---
global:
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# matchLabelKeys:
# - pod-template-hash
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
# matchLabelKeys:
# - pod-template-hash
affinity: {}
# -- Global hostAliases to be applied to all deployments
hostAliases: []
# -- Global pod labels to be applied to all deployments
podLabels: {}
# -- Global pod annotations to be applied to all deployments
podAnnotations: {}
# -- Global imagePullSecrets to be applied to all deployments
imagePullSecrets: []
# -- Global image repository to be applied to all deployments
repository: ""
compatibility:
openshift:
# -- Manages the securityContext properties to make them compatible with OpenShift.
# Possible values:
# auto - Apply configurations if it is detected that OpenShift is the target platform.
# force - Always apply configurations.
# disabled - No modification applied.
adaptSecurityContext: auto
replicaCount: 1
bitwarden-sdk-server:
enabled: false
namespaceOverride: ""
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
tag: ""
# -- The flavour of tag you want to use
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
# By default, the distroless image is used.
flavour: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
crds:
# -- If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false.
createClusterExternalSecret: true
# -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
createClusterSecretStore: true
# -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
createSecretStore: true
# -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
createClusterGenerator: true
# -- If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false.
createClusterPushSecret: true
# -- If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false.
createPushSecret: true
annotations: {}
conversion:
# -- Conversion is disabled by default as we stopped supporting v1alpha1.
enabled: false
# -- If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs.
# v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources.
# Warning: This flag will be removed on 2026.05.01.
unsafeServeV1Beta1: false
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
# -- Additional labels added to all helm chart resources.
commonLabels: {}
# -- If true, external-secrets will perform leader election between instances to ensure no more
# than one instance of external-secrets operates at a time.
leaderElect: false
# -- If set, external-secrets will filter Secret Stores and only handle
# those whose controller value matches this setting.
controllerClass: ""
# -- If true, external-secrets will use the recommended Kubernetes
# annotations as Prometheus metric labels.
extendedMetricLabels: false
# -- If set, external secrets are only reconciled in the
# provided namespace
scopedNamespace: ""
# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
# -- If true, the OpenShift finalizer permissions will be added to RBAC
openshiftFinalizers: true
# -- If true, the system:auth-delegator ClusterRole will be added to RBAC
systemAuthDelegator: false
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
# When enabled, this adds update/patch permissions on namespaces to handle finalizers for proper
# cleanup during namespace deletion, preventing race conditions with ExternalSecrets.
processClusterExternalSecret: true
# -- if true, the operator will process cluster push secret. Else, it will ignore them.
processClusterPushSecret: true
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
# -- if true, the operator will process secret store. Else, it will ignore them.
processSecretStore: true
# -- if true, the operator will process cluster generator. Else, it will ignore them.
processClusterGenerator: true
# -- if true, the operator will process push secret. Else, it will ignore them.
processPushSecret: true
# -- Enable support for generic targets (ConfigMaps, Custom Resources).
# Warning: with generic targets, secret values can be written to resources that are not Kubernetes Secrets
# (e.g. ConfigMaps); make sure access policies and encryption are properly configured for those resources.
# When enabled, this grants the controller permissions to create/update/delete
# ConfigMaps and optionally other resource types specified in genericTargets.resources.
genericTargets:
# -- Enable generic target support
enabled: false
# -- List of additional resource types to grant permissions for.
# Each entry should specify apiGroup, resources, and verbs.
# Example:
# resources:
# - apiGroup: "argoproj.io"
# resources: ["applications"]
# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
resources: []
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- if true, HTTP/2 will be enabled for the services created by all controllers, currently metrics and webhook.
enableHTTP2: false
# -- Vault token cache configuration
vault:
# -- Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request.
enableTokenCache: false
# -- Maximum size of Vault token cache. Only used if enableTokenCache is true.
tokenCacheSize: 262144
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
# -- Specifies Log Params to the External Secrets Operator
log:
level: info
timeEncoding: epoch
service:
# -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
ipFamilyPolicy: ""
# -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
ipFamilies: []
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
servicebindings:
# -- Specifies whether a clusterrole to give servicebindings read access should be created.
create: true
# -- Specifies whether permissions are aggregated to the view ClusterRole
aggregateToView: true
# -- Specifies whether permissions are aggregated to the edit ClusterRole
aggregateToEdit: true
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra Kubernetes objects to deploy with the helm chart
extraObjects: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
## -- Extra init containers to add to the pod.
extraInitContainers: []
## -- Extra containers to add to the pod.
extraContainers: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Set deployment strategy
strategy: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- How should we react to missing CRD "`monitoring.coreos.com/v1/ServiceMonitor`"
#
# Possible values:
# - `skipIfMissing`: Only render ServiceMonitor resources if CRD is present, skip if missing.
# - `failIfMissing`: Fail Helm install if CRD is not present.
# - `alwaysRender` : Always render ServiceMonitor resources, do not check for CRD.
# @schema
# enum:
# - skipIfMissing
# - failIfMissing
# - alwaysRender
# @schema
renderMode: skipIfMissing # @schema enum: [skipIfMissing, failIfMissing, alwaysRender]
# -- namespace where you want to install ServiceMonitors
namespace: ""
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Let prometheus add an exported_ prefix to conflicting labels
honorLabels: false
# -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
metricRelabelings: []
# - action: replace
# regex: (.*)
# replacement: $1
# sourceLabels:
# - exported_namespace
# targetLabel: namespace
# -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
metrics:
listen:
port: 8080
secure:
enabled: false
# If the cert/key paths below are not set or are invalid, self-signed certs will be generated instead.
# -- TLS cert directory path
certDir: /etc/tls
# -- TLS cert file path
certFile: /etc/tls/tls.crt
# -- TLS key file path
keyFile: /etc/tls/tls.key
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
grafanaDashboard:
# -- If true creates a Grafana dashboard.
enabled: false
# -- Label that ConfigMaps should have to be loaded as dashboards.
sidecarLabel: "grafana_dashboard"
# -- Label value that ConfigMaps should have to be loaded as dashboards.
sidecarLabelValue: "1"
# -- Annotations that ConfigMaps can have to get configured in Grafana,
# See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
# https://github.com/grafana/helm-charts/tree/main/charts/grafana
annotations: {}
# -- Extra labels to add to the Grafana dashboard ConfigMap.
extraLabels: {}
livenessProbe:
# -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
enabled: false
# -- The body of the liveness probe settings.
spec:
# -- Bind address for the health server used by both liveness and readiness probes (--live-addr flag).
address: ""
# -- Port for the health server used by both liveness and readiness probes (--live-addr flag).
port: 8082
# -- Specify the maximum amount of time to wait for a probe to respond before considering it failed.
timeoutSeconds: 5
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
failureThreshold: 5
# -- Period in seconds for K8s to start performing probes.
periodSeconds: 10
# -- Number of successful probes to mark probe successful.
successThreshold: 1
# -- Delay in seconds for the container to start before performing the initial probe.
initialDelaySeconds: 10
# -- Handler for liveness probe.
httpGet:
# -- Set this value to 'live' (for named port) or an integer for liveness probes.
# @schema type: [string, integer]
port: live
# -- Path for liveness probe.
path: /healthz
readinessProbe:
# -- Determines whether the readiness probe is enabled. Disabled by default. Enabling this will auto-start the health server (--live-addr) even if livenessProbe is disabled. Health server address/port are configured via livenessProbe.spec.address and livenessProbe.spec.port.
enabled: false
# -- The body of the readiness probe settings (standard Kubernetes probe spec).
spec:
# -- Specify the maximum amount of time to wait for a probe to respond before considering it failed.
timeoutSeconds: 5
# -- Number of consecutive probe failures that should occur before considering the probe as failed.
failureThreshold: 3
# -- Period in seconds for K8s to start performing probes.
periodSeconds: 10
# -- Number of successful probes to mark probe successful.
successThreshold: 1
# -- Delay in seconds for the container to start before performing the initial probe.
initialDelaySeconds: 10
# -- Handler for readiness probe.
httpGet:
# -- Set this value to 'live' (for named port) or an integer for readiness probes.
# @schema type: [string, integer]
port: live
# -- Path for readiness probe.
path: /readyz
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1 # @schema type:[integer, string]
nameOverride: ""
# maxUnavailable: "50%"
# -- Run the controller on the host network
hostNetwork: false
# -- (bool) Specifies if controller pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
# @schema type: [boolean, null]
hostUsers:
webhook:
# -- Annotations to place on validating webhook configuration.
annotations: {}
# -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false; otherwise the kube-apiserver will be hammered with requests because CRD conversion keeps looking for a webhook endpoint that does not exist.
create: true
# -- Specifies how often the webhook checks whether its certificate is still valid
certCheckInterval: "5m"
# -- Specifies the lookaheadInterval for certificate validity
lookaheadInterval: ""
replicaCount: 1
# -- Specifies Log Params to the Webhook
log:
level: info
timeEncoding: epoch
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
certDir: /tmp/certs
# -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
failurePolicy: Fail
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
# -- (bool) Specifies if webhook pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
# @schema type: [boolean, null]
hostUsers:
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
tag: ""
# -- The flavour of tag you want to use
flavour: ""
imagePullSecrets: []
# -- The port the webhook will listen to
port: 10250
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
# -- Specifies `hostAliases` to webhook deployment
hostAliases: []
certManager:
# -- Enabling cert-manager support will disable the built-in secret and
# switch to using cert-manager (installed separately) to automatically issue
# and renew the webhook certificate. This chart does not install
# cert-manager for you; see https://cert-manager.io/docs/
enabled: false
# -- Automatically add the cert-manager.io/inject-ca-from annotation to the
# webhooks and CRDs. As long as you have the cert-manager CA Injector
# enabled, this will automatically setup your webhook's CA to the one used
# by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
addInjectorAnnotations: true
cert:
# -- Create a certificate resource within this chart. See
# https://cert-manager.io/docs/usage/certificate/
create: true
# -- For the Certificate created by this chart, setup the issuer. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
issuerRef:
group: cert-manager.io
kind: "Issuer"
name: "my-issuer"
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
# One year by default.
duration: "8760h0m0s"
# -- Set the revisionHistoryLimit on the Certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
# Defaults to 0 (ignored).
revisionHistoryLimit: 0
# -- How long before the currently issued certificates expiry
# cert-manager should renew the certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
# Note that renewBefore should be greater than .webhook.lookaheadInterval
# since the webhook will check this far in advance that the certificate is
# valid.
renewBefore: ""
# -- Specific settings on the privateKey and its generation
privateKey: {}
# rotationPolicy: Always
# algorithm: RSA
# size: 2048
# -- Specific settings on the signatureAlgorithm used on the cert.
# signatureAlgorithm is only valid for cert-manager v1.18.0+
signatureAlgorithm: ""
# -- Add extra annotations to the Certificate resource.
annotations: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Set deployment strategy
strategy: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1 # @schema type:[integer, string]
nameOverride: ""
# maxUnavailable: "50%"
metrics:
listen:
port: 8080
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra init containers to add to the pod.
extraInitContainers: []
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Secret
secretAnnotations: {}
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Manage the service through which the webhook is reached.
service:
# -- Whether the chart should create the webhook Service object. If false, a Service is expected to exist already.
enabled: true
# -- Custom annotations for the webhook service.
annotations: {}
# -- Custom labels for the webhook service.
labels: {}
# -- The service type of the webhook service.
type: ClusterIP
# -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
# Check the documentation of your load balancer provider to see if/how this should be used.
loadBalancerIP: ""
certController:
# -- Specifies whether a certificate controller deployment be created.
create: true
requeueInterval: "5m"
replicaCount: 1
# -- Specifies Log Params to the Certificate Controller
log:
level: info
timeEncoding: epoch
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
repository: ghcr.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
tag: ""
flavour: ""
imagePullSecrets: []
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
# -- Specifies `hostAliases` to cert-controller deployment
hostAliases: []
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Set deployment strategy
strategy: {}
# -- Run the certController on the host network
hostNetwork: false
# -- (bool) Specifies if certController pod should use hostUsers or not. If hostNetwork is true, hostUsers should be too. Only available in Kubernetes ≥ 1.33.
# @schema type: [boolean, null]
hostUsers:
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1 # @schema type:[integer, string]
nameOverride: ""
# maxUnavailable: "50%"
metrics:
listen:
port: 8080
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
startupProbe:
# -- Enabled determines if the startup probe should be used or not. By default it's disabled.
enabled: false
# -- whether to use the readiness probe port for startup probe.
useReadinessProbePort: true
# -- Port for startup probe.
port: ""
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra init containers to add to the pod.
extraInitContainers: []
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Specifies `dnsPolicy` to deployment
dnsPolicy: ClusterFirst
# -- Specifies `dnsConfig` (DNS options) to deployment
dnsConfig: {}
# -- Specifies `hostAliases` to deployment
hostAliases: []
# -- Any extra pod spec on the deployment
podSpecExtra: {}