oc-k8s/opencloud/charts/hydra/values.yaml
2024-12-02 13:20:11 +01:00


# -- Number of ORY Hydra members
replicaCount: 1
image:
  # -- ORY Hydra image
  repository: oryd/hydra
  # -- ORY Hydra version. Keep this pinned to an explicit release tag (or a digest) so upgrades are
  # deliberate and reproducible; never `latest`.
  tag: v2.2.0
  # -- Image pull policy
  pullPolicy: IfNotPresent
# -- Image pull secrets
imagePullSecrets: []
# -- Chart name override
nameOverride: ""
# -- Full chart name override
fullnameOverride: ""
# -- Pod priority
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
## -- Configures the Kubernetes service
service:
  # -- Configures the Kubernetes service for the proxy port.
  public:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4444
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    # If you do want to specify additional labels, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g. app: hydra
  # -- Configures the Kubernetes service for the api port.
  # The admin API carries no authentication of its own: keep this a ClusterIP service reachable only
  # by trusted in-cluster components (e.g. hydra-maester) and never expose it directly to end users.
  admin:
    # -- En-/disable the service
    enabled: true
    # -- The service type
    type: ClusterIP
    # -- The load balancer IP
    loadBalancerIP: ""
    # -- The service port
    port: 4445
    # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio)
    name: http
    # -- If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    labels: {}
    # If you do want to specify additional labels, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'labels:'.
    # e.g. app: hydra
  # -- Path to the metrics endpoint (served on the admin port)
  metricsPath: /admin/metrics/prometheus
## -- Secret management
secret:
  # -- switch to false to prevent creating the secret
  enabled: true
  # -- Provide custom name of existing secret, or custom name of secret to be created
  nameOverride: ""
  # nameOverride: "myCustomSecret"
  # -- Annotations to be added to secret. Annotations are added only when secret is being created. Existing secret will not be modified.
  secretAnnotations:
    # Create the secret before installation, and only then. This saves the secret from regenerating during an upgrade
    # pre-upgrade is needed to upgrade from 0.7.0 to newer. Can be deleted afterwards.
    helm.sh/hook-weight: "0"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
    # `keep` means the Secret survives `helm uninstall`; remove it explicitly if the credentials
    # it holds must be destroyed together with the release.
    helm.sh/resource-policy: "keep"
  # -- switch to false to prevent checksum annotations being maintained and propagated to the pods
  hashSumEnabled: true
## -- Configure ingress
ingress:
  # -- Configure ingress for the proxy port.
  public:
    # -- En-/Disable the proxy ingress.
    enabled: false
    # -- Preferred over the deprecated `kubernetes.io/ingress.class` annotation shown below.
    className: ""
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: public.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls: []
    #  hosts:
    #    - proxy.hydra.local
    #  - secretName: hydra-proxy-example-tls
  # -- Configure ingress for the api (admin) port.
  # The admin API is unauthenticated; leave this disabled unless the ingress is fronted by
  # its own authentication and restricted to operators.
  admin:
    # -- En-/Disable the api ingress.
    enabled: false
    className: ""
    annotations: {}
    # If you do want to specify annotations, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'annotations:'.
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: admin.hydra.localhost
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls: []
    #  hosts:
    #    - api.hydra.local
    #  - secretName: hydra-api-example-tls
## -- Configure ORY Hydra itself
hydra:
  # -- Ability to override the entrypoint of hydra container
  # (e.g. to source dynamic secrets or export environment dynamic variables)
  command: ["hydra"]
  # -- Ability to override arguments of the entrypoint. Can be used independently of customCommand
  customArgs: []
  # -- The ORY Hydra configuration. For a full list of available settings, check:
  # https://www.ory.sh/docs/hydra/reference/configuration
  config:
    serve:
      public:
        port: 4444
      admin:
        port: 4445
      tls:
        # -- CIDR ranges from which Hydra accepts `X-Forwarded-Proto: https` as proof that TLS was
        # terminated upstream (see the configuration reference). The defaults are the RFC 1918 private
        # ranges; narrow them to the CIDRs of your ingress/proxy where you can, because any client
        # inside a listed range can present itself to Hydra as a TLS-secured request.
        allow_termination_from:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
    # -- The secrets have to be provided as a string slice, example:
    # system:
    #   - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa"
    #   - "foo bar 123 456 lorem"
    #   - "foo bar 123 456 lorem 1"
    #   - "foo bar 123 456 lorem 2"
    #   - "foo bar 123 456 lorem 3"
    # Supply these from a secret store or an existing Secret (see `secret.nameOverride`) rather than
    # committing them to a values file. Per the Hydra configuration reference the first entry is the
    # active key and the remaining entries are kept for verification, so rotate by prepending a new
    # secret and keeping the old ones until they are no longer needed.
    secrets: {}
    # -- Configure the urls used by hydra itself, such as the issuer.
    # Note: some values are required for hydra to start, please refer to https://www.ory.sh/docs/hydra/self-hosted/kubernetes-helm-chart
    # self:
    #   issuer: "https://public.hydra.localhost:4444/"
    urls:
      self: {}
  # -- Enables database migration
  automigration:
    enabled: false
    # -- Configure the way to execute database migration. Possible values: job, initContainer
    # When set to job, the migration will be executed as a job on release or upgrade.
    # When set to initContainer, the migration will be executed when the hydra pod is created
    # Defaults to job
    type: job
    # -- Ability to override the entrypoint of the automigration container
    # (e.g. to source dynamic secrets or export environment dynamic variables)
    customCommand: []
    # -- Ability to override arguments of the entrypoint. Can be used independently of customCommand
    # eg:
    # - sleep 5;
    # - hydra
    customArgs: []
    # -- resource requests and limits for the automigration initcontainer
    resources: {}
  # -- Enable dev mode, not secure in production environments
  dev: false
## -- Deployment specific config
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: "25%"
      maxUnavailable: "25%"
  # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
  # This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  resources: {}
  ## -- initContainer securityContext for hydra & migration init
  initContainerSecurityContext: {}
  ## -- pod securityContext for hydra & migration init
  podSecurityContext:
    fsGroupChangePolicy: "OnRootMismatch"
    runAsNonRoot: true
    runAsUser: 65534
    fsGroup: 65534
    runAsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
  ## -- container securityContext for hydra & migration init
  # These defaults satisfy the "restricted" Pod Security Standard (non-root, no privilege
  # escalation, all capabilities dropped, RuntimeDefault seccomp, read-only root filesystem);
  # loosen individual fields rather than replacing the whole map.
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    allowPrivilegeEscalation: false
    privileged: false
    # The MCS level below is a placeholder; set it to a level that matches your SELinux policy,
    # or drop `seLinuxOptions` entirely on nodes without SELinux.
    seLinuxOptions:
      level: "s0:c123,c456"
  lifecycle: {}
  # -- Set custom deployment level labels
  labels: {}
  # -- Set custom deployment level annotations
  annotations: {}
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  # foo: bar
  # -- Array of extra envs to be passed to the deployment. Kubernetes format is expected. Value is processed with Helm
  # `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []
  # -- Parameters for the automigration initContainer
  automigration:
    # -- Array of extra envs to be passed to the initContainer. Kubernetes format is expected. Value is processed with
    # Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []
  # -- Configure node tolerations.
  tolerations: []
  # -- Configure pod topologySpreadConstraints.
  topologySpreadConstraints: []
  # - maxSkew: 1
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: DoNotSchedule
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/name: hydra
  #       app.kubernetes.io/instance: hydra
  # -- Configure pod dnsConfig.
  dnsConfig: {}
  # options:
  #   - name: "ndots"
  #     value: "1"
  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provide specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
  # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations: {}
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""
  # -- If you want to mount external volume
  extraVolumes: []
  # - name: my-volume
  #   secret:
  #     secretName: my-secret
  extraVolumeMounts: []
  # - name: my-volume
  #   mountPath: /etc/secrets/my-secret
  #   readOnly: true
  # For example, mount a secret containing Certificate root CA to verify database
  # TLS connection.
  # extraVolumes:
  #   - name: postgresql-tls
  #     secret:
  #       secretName: postgresql-root-ca
  # extraVolumeMounts:
  #   - name: postgresql-tls
  #     mountPath: "/etc/postgresql-tls"
  #     readOnly: true
  # -- Configure HPA
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPU: {}
    # type: Utilization
    # averageUtilization: 80
    targetMemory: {}
    # type: Utilization
    # averageUtilization: 80
    # -- Set custom behavior
    # https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior
    behavior: {}
  # -- Default probe timers
  readinessProbe:
    initialDelaySeconds: 5
    periodSeconds: 10
    failureThreshold: 5
  # -- Default probe timers
  startupProbe:
    failureThreshold: 5
    successThreshold: 1
    periodSeconds: 1
    timeoutSeconds: 1
    initialDelaySeconds: 0
  # -- The Hydra server itself does not call the Kubernetes API, so the service account token is
  # not mounted into its pods (unlike the job, cronjob and watcher pods, which set this to true).
  automountServiceAccountToken: false
  terminationGracePeriodSeconds: 60
  # -- If you want to add extra init containers. These are processed before the migration init container.
  extraInitContainers: ""
  # extraInitContainers: |
  #   - name: ...
  #     image: ...
  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #   - name: ...
  #     image: ...
  # -- Configure a custom livenessProbe. This overwrites the default object
  customLivenessProbe: {}
  # -- Configure a custom readinessProbe. This overwrites the default object
  customReadinessProbe: {}
  # -- Configure a custom startupProbe. This overwrites the default object
  customStartupProbe: {}
  # -- Number of revisions kept in history
  revisionHistoryLimit: 5
## -- Values for initialization job
job:
  # -- Annotations for the migration job. The helm.sh hook annotations below make it run before
  # install/upgrade; add further annotations alongside them as needed.
  annotations:
    # hook-weight "1" orders this job after the service account below (hook-weight "0").
    helm.sh/hook-weight: "1"
    helm.sh/hook: "pre-install, pre-upgrade"
    helm.sh/hook-delete-policy: "before-hook-creation"
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  # -- Set custom deployment level labels
  labels: {}
  # -- If you want to add extra sidecar containers.
  extraContainers: ""
  # extraContainers: |
  #   - name: ...
  #     image: ...
  # -- Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format
  # is expected. Value is processed with Helm `tpl`
  # - name: FOO
  #   value: BAR
  extraEnv: []
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- If you want to add extra init containers.
  # extraInitContainers: |
  #   - name: ...
  #     image: ...
  extraInitContainers: ""
  # -- Node labels for pod assignment.
  nodeSelector: {}
  # If you do want to specify node labels, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'nodeSelector:'.
  # foo: bar
  # -- resource requests and limits for the automigration job
  resources: {}
  # -- Configure node tolerations.
  tolerations: []
  # -- If you want to add lifecycle hooks.
  lifecycle: ""
  # lifecycle: |
  #   preStop:
  #     exec:
  #       command: [...]
  # -- Set automounting of the SA token. Set to false unless the migration pod genuinely needs
  # Kubernetes API access; the deployment leaves it disabled.
  automountServiceAccountToken: true
  # -- Set sharing process namespace
  shareProcessNamespace: false
  # -- Specify the serviceAccountName value.
  # In some situations it is needed to provide specific permissions to Hydra deployments
  # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
  # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: true
    # -- Annotations to add to the service account
    annotations:
      helm.sh/hook-weight: "0"
      helm.sh/hook: "pre-install, pre-upgrade"
      helm.sh/hook-delete-policy: "before-hook-creation"
    # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
    name: ""
  spec:
    # -- Set job back off limit
    backoffLimit: 10
## -- Configure node affinity
affinity: {}
## -- Configures controller setup
maester:
  enabled: true
## -- Values for the hydra admin service arguments to hydra-maester
# hydra-maester talks to the admin API, so it is one of the in-cluster clients
# `service.admin` must stay reachable for.
hydra-maester:
  adminService:
    # -- The service name value may need to be set if you use `fullnameOverride` for the parent chart
    name: ""
    # -- You only need to set this port if you change the value for `service.admin.port` in the parent chart
    # port:
## -- Sidecar watcher configuration
watcher:
  enabled: false
  image: oryd/k8s-toolbox:v0.0.7
  # -- Path to mounted file, which will be monitored for changes. eg: /etc/secrets/my-secret/foo
  mountFile: ""
  # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
  podMetadata:
    # -- Extra pod level labels
    labels: {}
    # -- Extra pod level annotations
    annotations: {}
  # -- Label key used for managing applications
  watchLabelKey: "ory.sh/watcher"
  # -- Number of revisions kept in history
  revisionHistoryLimit: 5
  # -- pod securityContext for watcher deployment
  podSecurityContext: {}
  resources: {}
  # NOTE(review): presumably true because the watcher acts on the Kubernetes API when the watched
  # file changes — confirm against the watcher template and keep its RBAC scoped to what it needs.
  automountServiceAccountToken: true
  # -- container securityContext for watcher deployment
  securityContext:
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 100
    allowPrivilegeEscalation: false
    privileged: false
## -- Janitor cron job configuration
janitor:
  # -- Enable cleanup of stale database rows by periodically running the janitor command
  enabled: false
  # -- Configure if the trust relationships must be cleaned up
  cleanupGrants: false
  # -- Configure if the consent and authentication requests must be cleaned up
  cleanupRequests: false
  # -- Configure if the access and refresh tokens must be cleaned up
  cleanupTokens: false
  # -- Configure how many records are deleted with each iteration
  batchSize: 100
  # -- Configure how many records are retrieved from database for deletion
  limit: 10000
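## -- CronJob configuration
cronjob:
  janitor:
    # -- Configure how often the cron job is ran
    schedule: "0 */1 * * *"
    # -- Configure a custom entrypoint, overriding the default value
    customCommand: []
    # -- Configure the arguments of the entrypoint, overriding the default value
    customArgs: []
    # -- Array of extra envs to be passed to the cronjob. This takes precedence over deployment variables. Kubernetes
    # format is expected. Value is processed with Helm `tpl`
    # - name: FOO
    #   value: BAR
    extraEnv: []
    # -- If you want to add extra init containers. These are processed before the migration init container.
    extraInitContainers: ""
    # extraInitContainers: |
    #   - name: ...
    #     image: ...
    # -- If you want to add extra sidecar containers.
    extraContainers: ""
    # extraContainers: |
    #   - name: ...
    #     image: ...
    # -- If you want to mount external volume
    extraVolumes: []
    # - name: my-volume
    #   secret:
    #     secretName: my-secret
    extraVolumeMounts: []
    # - name: my-volume
    #   mountPath: /etc/secrets/my-secret
    #   readOnly: true
    # -- Set custom cron job level labels
    labels: {}
    # -- Set custom cron job level annotations
    annotations: {}
    # -- Specify pod metadata, this metadata is added directly to the pod, and not higher objects
    podMetadata:
      # -- Extra pod level labels
      labels: {}
      # -- Extra pod level annotations
      annotations: {}
    # -- Configure node labels for pod assignment
    nodeSelector: {}
    # -- Configure node tolerations
    tolerations: []
    # -- Configure node affinity
    affinity: {}
    # -- Set automounting of the SA token. Set to false unless the janitor pod genuinely needs
    # Kubernetes API access; the deployment leaves it disabled.
    automountServiceAccountToken: true
    # -- Specify the serviceAccountName value.
    # In some situations it is needed to provide specific permissions to Hydra deployments
    # Like for example installing Hydra on a cluster with a PodSecurityPolicy and Istio.
    # Uncomment if it is needed to provide a ServiceAccount for the Hydra deployment.
    serviceAccount:
      # -- Specifies whether a service account should be created
      create: true
      # -- Annotations to add to the service account
      annotations:
        helm.sh/hook-weight: "0"
        helm.sh/hook: "pre-install, pre-upgrade"
        helm.sh/hook-delete-policy: "before-hook-creation"
      # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
      name: ""
    # -- Configure the containers' SecurityContext for the janitor cronjob.
    # Aligned with `deployment.securityContext` and `watcher.securityContext`: the RuntimeDefault
    # seccomp profile was missing here, which kept this pod from meeting the "restricted"
    # Pod Security Standard while the others did.
    securityContext:
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 100
      allowPrivilegeEscalation: false
      privileged: false
    ## -- pod securityContext for the janitor cronjob
    podSecurityContext: {}
    # -- We usually recommend not to specify default resources and to leave this as a conscious choice for the user.
    # This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
    resources:
      limits: {}
      requests: {}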
## -- PodDisruptionBudget configuration
pdb:
  enabled: false
  # -- Set exactly one of minAvailable / maxUnavailable; an empty string leaves the field unset.
  spec:
    minAvailable: ""
    maxUnavailable: ""
## -- Parameters for the Prometheus ServiceMonitor objects.
# Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html
serviceMonitor:
  # -- switch to true to enable creating the ServiceMonitor
  enabled: false
  # -- HTTP scheme to use for scraping. Use `https` together with `tlsConfig` when the admin
  # port is served over TLS.
  scheme: http
  # -- Interval at which metrics should be scraped
  scrapeInterval: 60s
  # -- Timeout after which the scrape is ended
  scrapeTimeout: 30s
  # -- Provide additional labels to the ServiceMonitor resource metadata
  labels: {}
  # -- TLS configuration to use when scraping the endpoint
  tlsConfig: {}
configmap:
  # -- switch to false to prevent checksum annotations being maintained and propagated to the pods
  hashSumEnabled: true
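test:
  # -- Provide additional labels to the test pod
  labels: {}
  # -- use a busybox image from another repository
  busybox:
    repository: busybox
    # -- Image tag. Quoted so YAML keeps it a string (an unquoted `1` parses as an integer and a
    # tag such as `1.36` would be read as a float); prefer a fully specified release tag.
    tag: "1"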