-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathvalues.yaml
164 lines (144 loc) · 6.29 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
global:
# -- Specify the platform that you use. This configuration is for internal use.
platform: ""
# replicaCount -- number of replicas to deploy
replicaCount: 3
envoyConfiguration:
# envoyConfiguration.adminAccessLogPath -- admin log path
adminAccessLogPath: /dev/stdout
# envoyConfiguration.serviceListeners -- list of service name and port
serviceListeners: scalar-service:50051,scalar-privileged:50052
image:
# image.repository -- Docker image
repository: ghcr.io/scalar-labs/scalar-envoy
# image.tag -- Docker tag
version: 2.0.0-SNAPSHOT
# image.pullPolicy -- Specify a imagePullPolicy
pullPolicy: IfNotPresent
# imagePullSecrets -- Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace.
imagePullSecrets: []
strategy:
rollingUpdate:
# strategy.rollingUpdate -- The number of pods that can be created above the desired amount of pods during an update
maxSurge: 25%
# strategy.rollingUpdate -- The number of pods that can be unavailable during the update process
maxUnavailable: 25%
# strategy.type -- New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate
type: RollingUpdate
# podSecurityContext -- PodSecurityContext holds pod-level security attributes and common container settings
podSecurityContext:
seccompProfile:
type: RuntimeDefault
# securityContext -- Setting security context at the pod applies those settings to all containers in the pod
securityContext:
# securityContext.capabilities -- Capabilities (specifically, Linux capabilities), are used for permission management in Linux. Some capabilities are enabled by default
capabilities:
drop:
- ALL
# securityContext.runAsNonRoot -- Containers should be run as a non-root user with the minimum required permissions (principle of least privilege)
runAsNonRoot: true
# securityContext.allowPrivilegeEscalation -- AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process
allowPrivilegeEscalation: false
# podAnnotations -- Pod annotations for the envoy Deployment
podAnnotations: {}
service:
# service.type -- service types in kubernetes
type: ClusterIP
# service.annotations -- Service annotations, e.g: prometheus, etc.
annotations: {}
ports:
envoy:
# service.ports.envoy.port -- envoy public port
port: 50051
# service.ports.envoy.targetPort -- envoy k8s internal name
targetPort: 50051
# service.ports.envoy.protocol -- envoy protocol
protocol: TCP
# envoy-priv:
# # service.ports.envoy-priv.port -- envoy public port
# port: 50052
# # service.ports.envoy-priv.targetPort -- envoy k8s internal name
# targetPort: 50052
# # service.ports.envoy-priv.protocol -- envoy protocol
# protocol: TCP
rbac:
# rbac.create -- If true, create and use RBAC resources
create: true
# rbac.serviceAccountAnnotations -- Annotations for the Service Account
serviceAccountAnnotations: {}
podSecurityPolicy:
# podSecurityPolicy.enabled -- enable pod security policy
enabled: false
serviceMonitor:
# serviceMonitor.enabled -- enable metrics collect with prometheus
enabled: false
# serviceMonitor.interval -- custom interval to retrieve the metrics
interval: "15s"
# serviceMonitor.namespace -- which namespace prometheus is located. by default monitoring
namespace: monitoring
prometheusRule:
# prometheusRule.enabled -- enable rules for prometheus
enabled: false
# prometheusRule.namespace -- which namespace prometheus is located. by default monitoring
namespace: monitoring
grafanaDashboard:
# grafanaDashboard.enabled -- enable grafana dashboard
enabled: false
# grafanaDashboard.namespace -- which namespace grafana dashboard is located. by default monitoring
namespace: monitoring
# resources -- resources allowed to the pod
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# nodeSelector -- nodeSelector is form of node selection constraint
nodeSelector: {}
# tolerations -- Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints.
tolerations: []
# affinity -- the affinity/anti-affinity feature, greatly expands the types of constraints you can express
affinity: {}
tls:
# -- TLS configuration between client and Envoy.
downstream:
# -- Enable TLS between client and Envoy.
enabled: false
# -- Name of the Secret containing the certificate chain file used for TLS communication.
certChainSecret: ""
# -- Name of the Secret containing the private key file used for TLS communication.
privateKeySecret: ""
certManager:
# -- Use cert-manager to manage private key and certificate files.
enabled: false
# -- Duration of a certificate.
duration: "8760h0m0s"
# -- How long before expiry a certificate should be renewed.
renewBefore: "360h0m0s"
# -- Configuration of a private key.
privateKey:
algorithm: ECDSA
encoding: PKCS1
size: 256
# -- List of key usages.
usages:
- server auth
- key encipherment
- signing
# -- Subject Alternative Name (SAN) of a certificate.
dnsNames:
- localhost
# -- Issuer references of cert-manager.
issuerRef: {}
# -- Use self-signed CA.
selfSigned:
enabled: false
# -- TLS configuration between Envoy and ScalarDB Cluster or ScalarDL.
upstream:
# -- Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL.
enabled: false
# -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL.
overrideAuthority: ""
# -- Name of the Secret containing the custom CA root certificate for TLS communication.
caRootCertSecret: ""