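# Default values for headlamp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# -- Number of desired pods
replicaCount: 1
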
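image:
  # -- Container image registry
  registry: ghcr.io
  # -- Container image name
  repository: headlamp-k8s/headlamp
  # -- Image pull policy. One of Always, Never, IfNotPresent
  pullPolicy: IfNotPresent
  # -- Container image tag. If "" uses appVersion in Chart.yaml
  # NOTE(review): only a tag can be set in this block, and tags are mutable.
  # Whether the templates accept a digest reference is not visible here - confirm.
  tag: ""
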
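# -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
imagePullSecrets: []
# -- Overrides the name of the chart
nameOverride: ""
# -- Overrides the full name of the chart
fullnameOverride: ""

# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""

# -- An optional list of init containers to be run before the main containers.
# Containers added here run inside the Headlamp pod, so review them with the same
# care as the main image.
initContainers: []

# -- An optional list of extra containers to be run alongside the main containers.
extraContainers: []
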
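config:
  inCluster: true
  inClusterContextName: "main"
  # -- base url path at which headlamp should run
  baseURL: ""
  # -- session token TTL in seconds (default is 24 hours)
  sessionTTL: 86400
  oidc:
    # Option 1:
    # @param config.oidc.secret - OIDC secret configuration
    # If you want to use an existing secret, set create to false and provide the name of the secret.
    # If you want to create a new secret, set create to true and provide the name of the secret.
    # Also provide the values for clientID, clientSecret, issuerURL, and scopes.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: true
    #       name: oidc
    secret:
      # -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
      create: true
      # -- Name of the OIDC secret.
      name: oidc

    # Option 2:
    # @param config.oidc - OIDC env configuration
    # If you want to set the OIDC configuration directly, set the following values.
    # Anything set here, clientSecret included, sits in plain text in the values file
    # and in the Helm release data; Option 3 keeps the client secret out of the chart values.
    # Example:
    # config:
    #   oidc:
    #     clientID: "clientID"
    #     clientSecret: "clientSecret"
    #     issuerURL: "issuerURL"
    #     scopes: "scopes"

    # -- OIDC client ID
    clientID: ""
    # -- OIDC client secret
    clientSecret: ""
    # -- OIDC issuer URL
    issuerURL: ""
    # -- OIDC scopes to be used
    scopes: ""
    # -- OIDC callback URL
    callbackURL: ""

    # -- OIDC client to be used during token validation
    validatorClientID: ""
    # -- OIDC Issuer URL to be used during token validation
    validatorIssuerURL: ""
    # -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
    useAccessToken: false
    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow.
    # Off by default; enable it when the identity provider supports PKCE.
    usePKCE: false

    # Option 3:
    # @param config.oidc - External OIDC secret configuration
    # If you want to use an external secret for OIDC configuration, enable this option.
    # Provide the name of the secret to use.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: false
    #     externalSecret:
    #       enabled: true
    #       name: oidc
    externalSecret:
      enabled: false
      name: ""

    # -- URL to fetch additional user info for the /me endpoint.
    # For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
    # NOTE(review): placed under oidc when the lost indentation was restored - confirm against the chart.
    meUserInfoURL: ""

  # -- directory to look for plugins
  pluginsDir: "/headlamp/plugins"
  # NOTE(review): enableHelm and watchPlugins carry no description in this file;
  # document what each one turns on before enabling it.
  enableHelm: false
  watchPlugins: false
  # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
  # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
  extraArgs: []
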
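# -- An optional list of environment variables
# env:
#   - name: KUBERNETES_SERVICE_HOST
#     value: "localhost"
#   - name: KUBERNETES_SERVICE_PORT
#     value: "6443"

# -- Mount Service Account token in pod
# NOTE(review): with the clusterRoleBinding defaults in this file (create: true,
# clusterRoleName: cluster-admin) the mounted token presumably carries that role - confirm
# which service account the binding targets.
automountServiceAccountToken: true
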
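serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # (If not set and create is true, a name is generated using the fullname template)
  name: ""
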
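clusterRoleBinding:
  # -- Specifies whether a cluster role binding should be created
  create: true
  # -- Name of the ClusterRole to bind. The default, cluster-admin, grants unrestricted
  # access to the whole cluster; for least privilege set the name of a ClusterRole with
  # limited permissions from your cluster,
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
  # -- Annotations to add to the cluster role binding
  annotations: {}
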
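# -- Annotations to add to the deployment
deploymentAnnotations: {}

# -- Annotations to add to the pod
podAnnotations: {}

# -- Labels to add to the pod
podLabels: {}
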
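# -- Controls user namespace isolation for the Headlamp pod.
# When true (default), the pod shares the host user namespace (user namespaces are DISABLED).
# When false, the pod uses a separate user namespace (user namespaces are ENABLED) for stronger isolation,
# if supported by the cluster. Set this to false if your cluster supports user namespaces and you want
# additional isolation; leave as true if user namespaces are not available.
# See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
hostUsers: true
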
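# -- Headlamp pod's Security Context
podSecurityContext:
  {}
  # fsGroup: 2000
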
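# -- Headlamp containers Security Context
securityContext:
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
  # Uses these defaults if this is empty.
  # NOTE(review): this map is not empty as shipped. If the fallback applies only to an
  # empty map, allowPrivilegeEscalation, seccompProfile and the capability drop below are
  # not set by these values - confirm against the deployment template and set them
  # explicitly if so.
  # allowPrivilegeEscalation: false
  # runAsNonRoot: true
  # seccompProfile:
  #   type: RuntimeDefault
  # capabilities:
  #   drop:
  #     - ALL
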
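service:
  # -- Annotations to add to the service
  annotations: {}
  # -- Kubernetes Service type
  type: ClusterIP
  # -- Kubernetes Service port
  port: 80
  # -- Kubernetes Service clusterIP
  clusterIP: ""
  # -- Kubernetes Service loadBalancerIP
  loadBalancerIP: ""
  # -- Kubernetes Service loadBalancerSourceRanges
  # Only relevant for type LoadBalancer; an empty list places no source restriction here.
  loadBalancerSourceRanges: []
  # -- Kubernetes Service Nodeport
  nodePort: null
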
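# -- Headlamp containers volume mounts
volumeMounts: []

# -- Headlamp pod's volumes
volumes: []
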
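persistentVolumeClaim:
  # -- Enable Persistent Volume Claim
  enabled: false
  # -- Annotations to add to the persistent volume claim (if enabled)
  annotations:
    {}
  # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
  accessModes: []
  # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
  size: ""
  # -- storageClassName for the persistent volume claim.
  storageClassName: ""
  # -- selector for the persistent volume claim.
  selector: {}
  # -- volumeMode for the persistent volume claim, eg: Filesystem, Block.
  volumeMode: ""
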
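ingress:
  # -- Enable ingress controller resource
  enabled: false
  # -- Annotations for Ingress resource
  annotations:
    {}
    # kubernetes.io/tls-acme: "true"

  # -- Additional labels to add to the Ingress resource
  labels: {}
  # app.kubernetes.io/part-of: traefik
  # environment: prod

  # -- Ingress class name. replacement for the deprecated "kubernetes.io/ingress.class" annotation
  ingressClassName: ""

  # -- Hostname(s) for the Ingress resource
  # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
  hosts:
    []
    # - host: chart-example.local
    #   paths:
    #     - path: /
    #       type: ImplementationSpecific
  # -- Ingress TLS configuration
  # Empty by default: enabling the Ingress without an entry here leaves TLS for the
  # listed hosts unconfigured by these values.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
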
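# HTTPRoute configuration for Gateway API
# Please refer to https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
httpRoute:
  # -- Enable HTTPRoute resource for Gateway API
  enabled: false
  # -- Annotations for HTTPRoute resource
  annotations: {}
  # -- Additional labels for HTTPRoute resource
  labels: {}
  # -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
  # Example:
  # parentRefs:
  #   - name: my-gateway
  #     namespace: gateway-namespace
  parentRefs: []
  # -- Hostnames for the HTTPRoute
  # Example:
  # hostnames:
  #   - headlamp.example.com
  hostnames: []
  # -- Custom routing rules (optional, defaults to path prefix /)
  # If not specified, a default rule routing all traffic to the service is used
  rules: []
  # Example custom rules:
  # rules:
  #   - matches:
  #       - path:
  #           type: PathPrefix
  #           value: /headlamp
  #     backendRefs:
  #       - name: "{{ .Release.Name }}-headlamp"
  #         port: 80
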
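# -- CPU/Memory resource requests/limits
resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
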
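# -- Node labels for pod assignment
nodeSelector: {}

# -- Toleration labels for pod assignment
tolerations: []

# -- Affinity settings for pod assignment
affinity: {}

# -- Topology Spread Constraints for pod assignment
topologySpreadConstraints: []
#  - maxSkew: 1
#    topologyKey: topology.kubernetes.io/zone
#    whenUnsatisfiable: ScheduleAnyway
#    matchLabelKeys:
#      - pod-template-hash
#  - maxSkew: 1
#    topologyKey: kubernetes.io/hostname
#    whenUnsatisfiable: DoNotSchedule
#    matchLabelKeys:
#      - pod-template-hash

# -- Pod priority class
priorityClassName: ""
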
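# Plugin Manager Sidecar Container Configuration
pluginsManager:
  # -- Enable plugin manager
  enabled: false
  # -- Plugin configuration file name
  configFile: "plugin.yml"
  # -- Plugin configuration content in YAML format. This is required if pluginsManager.enabled is true.
  configContent: ""
  # -- Base node image to use
  # NOTE(review): node:lts-alpine is a floating tag, so the sidecar image can change
  # between pod starts; pin a specific version or digest for reproducible deployments.
  baseImage: node:lts-alpine
  # -- Headlamp plugin package version to install
  # NOTE(review): "latest" is likewise unpinned; set an explicit version once the
  # plugin manager is enabled.
  version: latest
  # -- Plugin manager containers volume mounts
  volumeMounts: []
  # -- Plugin manager env variable configuration
  # env:
  #   - name: HTTPS_PROXY
  #     value: "proxy.example.com:8080"
  # -- Specify resources
  # resources:
  #   requests:
  #     cpu: "500m"
  #     memory: "2048Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "4096Mi"
  # If omitted, the plugin manager will inherit the global securityContext
  securityContext:
    {}
    # runAsUser: 1001
    # runAsNonRoot: true
    # allowPrivilegeEscalation: false
    # readOnlyRootFilesystem: true
    # capabilities:
    #   drop:
    #     - ALL
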
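podDisruptionBudget:
  # -- enable PodDisruptionBudget
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Minimum number/percentage of pods that should remain scheduled.
  # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
  minAvailable: 0
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null
  # @schema
  # type: [null, string]
  # @schema
  # -- How are unhealthy, but running, pods counted for eviction
  unhealthyPodEvictionPolicy: null
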
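# -- Additional Kubernetes manifests to be deployed. Include the manifest as nested YAML.
# Each entry is deployed with the release, so review entries as you would any other manifest.
extraManifests: []
#  - |
#    apiVersion: v1
#    kind: ConfigMap
#    metadata:
#      name: my-config
#    data:
#      key: value
#  - |
#    apiVersion: v1
#    kind: ConfigMap
#    metadata:
#      name: my-config-too
#    data:
#      key: value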