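# Default values for snyk-broker.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

##### Snyk Specific Values #####
# Broker Token is a value from Snyk. Get this from the integration settings page or your Snyk Representative
# This is a credential: keep the default empty in version control and supply
# the real value at install time from an untracked values file or a secret store.
brokerToken: ""
# brokerClientUrl is the address of the broker. This needs to be the address of itself. In the case of Kubernetes, you need to ensure that you are pointing to the cluster ingress you have setup.
# Ex: http://kubernetes-ingress.domain.com:8000
# NOTE(review): the example is plain http; when TLS is configured
# (brokerIngress.tls or enableBrokerLocalWebserverOverHttps) this would
# presumably be an https:// URL - confirm.
brokerClientUrl: ""
# Do not touch unless directed by a Snyk Representative
brokerServerUrl: "https://broker.snyk.io"

# `enabled` belongs to each parent mapping below; at column 0 the two
# `enabled` keys would collide as duplicate top-level keys.
preflightChecks:
  enabled: true

highAvailabilityMode:
  enabled: false

# NOTE(review): the flattened listing does not show whether this key sits at
# top level or under highAvailabilityMode; placed at top level - confirm
# against the chart templates.
brokerDispatcherUrl: "https://api.snyk.io"
# This number is only used if highAvailabilityMode.enabled is true
replicaCount: 2
# Adds additional labels to broker deployment
labels: {}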
##### SCM Generic #####
# scmType is used to define the Source Control that you are connecting to.
# Allowed values for scmType:
# GitHub.com: github-com
# GitHub Enterprise: github-enterprise
# Bitbucket: bitbucket-server
# GitLab: gitlab
# Azure Repos: azure-repos
# Artifactory: artifactory
# Nexus: nexus
# Nexus2: nexus2
# Jira: jira
# Jira with bearer auth: jira-bearer-auth
# Container Registry Agent: container-registry-agent
scmType: "github-com"
# scmToken is used for SCMs that require a personal Access Token: GitHub & Gitlab
# Credential: do not commit a real token here. Issue it with only the scopes
# the integration needs so a leaked value has limited reach.
scmToken: ""
# scmTokenPool is used by credential pooling for SCMs that require a personal Access Token: GitHub & Gitlab
# Credential material as well; the same handling as scmToken applies.
scmTokenPool: ""
# useExternalSecretScmTokenPool forces credential pooling for SCMs, e.g. by using Secrets Store CSI Driver (default is false).
# With an external secret source the tokens do not need to appear in Helm values at all.
useExternalSecretScmTokenPool: false
##### Github Enterprise #####
# The host values in this section are bare hostnames (no scheme), as each comment states.
# GHE URL - Ex: your.ghe.domain.com (do not prepend HTTPS) - For GHE Cloud use api.github.com
github: ""
# GHE API Address - do not prepend HTTPS
githubApi: ""
# GHE Graph QL Address - do not prepend HTTPS
githubGraphQl: ""
##### Bitbucket Server #####
# Bitbucket Username (Bitbucket-server type only)
bitbucketUsername: ""
# Bitbucket Password (Bitbucket-server type only)
# Credential: keep empty in version control; prefer a dedicated service
# account over a personal login.
bitbucketPassword: ""
# Bitbucket Pat (Bitbucket-server-bearer-auth type only)
# Credential. NOTE(review): "bitbucket-server-bearer-auth" is not among the
# allowed scmType values listed in this file - confirm the value is accepted.
bitbucketPat: ""
# Bitbucket URL - do not prepend HTTPS
bitbucket: ""
# Bitbucket API URL - do not prepend HTTPS
bitbucketApi: ""
##### GitLab #####
# Gitlab URL - do not prepend HTTPS
gitlab: ""
##### Azure Repos #####
# Azure Repos Organization
azureReposOrg: ""
# Azure Repos Hostname - do not prepend HTTPS
azureReposHost: ""
# Azure Repos Token
# Credential: do not commit; scope the token to the repositories that are integrated.
azureReposToken: ""
##### Artifactory #####
# Artifactory URL - do not prepend HTTPS
# NOTE(review): if this URL carries embedded credentials, treat the whole
# value as a secret - confirm the expected format.
artifactoryUrl: ""
##### Nexus 2 & 3 #####
# Unlike the hostname-only values elsewhere in this file, the Nexus URLs include the scheme.
# Nexus Base URL - include HTTPS
baseNexusUrl: ""
# Nexus URL - include HTTPS
nexusUrl: ""
# Nexus Validation URL, checked by broker client systemcheck endpoint.
brokerClientValidationUrl: ""
##### Jira #####
# Jira Username
jiraUsername: ""
# Jira Password
# Credential: keep empty in version control.
jiraPassword: ""
# Jira PAT (for Bearer auth):
# Credential: keep empty in version control.
jiraPat: ""
# Jira Hostname - do not prepend HTTPS
jiraHostname: ""
##### Container Registry Agent #####
# Container Registry Type. See Documentation for allowed values
crType: ""
# Container Registry Base URL - do not prepend HTTPS
crBase: ""
# Container Registry Username
crUsername: ""
# Container Registry Password
# Credential: keep empty in version control; a read-only (pull) registry
# account limits the impact of a leak.
crPassword: ""
# Container Role ARN (Only for ECR)
crRoleArn: ""
# Container Region (Only for ECR)
crRegion: ""
# Container External ID (Only for ECR)
crExternalId: ""
# Container Authentication Token (Only for DigitalOcean)
# Credential: keep empty in version control.
crToken: ""
# CRA Image tag. Do not adjust unless instructed by Snyk Representative
# NOTE(review): "latest" is a mutable tag, so the image that runs can change
# between pod restarts; record the resolved digest if deployments must be auditable.
crImage: "latest"
##### Code Agent #####
# Set to 'true' to enable Code Agent
# The default is an empty string, not a YAML boolean.
enableCodeAgent: ""
# Only adjust this value if advised to by Snyk Representative. Used to upload content to non-standard environment.
# Source code is uploaded to this destination, so an override needs the same
# scrutiny as any other data-egress change.
upstreamUrlCodeAgent: ""
# Snyk API token. Allows Code Agent to upload source code. Group > Settings > Service Accounts
# Credential: use a service-account token (as the path above indicates), never
# a personal token, and keep it out of version control.
snykToken: ""
# CA Image Tag. Do not touch unless instructed by Snyk Representative
# NOTE(review): "latest" is a mutable tag; the image that runs can change between pod restarts.
caImage: "latest"
# Only adjust this value if advised to by Snyk Representative. This is the URL of the Snyk Code Agent. This helm chart already connects everything.
gitClientUrl: ""
##### Snyk Code Local Engine #####
# Set to 'true' to enable Snyk Code Local Engine
# The default is an empty string, not a YAML boolean.
enableSnykCodeLocalEngine: ""
##### Logging #####
# Default Log Level. Can be set to "debug" for more information
logLevel: "info"
# Add additional logging by setting to true
# The value is the string "false", not a YAML boolean.
# NOTE(review): presumably this logs request/response bodies, which can
# contain source code or tokens - confirm, and restrict access to the log
# sink before enabling it.
logEnableBody: "false"
##### Enable HTTPS #####
# To enable broker client to run a HTTPS server enable enableBrokerLocalWebserverOverHttps flag and also provide location of HTTPS_CERT and HTTPS_KEY
enableBrokerLocalWebserverOverHttps: false
# Location of mounted cert
httpsCert: ""
# Location of mounted HTTPS key
# Both values are locations of mounted files, not key material; the private
# key itself should come from a Kubernetes Secret mounted into the pod.
httpsKey: ""
##### HTTPS Inspection #####
# Not supported by Snyk Container Registry Agent or Snyk Code Agent (use tlsRejectUnauthorized instead). Location of mounted custom certificate. To allow visibility for SSL Inspection.
caCert: ""
# NOTE(review): undocumented here; presumably the file-based counterpart of caCert - confirm.
caCertFile: ""
# Set to "0" to disable trust validation when using self signed certificates.
# With validation off, the affected connections accept any certificate and
# lose protection against on-path interception. Prefer trusting the specific
# CA via caCert where the component supports it, and audit any environment
# that sets "0".
tlsRejectUnauthorized: ""
##### Use behind proxy #####
# Do not change unless advised by your Snyk Representative. You probably need to use HTTPS proxy setting and leave this blank. - HTTP Proxy URL
httpProxy: ""
# HTTPS Proxy URL - This will apply to both Snyk Broker and Snyk Code Agent
# If the proxy URL embeds credentials, treat the value as a secret.
httpsProxy: ""
# No Proxy URL - This will apply to both Snyk Broker and Snyk Code Agent
noProxy: ""
# For custom accept.json, specify the path to the accept.json using the --set-file command when installing the chart
# accept.json is the broker's request filter (allow-list); review a custom
# file so it permits no more paths or methods than the integration needs.
acceptJson: ""
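##### Broker Image Parameters #####
# The nested keys below were flattened to column 0 in the listing; they are
# re-indented under their parent mappings here.
image:
  repository: snyk/broker
  crRepository: snyk/container-registry-agent
  caRepository: snyk/code-agent
  pullPolicy: Always
  # Overrides the image tag. If left empty the latest version is used
  # NOTE(review): an empty tag combined with pullPolicy Always means each pod
  # start can pull a different image; set an explicit tag when deployments
  # must be reproducible and auditable.
  tag: ""

##### Broker Image Pull Secrets Parameters #####
imagePullSecrets: []
# - name: registrySecretName

# Health and System Check Paths for the broker
# The anchors let the probe definitions reuse these paths. In the lines shown
# here only &healthCheckPath is referenced by an alias.
healthCheckPath: &healthCheckPath "/healthcheck"
systemCheckPath: &systemCheckPath "/systemcheck"

# Configure K8s Liveness and Readiness Probes for broker
brokerLivenessProbe:
  enabled: true
  path: *healthCheckPath
  config:
    initialDelaySeconds: 3
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3

brokerReadinessProbe:
  enabled: true
  path: *healthCheckPath
  config:
    initialDelaySeconds: 3
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 3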
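##### Broker Resource Values #####
# limits/requests and their cpu/memory children were flattened to column 0 in
# the listing (colliding as duplicate keys); the nesting is restored here.
# Requests equal limits in every block below, and the limits also bound what a
# misbehaving container can consume on its node.
brokerResources:
  limits:
    cpu: 1
    memory: "256Mi"
  requests:
    cpu: 1
    memory: "256Mi"

##### Container Registry Agent Resource Values #####
crResources:
  limits:
    cpu: 1
    memory: "2Gi"
  requests:
    cpu: 1
    memory: "2Gi"

##### Code Agent Resource Values #####
caResources:
  limits:
    cpu: 1
    memory: "2Gi"
  requests:
    cpu: 1
    memory: "2Gi"
    # NOTE(review): the flattened listing does not show whether `storage`
    # belongs under `requests` or directly under `caResources`; placed under
    # `requests` (its nearest preceding parent) - confirm against the chart
    # templates.
    storage: "2Gi"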
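##### Ports for Broker, Code Agent, Container Registry Agent #####
# Nesting restored from a flattened listing.
# NOTE(review): all three ports are placed under deployment.container -
# confirm against the chart templates.
deployment:
  container:
    containerPort: 8000
    crSnykPort: 8081
    caSnykPort: 3000

nameOverride: ""
fullnameOverride: ""

##### Service Account Values. Nothing to change here #####
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: "snyk-broker"

podAnnotations: {}

# Pod-level security settings are empty by default; the container-level
# securityContext* values in this file carry the hardening.
podSecurityContext: {}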
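##### Security Context #####
# These can be adjusted at your own risk.
# Nesting restored from a flattened listing, where the three contexts collapsed
# into duplicate top-level keys.
# All three contexts drop every Linux capability, forbid privilege escalation
# and run as non-root UID 1000. Relaxing any of these widens what a
# compromised container can do.
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  runAsNonRoot: true
  runAsUser: 1000

# The "Cr" and "Ca" suffixes follow the crResources / caResources naming
# (Container Registry Agent, Code Agent). Both leave the root filesystem
# writable, unlike the broker context above.
securityContextCr:
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000

securityContextCa:
  capabilities:
    drop:
      - ALL
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000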
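##### Service Types #####
# If you prefer to adjust how communication to the cluster occurs, these values can be adjusted
# ClusterIP keeps each service reachable only from inside the cluster; a type
# that exposes the port externally should be paired with TLS and network
# restrictions.
# Nesting restored from a flattened listing: `crType` here must be nested,
# since a top-level `crType` (the registry type) already exists in this file.
service:
  # Snyk Broker
  brokerType: ClusterIP
  # Container Registry Agent
  crType: ClusterIP
  # Code Agent
  caType: ClusterIP
  port: 8000
  # NOTE(review): the flattened listing does not show whether `tls` belongs
  # under `service` or at top level; placed under `service` - confirm against
  # the chart templates.
  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local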
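##### Optionally Deploy a Broker Ingress Resource #####
# Nesting restored from a flattened listing; every key below belongs to
# brokerIngress.
brokerIngress:
  enabled: false
  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  ingressClassName: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  labels: {}
  path: /
  pathType: Prefix
  # The placeholder must be replaced before enabling the ingress.
  hosts:
    - <ENTER_BROKER_CLIENT_URL> # Must match the Broker client url
  ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  extraPaths: []
  # - path: /*
  #   backend:
  #     serviceName: ssl-redirect
  #     servicePort: use-annotation
  ## Or for k8s > 1.19
  # - path: /*
  #   pathType: Prefix
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation
  # With tls left empty the ingress is rendered without a TLS section, so
  # configure it whenever brokerClientUrl is an https:// address.
  tls: [] # If configured to use https for BROKER_CLIENT_URL
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local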
##### Extra K8s resources, Volumes and VolumeMounts
# These are useful when there is a need to introduce additional K8s resources (Drivers, Volumes, etc.) into the mix.
# Secrets Store CSI Driver is one perfect example that can utilize these
# NOTE(review): presumably these values are rendered into the release as
# given, so review overrides like any other manifest change - confirm against
# the chart templates.
extraObjects: []
extraVolumes: []
extraVolumeMounts: []
# The three keys below have no value, so they parse as null rather than as
# empty mappings.
extraContainerSpecs:
extraPodSpecs:
# Example for extraPodSpecs:
# tolerations:
#   - key: "networking/something"
#     operator: "Equal"
#     value: "internal-pods"
#     effect: "NoSchedule"
# nodeSelector:
#   networking.company.com/network-segment: internal-pods
extraPodSpecsCr:
# As above, for Container Registry Agent
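##### The Broker is designed to work with multiple replicas (min 2, max 4) only with High Availability mode enabled.
# Nesting restored from a flattened listing, where `enabled` collided with
# other top-level keys of the same name.
# Autoscaling is off by default. Per the line above, enable it only together
# with highAvailabilityMode.enabled.
autoscaling:
  enabled: false
  minReplicas: 2
  maxReplicas: 4
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80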