mirror of
https://github.com/bitnami/charts.git
synced 2026-03-08 08:47:24 +08:00
[bitnami/concourse] feat: ✨ 🔒 Add readOnlyRootFilesystem support (#23878)
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Signed-off-by: Javier J. Salmerón-García <jsalmeron@vmware.com>
committed by
GitHub
parent
8e3887bf81
commit
e2a4425b31
@@ -37,4 +37,4 @@ maintainers:
|
||||
name: concourse
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/concourse
|
||||
version: 3.5.3
|
||||
version: 3.6.0
|
||||
|
||||
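Review bot: the bump from `version: 3.5.3` to `version: 3.6.0` is a minor release, yet the README hunk in this same commit lists web container securityContext defaults that the old table did not have (`runAsNonRoot` `true`, `allowPrivilegeEscalation` `false`, `capabilities.drop` `["ALL"]`, `runAsGroup` `0`). If those values are newly rendered into the web pod spec rather than only newly documented, deployments using custom images or `web.command` overrides can behave differently after the upgrade, so an upgrade note in the README alongside this version change would help.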
@@ -104,236 +104,247 @@ The command removes all the Kubernetes components associated with the chart and
|
||||
|
||||
### Concourse Web parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------- |
|
||||
| `web.enabled` | Enable Concourse web component | `true` |
|
||||
| `web.baseUrl` | url | `/` |
|
||||
| `web.logLevel` | Minimum level of logs to see. Possible options: debug, info, error. | `debug` |
|
||||
| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` |
|
||||
| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` |
|
||||
| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` |
|
||||
| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` |
|
||||
| `web.auth.cookieSecure` | use cookie secure true or false | `false` |
|
||||
| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` |
|
||||
| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` |
|
||||
| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` |
|
||||
| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` |
|
||||
| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` |
|
||||
| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` |
|
||||
| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` |
|
||||
| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. | `false` |
|
||||
| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` |
|
||||
| `web.tsa.logLevel` | Minimum level of logs to see. Possible values: debug, info, error | `debug` |
|
||||
| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` |
|
||||
| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` |
|
||||
| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` |
|
||||
| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` |
|
||||
| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` |
|
||||
| `web.configRBAC` | Set RBAC configuration | `""` |
|
||||
| `web.conjur.enabled` | Enable the use of Conjur as a credential manager | `false` |
|
||||
| `web.conjur.applianceUrl` | URL of the Conjur instance. | `""` |
|
||||
| `web.conjur.pipelineSecretTemplate` | Path used to locate pipeline-level secret | `concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` |
|
||||
| `web.conjur.teamSecretTemplate` | Path used to locate team-level secret | `concourse/{{.Team}}/{{.Secret}}` |
|
||||
| `web.conjur.secretTemplate` | Path used to locate a vault or safe-level secret | `concourse/{{.Secret}}` |
|
||||
| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` |
|
||||
| `web.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `web.args` | Override default container args (useful when using custom images) | `[]` |
|
||||
| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` |
|
||||
| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` |
|
||||
| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` |
|
||||
| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` |
|
||||
| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` |
|
||||
| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | `8443` |
|
||||
| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` |
|
||||
| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` |
|
||||
| `web.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `web.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `web.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `web.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
|
||||
| `web.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `web.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
|
||||
| `web.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `web.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` |
|
||||
| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
|
||||
| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
|
||||
| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
|
||||
| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` |
|
||||
| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
|
||||
| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
|
||||
| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
|
||||
| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` |
|
||||
| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `none` |
|
||||
| `web.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
|
||||
| `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `web.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `web.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `web.podSecurityContext.fsGroup` | Set web pod's Security Context fsGroup | `1001` |
|
||||
| `web.containerSecurityContext.enabled` | Enabled web containers' Security Context | `true` |
|
||||
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `web.containerSecurityContext.runAsUser` | Set web containers' Security Context runAsUser | `1001` |
|
||||
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `web.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
||||
| `web.hostAliases` | Concourse web pod host aliases | `[]` |
|
||||
| `web.podLabels` | Extra labels for Concourse web pods | `{}` |
|
||||
| `web.podAnnotations` | Annotations for Concourse web pods | `{}` |
|
||||
| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` |
|
||||
| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` |
|
||||
| `web.affinity` | Affinity for web pods assignment | `{}` |
|
||||
| `web.nodeSelector` | Node labels for web pods assignment | `{}` |
|
||||
| `web.tolerations` | Tolerations for web pods assignment | `[]` |
|
||||
| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` |
|
||||
| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` |
|
||||
| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` |
|
||||
| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` |
|
||||
| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` |
|
||||
| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
|
||||
| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
|
||||
| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` |
|
||||
| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` |
|
||||
| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
|
||||
| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
||||
| `web.rbac.rules` | Custom RBAC rules to set | `[]` |
|
||||
| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `web.serviceAccount.name` | Override Web service account name | `""` |
|
||||
| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| Name | Description | Value |
|
||||
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------- |
|
||||
| `web.enabled` | Enable Concourse web component | `true` |
|
||||
| `web.baseUrl` | url | `/` |
|
||||
| `web.logLevel` | Minimum level of logs to see. Possible options: debug, info, error. | `debug` |
|
||||
| `web.clusterName` | A name for this Concourse cluster, to be displayed on the dashboard page. | `""` |
|
||||
| `web.bindIp` | IP address on which to listen for HTTP traffic (web UI and API). | `0.0.0.0` |
|
||||
| `web.peerAddress` | Network address of this web node, reachable by other web nodes. | `""` |
|
||||
| `web.externalUrl` | URL used to reach any ATC from the outside world. | `""` |
|
||||
| `web.auth.cookieSecure` | use cookie secure true or false | `false` |
|
||||
| `web.auth.duration` | Length of time for which tokens are valid. Afterwards, users will have to log back in. | `24h` |
|
||||
| `web.auth.passwordConnector` | The connector to use for password authentication for `fly login -u ... -p ...`. | `""` |
|
||||
| `web.auth.mainTeam.config` | Configuration file for specifying the main teams params. | `""` |
|
||||
| `web.auth.mainTeam.localUser` | Comma-separated list of local Concourse users to be included as members of the `main` team. | `user` |
|
||||
| `web.existingSecret` | Use an existing secret for the Web service credentials | `""` |
|
||||
| `web.enableAcrossStep` | Enable the experimental across step to be used in jobs. The API is subject to change. | `false` |
|
||||
| `web.enablePipelineInstances` | Enable the creation of instanced pipelines. | `false` |
|
||||
| `web.enableCacheStreamedVolumes` | Enable caching streamed resource volumes on the destination worker. | `false` |
|
||||
| `web.baseResourceTypeDefaults` | Configuration file for specifying defaults for base resource types | `""` |
|
||||
| `web.tsa.logLevel` | Minimum level of logs to see. Possible values: debug, info, error | `debug` |
|
||||
| `web.tsa.bindIp` | IP address on which to listen for SSH | `0.0.0.0` |
|
||||
| `web.tsa.debugBindIp` | IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1) | `127.0.0.1` |
|
||||
| `web.tsa.heartbeatInterval` | Interval on which to heartbeat workers to the ATC | `30s` |
|
||||
| `web.tsa.gardenRequestTimeout` | How long to wait for requests to Garden to complete. 0 means no timeout | `""` |
|
||||
| `web.tls.enabled` | enable serving HTTPS traffic directly through the web component. | `false` |
|
||||
| `web.configRBAC` | Set RBAC configuration | `""` |
|
||||
| `web.conjur.enabled` | Enable the use of Conjur as a credential manager | `false` |
|
||||
| `web.conjur.applianceUrl` | URL of the Conjur instance. | `""` |
|
||||
| `web.conjur.pipelineSecretTemplate` | Path used to locate pipeline-level secret | `concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}` |
|
||||
| `web.conjur.teamSecretTemplate` | Path used to locate team-level secret | `concourse/{{.Team}}/{{.Secret}}` |
|
||||
| `web.conjur.secretTemplate` | Path used to locate a vault or safe-level secret | `concourse/{{.Secret}}` |
|
||||
| `web.existingConfigmap` | The name of an existing ConfigMap with your custom configuration for web | `""` |
|
||||
| `web.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `web.args` | Override default container args (useful when using custom images) | `[]` |
|
||||
| `web.extraEnvVars` | Array with extra environment variables to add to Concourse web nodes | `[]` |
|
||||
| `web.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse web nodes | `""` |
|
||||
| `web.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse web nodes | `""` |
|
||||
| `web.replicaCount` | Number of Concourse web replicas to deploy | `1` |
|
||||
| `web.containerPorts.http` | Concourse web UI and API HTTP container port | `8080` |
|
||||
| `web.containerPorts.https` | Concourse web UI and API HTTPS container port | `8443` |
|
||||
| `web.containerPorts.tsa` | Concourse web TSA SSH container port | `2222` |
|
||||
| `web.containerPorts.pprof` | Concourse web TSA pprof server container port | `2221` |
|
||||
| `web.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `web.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `web.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `web.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
|
||||
| `web.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `web.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
|
||||
| `web.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `web.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `web.livenessProbe.enabled` | Enable livenessProbe on Concourse web containers | `true` |
|
||||
| `web.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `web.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
|
||||
| `web.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
|
||||
| `web.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
|
||||
| `web.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `web.readinessProbe.enabled` | Enable readinessProbe on Concourse web containers | `true` |
|
||||
| `web.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `web.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
|
||||
| `web.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
|
||||
| `web.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
|
||||
| `web.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `web.startupProbe.enabled` | Enable startupProbe on Concourse web containers | `false` |
|
||||
| `web.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `web.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `web.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `web.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `web.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `web.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `web.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `web.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `web.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if web.resources is set (web.resources is recommended for production). | `none` |
|
||||
| `web.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `web.podSecurityContext.enabled` | Enabled web pods' Security Context | `true` |
|
||||
| `web.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `web.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `web.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `web.podSecurityContext.fsGroup` | Set web pod's Security Context fsGroup | `1001` |
|
||||
| `web.containerSecurityContext.enabled` | web container securityContext | `true` |
|
||||
| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `web.containerSecurityContext.runAsUser` | User ID for the web container | `1001` |
|
||||
| `web.containerSecurityContext.runAsGroup` | Group ID for the web container | `0` |
|
||||
| `web.containerSecurityContext.runAsNonRoot` | Set web container's Security Context runAsNonRoot | `true` |
|
||||
| `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` |
|
||||
| `web.containerSecurityContext.allowPrivilegeEscalation` | Set web container's Security Context allowPrivilegeEscalation | `false` |
|
||||
| `web.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `web.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `web.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `web.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
||||
| `web.hostAliases` | Concourse web pod host aliases | `[]` |
|
||||
| `web.podLabels` | Extra labels for Concourse web pods | `{}` |
|
||||
| `web.podAnnotations` | Annotations for Concourse web pods | `{}` |
|
||||
| `web.podAffinityPreset` | Pod affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `web.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
|
||||
| `web.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `web.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `web.nodeAffinityPreset.key` | Node label key to match. Ignored if `web.affinity` is set | `""` |
|
||||
| `web.nodeAffinityPreset.values` | Node label values to match. Ignored if `web.affinity` is set | `[]` |
|
||||
| `web.affinity` | Affinity for web pods assignment | `{}` |
|
||||
| `web.nodeSelector` | Node labels for web pods assignment | `{}` |
|
||||
| `web.tolerations` | Tolerations for web pods assignment | `[]` |
|
||||
| `web.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `web.priorityClassName` | Priority Class to use for each pod (Concourse web) | `""` |
|
||||
| `web.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `web.terminationGracePeriodSeconds` | Seconds Concourse web pod needs to terminate gracefully | `""` |
|
||||
| `web.updateStrategy.rollingUpdate` | Concourse web statefulset rolling update configuration parameters | `{}` |
|
||||
| `web.updateStrategy.type` | Concourse web statefulset strategy type | `RollingUpdate` |
|
||||
| `web.lifecycleHooks` | lifecycleHooks for the Concourse web container(s) | `{}` |
|
||||
| `web.extraVolumes` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
|
||||
| `web.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse web container(s) | `[]` |
|
||||
| `web.sidecars` | Add additional sidecar containers to the Concourse web pod(s) | `[]` |
|
||||
| `web.initContainers` | Add additional init containers to the Concourse web pod(s) | `[]` |
|
||||
| `web.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
|
||||
| `web.rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
||||
| `web.rbac.rules` | Custom RBAC rules to set | `[]` |
|
||||
| `web.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `web.serviceAccount.name` | Override Web service account name | `""` |
|
||||
| `web.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `web.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
|
||||
### Concourse Worker parameters
|
||||
|
||||
| Name | Description | Value |
|
||||
| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- |
|
||||
| `worker.enabled` | Enable Concourse worker nodes | `true` |
|
||||
| `worker.runtime` | Set CONCURSE_RUNTIME in worker nodes. Please note the default runtime (guardian) only supports cgroupsv1. | `containerd` |
|
||||
| `worker.logLevel` | Minimum level of logs to see. Possible options: debug, info, error | `debug` |
|
||||
| `worker.bindIp` | IP address on which to listen for the Garden server. | `127.0.0.1` |
|
||||
| `worker.tsa.hosts` | TSA host(s) to forward the worker through | `[]` |
|
||||
| `worker.existingSecret` | name of an existing secret resource containing the keys and the pub | `""` |
|
||||
| `worker.baggageclaim.logLevel` | Minimum level of logs to see. Allowed values: `debug`, `info`, and `error` | `info` |
|
||||
| `worker.baggageclaim.bindIp` | IP address on which to listen for API traffic | `127.0.0.1` |
|
||||
| `worker.baggageclaim.debugBindIp` | IP address on which to listen for the pprof debugger endpoints | `127.0.0.1` |
|
||||
| `worker.baggageclaim.disableUserNamespaces` | Disable remapping of user/group IDs in unprivileged volumes | `""` |
|
||||
| `worker.baggageclaim.volumes` | Directory in which to place volume data | `""` |
|
||||
| `worker.baggageclaim.driver` | Driver to use for managing volumes. Allowed values: `detect`, `naive`, `btrfs`, and `overlay` | `""` |
|
||||
| `worker.baggageclaim.btrfsBin` | Path to btrfs binary | `btrfs` |
|
||||
| `worker.baggageclaim.mkfsBin` | Path to mkfs.btrfs binary | `mkfs.btrfs` |
|
||||
| `worker.baggageclaim.overlaysDir` | Path to directory in which to store overlay data | `""` |
|
||||
| `worker.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `worker.args` | Override worker default args | `[]` |
|
||||
| `worker.replicaCount` | Number of worker replicas | `2` |
|
||||
| `worker.mode` | Selects kind of Deployment. Allowed values: `deployment` or `statefulset` | `deployment` |
|
||||
| `worker.containerPorts.garden` | Concourse worker Garden server container port | `7777` |
|
||||
| `worker.containerPorts.health` | Concourse worker health-check container port | `8888` |
|
||||
| `worker.containerPorts.baggageclaim` | Concourse worker baggageclaim API container port | `7788` |
|
||||
| `worker.containerPorts.pprof` | Concourse worker baggageclaim pprof server container port | `7787` |
|
||||
| `worker.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `worker.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `worker.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `worker.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
|
||||
| `worker.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `worker.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
|
||||
| `worker.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `worker.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `worker.livenessProbe.enabled` | Enable livenessProbe on Concourse worker containers | `true` |
|
||||
| `worker.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `worker.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
|
||||
| `worker.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
|
||||
| `worker.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
|
||||
| `worker.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `worker.readinessProbe.enabled` | Enable readinessProbe on Concourse worker containers | `true` |
|
||||
| `worker.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `worker.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
|
||||
| `worker.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
|
||||
| `worker.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
|
||||
| `worker.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `worker.startupProbe.enabled` | Enable startupProbe on Concourse worker containers | `false` |
|
||||
| `worker.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `worker.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `worker.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `worker.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `worker.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` |
|
||||
| `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `worker.podSecurityContext.enabled` | Enabled worker pods' Security Context | `true` |
|
||||
| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `worker.podSecurityContext.fsGroup` | Set worker pod's Security Context fsGroup | `1001` |
|
||||
| `worker.containerSecurityContext.enabled` | Enabled worker containers' Security Context | `true` |
|
||||
| `worker.containerSecurityContext.privileged` | Set worker containers' Security Context with privileged or not | `true` |
|
||||
| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `worker.containerSecurityContext.runAsUser` | Set worker containers' Security Context user | `0` |
|
||||
| `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `worker.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
||||
| `worker.hostAliases` | Concourse worker pod host aliases | `[]` |
|
||||
| `worker.podLabels` | Custom labels for Concourse worker pods | `{}` |
|
||||
| `worker.podAnnotations` | Annotations for Concourse worker pods | `{}` |
|
||||
| `worker.podAffinityPreset` | Pod affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `worker.podAntiAffinityPreset` | Pod anti-affinity preset | `soft` |
|
||||
| `worker.nodeAffinityPreset.type` | Node affinity type | `""` |
|
||||
| `worker.nodeAffinityPreset.key` | Node label key to match | `""` |
|
||||
| `worker.nodeAffinityPreset.values` | Node label values to match | `[]` |
|
||||
| `worker.affinity` | Affinity for pod assignment | `{}` |
|
||||
| `worker.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `worker.tolerations` | Tolerations for worker pod assignment | `[]` |
|
||||
| `worker.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `worker.priorityClassName` | Priority Class to use for each pod (Concourse worker) | `""` |
|
||||
| `worker.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `worker.terminationGracePeriodSeconds` | Seconds Concourse worker pod needs to terminate gracefully | `""` |
|
||||
| `worker.podManagementPolicy` | Statefulset Pod Management Policy Type. Allowed values: `OrderedReady` or `Parallel` | `OrderedReady` |
|
||||
| `worker.updateStrategy.rollingUpdate` | Concourse worker statefulset rolling update configuration parameters | `{}` |
|
||||
| `worker.updateStrategy.type` | Concourse worker statefulset strategy type | `RollingUpdate` |
|
||||
| `worker.lifecycleHooks` | for the Concourse worker container(s) to automate configuration before or after startup | `{}` |
|
||||
| `worker.extraEnvVars` | Array with extra environment variables to add to Concourse worker nodes | `[]` |
|
||||
| `worker.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse worker nodes | `""` |
|
||||
| `worker.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse worker nodes | `""` |
|
||||
| `worker.extraVolumes` | Optionally specify extra list of additional volumes for the Concourse worker pod(s) | `[]` |
|
||||
| `worker.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse worker container(s) | `[]` |
|
||||
| `worker.sidecars` | Add additional sidecar containers to the Concourse worker pod(s) | `[]` |
|
||||
| `worker.initContainers` | Add additional init containers to the Concourse worker pod(s) | `[]` |
|
||||
| `worker.autoscaling.enabled` | Enable autoscaling for the Concourse worker nodes | `false` |
|
||||
| `worker.autoscaling.maxReplicas` | Set maximum number of replicas to the Concourse worker nodes | `""` |
|
||||
| `worker.autoscaling.minReplicas` | Set minimum number of replicas to the Concourse worker nodes | `""` |
|
||||
| `worker.autoscaling.builtInMetrics` | Array with built-in metrics | `[]` |
|
||||
| `worker.autoscaling.customMetrics` | Array with custom metrics | `[]` |
|
||||
| `worker.pdb.create` | Create Pod disruption budget object for Concourse worker nodes | `true` |
|
||||
| `worker.pdb.minAvailable` | Minimum number / percentage of Concourse worker pods that should remain scheduled | `2` |
|
||||
| `worker.pdb.maxUnavailable` | Maximum number/percentage of Concourse worker pods that may be made unavailable | `""` |
|
||||
| `worker.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
|
||||
| `worker.persistence.enabled` | Enable Concourse worker data persistence using PVC | `true` |
|
||||
| `worker.persistence.existingClaim` | Name of an existing PVC to use | `""` |
|
||||
| `worker.persistence.storageClass` | PVC Storage Class for Concourse worker data volume | `""` |
|
||||
| `worker.persistence.accessModes` | PVC Access Mode for Concourse worker volume | `["ReadWriteOnce"]` |
|
||||
| `worker.persistence.size` | PVC Storage Request for Concourse worker volume | `8Gi` |
|
||||
| `worker.persistence.annotations` | Annotations for the PVC | `{}` |
|
||||
| `worker.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
|
||||
| `worker.rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
||||
| `worker.rbac.rules` | Custom RBAC rules to set | `[]` |
|
||||
| `worker.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `worker.serviceAccount.name` | Override worker service account name | `""` |
|
||||
| `worker.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `worker.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
| Name | Description | Value |
|
||||
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------- |
|
||||
| `worker.enabled` | Enable Concourse worker nodes | `true` |
|
||||
| `worker.runtime` | Set CONCURSE_RUNTIME in worker nodes. Please note the default runtime (guardian) only supports cgroupsv1. | `containerd` |
|
||||
| `worker.logLevel` | Minimum level of logs to see. Possible options: debug, info, error | `debug` |
|
||||
| `worker.bindIp` | IP address on which to listen for the Garden server. | `127.0.0.1` |
|
||||
| `worker.tsa.hosts` | TSA host(s) to forward the worker through | `[]` |
|
||||
| `worker.existingSecret` | name of an existing secret resource containing the keys and the pub | `""` |
|
||||
| `worker.baggageclaim.logLevel` | Minimum level of logs to see. Allowed values: `debug`, `info`, and `error` | `info` |
|
||||
| `worker.baggageclaim.bindIp` | IP address on which to listen for API traffic | `127.0.0.1` |
|
||||
| `worker.baggageclaim.debugBindIp` | IP address on which to listen for the pprof debugger endpoints | `127.0.0.1` |
|
||||
| `worker.baggageclaim.disableUserNamespaces` | Disable remapping of user/group IDs in unprivileged volumes | `""` |
|
||||
| `worker.baggageclaim.volumes` | Directory in which to place volume data | `""` |
|
||||
| `worker.baggageclaim.driver` | Driver to use for managing volumes. Allowed values: `detect`, `naive`, `btrfs`, and `overlay` | `""` |
|
||||
| `worker.baggageclaim.btrfsBin` | Path to btrfs binary | `btrfs` |
|
||||
| `worker.baggageclaim.mkfsBin` | Path to mkfs.btrfs binary | `mkfs.btrfs` |
|
||||
| `worker.baggageclaim.overlaysDir` | Path to directory in which to store overlay data | `""` |
|
||||
| `worker.command` | Override default container command (useful when using custom images) | `[]` |
|
||||
| `worker.args` | Override worker default args | `[]` |
|
||||
| `worker.replicaCount` | Number of worker replicas | `2` |
|
||||
| `worker.mode` | Selects kind of Deployment. Allowed values: `deployment` or `statefulset` | `deployment` |
|
||||
| `worker.containerPorts.garden` | Concourse worker Garden server container port | `7777` |
|
||||
| `worker.containerPorts.health` | Concourse worker health-check container port | `8888` |
|
||||
| `worker.containerPorts.baggageclaim` | Concourse worker baggageclaim API container port | `7788` |
|
||||
| `worker.containerPorts.pprof` | Concourse worker baggageclaim pprof server container port | `7787` |
|
||||
| `worker.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
|
||||
| `worker.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
|
||||
| `worker.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
|
||||
| `worker.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
|
||||
| `worker.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
|
||||
| `worker.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
|
||||
| `worker.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `worker.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
|
||||
| `worker.livenessProbe.enabled` | Enable livenessProbe on Concourse worker containers | `true` |
|
||||
| `worker.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` |
|
||||
| `worker.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
|
||||
| `worker.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `3` |
|
||||
| `worker.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `1` |
|
||||
| `worker.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
|
||||
| `worker.readinessProbe.enabled` | Enable readinessProbe on Concourse worker containers | `true` |
|
||||
| `worker.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `10` |
|
||||
| `worker.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `15` |
|
||||
| `worker.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` |
|
||||
| `worker.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `1` |
|
||||
| `worker.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
|
||||
| `worker.startupProbe.enabled` | Enable startupProbe on Concourse worker containers | `false` |
|
||||
| `worker.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
|
||||
| `worker.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` |
|
||||
| `worker.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
|
||||
| `worker.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` |
|
||||
| `worker.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
|
||||
| `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
|
||||
| `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
|
||||
| `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
|
||||
| `worker.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). | `none` |
|
||||
| `worker.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
|
||||
| `worker.podSecurityContext.enabled` | Enabled worker pods' Security Context | `true` |
|
||||
| `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
|
||||
| `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
|
||||
| `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
|
||||
| `worker.podSecurityContext.fsGroup` | Set worker pod's Security Context fsGroup | `1001` |
|
||||
| `worker.containerSecurityContext.enabled` | worker container securityContext | `true` |
|
||||
| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
|
||||
| `worker.containerSecurityContext.runAsUser` | User ID for the worker container | `0` |
|
||||
| `worker.containerSecurityContext.runAsGroup` | Group ID for the worker container | `0` |
|
||||
| `worker.containerSecurityContext.runAsNonRoot` | Set worker container's Security Context runAsNonRoot | `false` |
|
||||
| `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `true` |
|
||||
| `worker.containerSecurityContext.allowPrivilegeEscalation` | Set worker container's Security Context allowPrivilegeEscalation | `true` |
|
||||
| `worker.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` |
|
||||
| `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
|
||||
| `worker.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
|
||||
| `worker.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
|
||||
| `worker.hostAliases` | Concourse worker pod host aliases | `[]` |
|
||||
| `worker.podLabels` | Custom labels for Concourse worker pods | `{}` |
|
||||
| `worker.podAnnotations` | Annotations for Concourse worker pods | `{}` |
|
||||
| `worker.podAffinityPreset` | Pod affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard` | `""` |
|
||||
| `worker.podAntiAffinityPreset` | Pod anti-affinity preset | `soft` |
|
||||
| `worker.nodeAffinityPreset.type` | Node affinity type | `""` |
|
||||
| `worker.nodeAffinityPreset.key` | Node label key to match | `""` |
|
||||
| `worker.nodeAffinityPreset.values` | Node label values to match | `[]` |
|
||||
| `worker.affinity` | Affinity for pod assignment | `{}` |
|
||||
| `worker.nodeSelector` | Node labels for pod assignment | `{}` |
|
||||
| `worker.tolerations` | Tolerations for worker pod assignment | `[]` |
|
||||
| `worker.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` |
|
||||
| `worker.priorityClassName` | Priority Class to use for each pod (Concourse worker) | `""` |
|
||||
| `worker.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` |
|
||||
| `worker.terminationGracePeriodSeconds` | Seconds Concourse worker pod needs to terminate gracefully | `""` |
|
||||
| `worker.podManagementPolicy` | Statefulset Pod Management Policy Type. Allowed values: `OrderedReady` or `Parallel` | `OrderedReady` |
|
||||
| `worker.updateStrategy.rollingUpdate` | Concourse worker statefulset rolling update configuration parameters | `{}` |
|
||||
| `worker.updateStrategy.type` | Concourse worker statefulset strategy type | `RollingUpdate` |
|
||||
| `worker.lifecycleHooks` | for the Concourse worker container(s) to automate configuration before or after startup | `{}` |
|
||||
| `worker.extraEnvVars` | Array with extra environment variables to add to Concourse worker nodes | `[]` |
|
||||
| `worker.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for Concourse worker nodes | `""` |
|
||||
| `worker.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for Concourse worker nodes | `""` |
|
||||
| `worker.extraVolumes` | Optionally specify extra list of additional volumes for the Concourse worker pod(s) | `[]` |
|
||||
| `worker.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Concourse worker container(s) | `[]` |
|
||||
| `worker.sidecars` | Add additional sidecar containers to the Concourse worker pod(s) | `[]` |
|
||||
| `worker.initContainers` | Add additional init containers to the Concourse worker pod(s) | `[]` |
|
||||
| `worker.autoscaling.enabled` | Enable autoscaling for the Concourse worker nodes | `false` |
|
||||
| `worker.autoscaling.maxReplicas` | Set maximum number of replicas to the Concourse worker nodes | `""` |
|
||||
| `worker.autoscaling.minReplicas` | Set minimum number of replicas to the Concourse worker nodes | `""` |
|
||||
| `worker.autoscaling.builtInMetrics` | Array with built-in metrics | `[]` |
|
||||
| `worker.autoscaling.customMetrics` | Array with custom metrics | `[]` |
|
||||
| `worker.pdb.create` | Create Pod disruption budget object for Concourse worker nodes | `true` |
|
||||
| `worker.pdb.minAvailable` | Minimum number / percentage of Concourse worker pods that should remain scheduled | `2` |
|
||||
| `worker.pdb.maxUnavailable` | Maximum number/percentage of Concourse worker pods that may be made unavailable | `""` |
|
||||
| `worker.psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` |
|
||||
| `worker.persistence.enabled` | Enable Concourse worker data persistence using PVC | `true` |
|
||||
| `worker.persistence.existingClaim` | Name of an existing PVC to use | `""` |
|
||||
| `worker.persistence.storageClass` | PVC Storage Class for Concourse worker data volume | `""` |
|
||||
| `worker.persistence.accessModes` | PVC Access Mode for Concourse worker volume | `["ReadWriteOnce"]` |
|
||||
| `worker.persistence.size` | PVC Storage Request for Concourse worker volume | `8Gi` |
|
||||
| `worker.persistence.annotations` | Annotations for the PVC | `{}` |
|
||||
| `worker.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` |
|
||||
| `worker.rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
||||
| `worker.rbac.rules` | Custom RBAC rules to set | `[]` |
|
||||
| `worker.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
|
||||
| `worker.serviceAccount.name` | Override worker service account name | `""` |
|
||||
| `worker.serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
|
||||
| `worker.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
|
||||
|
||||
### Traffic exposure parameters
|
||||
|
||||
|
||||
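Review bot: The new description for `worker.containerSecurityContext.enabled` in the worker table, "worker container securityContext", no longer says what the flag does, whereas the row it replaces read "Enabled worker containers' Security Context"; wording such as "Enable worker container securityContext" keeps the meaning. In the same group of rows, `worker.containerSecurityContext.readOnlyRootFilesystem` is described as "Set container's Security Context readOnlyRootFilesystem" while its neighbours say "Set worker container's ...", and with a documented default of `false` the description should state that a read-only root filesystem is opt-in. The same wording appears in the `@param` comments of the values hunks, so it needs fixing in both places.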
@@ -522,15 +522,28 @@ web:
|
||||
fsGroup: 1001
|
||||
## Configure Container Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param web.containerSecurityContext.enabled Enabled web containers' Security Context
|
||||
## @param web.containerSecurityContext.enabled web container securityContext
|
||||
## @param web.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param web.containerSecurityContext.runAsUser Set web containers' Security Context runAsUser
|
||||
## @param web.containerSecurityContext.runAsUser User ID for the web container
|
||||
## @param web.containerSecurityContext.runAsGroup Group ID for the web container
|
||||
## @param web.containerSecurityContext.runAsNonRoot Set web container's Security Context runAsNonRoot
|
||||
## @param web.containerSecurityContext.privileged Set web container's Security Context privileged
|
||||
## @param web.containerSecurityContext.allowPrivilegeEscalation Set web container's Security Context allowPrivilegeEscalation
|
||||
## @param web.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
## @param web.containerSecurityContext.capabilities.drop List of capabilities to be dropped
|
||||
## @param web.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 1001
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: true
|
||||
privileged: false
|
||||
allowPrivilegeEscalation: false
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
## @param web.automountServiceAccountToken Mount Service Account token in pod
|
||||
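Review bot: `readOnlyRootFilesystem: false` in `web.containerSecurityContext` leaves the root filesystem writable by default in a block that is otherwise restrictive (`runAsNonRoot: true`, `privileged: false`, `allowPrivilegeEscalation: false`, `drop: ["ALL"]`). If the web container can run with it set to `true`, make that the default; if it cannot, add a comment on the key naming the paths that must stay writable, so operators know what to mount before enabling it. Separately, the `ref:` link above the block points at the `#set-the-security-context-for-a-pod` anchor although the heading is "Configure Container Security Context".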
@@ -887,17 +900,28 @@ worker:
|
||||
fsGroup: 1001
|
||||
## Configure Container Security Context
|
||||
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
|
||||
## @param worker.containerSecurityContext.enabled Enabled worker containers' Security Context
|
||||
## @param worker.containerSecurityContext.privileged Set worker containers' Security Context with privileged or not
|
||||
## @param worker.containerSecurityContext.enabled worker container securityContext
|
||||
## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
|
||||
## @param worker.containerSecurityContext.runAsUser Set worker containers' Security Context user
|
||||
## @param worker.containerSecurityContext.runAsUser User ID for the worker container
|
||||
## @param worker.containerSecurityContext.runAsGroup Group ID for the worker container
|
||||
## @param worker.containerSecurityContext.runAsNonRoot Set worker container's Security Context runAsNonRoot
|
||||
## @param worker.containerSecurityContext.privileged Set worker container's Security Context privileged
|
||||
## @param worker.containerSecurityContext.allowPrivilegeEscalation Set worker container's Security Context allowPrivilegeEscalation
|
||||
## @param worker.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
|
||||
## @param worker.containerSecurityContext.capabilities.drop List of capabilities to be dropped
|
||||
## @param worker.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
|
||||
##
|
||||
containerSecurityContext:
|
||||
enabled: true
|
||||
privileged: true
|
||||
seLinuxOptions: null
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
runAsNonRoot: false
|
||||
privileged: true
|
||||
allowPrivilegeEscalation: true
|
||||
readOnlyRootFilesystem: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
## @param worker.automountServiceAccountToken Mount Service Account token in pod
|
||||
|
||||
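Review bot: In `worker.containerSecurityContext`, `capabilities.drop: ["ALL"]` and `seccompProfile.type: "RuntimeDefault"` sit beside `privileged: true`, and Kubernetes gives a privileged container all capabilities and runs it with seccomp unconfined, so these two defaults restrict nothing as shipped. Add a comment above the block saying that the worker runs privileged as root (`runAsUser: 0`, `allowPrivilegeEscalation: true`) and that the drop list and seccomp profile only take effect once `privileged` is set to `false`, so the values are not read as confinement.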