deploy-templates/values.yaml

## edp-install configuration
## Ref: https://github.com/epam/edp-install
##
##

global:
   # -- platform type that can be "kubernetes" or "openshift"
  platform: "kubernetes"
  # -- a cluster DNS wildcard name
  dnsWildCard:
  # -- Can be gerrit, github or gitlab. Default: github
  gitProviders:
    - github
    # - gitlab
    # - gerrit

  # Define the Image Registry that will be used in Pipelines.
  # This section is optional, and users can configure the registry within the EDP Portal user interface.
  # Ref: https://epam.github.io/edp-install/user-guide/manage-container-registries/#add-container-registry
  #
  # For example to integrate platform with ecr and publish image under 'edp' prefix:
  # dockerRegistry:
  #   type: "ecr"
  #   url: "<aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com"
  #   space: "edp"
  #   awsRegion: "eu-central-1"
  # As a result all image artifacts are published under "<aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com/edp/simple-project:0.1.0-SNAPSHOT.1"
  #
  # For example to integrate platform with harbor and publish image under 'edp' project name:
  # dockerRegistry:
  #   type: "harbor"
  #   url: "registry.example.com"
  #   space: "edp"
  # As a result all image artifacts are published under https://registry.example.com/edp/simple-project
  #
  # For example to integrate platform with dockerhub and publish image under 'my_user' account:
  # dockerRegistry:
  #   type: "dockerhub"
  #   url: "docker.io"
  #   space: "my_user"
  # As a result all image artifacts are published under https://hub.docker.com/repository/docker/my_user
  #
  # For example to integrate platform with openshift and publish image under 'edp' project name:
  # dockerRegistry:
  #   type: "openshift"
  #   url: "image-registry.openshift-image-registry.svc:5000"
  #   space: "edp"
  # By default, Kubernetes Service Account has the ability to push images to the registry
  # within the namespace where EDP is installed.
  # Ref: https://github.com/epam/edp-tekton/blob/master/charts/pipelines-library/templates/resources/rolebinding-tekton-registry-editor.yaml
  #
  # For example to integrate platform with nexus and publish image under 'edp' project name:
  # dockerRegistry:
  #   type: "nexus"
  #   url: "nexus-container.example.com"
  #   space: "edp"
  # As a result all image artifacts are published under https://nexus-container.example.com/edp
  #
  # For example to integrate platform with GitHub container registry and publish image under 'my_user' project name:
  # dockerRegistry:
  #   type: "ghcr"
  #   url: "ghcr.io"
  #   space: "my_user"
  # As a result all image artifacts are published under https://github.com/users/my_user/packages/container/package/simple-project
  dockerRegistry:
    # -- Defines type of registry. One of `ecr`, `harbor`, `dockerhub`, `openshift`, `nexus` or `ghcr`.
    # 'openshift' registry is available only in case if platform is deployed on the OpenShift cluster and the variable global.platform is set to 'openshift'.
    type: ""
    # Below is an example of endpoint values for each registry type:
    # type:      | url
    # =============================
    # ecr        | <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com
    # harbor     | <registry.example.com>
    # dockerhub  | 'docker.io'
    # openshift  | <image-registry.openshift-image-registry.svc:5000>
    # nexus      | <nexus-container.example.com>
    # ghcr       | 'ghcr.io'
    # -- Defines registry endpoint URL.
    url: ""
    # Below is a description of space values for each registry type:
    # type:      | description
    # =================================================
    # ecr        | The suffix project name in registry.
    # harbor     | The project name in registry.
    # dockerhub  | The user account id or community user account id with push permission.
    # openshift  | The project name in registry.
    # nexus      | The project name in registry.
    # ghcr       | The user account id or community user account id with push permission.
    # -- Defines project name.
    space: ""
    # -- Defines the geographic area where the (AWS) Elastic Container Registry repository is hosted (optional). E.g. "eu-central-1".
    # Mandatory if 'global.dockerRegistry.type=ecr' for kaniko build-task.
    # Ref: https://github.com/epam/edp-tekton/blob/release/0.10/charts/pipelines-library/templates/tasks/kaniko.yaml#L73
    awsRegion: ""

# Configure External Secrets Operator to provision secrets for Platform and/or EDP. Required External Secrets Operator deployment: https://epam.github.io/edp-install/operator-guide/install-external-secrets-operator/
# https://external-secrets.io/latest/provider-aws-secrets-manager/
# Description of secrets that can be created using this approach - available in the documentation: https://epam.github.io/edp-install/operator-guide/external-secrets-operator-integration/
externalSecrets:
  # -- Configure External Secrets for EDP platform. Deploy SecretStore. Default: false
  enabled: false
  # -- Defines provider type. One of `aws` or `generic`.
  type: "aws"
  secretProvider:
    aws:
      # -- Use AWS as a Secret Provider. Can be ParameterStore or SecretsManager
      service: ParameterStore
      # -- IAM Role to be used for Accessing AWS either Parameter Store or Secret Manager. Format: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE_NAME>
      role:
      # -- AWS Region where secrets are stored, e.g. eu-central-1
      region: eu-central-1

    generic:
       # Defines Secret Store configuration. Used when externalSecrets.type is set to "generic".
      secretStore:
        # -- Defines SecretStore name.
        name: "example-secret-store"
        # -- Defines SecretStore provider configuration.
        providerConfig: {}
        #  gcpsm:
        #    projectID: "alphabet-123"

  # When installing EDP, three secrets must be created: ci-argocd, ci-defectdojo, ci-dependency-track, kaniko-docker-config and other.
  # see https://github.com/epam/edp-install/tree/master/deploy-templates/templates/external-secrets, https://epam.github.io/edp-install/operator-guide/external-secrets-operator-integration
  # manageEDPInstallSecrets creates required secrets using ExternalSecretOperator
  # Ensure external secret source is configured properly
  # -- Create necessary secrets for EDP installation, using External Secret Operator
  manageEDPInstallSecrets: true
  # -- Value name in AWS ParameterStore or AWS SecretsManager. Used when manageEDPInstallSecrets is true
  manageEDPInstallSecretsName: /edp/deploy-secrets

annotations: {}

codebase-operator:
  enabled: true
  # image:
  #   repository: epamedp/codebase-operator
  #   tag:
  # envs:
  #   - name: RECONCILATION_PERIOD
  #     value: "360"  # The value should be typed in minutes
  #   # Maximum number of parallel reconciliation codebasebranches
  #   - name: CODEBASE_BRANCH_MAX_CONCURRENT_RECONCILES
  #     value: 3
  # jira:
  #   integration: false
  #   name: "jira"
  #   apiUrl: "https://jiraeu-api.example.com"
  #   rootUrl: "https://jiraeu.example.com"
  #   credentialName: "ci-jira"

cd-pipeline-operator:
  enabled: true
  # image:
  #   repository: epamedp/cd-pipeline-operator
  #   tag:
  # -- Defines the type of the tenant engine that can be "none", "kiosk" or "capsule";
  # for Stages with external cluster tenancyEngine will be ignored. Default: none
  tenancyEngine: "none"
  # -- Required tenancyEngine: capsule. Specify Capsule Tenant specification for Environments.
  capsuleTenant:
    # Enable Capsule Tenant creation as a part of cd-pipeline-operator deployment. Active if tenancyEngine="capsule"
    create: true
    spec:
    #   ingressOptions:
    #     allowWildcardHostnames: false
    #     allowedHostnames:
    #       # Enable restriction pattern for ingress hostname creation.
    #       allowedRegex: ^.*example.com$
    #     hostnameCollisionScope: Tenant
    #   limitRanges:
    #     items:
    #       - limits:
    #            # Default limits for cintainer if not specified in upstream manifest
    #           - default:
    #               cpu: 256m
    #               memory: 512Mi
    #             # Default requests for cintainer if not specified in upstream manifest
    #             defaultRequest:
    #               cpu: 128m
    #               memory: 128Mi
    #             type: Container
    #         # Manage PVC creation
    #       - limits:
    #           - max:
    #               storage: 0Gi
    #             min:
    #               storage: 0Gi
    #             type: PersistentVolumeClaim
    #   # Maximum count of namespace to be created by cd-pipeline-operator
    #   namespaceOptions:
    #     quota: 3
    #   networkPolicies:
    #     items:
    #       - ingress:
    #           - from:
    #               - namespaceSelector:
    #                   matchLabels:
    #                     # Please fill namespace for match selector
    #                     capsule.clastix.io/tenant: <namespace>
    #               - podSelector: {}
    #               - ipBlock:
    #                   cidr: 172.16.0.0/16
    #         podSelector: {}
    #         policyTypes:
    #           - Ingress
    #   resourceQuotas:
    #     items:
    #       - hard:
    #           limits.cpu: 512m
    #           limits.memory: 512Mi
    #       - hard:
    #           # Maximum count of pods to be deployed
    #           pods: '5'
    #     scope: Tenant
    #   serviceOptions:
    #     allowedServices:
    #       # Restrict 'externalName', 'LoadBalancer' and 'NodePort' service type creation
    #       externalName: false
    #       loadBalancer: false
    #       nodePort: false

  # -- should the operator manage(create/delete) namespaces for stages
  # Refer to the guide for managing namespace (https://epam.github.io/edp-install/operator-guide/namespace-management/)
  manageNamespace: true

  # -- Flag indicating whether the operator should manage secrets for stages.
  # This parameter controls the provisioning of the 'regcred' secret within deployed environments, facilitating access to private container registries.
  # Set the parameter to "none" under the following conditions:
  #   - If 'global.dockerRegistry.type=ecr' and IRSA is enabled, or
  #   - If 'global.dockerRegistry.type=openshift'.
  # For private registries, choose the most appropriate method to provide credentials to deployed environments. Refer to the guide for managing container registries (https://epam.github.io/edp-install/user-guide/manage-container-registries/).
  # Possible values: own/eso/none.
  #   - own: Copies the secret once from the parent namespace, without subsequent reconciliation. If updated in the parent namespace, manual updating in all created namespaces is required.
  #   - eso: The secret will be managed by the External Secrets Operator (requires installation and configuration in the cluster: https://epam.github.io/edp-install/operator-guide/install-external-secrets-operator/).
  #   - none: Disables secrets management logic.
  secretManager: own

gerrit-operator:
  enabled: false
  # image:
  #   repository: epamedp/gerrit-operator
  #   tag:
  # gerrit:
  #   deploy: true
  #   name: "gerrit"
  #   image: "openfrontier/gerrit"
  #   version:
  #   imagePullSecrets:
  #   storage:
  #     size: 1Gi
  #     class: gp2
  # gerrit:
  #   # Provide external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
  #   ingress:
  #     # -- Enable external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
  #     annotations: {}
  #     # --  pathType is only for k8s >= 1.1=
  #     pathType: Prefix
  #     # --  For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  #     # --  See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  #     # ingressClassName: nginx
  #     tls: []
  #     #  - secretName: chart-example-tls
  #     #    hosts:
  #     #      - gerrit-edp.example.com

edp-headlamp:
  enabled: true
  ingress:
    # -- Enable external endpoint access. Default Ingress/Route host pattern: portal-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
    enabled: true
    # -- Annotations for Ingress resource
    annotations:
      {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    # -- Hostname(s) for the Ingress resource
    # -- Ingress TLS configuration
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - portal-edp.example.com
  config:
    # -- base url path at which headlamp should run
    baseURL: ""
    # -- Ensure that the specified client is associated with cluster OIDC integration.
    # -- For detailed instructions, refer to: https://epam.github.io/edp-install/operator-guide/configure-keycloak-oidc-eks/, https://epam.github.io/edp-install/operator-guide/headlamp-oidc/
    oidc:
      # Enable OIDC integration. Default: false
      enabled: false
      # -- Keycloak URL
      keycloakUrl: "https://keycloak.example.com"
      # -- OIDC client ID
      clientID: ""
      # -- OIDC client secret name
      clientSecretName: "keycloak-client-headlamp-secret"
      # -- OIDC client secret key
      clientSecretKey: "clientSecret"
      # -- OIDC issuer realm
      issuerRealm: ""
      # -- OIDC scopes to be used
      scopes: ""
  # image:
  #   repository: epamedp/edp-headlamp
  #   tag:

edp-tekton:
  enabled: true

  tekton-cache:
    # Deploy tekton-cache helm-chart.
    enabled: true
    # Tekton cache endpoint for pipeline-library helm chart. See charts/pipelines-library/templates/resources/cm-tekton-cache.yaml
    # url: http://tekton-cache:8080

  dashboard:
    # -- Deploy Tekton Dashboard as a part of pipeline library when true. Default: true
    # -- WARNING: Default deployment of the dashboard does not involve any proxy and may be accessible to the public.
    # -- To enable proxy protect use openshift_proxy or sso.enabled sections.
    # -- More details:
    # -- https://epam.github.io/edp-install/operator-guide/oauth2-proxy/
    enabled: true

    # -- Define mode for Tekton Dashboard. Enable/disaable capability to create/modify/remove Tekton objects via Tekton Dashboard. Default: false.
    readOnly: false

    # -- Make it possible to use openshift as OIDC provider to hide tekton-dashboard.
    # -- Only for openshift deploy scenario,
    # -- For EKS scenario - uncomment dashboard.ingress.annotations block
    # -- More details:
    # -- https://epam.github.io/edp-install/operator-guide/oauth2-proxy/?h=#enable-oauth2-proxy-on-tekton-dashboard
    openshift_proxy:
      # -- Enable oauth-proxy to include authorization layer on tekton-dashboard. Default: flase
      enabled: false

    ingress:
      # -- Enable external endpoint access. Default Ingress/Route host pattern: tekton-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
      enabled: true
      # -- Annotations for Ingress resource
      annotations: {}
        # -- Uncomment it to enable tekton-dashboard OIDC on EKS cluster
        # nginx.ingress.kubernetes.io/auth-signin: 'https://<oauth-ingress-host>/oauth2/start?rd=https://$host$request_uri'
        # nginx.ingress.kubernetes.io/auth-url: 'http://oauth2-proxy.edp.svc.cluster.local:8080/oauth2/auth'
      tls: []
      #  - secretName: chart-example-tls
      #    hosts:
      #      - tekton-edp.example.com
  # GitServers configuration section
  # GitServer creation depends on the gitProviders configuration, if gitProvider is not enabled,
  # the GitServer will not be created.
  gitServers: {}
  #   my-github:
  #     gitProvider: github
  #     host: github.com
  #     webhook:
  #       skipWebhookSSLVerification: false
  #     eventListener:
  #       # -- Enable EventListener
  #       enabled: true
  #       # -- EventListener resources
  #       resources:
  #         requests:
  #           memory: "64Mi"
  #           cpu: "50m"
  #         limits:
  #           memory: "128Mi"
  #           cpu: "500m"
  #       # -- Node labels for EventListener pod assignment
  #       nodeSelector: {}
  #       # -- Tolerations for EventListener pod assignment
  #       tolerations: []
  #       # -- Affinity for EventListener pod assignment
  #       affinity: {}

  #       ingress:
  #         # -- Enable ingress controller resource
  #         enabled: true
  #         # -- Ingress annotations
  #         annotations: {}
  #         # -- Ingress TLS configuration
  #         tls: []

  #   my-gitlab:
  #     gitProvider: gitlab
  #     host: gitlab.com
  #     webhook:
  #       skipWebhookSSLVerification: false
  #     eventListener:
  #       # -- Enable EventListener
  #       enabled: true
  #       # -- EventListener resources
  #       resources:
  #         requests:
  #           memory: "64Mi"
  #           cpu: "50m"
  #         limits:
  #           memory: "128Mi"
  #           cpu: "500m"
  #       # -- Node labels for EventListener pod assignment
  #       nodeSelector: {}
  #       # -- Tolerations for EventListener pod assignment
  #       tolerations: []
  #       # -- Affinity for EventListener pod assignment
  #       affinity: {}

  #       ingress:
  #         # -- Enable ingress controller resource
  #         enabled: true
  #         # -- Ingress annotations
  #         annotations: {}
  #         # -- Ingress TLS configuration
  #         tls: []

  #   my-gerrit:
  #     gitProvider: gerrit
  #     host: gerrit.example.com
  #     gitUser: ci-user
  #     httpsPort: 443
  #     nameSshKeySecret: gerrit-ciuser-sshkey
  #     sshPort: 30022
  #     webhook:
  #       skipWebhookSSLVerification: false
  #     eventListener:
  #       # -- Enable EventListener
  #       enabled: true
  #       # -- EventListener resources
  #       resources:
  #         requests:
  #           memory: "64Mi"
  #           cpu: "50m"
  #         limits:
  #           memory: "128Mi"
  #           cpu: "500m"
  #       # -- Node labels for EventListener pod assignment
  #       nodeSelector: {}
  #       # -- Tolerations for EventListener pod assignment
  #       tolerations: []
  #       # -- Affinity for EventListener pod assignment
  #       affinity: {}

  #       ingress:
  #         # -- Enable ingress controller resource
  #         enabled: true
  #         # -- Ingress annotations
  #         annotations: {}
  #         # -- Ingress TLS configuration
  #         tls: []

# SSO (OAuth2-proxy) configuration section
# The section configures the OAuth2-proxy for single Sign-On (SSO) protection of application endpoints.
#
# More details on setup and deployment:
# - https://epam.github.io/edp-install/operator-guide/oauth2-proxy/
#
# OAuth2-proxy requires Keycloak and Keycloak-operator are properly configured before deployment.
# Ref:
# - https://epam.github.io/edp-install/operator-guide/install-keycloak/
# - https://github.com/epam/edp-cluster-add-ons
# - https://github.com/epam/edp-keycloak-operator
sso:
  # -- Install OAuth2-proxy and Keycloak CRs as a part of EDP deployment.
  enabled: false

  keycloakOperatorResources:
    # Set to false if using the add-ons approach (refer to https://github.com/epam/edp-cluster-add-ons)
    # for EDP installation and if the extension-oidc is already installed.
    # This prevents the creation of an additional Keycloak resource and secret.
    # The 'kind' and 'name' must be specified in case of using an existing Keycloak/ClusterKeycloak resource.
    # Create kind: Keycloak as a part of chart installation
    createKeycloakCR: true
    # Can be Keycloak or ClusterKeycloak.
    kind: Keycloak
    # Name of kind: Keycloak/ClusterKeycloak CR.
    name: main

  # -- Defines the Keycloak realm name, which by default is named after the namespace where EDP is deployed.
  # realmName: edp
  # -- Defines Keycloak sso realm name that is used as the Identity Provider (IdP) realm
  ssoRealmName: "broker"
  # -- Defines Keycloak client name that is used for the Identity Provider (IdP) client
  ssoClientName: "edp"
  # -- Keycloak URL.
  keycloakUrl: https://keycloak.example.com/auth
  # -- Administrators of your tenant.
  admins:
    - "stub_user_one@example.com"
  # -- Developers of your tenant
  developers:
    - "stub_user_one@example.com"
    - "stub_user_two@example.com"

  # Oauth2-proxy image
  image:
    # -- OAuth2-proxy image repository
    repository: quay.io/oauth2-proxy/oauth2-proxy
    # -- OAuth2-proxy image tag
    tag: v7.4.0

  # Create a cookie-secret with the following command:
  # 'openssl rand -base64 32 | head -c 32 | base64'
  # Use an existing secret for OAuth2 cookie-secret
  existingSecret:
    # -- Secret name which stores cookie-secret
    secretName: oauth2-proxy-cookie-secret
    # -- Secret key which stores cookie-secret
    secretKey: cookie-secret

  # -- Additional container environment variables
  extraEnv: []
  # -- Extra arguments to provide to the OAuth2-proxy
  extraArgs: {}

  # -- Additional volumes to be added to the OAuth2-proxy pod
  extraVolumes: []
  #  - name: custom-ca
  #    secret:
  #      defaultMode: 420
  #      secretName: custom-ca

  # -- Additional volumeMounts to be added to the OAuth2-proxy container
  extraVolumeMounts: []
  #  - name: custom-ca
  #    mountPath: /etc/ssl/certs/CA.crt
  #    readOnly: true
  #    subPath: CA.crt

  ingress:
    # -- Enable ingress controller resource
    enabled: true
    # -- Additional ingress annotations
    annotations: {}
    # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
    pathType: Prefix

    # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
    # Ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
    # -- Defines which ingress controller will implement the resource, e.g. nginx
    ingressClassName: ""
    # -- Ingress TLS configuration
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  # -- Node labels for pod assignment
  nodeSelector: {}
  # -- Toleration labels for pod assignment
  tolerations: []
  # -- Affinity settings for pod assignment
  affinity: {}

# -- Define platform Quick Links, more details: https://github.com/epam/edp-codebase-operator/
# @default -- ``
quickLinks:
#   argocd: ""
#   defectdojo: ""
#   dependency_track: ""
#   docker_registry: ""
#   grafana: ""
#   kibana: ""
#   nexus: ""
#   sonar: ""

# -- Define extra Quick Links, more details: https://github.com/epam/edp-codebase-operator/
extraQuickLinks: {}
  # - prometheus:
  #     url: https://ingress-prometheus.example.com
  #     visible: true
  #     icon: icon_in_base64
  # - another_tool:
  #     url: https://ingress-anothertool.example.com
  #     visible: true
  #     icon: icon_in_base64

# -- Array of extra K8s manifests to deploy
extraObjects: []
  # - apiVersion: external-secrets.io/v1beta1
  #   kind: ExternalSecret
  #   metadata:
  #     name: example-secret-1
  #   spec:
  #     data:
  #       - remoteRef:
  #           key: /edp/deploy-secrets
  #           property: example-secret-1.username
  #         secretKey: username
  #       - remoteRef:
  #           key: /edp/deploy-secrets
  #           property: example-secret-1.password
  #         secretKey: password
  #     secretStoreRef:
  #       kind: SecretStore
  #       name: example-parameterstore
  # - |
  #       apiVersion: external-secrets.io/v1beta1
  #       kind: ExternalSecret
  #       metadata:
  #         name: example-secret-2
  #       spec:
  #         data:
  #           - remoteRef:
  #               key: /edp/deploy-secrets
  #               property: example-secret-2.username
  #             secretKey: username
  #           - remoteRef:
  #               key: /edp/deploy-secrets
  #               property: example-secret-2.password
  #             secretKey: password
  #         secretStoreRef:
  #           kind: SecretStore
  #           name: example-parameterstore