mirror of
https://gitlab.fabcity.hamburg/software/fab-city-os-core-chart.git
synced 2024-09-19 20:08:53 +02:00
sort out secrets and config properties
This commit is contained in:
parent
03e69a8b65
commit
887eef5179
402
values.yaml
402
values.yaml
|
@ -1,20 +1,124 @@
|
|||
# Default values for fcos-core.
|
||||
# Default values for fcoscore.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
## @param global.imageRegistry Global Docker image registry
|
||||
## @param global.imagePullSecrets Global Docker registry secret names as an array
|
||||
## @param global.storageClass Global StorageClass for Persistent Volume(s)
|
||||
##
|
||||
global:
|
||||
imageRegistry: ""
|
||||
## E.g.
|
||||
## imagePullSecrets:
|
||||
## - myRegistryKeySecretName
|
||||
##
|
||||
imagePullSecrets: []
|
||||
storageClass: ""
|
||||
|
||||
replicaCount: 1
|
||||
|
||||
## Enable diagnostic mode in the statefulset
|
||||
##
|
||||
diagnosticMode:
|
||||
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
|
||||
##
|
||||
enabled: false
|
||||
## @param diagnosticMode.command Command to override all containers in the the statefulset
|
||||
##
|
||||
command:
|
||||
- sleep
|
||||
## @param diagnosticMode.args Args to override all containers in the the statefulset
|
||||
##
|
||||
args:
|
||||
- infinity
|
||||
|
||||
## @param image.registry fcoscore image registry
|
||||
## @param image.repository fcoscore image repository
|
||||
## @param image.pullPolicy fcoscore image pull policy
|
||||
## @param image.pullSecrets fcoscore image pull secrets
|
||||
## @param image.tag fcoscore image tag
|
||||
## @param image.debug Enable image debug mode
|
||||
##
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: dyne/reflow
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
||||
##
|
||||
pullPolicy: IfNotPresent
|
||||
## Optionally specify an array of imagePullSecrets.
|
||||
## Secrets must be manually created in the namespace.
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||||
## e.g:
|
||||
## pullSecrets:
|
||||
## - myRegistryKeySecretName
|
||||
##
|
||||
pullSecrets: []
|
||||
## Set to true if you would like to see extra information on logs
|
||||
##
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
# tag: ""
|
||||
tag: ""
|
||||
# debug: false
|
||||
debug: true
|
||||
|
||||
audit:
|
||||
pgAuditLog: true
|
||||
logLinePrefix: ""
|
||||
# logTimezone: ""
|
||||
|
||||
imagePullSecrets: []
|
||||
nameOverride: ""
|
||||
fullnameOverride: ""
|
||||
|
||||
## Authentication parameters
|
||||
##
|
||||
auth:
|
||||
## @param auth.username FabCityOS admin user
|
||||
##
|
||||
username: root
|
||||
## @param auth.password FabCityOS admin password. WARNING: Minimum length of 10 characters
|
||||
## Defaults to a random 10-character alphanumeric string if not set
|
||||
##
|
||||
password: ""
|
||||
## @param auth.existingSecret Name of an existing secret to use for Discourse credentials
|
||||
## `auth.password` will be ignored and picked up from this secret
|
||||
## The secret must contain the key `discourse-password`
|
||||
## The value is evaluated as a template
|
||||
##
|
||||
existingSecret: ""
|
||||
|
||||
## @param host Hostname to create application URLs (include the port if =/= 80)
|
||||
##
|
||||
host: ""
|
||||
## @param siteName fcoscore site name
|
||||
##
|
||||
siteName: 'Fab City Core node for valueflows circular economy networks'
|
||||
|
||||
## fcoscore SMTP settings
|
||||
## @param smtp.enabled Enable/disable SMTP
|
||||
## @param smtp.backend SMTP Backend type
|
||||
## @param smtp.host SMTP host name
|
||||
## @param smtp.port SMTP port number
|
||||
## @param smtp.user SMTP account user name
|
||||
## @param smtp.password SMTP account password
|
||||
## @param smtp.protocol SMTP protocol (Allowed values: tls, ssl)
|
||||
## @param smtp.auth SMTP authentication method
|
||||
## @param smtp.existingSecret Name of an existing Kubernetes secret. The secret must have the following key configured: `smtp-password`
|
||||
##
|
||||
smtp:
|
||||
enabled: false
|
||||
backend: smtp
|
||||
host: ""
|
||||
port: ""
|
||||
user: ""
|
||||
password: ""
|
||||
protocol: ""
|
||||
auth: ""
|
||||
existingSecret: ""
|
||||
from: ""
|
||||
api_key: ""
|
||||
|
||||
serviceAccount:
|
||||
# Specifies whether a service account should be created
|
||||
create: true
|
||||
|
@ -26,9 +130,6 @@ serviceAccount:
|
|||
|
||||
podAnnotations: {}
|
||||
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
securityContext: {}
|
||||
# capabilities:
|
||||
# drop:
|
||||
|
@ -39,7 +140,7 @@ securityContext: {}
|
|||
|
||||
service:
|
||||
type: ClusterIP
|
||||
port: 80
|
||||
port: 4000
|
||||
|
||||
ingress:
|
||||
enabled: false
|
||||
|
@ -48,7 +149,7 @@ ingress:
|
|||
# kubernetes.io/ingress.class: nginx
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
hosts:
|
||||
- host: fcos-core.local
|
||||
- host: fcoscore.local
|
||||
paths:
|
||||
- path: /
|
||||
pathType: ImplementationSpecific
|
||||
|
@ -69,6 +170,23 @@ resources: {}
|
|||
# cpu: 100m
|
||||
# memory: 128Mi
|
||||
|
||||
## Configure Pods Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param podSecurityContext.enabled Enabled Odoo pods' Security Context
|
||||
## @param podSecurityContext.fsGroup Set Odoo pod's Security Context fsGroup
|
||||
##
|
||||
podSecurityContext: {}
|
||||
# fsGroup: 2000
|
||||
|
||||
## Configure Container Security Context (only main container)
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
||||
## @param containerSecurityContext.enabled Enabled Odoo containers' Security Context
|
||||
## @param containerSecurityContext.runAsUser Set Odoo container's Security Context runAsUser
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: false
|
||||
runAsUser: 1001
|
||||
|
||||
autoscaling:
|
||||
enabled: false
|
||||
minReplicas: 1
|
||||
|
@ -81,3 +199,273 @@ nodeSelector: {}
|
|||
tolerations: []
|
||||
|
||||
affinity: {}
|
||||
|
||||
fcoscore:
|
||||
secretName: fcoscore
|
||||
## @param fcoscore.command Custom command to override image cmd
|
||||
##
|
||||
command: []
|
||||
## @param fcoscore.args Custom args for the custom command
|
||||
##
|
||||
args: []
|
||||
## @param fcoscore.extraEnvVars Array with extra environment variables to add fcoscore pods
|
||||
##
|
||||
extraEnvVars: []
|
||||
## @param fcoscore.extraEnvVarsCM ConfigMap containing extra environment variables for fcoscore pods
|
||||
##
|
||||
extraEnvVarsCM: ""
|
||||
## @param fcoscore.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for fcoscore pods
|
||||
##
|
||||
extraEnvVarsSecret: ""
|
||||
## config properties
|
||||
##
|
||||
org_name: "FabCity"
|
||||
## config properties
|
||||
##
|
||||
mix_env: "prod"
|
||||
## config properties
|
||||
##
|
||||
flavour: "reflow"
|
||||
## config properties
|
||||
##
|
||||
lang: "en_US.UTF-8"
|
||||
## config properties
|
||||
##
|
||||
upload_limit: "30000000"
|
||||
## config properties
|
||||
##
|
||||
timeout: "10000"
|
||||
## config properties
|
||||
##
|
||||
invite_only: true
|
||||
## config properties
|
||||
##
|
||||
invite_key: ""
|
||||
## config properties
|
||||
##
|
||||
replace_os_vars: true
|
||||
## config properties
|
||||
##
|
||||
liveview_enabled: true
|
||||
## config properties
|
||||
##
|
||||
acme_agree: true
|
||||
## config properties
|
||||
##
|
||||
erlang_cookie: "bonfire"
|
||||
## config properties
|
||||
##
|
||||
web_push:
|
||||
## config properties
|
||||
##
|
||||
subject: "mailto:hostmaster@example.com"
|
||||
## config properties
|
||||
##
|
||||
public_key: ""
|
||||
## config properties
|
||||
##
|
||||
geolocate_opencagedata: ""
|
||||
## config properties
|
||||
##
|
||||
meili_master_key: ""
|
||||
## config properties
|
||||
##
|
||||
encryption_salt: ""
|
||||
## config properties
|
||||
##
|
||||
secret_key_base: ""
|
||||
## config properties
|
||||
##
|
||||
signing_salt: ""
|
||||
## config properties
|
||||
##
|
||||
github_token: ""
|
||||
## config properties
|
||||
##
|
||||
disable_db_automigration: false
|
||||
## config properties
|
||||
##
|
||||
seeds_user: ""
|
||||
## config properties
|
||||
##
|
||||
seeds_pw: ""
|
||||
## config properties
|
||||
##
|
||||
web_push_public_key: ""
|
||||
## config properties
|
||||
##
|
||||
web_push_private_key: ""
|
||||
|
||||
## Persistence Parameters
|
||||
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
|
||||
##
|
||||
persistence:
|
||||
## @param persistence.enabled Enable persistence using Persistent Volume Claims
|
||||
##
|
||||
enabled: true
|
||||
## @param persistence.storageClass Persistent Volume storage class
|
||||
## If defined, storageClassName: <storageClass>
|
||||
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
||||
## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
|
||||
##
|
||||
storageClass: ""
|
||||
## @param persistence.accessModes [array] Persistent Volume access modes
|
||||
##
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
## @param persistence.accessMode Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead)
|
||||
##
|
||||
accessMode: ReadWriteOnce
|
||||
## @param persistence.size Persistent Volume size
|
||||
##
|
||||
size: 10Gi
|
||||
## @param persistence.existingClaim The name of an existing PVC to use for persistence
|
||||
##
|
||||
existingClaim: ""
|
||||
## @param persistence.selector Selector to match an existing Persistent Volume for Discourse data PVC
|
||||
## If set, the PVC can't have a PV dynamically provisioned for it
|
||||
## E.g.
|
||||
## selector:
|
||||
## matchLabels:
|
||||
## app: my-app
|
||||
##
|
||||
selector: {}
|
||||
## @param persistence.annotations Persistent Volume Claim annotations
|
||||
##
|
||||
annotations: {}
|
||||
|
||||
|
||||
networkPolicy:
|
||||
## @param networkPolicy.enabled Enable network policies
|
||||
## If ingress.enabled is true, configure networkPolicy.ingress selectors to allow communication
|
||||
##
|
||||
enabled: false
|
||||
## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies
|
||||
## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace.
|
||||
## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods.
|
||||
##
|
||||
ingress:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: ingress
|
||||
##
|
||||
podSelector: {}
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backends (PostgreSQL and Redis) only accessible by Discourse's pods.
|
||||
## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods.
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes Discourse only accessible from a particular origin
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access Discourse. This label will be used to identified the allowed namespace(s).
|
||||
## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access Discourse. This label will be used to identified the allowed pod(s).
|
||||
## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule
|
||||
##
|
||||
ingressRules:
|
||||
## PostgreSQL and Redis backends only can be accessed from Discourse
|
||||
##
|
||||
backendOnlyAccessibleByFrontend: false
|
||||
customBackendSelector: {}
|
||||
## Allow only from the indicated:
|
||||
##
|
||||
accessOnlyFrom:
|
||||
enabled: false
|
||||
## e.g:
|
||||
## namespaceSelector:
|
||||
## label: ingress
|
||||
##
|
||||
namespaceSelector: {}
|
||||
## e.g:
|
||||
## podSelector:
|
||||
## label: access
|
||||
##
|
||||
podSelector: {}
|
||||
## custom ingress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - from:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: {}
|
||||
## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
|
||||
## @param networkPolicy.egressRules.customRules Custom network policy rule
|
||||
##
|
||||
egressRules:
|
||||
## Deny connections to external. This is not compatible with an external database.
|
||||
##
|
||||
denyConnectionsToExternal: false
|
||||
## Additional custom egress rules
|
||||
## e.g:
|
||||
## customRules:
|
||||
## - to:
|
||||
## - namespaceSelector:
|
||||
## matchLabels:
|
||||
## label: example
|
||||
##
|
||||
customRules: {}
|
||||
|
||||
## PostgreSQL chart configuration
|
||||
## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml
|
||||
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
|
||||
## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
|
||||
## @param postgresql.auth.postgresPassword Password for the "postgres" admin user
|
||||
## @param postgresql.auth.username Name for a custom user to create
|
||||
## @param postgresql.auth.password Password for the custom user to create
|
||||
## @param postgresql.auth.database Name for a custom database to create
|
||||
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
|
||||
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
|
||||
##
|
||||
postgresql:
|
||||
enabled: true
|
||||
auth:
|
||||
host: ""
|
||||
# port: 5432
|
||||
username: fcoscore
|
||||
database: bonfire
|
||||
audit:
|
||||
logHostname: true
|
||||
logConnections: true
|
||||
logDisconnections: true
|
||||
pgAuditLogCatalog: "on"
|
||||
clientMinMessages: error
|
||||
extensions: hstore,pg_trgm,postgis
|
||||
# primary:
|
||||
# initdb:
|
||||
# scripts:
|
||||
# init.sql: |
|
||||
# CREATE DATABASE bonfire;
|
||||
# CREATE EXTENSION IF NOT EXISTS postgis;
|
||||
# CREATE EXTENSION IF NOT EXISTS hstore;
|
||||
# GRANT ALL ON bonfire TO fcoscore;
|
||||
# # CREATE USER usr_fcos_core WITH PASSWORD 'pwd_fcos_core';
|
||||
|
||||
## External PostgreSQL configuration
|
||||
## All of these values are only used when postgresql.enabled is set to false
|
||||
## @param externalDatabase.host Database host
|
||||
## @param externalDatabase.port Database port number
|
||||
## @param externalDatabase.user Non-root username for FabCityOS
|
||||
## @param externalDatabase.password Password for the non-root username for FabCityOS
|
||||
## @param externalDatabase.database FabCityOS database name
|
||||
## @param externalDatabase.create Switch to enable user/database creation during the installation stage
|
||||
## @param externalDatabase.postgresUser PostgreSQL admin user, used during the installation stage
|
||||
## @param externalDatabase.postgresPassword PostgreSQL admin password, used during the installation stage
|
||||
## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
|
||||
## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
|
||||
## @param externalDatabase.existingSecretPostgresPasswordKey Name of an existing secret key containing the database admin user credentials
|
||||
##
|
||||
externalDatabase:
|
||||
host: ""
|
||||
port: 5432
|
||||
user: ""
|
||||
password: ""
|
||||
database: ""
|
||||
create: true
|
||||
postgresUser: postgres
|
||||
existingSecret: ""
|
||||
existingSecretPasswordKey: ""
|
||||
existingSecretPostgresPasswordKey: ""
|
||||
|
Loading…
Reference in a new issue