-
Notifications
You must be signed in to change notification settings - Fork 57
/
values.yaml
308 lines (278 loc) · 12.6 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
---
# Note to contributors:
# We use helm-docs to generate README.md from comments in this file, so the
# tool should be run again when values.yaml is modified. We appreciate PRs
# that include this change, but you don't have to.
# However we wish to preserve ordering and not sort the whole list by
# alphanumeric order, because it doesn't suit well new users.
# So please use this command if you run it:
# $ helm-docs --sort-values-order file
# -- Override Kubernetes version detection ; usefull with "helm template"
kubeVersion: ""
# -- Extra labels to add on chart resources
extraLabels: {}
# -- Partially override x509-certificate-exporter.fullname template (will prepend the release name)
nameOverride: ""
# -- Fully override x509-certificate-exporter.fullname template
fullnameOverride: ""
# -- Specify docker-registry secret names as an array
imagePullSecrets: []
image:
# -- x509-certificate-exporter image registry
registry: docker.io
# -- x509-certificate-exporter image repository
repository: enix/x509-certificate-exporter
# -- x509-certificate-exporter image tag (defaults to Chart appVersion)
tag:
# -- Suffix added to image tags for container flavor selection (could be `-busybox`, `-alpine`, or `-scratch`)
tagSuffix:
# -- x509-certificate-exporter image pull policy
pullPolicy: IfNotPresent
psp:
# -- Should Pod Security Policy resources be created
create: false
rbac:
# -- Should RBAC resources be created
create: true
secretsExporter:
# -- Name of the ServiceAccount for the Secrets exporter (required if `rbac.create=false`)
serviceAccountName:
# -- Annotations added to the ServiceAccount for the Secrets exporter
serviceAccountAnnotations: {}
# -- Annotations added to the ClusterRole for the Secrets exporter
clusterRoleAnnotations: {}
# -- Annotations added to the ClusterRoleBinding for the Secrets exporter
clusterRoleBindingAnnotations: {}
hostPathsExporter:
# -- Name of the ServiceAccount for hostPath exporters (required if `rbac.create=false`)
serviceAccountName:
# -- Annotations added to the ServiceAccount for the hostPath exporters
serviceAccountAnnotations: {}
# -- Annotations added to the ClusterRole for the hostPath exporters
clusterRoleAnnotations: {}
# -- Annotations added to the ClusterRoleBinding for the hostPath exporters
clusterRoleBindingAnnotations: {}
# -- Extra labels added to all Pods
podExtraLabels: {}
# -- Annotations added to all Pods
podAnnotations: {}
# prometheus.io/port: "9793"
# prometheus.io/scrape: "true"
# -- Enable additional metrics to report per-certificate errors ; helps with identifying read errors origin not having to look at exporter logs, at the expense of additional storage on Prometheus
exposePerCertificateErrorMetrics: false
# -- Enable additional metrics with relative durations instead of absolute timestamps ; not recommended with Prometheus
exposeRelativeMetrics: false
# -- (list) Restrict metric labels to this list if set. **Warning** : use with caution as reducing cardinality may yield metrics collisions and force the exporter to ignore certificates. This will also degrade the usability of the Grafana dashboard. This list should always include at least `filepath`, `secret_namespace` and `secret_name`. Also `subject_CN` is highly recommended for when a file contains multiple certificates.
metricLabelsFilterList: null
secretsExporter:
# -- Should the TLS Secrets exporter be running
enabled: true
# -- Should debug messages be produced by the TLS Secrets exporter
debugMode: false
# -- Desired number of TLS Secrets exporter Pod
replicas: 1
# -- restartPolicy for Pods of the TLS Secrets exporter
restartPolicy: Always
# -- DeploymentStrategy for the TLS Secrets exporter
strategy: {}
# -- ResourceRequirements for containers of the TLS Secrets exporter
# @default -- check `values.yaml`
resources:
limits:
cpu: 200m
memory: 150Mi
requests:
cpu: 20m
memory: 20Mi
# -- Node selector for Pods of the TLS Secrets exporter
nodeSelector: {}
# -- Toleration for Pods of the TLS Secrets exporter
tolerations: []
# -- Affinity for Pods of the TLS Secrets exporter
affinity: {}
# -- Extra labels added to Pods of the TLS Secrets exporter
podExtraLabels: {}
# -- Annotations added to Pods of the TLS Secrets exporter
podAnnotations: {}
# -- PodSecurityContext for Pods of the TLS Secrets exporter
podSecurityContext: {}
# -- SecurityContext for containers of the TLS Secrets exporter
# @default -- check `values.yaml`
securityContext:
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
# -- Which type of Secrets should be watched ; "key" is the map key in the secret data
# @default -- check `values.yaml`
secretTypes:
- type: kubernetes.io/tls
key: tls.crt
# -- Restrict the list of namespaces the TLS Secrets exporter should scan for certificates to watch (all namespaces if empty)
includeNamespaces: []
# -- Exclude namespaces from being scanned by the TLS Secrets exporter (evaluated after `includeNamespaces`)
excludeNamespaces: []
# -- Only watch TLS Secrets having these labels (all secrets if empty). Items can be keys such as `my-label` or also require a value with syntax `my-label=my-value`.
includeLabels: []
# -- Exclude TLS Secrets having these labels. Items can be keys such as `my-label` or also require a value with syntax `my-label=my-value`.
excludeLabels: []
cache:
# -- Enable caching of Kubernetes resources to prevent scraping timeouts
enabled: true
# -- Maximum time a resource can stay in cache unrefreshed (seconds) - it will be at least half of that
maxDuration: 300
hostPathsExporter:
# -- Should debug messages be produced by hostPath exporters (default for all hostPathsExporter.daemonSets)
debugMode: false
# -- restartPolicy for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
restartPolicy: Always
# -- updateStrategy for DaemonSet of hostPath exporters (default for all hostPathsExporter.daemonSets)
updateStrategy: {}
# -- ResourceRequirements for containers of hostPath exporters (default for all hostPathsExporter.daemonSets)
# @default -- check `values.yaml`
resources:
limits:
cpu: 100m
memory: 40Mi
requests:
cpu: 10m
memory: 20Mi
# -- Node selector for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
nodeSelector: {}
# -- Toleration for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
tolerations: []
# -- Affinity for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
affinity: {}
# -- Extra labels added to Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
podExtraLabels: {}
# -- Annotations added to Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
podAnnotations: {}
# -- PodSecurityContext for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets)
podSecurityContext: {}
# -- SecurityContext for containers of hostPath exporters (default for all hostPathsExporter.daemonSets)
# @default -- check `values.yaml`
securityContext:
runAsUser: 0
runAsGroup: 0
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
# -- [SEE README] List of directory paths of the host to scan for PEM encoded certificate files to be watched and exported as metrics (one level deep)
watchDirectories: []
# -- [SEE README] List of file paths of the host for PEM encoded certificates to be watched and exported as metrics (one level deep)
watchFiles: []
# -- [SEE README] List of Kubeconf file paths of the host to scan for embedded certificates to export metrics about
watchKubeconfFiles: []
# -- [SEE README] Map to define one or many DaemonSets running hostPath exporters. Key is used as a name ; value is a map to override all default settings set by `hostPathsExporter.*`.
daemonSets: {}
rbacProxy:
# -- Should kube-rbac-proxy be used to expose exporters
enabled: false
image:
# -- kube-rbac-proxy image registry
registry: quay.io
# -- kube-rbac-proxy image repository
repository: coreos/kube-rbac-proxy
# -- kube-rbac-proxy image version
tag: v0.5.0
# -- kube-rbac-proxy image pull policy
pullPolicy: IfNotPresent
# -- Listen port for the exporter running inside kube-rbac-proxy exposed Pods
upstreamListenPort: 9091
# -- ResourceRequirements for all containers of kube-rbac-proxy
# @default -- check `values.yaml`
resources:
limits:
cpu: 20m
memory: 40Mi
requests:
cpu: 10m
memory: 20Mi
# -- SecurityContext for all containers of kube-rbac-proxy
# @default -- check `values.yaml`
securityContext:
runAsUser: 65534
runAsGroup: 65534
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
# -- TCP port to expose Pods on (whether kube-rbac-proxy is enabled or not)
podListenPort: 9793
# -- Enable hostNetwork mode. Useful when Prometheus is deployed outside of the Kubernetes cluster
hostNetwork: false
service:
# -- Should a headless Service be installed, targets all instances Deployment and DaemonSets (required for ServiceMonitor)
create: true
# -- TCP port to expose the Service on
port: 9793
# -- Annotations to add to the Service
annotations: {}
# -- Extra labels to add to the Service
extraLabels: {}
prometheusServiceMonitor:
# -- Should a ServiceMonitor ressource be installed to scrape this exporter. For prometheus-operator (kube-prometheus) users.
create: true
# -- Target scrape interval set in the ServiceMonitor
scrapeInterval: 60s
# -- Target scrape timeout set in the ServiceMonitor
scrapeTimeout: 30s
# -- Extra labels to add on ServiceMonitor ressources
extraLabels: {}
# -- Relabel config for the ServiceMonitor, see: https://coreos.com/operators/prometheus/docs/latest/api.html#relabelconfig
relabelings: []
prometheusPodMonitor:
# -- Should a PodMonitor ressource be installed to scrape this exporter. For prometheus-operator (kube-prometheus) users.
create: false
# -- Target scrape interval set in the PodMonitor
scrapeInterval: 60s
# -- Target scrape timeout set in the PodMonitor
scrapeTimeout: 30s
# -- Extra labels to add on PodMonitor ressources
extraLabels: {}
# -- Relabel config for the PodMonitor, see: https://coreos.com/operators/prometheus/docs/latest/api.html#relabelconfig
relabelings: []
prometheusRules:
# -- Should a PrometheusRule ressource be installed to alert on certificate expiration. For prometheus-operator (kube-prometheus) users.
create: true
# -- Should the X509ExporterReadErrors alerting rule be created to notify when the exporter can't read files or authenticate with the Kubernetes API. It aims at preventing undetected misconfigurations and monitoring regressions.
alertOnReadErrors: true
# -- Severity for the X509ExporterReadErrors alerting rule
readErrorsSeverity: warning
# -- Should the CertificateError alerting rule be created to notify when the exporter can't decode or process a certificate. Depends on `exposePerCertificateErrorMetrics` to be enabled too.
alertOnCertificateErrors: true
# -- Severity for the CertificateError alerting rule
certificateErrorsSeverity: warning
# -- Severity for the CertificateRenewal alerting rule
certificateRenewalsSeverity: warning
# -- Severity for the CertificateExpiration alerting rule
certificateExpirationsSeverity: critical
# -- Raise a warning alert when this little days are left before a certificate expiration (cert-manager would renew Let's Encrypt certs before day 29)
warningDaysLeft: 28
# -- Raise a critical alert when this little days are left before a certificate expiration (two weeks to deal with ACME rate limiting should this be an issue)
criticalDaysLeft: 14
# -- Extra labels to add on PrometheusRule ressources
extraLabels: {}
# -- Extra labels to add on PrometheusRule rules
alertExtraLabels: {}
# -- Extra rulePrefix to PrometheusRule rules
rulePrefix: ""
# -- Skip all built-in alerts when using extraAlertGroups
disableBuiltinAlertGroup: false
# -- Additional alert groups for custom configuration (example in `values.yaml`)
extraAlertGroups: []
# - name: custom.rules
# rules:
# - alert: X509ExporterReadErrorsCustom
# expr: x509_read_errors > 0
# for: 30m
# labels:
# severity: warning
# annotations:
# summary: Error events exist for this x509-certificate-exporter
# description: This x509-certificate-exporter instance has experienced parse errors in the past.
# -- Extra objects to deploy with the release
extraDeploy: []