forked from aquasecurity/aqua-helm
-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
179 lines (166 loc) · 5.73 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# Specifies the secret data for imagePullSecrets needed to fetch the private docker images
imageCredentials:
create: false
name: aqua-registry-secret # example
repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io"
registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/"
username: ""
password: ""
rbac:
create: false # Enable to create RBAC for gateway chart, when deploying Gateway only
clusterRole:
roleRef: ""
console:
publicIP:
publicPort:
serviceAccount:
annotations: {}
create: false
name: "aqua-sa"
replicaCount: 1
logLevel:
image:
repository: gateway
tag: "2022.4"
pullPolicy: Always
service:
type: ClusterIP # Enable gateway to external by changing type to "LoadBalancer"
loadbalancerIP: "" # Specify loadBalancerIP address for aqua-web in AKS platform
loadBalancerSourceRanges: # Specify loadBalancerSourceRanges addresses if needed (list)
labels: {}
annotations: {}
ports:
- name: aqua-gate
port: 3622
targetPort: 3622
nodePort:
protocol: TCP
- name: aqua-gate-ssl
port: 8443
targetPort: 8443
nodePort:
protocol: TCP
- name: aqua-health
port: 8082
protocol: TCP
targetPort: 8082
nodePort:
publicIP:
livenessProbe:
httpGet:
path: /
port: 8082
initialDelaySeconds: 60
periodSeconds: 30
readinessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 60
periodSeconds: 60
resources: {}
# Note: For recommendations please check the official sizing guide.
# requests:
# cpu: 100m
# memory: 0.2Gi
# limits:
# cpu: 1000m
# memory: 2Gi
nodeSelector: {}
tolerations: []
affinity: {}
podAnnotations: {}
# my-annotation-key: my value; more value
podLabels: {}
securityContext:
runAsUser: 11431
runAsGroup: 11433
fsGroup: 11433
container_securityContext: {}
pdb:
minAvailable: "1"
# Allows you to specify the API version for the PodDisruptionBudget
# This is useful where .Capabilities.APIVersions.Has does not work e.g. Helm template & ArgoCD
# For example: policy/v1beta1 or policy/v1
apiVersion:
# TLS is for enabling mTLS/TLS establishment between gateway <-> server and gateway <-> enforcers
TLS:
enabled: false # enable to true for secure communication (mTLS/TLS)
secretName: "" # provide certificates secret name created to enable tls/mtls communication between enforcer and gateway/envoy
publicKey_fileName: "" #provide filename of the public key eg: aqua_gateway.crt
privateKey_fileName: "" #provide filename of the private key eg: aqua_gateway.key
rootCA_fileName: "" #provide filename of the rootCA, if using self-signed certificates eg: rootCA.crt
aqua_verify_enforcer: "0" # change it to "1" for enabling mTLS between enforcer and gateway/envoy
# extraEnvironmentVars is a list of extra environment variables to set in the gateway deployments.
# https://docs.aquasec.com/docs/gateway-optional-variables
extraEnvironmentVars: {}
# ENV_NAME: value
# extraSecretEnvironmentVars is a list of extra environment variables to set in the gateway deployments.
# These variables take value from existing Secret objects.
extraSecretEnvironmentVars: []
# - envName: ENV_NAME
# secretName: name
# secretKey: key
# extraVolumeMounts is a list of extra volumes to mount into the container's filesystem of the KubeEnforcer deployment
extraVolumeMounts: []
# extraVolumes is a list of volumes that can be mounted inside the KubeEnforcer deployment
extraVolumes: []
#enable or disable creation of headless service for envoy
headlessService: true
global:
# Specify the Kubernetes (k8s) platform acronym.
# Allowed values are:
# - aks: Azure Kubernetes Service
# - eks: Amazon Elastic Kubernetes Service
# - gke: Google Kubernetes Engine
# - openshift: Red Hat OpenShift/OCP
# - tkg: VMware Tanzu Kubernetes Grid
# - tkgi: VMware Tanzu Kubernetes Grid Integrated Edition
# - k8s: Plain/on-prem Vanilla Kubernetes
# - rancher: Rancher Kubernetes Platform
# - gs: Giant Swarm platform
# - k3s: k3s Kubernetes platform
# - mke: Mirantis Kubernetes Engine
platform: ""
db:
external:
enabled: true
name: ""
host: ""
port: ""
user: ""
password: ""
auditName: ""
auditHost: ""
auditPort: ""
auditUser: ""
auditPassword: ""
pubsubName: ""
pubsubHost: ""
pubsubPort: ""
pubsubUser: ""
pubsubPassword: ""
passwordFromSecret:
#Enable if loading passwords for db and audit-db from secret
enabled: false
#Specify the Password Secret name used for db password
dbPasswordName: ""
#Specify the db password key name stored in the #dbPasswordName secret
dbPasswordKey: ""
#Specify the Password Secret name used for audit db password
dbAuditPasswordName: ""
#Specify the audit db password key name stored in the #dbAuditPasswordName secret
dbAuditPasswordKey: ""
#Specify the Password Secret name used for pubsub db password
dbPubsubPasswordName: ""
#Specify the pubsub db password key name stored in the #PubsubPasswordName secret
dbPubsubPasswordKey: ""
ssl: false
sslmode: require # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
auditssl: false
auditsslmode: require # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
pubsubssl: false
pubsubsslmode: require # accepts: allow | prefer | require | verify-ca | verify-full (Default: Require)
# To establish mTLS/verify-ca/verify-full with External DB, enable to true and supply dbcerts secret to dcertSecretName
externalDbCerts:
enable: false
certSecretName: ""