/
values.yaml
224 lines (222 loc) · 8.14 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
# Default values for stash-enterprise.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Overrides name template
nameOverride: ""
# Overrides fullname template
fullnameOverride: ""
# Number of stash operator replicas to create (only 1 is supported)
replicaCount: 1
# License for the product.
# Get a license by following the steps from [here](https://stash.run/docs/latest/setup/install/enterprise#get-a-trial-license).
# Example:
# helm install appscode/stash-enterprise \
# --set-file license=/path/to/license/file
# or
# helm install appscode/stash-enterprise \
# --set license=<license file content>
license: ""
# Name of the ApiService to use by the addon to identify the respective service and certificate for license verification request
licenseApiService: v1beta1.admission.stash.appscode.com
# Docker registry fqdn used to pull Stash related images.
# Set this to use docker registry hosted at ${registryFQDN}/${registry}/${image}
registryFQDN: ghcr.io
operator:
# Docker registry used to pull operator image
registry: stashed
# Name of operator container image
repository: stash-enterprise
# Operator container image tag
tag: ""
# Compute Resources required by the operator container
resources: # +doc-gen:break
requests:
cpu: "100m"
# Security options the operator container should run with
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
crdInstaller:
# Docker registry of the CRD installer image. By default, it will use the same registry as the operator.
registry: ""
# Name of CRD crd installer image. Default `stash-crd-installer`
repository: stash-crd-installer
# Tag of the CRD installer image. By default, it will use the same tag as the operator.
tag: ""
# Use crd-installer job to install the Stash CRDs. Default is `true`.
enabled: true
# Security options the Prometheus pushgateway container should run with
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
pushgateway:
# Docker registry used to pull Prometheus pushgateway image
registry: prom
# Prometheus pushgateway container image
repository: pushgateway
# Prometheus pushgateway container image tag
tag: v1.4.2
# Compute Resources required by the Prometheus pushgateway container
resources: {}
# Security options the Prometheus pushgateway container should run with
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
# If you want to use a custom Pushgatway, specify its URL.
# Stash will not inject pushgatway sidecar if you set this field.
customURL: ""
cleaner:
# Docker registry used to pull Webhook cleaner image
registry: appscode
# Webhook cleaner container image
repository: kubectl
# Webhook cleaner container image tag
tag: v1.22
# Skip generating cleaner YAML
skip: false
# Security options the Prometheus pushgateway container should run with
securityContext: # +doc-gen:break
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
seccompProfile:
type: RuntimeDefault
# Specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
#
# Example:
# helm template charts/stash \
# --set imagePullSecrets[0].name=sec0 \
# --set imagePullSecrets[1].name=sec1
imagePullSecrets: []
# Container image pull policy
imagePullPolicy: IfNotPresent
# If true, installs Stash operator as critical addon
criticalAddon: false
# Log level for operator
logLevel: 3
# Annotations applied to operator deployment
annotations: {}
# Annotations passed to operator pod(s).
podAnnotations: {}
# Node labels for pod assignment
nodeSelector: # +doc-gen:break
kubernetes.io/os: linux
# Tolerations for pod assignment
tolerations: []
# Affinity rules for pod assignment
affinity: {}
# Security options the operator pod should run with.
podSecurityContext: # +doc-gen:break
fsGroup: 65535
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
apiserver:
# The minimum priority the webhook api group should have at least. Please see
# https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L58-L64
# for more information on proper values of this field.
groupPriorityMinimum: 10000
# The ordering of the webhook api inside of the group. Please see
# https://github.com/kubernetes/kube-aggregator/blob/release-1.9/pkg/apis/apiregistration/v1beta1/types.go#L66-L70
# for more information on proper values of this field
versionPriority: 15
# If true, mutating webhook is configured for Kubernetes workloads
enableMutatingWebhook: true
# If true, validating webhook is configured for Stash CRDss
enableValidatingWebhook: true
# CA certificate used by the Kubernetes api server. This field is automatically assigned by the operator.
ca: not-ca-cert
# If true, bypasses checks that validating webhook is actually enabled in the Kubernetes cluster.
bypassValidatingWebhookXray: false
# If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
useKubeapiserverFqdnForAks: true
healthcheck:
# If true, enables the readiness and liveliness probes for the operator pod.
enabled: false
servingCerts:
# If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
# to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
generate: true
# CA certficate used by serving certificate of webhook server.
caCrt: ""
# Serving certficate used by webhook server.
serverCrt: ""
# Private key for the serving certificate used by webhook server.
serverKey: ""
webhook:
failurePolicy: Ignore
monitoring:
# Name of monitoring agent (one of "prometheus.io", "prometheus.io/operator", "prometheus.io/builtin")
agent: ""
# Specify whether to monitor Stash backup and recovery
backup: false
# Specify whether to monitor Stash operator
operator: false
serviceMonitor:
# Specify the labels for ServiceMonitor.
# Prometheus crd will select ServiceMonitor using these labels.
# Only usable when monitoring agent is `prometheus.io/operator`.
labels: {}
security:
copyAuthenticationConfigMap: false
apparmor:
# `Optional:` Allows the default AppArmor profile, requires setting the default.
enabled: false
seccomp:
# `Optional:` Allows the default seccomp profile, requires setting the default.
enabled: false
# PSP names passed to operator
#
# Example:
# helm install appscode/stash \
# --set podSecurityPolicies[0]=abc \
# --set podSecurityPolicies[1]=xyz
podSecurityPolicies: # +doc-gen:break
- baseline
# PSPs are cluster-scoped resources and can't be duplicated.
# Many clusters may already include well known PSPs like "privileged" and "baseline".
createPSPs:
# Set to false to prevent chart creating "privileged" PSP.
privileged: true
# Set to false to prevent chart creating "baseline" PSP.
baseline: true
platform:
# Set true, if installed in OpenShift
openshift: false
# Network volume accessor configurations
netVolAccessor:
# CPU resource for each network volume accessor deployment
cpu: 100m
# Memory for each network volume accessor deployment
memory: 128Mi
# Run the network volume accessor with this UID.
runAsUser: 2000
# Run the network volume accessor deployments in privileged mode
privileged: false