# Copyright Cyral, Inc.
# SPDX-License-Identifier: Apache-2.0
## @section Required Cyral configuration
## @param cyral.sidecarId Sidecar identifier
## @param cyral.controlPlane Address of the control plane - <tenant>.cyral.com
## @param cyral.credentials.clientId The client ID assigned to the sidecar. Optional - required only if existingSecret is not provided.
## @param cyral.credentials.clientSecret The client secret assigned to the sidecar. Optional - required only if existingSecret is not provided.
## @param image.tag Cyral Sidecar image tag (this is the sidecar version)
## @section Certificates configuration
## @param cyral.sidecar.certificates.ca.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate for the internal CA.
## @param cyral.sidecar.certificates.tls.existingSecret Name of an existing Kubernetes secret containing a private key and a certificate to terminate TLS connections.
## @section Cyral deployment properties configuration
## @param cyral.deploymentProperties.cloud Cloud provider where the Cyral Sidecar is hosted.
## @param cyral.deploymentProperties.deploymentType Deployment type chosen for the Cyral Sidecar. Defaults to `helm-kubernetes`.
## @param cyral.deploymentProperties.endpoint Fully qualified domain name that will be used to access the Cyral Sidecar.
## @section Snowflake configuration
## @param cyral.sidecar.snowflake.idpCertificate The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal new line characters (\n) specifying the line breaks.
## @param cyral.sidecar.snowflake.sidecarIdpCertificate The public certificate used to verify signatures for SAML Assertions generated by the sidecar. Required if using SSO with Snowflake.
## @param cyral.sidecar.snowflake.sidecarIdpPrivateKey The private key used to sign SAML Assertions generated by the sidecar. Required if using SSO with Snowflake. This is a secret: load it from a file kept out of version control (for example with `--set-file`) rather than committing it to a values file.
## @param cyral.sidecar.snowflake.SSOLoginURL The IdP SSO URL for the IdP being used with Snowflake.
## @section Other Cyral configuration
## @param cyral.credentials.existingSecret Name of an existing Kubernetes secret containing client ID and client secret. The secret must contain the `clientId` and `clientSecret` keys. Preferred over `cyral.credentials.clientSecret`, which keeps the secret in plaintext in the values.
## @param cyral.sidecar.dnsName Fully qualified domain name that will be used to access the Cyral Sidecar
## @section Common configuration
## @param commonAnnotations Common annotations to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template
## @param commonLabels Common labels to add to all Cyral Sidecar resources (sub-charts are not considered). Evaluated as a template
## @param clusterDomain Kubernetes cluster domain
## @param fullnameOverride String to fully override common.names.fullname template with a string
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name)
## @section Deployment configuration
## @param affinity Affinity for pod assignment
## @param extraEnvVars Extra environment variables to be set on Cyral Sidecar containers
## @param extraEnvVarsCM ConfigMap with extra environment variables
## @param extraEnvVarsSecret Secret with extra environment variables
## @param extraVolumes Array of extra volumes to be added to the Cyral Sidecar deployment (evaluated as template). Requires setting `extraVolumeMounts`
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## @param replicaCount Number of Cyral Sidecar replicas to deploy
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## @param tolerations Tolerations for pod assignment. Evaluated as a template.
## @section Image configuration
## @param image.debug Enable image debug mode
## @param image.digest Cyral Sidecar image digest in the form `sha256:<hex>`. If set, it overrides `image.tag`; a digest is the immutable reference to pin for supply-chain integrity.
## @param image.pullPolicy Cyral Sidecar image pull policy
## @param image.pullSecrets Cyral Sidecar image pull secrets
## @param image.registry [default: public.ecr.aws/cyral] Cyral Sidecar image registry
## @param image.repository [default: cyral-sidecar] Cyral Sidecar image repository
## @section Ports configuration
## @param containerPorts [object] Map of all ports inside Cyral Sidecar container
## @param extraContainerPorts Array of additional container ports for the Cyral Sidecar container
## @section Prometheus metrics
## @param metrics.enabled Enable exposing Cyral Sidecar metrics to be gathered by Prometheus
## @param metrics.podAnnotations [object] Annotations for enabling prometheus to access the metrics endpoint
## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor
## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
## @param metrics.serviceMonitor.interval Specify the interval at which metrics should be scraped
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion
## @param metrics.serviceMonitor.namespace Specify the namespace in which the serviceMonitor resource will be created
## @param metrics.serviceMonitor.params Define the HTTP URL parameters used by ServiceMonitor
## @param metrics.serviceMonitor.path Define the path used by ServiceMonitor to scrape metrics
## @param metrics.serviceMonitor.podTargetLabels Used to keep given pod's labels in target
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
## @param metrics.serviceMonitor.targetLabels Used to keep given service's labels in target
## @section RBAC configuration
## @param rbac.create Create Role and RoleBinding
## @param rbac.rules Custom RBAC rules to set
## @section Security context configuration
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param podSecurityContext.enabled Enabled Cyral Sidecar pods' Security Context
## @param podSecurityContext.fsGroup Set Cyral Sidecar pod's Security Context fsGroup
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.sysctls [array] Set kernel settings using the sysctl interface
## @section Service account configuration
## @param serviceAccount.annotations Annotations for service account. Evaluated as a template.
## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
## @param serviceAccount.create Enable creation of ServiceAccount for Cyral Sidecar pod
## @param serviceAccount.name The name of the ServiceAccount to use.
## @section Service configuration
## @param service.annotations Service annotations
## @param service.clusterIP Cyral Sidecar service Cluster IP
## @param service.externalTrafficPolicy Service traffic policy: `Local` preserves the client source IP, `Cluster` (the default) may SNAT it.
## @param service.loadBalancerClass service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
## @param service.loadBalancerIP LoadBalancer service IP address
## @param service.loadBalancerSourceRanges CIDR ranges allowed to reach the LoadBalancer service. Empty means unrestricted.
## @param service.nodePorts [object] Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types.
## @param service.ports [object] Map of Cyral Sidecar service ports
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
## @param service.targetPort [object] Target port reference value for the Loadbalancer service types can be specified explicitly.
## @param service.type Service type
## Identity and credentials the sidecar uses to register with the Cyral
## control plane. Field-by-field descriptions are in the @param header above.
cyral:
  sidecarId: ""
  ## <tenant>.cyral.com
  controlPlane: ""
  ## Client credentials issued to the sidecar. Prefer `existingSecret`:
  ## `clientSecret` set inline lives in plaintext in the values file, and
  ## NOTE(review): Helm 3 also keeps the supplied values in the release Secret,
  ## so anyone who can read Secrets in the namespace can recover it.
  credentials:
    clientId: ""
    clientSecret: ""
    ## Name of a pre-created Secret with `clientId` and `clientSecret` keys;
    ## when set, the two inline values above are not required.
    existingSecret: ""
  sidecar:
    dnsName: ""
    ## Key material is referenced by Secret name only, never inlined here.
    certificates:
      ca:
        existingSecret: ""
      tls:
        existingSecret: ""
    ## Snowflake SSO (SAML) settings; only needed when using SSO with Snowflake.
    snowflake:
      SSOLoginURL: ""
      ## IdP certificate used to verify the IdP's SAML assertions, as a
      ## one-line string with literal `\n` line breaks.
      idpCertificate: ""
      ## The sidecar's own SAML signing key pair. `sidecarIdpPrivateKey` is a
      ## secret and this values file declares no existingSecret alternative for
      ## it, so supply it from a file outside version control (e.g.
      ## `--set-file`) rather than committing it.
      sidecarIdpCertificate: ""
      sidecarIdpPrivateKey: ""
  ## Deployment metadata reported to the control plane.
  deploymentProperties:
    cloud: ""
    endpoint: ""
    deploymentType: helm-kubernetes
## Annotations and labels added to every resource this chart renders
## (sub-charts excluded). Both are evaluated as templates.
commonAnnotations: {}
commonLabels: {}
## Cluster DNS domain used when building in-cluster service names.
clusterDomain: cluster.local
## Fully override the `common.names.fullname` template.
fullnameOverride: ""
## Force the target Kubernetes version instead of reading Helm capabilities.
kubeVersion: ""
## Partially override `common.names.fullname` (the release name is prepended).
nameOverride: ""
## Node affinity preset. Ignored when `affinity` is set.
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
nodeAffinityPreset:
  ## Node label key to match, e.g. "kubernetes.io/e2e-az-name"
  key: ""
  ## Allowed values: `soft` or `hard`
  type: ""
  ## Node label values to match, e.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  values: []
## Pod affinity preset. Ignored when `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinityPreset: ""
## Pod anti-affinity preset. Ignored when `affinity` is set. Allowed values: `soft` or `hard`
## NOTE(review): `hard` presumably renders a required anti-affinity rule, in
## which case extra replicas stay Pending on clusters with fewer schedulable
## nodes than `replicaCount`; use `soft` there.
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAntiAffinityPreset: hard
## Full affinity spec. When set, the three presets above are ignored.
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Extra environment variables for the sidecar containers, e.g.
## extraEnvVars:
##   - name: FOO
##     value: BAR
## Do not put credentials here: literal env values are visible in the pod
## spec to anyone who can read pods. Use `extraEnvVarsSecret` instead.
##
extraEnvVars: []
## Name of a ConfigMap whose keys become environment variables.
extraEnvVarsCM: ""
## Name of a Secret whose keys become environment variables.
extraEnvVarsSecret: ""
## Number of sidecar pods. See the note on `podAntiAffinityPreset`.
replicaCount: 1
## Requests and limits. Empty by default; set them for production so a
## runaway sidecar cannot starve other workloads on the node. Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Extra volumes for the deployment (evaluated as a template). The header
## says this requires `extraVolumeMounts`, but NOTE(review): no
## `extraVolumeMounts` key is declared anywhere in this values file — confirm
## the template reads it before relying on it.
extraVolumes: []
## Pods Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  create: true
  ## If not set and create is true, a name is generated using the `common.names.fullname` template
  name: ""
  ## Only used if `create` is `true`.
  annotations: {}
  ## Mounts the service-account token into the pod. NOTE(review): leave true
  ## only if the sidecar actually calls the Kubernetes API; otherwise set false
  ## so a compromised container does not hold an API credential (presumably
  ## bound to whatever `rbac.rules` grants).
  automountServiceAccountToken: true
## Sidecar container image.
## NOTE(review): the Docker Hub link below does not match the default registry
## (`public.ecr.aws/cyral`); treat `registry`/`repository` as the source of truth.
## ref: https://hub.docker.com/r/cyral/sidecar/tags/
image:
  registry: public.ecr.aws/cyral
  repository: cyral-sidecar
  ## Sidecar version. Required. Prefer pinning `digest` for an immutable reference.
  tag: ""
  ## Image digest (`sha256:...`); when set it overrides `tag`.
  digest: ""
  ## Image pull policy. Kubernetes only defaults to `Always` for a `latest` tag
  ## when no policy is given; because the policy is set explicitly here, a
  ## mutable tag such as `latest` will NOT be re-pulled under `IfNotPresent`.
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  pullSecrets: []
  ## Enable image debug mode. NOTE(review): what extra output this produces is
  ## not visible here — confirm it does not log query contents or credentials
  ## before enabling it in production.
  debug: false
## Role Based Access
## Ref: https://kubernetes.io/docs/admin/authorization/rbac/
rbac:
  ## Create a Role and RoleBinding for the sidecar's service account.
  create: true
  ## Rules for that Role. Empty by default, so the bound token presumably
  ## carries no API permissions until rules are added; keep them minimal. e.g:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## Cyral Sidecar pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  ## Lets the unprivileged container user (runAsUser 65534) bind the listener
  ## ports below 1024 in `containerPorts` (443, 453, 463) without root or
  ## NET_BIND_SERVICE. It is a namespaced sysctl on the kubelet's safe list on
  ## recent Kubernetes, so no extra allowlist is needed.
  sysctls:
    - name: net.ipv4.ip_unprivileged_port_start
      value: "0"
  supplementalGroups: []
  ## Group applied to mounted volumes. It differs from `runAsUser`; the process
  ## receives it as a supplementary group, which is what volume access needs.
  fsGroup: 1001
## Cyral Sidecar containers' Security Context.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext:
  enabled: true
  seLinuxOptions: null
  ## Runs as `nobody`; with runAsNonRoot the kubelet refuses to start the
  ## container if the image would otherwise run as uid 0.
  runAsUser: 65534
  runAsNonRoot: true
  privileged: false
  ## NOTE(review): root filesystem left writable. If the sidecar only needs
  ## scratch space, set this true and mount an emptyDir for it — confirm
  ## against the image's write paths first.
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
  ## NOTE(review): no `capabilities.drop: ["ALL"]` is set, which the Pod
  ## Security "restricted" profile requires. Whether the template passes extra
  ## keys through to the container spec is not visible in this file — check
  ## before adding it here.
  seccompProfile:
    type: "RuntimeDefault"
## Ports the sidecar listens on, keyed by repository type. The ports below
## 1024 (snowflake 443, s3 453, dynamodb 463) depend on the
## `net.ipv4.ip_unprivileged_port_start` sysctl in `podSecurityContext`,
## because the container runs as uid 65534.
containerPorts:
  metrics: 9000
  denodo0: 9996
  denodo1: 9999
  dremio: 31010
  dynamodb: 463
  sqlserver: 1433
  mongodb0: 27017
  mongodb1: 27018
  mongodb2: 27019
  mysql: 3306
  oracle: 1521
  pg: 5432
  redshift: 5439
  s3: 453
  snowflake: 443
## Additional container ports, e.g:
## extraContainerPorts:
##   - 4317
##
extraContainerPorts: []
## Kubernetes Service in front of the sidecar.
## NOTE(review): with the defaults here — `type: LoadBalancer`, empty
## `loadBalancerSourceRanges`, no internal-LB annotation — every database
## listener in `ports` is published on a cloud load balancer reachable from
## any source. Restrict it with `loadBalancerSourceRanges` and/or an
## internal-LB annotation before deploying.
service:
  type: LoadBalancer
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  nodePorts:
    sidecar: []
  ## Service ports, keyed by repository type. The `metrics` port (9000) is in
  ## this list too; whether the template exposes it when `metrics.enabled` is
  ## false cannot be told from this file.
  ports:
    metrics: 9000
    denodo0: 9996
    denodo1: 9999
    dremio: 31010
    dynamodb: 463
    sqlserver: 1433
    mongodb0: 27017
    mongodb1: 27018
    mongodb2: 27019
    mysql: 3306
    oracle: 1521
    pg: 5432
    redshift: 5439
    s3: 453
    snowflake: 443
  ## Listeners for the LoadBalancer can be custom mapped to any Cyral Sidecar service port.
  ## Example: mapping the mysql listener to targetPort mysql [mysql: mysql]
  targetPort:
    denodo0: denodo0
    denodo1: denodo1
    dremio: dremio
    dynamodb: dynamodb
    sqlserver: sqlserver
    mongodb0: mongodb0
    mongodb1: mongodb1
    mongodb2: mongodb2
    mysql: mysql
    oracle: oracle
    pg: pg
    redshift: redshift
    s3: s3
    snowflake: snowflake
  ## e.g.:
  ## clusterIP: None
  clusterIP: ""
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  loadBalancerIP: ""
  ## CIDR ranges allowed to reach the load balancer. Empty means unrestricted.
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  loadBalancerSourceRanges: []
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  loadBalancerClass: ""
  ## If "ClientIP", consecutive client requests will be directed to the same Pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  sessionAffinity: None
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  sessionAffinityConfig: {}
  ## Cloud-specific annotations, e.g. to make the LoadBalancer internal-only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  annotations: {}
  ## `Cluster` may SNAT incoming traffic, so the sidecar sees a node address
  ## rather than the real client IP. Use `Local` when the client source IP must
  ## be preserved (e.g. if the sidecar's logging or policies use it), at the
  ## cost of less even load spread across replicas.
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: Cluster
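## Prometheus Metrics
##
metrics:
  ## Expose the sidecar metrics endpoint for Prometheus.
  enabled: false
  ## Pod annotations for annotation-based Prometheus discovery. The port value
  ## is a template that resolves to `service.ports.metrics`.
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "{{ .Values.service.ports.metrics }}"
  ## Prometheus Operator ServiceMonitor.
  ## ref: https://github.com/coreos/prometheus-operator
  ##
  serviceMonitor:
    enabled: false
    namespace: ""
    interval: 30s
    ## e.g:
    ## scrapeTimeout: 30s
    ##
    scrapeTimeout: ""
    jobLabel: ""
    relabelings: []
    metricRelabelings: []
    honorLabels: false
    ## Service labels to keep on the scraped target. This is a list of label
    ## names (the ServiceMonitor field is a string array), so the empty
    ## default is `[]` rather than `{}`, matching the example. e.g:
    ## targetLabels:
    ##   - app.kubernetes.io/name
    ##
    targetLabels: []
    ## Pod labels to keep on the scraped target; same shape as `targetLabels`. e.g:
    ## podTargetLabels:
    ##   - app.kubernetes.io/name
    ##
    podTargetLabels: []
    ## Could be /metrics for aggregated metrics or /metrics/per-object for more details
    ##
    path: ""
    params: {}
    ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
    ##
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    labels: {}
    annotations: {}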