.io/managed-by: kustomize
commonAnnotations:
app.kubernetes.io/version: 4.2.1
# [EDIT] If your cluster does not have access to our public Docker registry,
# update the `newName` values with paths to your own private Docker registry.
images:
- name: kraken-webapp
newName: us.gcr.io/zenhub-public/kraken-webapp
newTag: zhe-4.2.1
- name: kraken-extension
newName: us.gcr.io/zenhub-public/kraken-extension
newTag: zhe-4.2.1
- name: kraken-zhe-admin
newName: us.gcr.io/zenhub-public/kraken-zhe-admin
newTag: zhe-4.2.1
- name: raptor-backend
newName: us.gcr.io/zenhub-public/raptor-backend
newTag: zhe-4.2.1
- name: toad-backend
newName: us.gcr.io/zenhub-public/toad-backend
newTag: zhe-4.2.1
- name: sanitycheck
newName: us.gcr.io/zenhub-public/sanitycheck
newTag: zhe-4.2.1
- name: devsite
newName: us.gcr.io/zenhub-public/devsite
newTag: zhe-4.2.1
- name: busybox
newName: docker.io/library/busybox
newTag: latest
- name: nginx
newName: docker.io/library/nginx
newTag: latest
configMapGenerator:
- name: configuration
behavior: merge
literals:
# [EDIT] Set your top-level domain where Zenhub will be served from. This
# is used to tell the Zenhub webapp how to reach the Zenhub APIs.
- domain_tld=yourcompany.dev
# [EDIT] Set the subdomain that Zenhub will be served from, or leave as
# default "zenhub" value.
- subdomain_suffix=zenhub
# [EDIT] Set the subdomain that Zenhub Admin-UI will be served from, or leave as
# default "admin-zenhub" value.
- admin_ui_subdomain=admin-zenhub
# [EDIT] Set the subdomain that Zenhub GraphiQL Explorer will be served from, or leave as
# default "developers" value. The domain would then be https://developers-<subdomain_suffix>.<domain_tld>
- graphiql_explorer_subdomain_prefix=developers
# [EDIT] NOTE: Make sure the value does not have a trailing slash.
- github_hostname=https://<github_enterprise_host>
# [EDIT] Specify the OAuth App Client ID for the Zenhub application. See here
# for instructions on how to setup an OAuth app on your GitHub server:
# https://docs.github.com/en/developers/apps/creating-an-oauth-app
# The secret value should be passed to `github_app_secret` below (in the
# "secretGenerator" section). Section 2.2 of the README in this folder explains
# how to configure the fields of the OAuth App.
- github_app_id=<github_oauth_app_client_id> # GitHub OAuth App Client ID
# [EDIT] S3 API compatible object storage buckets for uploaded files and images
- bucket_access_key_id=<access_key_id>
- bucket_region=<bucket_region> # e.g., us-east-1
- bucket_domain=<bucket_public_domain> # e.g., s3.us-east-1.amazonaws.com
- files_bucket_name=<bucket_name>
- images_bucket_name=<bucket_name>
# If you are using AWS DocumentDB for your MongoDB, enable this and append ?retryWrites=false to mongo_url
# - mongo_is_documentdb=true
# [EDIT] Link to your Chome Extension download page. Obtained by configuring your Chrome Extension through the Zenhub Admin User Interface
- chrome_extension_webstore_url=<your_chrome_extension_url> # e.g. https://chrome.google.com/webstore/detail/your-extension-name/id
#
# [EDIT] Firefox extension UUID used to publish Firefox extensions.
# NOTE: Always use the same UUID to allow for automatic extension updates for your users
# You can find the UUID at the bottom of your extension's product page https://addons.mozilla.org/developers/
- manifest_firefox_id=zenhub-enterprise@<your_company_domain>
# GraphQL rate limit configuration.
# The default limits are a maximum of 30 concurrent requests and 90 seconds of processing per request.
# "graphql_active_operation_limit" refers to the maximum concurrent requests
# "graphql_runtime_limit_ms" refers to maximum processing time per request
# Please read this documentation for further explanation:
# https://developers.zenhub.com/graphql-api-docs/rate-limiting/index.html#concurrent-requests-limit
# https://developers.zenhub.com/graphql-api-docs/rate-limiting/index.html#processing-time-limits
- graphql_active_operation_limit=30
- graphql_runtime_limit_ms=90000
# REST API rate limit configuration.
# The default limits for the Legacy REST API are 100 requests per 60 seconds.
- rest_api_request_limit=100
- rest_api_time_limit=60
# [BETA] Built-in Zenhub email and password authentication configuration.
# Does not support password changes or email verification.
- email_pw_enabled=false
# W3ID authentication configuration
# [EDIT] (optional) Change w3id_enabled to true, then uncomment and fill out the rest of the options to enable
- w3id_enabled=false
# - w3id_client_id=<your_client_id> # e.g. hgfedcba-1234-abcd-1234-4321abcdefgh
# - w3id_default_endpoint_url=<your_default_endpoint> # e.g. https://acme.verify.ibm.com/v1.0/endpoint/default
# - w3id_issuer_url=<your_issuer_url> # e.g. https://acme.verify.ibm.com/oidc/endpoint/default
# Azure AD authentication configuration
# [EDIT] (optional) Change azure_ad_enabled to true, then uncomment and fill out the rest of the options to enable
- azure_ad_enabled=false
# - azure_ad_client_id=<your_client_id> # e.g. 12345678-abcd-1234-abcd-1234567890ab
# - azure_ad_tenant_id=<your_tenant_id> # e.g. abcdefgh-4321-abcd-4321-abcdefgh1234
# LDAP authentication configuration
# [EDIT] (optional) Change ldap_enabled to true, then uncomment and fill out the rest of the options to enable
- ldap_enabled=false
# - ldap_host=<your_ldap_host> # e.g. ldap.example.com
# - ldap_port=<your_ldap_port> # e.g. 389 for plain or 636 for ssl
# - ldap_method=<your_ldap_method> # e.g. plain or ssl
# - ldap_base=<your_ldap_base> # e.g. dc=example,dc=com
# - ldap_bind_dn=<your_ldap_bind_dn> # e.g. cn=admin,dc=example,dc=com
# - ldap_user_filter=<your_ldap_user_filter> # e.g. (&(objectclass=inetOrgPerson)(uid=%<username>s))
# SAML authentication configuration
# [EDIT] (optional) Change saml_enabled to true, then uncomment and fill out the rest of the options to enable
- saml_enabled=false
# - saml_idp_metadata_url=<your_idp_metadata_url> # Metadata URL for your Zenhub SAML App
# - saml_sp_entity_id=<your_sp_entity_id> # Unique Service Provider ID for your Zenhub SAML App
# Notion integration configuration
# [EDIT] (optional) Change notion_enabled to true, then uncomment and fill out the rest of the options to enable
- notion_enabled=false
# - notion_client_id=<your_client_id> # e.g. 1234-abcd-1234567890ab-12345678-abcd
# AI features configuration
# [EDIT] (optional) Change ai_features_enabled to true to enable AI features. Be sure to enable and configure the
# patchesStrategicMerge options/ai-features/gpu-nodepool-tolerations-and-replicas.yaml file in order to configure the AI deployment to
# tolerate the taints on your GPU node(s) and set the desired number of replicas.
- ai_features_enabled=false
# Do not create/edit zhe-urls.env file. This is managed by the configmap-generator.sh script.
- name: configuration
behavior: merge
envs:
- zhe-urls.env
secretGenerator:
- name: configuration
behavior: merge
literals:
# [EDIT] Fill in postgres_username and postgres_password for pgbouncer postgres connection pooler
- postgres_url=postgresql://<postgres_username>:<postgres_password>@pgbouncer:5432/raptor_production?sslmode=disable
# [EDIT] The full standard credentials URI for PostgreSQL to be provided to pgbouncer to make connections to postgresql
- pgbouncer_url=postgresql://<postgres_username>:<postgres_password>@<postgres_hostname>:<postgres_port>/raptor_production
# [EDIT] The full standard full credentials URI for MongoDB
- mongo_url=mongodb://<mongo_username>:<mongo_password>@<mongo_hostname>:<mongo_port>/zenhub
# [EDIT] The full standard full credentials URI for Redis
- redis_url=redis://<redis_username>:<redis_password>@<redis_hostname>:<redis_port>/0
# [EDIT] The full standard full credentials URI for Redis
- cable_redis_url=redis://<redis_username>:<redis_password>@<redis_hostname>:<redis_port>/1
# [EDIT] The full standard full credentials URI for Redis
- graphql_redis_url=redis://<redis_username>:<redis_password>@<redis_hostname>:<redis_port>/2
# [EDIT] The standard full credentials URI for RabbitMQ. Remove the 's' from amqps if not using TLS on RabbitMQ. Refer to https://www.rabbitmq.com/uri-spec.html for the proper syntax if using Virtual Hosts (vhosts).
- rabbitmq_url=amqps://<rabbitmq_username>:<rabbitmq_password>@<rabbitmq_hostname>:<rabbitmq_port>
# [EDIT] The secret for the GitHub OAuth app. See github_app_id above.
- github_app_secret=<github_oauth_app_secret>
# [EDIT] Bucket secret access key
- bucket_secret_access_key=<some-key>
# [EDIT] License Token
- enterprise_license_token=<zhe-license-jwt>
# [EDIT] Admin-UI password
- admin_ui_pass=<some_pass>
# [EDIT] (optional) Uncomment and fill to enable W3ID authentication
# - w3id_client_secret=<your_client_secret> # e.g. U75zD5Zet4
# [EDIT] (optional) Uncomment and fill to enable Azure AD authentication
# - azure_ad_client_secret=<your_client_secret> # e.g. abcd12~efgh567ijkl890mnopq123rstu456vwxyz
# [EDIT] (optional) Uncomment and fill to enable LDAP authentication
# - ldap_bind_password=<your_ldap_bind_password>
# [EDIT] (optional) Uncomment and fill to enable Notion integration
# - notion_client_secret=<your_client_secret> # e.g. secret_12345678abcd1234abcd1234567890ab
# [EDIT] Required certificate for Postgres DB SSL/TLS.
# [NOTE] Your provided certificate must be named postgres-ca.pem
- name: postgres-ca-bundle
behavior: replace
files:
- <some_path>/postgres-ca.pem
# [EDIT] Certificates for MongoDB SSL/TLS.
# [NOTE] If you use this you must add "?tls=true&tlsCAFile=/var/ca-bundle/mongo/<some_pem>" to the end of mongo_url
- name: mongo-ca-bundle
behavior: replace
files:
- <some_path>/<some_pem>
# [EDIT] If you need admin access to PgBouncer to view pools, connections, etc. and the username that you use to connect to PostgreSQL is not named "postgres".
# [EDIT] Or if you just need to tune the default PgBouncer pool size and connection limits to better suit your database.
# [EDIT] Or if password_encryption is set to scram-sha-256 on your postgres database and md5 authentication cannot be used.
# [IMPORTANT NOTE] See documentation in options/pgbouncer/README.md to make configuration changes.
# - name: pgbouncer-userlist
# files:
# - options/pgbouncer/userlist.txt
# options:
# disableNameSuffixHash: true
# - name: pgbouncer-ini
# files:
# - options/pgbouncer/pgbouncer.ini
# options:
# disableNameSuffixHash: true
- name: internal
# internal values are generated at random for new customer and taken from existing ZHE2 installation for migrating customer
behavior: merge
literals:
# NOTE:
# => If you are setting up a new Zenhub Enterprise, respect the regexp format
# on Linux, you can run the following to generate the secret as follows:
# for most secrets
# tr -dc '[:alnum:]' </dev/urandom | head -c ${1-38} ; echo ''
# for the ones requiring a hex format
# tr -dc '[:xdigit:]' </dev/urandom | head -c ${1-64} | awk '{print tolower($0)}'
# on MacOS, add LC_CTYPE=C to the beginning of the tr command
# [EDIT]
- toad_redis_password=<[:alnum:]{24}>
# [EDIT]
- raptor_redis_password=<[:alnum:]{24}>
# [EDIT]
- internal_auth_token=<[:alnum:]{38}>
# [EDIT]
- raptor_admin_password=<[:alnum:]{38}>
# [EDIT]
- crypto_pass=<[:alnum:]{38}>
# [EDIT]
- lockbox_master_key=<[:xdigit:]{64}>
# [EDIT] A random string used to seed the encryption of sensitive data in
# the Raptor database.
- secret_key_base=<[:alnum:]{42}>
# [EDIT] A random auth token string that will be passed in the headers of any internal requests
- internal_integration_auth_token=<[:alnum:]{38}>
# A random string for the Zenhub token verification service, not used on-premise
- token_verification_github_access_token=thisisrequiredbytheappbutnotusedonprem
# [EDIT] Private key used to encrypt GitHub token retrieved and cached in
# the database.
- github_token_value_key=<[:xdigit:]{64}>
# [EDIT] Secret for authenticating GitHub webhooks from Toad. This is set in your
- ghwebhook_secret=<[:alnum:]{38}>
# [EDIT] Encrypt repository ID. Part of the GitHub webhook callback URL.
- ghwebhook_pass=<[:alnum:]{38}>
# [EDIT] Should be the same value as `ghwebhook_secret` above. This
# one is used by the Raptor services.
- github_webhooks_secret=<[:alnum:]{38}>
replacements:
- path: replacement.yaml