From 887eef5179e0515c51dbeaa0f98fcdd0eabaebbf Mon Sep 17 00:00:00 2001
From: Sebastian Wendel
Date: Wed, 22 Jun 2022 17:38:07 +0200
Subject: [PATCH] sort out secrets and config properties

---
 values.yaml | 402 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 395 insertions(+), 7 deletions(-)

diff --git a/values.yaml b/values.yaml
index 5490454..80726b1 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,20 +1,124 @@ -# Default values for fcos-core. +# Default values for fcoscore. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + replicaCount: 1 +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the statefulset + ## + args: + - infinity + +## @param image.registry fcoscore image registry +## @param image.repository fcoscore image repository +## @param image.pullPolicy fcoscore image pull policy +## @param image.pullSecrets fcoscore image pull secrets +## @param image.tag fcoscore image tag +## @param image.debug Enable image debug mode +## image: registry: docker.io repository: dyne/reflow + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## # Overrides the image tag whose default is the chart appVersion. 
+ # tag: "" tag: "" + # debug: false + debug: true + +audit: + pgAuditLog: true + logLinePrefix: "" + # logTimezone: "" -imagePullSecrets: [] nameOverride: "" fullnameOverride: "" +## Authentication parameters +## +auth: + ## @param auth.username FabCityOS admin user + ## + username: root + ## @param auth.password FabCityOS admin password. WARNING: Minimum length of 10 characters + ## Defaults to a random 10-character alphanumeric string if not set + ## + password: "" + ## @param auth.existingSecret Name of an existing secret to use for Discourse credentials + ## `auth.password` will be ignored and picked up from this secret + ## The secret must contain the key `discourse-password` + ## The value is evaluated as a template + ## + existingSecret: "" + +## @param host Hostname to create application URLs (include the port if =/= 80) +## +host: "" +## @param siteName fcoscore site name +## +siteName: 'Fab City Core node for valueflows circular economy networks' + +## fcoscore SMTP settings +## @param smtp.enabled Enable/disable SMTP +## @param smtp.backend SMTP Backend type +## @param smtp.host SMTP host name +## @param smtp.port SMTP port number +## @param smtp.user SMTP account user name +## @param smtp.password SMTP account password +## @param smtp.protocol SMTP protocol (Allowed values: tls, ssl) +## @param smtp.auth SMTP authentication method +## @param smtp.existingSecret Name of an existing Kubernetes secret. The secret must have the following key configured: `smtp-password` +## +smtp: + enabled: false + backend: smtp + host: "" + port: "" + user: "" + password: "" + protocol: "" + auth: "" + existingSecret: "" + from: "" + api_key: "" + serviceAccount: # Specifies whether a service account should be created create: true @@ -26,9 +130,6 @@ serviceAccount: podAnnotations: {} -podSecurityContext: {} - # fsGroup: 2000 - securityContext: {} # capabilities: # drop: 
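Review bot: `debug: true` under `image:` switches image debug mode on for every default install, while the `# debug: false` comment right above it indicates the intended default; change the live value to `debug: false` so verbose output is opt-in. The `auth.existingSecret` description still refers to Discourse credentials and a `discourse-password` key, which does not match this chart's `auth.username`/`auth.password`; it should name the key the fcoscore templates actually read (the templates are not in this hunk, so confirm the key before editing). `replicaCount: 1` appears to follow `storageClass: ""` inside `global:` after the move rather than at top level; if that is the case, templates referencing `.Values.replicaCount` would no longer pick it up — worth verifying once indentation is visible. The hunk starts at the top of values.yaml and the following `@@ -26,9 +130,6 @@` hunk only removes the `podSecurityContext` stanza that a later hunk re-adds.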
@@ -39,7 +140,7 @@ securityContext: {} service: type: ClusterIP - port: 80 + port: 4000 ingress: enabled: false @@ -48,7 +149,7 @@ ingress: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" hosts: - - host: fcos-core.local + - host: fcoscore.local paths: - path: / pathType: ImplementationSpecific @@ -69,6 +170,23 @@ resources: {} # cpu: 100m # memory: 128Mi +## Configure Pods Security Context +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled Odoo pods' Security Context +## @param podSecurityContext.fsGroup Set Odoo pod's Security Context fsGroup +## +podSecurityContext: {} + # fsGroup: 2000 + +## Configure Container Security Context (only main container) +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled Odoo containers' Security Context +## @param containerSecurityContext.runAsUser Set Odoo container's Security Context runAsUser +## +containerSecurityContext: + enabled: false + runAsUser: 1001 + autoscaling: enabled: false minReplicas: 1 
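Review bot: `containerSecurityContext.enabled: false` in the `@@ -69,6 +170,23 @@` hunk leaves the new container security context switched off by default, so `runAsUser: 1001` has no effect unless an operator opts in; defaulting to `enabled: true` with `runAsUser: 1001` and `runAsNonRoot: true` keeps the main container off root out of the box (assuming the templates key on `enabled`, which this hunk does not show). The `@param podSecurityContext.enabled` and `@param podSecurityContext.fsGroup` lines document keys that the value `podSecurityContext: {}` does not define, so either add those keys or drop the two doc lines so the generated reference matches the chart. Both new comment blocks still say "Odoo" where they mean fcoscore.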
@@ -81,3 +199,273 @@ nodeSelector: {} tolerations: [] affinity: {} + +fcoscore: + secretName: fcoscore + ## @param fcoscore.command Custom command to override image cmd + ## + command: [] + ## @param fcoscore.args Custom args for the custom command + ## + args: [] + ## @param fcoscore.extraEnvVars Array with extra environment variables to add fcoscore pods + ## + extraEnvVars: [] + ## @param fcoscore.extraEnvVarsCM ConfigMap containing extra environment variables for fcoscore pods + ## + extraEnvVarsCM: "" + ## @param fcoscore.extraEnvVarsSecret Secret containing extra environment variables (in case of sensitive data) for fcoscore pods + ## + extraEnvVarsSecret: "" + ## config properties + ## + org_name: "FabCity" + ## config properties + ## + mix_env: "prod" + ## config properties + ## + flavour: "reflow" + ## config properties + ## + lang: "en_US.UTF-8" + ## config properties + ## + upload_limit: "30000000" + ## config properties + ## + timeout: "10000" + ## config properties + ## + invite_only: true + ## config properties + ## + invite_key: "" + ## config properties + ## + replace_os_vars: true + ## config properties + ## + liveview_enabled: true + ## config properties + ## + acme_agree: true + ## config properties + ## + erlang_cookie: "bonfire" + ## config properties + ## + web_push: + ## config properties + ## + subject: "mailto:hostmaster@example.com" + ## config properties + ## + public_key: "" + ## config properties + ## + geolocate_opencagedata: "" + ## config properties + ## + meili_master_key: "" + ## config properties + ## + encryption_salt: "" + ## config properties + ## + secret_key_base: "" + ## config properties + ## + signing_salt: "" + ## config properties + ## + github_token: "" + ## config properties + ## + disable_db_automigration: false + ## config properties + ## + seeds_user: "" + ## config properties + ## + seeds_pw: "" + ## config properties + ## + web_push_public_key: "" + ## config properties + ## + web_push_private_key: "" + +## 
Persistence Parameters +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + ## @param persistence.enabled Enable persistence using Persistent Volume Claims + ## + enabled: true + ## @param persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param persistence.accessModes [array] Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param persistence.accessMode Persistent Volume access mode (DEPRECATED: use `persistence.accessModes` instead) + ## + accessMode: ReadWriteOnce + ## @param persistence.size Persistent Volume size + ## + size: 10Gi + ## @param persistence.existingClaim The name of an existing PVC to use for persistence + ## + existingClaim: "" + ## @param persistence.selector Selector to match an existing Persistent Volume for Discourse data PVC + ## If set, the PVC can't have a PV dynamically provisioned for it + ## E.g. + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param persistence.annotations Persistent Volume Claim annotations + ## + annotations: {} + + +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## If ingress.enabled is true, configure networkPolicy.ingress selectors to allow communication + ## + enabled: false + ## @param networkPolicy.ingress.enabled Enable network policy for Ingress Proxies + ## @param networkPolicy.ingress.namespaceSelector Ingress Proxy namespace selector labels. These labels will be used to identify the Ingress Proxy's namespace. + ## @param networkPolicy.ingress.podSelector Ingress Proxy pods selector labels. These labels will be used to identify the Ingress Proxy pods. 
+ ## + ingress: + enabled: false + ## e.g: + ## podSelector: + ## label: ingress + ## + podSelector: {} + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## @param networkPolicy.ingressRules.backendOnlyAccessibleByFrontend Enable ingress rule that makes the backends (PostgreSQL and Redis) only accessible by Discourse's pods. + ## @param networkPolicy.ingressRules.customBackendSelector Backend selector labels. These labels will be used to identify the backend pods. + ## @param networkPolicy.ingressRules.accessOnlyFrom.enabled Enable ingress rule that makes Discourse only accessible from a particular origin + ## @param networkPolicy.ingressRules.accessOnlyFrom.namespaceSelector Namespace selector label that is allowed to access Discourse. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.accessOnlyFrom.podSelector Pods selector label that is allowed to access Discourse. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.customRules Custom network policy ingress rule + ## + ingressRules: + ## PostgreSQL and Redis backends only can be accessed from Discourse + ## + backendOnlyAccessibleByFrontend: false + customBackendSelector: {} + ## Allow only from the indicated: + ## + accessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules Custom network policy rule + ## + egressRules: + ## Deny connections to external. 
This is not compatible with an external database. + ## + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: {} + +## PostgreSQL chart configuration +## ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/values.yaml +## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart +## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user +## @param postgresql.auth.postgresPassword Password for the "postgres" admin user +## @param postgresql.auth.username Name for a custom user to create +## @param postgresql.auth.password Password for the custom user to create +## @param postgresql.auth.database Name for a custom database to create +## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials +## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`) +## +postgresql: + enabled: true + auth: + host: "" + # port: 5432 + username: fcoscore + database: bonfire + audit: + logHostname: true + logConnections: true + logDisconnections: true + pgAuditLogCatalog: "on" + clientMinMessages: error + extensions: hstore,pg_trgm,postgis + # primary: + # initdb: + # scripts: + # init.sql: | + # CREATE DATABASE bonfire; + # CREATE EXTENSION IF NOT EXISTS postgis; + # CREATE EXTENSION IF NOT EXISTS hstore; + # GRANT ALL ON bonfire TO fcoscore; + # # CREATE USER usr_fcos_core WITH PASSWORD 'pwd_fcos_core'; + +## External PostgreSQL configuration +## All of these values are only used when postgresql.enabled is set to false +## @param externalDatabase.host Database host +## @param externalDatabase.port Database port number +## @param externalDatabase.user Non-root username for FabCityOS +## @param externalDatabase.password Password for the non-root 
username for FabCityOS +## @param externalDatabase.database FabCityOS database name +## @param externalDatabase.create Switch to enable user/database creation during the installation stage +## @param externalDatabase.postgresUser PostgreSQL admin user, used during the installation stage +## @param externalDatabase.postgresPassword PostgreSQL admin password, used during the installation stage +## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials +## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials +## @param externalDatabase.existingSecretPostgresPasswordKey Name of an existing secret key containing the database admin user credentials +## +externalDatabase: + host: "" + port: 5432 + user: "" + password: "" + database: "" + create: true + postgresUser: postgres + existingSecret: "" + existingSecretPasswordKey: "" + existingSecretPostgresPasswordKey: "" + \ No newline at end of file
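Review bot: `erlang_cookie: "bonfire"` under `fcoscore:` ships a fixed, well-known value for the cookie that authenticates Erlang distribution between nodes, so every release installed with defaults shares the same one; set `erlang_cookie: ""` here and have the template generate a random value or read it from the secret named by `secretName` when empty, the way `auth.password` is described as behaving. The same `fcoscore` block lists `secret_key_base`, `signing_salt`, `encryption_salt`, `meili_master_key`, `github_token`, `seeds_pw` and `web_push_private_key` next to plain settings, all with the identical `## config properties` comment; this hunk does not show whether they are rendered into a Secret or a ConfigMap, so state it per key (e.g. `## secret: rendered into the Secret named by fcoscore.secretName`) and replace the copy-pasted placeholder with a one-line description of each setting. `externalDatabase` documents `@param externalDatabase.postgresPassword` but no `postgresPassword` key follows `postgresUser: postgres`, so add `postgresPassword: ""` or drop the doc line. `web_push.public_key` and the flat `web_push_public_key` configure the same value twice; keep one so operators do not set one and have the other win.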