values.yaml 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629
  1. global:
  2. nodeSelector: {}
  3. tolerations: []
  4. topologySpreadConstraints: []
  5. affinity: {}
  6. compatibility:
  7. openshift:
  8. # -- Manages the securityContext properties to make them compatible with OpenShift.
  9. # Possible values:
  10. # auto - Apply configurations if it is detected that OpenShift is the target platform.
  11. # force - Always apply configurations.
  12. # disabled - No modification applied.
  13. adaptSecurityContext: auto
  14. replicaCount: 1
  15. bitwarden-sdk-server:
  16. enabled: false
  17. namespaceOverride: ""
  18. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  19. revisionHistoryLimit: 10
  20. image:
  21. repository: oci.external-secrets.io/external-secrets/external-secrets
  22. pullPolicy: IfNotPresent
  23. # -- The image tag to use. The default is the chart appVersion.
  24. tag: ""
  25. # -- The flavour of tag you want to use
  26. # There are different image flavours available, like distroless and ubi.
  27. # Please see GitHub release notes for image tags for these flavors.
  28. # By default, the distroless image is used.
  29. flavour: ""
  30. # -- If set, install and upgrade CRDs through helm chart.
  31. installCRDs: true
  32. crds:
  33. # -- If true, create CRDs for Cluster External Secret.
  34. createClusterExternalSecret: true
  35. # -- If true, create CRDs for Cluster Secret Store.
  36. createClusterSecretStore: true
  37. # -- If true, create CRDs for Cluster Generator.
  38. createClusterGenerator: true
  39. # -- If true, create CRDs for Cluster Push Secret.
  40. createClusterPushSecret: true
  41. # -- If true, create CRDs for Push Secret.
  42. createPushSecret: true
  43. annotations: {}
  44. conversion:
  45. # -- Conversion is disabled by default as we stopped supporting v1alpha1.
  46. enabled: false
  47. imagePullSecrets: []
  48. nameOverride: ""
  49. fullnameOverride: ""
  50. namespaceOverride: ""
  51. # -- Additional labels added to all helm chart resources.
  52. commonLabels: {}
  53. # -- If true, external-secrets will perform leader election between instances to ensure no more
  54. # than one instance of external-secrets operates at a time.
  55. leaderElect: false
  56. # -- If set external secrets will filter matching
  57. # Secret Stores with the appropriate controller values.
  58. controllerClass: ""
  59. # -- If true external secrets will use recommended kubernetes
  60. # annotations as prometheus metric labels.
  61. extendedMetricLabels: false
  62. # -- If set external secrets are only reconciled in the
  63. # provided namespace
  64. scopedNamespace: ""
  65. # -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
  66. # and implicitly disable cluster stores and cluster external secrets
  67. scopedRBAC: false
  68. # -- If true the OpenShift finalizer permissions will be added to RBAC
  69. openshiftFinalizers: true
  70. # -- if true, the operator will process cluster external secret. Else, it will ignore them.
  71. processClusterExternalSecret: true
  72. # -- if true, the operator will process cluster push secret. Else, it will ignore them.
  73. processClusterPushSecret: true
  74. # -- if true, the operator will process cluster store. Else, it will ignore them.
  75. processClusterStore: true
  76. # -- if true, the operator will process cluster generator. Else, it will ignore them.
  77. processClusterGenerator: true
  78. # -- if true, the operator will process push secret. Else, it will ignore them.
  79. processPushSecret: true
  80. # -- Specifies whether an external secret operator deployment be created.
  81. createOperator: true
  82. # -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
  83. # a time.
  84. concurrent: 1
  85. # -- Specifies Log Params to the External Secrets Operator
  86. log:
  87. level: info
  88. timeEncoding: epoch
  89. service:
  90. # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  91. ipFamilyPolicy: ""
  92. # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  93. ipFamilies: []
  94. serviceAccount:
  95. # -- Specifies whether a service account should be created.
  96. create: true
  97. # -- Automounts the service account token in all containers of the pod
  98. automount: true
  99. # -- Annotations to add to the service account.
  100. annotations: {}
  101. # -- Extra Labels to add to the service account.
  102. extraLabels: {}
  103. # -- The name of the service account to use.
  104. # If not set and create is true, a name is generated using the fullname template.
  105. name: ""
  106. rbac:
  107. # -- Specifies whether role and rolebinding resources should be created.
  108. create: true
  109. servicebindings:
  110. # -- Specifies whether a clusterrole to give servicebindings read access should be created.
  111. create: true
  112. # -- Specifies whether permissions are aggregated to the view ClusterRole
  113. aggregateToView: true
  114. # -- Specifies whether permissions are aggregated to the edit ClusterRole
  115. aggregateToEdit: true
  116. ## -- Extra environment variables to add to container.
  117. extraEnv: []
  118. ## -- Map of extra arguments to pass to container.
  119. extraArgs: {}
  120. ## -- Extra volumes to pass to pod.
  121. extraVolumes: []
  122. ## -- Extra Kubernetes objects to deploy with the helm chart
  123. extraObjects: []
  124. ## -- Extra volumes to mount to the container.
  125. extraVolumeMounts: []
  126. ## -- Extra init containers to add to the pod.
  127. extraInitContainers: []
  128. ## -- Extra containers to add to the pod.
  129. extraContainers: []
  130. # -- Annotations to add to Deployment
  131. deploymentAnnotations: {}
  132. # -- Set deployment strategy
  133. strategy: {}
  134. # -- Annotations to add to Pod
  135. podAnnotations: {}
  136. podLabels: {}
  137. podSecurityContext:
  138. enabled: true
  139. # fsGroup: 2000
  140. securityContext:
  141. allowPrivilegeEscalation: false
  142. capabilities:
  143. drop:
  144. - ALL
  145. enabled: true
  146. readOnlyRootFilesystem: true
  147. runAsNonRoot: true
  148. runAsUser: 1000
  149. seccompProfile:
  150. type: RuntimeDefault
  151. resources: {}
  152. # requests:
  153. # cpu: 10m
  154. # memory: 32Mi
  155. serviceMonitor:
  156. # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
  157. enabled: false
  158. # -- namespace where you want to install ServiceMonitors
  159. namespace: ""
  160. # -- Additional labels
  161. additionalLabels: {}
  162. # -- Interval to scrape metrics
  163. interval: 30s
  164. # -- Timeout if metrics can't be retrieved in given time interval
  165. scrapeTimeout: 25s
  166. # -- Let prometheus add an exported_ prefix to conflicting labels
  167. honorLabels: false
  168. # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
  169. metricRelabelings: []
  170. # - action: replace
  171. # regex: (.*)
  172. # replacement: $1
  173. # sourceLabels:
  174. # - exported_namespace
  175. # targetLabel: namespace
  176. # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
  177. relabelings: []
  178. # - sourceLabels: [__meta_kubernetes_pod_node_name]
  179. # separator: ;
  180. # regex: ^(.*)$
  181. # targetLabel: nodename
  182. # replacement: $1
  183. # action: replace
  184. metrics:
  185. listen:
  186. port: 8080
  187. service:
  188. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  189. enabled: false
  190. # -- Metrics service port to scrape
  191. port: 8080
  192. # -- Additional service annotations
  193. annotations: {}
  194. grafanaDashboard:
  195. # -- If true creates a Grafana dashboard.
  196. enabled: false
  197. # -- Label that ConfigMaps should have to be loaded as dashboards.
  198. sidecarLabel: "grafana_dashboard"
  199. # -- Label value that ConfigMaps should have to be loaded as dashboards.
  200. sidecarLabelValue: "1"
  201. # -- Annotations that ConfigMaps can have to get configured in Grafana,
  202. # See: sidecar.dashboards.folderAnnotation for specifying the dashboard folder.
  203. # https://github.com/grafana/helm-charts/tree/main/charts/grafana
  204. annotations: {}
  205. livenessProbe:
  206. # -- Enabled determines if the liveness probe should be used or not. By default it's disabled.
  207. enabled: false
  208. # -- Address for liveness probe.
  209. address: ""
  210. # -- Specify the maximum amount of time to wait for a probe to respond before considering it fails.
  211. timeoutSeconds: 5
  212. # -- Number of consecutive probe failures that should occur before considering the probe as failed.
  213. failureThreshold: 5
  214. # -- Period in seconds for K8s to start performing probes.
  215. periodSeconds: 10
  216. # -- Number of successful probes to mark probe successful.
  217. successThreshold: 1
  218. # -- Delay in seconds for the container to start before performing the initial probe.
  219. initialDelaySeconds: 10
  220. # -- Handler for liveness probe.
  221. httpGet:
  222. # -- Set this value to 8082 to active liveness probes.
  223. port: "8082"
  224. path: /healthz
  225. nodeSelector: {}
  226. tolerations: []
  227. topologySpreadConstraints: []
  228. affinity: {}
  229. # -- Pod priority class name.
  230. priorityClassName: ""
  231. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  232. podDisruptionBudget:
  233. enabled: false
  234. minAvailable: 1 # @schema type:[integer, string]
  235. nameOverride: ""
  236. # maxUnavailable: "50%"
  237. # -- Run the controller on the host network
  238. hostNetwork: false
  239. webhook:
  240. # -- Annotations to place on validating webhook configuration.
  241. annotations: {}
  242. # -- Specifies whether a webhook deployment be created. If set to false, crds.conversion.enabled should also be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
  243. create: true
  244. # -- Specifies the time to check if the cert is valid
  245. certCheckInterval: "5m"
  246. # -- Specifies the lookaheadInterval for certificate validity
  247. lookaheadInterval: ""
  248. replicaCount: 1
  249. # -- Specifies Log Params to the Webhook
  250. log:
  251. level: info
  252. timeEncoding: epoch
  253. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  254. revisionHistoryLimit: 10
  255. certDir: /tmp/certs
  256. # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
  257. failurePolicy: Fail
  258. # -- Specifies if webhook pod should use hostNetwork or not.
  259. hostNetwork: false
  260. image:
  261. repository: oci.external-secrets.io/external-secrets/external-secrets
  262. pullPolicy: IfNotPresent
  263. # -- The image tag to use. The default is the chart appVersion.
  264. tag: ""
  265. # -- The flavour of tag you want to use
  266. flavour: ""
  267. imagePullSecrets: []
  268. nameOverride: ""
  269. fullnameOverride: ""
  270. # -- The port the webhook will listen to
  271. port: 10250
  272. rbac:
  273. # -- Specifies whether role and rolebinding resources should be created.
  274. create: true
  275. serviceAccount:
  276. # -- Specifies whether a service account should be created.
  277. create: true
  278. # -- Automounts the service account token in all containers of the pod
  279. automount: true
  280. # -- Annotations to add to the service account.
  281. annotations: {}
  282. # -- Extra Labels to add to the service account.
  283. extraLabels: {}
  284. # -- The name of the service account to use.
  285. # If not set and create is true, a name is generated using the fullname template.
  286. name: ""
  287. nodeSelector: {}
  288. certManager:
  289. # -- Enabling cert-manager support will disable the built in secret and
  290. # switch to using cert-manager (installed separately) to automatically issue
  291. # and renew the webhook certificate. This chart does not install
  292. # cert-manager for you, See https://cert-manager.io/docs/
  293. enabled: false
  294. # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
  295. # webhooks and CRDs. As long as you have the cert-manager CA Injector
  296. # enabled, this will automatically setup your webhook's CA to the one used
  297. # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
  298. addInjectorAnnotations: true
  299. cert:
  300. # -- Create a certificate resource within this chart. See
  301. # https://cert-manager.io/docs/usage/certificate/
  302. create: true
  303. # -- For the Certificate created by this chart, setup the issuer. See
  304. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
  305. issuerRef:
  306. group: cert-manager.io
  307. kind: "Issuer"
  308. name: "my-issuer"
  309. # -- Set the requested duration (i.e. lifetime) of the Certificate. See
  310. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  311. # One year by default.
  312. duration: "8760h"
  313. # -- Set the revisionHistoryLimit on the Certificate. See
  314. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  315. # Defaults to 0 (ignored).
  316. revisionHistoryLimit: 0
  317. # -- How long before the currently issued certificate’s expiry
  318. # cert-manager should renew the certificate. See
  319. # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
  320. # Note that renewBefore should be greater than .webhook.lookaheadInterval
  321. # since the webhook will check this far in advance that the certificate is
  322. # valid.
  323. renewBefore: ""
  324. # -- Add extra annotations to the Certificate resource.
  325. annotations: {}
  326. tolerations: []
  327. topologySpreadConstraints: []
  328. affinity: {}
  329. # -- Set deployment strategy
  330. strategy: {}
  331. # -- Pod priority class name.
  332. priorityClassName: ""
  333. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  334. podDisruptionBudget:
  335. enabled: false
  336. minAvailable: 1 # @schema type:[integer, string]
  337. nameOverride: ""
  338. # maxUnavailable: "50%"
  339. metrics:
  340. listen:
  341. port: 8080
  342. service:
  343. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  344. enabled: false
  345. # -- Metrics service port to scrape
  346. port: 8080
  347. # -- Additional service annotations
  348. annotations: {}
  349. readinessProbe:
  350. # -- Address for readiness probe
  351. address: ""
  352. # -- ReadinessProbe port for kubelet
  353. port: 8081
  354. ## -- Extra environment variables to add to container.
  355. extraEnv: []
  356. ## -- Map of extra arguments to pass to container.
  357. extraArgs: {}
  358. ## -- Extra init containers to add to the pod.
  359. extraInitContainers: []
  360. ## -- Extra volumes to pass to pod.
  361. extraVolumes: []
  362. ## -- Extra volumes to mount to the container.
  363. extraVolumeMounts: []
  364. # -- Annotations to add to Secret
  365. secretAnnotations: {}
  366. # -- Annotations to add to Deployment
  367. deploymentAnnotations: {}
  368. # -- Annotations to add to Pod
  369. podAnnotations: {}
  370. podLabels: {}
  371. podSecurityContext:
  372. enabled: true
  373. # fsGroup: 2000
  374. securityContext:
  375. allowPrivilegeEscalation: false
  376. capabilities:
  377. drop:
  378. - ALL
  379. enabled: true
  380. readOnlyRootFilesystem: true
  381. runAsNonRoot: true
  382. runAsUser: 1000
  383. seccompProfile:
  384. type: RuntimeDefault
  385. resources: {}
  386. # requests:
  387. # cpu: 10m
  388. # memory: 32Mi
  389. # -- Manage the service through which the webhook is reached.
  390. service:
  391. # -- Whether the service object should be enabled or not (it is expected to exist).
  392. enabled: true
  393. # -- Custom annotations for the webhook service.
  394. annotations: {}
  395. # -- Custom labels for the webhook service.
  396. labels: {}
  397. # -- The service type of the webhook service.
  398. type: ClusterIP
  399. # -- If the webhook service type is LoadBalancer, you can assign a specific load balancer IP here.
  400. # Check the documentation of your load balancer provider to see if/how this should be used.
  401. loadBalancerIP: ""
  402. certController:
  403. # -- Specifies whether a certificate controller deployment be created.
  404. create: true
  405. requeueInterval: "5m"
  406. replicaCount: 1
  407. # -- Specifies Log Params to the Certificate Controller
  408. log:
  409. level: info
  410. timeEncoding: epoch
  411. # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
  412. revisionHistoryLimit: 10
  413. image:
  414. repository: oci.external-secrets.io/external-secrets/external-secrets
  415. pullPolicy: IfNotPresent
  416. tag: ""
  417. flavour: ""
  418. imagePullSecrets: []
  419. nameOverride: ""
  420. fullnameOverride: ""
  421. rbac:
  422. # -- Specifies whether role and rolebinding resources should be created.
  423. create: true
  424. serviceAccount:
  425. # -- Specifies whether a service account should be created.
  426. create: true
  427. # -- Automounts the service account token in all containers of the pod
  428. automount: true
  429. # -- Annotations to add to the service account.
  430. annotations: {}
  431. # -- Extra Labels to add to the service account.
  432. extraLabels: {}
  433. # -- The name of the service account to use.
  434. # If not set and create is true, a name is generated using the fullname template.
  435. name: ""
  436. nodeSelector: {}
  437. tolerations: []
  438. topologySpreadConstraints: []
  439. affinity: {}
  440. # -- Set deployment strategy
  441. strategy: {}
  442. # -- Run the certController on the host network
  443. hostNetwork: false
  444. # -- Pod priority class name.
  445. priorityClassName: ""
  446. # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  447. podDisruptionBudget:
  448. enabled: false
  449. minAvailable: 1 # @schema type:[integer, string]
  450. nameOverride: ""
  451. # maxUnavailable: "50%"
  452. metrics:
  453. listen:
  454. port: 8080
  455. service:
  456. # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
  457. enabled: false
  458. # -- Metrics service port to scrape
  459. port: 8080
  460. # -- Additional service annotations
  461. annotations: {}
  462. readinessProbe:
  463. # -- Address for readiness probe
  464. address: ""
  465. # -- ReadinessProbe port for kubelet
  466. port: 8081
  467. ## -- Extra environment variables to add to container.
  468. extraEnv: []
  469. ## -- Map of extra arguments to pass to container.
  470. extraArgs: {}
  471. ## -- Extra init containers to add to the pod.
  472. extraInitContainers: []
  473. ## -- Extra volumes to pass to pod.
  474. extraVolumes: []
  475. ## -- Extra volumes to mount to the container.
  476. extraVolumeMounts: []
  477. # -- Annotations to add to Deployment
  478. deploymentAnnotations: {}
  479. # -- Annotations to add to Pod
  480. podAnnotations: {}
  481. podLabels: {}
  482. podSecurityContext:
  483. enabled: true
  484. # fsGroup: 2000
  485. securityContext:
  486. allowPrivilegeEscalation: false
  487. capabilities:
  488. drop:
  489. - ALL
  490. enabled: true
  491. readOnlyRootFilesystem: true
  492. runAsNonRoot: true
  493. runAsUser: 1000
  494. seccompProfile:
  495. type: RuntimeDefault
  496. resources: {}
  497. # requests:
  498. # cpu: 10m
  499. # memory: 32Mi
  500. # -- Specifies `dnsPolicy` to deployment
  501. dnsPolicy: ClusterFirst
  502. # -- Specifies `dnsOptions` to deployment
  503. dnsConfig: {}
  504. # -- Any extra pod spec on the deployment
  505. podSpecExtra: {}