-
Notifications
You must be signed in to change notification settings - Fork 64
/
values.yaml
187 lines (164 loc) · 5.4 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
image:
repository: ghcr.io/ratify-project/ratify
crdRepository: ghcr.io/ratify-project/ratify-crds
tag: v1.3.1
pullPolicy: IfNotPresent
nameOverride: ""
fullnameOverride: ""
replicaCount: 1
affinity: {}
tolerations: []
notationCerts: []
cosignKeys: []
notation:
enabled: true
cosign:
enabled: true
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
rekorURL: ""
tLogVerify: true
keyless:
ctLogVerify: true
certificateIdentity: ""
certificateIdentityRegExp: ""
certificateOIDCIssuer: ""
certificateOIDCIssuerRegExp: ""
vulnerabilityreport:
enabled: false
passthrough: false
schemaURL: ""
createdAnnotationName: ""
maximumAge: ""
notaryProjectSignatureRequired: false
disallowedSeverities: []
denylistCVEs: []
sbom:
enabled: false
notaryProjectSignatureRequired: false
disallowedLicenses: []
disallowedPackages: []
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 600m
memory: 512Mi
serviceAccount:
create: true
name: ratify-admin
# Annotations to add to the service account
annotations: {}
gatekeeper:
version: "3.17.0"
namespace: # default is gatekeeper-system
instrumentation:
metricsEnabled: true
metricsType: prometheus
metricsPort: 8888
# Can be used to authenticate to:
# ACR -> oras.authProviders.azureWorkloadIdentityEnabled
# Key Vault -> azurekeyvault.enabled
azureWorkloadIdentity:
clientId:
azureManagedIdentity:
clientId:
tenantId:
azurekeyvault:
enabled: false
vaultURI:
tenantId:
certificates: []
keys: []
refreshInterval:
alibabacloudAcrConfig:
defaultInstanceId:
acrInstancesConfig: []
oras:
useHttp: false
authProviders:
azureWorkloadIdentityEnabled: false
azureManagedIdentityEnabled: false
k8secretsEnabled: false
awsEcrBasicEnabled: false
awsApiOverride:
enabled: false
endpoint: ""
partition: "" # defaults to aws
region: ""
alibabacloudAcrBasicEnabled: false
cache:
# Please tune your cache parameters to get better performance on the Oras Store performance.
enabled: true # ttl-based cache may cause inconsistency between cache and data source, please disable it if strong consistency is required.
ttl: 10 # in seconds
provider:
tls:
crt: "" # crt used by ratify (httpserver), please provide your own crt
key: "" # key used by ratify (httpserver), please provide your own key
caCert: "" # CA crt used by ratify (httpserver), please provide your own CA crt
caKey: "" # CA key used by ratify (httpserver), please provide your own CA key
cabundle: "" # base64 encoded CA bundle used for the 'caBundle' property for the ratify provider within gatekeeper
timeout:
# timeout values must match gatekeeper webhook timeouts
validationTimeoutSeconds: 5
mutationTimeoutSeconds: 2
cache:
enabled: true # enable ratify wide cache
type: ristretto # cache type, currently only ristretto(default) and redis are supported
cacheSizeMb: 256 # max size of the cache in MB
ttl: 10s # cache ttl duration
name: "" # state-store name for dapr cache, defaults to redis
enableMutation: true # enableMutation allows ratify to mutate image tag to image digest. It is highly recommended to enable mutation since the verified digest may be different from the one run.
podAnnotations: {}
podLabels: {}
enableRuntimeDefaultSeccompProfile: true
healthPort: 9099
rbac:
create: true
upgradeCRDs:
enabled: true
extraRules: []
crds:
affinity: {}
tolerations: []
nodeSelector: { kubernetes.io/os: linux }
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
policy:
useRego: false # Set to true if Rego Policy would be used for evaluation.
logger:
formatter: "text" # Formatter can be set to `text`, `json` or `logstash`. Default to `text` if not specified.
level: "info" # Default to `info` if not specified.
requestHeaders:
traceIDHeaderName: # List of headers that include the trace ID in the external data requests to Ratify. The same headers will be passed to upstream services like remote registries.
- "" # e.g. Set it to `x-ms-correlation-request-id` to trace across Azure.
# See https://ratify.dev/docs/reference/usage#feature-flags for a list of available feature flags
featureFlags:
# RATIFY_FEATURE_NAME: true
# RATIFY_CERT_ROTATION enables rotation for TLS certificates.
RATIFY_CERT_ROTATION: false
# RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY enables high availability mode including distributed caching.
RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY: false
notationCert: "" # DEPRECATED: Use notationCerts instead
akvCertConfig: # DEPRECATED: Use azurekeyvault instead
enabled: false # DEPRECATED: Use azurekeyvault.enabled instead
vaultURI: # DEPRECATED: Use azurekeyvault.vaultURI instead
cert1Name: # DEPRECATED: Use azurekeyvault.certificates instead
cert1Version: # DEPRECATED: Use azurekeyvault.certificates instead
cert2Name: # DEPRECATED: Use azurekeyvault.certificates instead
cert2Version: # DEPRECATED: Use azurekeyvault.certificates instead
certificates: # DEPRECATED: Use azurekeyvault.certificates instead
tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead
# env: environment variables for ratify container
env: []
# - name: https_proxy
# value: http://proxy-server:80