-
Notifications
You must be signed in to change notification settings - Fork 775
/
values.yaml
910 lines (812 loc) · 29.1 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
## Fission chart configuration
##
## serviceType to consider while creating Fission Controller service.
## For minikube/kind, set this to NodePort, elsewhere use LoadBalancer or ClusterIP.
##
serviceType: ClusterIP
## routerServiceType to consider while creating Fission Router service.
## For minikube, set this to NodePort, elsewhere use LoadBalancer or ClusterIP.
##
routerServiceType: LoadBalancer
## repository represents base repository for images used in the chart.
## Keep it empty for using existing local image
##
repository: ghcr.io
## image represents the base image fission-bundle used by multiple Fission components.
## We alter arguments to the image to run a particular component.
##
image: fission/fission-bundle
## imageTag represents the tag of the base image fission-bundle used by multiple Fission components.
## It is also used by the chart to identify version of the few more images apart from fission-bundle.
## Keep it empty for using latest tag.
##
imageTag: v1.19.0-rc2
## pullPolicy represents the pull policy to use for images in the chart.
##
pullPolicy: IfNotPresent
## imageppullsecrets
imagePullSecrets: []
## priorityClassName represents the priority class name to use for Fission components.
## Refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
## executor.priorityClassName takes precedence over this value for executor.
## router.priorityClassName takes precedence over this value for router.
##
priorityClassName: ""
## terminationMessagePath is the path at which the pod termination message will be written.
## executor.terminationMessagePath takes precedence over this value for executor.
## router.terminationMessagePath takes precedence over this value for router.
##
terminationMessagePath: /dev/termination-log
## terminationMessagePolicy is the policy for the termination message.
## executor.terminationMessagePolicy takes precedence over this value for executor.
## router.terminationMessagePolicy takes precedence over this value for router.
##
terminationMessagePolicy: File
## controllerPort represents the port at which the Fission controller service should be exposed.
##
controllerPort: 31313
## routerPort represents the port at which the Fission Router service should be exposed.
##
routerPort: 31314
## defaultNamespace represents the namespace in which Fission custom resources will be created by the Fission user.
## This is different from the release namespace.
## Please consider setting `additionalFissionNamespaces` if you want more than one namespace to be used for Fission custom resources.
##
defaultNamespace: default
## builderNamespace represents the namespace in which Fission Builder resources will be created.
## if builderNamespace is set to empty then builder resources will be created in the same namespace as the Fission resources.
## This is different from the release namespace.
##
builderNamespace: ""
## functionNamespace represents the namespace in which Fission Function resources will be created.
## if functionNamespace is set to empty then function resources will be created in the same namespace as the Fission resources.
## This is different from the release namespace.
##
functionNamespace: ""
## Fission will watch the following namespaces along with the `defaultNamespace` for fission custom resources.
## additionalFissionNamespaces:
## - namespace1
## - namespace2
## - namespace3
additionalFissionNamespaces: []
## createNamespace decides to create namespaces by the chart.
## If set to true, functionNamespace and builderNamespace namespaces mentioned above will be created by the chart.
## Set to false if you want to create the namespaces manually.
##
createNamespace: true
## enableIstio indicates whether to enable istio integration.
##
enableIstio: false
## fetcher is a light weight component that helps in running functions.
## fetcher helps in fetching function source code/build and uploading it when function is invoked.
##
fetcher:
## image represents the image of the fetcher component.
image: fission/fetcher
## imageTag represents the tag of the image of the fetcher component.
imageTag: v1.19.0-rc2
## Fetcher is only for to downloading or uploading archive.
## Normally, you don't need to change the value here, unless necessary.
##
resource:
## cpu represents the cpu resource required by the fetcher component.
##
cpu:
requests: "10m"
## Low CPU limits will increases the function specialization time.
limits: ""
## mem represents the memory resource required by the fetcher component.
##
mem:
requests: "16Mi"
limits: ""
## executor is responsible for providing resources to your functions.
##
executor:
## executor priorityClassName
## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
## Recommended to use system-cluster-critical for executor pods.
##
priorityClassName: ""
## terminationMessagePath is the path at which the file to which the executor will write a message upon termination.
##
terminationMessagePath: ""
## terminationMessagePolicy is the policy for the executor termination message.
##
terminationMessagePolicy: ""
## adoptExistingResources decides whether to adopt existing resources when executor restarts or Fission is redeployed.
##
adoptExistingResources: false
## podReadyTimeout represents the timeout in seconds for waiting for pod to become ready.
## This is applicable to Pool Manager executor type only.
##
podReadyTimeout: 300s
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## Object Reaper
## objectReaperInterval (seconds) represents GLOBAL interval to run process that reaps objects after certain idle time.
## Also you can set different objectReaperInterval for specific executor type. See poolmgs/newdeploy/container section
## Default: 5 (in seconds)
##
objectReaperInterval: 5
poolmgr: {}
## objectReaperInterval specific to poolmgr executor type
##
## objectReaperInterval: 5
newdeploy: {}
## objectReaperInterval specific to newdeploy executor type
##
## objectReaperInterval: 5
container: {}
## objectReaperInterval specific to container executor type
##
## objectReaperInterval: 5
serviceAccountCheck:
## enables fission to create service account, roles and rolebinding for missing permission for builder and fetcher.
enabled: true
## indicates the time interval in minutes, after that fission will create service account, roles and rolebinding for builder and fetcher.
## interval will be applicable only if enable value is set to true.
## default timing will be 0 minutes. That means check will run only once.
## if you want to run check every 30 minutes then set interval to 30.
interval: 0
## router is responsible for routing function calls to the appropriate function.
##
router:
## router priorityClassName
## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
## Recommended to use system-cluster-critical for router pods.
##
priorityClassName: ""
## terminationMessagePath is the path at which the file to which the router will write a message upon termination.
##
terminationMessagePath: ""
## terminationMessagePolicy is the policy for the router termination message.
##
terminationMessagePolicy: ""
## deployAsDaemonSet decides whether to deploy router as a DaemonSet or a Deployment.
##
deployAsDaemonSet: false
## replicas decides how many router pods to deploy. Only used when deployAsDaemonSet is false.
##
replicas: 1
## svcAddressMaxRetries is the max times for router to retry with a specific function service address
##
svcAddressMaxRetries: 5
## svcAddressUpdateTimeout is the timeout setting for a goroutine to wait for the update of a service entry.
##
svcAddressUpdateTimeout: 30s
## unTapServiceTimeout is the timeout used in the request context of unTapService.
## unTapService is called to free up the resources once the function invocation is done.
##
unTapServiceTimeout: 3600s
## displayAccessLog display endpoing access logs
## Please be aware of enabling logging endpoint access log, it increases
## router resource utilization when under heavy workloads.
##
displayAccessLog: false
## svcAnnotations is the annotations to be added to the service resource created for router.
##
# svcAnnotations:
# cloud.google.com/load-balancer-type: Internal
## useEncodedPath decideds to match encoded path.
## If true, "/foo%2Fbar" will match the path "/{var}";
## Otherwise, it will match the path "/foo/bar".
## For details, see: https://github.com/fission/fission/issues/1317
##
useEncodedPath: false
roundTrip:
## If true, router will disable the HTTP keep-alive which result in performance degradation.
## But it ensures that router can redirect new coming requests to new function pods.
##
## If false, router will enable transport keep-alive feature for better performance.
## However, the drawback is it takes longer to switch to newly created function pods
## if using newdeploy as executor type for function. If you want to preserve the
## performance while keeping the short switching time to new function, you can create
## an environment with short grace period by setting flag "--graceperiod" (default 360s),
## so that kubernetes will be able to reap old function pod quickly.
##
## For details, see https://github.com/fission/fission/issues/723
##
disableKeepAlive: false
## keepAliveTime is period for an active network connection to function pod.
##
keepAliveTime: 30s
## timeout is HTTP transport request timeout
##
timeout: 50ms
## The length of request timeout will multiply with timeoutExponent after each retry
##
timeoutExponent: 2
## maxRetries defines no of retries of a failed request
##
maxRetries: 10
## Extend the container specs for the core fission pods.
## Can be used to add things like affinity/tolerations/nodeSelectors/etc.
## For example:
## extraCoreComponentPodConfig:
## affinity:
## nodeAffinity:
## requiredDuringSchedulingIgnoredDuringExecution:
## nodeSelectorTerms:
## - matchExpressions:
## - key: capability
## operator: In
## values:
## - app
##
#extraCoreComponentPodConfig:
# affinity:
# tolerations:
# nodeSelector:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## The builder manager watches the package & environments CRD changes and manages the builds of function source code.
##
buildermgr:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## controller is the component that the client talks to.
## It contains CRUD APIs for functions, triggers, environments, Kubernetes event watches, etc. and proxy APIs to internal 3rd-party services.
##
controller:
enabled: false
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## webhook is the component that validates API calls.
## It contains validation and mutation for functions, triggers, environments, Kubernetes event watches, etc.
##
webhook:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
certManager:
enabled: false
caBundlePEM: |
crtPEM: |
keyPEM: |
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## kubewatcher watches the Kubernetes API and invokes functions associated with watches, sending the watch event to the function.
##
kubewatcher:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## The storage service is the home for all archives of packages with sizes larger than 256KB.
##
storagesvc:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Archive pruner removes archives from storage which are not referenced by any package.
archivePruner:
enabled: true
## Run prune routine at interval (in minutes)
interval: 60
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## The timer works like kubernetes CronJob but instead of creating a pod to do the task
## It sends a request to router to invoke the function.
##
timer:
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## Kafka: enable and configure the details
##
kafka:
enabled: false
## note: below link is only for reference.
## Please use the brokers link for your kafka here.
##
brokers: "broker.kafka:9092" # or your-bootstrap-server.kafka:9092/9093
## Sample config for authentication
## authentication:
## tls:
## enabled: true
## caCert: 'auth/kafka/ca.crt'
## userCert: 'auth/kafka/user.crt'
## userKey: 'auth/kafka/user.key'
##
authentication:
tls:
enabled: false
## InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name.
## Warning: Setting this to true, makes TLS susceptible to man-in-the-middle attacks
##
insecureSkipVerify: false
## path to certificate containing public key of CA authority
##
caCert: ""
## path to certificate containing public key of the user signed by CA authority
##
userCert: ""
## path to private key of the user
##
userKey: ""
## version of Kafka broker
## For 0.x it must be a string in the format
## "major.minor.veryMinor.patch" example: 0.8.2.0
## For 1.x it must be a string in the format
## "major.major.veryMinor" example: 2.0.1
## Should be >= 0.11.2.0 to enable Kafka record headers support
##
# version: "0.11.2.0"
# The following components expose Prometheus metrics and have servicemonitors in this chart (disabled by default)
# Controller, router, executor, storage svc
serviceMonitor:
enabled: false
##namespace in which you want to deploy servicemonitor
##
namespace: ""
## Map of additional labels to add to the ServiceMonitor resources
# to allow selecting specific ServiceMonitors
# in case of multiple prometheus deployments
additionalServiceMonitorLabels: {}
# release: "monitoring"
# key: "value"
# The following components expose Prometheus metrics and have podmonitors in this chart (disabled by default)
#
podMonitor:
enabled: false
##namespace in which you want to deploy podmonitor
##
namespace: ""
## Map of additional labels to add to the PodMonitor resources
# to allow selecting specific PodMonitor
# in case of multiple prometheus deployments
additionalPodMonitorLabels: {}
# release: "monitoring"
# key: "value"
## Persist data to a persistent volume.
##
persistence:
## If true, fission will create/use a Persistent Volume Claim unless storageType is set to s3
## If false, use emptyDir
##
enabled: true
## Must be set to either local or S3.
## If storateType is set(other than local), one of its backend configuration must be set as below.
##
#storageType: local | s3
## Sample configuration for AWS s3 storage backend
##
# s3:
# bucketName: <awsBucketName>
# subDir: <sub directory within a bucket>
# accessKeyId: <awsAccessKeyId>
# secretAccessKey: <awsSecretAccessKey>
# region: <awsRegion>
## For Minio and other s3 compatible storage systems set endPoint property
# endPoint: <s3StorageUrl>
## A manually managed Persistent Volume Claim name
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
##
# existingClaim:
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
accessMode: ReadWriteOnce
size: 8Gi
## Extend the container specs for the core fission pods.
## Can be used to add things like affinity/tolerations/nodeSelectors/etc.
## For example:
## extraCoreComponentPodConfig:
## affinity:
## nodeAffinity:
## requiredDuringSchedulingIgnoredDuringExecution:
## nodeSelectorTerms:
## - matchExpressions:
## - key: capability
## operator: In
## values:
## - app
##
#extraCoreComponentPodConfig:
# affinity:
# tolerations:
# nodeSelector:
## Analytics let us count how many people installed fission. Set to
## false to disable analytics.
##
analytics: true
## Internally used for generating an analytics job for non-helm installs
##
analyticsNonHelmInstall: false
## Google Analytics Tracking ID
##
gaTrackingID: UA-196546703-1
## Logger config
## This would be used if influxdb is enabled
##
logger:
influxdbAdmin: "admin"
fluentdImageRepository: index.docker.io
fluentdImage: fluent/fluent-bit
fluentdImageTag: 1.8.8
## Fluent-bit writes/reads it’s own sqlite database to record a history of tracked
## files and a state of offsets, this is very useful to resume a state if the ser-
## vice is restarted. For Kubernetes environment with constraints like OpenShift,
## the containers are limited to write hostPath volume. Hence, we have to enable
## security context and set privileged to true.
##
enableSecurityContext: false
## Enable PodSecurityPolicies to allow privileged container
## Only required in some clusters and when enableSecurityContext is true
##
podSecurityPolicy:
enabled: false
## Configure additional capabilities
##
additionalCapabilities:
# example values for linkerd
#- NET_RAW
#- NET_ADMIN
## Enable InfluxDB
##
influxdb:
enabled: false
image: influxdb:1.8
## Allow user to override busybox image used in fluent-bit init container
##
busyboxImage: busybox
## Archive pruner is a garbage collector for archives on the fission storage service.
## This interval configures the frequency at which it runs inside the storagesvc pod.
## The value is in minutes.
##
preUpgradeChecks:
## Run pre-install/pre-upgrade checks if true
##
enabled: true
## pre-install/pre-upgrade checks live in this image
##
image: fission/pre-upgrade-checks
## pre-install/pre-upgrade checks image version
##
imageTag: v1.19.0-rc2
## Fission post-install/post-upgrade reporting live in this image
##
postInstallReportImage: fission/reporter
## If there are any pod specialization errors when a function is triggered, the error
## summary is returned as part of http response if this is set to true.
##
debugEnv: false
## Prometheus related configuration to query metrics
##
prometheus:
## please assign the prometheus service URL
## that is accessible by Fission components.
## This is mainly used to enable canary deployment.
##
serviceEndpoint: ""
canaryDeployment:
## set this flag to true if you need canary deployment feature
enabled: false
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Security Context
## It holds pod-level and container level security configuration.
## This is an experimental section, please verify before enabling in production.
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
securityContext:
enabled: true
## Mark it false, if you want to stop the non root user validation
runAsNonRoot: true
fsGroup: 10001
runAsUser: 10001
runAsGroup: 10001
## Enable authentication for fission function invocation via Fission router
##
authentication:
## set this flag to true if you need authentication
## for all function invocations
## default 'false'
##
enabled: false
## authUriPath defines authentication endpoint path
## via router
## default '/auth/login'
##
authUriPath:
## authUsername is used as a username for authentication
## default 'admin'
##
authUsername: admin
## jwtSigningKey is the signing key used for
## signing the JWT token
##
jwtSigningKey: serverless
## jwtExpiryTime is the JWT expiry time
## in seconds
## default '120'
##
jwtExpiryTime:
## jwtIssuer is the issuer of JWT
## default 'fission'
##
jwtIssuer: fission
## OpenTelemetry is a set of tools for collecting, analyzing, and visualizing
## distributed tracing data across function calls.
##
openTelemetry:
## Use this flag to set the collector endpoint for OpenTelemetry.
## The variable is endpoint of the collector in the format shown below.
## otlpCollectorEndpoint: "otel-collector.observability.svc:4317"
##
otlpCollectorEndpoint: ""
## Set this flag to false if you are using secure endpoint for the collector.
##
otlpInsecure: true
## Key-value pairs to be used as headers associated with gRPC or HTTP requests to the collector.
## Eg. otlpHeaders: "key1=value1,key2=value2"
##
otlpHeaders: ""
## Supported samplers:
## always_on - Sampler that always samples spans, regardless of the parent span's sampling decision.
## always_off - Sampler that never samples spans, regardless of the parent span's sampling decision.
## traceidratio - Sampler that samples probabalistically based on rate.
## parentbased_always_on - (default if empty) Sampler that respects its parent span's sampling decision, but otherwise always samples.
## parentbased_always_off - Sampler that respects its parent span's sampling decision, but otherwise never samples.
## parentbased_traceidratio - Sampler that respects its parent span's sampling decision, but otherwise samples probabalistically based on rate.
## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration
##
tracesSampler: "parentbased_traceidratio"
## Each Sampler type defines its own expected input, if any.
## Currently we get trace ratio for the case of,
## 1. traceidratio
## 2. parentbased_traceidratio
## Sampling probability, a number in the [0..1] range, e.g. "0.1". Default is 0.1.
##
tracesSamplingRate: "0.1"
## Supported providers:
## tracecontext - W3C Trace Context
## baggage - W3C Baggage
## b3 - B3 Single
## b3multi - B3 Multi
## jaeger - Jaeger uber-trace-id header
## xray - AWS X-Ray (third party)
## ottrace - OpenTracing Trace (third party)
## none - No tracing
## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration
##
propagators: "tracecontext,baggage"
## Message Queue Trigger Kind, KEDA: enable and configuration
##
mqt_keda:
enabled: true
connector_images:
kafka:
image: fission/keda-kafka-http-connector
tag: v0.11
rabbitmq:
image: fission/keda-rabbitmq-http-connector
tag: v0.10
awskinesis:
image: fission/keda-aws-kinesis-http-connector
tag: v0.10
aws_sqs:
image: fission/keda-aws-sqs-http-connector
tag: v0.10
nats_steaming:
image: fission/keda-nats-streaming-http-connector
tag: v0.12
nats_jetstream:
image: fission/keda-nats-jetstream-http-connector
tag: v0.2
gcp_pubsub:
image: fission/keda-gcp-pubsub-http-connector
tag: v0.5
redis:
image: fission/keda-redis-http-connector
tag: v0.3
## Pod resources as:
## resources:
## limits:
## cpu: <tbd>
## memory: <tbd>
## requests:
## cpu: <tbd>
## memory: <tbd>
##
resources: {}
## Enable Pprof based profiling used mostly by Fission developers
##
pprof:
enabled: false
## Enable runtimePodSpec and add spec to your poolmgr or newdeploy pods
##
runtimePodSpec:
## Setting it false by default so that integration tests pass
##
enabled: false
## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#runtime
##
podSpec:
## Default podspec to improve security of the pods
##
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
## Enable builderPodSpec and add spec to your env builder pods
##
builderPodSpec:
## Setting it false by default so that integration tests pass
##
enabled: false
## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#builder
##
podSpec:
## Default podspec to improve security of the pods
##
securityContext:
fsGroup: 10001
runAsGroup: 10001
runAsNonRoot: true
runAsUser: 10001
## Enable Grafana Dashboard configmaps for auto dashboard provisioning
## If you use kube-prometheus stack for monitoring, these will get imported into grafana
grafana:
## The namespace in which grafana pod is present
namespace: monitoring
dashboards:
## Disabled by default. switch to true to deploy them
enable: false