This repository has been archived by the owner on Jan 19, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 12
/
values.yaml
149 lines (131 loc) · 7.07 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
replicaCount: 1
image:
repository: docker.io/keptncontrib/job-executor-service
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
subscription:
pubsubTopic: "sh.keptn.event.test.triggered,sh.keptn.event.deployment.triggered,sh.keptn.event.evaluation.triggered,sh.keptn.event.release.triggered,sh.keptn.event.approval.triggered,sh.keptn.event.action.triggered" # Sets the events the service subscribes to
jobexecutorserviceinitcontainer:
image:
repository: docker.io/keptncontrib/job-executor-service-initcontainer # Container Image Name
tag: "" # Container Tag
distributor:
stageFilter: "" # Sets the stage this helm service belongs to
serviceFilter: "" # Sets the service this helm service belongs to
projectFilter: "" # Sets the project this helm service belongs to
image:
repository: docker.io/keptn/distributor # Container Image Name
pullPolicy: IfNotPresent # Kubernetes Image Pull Policy
tag: "0.17.0" # Container Tag
config:
queueGroup:
enabled: true # Enable connection via Nats queue group to support exactly-once message processing
securityContext: # Settings for the default security context of the distributor
runAsNonRoot: true
runAsUser: 65532
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
remoteControlPlane:
topicSubscription: "sh.keptn.event.test.triggered,sh.keptn.event.deployment.triggered,sh.keptn.event.evaluation.triggered,sh.keptn.event.release.triggered,sh.keptn.event.approval.triggered" # Specify list of CloudEvents to subscribe to in the case of remote control plane
autoDetect: # The auto-detection feature enables helm to query the API token from the Keptn installation, no api.token, api.protocol, api.hostname must be specified
enabled: false # Enable of the auto-detection of the Keptn install
namespace: "" # If multiple instances of Keptn are installed, the namespace of the target instance must be given
api:
protocol: "http" # Used Protocol (http, https)
apiValidateTls: true # Defines if the control plane certificate should be validated
hostname: "api-gateway-nginx.keptn" # Hostname of the control plane cluster, Port
authMode: "token" # Flag to choose the defined authentication method, valid values are token and oauth
token: "" # Keptn API Token
oauth: #
clientId: "" # The client OAuth ID
clientSecret: "" # The client OAuth Secret
clientDiscovery: "" # The well known discovery URL which should be used by the distributor
scopes: "" # A list of scopes for the OAuth client
jobConfig:
serviceAccount: # The default service account that is used for jobs
create: true # Enables the service account creation
name: "default-job-account" # The name of the service account to use for job execution
annotations: { } # Annotations to add to the service account
allowedImageList: "" # A list of images that are allowed for the jobs (e.g.: docker.io/*,ghcr.io/my-other-user/my-other-image:*,ghcr.io/my-user/my-image:1.2.3)
labels: { } # Configure additional labels that should be attached to all jobs
# --------------------------------------------------------------------------------------------------- #
# WARNING: allowing privileged containers or runAsNonRoot is dangerous, only change the default #
# security configuration if you need, the securityContext can be overwritten by each job #
# --------------------------------------------------------------------------------------------------- #
allowPrivilegedJobs: false # If true the job-executor-service will only warn instead of refusing to run privileged jobs
podSecurityContext: # Default pod security context for job workloads
RunAsUser: 1000
RunAsGroup: 2000
RunAsNonRoot: true
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
jobSecurityContext: # Default security context for job workloads, can be overwritten by jobs
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 2000
capabilities:
drop: [ "all" ]
seccompProfile:
type: RuntimeDefault
taskDeadlineSeconds: 0 # Set taskDeadlineSeconds to an integer > 0 to limit how long task can run
networkPolicy:
enabled: false # Sets a restrictive network policy for all jobs
blockCIDRs: [ # A list of CIDR which should not be accessible to jobs
# "10.0.0.0/8",
# "172.16.0.0/12",
# "192.168.0.0/16"
]
imagePullSecrets: [ ] # Secrets to use for container registry credentials
serviceAccount:
create: true # Enables the service account creation
annotations: { } # Annotations to add to the service account
name: "" # The name of the service account to use.
config:
storageClassName: "gp2"
storageVolumeName: "job-executor-service-git-volume"
podAnnotations: { } # Annotations to add to the created pods
# -------------------------------------------------------------------------- #
# WARNING: DO NOT CHANGE THE DEFAULT podSecurityContext OR securityContext! #
# Changes may #
# - impact the job-executor-service from running correctly #
# - result in a security risk for the whole kubernetes cluster #
# -------------------------------------------------------------------------- #
podSecurityContext:
fsGroup: 2000
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 2000
capabilities:
drop: ["all"]
seccompProfile:
type: RuntimeDefault
service:
type: ClusterIP
port: 8080
resources: # Resource limits and requests
limits:
cpu: 1
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
nodeSelector: { } # Node selector configuration
tolerations: [ ] # Tolerations for the pods
affinity: { } # Affinity rules
networkPolicy:
ingress:
enabled: false
egress:
enabled: false
k8sMasterCIDR: ""
k8sMasterPort: 0