252 lines
8.8 KiB
YAML
252 lines
8.8 KiB
YAML
# Default values for freeipa.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
replicaCount: 1
|
|
|
|
hostname: freeipa.example.org
|
|
|
|
image:
|
|
repository: freeipa/freeipa-server
|
|
pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
tag: "fedora-36-4.9.10"
|
|
|
|
# # IPA Server must know it's own hostname to work properly....
|
|
# # These values will probs need to be overwritten or could use lookup function?
|
|
# app_domain: apps.mycluster.example.com
|
|
# admin_password: Passw0rd
|
|
# realm: "-r redhatlabs.dev"
|
|
|
|
# # sensible defaults
|
|
# install_opts: "-U --setup-dns --no-forwarders --no-ntp"
|
|
# container_args: "ipa-server-install"
|
|
# volume: 5Gi
|
|
|
|
# # this can be used if not using helm install to set the correct ns
|
|
# # namespaceOverride: ipa
|
|
|
|
# # this example is using the ldap admin user and password as the bind creds
|
|
# # and expects a group in ldap called `student`
|
|
# # disabled by default so as to not overwrite existing oauth configs in openshift-config ns
|
|
# ocp_auth:
|
|
# enabled: false
|
|
# bind_dn: "uid=admin,cn=users,cn=accounts,dc=redhatlabs,dc=dev"
|
|
# bind_password: Passw0rd
|
|
# base: "cn=student,cn=groups,cn=accounts,dc=redhatlabs,dc=dev"
|
|
# domain: "dc=redhatlabs,dc=dev"
|
|
|
|
# machineconfig:
|
|
# ignition_version: 3.1.0
|
|
|
|
command: {}
|
|
|
|
args:
|
|
realm: EXAMPLE.ORG
|
|
domain: example.org
|
|
dspassword: ASDF1poiu2QWER3mnbv4 #pragma: allowlist secret
|
|
adminpassword: ASDF1poiu2QWER3mnbv4 #pragma: allowlist secret
|
|
nohostdns: true
|
|
nontp: true
|
|
setupdns: false
|
|
autoforwarders: true # if setup dns is true thiw will be applicable
|
|
allowzoneoverlap: true # if setup dns is true thiw will be applicable
|
|
sshtrustdns: false
|
|
|
|
## Enable persistence using Persistent Volume Claims
|
|
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
##
|
|
persistence:
|
|
## @param persistence.enabled Enable HashiCorp Consul data persistence using PVC, use a Persistent Volume Claim, If false, use emptyDir
|
|
##
|
|
enabled: true
|
|
## @param persistence.storageClass Persistent Volume storage class
|
|
## If defined, storageClassName: <storageClass>
|
|
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
|
## If undefined (the default) or set to null, no storageClassName spec is
|
|
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
|
## GKE, AWS & OpenStack)
|
|
##
|
|
storageClass: ""
|
|
## @param persistence.annotations Persistent Volume Claim annotations
|
|
##
|
|
annotations: {}
|
|
## @param persistence.accessModes Persistent Volume Access Mode
|
|
##
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
## @param persistence.size PVC Storage Request for HashiCorp Consul data volume
|
|
##
|
|
size: 5Gi
|
|
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
extraEnv: {}
|
|
|
|
podAnnotations: {}
|
|
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
containerSecurityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
## Container security context
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
|
|
## @param metrics.containerSecurityContext.enabled HashiCorp Consul Prometheus Exporter securityContext
|
|
## @param metrics.containerSecurityContext.runAsUser User ID for the HashiCorp Consul Prometheus Exporter
|
|
## @param metrics.containerSecurityContext.runAsNonRoot Force the container to be run as non root
|
|
##
|
|
|
|
service:
|
|
type: ClusterIP
|
|
#clusterIP: 10.43.201.201
|
|
port: 80
|
|
|
|
## Configure the ingress resource that allows you to access the Consul UI
|
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
|
##
|
|
ingress:
|
|
## @param ingress.enabled Enable ingress resource for Management console
|
|
##
|
|
enabled: false
|
|
## @param ingress.path Path for the default host
|
|
##
|
|
path: /
|
|
## @param ingress.apiVersion Override API Version (automatically detected if not set)
|
|
##
|
|
apiVersion: ""
|
|
## @param ingress.pathType Ingress path type
|
|
##
|
|
pathType: ImplementationSpecific
|
|
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
|
|
## certManager: false
|
|
##
|
|
|
|
## @param ingress.hostname Default host for the ingress resource, a host pointing to this will be created
|
|
##
|
|
hostname: example.org
|
|
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
|
|
## For a full list of possible ingress annotations, please see
|
|
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
|
|
## Use this parameter to set the required annotations for cert-manager, see
|
|
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
|
|
##
|
|
## e.g:
|
|
## annotations:
|
|
## kubernetes.io/ingress.class: nginx
|
|
## cert-manager.io/cluster-issuer: cluster-issuer-name
|
|
##
|
|
annotations: {}
|
|
## @param ingress.ingressClassName Set the ingerssClassName on the ingress record for k8s 1.18+
|
|
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
|
|
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
|
|
##
|
|
ingressClassName: ""
|
|
## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
|
|
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
|
|
## or a custom one if you use the tls.existingSecret parameter
|
|
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
|
|
## Example:
|
|
## existingSecret: name-of-existing-secret
|
|
##
|
|
tls: false
|
|
## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
|
|
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
|
|
## extraHosts:
|
|
## - name: consul-ui.local
|
|
## path: /
|
|
##
|
|
extraHosts: []
|
|
## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
|
|
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
|
|
## extraPaths:
|
|
## - path: /*
|
|
## backend:
|
|
## serviceName: ssl-redirect
|
|
## servicePort: use-annotation
|
|
##
|
|
extraPaths: []
|
|
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
|
|
##
|
|
selfSigned: false
|
|
## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
|
|
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
|
## extraTls:
|
|
## - hosts:
|
|
## - consul-ui.local
|
|
## secretName: rconsul-ui.local-tls
|
|
##
|
|
extraTls: []
|
|
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
|
|
## key and certificate should start with -----BEGIN CERTIFICATE----- or
|
|
## -----BEGIN RSA PRIVATE KEY-----
|
|
##
|
|
## name should line up with a tlsSecret set further up
|
|
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
|
|
##
|
|
## It is also possible to create and manage the certificates outside of this helm chart
|
|
## Please see README.md for more information
|
|
## Example:
|
|
## - name: consul-ui.local-tls
|
|
## key:
|
|
## certificate:
|
|
##
|
|
secrets: []
|
|
## @param ingress.existingSecret It is you own the certificate as secret.
|
|
existingSecret: ""
|
|
## @param ingress.extraRules Additional rules to be covered with this ingress record
|
|
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
|
|
## e.g:
|
|
## extraRules:
|
|
## - host: example.local
|
|
## http:
|
|
## path: /
|
|
## backend:
|
|
## service:
|
|
## name: example-svc
|
|
## port:
|
|
## name: http
|
|
##
|
|
extraRules: []
|
|
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
nodeSelector: {}
|
|
|
|
tolerations: []
|
|
|
|
affinity: {}
|
|
|
|
## Enable diagnostic mode in the deployment
|
|
##
|
|
diagnosticMode:
|
|
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
|
|
##
|
|
enabled: false
|
|
## @param diagnosticMode.command Command to override all containers in the deployment
|
|
##
|
|
command:
|
|
- sleep
|
|
## @param diagnosticMode.args Args to override all containers in the deployment
|
|
##
|
|
args:
|
|
- infinity
|
|
|