# Default values for radar.

# Number of Deployment replicas.
# NOTE(review): timeline.storage "sqlite" writes to a single ReadWriteOnce
# claim (see persistence below), so more than one replica would contend for
# the same database file — keep this at 1 unless storage stays "memory".
replicaCount: 1

image:
  repository: ghcr.io/skyhook-io/radar
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  # NOTE(review): for production, pin an explicit tag here rather than relying
  # on the appVersion default, so image upgrades are deliberate and the
  # running version is reproducible from these values.
  tag: ""

# Secrets used to pull from a private registry (pod spec imagePullSecrets).
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# ServiceAccount the pod runs as. Presumably the subject of the
# ClusterRoleBinding created under `rbac` below (verify in the templates), so
# everything the UI can do against the API is bounded by this account.
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  # When create is false the named account must already exist and carry the
  # bindings you intend — nothing here creates them for you.
  name: ""

# RBAC configuration
rbac:
  # Create ClusterRole and ClusterRoleBinding
  # NOTE(review): both objects are cluster-scoped, so every grant below applies
  # across ALL namespaces; these values offer no namespace-scoped alternative.
  create: true
  # Additional rules to add to the ClusterRole
  # Extra PolicyRule entries; they extend the cluster-wide role, so keep them
  # to the minimum verbs/resources the feature needs.
  additionalRules: []

  # Privileged permissions (disabled by default for security)
  # Enable these based on features you need:
  # NOTE(review): nothing in these values configures authentication for the UI
  # itself, so anyone who can reach the Service/Ingress can exercise whatever
  # is granted here. Confirm how access to the UI is restricted before turning
  # on any of the write/exec/forward options.

  # Allow Helm write operations (install, upgrade, rollback, uninstall, apply values)
  # Requires broad permissions - grants create/update/patch/delete on all resource types,
  # since Helm charts can create any kind of Kubernetes resource.
  # Automatically enables secrets read access (needed for Helm release storage).
  # NOTE(review): create on every resource type in every namespace is
  # effectively cluster-admin (it permits, for instance, creating privileged
  # pods anywhere). Treat a deployment with helm=true accordingly.
  helm: false

  # Allow reading secrets (shows secrets in resource list)
  # Cluster-wide read of every Secret (ServiceAccount tokens, TLS keys, ...).
  secrets: false

  # Allow pod exec (enables terminal feature)
  # Exec into any pod in any namespace, including privileged or hostPath pods,
  # which amounts to node-level access wherever such pods run.
  podExec: false

  # Allow pod logs (enables log viewer)
  # This is relatively safe - only reads logs, no write access
  # Caveat: logs routinely contain tokens, credentials and personal data, so
  # this is still a cluster-wide read of potentially sensitive output.
  podLogs: true

  # Allow port forwarding (enables port forward feature)
  # Opens a network path into any pod through the API server, so it is not
  # constrained by NetworkPolicy the way direct client traffic is.
  portForward: false

  # Traffic visibility (Hubble/Cilium integration)
  # Grants read access ONLY to hubble-relay-client-certs secret for TLS auth
  # Note: this is a Secret read granted even while `secrets` is false; leave it
  # off if you do not run Cilium/Hubble.
  traffic: true

  # CRD access - all common groups enabled by default
  # Granting RBAC for CRDs that don't exist has no effect.
  # ...until such a CRD is installed later, at which point the grant is live.
  # Several groups below expose sensitive objects (external-secrets.io,
  # sealed-secrets.bitnami.com, cert-manager.io), so disable groups you do not
  # run rather than relying on the CRDs being absent.
  crdGroups:
    # Set to true to grant read access to ALL CRDs (overrides individual settings below)
    # Simpler but broader permissions - some orgs may not allow this
    all: false

    argo: true  # argoproj.io
    awx: true  # awx.ansible.com
    certManager: true  # cert-manager.io
    cloudnativePg: true  # cloudnative-pg.io
    crossplane: true  # crossplane.io, pkg.crossplane.io
    descheduler: true  # descheduler.alpha.kubernetes.io
    envoyGateway: true  # gateway.envoyproxy.io
    externalDns: true  # externaldns.k8s.io
    externalSecrets: true  # external-secrets.io
    flux: true  # *.toolkit.fluxcd.io
    gatewayApi: true  # gateway.networking.k8s.io
    gcpMonitoring: true  # monitoring.googleapis.com
    grafana: true  # monitoring.grafana.com, tempo/loki/grafana.integreatly.org
    istio: true  # networking.istio.io, security.istio.io
    karpenter: true  # karpenter.sh, karpenter.k8s.aws
    keda: true  # keda.sh
    knative: true  # serving.knative.dev, eventing.knative.dev
    kubeshark: true  # kubeshark.io
    kured: true  # kured.io
    kyverno: true  # kyverno.io, wgpolicyk8s.io, reports.kyverno.io
    mariadb: true  # mariadb.mmontes.io
    nginx: true  # nginx.org
    openshift: true  # observability.openshift.io
    opentelemetry: true  # opentelemetry.io
    prometheus: true  # monitoring.coreos.com
    reflector: true  # reflector.v1.k8s.emberstack.com
    reloader: true  # reloader.stakater.com
    sealedSecrets: true  # sealed-secrets.bitnami.com
    strimzi: true  # strimzi.io, kafka.strimzi.io
    tekton: true  # tekton.dev
    traefik: true  # traefik.io, traefik.containo.us
    velero: true  # velero.io

    # Additional CRD API groups for custom/unlisted CRDs
    # Example: ["mycompany.io", "custom.example.com"]
    # Same cluster-wide scope as the groups above.
    additionalCrdGroups: []

podAnnotations: {}

# Pod-level security context. 65532 matches the distroless `nonroot` user —
# assumes the image is built to run as that uid; verify against the image.
# fsGroup makes a mounted claim (see persistence) writable by that gid.
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532

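# Container-level security context, aligned with the Pod Security Standards
# "restricted" profile: no privilege escalation, read-only root filesystem,
# non-root uid, all capabilities dropped, runtime-default seccomp profile.
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 65532
  capabilities:
    drop:
      - ALL
  # The "restricted" profile also requires an explicit seccomp profile;
  # RuntimeDefault applies the container runtime's default syscall filter.
  seccompProfile:
    type: RuntimeDefault
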
service:
  # ClusterIP keeps the UI off the node/load-balancer network; reach it via the
  # ingress below or `kubectl port-forward`. Avoid NodePort/LoadBalancer unless
  # the UI is otherwise protected — it acts with the ServiceAccount's RBAC.
  type: ClusterIP
  port: 9280

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: radar.example.com
      paths:
        - path: /
          pathType: Prefix
  # NOTE(review): when enabling the ingress, configure TLS here (or terminate
  # it upstream) and place an authenticating proxy or ingress auth annotation
  # in front of the UI — these values carry no authentication settings of
  # their own.
  tls: []
    # - secretName: radar-tls
    #   hosts:
    #     - radar.example.com

# Container requests/limits. Limits keep a misbehaving or abused instance
# from starving neighbours; raise memory if timeline.historyLimit is increased.
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 128Mi

# Timeline storage configuration
timeline:
  # Storage backend: "memory" or "sqlite"
  # "memory" presumably does not survive a pod restart; "sqlite" persists to dbPath.
  storage: memory
  # Path to SQLite database (only used when storage is "sqlite")
  # Note: Requires a PVC when using sqlite
  # (the container root filesystem is read-only, so this path must sit on the
  # volume configured under persistence below)
  dbPath: /data/timeline.db
  # Maximum number of events to retain
  # Presumably also bounds memory/disk growth of the timeline — confirm in the app.
  historyLimit: 10000

# Traffic source configuration
traffic:
  # Manual Prometheus/VictoriaMetrics URL (bypasses auto-discovery)
  # Use this when auto-discovery doesn't find your metrics service.
  # Examples:
  #   http://prometheus-server.monitoring:80
  #   http://vmsingle.victoria-metrics:8428
  #   http://vmselect.victoria-metrics:8481/select/0/prometheus
  # The examples are plaintext in-cluster URLs. Point this only at a metrics
  # service you trust; if that endpoint requires credentials or TLS, nothing in
  # these values supplies them — check the app docs for how to provide them.
  prometheusUrl: ""

# Persistence for SQLite timeline storage
# Required when timeline.storage is "sqlite" (readOnlyRootFilesystem prevents local writes)
persistence:
  enabled: false
  # storageClassName: ""
  # ReadWriteOnce is mountable by one node at a time; with sqlite on this
  # claim, run a single replica.
  accessMode: ReadWriteOnce
  size: 1Gi

# Pod scheduling constraints (nodeSelector / tolerations / affinity).
nodeSelector: {}

tolerations: []

affinity: {}

# Additional environment variables
# Plain `value` entries are stored in the Deployment and readable by anyone
# who can read it; for credentials prefer `valueFrom.secretKeyRef` (assuming
# the chart passes these through as EnvVar objects — verify in the template).
# Keep boolean-looking values quoted, as in the example, so they stay strings.
env: []
  # - name: DEBUG
  #   value: "true"

# Liveness and readiness probes
# Liveness restarts the container after 3 consecutive failures (3 x 30s);
# readiness gates the pod's membership in the Service endpoints.
probes:
  liveness:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 30
    timeoutSeconds: 5
    failureThreshold: 3
  readiness:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3