Config
This table was generated from config.yaml.
Cells marked with "—" mean "not specified in schema".
alerts
Alerts Config: Configure alerting.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| alerts. | string | — | Alert To |
| alerts. | array | — | See note |
| alerts. | array | — | See note |
| alerts. | object | — | Alert OpsGenie Config: Configure alerting to OpsGenie. |
| alerts. | string | https://api.eu.opsgenie.com | OpsGenie URL |
| alerts. | boolean | — | Whether to dynamically update existing alerts |
| alerts. | object | — | Alert OpsGenie Heartbeat: Configure heartbeats to OpsGenie. |
| alerts. | boolean | — | OpsGenie Heartbeat Enabled |
| alerts. | object | — | Alert runbooks: Configure runbooks for alerts. Runbooks can be configured on an alert group level or per individual alert. |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | See note |
| alerts. | string | — | Alert group runbook URL |
| alerts. | object | — | Alert Slack Config: Configure alerting to Slack. |
| alerts. | string | — | Slack Custom Template |
Notes for alerts.customReceivers[]
Alert Custom Receivers: Additional receivers that will be added to the configuration of Alertmanager.
Note
See the upstream documentation for reference.
Notes for alerts.customRoutes[]
Additional custom routes: Additional route receivers that will be added to the configuration of Alertmanager.
Note
See the upstream documentation for reference.
Notes for alerts.runbookUrls.alertmanager
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.backupStatus
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.blackbox
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.certManager
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.clusterApi
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.clusterAutoscaler
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.clusterCapacityManagement
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.configReloaders
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.coreDns
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.dailyChecks
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.diskPerf
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.falco
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.fluentd
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.general
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.harbor
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.hnc
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.kubeStateMetrics
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesApps
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesResources
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesStorage
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesSystem
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kured
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.missingMetrics
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.nodeExporter
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.nodeNetwork
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.opensearch
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.openstack
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.packetsDropped
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
Notes for alerts.runbookUrls.prometheus
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.prometheusOperator
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.thanos
Runbooks for Thanos alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default: https://github.com/thanos-io/thanos/tree/main/mixin/runbook.md
Notes for alerts.runbookUrls.webhook
Runbooks for alerts. Example:
  group: link-to-alert-group-runbook
  AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default.
certmanager
cert-manager Config: Configure cert-manager, used to provision certificates either self-signed or via Let's Encrypt.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| certmanager. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| certmanager. | — | — | Describes node affinity scheduling rules for the pod. |
| certmanager. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | object | — | Common Resource: This is meant to describe the base class, if you will, for Welkin resources. |
| certmanager. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| certmanager. | — | — | Describes node affinity scheduling rules for the pod. |
| certmanager. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | boolean | — | — |
| certmanager. | array of string | — | Extra Arguments: Extra arguments passed to a container |
| certmanager. | object | — | See note |
| certmanager. | object | — | See note |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| certmanager. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| certmanager. | array of string | — | Extra Arguments: Extra arguments passed to a container |
| certmanager. | object | — | See note |
| certmanager. | object | — | See note |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| certmanager. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| certmanager. | object | — | Common Resource: This is meant to describe the base class, if you will, for Welkin resources. |
| certmanager. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| certmanager. | — | — | Describes node affinity scheduling rules for the pod. |
| certmanager. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. | boolean | — | — |
| certmanager. | array of string | — | Extra Arguments: Extra arguments passed to a container |
| certmanager. | object | — | See note |
| certmanager. | object | — | See note |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | object | — | Kubernetes Quantity Map |
| certmanager. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| certmanager. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for certmanager.cainjector.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.cainjector.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for certmanager.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for certmanager.webhook.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.webhook.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
clusterAdmin
Cluster Admin: Configure the cluster admins.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| clusterAdmin. | array of string | — | Admin Groups: Configure the cluster admin groups. |
| clusterAdmin. | array of string | — | Admin Users: Configure the cluster admin users. |
clusterApi
ClusterAPI Config: Set to true if Kubernetes is installed with cluster-api.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| clusterApi. | array of string | — | Clusters: List of clusters to monitor. Used when monitoring clusters for autoscaling. |
| clusterApi. | boolean | — | ClusterAPI Enabled |
| clusterApi. | object | — | ClusterAPI Monitoring: Enable autoscaling monitoring of cluster API clusters. |
| clusterApi. | boolean | — | ClusterAPI Autoscaling Monitoring Enabled |
crossplane
Crossplane Config: Configure Crossplane.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| crossplane. | boolean | — | Enable debug logging for Crossplane |
| crossplane. | boolean | — | Enable Crossplane |
| crossplane. | object | — | Crossplane Function resource configuration |
| crossplane. | boolean | — | Enable debug logging for the function |
| crossplane. | object | — | See note |
| crossplane. | object | — | Kubernetes Quantity Map |
| crossplane. | object | — | Kubernetes Quantity Map |
| crossplane. | object | — | Crossplane Provider resource configuration |
| crossplane. | boolean | — | Enable debug logging for the provider |
| crossplane. | object | — | See note |
| crossplane. | object | — | Kubernetes Quantity Map |
| crossplane. | object | — | Kubernetes Quantity Map |
| crossplane. | object | — | Crossplane RBAC manager configuration |
| crossplane. | object | — | See note |
| crossplane. | object | — | Kubernetes Quantity Map |
| crossplane. | object | — | Kubernetes Quantity Map |
Notes for crossplane.functions..resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for crossplane.providers..resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for crossplane.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
dex
Dex Config: Configure Dex, the federated OIDC Identity Provider.
Note
Dex is installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| dex. | array of string | — | Dex Kubelogin Redirects: Configure Dex with additional Kubelogin redirects. |
| dex. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| dex. | — | — | Describes node affinity scheduling rules for the pod. |
| dex. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| dex. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| dex. | object | — | Content-Security-Policy rules: Configure Content-Security-Policy header rules. Reference: https://content-security-policy.com/ |
| dex. | boolean | True | Dex Static Login: Configure Dex with a static password login admin@example.com. |
| dex. | object | — | Dex Expiry: Configure expiry when authenticating with Dex. |
| dex. | string | — | See note |
| dex. | string | — | See note |
| dex. | object | — | Dex Expiry Refresh Tokens: Configure expiry of refresh tokens when authenticating with Dex. |
| dex. | string | — | See note |
| dex. | string | — | See note |
| dex. | string | — | See note |
| dex. | string | — | See note |
| dex. | object | — | Dex Google Config: Configure Dex with specific options when using the Google connector. |
| dex. | string | — | Dex Google Service Account Secret Name |
| dex. | boolean | — | Dex Google Group Support Enabled |
| dex. | object | — | See note |
| dex. | number | 2 | Dex Replicas |
| dex. | object | — | See note |
| dex. | object | — | Kubernetes Quantity Map |
| dex. | object | — | Kubernetes Quantity Map |
| dex. | object | — | Dex Service Monitor: Configure the Service Monitor collecting metrics from Dex. |
| dex. | boolean | True | Dex Service Monitor Enabled |
| dex. | string | dex | See note |
| dex. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| dex. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for dex.expiry.deviceRequests
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.idToken
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.absoluteLifetime
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.reuseInterval
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.validIfNotUsedFor
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.signingKeys
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for dex.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for dex.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for dex.subdomain
Dex Subdomain: Subdomain of baseDomain that the Ingress to Dex will be created with.
Note
Must be set for both service and workload clusters.
externalDns
External DNS Config: Configure External DNS.
External DNS manages DNS records based on Kubernetes resources, and can automatically configure DNS records from:
- CRD resources
- Ingress resources
- Service resources
Currently only AWS Route 53 is supported as the DNS provider.
Note
See the upstream documentation for reference.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| externalDns. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| externalDns. | — | — | Describes node affinity scheduling rules for the pod. |
| externalDns. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| externalDns. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| externalDns. | array of string | — | External DNS Domains: Configure the domains External DNS should manage. |
| externalDns. | boolean | — | External DNS Enabled |
| externalDns. | array of object | — | See note |
| externalDns. | array of string | — | Extra Arguments: Extra arguments passed to a container |
| externalDns. | string | — | See note |
| externalDns. | boolean | — | External DNS Namespaced |
| externalDns. | string | — | See note |
| externalDns. | object | — | See note |
| externalDns. | object | — | Kubernetes Quantity Map |
| externalDns. | object | — | Kubernetes Quantity Map |
| externalDns. | object | — | External DNS Sources: Configure the sources External DNS should manage DNS records for. |
| externalDns. | boolean | — | External DNS CRD |
| externalDns. | boolean | — | External DNS Ingress |
| externalDns. | boolean | — | External DNS Service |
| externalDns. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| externalDns. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| externalDns. | string | — | External DNS TXT Prefix: Configure a prefix for TXT records. This is required with AWS Route 53 if CNAME records are preferred over A/AAAA records, as it cannot handle both at the same time. |
Notes for externalDns.endpoints[]
External DNS Endpoints: Configure the endpoints to create DNS records for.
Requires externalDns.sources.crd to be enabled.
Configure an endpoint to create a DNS record for.
Notes for externalDns.logLevel
External DNS Log Level
Examples:
info
Notes for externalDns.provider
External DNS Provider
Examples:
aws
Notes for externalDns.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
externalTrafficPolicy
External Traffic Policy: Configure global ingress external traffic policy.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| externalTrafficPolicy. | boolean | True | Local External Traffic Policy |
| externalTrafficPolicy. | object | — | See note |
Notes for externalTrafficPolicy.whitelistRange
Allowlist Range: Configure allowlist CIDR ranges for ingresses.
This is done via the ingress annotation nginx.ingress.kubernetes.io/whitelist-source-range.
Set to false to explicitly opt-out of this annotation.
falco
Falco Config: Configuration for Falco, a runtime security and threat detection tool.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| falco. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| falco. | — | — | Describes node affinity scheduling rules for the pod. |
| falco. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| falco. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| falco. | object | — | Falco Alerts: Configure Falco alerts sent from Falco Sidekick. |
| falco. | boolean | — | Falco Alerts Enabled |
| falco. | string | http://alertmanager-operated.monitoring:9093 | Falco Alerts Host Port: Configure the notification channel for Falco alerts. |
| falco. | string | notice | Falco Alerts Priority: Configure the notification priority for Falco alerts. |
| falco. | string | alertmanager | See note |
| falco. | object | — | Falcoctl Artifact: Configure Falcoctl artefact management. See the upstream repository for reference. |
| falco. | object | — | Falcoctl Artifact Install: Configure Falcoctl artefact install. |
| falco. | boolean | — | See note |
| falco. | array of object | — | Falcoctl Custom Artifact Indices: Configure custom artefact indices for Falcoctl. |
| falco. | object | — | See note |
| falco. | object | — | Falco Driver: Configuration for the Falco syscall driver used to collect events. See the upstream documentation for more information. |
| falco. | string | kmod | See note |
| falco. | boolean | True | Falco Enabled |
| falco. | object | — | Falco Sidekick: Basic configuration for Falco Sidekick, the deployment that forwards Falco alerts to Alertmanager. |
| falco. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| falco. | — | — | Describes node affinity scheduling rules for the pod. |
| falco. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| falco. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| falco. | object | — | See note |
| falco. | object | — | See note |
| falco. | object | — | Kubernetes Quantity Map |
| falco. | object | — | Kubernetes Quantity Map |
| falco. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| falco. | object | — | See note |
| falco. | object | — | See note |
| falco. | object | — | Kubernetes Quantity Map |
| falco. | object | — | Kubernetes Quantity Map |
| falco. | object | — | Falco Rule Files: Configure standard rules to use in Falco. See the upstream documentation for reference. |
| falco. | object | — | Falco Default Rules: Configure Falco default rules |
| falco. | boolean | True | Falco Default Rules Enabled |
| falco. | string | 3.0.1 | Falco Default Rules Version |
| falco. | object | — | Falco Incubating Rules: Configure Falco incubating rules |
| falco. | boolean | — | Falco Incubating Rules Enabled |
| falco. | string | 3.0.1 | Falco Incubating Rules Version |
| falco. | object | — | Falco Sandbox Rules: Configure Falco sandbox rules |
| falco. | boolean | — | Falco Sandbox Rules Enabled |
| falco. | string | 3.0.1 | Falco Sandbox Rules Version |
| falco. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| falco. | boolean | True | Falco Allocate TTY: Attach the Falco process to a TTY inside the container. Needed to flush Falco logs as soon as they are emitted. |
| falco. | boolean | True | Use the new containerEngine collector: Use the new container engine collector that replaces the old docker, containerd, crio and podman collectors. |
Notes for falco.alerts.type
Falco Alerts Type: Configure the notification channel for Falco alerts.
Possible values:
alertmanager
slack
none
Notes for falco.artifact.install.enabled
Falcoctl Artifact Install Enabled: Configure Falcoctl to install additional artifacts before Falco starts.
Set this to false in an air-gapped environment, unless artifacts are self-hosted and customIndexes are configured.
Notes for falco.customRules
Falco Custom Rules: Configure custom rules to use in Falco.
Note
See the upstream documentation for reference.
The keys will become the file name of the generated rule file, and all files are parsed in alphabetical order.
Notes for falco.driver.kind
Falco Driver Kind
Possible values:
kmod
modern_ebpf
ebpf
Notes for falco.falcoSidekick.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for falco.falcoSidekick.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for falco.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for falco.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
fluentd
Fluentd Config: Configuration for Fluentd.
Fluentd automatically collects logs from all containers running in the environment.
In the service cluster, audit, application, and platform logs can be shipped to object storage. In the workload cluster, audit logs can be shipped to object storage, and application and platform logs to OpenSearch running in the service cluster.
Logs are collected using a daemon set, and in the workload cluster two sets are deployed, one for the system nodes and one for the worker nodes. Application developers can modify two ConfigMaps to add additional configuration and plugins to the set running on the worker nodes.
When logs are shipped to object storage, a stateful aggregator is deployed that buffers logs with persistence before they are shipped. When logs are shipped to OpenSearch, it is done directly from the forwarder daemons.
Shipping audit and service cluster logs requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.audit and objectStorage.buckets.scLogs respectively.
Note
Fluentd is installed in both the service cluster and the workload cluster, so this configuration applies to both with some exceptions.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| fluentd. | object | — | Fluentd Aggregator: Configure Fluentd aggregator, used to buffer logs with persistence before they are shipped to object storage. |
| fluentd. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| fluentd. | — | — | Describes node affinity scheduling rules for the pod. |
| fluentd. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | object | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | number | — | See note |
| fluentd. | integer | — | Flush Thread Count: The number of threads to flush/write chunks in parallel. Flushing parameters |
| fluentd. | boolean | — | See note |
| fluentd. | integer | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | boolean | — | Timekey Use UTC: Output plugin decides to use UTC or not to format placeholders using timekey. Common/Time parameters |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | object | — | See note |
| fluentd. | object | — | Fluentd Aggregator Persistence: Configure Fluentd aggregator persistence. |
| fluentd. | string | 10Gi | Fluentd Aggregator Storage |
| fluentd. | object | — | See note |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. | object | — | Fluentd Audit: Configure Fluentd audit log collection. |
| fluentd. | object | — | Log Manager Compaction: Configure the compaction of logs stored in object storage. |
| fluentd. | number | — | Log Manager Job Enabled: Configure the days to consider for compaction or the days to retain. |
| fluentd. | boolean | True | Log Manager Job Enabled |
| fluentd. | object | — | Log Manager Job Ephemeral Volume: Configure the job to run with an ephemeral volume if the nodes risk running out of storage. |
| fluentd. | boolean | — | Log Manager Job Ephemeral Volume Enabled |
| fluentd. | string | — | — |
| fluentd. | boolean | — | Fluentd Audit Enabled |
| fluentd. | string | — | Fluentd Audit Filters: Configure Fluentd audit log filter stages. To capture audit logs label the logs with the @AUDIT label. |
| fluentd. | object | — | Log Manager Retention: Configure the retention of logs stored in object storage. |
| fluentd. | number | — | Log Manager Job Enabled: Configure the days to consider for compaction or the days to retain. |
| fluentd. | boolean | True | Log Manager Job Enabled |
| fluentd. | string | — | — |
| fluentd. | boolean | True | Fluentd Enabled |
| fluentd. | object | — | See note |
| fluentd. | object | — | Fluentd Forwarder: Configure Fluentd forwarder, used to collect and forward logs on system nodes. |
| fluentd. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| fluentd. | — | — | Describes node affinity scheduling rules for the pod. |
| fluentd. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | object | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | number | — | See note |
| fluentd. | integer | — | Flush Thread Count: The number of threads to flush/write chunks in parallel. Flushing parameters |
| fluentd. | boolean | — | See note |
| fluentd. | integer | — | See note |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | boolean | — | Timekey Use UTC: Output plugin decides to use UTC or not to format placeholders using timekey. Common/Time parameters |
| fluentd. | string | — | See note |
| fluentd. | string | — | See note |
| fluentd. | object | — | Fluentd Forwarder Image Config: Configure Fluentd forwarder image repository and tag |
| fluentd. | string | ghcr.io/elastisys/fluentd-forwarder | — |
| fluentd. | string | v4.7.5-ck8s1 | — |
| fluentd. | number | 900 | — |
| fluentd. | object | — | See note |
| fluentd. | string | 60s | — |
| fluentd. | object | — | See note |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | number | 1200 | — |
| fluentd. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. | object | — | Log Manager: Configure log-manager, used to manage compaction and retention of logs stored in object storage. |
| fluentd. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| fluentd. | — | — | Describes node affinity scheduling rules for the pod. |
| fluentd. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | object | — | Log Manager Compaction: Configure log-manager compaction. |
| fluentd. | number | — | Configure the memory buffer size in GB (accepts decimals) for Azure copy operations. |
| fluentd. | number | — | Configure the maximum number of concurrent download requests for Azure copy operations. |
| fluentd. | object | — | See note |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Log Manager Compaction Volume: Configure log-manager compaction volume. |
| fluentd. | string | 5Gi | Log Manager Compaction Volume Size: Configure log-manager compaction volume size. |
| fluentd. | object | — | See note |
| fluentd. | object | — | Log Manager Retention: Configure log-manager retention. |
| fluentd. | object | — | See note |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. | object | — | Object Storage Configuration: Configuration options for using object storage specific to Fluentd. |
| fluentd. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| fluentd. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| fluentd. | string | — | S3 Region: Region to store data. |
| fluentd. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| fluentd. | boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| fluentd. | object | — | Fluentd SC Logs: Configure Fluentd service cluster log collection. |
| fluentd. | object | — | Log Manager Compaction: Configure the compaction of logs stored in object storage. |
| fluentd. | number | — | Log Manager Job Enabled: Configure the days to consider for compaction or the days to retain. |
| fluentd. | boolean | True | Log Manager Job Enabled |
| fluentd. | object | — | Log Manager Job Ephemeral Volume: Configure the job to run with an ephemeral volume if the nodes risk running out of storage. |
| fluentd. | boolean | — | Log Manager Job Ephemeral Volume Enabled |
| fluentd. | string | — | — |
| fluentd. | boolean | True | Fluentd SC Logs Enabled |
| fluentd. | object | — | Log Manager Retention: Configure the retention of logs stored in object storage. |
| fluentd. | number | — | Log Manager Job Enabled: Configure the days to consider for compaction or the days to retain. |
| fluentd. | boolean | True | Log Manager Job Enabled |
| fluentd. | string | — | — |
| fluentd. | object | — | Fluentd Forwarder User: Configure Fluentd forwarder, used to collect and forward logs on worker nodes that application developers run their workloads on. |
| fluentd. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| fluentd. | — | — | Describes node affinity scheduling rules for the pod. |
| fluentd. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. | object | — | See note |
| fluentd. | object | — | See note |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | object | — | Kubernetes Quantity Map |
| fluentd. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
Notes for fluentd.aggregator.buffer
Fluentd Buffer Config: Fluentd buffer configuration parameters.
Note
See the upstream documentation for reference; keys that are set will be converted from camelCase to snake_case.
Notes for fluentd.aggregator.buffer.chunkLimitSize
Chunk Limit Size: Events will be written into chunks until the size of a chunk reaches chunkLimitSize.
Examples:
50MB
Notes for fluentd.aggregator.buffer.flushInterval
Flush Interval: Flushes the buffer each flushInterval, if flushMode is equal to interval.
Examples:
15m
Notes for fluentd.aggregator.buffer.flushMode
Flush Mode: The flush mode to use.
Possible values:
lazy
interval
immediate
Notes for fluentd.aggregator.buffer.flushThreadBurstInterval
Flush Thread Burst Interval: The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.
Notes for fluentd.aggregator.buffer.retryForever
Retry Forever: If true, plugin will ignore retryTimeout and retryMaxTimes options and retry flushing forever.
Notes for fluentd.aggregator.buffer.retryMaxInterval
Retry Max Interval: The maximum interval (seconds) for exponential backoff between retries while failing.
Notes for fluentd.aggregator.buffer.retryType
Retry Type: The retry algorithm type to use.
Possible values:
exponential_backoff
periodic
Notes for fluentd.aggregator.buffer.timekey
Time Key: Output plugin will flush chunks per specified time (enabled when time is specified in chunk keys).
Examples:
10m
Notes for fluentd.aggregator.buffer.timekeyWait
Timekey wait: The output plugin writes chunks timekey_wait seconds after the timekey expires.
If a user configures timekey 60m, the output plugin waits for delayed events belonging to the flushed timekey and writes the chunk at 10 minutes past each hour (i.e. with a timekeyWait of 10m).
Examples:
1m
Notes for fluentd.aggregator.buffer.totalLimitSize
Total Limit Size: The size limitation of this buffer plugin instance.
Once the total size of the stored buffer reaches this threshold, all append operations will fail with an error (and data will be lost).
Examples:
9GB
Notes for fluentd.aggregator.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.aggregator.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.extraConfigMaps
Fluentd Extra ConfigMaps: Configure extra ConfigMaps for Fluentd.
Note
This is only applicable for Fluentd forwarder running on system nodes in the workload cluster.
Notes for fluentd.forwarder.buffer
Fluentd Buffer Config: Fluentd buffer configuration parameters.
Note
See the upstream documentation for reference; keys that are set will be converted from camelCase to snake_case.
Notes for fluentd.forwarder.buffer.chunkLimitSize
Chunk Limit Size: Events will be written into chunks until the size of a chunk reaches chunkLimitSize.
Examples:
50MB
Notes for fluentd.forwarder.buffer.flushInterval
Flush Interval: Flushes the buffer each flushInterval, if flushMode is equal to interval.
Examples:
15m
Notes for fluentd.forwarder.buffer.flushMode
Flush Mode: The flush mode to use.
Possible values:
lazy
interval
immediate
Notes for fluentd.forwarder.buffer.flushThreadBurstInterval
Flush Thread Burst Interval: The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.
Notes for fluentd.forwarder.buffer.retryForever
Retry Forever: If true, plugin will ignore retryTimeout and retryMaxTimes options and retry flushing forever.
Notes for fluentd.forwarder.buffer.retryMaxInterval
Retry Max Interval: The maximum interval (seconds) for exponential backoff between retries while failing.
Notes for fluentd.forwarder.buffer.retryType
Retry Type: The retry algorithm type to use.
Possible values:
exponential_backoff
periodic
Notes for fluentd.forwarder.buffer.timekey
Time Key: Output plugin will flush chunks per specified time (enabled when time is specified in chunk keys).
Examples:
10m
Notes for fluentd.forwarder.buffer.timekeyWait
Timekey wait: The output plugin writes chunks timekey_wait seconds after the timekey expires.
If a user configures timekey 60m, the output plugin waits for delayed events belonging to the flushed timekey and writes the chunk at 10 minutes past each hour (i.e. with a timekeyWait of 10m).
Examples:
1m
Notes for fluentd.forwarder.buffer.totalLimitSize
Total Limit Size: The size limitation of this buffer plugin instance.
Once the total size of the stored buffer reaches this threshold, all append operations will fail with an error (and data will be lost).
Examples:
9GB
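The notes for fluentd.aggregator.buffer and fluentd.forwarder.buffer above describe the camelCase to snake_case conversion, the flushMode/flushInterval coupling, the totalLimitSize threshold at which appends fail and events are lost, and the timekey/timekeyWait write schedule. The following is an added example, not code from this reference or the Welkin project: it renders such a buffer map as a Fluentd <buffer> stanza and checks those properties. The unit parsing (1024-based sizes, s/m/h/d durations), the helper names and the constructed config are assumptions.

```python
"""Added example (not from the Welkin config reference): render a
fluentd.*.buffer map as a Fluentd <buffer> stanza and check the settings a
log-pipeline owner cares about, since exceeding totalLimitSize means
append failures and therefore lost audit or application log events."""
import re
from datetime import datetime, timezone

# Assumption: binary size units and s/m/h/d duration suffixes, as Fluentd
# reads values such as "50MB" or "15m".
_SIZE = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4}
_TIME = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def camel_to_snake(key: str) -> str:
    """chunkLimitSize -> chunk_limit_size (the conversion the notes describe)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).lower()


def parse_size(value) -> int:
    """'50MB' -> 52428800 bytes; a bare number is bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([kKmMgGtT])?[bB]?\s*", str(value))
    if not m:
        raise ValueError(f"unparseable size: {value!r}")
    num, unit = m.groups()
    return int(float(num) * (_SIZE[unit.lower()] if unit else 1))


def parse_time(value) -> int:
    """'15m' -> 900 seconds; a bare number is seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([smhd])?\s*", str(value))
    if not m:
        raise ValueError(f"unparseable duration: {value!r}")
    num, unit = m.groups()
    return int(float(num) * (_TIME[unit] if unit else 1))


def render_buffer(buffer_cfg: dict) -> str:
    """Render the <buffer> stanza; 'time' is the chunk key so timekey applies."""
    lines = ["<buffer time>"]
    for key, val in buffer_cfg.items():
        if isinstance(val, bool):
            val = "true" if val else "false"
        lines.append(f"  {camel_to_snake(key)} {val}")
    lines.append("</buffer>")
    return "\n".join(lines)


def chunks_before_loss(buffer_cfg: dict) -> int:
    """Full chunks that fit before appends start failing (the totalLimitSize cliff)."""
    return parse_size(buffer_cfg["totalLimitSize"]) // parse_size(buffer_cfg["chunkLimitSize"])


def check_buffer(buffer_cfg: dict) -> list:
    """Return warnings about settings that silently drop or never flush data."""
    warnings = []
    chunk = parse_size(buffer_cfg["chunkLimitSize"]) if "chunkLimitSize" in buffer_cfg else None
    total = parse_size(buffer_cfg["totalLimitSize"]) if "totalLimitSize" in buffer_cfg else None
    if chunk is not None and total is not None and chunk > total:
        warnings.append(f"chunkLimitSize ({chunk} B) exceeds totalLimitSize ({total} B): "
                        "no full chunk can ever be buffered")
    mode = buffer_cfg.get("flushMode")
    if mode == "interval" and "flushInterval" not in buffer_cfg:
        warnings.append("flushMode is interval but flushInterval is not set")
    if mode not in (None, "interval") and "flushInterval" in buffer_cfg:
        warnings.append(f"flushInterval is ignored because flushMode is {mode}, not interval")
    if buffer_cfg.get("retryForever") is False:
        warnings.append("retryForever is false: chunks are given up on once "
                        "retryTimeout/retryMaxTimes is exhausted")
    return warnings


def next_chunk_write(event_iso: str, timekey, timekey_wait) -> str:
    """When the chunk holding an event is written: the end of the event's timekey
    window plus timekeyWait (timekey 60m + wait 10m -> ten minutes past each hour)."""
    tk, wait = parse_time(timekey), parse_time(timekey_wait)
    epoch = int(datetime.fromisoformat(event_iso).timestamp())
    window_start = epoch - epoch % tk
    return datetime.fromtimestamp(window_start + tk + wait, tz=timezone.utc).isoformat()


# Constructed sample config using the example values from the notes above.
SAMPLE_BUFFER = {
    "chunkLimitSize": "50MB", "flushInterval": "15m", "flushMode": "interval",
    "retryForever": True, "timekey": "60m", "timekeyWait": "10m", "totalLimitSize": "9GB",
}

if __name__ == "__main__":
    print(render_buffer(SAMPLE_BUFFER))
    print("chunks before appends fail:", chunks_before_loss(SAMPLE_BUFFER))
    print("warnings:", check_buffer(SAMPLE_BUFFER))
    print("event at 14:25Z is written at", next_chunk_write("2025-04-29T14:25:00+00:00", "60m", "10m"))
```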
Notes for fluentd.forwarder.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.forwarder.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.logManager.compaction.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.logManager.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.logManager.retention.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.user.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.user.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
gatekeeper
OPA Gatekeeper Config: Configure OPA Gatekeeper to give application developer access to Custom Resource Definitions.
Some preconfigured services can be found under the key user.
Note
See the admin docs for context.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| gatekeeper. | array | — | Additional Mutation Resources: Allow Gatekeeper the ability to look at and use Gatekeeper mutations on specified additional resources. |
| gatekeeper. | array | — | Additional Validation Delete Resources: Allow Gatekeeper the ability to look at and use Gatekeeper constraints with the less used DELETE operation, on specified additional resources. |
| gatekeeper. | array | — | Additional Validation Resources: Allow Gatekeeper the ability to look at and use Gatekeeper constraints on specified additional resources. |
| gatekeeper. | object | — | Allow Dev CRDs: Configure access to Custom Resource Definitions for application developers. |
| gatekeeper. | string | kubernetes-admin | Dev CRDs Admin Config User: Configure the admin config user of the /etc/kubernetes/admin.conf found on the control plane nodes. This is necessary if Kubespray is used for managing the cluster. |
| gatekeeper. | boolean | — | Dev CRDs Enabled |
| gatekeeper. | string | deny | See note |
| gatekeeper. | array of object | — | Dev CRDs Extra CRDs: Configure extra CRDs to allow for application developers. |
| gatekeeper. | array of object | — | See note |
| gatekeeper. | boolean | True | Gatekeeper Enabled |
Notes for gatekeeper.allowUserCRDs.enforcement
Dev CRDs Enforcement
Possible values:
deny
warn
dryrun
Notes for gatekeeper.allowUserCRDs.extraServiceAccounts[]
Dev CRDs Extra Service Accounts: Configure extra service accounts to allow access to configured CRDs.
Configure an extra service account to allow access to configured CRDs.
Examples:
[{'namespace': 'example-namespace', 'name': 'example-controller'}]
global
Global options: Some common options used in various helm charts.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | — | See note |
| global. | string | 10.233.0.3 | IP of the cluster DNS in Kubernetes |
| global. | string | — | — |
| global. | array of string | — | Clusters Monitoring: Configure the names of the workload clusters that send metrics to the service cluster. Mainly used to filter metrics. |
| global. | string | containerd | See note |
| global. | boolean | — | See note |
| global. | boolean | — | See note |
| global. | array of string | ['IPv4'] | Global setting for ipFamilies for services: Used to set the ipFamilyPolicy for all configurable services. |
| global. | string | SingleStack | See note |
| global. | string | letsencrypt-staging | See note |
| global. | string | — | See note |
| global. | string | — | If baseDomain for wc and sc are not the same, set the domain of the sc cluster. |
| global. | string | — | If opsDomain for wc and sc are not the same, set the ops domain of the sc cluster. |
| global. | boolean | True | Verify ingress certificates |
Notes for global.baseDomain
Base Domain: Domain intended for ingress usage in the workload cluster and to reach application developer facing services such as Grafana, Harbor and OpenSearch Dashboards. E.g. with 'prod.domain.com', OpenSearch Dashboards is reached via 'opensearch.prod.domain.com'.
Notes for global.ck8sCloudProvider
Possible values:
aws
azure
baremetal
citycloud
elastx
exoscale
none
safespring
upcloud
openstack
Notes for global.ck8sConfigSerial
Timestamp of last migration: This property is used during migrations to track state and ensure that the same version is used during ck8s upgrade prepare as during ck8s upgrade apply.
Examples:
2025-04-29T08:34:21+00:00
Notes for global.ck8sEnvironmentName
Environment name
Examples:
my-welkin-cluster
Notes for global.ck8sFlavor
Possible values:
prod
dev
air-gapped
Notes for global.ck8sK8sInstaller
Possible values:
capi
kubespray
none
Notes for global.ck8sVersion
Welkin Apps version: Use the version number if you are exactly at a release tag.
Otherwise use the full commit hash of the current commit.
The value any can be used to disable this validation.
Examples:
v0.42.1
any
424442541a567646c232d949bad1af2b5b7cb885
Notes for global.containerRuntime
Container runtime
Possible values:
containerd
docker
Notes for global.enforceIPFamilies
Enforce ipFamilies on all services that don't explicitly set it.: Enforce ipFamilies on all services that don't explicitly set it.
This is done using a mutating webhook applied to all services that don't set this.
The value it sets is taken from .global.ipFamilies
Notes for global.enforceIPFamilyPolicy
Enforce ipFamilyPolicy on all services that don't explicitly set it.: Enforce ipFamilyPolicy on all services that don't explicitly set it.
This is done using a mutating webhook applied to all services that don't set this.
The value it sets is taken from .global.ipFamilyPolicy
Notes for global.ipFamilyPolicy
Global setting for ipFamilyPolicy for services: Used to set the ipFamilyPolicy for all configurable services.
Examples:
SingleStack
PreferDualStack
RequireDualStack
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for global.issuer
Default cert-manager issuer to use for issuing certificates for ingresses.
Normally one of letsencrypt-staging or letsencrypt-prod.
Examples:
letsencrypt-staging
letsencrypt-prod
selfsigned
Notes for global.opsDomain
Domain intended for ingress usage in the service cluster and to reach non-user facing services such as Thanos and OpenSearch. E.g. with 'ops.prod.domain.com', OpenSearch is reached via 'opensearch.ops.prod.domain.com'.
gpu
GPU Config: Configure the GPU Operator and its dependencies
| Key | Type | Default | Title and Description |
|---|---|---|---|
| gpu. | object | — | GPU Daemonsets Config: Configure GPU Daemonsets |
| gpu. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. | object | — | Device Plugin Configuration: Configuration for the device plugin, e.g. timeslicing |
| gpu. | boolean | — | GPU Operator Enabled |
| gpu. | boolean | — | Enable Additional DCGM Metrics: Adds some profiling metrics in DCGM if it's available in your GPU setup |
| gpu. | object | — | MIG Configuration: Configure MIG options like strategy |
| gpu. | string | — | See note |
| gpu. | object | — | Node Feature Discovery Config: Configure Node Feature Discovery |
| gpu. | object | — | Node Feature Discovery Control Plane Config: Configure Node Feature Discovery Control Plane |
| gpu. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| gpu. | — | — | Describes node affinity scheduling rules for the pod. |
| gpu. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | object | — | See note |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. | object | — | Node Feature Discovery worker Config: Configure Node Feature Discovery workers |
| gpu. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| gpu. | — | — | Describes node affinity scheduling rules for the pod. |
| gpu. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | object | — | See note |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. | object | — | GPU Operator Config: Configure GPU Operator |
| gpu. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| gpu. | — | — | Describes node affinity scheduling rules for the pod. |
| gpu. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. | object | — | See note |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | object | — | Kubernetes Quantity Map |
| gpu. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
Notes for gpu.mig.strategy
MIG Strategy: None ignores MIG entirely, single makes MIG devices a standard GPU resource, and shared creates one resource type for each MIG configuration
Possible values:
mixed
single
none
Notes for gpu.nodeFeatureDiscovery.controlPlane.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for gpu.nodeFeatureDiscovery.worker.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for gpu.operator.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
grafana
Grafana Config: Configure Grafana, the metrics visualisation dashboard.
Welkin hosts two instances of Grafana: one for the Platform Administrator and one for the Application Developer.
Note
Grafana is installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| grafana. | object | — | Grafana: Configure Grafana. |
| grafana. | string | — | Grafana Additional Config Values |
| grafana. | object | — | Grafana Additional Datasources |
| grafana. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| grafana. | — | — | Describes node affinity scheduling rules for the pod. |
| grafana. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. | object | — | Content-Security-Policy rules: Configure Content-Security-Policy header rules Reference: https://content-security-policy.com/ |
| grafana. | object | — | Grafana dataproxy values: Configure Grafana dataproxy values |
| grafana. | number | 600 | Grafana dataproxy timeout |
| grafana. | boolean | True | Grafana Enabled |
| grafana. | object | — | See note |
| grafana. | object | — | Grafana OIDC: Configure authentication to Grafana via Dex. |
| grafana. | array of string | — | Grafana OIDC Allowed Domains: Configure the domains of the users allowed to authenticate to Grafana. |
| grafana. | boolean | True | Grafana OIDC Enabled |
| grafana. | boolean | — | Enable authentication through JWT: This setting can weaken the security stance for authentication and should only be used in testing. |
| grafana. | string | openid profile email groups | Grafana OIDC Scopes |
| grafana. | boolean | — | Grafana Skip Role Sync: When enabled the roles for user can be managed within Grafana. |
| grafana. | object | — | Grafana OIDC Groups: Configure the roles for groups. |
| grafana. | string | grafana_admin | Grafana OIDC Admin Group |
| grafana. | string | grafana_editor | Grafana OIDC Editor Group |
| grafana. | string | grafana_viewer | Grafana OIDC Viewer Group |
| grafana. | array | — | Grafana Additional Plugins |
| grafana. | object | — | See note |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Grafana Sidecar: Configure the sidecar provisioning dashboards from ConfigMaps in Grafana. |
| grafana. | object | — | See note |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | string | grafana | See note |
| grafana. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| grafana. | boolean | True | See note |
| grafana. | boolean | True | Grafana Viewers Can Edit |
| grafana. | object | — | Grafana: Configure Grafana. |
| grafana. | string | — | Grafana Additional Config Values |
| grafana. | object | — | Grafana Additional Datasources |
| grafana. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| grafana. | — | — | Describes node affinity scheduling rules for the pod. |
| grafana. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. | object | — | Content-Security-Policy rules: Configure Content-Security-Policy header rules Reference: https://content-security-policy.com/ |
| grafana. | object | — | Grafana dataproxy values: Configure Grafana dataproxy values |
| grafana. | number | 600 | Grafana dataproxy timeout |
| grafana. | boolean | True | Grafana Enabled |
| grafana. | object | — | See note |
| grafana. | object | — | Grafana OIDC: Configure authentication to Grafana via Dex. |
| grafana. | array of string | — | Grafana OIDC Allowed Domains: Configure the domains of the users allowed to authenticate to Grafana. |
| grafana. | boolean | True | Grafana OIDC Enabled |
| grafana. | boolean | — | Enable authentication through JWT: This setting can weaken the security stance for authentication and should only be used in testing. |
| grafana. | string | openid profile email groups | Grafana OIDC Scopes |
| grafana. | boolean | — | Grafana Skip Role Sync: When enabled the roles for user can be managed within Grafana. |
| grafana. | object | — | Grafana OIDC Groups: Configure the roles for groups. |
| grafana. | string | grafana_admin | Grafana OIDC Admin Group |
| grafana. | string | grafana_editor | Grafana OIDC Editor Group |
| grafana. | string | grafana_viewer | Grafana OIDC Viewer Group |
| grafana. | array | — | Grafana Additional Plugins |
| grafana. | object | — | See note |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Grafana Sidecar: Configure the sidecar provisioning dashboards from ConfigMaps in Grafana. |
| grafana. | object | — | See note |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | object | — | Kubernetes Quantity Map |
| grafana. | string | grafana | See note |
| grafana. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| grafana. | boolean | True | See note |
| grafana. | boolean | True | Grafana Viewers Can Edit |
Notes for grafana.ops.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for grafana.ops.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.ops.sidecar.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.ops.subdomain
Grafana Subdomain: For Admin Grafana the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.
For Dev Grafana the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.
Note
Must be set for both service and workload clusters.
Notes for grafana.ops.trailingDots
Grafana Trailing Dots: Configure Grafana to use absolute domain names.
Warning
Some operating systems and web browsers may have problems accessing Grafana with this enabled.
Notes for grafana.user.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for grafana.user.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.user.sidecar.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.user.subdomain
Grafana Subdomain: For Admin Grafana the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.
For Dev Grafana the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.
Note
Must be set for both service and workload clusters.
Notes for grafana.user.trailingDots
Grafana Trailing Dots: Configure Grafana to use absolute domain names.
Warning
Some operating systems and web browsers may have problems accessing Grafana with this enabled.
grafanaLabelEnforcer¶
Grafana Label Enforcer Config: Configure Grafana Label Enforcer, which is responsible for filtering metrics from different clusters for Grafana datasources.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| grafanaLabelEnforcer. | object | — | See note |
| grafanaLabelEnforcer. | object | — | Kubernetes Quantity Map |
| grafanaLabelEnforcer. | object | — | Kubernetes Quantity Map |
Notes for grafanaLabelEnforcer.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
harbor¶
Harbor Config: Configuration options for Harbor.
Harbor is a container registry that is deployed for application developers to use when deploying their applications.
Note
See the upstream documentation for reference. Not all config variables that exist in Harbor are exposed via our config.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| harbor. | object | — | Alert Config: Configuration options for Harbor Alerts. |
| harbor. | object | — | Config for HarborP50LatencyHigherThan10Seconds alert: Configuration options for HarborP50LatencyHigherThan10Seconds alert. |
| harbor. | boolean | True | Enable HarborP50LatencyHigherThan10Seconds alert |
| harbor. | object | — | Config for HarborP99LatencyHigherThan55Seconds alert: Configuration options for HarborP99LatencyHigherThan55Seconds alert. |
| harbor. | boolean | True | Enable HarborP99LatencyHigherThan55Seconds alert |
| harbor. | number | 3000 | Alert For Max Total Artifacts: Alert when the total number of artifacts is above the set number. |
| harbor. | number | 1500 | Alert For Max Total Storage Used (GB): Alert when the total storage usage is above the set number. |
| harbor. | object | — | Backup Job Config: Configuration options for Backup Job. |
| harbor. | boolean | True | Enable Harbor Backup |
| harbor. | object | — | Ephemeral Backup Store Config: EphemeralBackupStore configuration for Harbor. StorageSize defines how large the ephemeral volumes will be. |
| harbor. | boolean | — | Enable Ephemeral Backup Store |
| harbor. | string | 10Gi | Storage Size |
| harbor. | number | 7 | Backup Retention Days: RetentionDays defines how old a backup should be before deleting it. |
| harbor. | string | — | — |
| harbor. | object | — | Core Config: Configuration options for Core. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | number | 1 | Core replication: Number of Core pods |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | See note |
| harbor. | object | — | External Database Config: Configuration options for External Database. |
| harbor. | string | registry | Core Database: Name of the database for Core |
| harbor. | string | notaryserver | Notary Server Database: Name of the database for Notary Server |
| harbor. | string | notarysigner | Notary Signer Database: Name of the database for Notary Signer |
| harbor. | string | 5432 | Database Port: Database listening port |
| harbor. | string | disable | See note |
| harbor. | object | — | Internal Database Config: Configuration options for Internal Database. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | string | internal | — |
| harbor. | boolean | True | Enable Harbor |
| harbor. | object | — | Exporter Config: Configuration options for Exporter. |
| harbor. | object | — | External: External configuration |
| harbor. | string | — | See note |
| harbor. | string | — | See note |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | GC (Garbage Collection) Config: Configuration options for GC (Garbage Collection). |
| harbor. | boolean | True | Enable GC (Garbage Collection) |
| harbor. | boolean | — | Force Configure |
| harbor. | string | 0 0 0 * * SUN | See note |
| harbor. | object | — | Ingress Config: Configuration options for Ingress. |
| harbor. | object | — | Additional Annotations |
| harbor. | object | — | DefaultAnnotations: Default annotations for ingress |
| harbor. | string | — | Nginx Config proxy-buffering |
| harbor. | string | — | Nginx Config proxy-request-buffering |
| harbor. | object | — | Jobservice Config: Configuration options for Jobservice. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | object | — | JobLog Config: Job log configuration |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | array of string | — | JobLoggers Config: Configuration options for JobLoggers |
| harbor. | number | 1 | Jobservice replication: Number of Jobservice pods |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Scan Data Exports Config: Scan data exports configuration |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | object | — | MultipartUpload cleaner job configuration: Configuration options for MultipartUpload cleaner job |
| harbor. | boolean | True | Enable Harbor MultipartUpload cleaner |
| harbor. | number | 7 | Max age: maxAgeDays defines how old an unfinished multipart upload is allowed to be before deleting it. |
| harbor. | string | — | — |
| harbor. | object | — | See note |
| harbor. | object | — | Notary Config: Configuration options for Notary. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | number | 1 | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | string | notary.harbor | — |
| harbor. | object | — | NotarySigner Config: Configuration options for Notary signer. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Object Storage Configuration: Configuration options for using object storage specific to Harbor. |
| harbor. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| harbor. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| harbor. | string | — | S3 Region: Region to store data. |
| harbor. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| harbor. | boolean | — | S3 v2 authentication: Force the use of v2 authentication; defaults to v4 authentication otherwise. |
| harbor. | object | — | OIDC (OpenID Connect) Config: Configuration options for OIDC. |
| harbor. | string | — | — |
| harbor. | string | groups | — |
| harbor. | string | openid,email,profile,offline_access,groups | — |
| harbor. | object | — | Persistence Config: Configuration options for Persistence. |
| harbor. | boolean | — | See note |
| harbor. | string | — | See note |
| harbor. | object | — | Portal Config: Configuration options for Portal. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | number | 1 | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | See note |
| harbor. | object | — | External Redis Config: Configuration options when external Redis is set |
| harbor. | string | — | See note |
| harbor. | string | — | — |
| harbor. | object | — | Internal Redis Config: Configuration options when internal Redis is set |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | string | internal | — |
| harbor. | object | — | Registry config: Registry configuration |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | object | — | Controller: Controller configuration |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | number | 1 | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Storage Driver S3 Config: Configuration options for S3. Storage Driver S3 |
| harbor. | integer or string | — | Multi Part Copy Chunk Size: Default chunk size for all but the last S3 Multipart Upload part when copying stored objects. |
| harbor. | integer or string | — | Multi Part Copy Max Concurrency: Max number of concurrent S3 Multipart Upload operations when copying stored objects. |
| harbor. | string | 536870912 | Multi Part Copy Threshold Size: Default object size above which S3 Multipart Upload will be used when copying stored objects. |
| harbor. | string | harbor | Sub Domain |
| harbor. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| harbor. | object | — | Trivy Config: Configuration options for Trivy. |
| harbor. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| harbor. | — | — | Describes node affinity scheduling rules for the pod. |
| harbor. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. | array of object | — | Trivy extra environment variables: Array of additional environment variables to pass to Trivy as name/value combinations |
| harbor. | object | — | Kubernetes Persistent Volume Claim: PersistentVolumeClaim |
| harbor. | string | 1Gi | — |
| harbor. | number | 1 | — |
| harbor. | object | — | See note |
| harbor. | object | — | Kubernetes Quantity Map |
| harbor. | object | — | Kubernetes Quantity Map |
Notes for harbor.core.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.database
Database Config: Configuration options for the database used by Harbor.
Set type to define which type of database Harbor should use.
Only one of external or internal database can be enabled at the same time.
External: Defines an external Postgres that Harbor will use.
For more details on how to configure Harbor to use an external database, check the README.
Internal: Use the internal database that is packaged with Harbor.
Notes for harbor.database.external.sslmode
SSL mode type
Possible values:
disable
require
verify-ca
verify-full
Notes for harbor.database.internal.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.exporter.external.coreDatabase
Core Database
Examples:
registry
Notes for harbor.exporter.external.port
Database Port
Examples:
5432
Notes for harbor.exporter.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.gc.schedule
Schedule: Defines a CRON schedule when the garbage collection job should run. Uses a special Cron format that adds "seconds" as the first entry. Order: "seconds, minutes, hours, day of month, month, day of week".
Notes for harbor.jobservice.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for harbor.notary.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.notarySigner.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.persistence.disableRedirect
Harbor registry disable object storage redirect: Controls whether or not Harbor registry redirects users to the object storage endpoint. Set this to true if the object storage is not reachable by users when pushing images to Harbor, e.g. if you run into this timeout error:
dial tcp <IP>:<PORT>: i/o timeout
Notes for harbor.persistence.type
Persistence type: This should match what is set in global config
Possible values:
filesystem
swift
objectStorage
Notes for harbor.portal.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.redis
Redis Config: Configuration options for Redis used by Harbor.
Set type to define which type of Redis Harbor should use.
Only one of external or internal Redis can be enabled at the same time.
External: Defines an external Redis that Harbor will use.
For more details on how to configure Harbor to use an external Redis, check the README.
Internal: Use the internal Redis that is packaged with Harbor.
Notes for harbor.redis.external.addr
Examples:
rfs-redis-harbor.redis-system.svc.cluster.local:26379
Notes for harbor.redis.internal.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.registry.controller.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.registry.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.trivy.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
hnc¶
HNC (Hierarchical Namespace Controller) Config: Configuration for Hierarchical Namespace Controller.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| hnc. | array of object | — | See note |
| hnc. | boolean | True | Enable HNC: Enable HNC |
| hnc. | array of string | — | See note |
| hnc. | boolean | True | Enable HA (High Availability): Enable HA mode for hnc webhooks. |
| hnc. | string | — | See note |
| hnc. | array of string | — | Managed Namespace Annotations: Annotations that will be propagated to subnamespaces (allows regex). |
| hnc. | array of string | — | Managed Namespace Labels: Labels that will be propagated to subnamespaces (allows regex). Labels in particular must also be configured in the HierarchyConfiguration object to be propagated. |
| hnc. | object | — | Common Resource: This is meant to describe the base class, if you will, for Welkin resources. |
| hnc. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| hnc. | — | — | Describes node affinity scheduling rules for the pod. |
| hnc. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. | boolean | — | — |
| hnc. | array of string | — | Extra Arguments: Extra arguments passed to a container |
| hnc. | object | — | See note |
| hnc. | object | — | See note |
| hnc. | object | — | Kubernetes Quantity Map |
| hnc. | object | — | Kubernetes Quantity Map |
| hnc. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| hnc. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| hnc. | object | — | Service Monitor: Service monitor for Hierarchical Namespace Controller. |
| hnc. | array | — | Relabelings: Relabeling |
| hnc. | array | — | Unpropagated Annotations: Annotations that will be stripped from propagated objects |
| hnc. | object | — | Webhook Config: Webhook for Hierarchical Namespace Controller. |
| hnc. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| hnc. | — | — | Describes node affinity scheduling rules for the pod. |
| hnc. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. | object | — | See note |
| hnc. | integer | — | — |
| hnc. | object | — | See note |
| hnc. | object | — | Kubernetes Quantity Map |
| hnc. | object | — | Kubernetes Quantity Map |
| hnc. | array | — | Kubernetes Tolerations: Kubernetes Tolerations Kubernetes taint and toleration |
| hnc. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| hnc. | boolean | — | Webhook Match Conditions Enable: Fine-grained match conditions for the webhook. This feature is only available in Kubernetes v1.28+. |
Notes for hnc.additionalAllowPropagateResources[]
Additional Allow Propagate Resources List: Additional resources to enable opt-in propagation for. Objects that should be propagated must have one of the annotations listed here: https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#limit-the-propagation-of-an-object-to-descendant-namespaces
Additional allow propagate resources for hnc.
Examples:
{'resource': 'secrets'}
{'resource': 'networkpolicies', 'group': 'networking.k8s.io'}
Notes for hnc.excludedNamespaces[]
Excluded Namespaces: Namespaces excluded by HNC. Here you can configure a list of namespaces to exclude from HNC in addition to the default excluded namespaces.
Including and excluding namespaces
Notes for hnc.includedNamespacesRegex
Included Namespaces Regex: Regex for included namespaces; an empty string includes all namespaces.
Including and excluding namespaces
Notes for hnc.manager.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for hnc.manager.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for hnc.webhook.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for hnc.webhook.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
images¶
Images Configuration: Configure the individual container image URI for each Welkin component, and (optionally) enable support for a global registry and/or repository.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| images. | object | — | Calico stack image configuration: Calico stack image configuration |
| images. | string | — | See note |
| images. | object | — | cert-manager stack image configuration: cert-manager stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | crossplane stack image configuration: crossplane stack image configuration |
| images. | object | — | Crossplane Configuration packages configuration: Crossplane Configuration packages configuration |
| images. | object | — | Crossplane Function images configuration: Crossplane Function images configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Crossplane Provider images configuration: Crossplane Provider images configuration |
| images. | object | — | Dex stack image configuration: Dex stack image configuration |
| images. | string | — | See note |
| images. | object | — | ExternalDNS stack image configuration: ExternalDNS stack image configuration |
| images. | string | — | See note |
| images. | object | — | falco stack image configuration: falco stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Fluentd stack image configuration: Fluentd stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Gatekeeper stack image configuration: Gatekeeper stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | See note |
| images. | object | — | Global image registry: If enabled it will be used as the registry of images that don't supply their own. |
| images. | boolean | — | Enable the global image registry |
| images. | string | — | See note |
| images. | object | — | Global image repository: If enabled it will be used as the repository of images that don't supply their own. |
| images. | boolean | — | Enable the global image repository |
| images. | string | — | See note |
| images. | object | — | GPU operator stack image configuration: GPU operator stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Harbor stack image configuration: Harbor stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | HNC stack image configuration: HNC stack image configuration |
| images. | string | — | See note |
| images. | object | — | ingress-nginx stack image configuration: ingress-nginx stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Kured stack image configuration: Kured stack image configuration |
| images. | string | — | See note |
| images. | object | — | kyverno stack image configuration: kyverno stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Monitoring stack image configuration: Monitoring stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | NodeLocal DNSCache stack image configuration: NodeLocal DNSCache stack image configuration |
| images. | string | — | See note |
| images. | object | — | opensearch stack image configuration: opensearch stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Rclone stack image configuration: Rclone stack image configuration |
| images. | string | — | See note |
| images. | object | — | Tekton stack image configuration: Tekton stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | object | — | Thanos stack image configuration: Thanos stack image configuration |
| images. | string | — | See note |
| images. | object | — | Velero stack image configuration: Velero stack image configuration |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
| images. | string | — | See note |
Notes for images.calico.accountant
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.cainjector
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.controller
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.startupapicheck
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.webhook
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.crossplane.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.crossplane.kubectl
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.dex.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.externalDns.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.driverLoaderInit
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.falcoctl
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.sidekick
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.aggregator
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.forwarder
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.logManager
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.kubectl
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.postInstallLabelNamespace
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.preInstallCRDs
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.global
Global image settings: Global image registry and repository settings.
If a global registry is supplied and enabled, and an image is specified that doesn't have a registry, the global registry will be used instead.
If a global repository is supplied and enabled, and an image is specified that doesn't have a repository, the global repository will be used instead.
Notes for images.global.registry.uri
Global image registry URI
Examples:
registry.k8s.io
Notes for images.global.repository.uri
Global image repository
Examples:
ingress-nginx
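The fallback rule above is short but has edges worth checking: a reference with a repository path but no registry, a registry given with a port, a reference pinned only by a tag. The Python below is an added example for this page, not code from the project. It resolves images.* values against images.global exactly as the notes describe, then reports references that are not pinned by digest or that point at a registry outside an allowlist, which is the review every per-image key in this table deserves. The `enabled` key beside `uri`, the registry heuristic (first path component contains `.` or `:` or is `localhost`), the sample values and the allowlist are assumptions of the example; the digest in the first sample is the one from the example reference in the notes.

```python
"""Resolve images.* references against images.global and check how they are pinned.

Added example for this page, not the project's code. Applies the images.global
fallback rule from the notes: no registry -> images.global.registry.uri, no
repository -> images.global.repository.uri, each only when enabled.
Assumptions: the enable switch is an "enabled" key beside "uri"; a first path
component is a registry if it contains "." or ":" or is "localhost"; the
sample images.* values and the allowlist are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, replace

_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str | None
    repository: str | None  # path between the registry and the image name
    name: str
    tag: str | None
    digest: str | None

    def __str__(self) -> str:
        out = "/".join(p for p in (self.registry, self.repository, self.name) if p)
        if self.tag:
            out += ":" + self.tag
        if self.digest:
            out += "@" + self.digest
        return out


def _looks_like_registry(component: str) -> bool:
    return "." in component or ":" in component or component == "localhost"


def parse_image(ref: str) -> ImageRef:
    """Split [registry/][repository/]name[:tag][@sha256:digest] into its parts."""
    rest, digest = ref, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
        if not _DIGEST.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
    path, _, last = rest.rpartition("/")
    name, tag = last, None
    if ":" in last:  # a ':' after the last '/' separates the tag, not a port
        name, tag = last.split(":", 1)
    if not name:
        raise ValueError(f"empty image name in {ref!r}")
    components = path.split("/") if path else []
    registry = None
    if components and _looks_like_registry(components[0]):
        registry, components = components[0], components[1:]
    return ImageRef(registry, "/".join(components) or None, name, tag, digest)


def resolve(ref: str, global_cfg: dict) -> ImageRef:
    """Fill in the global registry and repository as the images.global notes describe."""
    img = parse_image(ref)
    registry = global_cfg.get("registry", {})
    repository = global_cfg.get("repository", {})
    if img.registry is None and registry.get("enabled") and registry.get("uri"):
        img = replace(img, registry=registry["uri"])
    if img.repository is None and repository.get("enabled") and repository.get("uri"):
        img = replace(img, repository=repository["uri"])
    return img


def pin_warnings(img: ImageRef, allowed_registries: frozenset[str]) -> list[str]:
    """Supply-chain checks on a resolved reference."""
    warnings = []
    if img.registry is None:
        warnings.append("no registry: the pull goes to the runtime's default registry")
    elif img.registry not in allowed_registries:
        warnings.append(f"registry {img.registry} is not on the allowlist")
    if img.digest is None:
        warnings.append("not pinned by digest: the tag can be repointed at other content")
        if img.tag in (None, "latest"):
            warnings.append("floating tag: resolves to whatever the registry serves today")
    return warnings


def audit_images(images: dict[str, str], global_cfg: dict,
                 allowed_registries: frozenset[str]) -> dict[str, tuple[str, list[str]]]:
    """Map each images.* key to (resolved reference, warnings)."""
    result = {}
    for key, ref in images.items():
        img = resolve(ref, global_cfg)
        result[key] = (str(img), pin_warnings(img, allowed_registries))
    return result


# Constructed sample; the first image resolves to the example reference in the notes.
GLOBAL = {"registry": {"enabled": True, "uri": "registry.k8s.io"},
          "repository": {"enabled": True, "uri": "ingress-nginx"}}
ALLOWED_REGISTRIES = frozenset({"registry.k8s.io", "harbor.example.internal"})
SAMPLE_IMAGES = {
    "images.ingressNginx.controllerChroot":
        "controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e",
    "images.ingressNginx.defaultBackend": "defaultbackend:1.5",
    "images.rclone.image": "ghcr.io/acme/rclone:latest",
    "images.harbor.core": "harbor.example.internal/library/harbor-core@sha256:" + "0" * 64,
}

if __name__ == "__main__":
    for key, (resolved, warnings) in audit_images(SAMPLE_IMAGES, GLOBAL, ALLOWED_REGISTRIES).items():
        print(f"{key} -> {resolved}")
        for warning in warnings:
            print(f"    ! {warning}")
```

Run directly it prints one line per image plus its warnings. Note that the repository fallback only fires when the reference has no path at all: `library/nginx` keeps `library` and gains only the global registry, which is what the notes say and matters when mirroring images into a private registry under a different path.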
Notes for images.gpuOperator.nodeFeatureDiscovery
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gpuOperator.operator
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.backupJob
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.core
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.database
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.exporter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.initJob
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.jobservice
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.mpuCleaner
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.portal
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.redis
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.registry
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.registryController
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.trivyAdapter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.hnc.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.admissionWebhooksPatch
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.controller
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.controllerChroot
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.defaultBackend
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.fileCopier
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kured.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.crdsMigration
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.init
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.main
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.webhooksCleanup
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.admissionWebhooksPatch
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.alertmanager
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.blackboxExporter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.configReloader
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafana
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafanaLabelEnforcer
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafanaSidecar
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.kubeStateMetrics
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.metricsServer
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.nodeExporter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.prometheus
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.prometheusOperator
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.s3Exporter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.trivyOperator
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.nodeLocalDns.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.configurerJob
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.curatorCronjob
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.dashboards
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.exporter
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.initSysctl
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.rclone.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.controller
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.remoteResolvers
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.webhook
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.thanos.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.image
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.kubectl
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginAws
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginAzure
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginGcp
URI for a container image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
ingressNginx¶
Ingress-NGINX Controller Config: Configure Ingress-NGINX, the ingress controller.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| ingressNginx. |
object | — | Ingress-NGINX Controller: Configure the controller daemonset of Ingress-NGINX. |
| ingressNginx. |
object | — | See note |
| ingressNginx. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| ingressNginx. |
— | — | Describes node affinity scheduling rules for the pod. |
| ingressNginx. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| ingressNginx. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| ingressNginx. |
boolean | — | See note |
| ingressNginx. |
boolean | True | See note |
| ingressNginx. |
object | — | Ingress-NGINX Config: Configure the Ingress-NGINX controller. |
| ingressNginx. |
string | Critical | See note |
| ingressNginx. |
boolean | — | Ingress-NGINX PROXY Protocol |
| ingressNginx. |
boolean | True | Ingress-NGINX Annotation Validation: When enabled, annotations on Ingress resources are validated. This is disabled by default due to the maturity of the feature and lack of documentation. |
| ingressNginx. |
boolean | — | See note |
| ingressNginx. |
object | — | Ingress NGINX Extra Args: Configure extra args to pass to Ingress NGINX Controller. |
| ingressNginx. |
array | — | Ingress NGINX Extra Environment Variables: Configure extra environment variables to Ingress NGINX Controller. |
| ingressNginx. |
object | — | See note |
| ingressNginx. |
object | — | See note |
| ingressNginx. |
object | — | Kubernetes Quantity Map |
| ingressNginx. |
object | — | Kubernetes Quantity Map |
| ingressNginx. |
object | — | Ingress-NGINX Service: Configure the Service for traffic to Ingress-NGINX. |
| ingressNginx. |
boolean | — | See note |
| ingressNginx. |
object | — | Service Annotations |
| ingressNginx. |
string | — | Service ClusterIP |
| ingressNginx. |
boolean | — | Ingress-NGINX Service Enabled |
| ingressNginx. |
object | — | Ingress-NGINX Internal Service: Configure the Internal Service for traffic to Ingress-NGINX. |
| ingressNginx. |
boolean | — | See note |
| ingressNginx. |
object | — | Service Annotations |
| ingressNginx. |
string | — | Service ClusterIP |
| ingressNginx. |
boolean | — | Ingress-NGINX Service Enabled |
| ingressNginx. |
string | SingleStack | See note |
| ingressNginx. |
string | — | See note |
| ingressNginx. |
array of string | — | Load Balancer Source Ranges: Configure the source ranges to allow via the Load Balancer Service. |
| ingressNginx. |
object | — | Node Ports: Configure the node ports to allocate for the Service. |
| ingressNginx. |
integer | — | — |
| ingressNginx. |
integer | — | — |
| ingressNginx. |
string | — | See note |
| ingressNginx. |
array of string | ['IPv4'] | See note |
| ingressNginx. |
string | SingleStack | See note |
| ingressNginx. |
string | — | See note |
| ingressNginx. |
array of string | — | Load Balancer Source Ranges: Configure the source ranges to allow via the Load Balancer Service. |
| ingressNginx. |
object | — | Node Ports: Configure the node ports to allocate for the Service. |
| ingressNginx. |
integer | — | — |
| ingressNginx. |
integer | — | — |
| ingressNginx. |
string | — | See note |
| ingressNginx. |
array | — | Kubernetes Tolerations: Kubernetes taints and tolerations |
| ingressNginx. |
boolean | — | See note |
| ingressNginx. |
object | — | Ingress-NGINX Default Backend: Configure the default backend deployment of Ingress-NGINX. |
| ingressNginx. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| ingressNginx. |
— | — | Describes node affinity scheduling rules for the pod. |
| ingressNginx. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| ingressNginx. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| ingressNginx. |
object | — | See note |
| ingressNginx. |
object | — | See note |
| ingressNginx. |
object | — | Kubernetes Quantity Map |
| ingressNginx. |
object | — | Kubernetes Quantity Map |
| ingressNginx. |
array | — | Kubernetes Tolerations: Kubernetes taints and tolerations |
| ingressNginx. |
array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| ingressNginx. |
string | — | Ingress-NGINX Subdomain |
Notes for ingressNginx.controller.additionalConfig
Ingress-NGINX Additional Config: Additional configuration for the Ingress-NGINX controller.
Note
See the upstream documentation for reference.
Notes for ingressNginx.controller.allowSnippetAnnotations
Ingress-NGINX Allow Snippet Annotations: When enabled, annotations on Ingress resources can inject raw snippets into the NGINX configuration.
Danger
Only enable this after evaluating the risks it poses.
Note
See the upstream documentation for reference.
Notes for ingressNginx.controller.chroot
Ingress-NGINX Controller Chroot: When enabled, NGINX itself runs in a chroot under the controller namespace for increased separation between the controller and the proxy.
This requires a special seccomp profile to be available so that the controller can be granted the SYS_ADMIN capability; the profile is provided by a separate daemon set.
Notes for ingressNginx.controller.config.annotationsRiskLevel
Ingress-NGINX Annotations Risk Level: Configure the accepted risk level of annotations on Ingress resources.
Note
See the upstream documentation for reference.
Possible values:
Critical
High
Medium
Low
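To see what allowSnippetAnnotations and annotationsRiskLevel actually gate, look at the annotations on the Ingress objects already in the cluster. The Python below is an added example, not part of this reference or of the project's code: it walks a list of Ingress manifests (constructed here; in practice the objects from `kubectl get ingress -A -o json`), reports every snippet annotation, marks it as rejected when allowSnippetAnnotations is false, and scans the snippet text for directives that let it reach beyond its own Ingress. The annotation prefix, the `-snippet` suffix rule and the directive blocklist are assumptions of the example and are labelled in the code.

```python
"""Find Ingress objects that depend on NGINX snippet annotations.

Added example for this page, not the project's code. Assumptions: the
annotation prefix is the upstream default nginx.ingress.kubernetes.io, every
annotation ending in "-snippet" injects raw NGINX config (the upstream
configuration-, server-, auth-, modsecurity- and stream-snippet annotations
do), and the blocklist and sample Ingress objects are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# Words that let a snippet load code, add locations or expose the controller
# pod's filesystem (for example its mounted service-account token). Constructed
# for the example; extend it for your environment.
BLOCKED_WORDS = ("load_module", "lua_package", "_by_lua", "location",
                 "root", "alias", "proxy_pass", "serviceaccount")


@dataclass
class Finding:
    namespace: str
    name: str
    annotation: str
    rejected: bool  # True when allowSnippetAnnotations is false
    blocked_words: list[str] = field(default_factory=list)


def snippet_annotations(ingress: dict) -> dict[str, str]:
    """Return the snippet annotations of one Ingress, sorted by name."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    return {k: v for k, v in sorted(annotations.items())
            if k.startswith(ANNOTATION_PREFIX) and k.endswith("-snippet")}


def audit(ingresses: list[dict], allow_snippet_annotations: bool) -> list[Finding]:
    """One Finding per snippet annotation across all Ingress objects."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        for annotation, value in snippet_annotations(ing).items():
            findings.append(Finding(
                namespace=meta.get("namespace", "default"),
                name=meta["name"],
                annotation=annotation,
                rejected=not allow_snippet_annotations,
                blocked_words=sorted(w for w in BLOCKED_WORDS if w in value),
            ))
    return findings


def report(ingresses: list[dict], allow_snippet_annotations: bool) -> list[str]:
    """Human-readable lines for the findings."""
    lines = []
    for f in audit(ingresses, allow_snippet_annotations):
        status = "REJECTED" if f.rejected else "accepted"
        detail = f" blocked words: {', '.join(f.blocked_words)}" if f.blocked_words else ""
        lines.append(f"{status} {f.namespace}/{f.name} {f.annotation}{detail}")
    return lines


# Constructed sample Ingress objects. The second one is the case the danger
# notice is about: a server snippet that serves the controller pod's
# service-account directory to anyone who can reach the ingress.
SAMPLE_INGRESSES = [
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "app", "namespace": "web", "annotations": {
         ANNOTATION_PREFIX + "ssl-redirect": "true",
         ANNOTATION_PREFIX + "configuration-snippet": 'more_set_headers "X-Frame-Options: DENY";',
     }}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "exfil", "namespace": "tenant-b", "annotations": {
         ANNOTATION_PREFIX + "server-snippet":
             "location /token/ {\n  alias /var/run/secrets/kubernetes.io/serviceaccount/;\n}",
     }}},
    {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
     "metadata": {"name": "plain", "namespace": "web", "annotations": {
         ANNOTATION_PREFIX + "ssl-redirect": "true"}}},
]

if __name__ == "__main__":
    for allow in (False, True):
        print(f"allowSnippetAnnotations={str(allow).lower()}")
        for line in report(SAMPLE_INGRESSES, allow):
            print("  " + line)
```

With snippets disabled both annotated objects are rejected outright. With them enabled, the blocklist scan is the only thing standing between the second object's annotation and a credential leak, so treat a hit as a finding to act on, not a lint warning, and keep annotationsRiskLevel as low as your Ingress authors can live with.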
Notes for ingressNginx.controller.enablepublishService
Ingress-NGINX Publish Service: When enabled, the IP or FQDN reported as the external address of the Service in the Ingress status field can be customised.
When disabled, the IPs of the nodes where the controller pods are running are reported.
Notes for ingressNginx.controller.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for ingressNginx.controller.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for ingressNginx.controller.service.allocateLoadBalancerNodePorts
Load Balancer Node Ports: When enabled, node ports are allocated for the Load Balancer Service.
This should be enabled when the cluster is fronted by a proxy load balancer, regardless of whether it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.
See reference
Notes for ingressNginx.controller.service.internal.allocateLoadBalancerNodePorts
Load Balancer Node Ports: When enabled, node ports are allocated for the Load Balancer Service.
This should be enabled when the cluster is fronted by a proxy load balancer, regardless of whether it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.
See reference
Notes for ingressNginx.controller.service.internal.ipFamilyPolicy
Service IP Family Policy: Represents the dual-stack-ness requested or required by this Service. When utilizing an internal load balancer service (e.g. MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.
See reference
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for ingressNginx.controller.service.internal.loadBalancerIP
Load Balancer IP: Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.
Important
With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP from being deleted.
Notes for ingressNginx.controller.service.internal.type
Service Type: Configure the type of the Service.
Possible values:
ClusterIP
LoadBalancer
NodePort
Notes for ingressNginx.controller.service.ipFamilies[]
Service IP Families: List of IP families (e.g. IPv4, IPv6) assigned to the service. Default is IPv4 only. When utilizing an internal load balancer service (e.g. MetalLB), IPv6 would also need to be included in order for the ingress service to allocate an address in that family.
Notes for ingressNginx.controller.service.ipFamilyPolicy
Service IP Family Policy: Represents the dual-stack-ness requested or required by this Service. When utilizing an internal load balancer service (e.g. MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.
See reference
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for ingressNginx.controller.service.loadBalancerIP
Load Balancer IP: Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.
Important
With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP from being deleted.
Notes for ingressNginx.controller.service.type
Service Type: Configure the type of the Service.
Possible values:
ClusterIP
LoadBalancer
NodePort
Notes for ingressNginx.controller.useHostPort
Ingress-NGINX Host Port: When enabled, ingress traffic is forwarded directly from the target ports on the nodes to Ingress-NGINX.
This requires the namespace to use the privileged Pod Security Standard.
Notes for ingressNginx.defaultBackend.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for ingressNginx.defaultBackend.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
issuers¶
Issuers Config: Configure issuers for cert-manager.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| issuers. |
array | — | Extra Issuers |
| issuers. |
object | — | Issuers Let's Encrypt: Configure issuers for cert-manager using Let's Encrypt. |
| issuers. |
boolean | True | Let's Encrypt Enabled |
| issuers. |
object | — | Let's Encrypt Prod: Configure Let's Encrypt production issuer. |
| issuers. |
array | — | Issuer Solver |
| issuers. |
object | — | Let's Encrypt Staging: Configure Let's Encrypt staging issuer. |
| issuers. |
array | — | Issuer Solver |
kubeStateMetrics¶
Kube State Metrics: Configure the kube-state-metrics exporter.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| kubeStateMetrics. |
object | — | See note |
| kubeStateMetrics. |
object | — | Kubernetes Quantity Map |
| kubeStateMetrics. |
object | — | Kubernetes Quantity Map |
Notes for kubeStateMetrics.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
kured¶
Kured Config: Configuration for Kured (Kubernetes Reboot Daemon).
Kured orchestrates node reboots to allow nodes to automatically perform system updates and patches.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| kured. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| kured. |
— | — | Describes node affinity scheduling rules for the pod. |
| kured. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kured. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kured. |
object | — | See note |
| kured. |
string | — | See note |
| kured. |
string | 86399 | Kured Schedule End Time: Schedule reboots only before this time of day. |
| kured. |
string | — | See note |
| kured. |
string | — | See note |
| kured. |
array of string | ['mo', 'tu', 'we', 'th', 'fr', 'sa', 'su'] | Kured Schedule Reboot Days: Only reboot on these days. |
| kured. |
string | 0:00 | Kured Schedule Start Time: Schedule reboots only after this time of day. |
| kured. |
string | UTC | Kured Schedule Time Zone |
| kured. |
object | — | — |
| kured. |
boolean | — | Kured Enabled |
| kured. |
array of string | — | Extra Arguments: Extra arguments passed to a container |
| kured. |
object | — | — |
| kured. |
object | — | Kured Metrics: Configuration for Kured metrics |
| kured. |
boolean | True | Kured Metrics Enabled |
| kured. |
string | — | See note |
| kured. |
object | — | Kured Metrics Labels |
| kured. |
object | — | See note |
| kured. |
object | — | Kured Notification: Send notification from Kured when nodes are rebooted. |
| kured. |
object | — | Kured Slack Notification: Send notification from Kured to Slack when nodes are rebooted. |
| kured. |
string | — | Kured Slack Notification Channel |
| kured. |
boolean | — | Kured Slack Notification Enabled |
| kured. |
object | — | See note |
| kured. |
object | — | Kubernetes Quantity Map |
| kured. |
object | — | Kubernetes Quantity Map |
| kured. |
array | — | Kubernetes Tolerations: Kubernetes taints and tolerations |
Notes for kured.configuration
Kured Config: Kured configuration parameters.
See the upstream documentation for reference.
Most parameters are mapped from camelCase to --kebab-case; the others can be set via extraArgs.
Notes for kured.configuration.drainTimeout
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.configuration.lockReleaseDelay
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.configuration.period
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.metrics.interval
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for kured.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
kyverno¶
Kyverno Config: Configure Kyverno and Kyverno Policies
| Key | Type | Default | Title and Description |
|---|---|---|---|
| kyverno. | boolean | — | Enable Kyverno |
| kyverno. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| kyverno. | — | — | Describes node affinity scheduling rules for the pod. |
| kyverno. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. | object | — | See note |
| kyverno. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| kyverno. | — | — | Describes node affinity scheduling rules for the pod. |
| kyverno. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. | object | — | Kyverno policies: Kyverno policies configuration |
| kyverno. | object | — | Verify Image Signature Kyverno policy: A policy that requires that all images in HNC controlled namespaces are signed |
| kyverno. | string | — | See note |
| kyverno. | boolean | — | Enable the Verify Image Signature policy |
| kyverno. | boolean | — | Ignore Rekor transparency log when verifying image signatures |
| kyverno. | string | — | See note |
| kyverno. | object | — | See note |
| kyverno. | object | — | Kubernetes Quantity Map |
| kyverno. | object | — | Kubernetes Quantity Map |
| kyverno. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| kyverno. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for kyverno.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for kyverno.policies.verifyImageSignature.attestor
A public key (Cosign) or certificate (Notary) used to verify image signatures
Examples:
-----BEGIN PUBLIC KEY-----
MFkwEwY...
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIDTTCCA...
-----END CERTIFICATE-----
Notes for kyverno.policies.verifyImageSignature.type
Method of signature validation
Possible values:
Cosign
Notary
Notes for kyverno.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
metricsServer¶
Metrics Server: Configure the metrics-server exporter, used to provide for the metrics API in Kubernetes.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| metricsServer. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| metricsServer. | — | — | Describes node affinity scheduling rules for the pod. |
| metricsServer. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| metricsServer. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| metricsServer. | boolean | True | Metrics Server Enabled |
| metricsServer. | object | — | See note |
| metricsServer. | object | — | Kubernetes Quantity Map |
| metricsServer. | object | — | Kubernetes Quantity Map |
| metricsServer. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
Notes for metricsServer.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
networkPlugin¶
Network Plugin: Configure the network plugin used in the cluster.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| networkPlugin. | object | — | Calico network plugin: Configuration when network plugin is set to calico |
| networkPlugin. | object | — | Calico Accountant: Configure Calico accountant, used to collect metrics about packets affected by Network Policies when using Calico. |
| networkPlugin. | string | nftables | See note |
| networkPlugin. | boolean | True | — |
| networkPlugin. | object | — | See note |
| networkPlugin. | object | — | Kubernetes Quantity Map |
| networkPlugin. | object | — | Kubernetes Quantity Map |
| networkPlugin. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration |
| networkPlugin. | object | — | Calico Felix Metrics: Configure Calico Felix metrics, used to collect metrics about Calico. |
| networkPlugin. | boolean | True | Calico Felix Metrics Enabled |
| networkPlugin. | string | — | See note |
Notes for networkPlugin.calico.calicoAccountant.backend
Calico Accountant Backend
Possible values:
iptables
nftables
Notes for networkPlugin.calico.calicoAccountant.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for networkPlugin.type
Network plugin type: Configure the type of network plugin
Possible values:
calico
cilium
networkPolicies¶
Network Policies Config: Configure Network Policies.
Most common Network Policy rules can be updated by running ./bin/ck8s update-ips <both|sc|wc>.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| networkPolicies. | string | — | Network Policies Additional Policies: Configure additional network policies. |
| networkPolicies. | array | — | Network Policies Egress Policies |
| networkPolicies. | array | — | Network Policies Ingress Policies |
| networkPolicies. | object | — | Network Policies Alertmanager: Configure Alertmanager network policy rules. |
| networkPolicies. | object | — | IP And Port List: Network policy rule for Kubernetes network policies |
| networkPolicies. | boolean | — | — |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | boolean | — | Network Policies Alertmanager Enabled |
| networkPolicies. | array | — | Network Policies Allowed Namespaces |
| networkPolicies. | object | — | Network Policies cert-manager: Configure cert-manager network policy rules. |
| networkPolicies. | object | — | Network Policies cert-manager DNS-01: Configure network policy rule to allow cert-manager to perform DNS-01 challenges. |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | boolean | True | Network Policies cert-manager Enabled |
| networkPolicies. | object | — | Network Policies cert-manager HTTP-01: Configure network policy rule to allow cert-manager to perform HTTP-01 challenges on endpoints other than the ingress-controller. |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | See note |
| networkPolicies. | object | — | Network Policies CoreDNS: Configure CoreDNS network policy rules. |
| networkPolicies. | boolean | True | Network Policies CoreDNS |
| networkPolicies. | object | — | Network Policies CoreDNS External DNS: Configure network policy rule to allow CoreDNS to query the upstream DNS servers. |
| networkPolicies. | object | — | Network Policies CoreDNS Service IP: Configure network policy rule to allow CoreDNS to query the internal service IP. |
| networkPolicies. | object | — | Network Policies Crossplane: Configure Crossplane network policy rules. |
| networkPolicies. | boolean | True | Network Policies Crossplane Enabled |
| networkPolicies. | object | — | Crossplane Package Registry: Configure network policy rules to allow Crossplane to access the Package registry |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | boolean | — | — |
| networkPolicies. | object | — | Network Policies Dex: Configure Dex network policy rules. |
| networkPolicies. | object | — | Network Policies Dex Connectors: Configure network policy rule to allow Dex to reach configured connectors. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | boolean | True | Network Policies Dex Enabled |
| networkPolicies. | object | — | Network Policies DNS Autoscaler: Configure DNS Autoscaler network policy rules. |
| networkPolicies. | boolean | True | Network Policies DNS Autoscaler Enabled |
| networkPolicies. | boolean | True | Network Policies Alerting Enabled |
| networkPolicies. | boolean | True | Network Policies Enabled |
| networkPolicies. | object | — | Network Policies ExternalDNS: Configure ExternalDNS network policy rules. |
| networkPolicies. | boolean | — | — |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Falco: Configure Falco network policy rules. |
| networkPolicies. | boolean | True | Network Policies Falco Enabled |
| networkPolicies. | object | — | Network Policies Falco Plugins: Configure network policy rules to allow Falco to install plugins during startup. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Fluentd: Configure Fluentd network policy rules. |
| networkPolicies. | boolean | True | Network Policies Fluentd Enabled |
| networkPolicies. | object | — | Extra Output Rule: Configure extra output egress rules. This may be used to allow application developers to send logs externally from user Fluentd with extra config and plugins. |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Gatekeeper: Configure Gatekeeper network policy rules. |
| networkPolicies. | boolean | True | Network Policies Gatekeeper Enabled |
| networkPolicies. | object | — | Network Policies Global: Configure global network policy rules. |
| networkPolicies. | boolean | — | Network Policies External Load Balancer: When enabled, create Network Policy rules for ingress via external load balancer. |
| networkPolicies. | boolean | — | Network Policies Ingress Host Network: When enabled, create Network Policy rules for ingress via host network. |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | integer | — | — |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | object | — | Network Policies Trivy: Configure Trivy network policy rules. Used for Trivy to fetch vulnerability databases both in Harbor and Trivy Operator. |
| networkPolicies. | integer | — | — |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | integer | — | — |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | object | — | See note |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | object | — | Network Policies Harbor: Configure Harbor network policy rules. |
| networkPolicies. | object | — | Network Policies Harbor Database: Configure network policies for the database used by Harbor. |
| networkPolicies. | object | — | Network Policies Harbor Database External Egress: Configure network policy egress rules to the external database of Harbor. |
| networkPolicies. | array | — | Network Policy Peers |
| networkPolicies. | array | — | Network Policy Ports |
| networkPolicies. | object | — | Network Policies Harbor Database Internal Ingress: Configure network policy ingress rules to the internal database of Harbor. |
| networkPolicies. | array | — | Network Policy Peers |
| networkPolicies. | array | — | Network Policy Ports |
| networkPolicies. | boolean | True | Network Policies Harbor Enabled |
| networkPolicies. | object | — | Network Policies Harbor Job Service: Configure network policies for the job service in Harbor. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Harbor Redis: Configure network policies for the Redis used by Harbor. |
| networkPolicies. | object | — | Network Policies Harbor Redis External Egress: Configure network policy egress rules to the external Redis of Harbor. |
| networkPolicies. | array | — | Network Policy Peers |
| networkPolicies. | array | — | Network Policy Ports |
| networkPolicies. | object | — | Network Policies Harbor Registries: Configure network policies for external registries used by Harbor. Applies to harbor-core and harbor-jobservice when replication is enabled. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Harbor Trivy: Configure network policies for the Trivy scanner in Harbor. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Ingress NGINX: Configure Ingress NGINX network policy rules. |
| networkPolicies. | boolean | True | Network Policies Ingress NGINX Enabled |
| networkPolicies. | object | — | Network Policies Ingress Override: Configure override to the ingress rules for Ingress NGINX. Required when cluster ingress uses direct routing. |
| networkPolicies. | boolean | — | Network Policies Ingress Override Enabled |
| networkPolicies. | object | — | Network Policies Kube System: Configure kube-system network policy rules. |
| networkPolicies. | boolean | True | Network Policies Kube System Enabled |
| networkPolicies. | object | — | Network Policies OpenStack: Configure OpenStack network policy rules. |
| networkPolicies. | boolean | — | Network Policies OpenStack Enabled |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies UpCloud: Configure UpCloud network policy rules. |
| networkPolicies. | boolean | — | Network Policies UpCloud Enabled |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Kured: Configure Kured network policy rules. |
| networkPolicies. | boolean | True | Network Policies Kured Enabled |
| networkPolicies. | object | — | Network Policies Kured Notifications Slack: Configure network policy rules to allow Kured to send Slack notifications. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Kyverno: Configure Kyverno network policy rules. |
| networkPolicies. | boolean | True | Network Policies Kyverno Enabled |
| networkPolicies. | object | — | Network Policies Kyverno Image Registry: Configure network policy that allows Kyverno to access image registries. This is required for signed image verification. |
| networkPolicies. | object | — | Network Policies Monitoring: Configure monitoring network policy rules. |
| networkPolicies. | boolean | True | Network Policies Monitoring Enabled |
| networkPolicies. | object | — | Network Policies Grafana: Configure Grafana network policy rules. |
| networkPolicies. | object | — | Grafana External Dashboards: Configure network policy rules to allow Grafana to use external dashboards. |
| networkPolicies. | array of string | — | List Of IP Netmasks: List of IP netmasks, each an IP address with netmask |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Grafana External Datasources: Configure network policy rules to allow Grafana to use external datasources. |
| networkPolicies. | boolean | — | Grafana External Datasources Enabled |
| networkPolicies. | object | — | Network Policies OpenSearch: Configure OpenSearch network policy rules. |
| networkPolicies. | boolean | True | Network Policies OpenSearch Enabled |
| networkPolicies. | object | — | Network Policies OpenSearch Plugins: Configure network policy rules to allow OpenSearch to install plugins during startup. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Prometheus: Configure Prometheus network policy rules. |
| networkPolicies. | object | — | See note |
| networkPolicies. | boolean | — | Prometheus Internal Access Enabled |
| networkPolicies. | array of string | — | Prometheus Internal Access Namespaces: Configure the namespaces to allow internal access to Prometheus. |
| networkPolicies. | object | — | Network Policies Rclone: Configure Rclone network policy rules. |
| networkPolicies. | boolean | — | Network Policies Rclone Enabled |
| networkPolicies. | object | — | Network Policies Rclone Sync: Configure network policy rules to allow rclone to sync. |
| networkPolicies. | object | — | Network Policies Rclone Sync Object Storage: Configure network policy rules to allow rclone to sync object storage. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Rclone Sync Object Storage: Configure network policy rules to allow rclone to sync object storage with Swift. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Rclone Sync Object Storage: Configure network policy rules to allow rclone to sync with a secondary URL. |
| networkPolicies. | array of integer | — | Port Number List: List of port numbers, each a 16-bit unsigned integer |
| networkPolicies. | object | — | Network Policies Rook Ceph: Configure Rook Ceph network policy rules. |
| networkPolicies. | boolean | — | Network Policies Rook Ceph Enabled |
| networkPolicies. | object | — | Network Policies S3 Exporter: Configure S3 exporter network policy rules. |
| networkPolicies. | boolean | True | Network Policies S3 Exporter Enabled |
| networkPolicies. | object | — | Network Policies Tekton Pipeline: Enable network policies for Tekton and the pipeline. |
| networkPolicies. | boolean | True | Network Policies Tekton Enabled |
| networkPolicies. | object | — | See note |
| networkPolicies. | object | — | Network Policies Thanos: Configure Thanos network policy rules. |
| networkPolicies. | boolean | True | Network Policies Thanos Enabled |
| networkPolicies. | object | — | Network Policies Velero: Configure Velero network policy rules. |
| networkPolicies. | boolean | True | Network Policies Velero Enabled |
Notes for networkPolicies.certManager.letsencrypt
Network Policies cert-manager Let's Encrypt: Configure network policy rule to allow cert-manager to reach Let's Encrypt.
Note
Let's Encrypt by choice does not publish a list of their endpoints, so this is required to be ips: [ 0.0.0.0/0 ].
Notes for networkPolicies.certManager.namespaces[]
Network Policies cert-manager namespaces: Configure the namespaces in which cert-manager is allowed to perform HTTP-01 challenges.
Examples:
['dex', 'harbor', 'monitoring', 'opensearch-system', 'thanos']
Notes for networkPolicies.global.objectStorage
Network Policies ObjectStorage: Configure object storage network policy rules.
This configuration should match the object storage service configured under objectStorage.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.objectStorageSwift
Network Policies ObjectStorage Swift: Configure OpenStack Swift object storage network policy rules.
This configuration should match the object storage service configured under objectStorage.swift if used by any component.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scApiserver
Network Policies SC API Server: Configure service cluster API server network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scIngress
Network Policies SC Ingress: Configure service cluster ingress network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scNodes
Network Policies SC Nodes: Configure service cluster nodes network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcApiserver
Network Policies WC API Server: Configure workload cluster API server network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcIngress
Network Policies WC Ingress: Configure workload cluster ingress network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcNodes
Network Policies WC Nodes: Configure workload cluster nodes network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.prometheus.internalAccess
Network Policies Prometheus Internal Access: Configure network policy rules to allow internal access to Prometheus.
This requires the allowed namespaces to be configured under namespaces and the allowed pods to be labeled elastisys.io/prometheus-access: allowed.
Notes for networkPolicies.tektonPipelines.pipeline
Network Policies Tekton Pipeline: Add required networkpolicies for the pipeline under the section pipeline.
The networkpolicies should follow the network policies generator. As such, it is possible to use pre-defined network policies rules. The pre-defined rules can be found here.
```yaml
pipeline:
  clone-config-pod:
    podSelectorLabels:
      tekton.dev/pipeline: upgrade-pipeline
    ingress: {}
    egress:
      - rule: egress-rule-dns # pre-defined network policies rule.
      - name: egress-rule-config-access
        peers:
          - cidr: 1.2.3.4/32
        ports:
          - tcp: 22
```
nodeLocalDns¶
Node Local DNS: Configure node-local-dns, node local DNS resolving and caching.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| nodeLocalDns. | string | — | See note |
| nodeLocalDns. | object | — | Host zone for node-local-dns: Configure the host zone for node-local-dns |
| nodeLocalDns. | string | — | See note |
| nodeLocalDns. | object | — | See note |
| nodeLocalDns. | object | — | Kubernetes Quantity Map |
| nodeLocalDns. | object | — | Kubernetes Quantity Map |
Notes for nodeLocalDns.customConfig
Custom Config: Configure custom options for the CoreDNS instance running as part of node-local-dns.
Note
See the upstream documentation for reference.
Examples:
```
example.com:53 {
    errors
    cache 30
    reload
    loop
    forward . 127.0.0.1:9005
}
```
Notes for nodeLocalDns.hostZone.extraConfig
Extra config for host zone: Configure extra config for the host zone .53 for node-local-dns.
Note
See the upstream documentation for reference.
Examples:
```
template ANY ANY {
    rcode NXDOMAIN
}
```
Notes for nodeLocalDns.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
objectStorage¶
Object Storage Config: Configuration options for using object storage in Welkin
This is used for:
- Fluentd audit logs
- Fluentd service cluster logs
- Harbor database backups and registry storage
- OpenSearch workload cluster log snapshots
- Rclone object storage sync source and restore destination
- Thanos metrics storage
- Velero resource backups and volume snapshots
Harbor, Rclone, and Thanos have additional configuration to use Swift.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| objectStorage. |
object | — | Azure Backend Config: Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Azure Resource Group: Resource group of the storage account. |
| objectStorage. |
string | — | Azure Storage Account Name: Name of the storage account |
| objectStorage. |
object | — | See note |
| objectStorage. |
object | — | See note |
| objectStorage. |
boolean | — | Rclone Restore Targets From Sync: Automatically configure the restore from a secondary site to the primary site. Essentially this will configure Rclone restore to do the inverse of Rclone sync. |
| objectStorage. |
object | — | Rclone Crypt: Encrypt data when syncing and decrypt data when restoring. |
| objectStorage. |
boolean | — | Rclone Crypt Crypt Directory Names: Encrypt directory names when syncing, requires file names to be encrypted. |
| objectStorage. |
boolean | — | Rclone Crypt Enable |
| objectStorage. |
boolean | — | Rclone Crypt Crypt File Names: Encrypt file names when syncing. |
| objectStorage. |
object | — | Rclone Restore Destinations: Allows for complete or partial overrides of the destinations of the restore, the main object storage configuration. |
| objectStorage. |
object | — | Azure Backend Config: Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Azure Resource Group: Resource group of the storage account. |
| objectStorage. |
string | — | Azure Storage Account Name: Name of the storage account |
| objectStorage. |
object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| objectStorage. |
boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. |
string | — | S3 Region: Region to store data. |
| objectStorage. |
string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. |
boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. |
object | — | Swift Backend Config: > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. |
string | — | OpenStack Authentication URL: OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. |
integer | — | OpenStack Authentication Version: OpenStack authentication version. Set 0 for auto detect from authentication url. |
| objectStorage. |
string | — | OpenStack Domain ID: The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | OpenStack Domain Name: The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | OpenStack Project Domain ID: The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | OpenStack Project Domain Name: The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | OpenStack Project ID: The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | OpenStack Project Name: The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Region: OpenStack region. |
| objectStorage. | string | +segments | Swift Segments Container Suffix: The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. | boolean | — | Rclone Restore Dryrun: Deploy Rclone with dryrun enabled. |
| objectStorage. | boolean | — | Rclone Restore Enable |
| objectStorage. | object | — | Rclone Restore Sources: Allows for complete or partial overrides of the sources of the restore, i.e. the sync object storage configuration. |
| objectStorage. | object | — | Azure Backend Config: Only supports Azure Public Cloud. |
| objectStorage. | string | — | Azure Resource Group: Resource group of the storage account. |
| objectStorage. | string | — | Azure Storage Account Name: Name of the storage account. |
| objectStorage. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| objectStorage. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. | string | — | S3 Region: Region to store data. |
| objectStorage. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. | boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. | object | — | Swift Backend Config. Note: Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. | string | — | OpenStack Authentication URL: OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. | integer | — | OpenStack Authentication Version: OpenStack authentication version. Set 0 to auto-detect it from the authentication URL. |
| objectStorage. | string | — | OpenStack Domain ID: The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Domain Name: The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Project Domain ID: The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project Domain Name: The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project ID: The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Project Name: The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Region: OpenStack region. |
| objectStorage. | string | +segments | Swift Segments Container Suffix: The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. | array of object | — | Rclone Restore Targets: Targets to restore. Each entry holds the details of one bucket to restore. |
| objectStorage. | string | — | Rclone Restore Timestamp: Perform point-in-time restore if possible. This is only supported for S3 sources. |
| objectStorage. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| objectStorage. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. | string | — | S3 Region: Region to store data. |
| objectStorage. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. | boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. | object | — | Swift Backend Config. Note: Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. | string | — | OpenStack Authentication URL: OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. | integer | — | OpenStack Authentication Version: OpenStack authentication version. Set 0 to auto-detect it from the authentication URL. |
| objectStorage. | string | — | OpenStack Domain ID: The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Domain Name: The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Project Domain ID: The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project Domain Name: The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project ID: The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Project Name: The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Region: OpenStack region. |
| objectStorage. | string | +segments | Swift Segments Container Suffix: The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. | object | — | Rclone Sync Config: Sync object storage from the primary site to a secondary site with Rclone. |
| objectStorage. | number | 14400 | Rclone Cronjob Active Deadline Seconds: The maximum amount of time that the Rclone job is allowed to run (in seconds). |
| objectStorage. | object | — | Azure Backend Config: Only supports Azure Public Cloud. |
| objectStorage. | string | — | Azure Resource Group: Resource group of the storage account. |
| objectStorage. | string | — | Azure Storage Account Name: Name of the storage account. |
| objectStorage. | array of object | — | Rclone Sync Buckets: Additional buckets to sync. List of buckets to sync when syncDefaultBuckets is false. |
| objectStorage. | string | — | — |
| objectStorage. | string | — | See note |
| objectStorage. | boolean | — | Rclone Sync Dryrun: Deploy Rclone with dryrun enabled. |
| objectStorage. | boolean | — | Rclone Sync Enable |
| objectStorage. | object | — | Rclone Crypt: Encrypt data when syncing and decrypt data when restoring. |
| objectStorage. | boolean | — | Rclone Crypt Crypt Directory Names: Encrypt directory names when syncing, requires file names to be encrypted. |
| objectStorage. | boolean | — | Rclone Crypt Enable |
| objectStorage. | boolean | — | Rclone Crypt Crypt File Names: Encrypt file names when syncing. |
| objectStorage. | object | — | See note |
| objectStorage. | object | — | Kubernetes Quantity Map |
| objectStorage. | object | — | Kubernetes Quantity Map |
| objectStorage. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| objectStorage. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. | string | — | S3 Region: Region to store data. |
| objectStorage. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. | boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. | string | — | Rclone Sync Secondary URL |
| objectStorage. | string | — | See note |
| objectStorage. | object | — | Swift Backend Config. Note: Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. | string | — | OpenStack Authentication URL: OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. | integer | — | OpenStack Authentication Version: OpenStack authentication version. Set 0 to auto-detect it from the authentication URL. |
| objectStorage. | string | — | OpenStack Domain ID: The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Domain Name: The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. | string | — | OpenStack Project Domain ID: The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project Domain Name: The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. | string | — | OpenStack Project ID: The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Project Name: The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. | string | — | OpenStack Region: OpenStack region. |
| objectStorage. | string | +segments | Swift Segments Container Suffix: The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. | boolean | — | Rclone Sync Default Buckets: Sync the buckets or containers set under .objectStorage.buckets. |
| objectStorage. | string | — | See note |
Notes for objectStorage.buckets
Object Storage Buckets: Buckets or containers for each respective application to use for application data or backup storage.
Keys are used as identifiers for buckets or containers, while the values are used as the bucket or container name.
Additional entries added here will have monitoring enabled.
Notes for objectStorage.restore
Rclone Restore Config: Restore object storage from a secondary site to the primary site with Rclone.
Note
When enabled this will disable Rclone sync to prevent it from modifying the secondary site.
Notes for objectStorage.sync.destinationType
Rclone Sync Destination Type: Object storage type to use.
Possible values:
azure
gcs
s3
swift
Notes for objectStorage.sync.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for objectStorage.sync.sourceType
Rclone Sync Source Type: Object storage type to use. Defaults to .objectStorage.type.
Examples:
azure
gcs
s3
swift
Notes for objectStorage.type
Object Storage Type: Object storage type to use.
In addition to this Harbor, Rclone, and Thanos have additional configuration to use Swift.
Possible values:
azure
gcs
s3
none
opa¶
Open Policy Agent Config: Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.
Welkin contains multiple safeguards to make it easy to follow security best practices.
This includes an implementation of constraints and mutations with behaviour similar to Pod Security Policies, and application-developer-centric safeguards.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| opa. | object | — | OPA Gatekeeper Audit: Configure the Audit deployment of OPA Gatekeeper. |
| opa. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opa. | — | — | Describes node affinity scheduling rules for the pod. |
| opa. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opa. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opa. | object | — | See note |
| opa. | object | — | See note |
| opa. | object | — | Kubernetes Quantity Map |
| opa. | object | — | Kubernetes Quantity Map |
| opa. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opa. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| opa. | boolean | — | OPA Gatekeeper Audit Write To RAM Disk |
| opa. | number | 500 | Gatekeeper Audit Chunk Size |
| opa. | boolean | — | Gatekeeper Audit From Cache |
| opa. | number | 600 | Gatekeeper Audit Interval |
| opa. | number | 20 | Gatekeeper Audit Constraints Violation Limits |
| opa. | object | — | Common Resource: This is meant to describe the base class, if you will, for Welkin resources. |
| opa. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opa. | — | — | Describes node affinity scheduling rules for the pod. |
| opa. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opa. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opa. | boolean | — | — |
| opa. | array of string | — | Extra Arguments: Extra arguments passed to a container. |
| opa. | object | — | See note |
| opa. | object | — | See note |
| opa. | object | — | Kubernetes Quantity Map |
| opa. | object | — | Kubernetes Quantity Map |
| opa. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opa. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| opa. | object | — | See note |
| opa. | boolean | True | Safeguard Disallowed Tags Enabled |
| opa. | string | deny | See note |
| opa. | array of string | — | Safeguard Disallowed Tags: Configure the tags that should be disallowed by the constraint. |
| opa. | object | — | See note |
| opa. | array of string | — | See note |
| opa. | boolean | True | Safeguard Trusted Registries Enabled |
| opa. | string | warn | See note |
| opa. | object | — | See note |
| opa. | boolean | True | Safeguard Minimum Replicas Enabled |
| opa. | string | warn | See note |
| opa. | number | 5 | — |
| opa. | object | — | Mutations: Configure mutations to set defaults in deployed resources. |
| opa. | boolean | True | Mutations Enabled |
| opa. | object | — | See note |
| opa. | boolean | True | Mutation Job TTL Enabled |
| opa. | number | 604800 | Mutation Job TTL Seconds |
| opa. | object | — | Mutation Ndots: Configure mutations to set ndots on deployed Pods. |
| opa. | boolean | — | Mutation Ndots Enabled |
| opa. | object | — | Mutation Ndots Label Selector: Configure the label selector for pods to be targeted by this mutation. |
| opa. | object | — | Mutation Ndots Match Labels: Configure the label selector for pods to be targeted by this mutation. Default {} targets all Pods. |
| opa. | integer | 3 | Mutation Ndots Amount |
| opa. | object | — | See note |
| opa. | boolean | True | Safeguard Network Policies Enabled |
| opa. | string | warn | See note |
| opa. | object | — | Safeguard Prevent Accidental Deletion: Configure constraint to reject deletion of sensitive resources. |
| opa. | boolean | — | Safeguard Prevent Accidental Deletion |
| opa. | string | deny | See note |
| opa. | object | — | See note |
| opa. | boolean | — | Safeguard Reject Load Balancer Service Enabled |
| opa. | string | deny | See note |
| opa. | object | — | See note |
| opa. | boolean | — | Safeguard Reject Local Storage EmptyDir Enabled |
| opa. | string | warn | See note |
| opa. | object | — | See note |
| opa. | boolean | — | Safeguard Reject Pod Without Controller Enabled |
| opa. | string | warn | See note |
| opa. | object | — | See note |
| opa. | boolean | True | Safeguard Resource Requests Enabled |
| opa. | string | deny | See note |
| opa. | object | — | See note |
| opa. | boolean | True | Safeguard Restrict PodDisruptionBudget Enabled |
| opa. | string | deny | See note |
| opa. | number | 5 | — |
Notes for opa.audit.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opa.audit.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opa.controllerManager.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opa.controllerManager.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opa.disallowedTags
Safeguard Disallowed Tags: Configure constraint to disallow configured tags on container images.
Note
See the dev docs for context.
Notes for opa.disallowedTags.enforcement
Safeguard Disallowed Tags Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.imageRegistry
Safeguard Trusted Registries: Configure constraint to only allow configured registries for container images.
Note
See the dev docs for context.
Notes for opa.imageRegistry.URL[]
Safeguard Trusted Registries URLs: Configure the registries that should be trusted by the constraint.
Note
To support issuing certificates with HTTP-01 challenges the registry quay.io/jetstack/cert-manager-acmesolver must be added.
Notes for opa.imageRegistry.enforcement
Safeguard Trusted Registries Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.minimumDeploymentReplicas
Safeguard Minimum Replicas: Configure constraint to only allow Deployments and StatefulSets with more than one replica.
Note
See the dev docs for context.
Notes for opa.minimumDeploymentReplicas.enforcement
Safeguard Minimum Replicas Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.mutations.jobTTL
Mutation Job TTL: Configure mutations to set time to live on deployed Jobs.
Note
See the dev docs for context.
Notes for opa.networkPolicies
Safeguard Network Policies: Configure constraint to only allow Pods targeted by NetworkPolicies.
Note
See the dev docs for context.
Notes for opa.networkPolicies.enforcement
Safeguard Network Policies Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.preventAccidentalDeletion.enforcement
Safeguard Prevent Accidental Deletion Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectLoadBalancerService
Safeguard Reject Load Balancer Service: Configure constraint to reject creation of Services with the type LoadBalancer.
Advantageous if the cluster cannot automatically provision LoadBalancers, e.g. because the infrastructure provider does not offer such Kubernetes integration.
Note
See the dev docs for context.
Notes for opa.rejectLoadBalancerService.enforcement
Safeguard Reject Load Balancer Service Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectLocalStorageEmptyDir
Safeguard Reject Local Storage EmptyDir: Configure constraint to reject usage of local storage emptydir.
Note
See the dev docs for context.
Notes for opa.rejectLocalStorageEmptyDir.enforcement
Safeguard Reject Local Storage EmptyDir Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectPodWithoutController
Safeguard Reject Pod Without Controller: Configure constraint to reject pods without a controller.
Note
See the dev docs for context.
Notes for opa.rejectPodWithoutController.enforcement
Safeguard Reject Pod Without Controller Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.resourceRequests
Safeguard Resource Requests: Configure constraint to only allow Pods configured with resource requests.
Note
See the dev docs for context.
Notes for opa.resourceRequests.enforcement
Safeguard Resource Requests Enforcement
Possible values:
deny
warn
dryrun
Notes for opa.restrictPodDisruptionBudgets
Safeguard Restrict PodDisruptionBudget: Configure constraint to reject PodDisruptionBudgets and connected Pod controllers if the PDB does not allow for at least 1 pod disruption.
Note
See the dev docs for context.
Notes for opa.restrictPodDisruptionBudgets.enforcement
Safeguard Restrict PodDisruptionBudget Enforcement
Possible values:
deny
warn
dryrun
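As an added illustration, not taken from config.yaml or the Welkin project, the safeguard notes above assembled into one fragment: the Trusted Registries safeguard shown at its default warn level beside the same safeguard promoted to deny, with the cert-manager ACME solver registry from the opa.imageRegistry.URL[] note included. Key names the table truncates below `opa.` (`enabled`, `tags`) are assumed from the row titles; the registry host `harbor.example.com` is a placeholder.

```yaml
# Constructed example; key names not shown on the page (enabled, tags) are assumed.
opa:
  # Default posture from the table: the Trusted Registries constraint only
  # warns, so a Pod pulling from an unlisted registry is still admitted and the
  # violation shows up in Gatekeeper audit results rather than blocking it.
  imageRegistry:
    enabled: true            # "Safeguard Trusted Registries Enabled" (default True)
    enforcement: warn        # opa.imageRegistry.enforcement: deny | warn | dryrun
    URL:                     # opa.imageRegistry.URL[]
      - harbor.example.com   # placeholder for the cluster's own registry
      # Required per the note above, otherwise HTTP-01 challenge solver Pods
      # would be flagged by this constraint.
      - quay.io/jetstack/cert-manager-acmesolver

  # Tightened posture: the same safeguard at deny rejects the admission
  # request outright. dryrun would neither block nor warn, only audit.
  # imageRegistry:
  #   enabled: true
  #   enforcement: deny
  #   URL:
  #     - harbor.example.com
  #     - quay.io/jetstack/cert-manager-acmesolver

  # Disallowed Tags is already deny by default; "latest" is a constructed
  # example of a tag to reject, since a mutable tag defeats image pinning.
  disallowedTags:
    enabled: true
    enforcement: deny        # opa.disallowedTags.enforcement
    tags:
      - latest

  # Minimum Replicas (warn by default) and Network Policies (warn by default)
  # report single-replica workloads and Pods no NetworkPolicy targets.
  minimumDeploymentReplicas:
    enabled: true
    enforcement: warn        # opa.minimumDeploymentReplicas.enforcement
  networkPolicies:
    enabled: true
    enforcement: warn        # opa.networkPolicies.enforcement
```

Whichever level is chosen, dryrun is the safe first step when promoting a constraint to deny on an existing cluster, since the audit results show what would be rejected before anything is blocked.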
opensearch¶
OpenSearch Config: Configuration for OpenSearch.
OpenSearch ingests logs sent from Fluentd in the workload cluster, and presents them in OpenSearch Dashboards.
Note
OpenSearch and its components are installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| opensearch. | object | — | See note |
| opensearch. | object | — | OpenSearch Client Node: Configures the client stateful set of OpenSearch that takes on the role to ingest and query logs. |
| opensearch. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opensearch. | — | — | Describes node affinity scheduling rules for the pod. |
| opensearch. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | number | 1 | OpenSearch Client Node Replicas |
| opensearch. | boolean | True | OpenSearch Client Node Enabled: When disabled the master nodes will take on these roles. |
| opensearch. | string | -Xms512m -Xmx512m | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | string | opensearch | OpenSearch Cluster Name |
| opensearch. | boolean | True | See note |
| opensearch. | object | — | OpenSearch Curator: Configures the CronJob that removes indices. |
| opensearch. | number | 2700 | OpenSearch Curator Active Deadline Seconds |
| opensearch. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opensearch. | — | — | Describes node affinity scheduling rules for the pod. |
| opensearch. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | boolean | True | OpenSearch Curator Enabled |
| opensearch. | object | — | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | array of object | [{'pattern': 'authlog-*', 'ageDays': 30, 'sizeGB': 1}, {'pattern': 'kubeaudit-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'kubernetes-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'other-*', 'ageDays': 7, 'sizeGB': 1}, {'pattern': 'security-auditlog-*', 'ageDays': 7, 'sizeGB': 1}] | OpenSearch Curator Retention: Configures the retention of indices in OpenSearch. |
| opensearch. | number | 600 | OpenSearch Curator Starting Deadline Seconds |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | object | — | OpenSearch Dashboards: Configures the Dashboards deployment of OpenSearch providing the UI to view and query logs. |
| opensearch. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opensearch. | — | — | Describes node affinity scheduling rules for the pod. |
| opensearch. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | number | — | Autocomplete setting for the number of documents to query in Dashboards. |
| opensearch. | object | — | Content-Security-Policy rules: Configure Content-Security-Policy header rules. Reference: https://content-security-policy.com/ |
| opensearch. | integer | — | OpenSearch Dashboards Cookie TTL: Time-to-live for the session cookie in milliseconds. Overrides the OpenSearch Dashboards internal default if set. |
| opensearch. | object | — | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | boolean | — | OpenSearch Dashboards Session Keepalive: Whether the session TTL should be extended upon user activity. Overrides the OpenSearch Dashboards internal default if set. |
| opensearch. | integer | — | OpenSearch Dashboards Session TTL: Time-to-live for the session itself in milliseconds. Overrides the OpenSearch Dashboards internal default if set. |
| opensearch. | string | opensearch | See note |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| opensearch. | object | — | OpenSearch Data Node: Configures the data stateful set of OpenSearch that takes on the role to index and store logs. |
| opensearch. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opensearch. | — | — | Describes node affinity scheduling rules for the pod. |
| opensearch. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | number | 2 | OpenSearch Data Node Replicas |
| opensearch. | boolean | True | OpenSearch Data Node Enabled: When disabled the master nodes will take on these roles. |
| opensearch. | string | -Xms512m -Xmx512m | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | string or null | — | See note |
| opensearch. | string | — | OpenSearch Node Storage Size: Configure the requested size of the persistent volume for this OpenSearch node. |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | boolean | True | See note |
| opensearch. | boolean | True | OpenSearch Enabled. Note: Must be set for both service and workload cluster. |
| opensearch. | object | — | OpenSearch Exporter: Configures the exporter exposing metrics from OpenSearch. |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | OpenSearch Exporter Service Monitor: Configures the service monitor of the exporter. |
| opensearch. | string | 30s | Scrape interval for the service monitor. |
| opensearch. | string | — | — |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | array of object | — | See note |
| opensearch. | array of object | — | See note |
| opensearch. | boolean | — | See note |
| opensearch. | object | — | OpenSearch Ingress: Configures the ingress for OpenSearch master or client nodes. |
| opensearch. | string | 32m | OpenSearch Ingress Max Body |
| opensearch. | object | — | OpenSearch Index State Management: Configures index state management in OpenSearch. |
| opensearch. | object | — | See note |
| opensearch. | object | — | OpenSearch Rollover Configuration for authlog index: Configures rollover for the authlog index. |
| opensearch. | number | 1 | OpenSearch Rollover Age Days: Configures the age a write index must reach before it is rolled over to a new one. |
| opensearch. | number | 1000 | OpenSearch Rollover Size MB: Configures the size a write index must reach before it is rolled over to a new one. |
| opensearch. | boolean | True | See note |
| opensearch. | object | — | OpenSearch Rollover Configuration for kubeaudit index: Configures rollover for the kubeaudit index. |
| opensearch. | number | 1 | OpenSearch Rollover Age Days: Configures the age a write index must reach before it is rolled over to a new one. |
| opensearch. | number | 1000 | OpenSearch Rollover Size MB: Configures the size a write index must reach before it is rolled over to a new one. |
| opensearch. | object | — | OpenSearch Rollover Configuration for kubernetes index: Configures rollover for the kubernetes index. |
| opensearch. | number | 1 | OpenSearch Rollover Age Days: Configures the age a write index must reach before it is rolled over to a new one. |
| opensearch. | number | 1000 | OpenSearch Rollover Size MB: Configures the size a write index must reach before it is rolled over to a new one. |
| opensearch. | object | — | OpenSearch Rollover Configuration for other index: Configures rollover for the other index. |
| opensearch. | number | 1 | OpenSearch Rollover Age Days: Configures the age a write index must reach before it is rolled over to a new one. |
| opensearch. | number | 1000 | OpenSearch Rollover Size MB: Configures the size a write index must reach before it is rolled over to a new one. |
| opensearch. | boolean | True | OpenSearch Overwrite Policies: When set, OpenSearch can be configured with index state management policies via additionalPolicies that overwrite the ones configured via defaultPolicies. |
| opensearch. | object | — | OpenSearch Master Node: Configures the main stateful set of OpenSearch that takes on all roles not provided by other nodes (dataNode, clientNode). |
| opensearch. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| opensearch. | — | — | Describes node affinity scheduling rules for the pod. |
| opensearch. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. | number | 1 | OpenSearch Master Node Replicas |
| opensearch. | string | -Xms512m -Xmx512m | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | string or null | — | See note |
| opensearch. | string | — | OpenSearch Node Storage Size: Configure the requested size of the persistent volume for this OpenSearch node. |
| opensearch. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| opensearch. | number | 1024 | OpenSearch Maximum Clause Count: Configures the maximum number of clauses permitted in a query. |
| opensearch. | number | 1000 | OpenSearch Maximum Shards Per Node: Configures the maximum number of shards permitted on one node. |
| opensearch. | object | — | Object Storage Configuration: Configuration options for using object storage specific to OpenSearch. |
| opensearch. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| opensearch. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| opensearch. | string | — | S3 Region: Region to store data. |
| opensearch. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| opensearch. | boolean | — | S3 v2 authentication: Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| opensearch. | boolean | True | OpenSearch Overwrite Templates: When set, OpenSearch can be configured with index templates via additionalTemplates that overwrite the ones configured via defaultTemplates. |
| opensearch. | object | — | OpenSearch Plugins: Configures plugins used in OpenSearch. |
| opensearch. | array | — | OpenSearch Install Additional Plugins: Configures OpenSearch to install plugins when it starts. In an air-gapped environment this can be used to install plugins from known sources. |
| opensearch. | boolean | — | See note |
| opensearch. | array of object | [{'prefix': 'authlog-default', 'alertSizeMB': 3}, {'prefix': 'kubeaudit-default', 'alertSizeMB': 5500}, {'prefix': 'kubernetes-default', 'alertSizeMB': 5500}, {'prefix': 'other-default', 'alertSizeMB': 400}] | OpenSearch Prometheus Index Alerts: Configures the index alerts monitoring the function of index state management. |
| opensearch. | object | — | OpenSearch Security Admin: Configures the Job that initialises OpenSearch Security. |
| opensearch. | number | 1200 | OpenSearch Security Admin Active Deadline Seconds |
| opensearch. | boolean | True | OpenSearch Security Admin Enabled |
| opensearch. | object | — | See note |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | Kubernetes Quantity Map |
| opensearch. | object | — | See note |
| opensearch. | string | — | — |
| opensearch. | boolean | True | OpenSearch Snapshot Enabled |
| opensearch. | number | 14 | OpenSearch Maximum Retained Snapshots |
| opensearch. | number | 7 | OpenSearch Minimum Retained Snapshots |
| opensearch. | string | opensearch-snapshots | OpenSearch Snapshot Repository |
| opensearch. | string | 10d | OpenSearch Maximum Snapshot Age |
| opensearch. | string | — | — |
| opensearch. | object | — | OpenSearch Single Sign On: Configures Single Sign On to OpenSearch via Dex. |
| opensearch. | boolean | — | OpenSearch Single Sign On |
| opensearch. | string | groups | OpenSearch Single Sign On Roles Key |
| opensearch. | string | openid profile email groups | OpenSearch Single Sign On Scopes |
| opensearch. |
string | email |
OpenSearch Single Sign On Subject Key |
| opensearch. |
string | opensearch |
See note |
Notes for opensearch.additionalTemplates
OpenSearch Additional Templates: When set OpenSearch will be configured with additional index templates.
The keys will be used as the name of the index templates.
Note
See the upstream documentation for reference.
Notes for opensearch.clientNode.javaOpts
OpenSearch Node Java Options: Set Java Virtual Machine options to control the memory allocation of OpenSearch.
As a rule of thumb, the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same, which makes memory usage more predictable.
Additionally, until the memory allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the allocation, as OpenSearch uses the additional memory for cache.
Notes for opensearch.clientNode.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.clientNode.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.createIndices
OpenSearch Create Indices: When enabled OpenSearch will be configured with initial indices for:
- authlog
- kubeaudit
- kubernetes
- other
Notes for opensearch.curator.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.curator.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dashboards.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.dashboards.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dashboards.subdomain
OpenSearch Dashboards Subdomain: Subdomain of baseDomain that the Ingress to OpenSearch Dashboards will be created with.
Note
Must be set for both service and workload cluster.
Notes for opensearch.dataNode.javaOpts
OpenSearch Node Java Options: Set Java Virtual Machine options to control the memory allocation of OpenSearch.
As a rule of thumb, the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same, which makes memory usage more predictable.
Additionally, until the memory allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the allocation, as OpenSearch uses the additional memory for cache.
Notes for opensearch.dataNode.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.dataNode.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dataNode.storageClass
OpenSearch Node Storage Class: Set storage class for OpenSearch.
- If set to null, the default storage class will be used to provision the volumes.
- If set to -, no storage class will be used to provision the volumes.
Notes for opensearch.defaultTemplates
OpenSearch Default Templates: When enabled OpenSearch will be configured with the default index templates for:
- authlog
- kubeaudit
- kubernetes
- other
Notes for opensearch.exporter.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.extraRoleMappings[]
OpenSearch Extra Role Mappings: Configures extra role mappings for OpenSearch Security.
Extra users can be configured in secrets.yaml under extraUsers and extra roles under extraRoles.
Configures a role mapping for OpenSearch Security.
Note
See the upstream documentation for reference.
Notes for opensearch.extraRoles[]
OpenSearch Extra Roles: Configures extra roles for OpenSearch Security.
Configures a role for OpenSearch Security.
Note
See the upstream documentation for reference.
Notes for opensearch.indexPerNamespace
OpenSearch Index Per Namespace: When enabled logs are ingested into multiple indices per namespace.
When disabled logs are ingested into a single kubernetes index.
Important
When enabling this feature, you must also add an entry to opensearch.curator.retention in sc-config.yaml with pattern: ^[^.].* which matches all non-system indices.
Note
Must be set for both service and workload cluster.
Notes for opensearch.ism.additionalPolicies
OpenSearch Additional Policies: When set OpenSearch will be configured with additional index state management policies.
The keys will be used as the name of the index state management policy.
Note
See the upstream documentation for reference.
Notes for opensearch.ism.defaultPolicies
OpenSearch Default Policies: When enabled OpenSearch will be configured with the default index state management policies for:
- authlog
- kubeaudit
- kubernetes
- other
Notes for opensearch.masterNode.javaOpts
OpenSearch Node Java Options: Set Java Virtual Machine options to control the memory allocation of OpenSearch.
As a rule of thumb, the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same, which makes memory usage more predictable.
Additionally, until the memory allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the allocation, as OpenSearch uses the additional memory for cache.
Notes for opensearch.masterNode.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.masterNode.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.masterNode.storageClass
OpenSearch Node Storage Class: Set storage class for OpenSearch.
- If set to null, the default storage class will be used to provision the volumes.
- If set to -, no storage class will be used to provision the volumes.
Notes for opensearch.plugins.installExternalObjectStoragePlugin
OpenSearch Install External Object Storage Plugin: When enabled OpenSearch will install the required object storage plugin when it starts.
In an air-gapped environment where the nodes are not connected to the Internet, set this to false to prevent downloading any external object storage plugins.
Notes for opensearch.securityadmin.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.snapshot
OpenSearch Snapshot: Configure OpenSearch snapshot creation and retention.
This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.opensearch.
Notes for opensearch.subdomain
OpenSearch Subdomain: Subdomain of opsDomain that the Ingress to OpenSearch will be created with.
Note
Must be set for both service and workload cluster.
openstackMonitoring
Openstack Monitoring: Configure the collection of metrics for OpenStack components.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| openstackMonitoring. | boolean | — | Openstack Monitoring Enabled |
prometheus
Prometheus Config: Configure Prometheus.
Prometheus automatically collects metrics via ServiceMonitors, PodMonitors, and Probes, and pushes metrics to Thanos for long term storage. Additionally Prometheus evaluates recording rules for both service and workload cluster, and all alerting rules for the workload cluster.
Note
Prometheus is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| prometheus. | array | — | See note |
| prometheus. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| prometheus. | — | — | Describes node affinity scheduling rules for the pod. |
| prometheus. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. | object | — | See note |
| prometheus. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| prometheus. | — | — | Describes node affinity scheduling rules for the pod. |
| prometheus. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. | array of string | — | See note |
| prometheus. | number | 2 | Alertmanager Replicas |
| prometheus. | object | — | See note |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | object | — | Alertmanager Storage: Configure persistent storage for Alertmanager. |
| prometheus. | object | — | Alertmanager Volume Claim Template: Configure persistent storage for Alertmanager. |
| prometheus. | object | — | Alertmanager Volume Claim Spec: Configure persistent storage for Alertmanager. |
| prometheus. | array of string | — | Alertmanager Volume Access Mode: Configure the access mode of the persistent storage for Alertmanager. |
| prometheus. | object | — | See note |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration. |
| prometheus. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| prometheus. | object | — | Autoscaled NodeGroup Alerts: Configure whether to split KubeletDownForXm alerts into autoscaled and non-autoscaled node groups. |
| prometheus. | boolean | True | Enable alert splitting for autoscaled nodes. |
| prometheus. | string | node-restriction.kubernetes.io/autoscaled-node-type | Autoscaled node group label: The label used to identify whether a node belongs to an autoscaled node group. |
| prometheus. | array of string | — | Autoscaled node group label values: The label values of the autoscaled node groups, if there are multiple autoscaled node groups. |
| prometheus. | object | — | Capacity Management Alerts: Configure capacity management alerts. |
| prometheus. | number | 75 | Capacity Management Alerts Disk Limit: Alert when a disk's usage reaches the limit in percent. |
| prometheus. | boolean | True | Capacity Management Alerts Enabled |
| prometheus. | string | — | See note |
| prometheus. | object | — | Capacity Management Alerts Persistent Volumes: Configure capacity management alerts on persistent volumes. |
| prometheus. | boolean | True | Capacity Management Alerts Persistent Volumes Enabled |
| prometheus. | number | 75 | Capacity Management Alerts Persistent Volumes Enabled: Alert when a persistent volume's usage reaches the limit in percent. |
| prometheus. | boolean | — | Capacity Management Alerts Predict Usage |
| prometheus. | object | — | Capacity Management Alerts Request Limit: Alert when a node's resource requests reach the limits in percent. |
| prometheus. | number | 80 | Capacity Management Alerts CPU Request Limit: Configure a CPU request percentage limit to alert for. |
| prometheus. | number | 80 | Capacity Management Alerts Memory Request Limit: Configure a memory request percentage limit to alert for. |
| prometheus. | number | 95 | — |
| prometheus. | object | — | See note |
| prometheus. | boolean | — | Enable user Alertmanager: Allows enabling an Alertmanager for application developers. |
| prometheus. | boolean | — | Enable User Alertmanager ingress: Allows an ingress for the application developer Alertmanager, protected with basic auth. |
| prometheus. | string | alertmanager | Enable alertmanager in separate Namespace: Allows Alertmanager to run in a custom namespace. |
| prometheus. | string | — | Username for Alertmanager login |
| prometheus. | object | — | Disk Alerts: Configure disk alerts. |
| prometheus. | object | — | Disk Alerts Inode: Configure disk alerts based on inode usage. |
| prometheus. | array of object | — | See note |
| prometheus. | array of object | — | See note |
| prometheus. | object | — | Disk Alerts Perf: Configure performance disk alerts. |
| prometheus. | boolean | — | Disk Alerts Perf Enabled |
| prometheus. | number | 5 | Disk Alerts Perf Queue Size |
| prometheus. | number | 1 | Disk Alerts Perf Read Wait |
| prometheus. | number | 1 | Disk Alerts Perf Write Wait |
| prometheus. | object | — | Disk Alerts Storage: Configure disk alerts based on storage usage. |
| prometheus. | array of object | — | See note |
| prometheus. | array of object | — | See note |
| prometheus. | object | — | See note |
| prometheus. | number | 1 | Prometheus Replicas |
| prometheus. | object | — | See note |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | object | — | Kubernetes Quantity Map |
| prometheus. | object | — | Prometheus Retention: Configure retention for Prometheus. |
| prometheus. | string | 3d | Prometheus Retention Age: Configure the time range Prometheus will retain metrics for. |
| prometheus. | string | — | See note |
| prometheus. | string | 4GiB | Prometheus Retention Size: Configure the total size Prometheus will retain metrics for. |
| prometheus. | object | — | S3 Bucket Alerts: Configure S3 bucket alerts. |
| prometheus. | array of object | — | S3 Bucket Specific Alerts: Definitions for specific S3 bucket alerts; each item is an S3 bucket alert configuration for a specific bucket. |
| prometheus. | array of string | — | S3 Bucket Alerts Exclude: Exclude buckets from S3 alerts. |
| prometheus. | object | — | S3 Bucket Alerts Objects: Alert when an S3 bucket reaches the set percentage of the set number of objects. |
| prometheus. | number | 1638400 | S3 Bucket Alerts Objects Quota |
| prometheus. | boolean | — | S3 Bucket Alerts Objects Enabled |
| prometheus. | number | — | Percentage: Percentage, 0% - 100% |
| prometheus. | object | — | S3 Bucket Alerts Size: Alert when an S3 bucket reaches the set percentage of the set size. |
| prometheus. | boolean | — | S3 Bucket Alerts Size Enabled |
| prometheus. | number | — | Percentage: Percentage, 0% - 100% |
| prometheus. | number | 1000 | S3 Bucket Alerts Size Quota |
| prometheus. | object | — | S3 Bucket Alerts Total Size: Alert when all S3 buckets together reach the set percentage of the set size. |
| prometheus. | boolean | — | S3 Bucket Alerts Total Size Enabled |
| prometheus. | number | — | Percentage: Percentage, 0% - 100% |
| prometheus. | number | 1000 | S3 Bucket Alerts Total Size Quota |
| prometheus. | object | — | Prometheus Storage: Configure the persistent volume claim used for Prometheus storage. |
| prometheus. | boolean | — | See note |
| prometheus. | string | 5Gi | Prometheus Storage Size |
| prometheus. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration. |
| prometheus. | array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| prometheus. | object | — | Webhook Alerts: Configure webhook alerts. |
| prometheus. | boolean | True | Webhook Alerts Enabled |
Notes for prometheus.additionalScrapeConfigs[]
Prometheus Additional Scrape Configs: Configure additional scrape configs for Prometheus.
Note
See the upstream documentation for reference.
Notes for prometheus.alertmanagerSpec
Alertmanager Config: Configure service cluster & workload cluster Alertmanager.
Alertmanager receives alerts from Prometheus and Thanos and forwards them to the configured notification channel.
Note
Alertmanager is installed in both service cluster and workload cluster, however this configuration key only applies to the service cluster, use user.alertmanager to configure it in the workload cluster.
Notes for prometheus.alertmanagerSpec.groupBy[]
Alertmanager Group By: Configure Alertmanager to group certain alerts based on labels.
Note
See the upstream documentation for reference.
Notes for prometheus.alertmanagerSpec.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.capacityManagementAlerts.nodeGroupRequestsExcludePattern
Capacity Management Alerts Request Exclude Pattern: Configure a pattern of node groups to exclude from the resource request alerts. This can be used to exclude certain node groups from request alerts, while still getting usage alerts for those node groups.
Examples:
.*redis.*|.*postgres.*
Notes for prometheus.devAlertmanager
Application Developer Alertmanager: Configuration options for deploying an application developer-specific Alertmanager. Configuration shared with the service cluster alertmanager can be configured via .alertmanagerSpec.
Notes for prometheus.diskAlerts.inode.predictLinear[]
Disk Alert Pattern Rules: Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.inode.space[]
Disk Alert Pattern Rules: Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.storage.predictLinear[]
Disk Alert Pattern Rules: Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.storage.space[]
Disk Alert Pattern Rules: Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for prometheus.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.retention.alertmanager
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for prometheus.storage.enabled
Prometheus Storage Enabled: By default Prometheus instances run without storage and are treated as ephemeral. See ADR-0007 for context.
prometheusBlackboxExporter
Prometheus Blackbox Exporter: Configure Prometheus Blackbox Exporter, the exporter used for probing endpoints.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| prometheusBlackboxExporter. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| prometheusBlackboxExporter. | — | — | Describes node affinity scheduling rules for the pod. |
| prometheusBlackboxExporter. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheusBlackboxExporter. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheusBlackboxExporter. | array of object | — | Prometheus Blackbox Exporter Custom Kube API Targets: Configure custom Kube API targets Prometheus Blackbox Exporter should probe; each item is one custom Kube API target. |
| prometheusBlackboxExporter. | array of object | — | Host Aliases: Configure host aliases to resolve internally within the Pod; each item is one host alias. |
| prometheusBlackboxExporter. | object | — | See note |
| prometheusBlackboxExporter. | object | — | Kubernetes Quantity Map |
| prometheusBlackboxExporter. | object | — | Kubernetes Quantity Map |
| prometheusBlackboxExporter. | object | — | Prometheus Blackbox Exporter Targets: Configure the targets Prometheus Blackbox Exporter should probe. |
| prometheusBlackboxExporter. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration. |
Notes for prometheusBlackboxExporter.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
prometheusNodeExporter
Prometheus Node Exporter: Configure Prometheus Node Exporter, the exporter used for collecting node metrics.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| prometheusNodeExporter. | object | — | See note |
| prometheusNodeExporter. | object | — | Kubernetes Quantity Map |
| prometheusNodeExporter. | object | — | Kubernetes Quantity Map |
| prometheusNodeExporter. | string | — | — |
Notes for prometheusNodeExporter.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
prometheusOperator
Prometheus Operator: Configure Prometheus Operator.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| prometheusOperator. | object | — | Prometheus Operator Config Reloader: Configure Prometheus Operator config reloader. |
| prometheusOperator. | object | — | See note |
| prometheusOperator. | object | — | Kubernetes Quantity Map |
| prometheusOperator. | object | — | Kubernetes Quantity Map |
| prometheusOperator. | object | — | See note |
| prometheusOperator. | object | — | Kubernetes Quantity Map |
| prometheusOperator. | object | — | Kubernetes Quantity Map |
Notes for prometheusOperator.prometheusConfigReloader.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheusOperator.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
rookCeph
Rook Ceph Config: Configure support for Rook Ceph.
This is deprecated and should be configured via compliantkubernetes-kubespray if used.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| rookCeph. | object | — | Rook Ceph Pod Security Policies: Configure Pod Security Policies for Rook Ceph. |
| rookCeph. | boolean | — | Rook Ceph Pod Security Policies Enabled |
| rookCeph. | object | — | Rook Ceph Monitoring: Configure Monitoring for Rook Ceph. |
| rookCeph. | boolean | — | Rook Ceph Monitoring Enabled |
s3Exporter
S3 Exporter: Configure S3 exporter, used to collect metrics about S3 usage.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| s3Exporter. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| s3Exporter. | — | — | Describes node affinity scheduling rules for the pod. |
| s3Exporter. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| s3Exporter. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| s3Exporter. | boolean | True | S3 Exporter Enabled |
| s3Exporter. | string | 60m | S3 Exporter Interval |
| s3Exporter. | object | — | See note |
| s3Exporter. | object | — | See note |
| s3Exporter. | object | — | Kubernetes Quantity Map |
| s3Exporter. | object | — | Kubernetes Quantity Map |
| s3Exporter. | string | — | — |
| s3Exporter. | array | — | Kubernetes Tolerations: Kubernetes taint and toleration. |
Notes for s3Exporter.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for s3Exporter.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
storageClasses
Storage Classes Config: Configuration options for using block storage in Welkin.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| storageClasses. | string | default | The StorageClass to use for all persistent volumes in Welkin. |
tektonPipelines
Tekton Pipelines Config: Configure Tekton Pipelines.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| tektonPipelines. | object | — | Tekton Controller Config: Configure the Tekton Controller. |
| tektonPipelines. | object | — | See note |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
| tektonPipelines. | object | — | See note |
| tektonPipelines. | boolean | — | Enable Tekton Flag |
| tektonPipelines. | object | — | Tekton Remote Resolvers Config: Configure the Tekton Remote Resolver. |
| tektonPipelines. | object | — | See note |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
| tektonPipelines. | object | — | Tekton Webhook Config: Configure the Tekton Webhook. |
| tektonPipelines. | object | — | See note |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
| tektonPipelines. | object | — | Kubernetes Quantity Map |
Notes for tektonPipelines.controller.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for tektonPipelines.customConfigDefaults
Custom default config: Configure custom default options for Tekton
Note
See the upstream documentation for available default config options.
Examples:
{'default-timeout-minutes': '30'}
Notes for tektonPipelines.remoteResolvers.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for tektonPipelines.webhook.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
thanos
Thanos Config: Configuration for Thanos.
Thanos ingests metrics sent from Prometheus in both the service and workload clusters, and stores them in object storage.
This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.thanos.
Note
Thanos and its components are installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| thanos. | object | — | Thanos Bucket Web: Configure Thanos Bucket Web, the UI to view the state of the bucket or container in use by Thanos. |
| thanos. | object | — | See note |
| thanos. | object | — | Kubernetes Quantity Map |
| thanos. | object | — | Kubernetes Quantity Map |
| thanos. | object | — | See note |
| thanos. | string | none | See note |
| thanos. | object | — | Thanos Compactor Persistence: Configure persistence for Thanos Compactor. |
| thanos. | boolean | True | Thanos Compactor Persistence Enabled |
| thanos. | string | 8Gi | Thanos Compactor Persistence Size |
| thanos. | object | — | See note |
| thanos. | object | — | Kubernetes Quantity Map |
| thanos. | object | — | Kubernetes Quantity Map |
| thanos. | string | — | See note |
| thanos. | string | — | See note |
| thanos. | string | — | See note |
| thanos. | boolean | — | Thanos Vertical Compactor: When enabled, series of metrics from multiple replicas will be merged into one. |
| thanos. | boolean | True | Thanos Enabled. Note: Must be set for both service and workload cluster. |
| thanos. | object | — | Thanos Metrics: Configure metrics collected from Thanos. |
| thanos. | boolean | True | Thanos Metrics Enabled |
| thanos. | object | — | Thanos Metrics Service Monitor: Configure the service monitor used to collect metrics from Thanos. |
| thanos. | boolean | True | Thanos Metrics Service Monitor Enabled |
| thanos. | object | — | Thanos Object Storage: Configure Object Storage for Thanos. Allows using OpenStack Swift as the object storage backend type. Also allows a separate S3 configuration specific to Thanos. |
| thanos. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| thanos. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| thanos. | string | — | S3 Region: Region to store data. |
| thanos. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| thanos. | boolean | — | S3 v2 authentication: Force the use of v2 authentication; v4 authentication is used otherwise. |
| thanos. | string | — | See note |
| thanos. |
object | — | Thanos Query: Configure Thanos Query, the component executing metric queries. |
| thanos. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
boolean | True |
Thanos Query Enabled |
| thanos. |
number | 1 |
Thanos Query Replicas |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
object | — | Thanos Query Frontend: Configure Thanos Query Frontend, the component serving query requests from Grafana. |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Thanos Receive Distributor: Configure Thanos Receive Distributor, the component serving remote write requests from Prometheus. Also called routing receiver upstream. |
| thanos. |
array | — | See note |
| thanos. |
string | ketama |
See note |
| thanos. |
integer | 5 |
Thanos receiveDistributor maximum Concurrency: Maximum number of concurrent write requests allowed by Thanos receiveDistributor. |
| thanos. |
integer | 3 |
Thanos receiveDistributor Replicas |
| thanos. |
number | 1 |
Thanos Replication Factor: Requires that incoming remote write requests are replicated (replicationFactor + 1) / 2. |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Thanos Receiver: Configure Thanos Receiver, the component ingesting metrics collected by Prometheus and storing them in object storage. Also called ingesting receiver upstream. |
| thanos. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
object | — | Thanos Receiver Basic Auth: Configure authentication to Thanos Receiver, |
| thanos. |
string | thanos |
See note |
| thanos. |
boolean | True |
Thanos Receiver Enabled |
| thanos. |
string | dual-mode |
See note |
| thanos. |
string | 600s |
Thanos Out Of Order Time Window |
| thanos. |
object | — | Thanos Receiver Persistence: Configure persistence for Thanos Receiver. |
| thanos. |
boolean | True |
Thanos Receiver Persistence Enabled |
| thanos. |
string | 50Gi |
Thanos Receiver Persistence Size |
| thanos. |
number | 2 |
Thanos Receiver Replcias |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
string | thanos-receiver |
See note |
| thanos. |
array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
string | 15d |
Thanos TSDB Retention |
| thanos. |
object | — | Thanos Ruler: Configure Thanos Ruler, the component evaluating alerting and recording rules. |
| thanos. |
object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
object | — | Thanos Ruler Config Reloader: Configure the config reloader sidecar for Thanos Ruler. |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
boolean | True |
Thanos Ruler Enabled |
| thanos. |
object | — | Thanos Ruler Persistence: Configure persistence for Thanos Ruler. |
| thanos. |
boolean | — | Thanos Ruler Persistence Enabled |
| thanos. |
string | 8Gi |
Thanos Ruler Persistence Size |
| thanos. |
number | 2 |
Thanos Ruler Replcias |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
array | — | Kubernetes Topology Spread Constraints: TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
object | — | Thanos Store Gateway: Configure Thanos Store Gateway, the component fetching metrics from object storage. |
| thanos. |
object | — | Thanos Store Gateway Persistence: Configure persistence for Thanos Store Gateway. |
| thanos. |
string | 8Gi |
Thanos Store Gateway Persistence Size |
| thanos. |
object | — | See note |
| thanos. |
object | — | Kubernetes Quantity Map |
| thanos. |
object | — | Kubernetes Quantity Map |
Notes for thanos.bucketweb.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.compactor
Thanos Compactor: Configure Thanos Compactor, the component compacting and deduplicating metrics stored by Thanos.
Note
See the upstream documentation for reference.
Notes for thanos.compactor.deduplication
Thanos Deduplication: Configure deduplication of metrics.
Possible values:
none
receiverReplicas
prometheusReplicas
Notes for thanos.compactor.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.compactor.retentionResolution1h
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for thanos.compactor.retentionResolution5m
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for thanos.compactor.retentionResolutionRaw
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for thanos.objectStorage.type
Thanos Object Storage Type
Possible values:
swift
Notes for thanos.query.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.queryFrontend.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiveDistributor.extraFlags[]
Thanos receiveDistributor extraFlags: When set, the arguments will be passed onto the component as command-line flags. Refer to the upstream doc for more details.
Notes for thanos.receiveDistributor.receiveHashringsAlgorithm
Thanos receiveDistributor algorithm: Algorithm used for distributing writes across Thanos receive replicas.
Possible values:
hashmod
ketama
Notes for thanos.receiveDistributor.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiver.basic_auth.username
Thanos Receiver Basic Auth Username: Configure the username for authenticating to Thanos Receiver.
Note
Must be set for both service and workload clusters.
Notes for thanos.receiver.mode
Thanos Receiver Mode
Possible values:
standalone
dual-mode
Notes for thanos.receiver.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiver.subdomain
Thanos Receive Subdomain: Subdomain of opsDomain that the Ingress to Thanos Receive will be created with.
Note
Must be set for both service and workload clusters.
Notes for thanos.ruler.configReloader.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.ruler.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.storegateway.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
trivy¶
Trivy Config: Configure Trivy Operator.
Trivy automatically scans the cluster for vulnerabilities, misconfigurations, and exposed secrets.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| trivy. | object | — | Affinity: Affinity is a group of affinity scheduling rules. |
| trivy. | — | — | Describes node affinity scheduling rules for the pod. |
| trivy. | — | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| trivy. | — | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| trivy. | boolean | True | Trivy Config Enabled |
| trivy. | string | — | Trivy Config Excluded Namespaces: Configure a comma-separated list of namespaces (or glob patterns) to be excluded from Trivy scanners. |
| trivy. | object | — | Trivy Node Collector: Configure the node collector created by Trivy. |
| trivy. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| trivy. | object | — | See note |
| trivy. | object | — | Kubernetes Quantity Map |
| trivy. | object | — | Kubernetes Quantity Map |
| trivy. | object | — | Trivy Scan Jobs: Configure the scan jobs created by Trivy. |
| trivy. | number | 1 | Trivy Scan Job Concurrent Limit |
| trivy. | string | 1m | Trivy Scan Job Retry Delay |
| trivy. | string | 5m | Trivy Scan Job Timeout |
| trivy. | object | — | See note |
| trivy. | string | — | Trivy DB Registry |
| trivy. | string | — | Trivy DB Repository |
| trivy. | boolean | — | Trivy DB Repository Insecure |
| trivy. | object | — | Trivy Image Pull Secret: Configure an image pull secret for Trivy to use. Create the secret in the monitoring namespace, then configure the name here. |
| trivy. | string | — | Secret Name |
| trivy. | string | — | Trivy Java DB Registry |
| trivy. | string | — | Trivy Java DB Repository |
| trivy. | boolean | — | Trivy Offline Scan Enabled |
| trivy. | object | — | Trivy Registry: Configure registries for Trivy. |
| trivy. | object | — | See note |
| trivy. | object | — | See note |
| trivy. | object | — | Kubernetes Quantity Map |
| trivy. | object | — | Kubernetes Quantity Map |
| trivy. | string | — | See note |
| trivy. | object | — | Trivy Service Monitor: Configure the service monitor collecting metrics from Trivy. |
| trivy. | boolean | True | Trivy Service Monitor Enabled |
| trivy. | string | — | See note |
| trivy. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| trivy. | object | — | Trivy Vulnerability Scanner: Configure the vulnerability scanner for Trivy. |
| trivy. | boolean | True | Trivy Scan Current Revisions |
| trivy. | string | — | See note |
Notes for trivy.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for trivy.scanner
Trivy Scanner: Configure the scanner used by Trivy.
Note
Many of these must be configured to support an air-gapped environment. See the admin documentation for reference.
Notes for trivy.scanner.registry.mirror
Trivy Registry Mirror: Configure registry mirrors for Trivy.
The key represents the original registry and the value the mirror registry.
Examples:
{'docker.io': 'registry.example.com:5000', 'gcr.io': 'registry.example.com:5000', 'ghcr.io': 'registry.example.com:5000', 'index.docker.io': 'registry.example.com:5000', 'quay.io': 'registry.example.com:5000', 'registry.k8s.io': 'registry.example.com:5000'}
Notes for trivy.scanner.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for trivy.scanner.timeout
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for trivy.serviceMonitor.interval
Time Range: An amount of time
Examples:
300s
72h
3d
Notes for trivy.vulnerabilityScanner.scannerReportTTL
Time Range: An amount of time
Examples:
300s
72h
3d
user¶
User Config: Configuration for Application Developers (users) that use the workload cluster.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| user. | array of string | — | Admin Groups: List of groups that Application Developers are part of that should have access to the cluster. |
| user. | array of string | — | Admin Users: List of Application Developers that should have access to the cluster. |
| user. | object | — | See note |
| user. | boolean | — | Enable Create Namespaces: This only controls whether the namespaces should be created; user RBAC is always created. |
| user. | object | — | Extra Application Developer ClusterRoleBindings: Configure extra ClusterRoleBindings for Application Developers. |
| user. | object | — | Extra Application Developer ClusterRoles: Configure extra ClusterRoles that are not originally part of Welkin. These are intended to be used for Application Developers. |
| user. | object | — | Extra Application Developer RoleBindings: Configure extra RoleBindings for Application Developers. The RoleBindings are added to all Application Developer namespaces configured in user.namespaces. |
| user. | object | — | Extra Application Developer Roles: Configure extra Roles for Application Developers. The Roles are added to all Application Developer namespaces configured in user.namespaces. |
| user. | object | — | Fluxv2: Installs required cluster resources needed to install fluxv2. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. | boolean | — | Enable Fluxv2 |
| user. | object | — | Jaeger: Installs required cluster resources needed to install jaeger. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. | boolean | — | Enable Jaeger |
| user. | object | — | Kafka: Installs required cluster resources needed to install kafka-operator. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. | boolean | — | Enable Kafka |
| user. | object | — | MongoDB: Installs required cluster resources needed to install MongoDB. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. | boolean | — | Enable MongoDB |
| user. | array of string | — | See note |
| user. | object | — | SealedSecrets: Installs required cluster resources needed to install sealedSecrets. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. | boolean | — | Enable SealedSecrets |
| user. | array of string | — | See note |
Notes for user.constraints
Constraints: Any namespace listed in constraints is exempted from HNC managed namespaces.
This is to override the Pod Security Admission level.
An example constraint can be found here: Example Constraint
The only extra label is `psaLevel`:
<namespace>:
  psaLevel: <baseline/privileged>
<service-name>:
  ...
Notes for user.namespaces[]
Namespaces: List of namespaces that should be created for Application Developers.
It is common to create one namespace for the Application Developer and then create namespaces via HNC.
Requires that user.createNamespaces is enabled.
Notes for user.serviceAccounts[]
ServiceAccounts: List of serviceAccounts to create RBAC rules for, used for dev situations.
Application developer kube-config for contributors
velero¶
Velero Config: Configure Velero, the backup and snapshot tool for Kubernetes resources and volumes.
This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.velero.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| velero. | boolean | True | Velero Enabled |
| velero. | array of string | — | Velero Excluded Namespaces: Configure dynamic namespaces to exclude from backups; prefer this for overrides over excludedNamespaces. |
| velero. | array of string | — | Velero Excluded Namespaces: Configure system namespaces to exclude from backups. |
| velero. | object | — | Velero Node Agent: Configure the node agent of Velero, used to take snapshots of volumes. |
| velero. | object | — | See note |
| velero. | object | — | Kubernetes Quantity Map |
| velero. | object | — | Kubernetes Quantity Map |
| velero. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| velero. | object | — | See note |
| velero. | object | — | Object Storage Configuration: Configuration options for using object storage specific to Velero. |
| velero. | object | — | S3 Storage Configurations: Configurations for using S3 storage. |
| velero. | boolean | — | S3 Force Path Style: Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| velero. | string | — | S3 Region: Region to store data. |
| velero. | string | — | S3 Region Endpoint: Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| velero. | boolean | — | S3 v2 authentication: Force the use of v2 authentication; defaults to v4 authentication otherwise. |
| velero. | object | — | See note |
| velero. | object | — | Kubernetes Quantity Map |
| velero. | object | — | Kubernetes Quantity Map |
| velero. | array of string | — | See note |
| velero. | string | — | See note |
| velero. | string | — | — |
| velero. | string | — | See note |
| velero. | array | — | Kubernetes Tolerations: Kubernetes taints and tolerations. |
| velero. | string | — | See note |
| velero. | boolean | — | Velero Use Volume Snapshots |
Notes for velero.nodeAgent.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for velero.nodeSelector
Kubernetes Node Selector: Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for velero.resources
Kubernetes Resource Requirements: Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for velero.restoreResourcePriorities[]
Velero Restore Resource Priority: Configure the restore order for resources.
Notes for velero.retentionPeriod
Duration String: A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for velero.storagePrefix
Velero Storage Prefix: Configure unique storage prefix for this cluster when storing backups and snapshots in object storage.
When multiple workload clusters share the same bucket or container, ensure that they use separate storage prefixes.
Examples:
service-cluster
workload-cluster
Notes for velero.uploaderType
Velero Uploader Type
Possible values:
kopia
restic
wcProbeIngress¶
Workload Cluster Ingress Probe: Configure a probe for the workload cluster Ingress Controller.
| Key | Type | Default | Title and Description |
|---|---|---|---|
| wcProbeIngress. | boolean | — | Workload Cluster Ingress Probe Enabled |
welcomingDashboard¶
Welcoming Dashboard: If you want to add extra text to the Grafana/OpenSearch "welcoming dashboards",
write the text in these values as a one-line string.
Note: the first line of the string is a header, and not all characters are supported.
For a newline in the Grafana dashboard, use the format \\n
| Key | Type | Default | Title and Description |
|---|---|---|---|
| welcomingDashboard. | string | — | See note |
| welcomingDashboard. | string | — | Extra Text OpenSearch: Extra text added to the OpenSearch welcoming dashboard. |
| welcomingDashboard. | array of object | — | Extra Versions: List of additional components to list on the welcoming dashboard; each item is one additional component. |
Notes for welcomingDashboard.extraTextGrafana
Extra Text Grafana: Extra text added to the Grafana welcoming dashboard.
Examples:
Hello\n\n[This is an example link](https:/elastisys.io)