## @section Global parameters ## Global Docker image parameters ## Please, note that this will override the image parameters, including dependencies, configured to use the global value ## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass ## @param global.imageRegistry Global Docker image registry ## @param global.imagePullSecrets Global Docker registry secret names as an array ## @param global.storageClass Global StorageClass for Persistent Volume(s) ## global: imageRegistry: "" ## E.g. ## imagePullSecrets: ## - myRegistryKeySecretName ## imagePullSecrets: [] storageClass: "" ## @section Common parameters ## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ## kubeVersion: "" ## @param nameOverride Release name override ## nameOverride: "" ## @param fullnameOverride Release full name override ## fullnameOverride: "" ## @param commonLabels Labels to add to all deployed objects ## commonLabels: {} ## @param commonAnnotations Annotations to add to all deployed objects ## commonAnnotations: {} ## @param extraDeploy Array of extra objects to deploy with the release ## extraDeploy: [] ## Enable diagnostic mode in the deployment(s)/statefulset(s) ## diagnosticMode: ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) ## enabled: false ## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s) ## command: - sleep ## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s) ## args: - infinity ## @section kiam image parameters ## @param image.registry kiam image registry ## @param image.repository kiam image name ## @param image.tag kiam image tag ## @param image.pullPolicy kiam image pull policy ## @param image.pullSecrets Specify docker-registry secret names as an array ## image: registry: docker.io repository: bitnami/kiam tag: 4.2.0-debian-11-r0 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images ## pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## Example: ## pullSecrets: ## - myRegistryKeySecretName ## pullSecrets: [] ## @section kiam server parameters ## kiam server properties ## server: ## @param server.enabled Deploy the kiam server ## enabled: true ## @param server.containerPort HTTPS port to expose at container level ## containerPort: 8443 ## @param server.resourceType Specify how to deploy the server (allowed values: `daemonset` and `deployment`) ## resourceType: daemonset ## @param server.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] ## @param server.useHostNetwork Use host networking (ports will be directly exposed in the host) ## useHostNetwork: false ## @param server.replicaCount Number of replicas to deploy (when `server.resourceType` is `daemonset`) ## replicaCount: 1 ## @param server.logJsonOutput Use JSON format for logs ## logJsonOutput: true ## @param server.logLevel Logging level ## logLevel: info ## @param server.sslCertHostPath Path to the host system SSL certificates (necessary for contacting the AWS metadata server) ## sslCertHostPath: /etc/ssl/certs ## @param server.podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later ## @param server.podSecurityPolicy.allowedHostPaths Extra host paths to allow in the PodSecurityPolicy ## podSecurityPolicy: create: true allowedHostPaths: [] ## @param server.priorityClassName Server priorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## priorityClassName: "" ## @param server.schedulerName Name of the k8s scheduler (other than default) ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" ## @param server.topologySpreadConstraints Topology Spread Constraints for pod assignment ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## The value is evaluated as a template ## topologySpreadConstraints: [] ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param server.startupProbe.enabled Enable startupProbe ## @param server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe ## @param server.startupProbe.periodSeconds Period seconds for startupProbe ## @param server.startupProbe.timeoutSeconds Timeout seconds for startupProbe ## @param server.startupProbe.failureThreshold Failure threshold for startupProbe ## @param server.startupProbe.successThreshold Success threshold for startupProbe ## startupProbe: enabled: false initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Configure extra options for liveness probe ## @param server.livenessProbe.enabled Enable livenessProbe ## @param server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe ## @param server.livenessProbe.periodSeconds Period seconds for livenessProbe ## @param server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe ## @param server.livenessProbe.failureThreshold Failure threshold for livenessProbe ## @param server.livenessProbe.successThreshold Success threshold for livenessProbe ## livenessProbe: enabled: true initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Configure extra options for readiness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param server.readinessProbe.enabled Enable readinessProbe ## @param server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe ## @param server.readinessProbe.periodSeconds Period seconds for readinessProbe ## @param server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe ## @param server.readinessProbe.failureThreshold Failure threshold for readinessProbe ## @param server.readinessProbe.successThreshold Success threshold for readinessProbe ## readinessProbe: enabled: true initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## @param server.customStartupProbe Override default startup probe ## customStartupProbe: {} ## @param server.customLivenessProbe Override default liveness probe ## customLivenessProbe: {} ## @param server.customReadinessProbe Override default readiness probe ## customReadinessProbe: {} ## @param server.extraArgs Extra arguments to add to the default kiam command ## extraArgs: {} ## @param server.command Override kiam default command ## command: [] ## @param server.args Override kiam default args ## args: [] ## @param server.tlsFiles [object] Base64-encoded PEM values for server's CA certificate(s), certificate and private key ## tlsFiles: ca: "" cert: "" key: "" ## @param server.gatewayTimeoutCreation Timeout when creating the kiam gateway ## gatewayTimeoutCreation: 1s ## @param server.tlsSecret Name of a secret with TLS certificates for the container ## tlsSecret: "" ## @param server.dnsPolicy Pod DNS policy ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy ## dnsPolicy: Default ## @param server.roleBaseArn Base ARN for IAM roles. If not set kiam will detect it automatically ## If not specified use EC2 metadata service to detect ARN prefix ## roleBaseArn: "" ## @param server.cacheSyncInterval Cache synchronization interval ## cacheSyncInterval: 1m ## @param server.assumeRoleArn IAM role for the server to assume ## assumeRoleArn: "" ## @param server.sessionDuration Session duration for STS tokens ## sessionDuration: 15m ## @param server.tlsCerts [object] Agent TLS Certificate filenames ## tlsCerts: certFileName: cert.pem keyFileName: key.pem caFileName: ca.pem ## Kiam server resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. ## @param server.resources.limits The resources limits for the kiam container ## @param server.resources.requests The requested resources for the kiam container ## resources: ## Example: ## limits: ## cpu: 200m ## memory: 256Mi limits: {} ## Examples: ## requests: ## cpu: 200m ## memory: 10Mi requests: {} ## SecurityContext configuration ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param server.containerSecurityContext.enabled Enabled kiam server containers' Security Context ## @param server.containerSecurityContext.runAsUser Set kiam server container's Security Context runAsUser ## @param server.containerSecurityContext.runAsNonRoot Set kiam server container's Security Context runAsNonRoot ## @param server.containerSecurityContext.seLinuxOptions Set kiam server container's Security Context SE Linux options ## containerSecurityContext: enabled: true runAsUser: 1001 runAsNonRoot: true seLinuxOptions: {} ## @param server.podSecurityContext.enabled Enabled kiam server pods' Security Context ## @param server.podSecurityContext.fsGroup Set kiam server pod's Security Context fsGroup ## podSecurityContext: enabled: true fsGroup: 1001 ## @param server.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## podAffinityPreset: "" ## @param server.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## podAntiAffinityPreset: soft ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## nodeAffinityPreset: ## @param server.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## type: "" ## @param server.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. ## E.g. ## key: "kubernetes.io/e2e-az-name" ## key: "" ## @param server.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. ## E.g. ## values: ## - e2e-az1 ## - e2e-az2 ## values: [] ## @param server.affinity Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} ## @param server.nodeSelector Node labels for pod assignment ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## @param server.tolerations Tolerations for pod assignment ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] ## @param server.podLabels Extra labels for kiam pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} ## @param server.podAnnotations Annotations for kiam pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} ## @param server.lifecycleHooks lifecycleHooks for the kiam server container to automate configuration before or after startup. ## lifecycleHooks: {} ## @param server.updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will ## terminate the single previous pod, so that the new, incoming pod can attach to the PV ## updateStrategy: type: RollingUpdate ## @param server.extraEnvVars Array containing extra env vars to configure kiam server ## For example: ## - name: BEARER_AUTH ## value: true ## extraEnvVars: [] ## @param server.extraEnvVarsCM ConfigMap containing extra env vars to configure kiam server ## extraEnvVarsCM: "" ## @param server.extraEnvVarsSecret Secret containing extra env vars to configure kiam server (in case of sensitive data) ## extraEnvVarsSecret: "" ## @param server.extraVolumes Optionally specify extra list of additional volumes for kiam pods ## extraVolumes: [] ## @param server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for kiam container(s) ## extraVolumeMounts: [] ## @param server.initContainers Add additional init containers to the kiam pods ## Example: ## initContainers: ## - name: your-image-name ## image: your-image ## imagePullPolicy: Always ## ports: ## - name: portname ## containerPort: 1234 ## initContainers: [] ## @param server.sidecars Add additional sidecar containers to the kiam pods ## Example: ## sidecars: ## - name: your-image-name ## image: your-image ## imagePullPolicy: Always ## ports: ## - name: portname ## containerPort: 1234 ## sidecars: [] ## @section kiam server exposure parameters ## Service configuration ## service: ## @param server.service.type Kubernetes service type ## type: ClusterIP ## @param server.service.port Service grpc-lb port ## port: 8443 ## @param server.service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types. ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport ## nodePorts: http: "" metrics: "" ## @param server.service.clusterIP kiam service clusterIP IP ## clusterIP: None ## @param server.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer ## loadBalancerIP: "" ## @param server.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## Example: ## loadBalancerSourceRanges: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] ## @param server.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) ## extraPorts: [] ## @param server.service.externalTrafficPolicy Enable client source IP preservation ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster ## @param server.service.annotations Annotations for kiam service ## annotations: {} ## @param server.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" ## If "ClientIP", consecutive client requests will be directed to the same Pod ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies ## sessionAffinity: None ## @param server.service.sessionAffinityConfig Additional settings for the sessionAffinity ## sessionAffinityConfig: ## clientIP: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} ## @section kiam server Service Account parameters ## Kiam server Service Account ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param server.serviceAccount.create Specifies whether a ServiceAccount should be created ## @param server.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. ## @param server.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## @param server.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. ## serviceAccount: create: true name: "" automountServiceAccountToken: true annotations: {} ## @section kiam server metrics parameters metrics: ## @param server.metrics.enabled Enable exposing kiam statistics ## enabled: false ## @param server.metrics.port Metrics port ## port: 9621 ## @param server.metrics.syncInterval Metrics synchronization interval statistics ## syncInterval: 5s ## @param server.metrics.annotations [object] Annotations for enabling prometheus to access the metrics endpoints ## annotations: prometheus.io/scrape: "true" prometheus.io/port: '{{ .Values.server.metrics.port }}' ## Prometheus Operator ServiceMonitor configuration ## serviceMonitor: ## @param server.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator ## enabled: false ## @param server.metrics.serviceMonitor.namespace Namespace in which Prometheus is running ## namespace: "" ## @param server.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. ## jobLabel: "" ## @param server.metrics.serviceMonitor.interval Interval at which metrics should be scraped ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint ## interval: 30s ## @param server.metrics.serviceMonitor.metricRelabelings Specify Metric Relabellings to add to the scrape endpoint ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint ## metricRelabelings: [] ## @param server.metrics.serviceMonitor.relabelings Specify Relabelings to add to the scrape endpoint ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint ## relabelings: [] ## @param server.metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint ## scrapeTimeout: "" ## @param server.metrics.serviceMonitor.selector metrics service selector ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ## selector: {} ## @param server.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor ## labels: {} ## @param server.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels ## honorLabels: false ## @section kiam agent parameters ## kiam agent properties ## agent: ## @param agent.enabled Deploy the kiam agent ## enabled: true ## Logging settings ## @param agent.logJsonOutput Use JSON format for logs ## @param agent.logLevel Logging level ## logJsonOutput: true logLevel: info ## @param agent.priorityClassName Server priorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## priorityClassName: "" ## @param agent.schedulerName Name of the k8s scheduler (other than default) ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## schedulerName: "" ## @param agent.topologySpreadConstraints Topology Spread Constraints for pod assignment ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ ## The value is evaluated as a template ## topologySpreadConstraints: [] ## @param agent.allowRouteRegExp Regexp with the allowed paths for agents to redirect ## allowRouteRegExp: "" ## @param agent.hostAliases Add deployment host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] ## Host networking settings ## @param agent.containerPort HTTPS port to expose at container level ## @param agent.iptables Have the agent modify the host iptables rules ## @param agent.iptablesRemoveOnShutdown Remove iptables rules when shutting down the agent node ## @param agent.hostInterface Interface for agents for redirecting requests ## containerPort: 8183 iptables: false ## Do not remove iptables forwarding rules when kiam-agent terminates ## needed for RollingUpdate strategy and for security reasons iptablesRemoveOnShutdown: false hostInterface: cali+ ## gRPC keepalive variables ## @param agent.keepaliveParams.permitWithoutStream Permit keepalive without stream ## @param agent.keepaliveParams.time Keepalive time ## @param agent.keepaliveParams.timeout Keepalive timeout ## keepaliveParams: time: "" timeout: "" permitWithoutStream: false ## @param agent.enableDeepProbe Use the probes using the `/health` endpoint ## able to communicate with servers, which may happen on ## certificate change ## enableDeepProbe: false ## @param agent.dnsPolicy Pod DNS policy ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy ## dnsPolicy: ClusterFirstWithHostNet ## @param agent.sslCertHostPath Path to the host system SSL certificates (necessary for contacting the AWS metadata agent) ## sslCertHostPath: /etc/ssl/certs ## @param agent.tlsFiles [object] Base64-encoded PEM values for server's CA certificate(s), certificate and private key ## tlsFiles: ca: "" cert: "" key: "" ## @param agent.podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later ## @param agent.podSecurityPolicy.allowedHostPaths Extra host paths to allow in the PodSecurityPolicy ## podSecurityPolicy: create: true allowedHostPaths: [] ## @param agent.tlsSecret Name of a secret with TLS certificates for the container ## tlsSecret: "" ## @param agent.useHostNetwork Use host networking (ports will be directly exposed in the host) ## This is necessary for intercepting the metadata URL for nodes. ## useHostNetwork: true ## @param agent.tlsCerts [object] Agent TLS Certificate filenames ## tlsCerts: certFileName: cert.pem keyFileName: key.pem caFileName: ca.pem ## Configure extra options for startup probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param agent.startupProbe.enabled Enable startupProbe ## @param agent.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe ## @param agent.startupProbe.periodSeconds Period seconds for startupProbe ## @param agent.startupProbe.timeoutSeconds Timeout seconds for startupProbe ## @param agent.startupProbe.failureThreshold Failure threshold for startupProbe ## @param agent.startupProbe.successThreshold Success threshold for startupProbe ## startupProbe: enabled: false initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Configure extra options for liveness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param agent.livenessProbe.enabled Enable livenessProbe ## @param agent.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe ## @param agent.livenessProbe.periodSeconds Period seconds for livenessProbe ## @param agent.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe ## @param agent.livenessProbe.failureThreshold Failure threshold for livenessProbe ## @param agent.livenessProbe.successThreshold Success threshold for livenessProbe ## livenessProbe: enabled: true initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Configure extra options for readiness probe ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @param agent.readinessProbe.enabled Enable readinessProbe ## @param agent.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe ## @param agent.readinessProbe.periodSeconds Period seconds for readinessProbe ## @param agent.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe ## @param agent.readinessProbe.failureThreshold Failure threshold for readinessProbe ## @param agent.readinessProbe.successThreshold Success threshold for readinessProbe ## readinessProbe: enabled: true initialDelaySeconds: 5 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## @param agent.customStartupProbe Override default startup probe ## customStartupProbe: {} ## @param agent.customLivenessProbe Override default liveness probe ## customLivenessProbe: {} ## @param agent.customReadinessProbe Override default readiness probe ## customReadinessProbe: {} ## @param agent.extraArgs Extra arguments to add to the default kiam command ## extraArgs: {} ## @param agent.gatewayTimeoutCreation Timeout when creating the kiam gateway ## gatewayTimeoutCreation: 1s ## @param agent.command Override kiam default command ## command: [] ## @param agent.args Override kiam default args ## args: [] ## Container resource requests and limits ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. ## @param agent.resources.limits The resources limits for the kiam container ## @param agent.resources.requests The requested resources for the kiam container ## resources: ## Example: ## limits: ## cpu: 200m ## memory: 256Mi limits: {} ## Examples: ## requests: ## cpu: 200m ## memory: 10Mi requests: {} ## SecurityContext configuration ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param agent.containerSecurityContext.enabled Enabled agent containers' Security Context ## @param agent.containerSecurityContext.runAsUser Set agent container's Security Context runAsUser ## @param agent.containerSecurityContext.runAsNonRoot Set agent container's Security Context runAsNonRoot ## @param agent.containerSecurityContext.seLinuxOptions [object] Set agent container's Security Context SE Linux options ## @param agent.containerSecurityContext.capabilities.add Add capabilities for the securityContext ## containerSecurityContext: enabled: true runAsUser: 0 runAsNonRoot: false seLinuxOptions: {} capabilities: add: - NET_ADMIN ## @param agent.podSecurityContext.enabled Enabled agent pods' Security Context ## @param agent.podSecurityContext.fsGroup Set agent pod's Security Context fsGroup ## podSecurityContext: enabled: true fsGroup: 1001 ## @param agent.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## podAffinityPreset: "" ## @param agent.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## podAntiAffinityPreset: soft ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## nodeAffinityPreset: ## @param agent.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` ## type: "" ## @param agent.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set. ## E.g. ## key: "kubernetes.io/e2e-az-name" ## key: "" ## @param agent.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. ## E.g. ## values: ## - e2e-az1 ## - e2e-az2 ## values: [] ## @param agent.affinity Affinity for pod assignment ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} ## @param agent.nodeSelector Node labels for pod assignment ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} ## @param agent.tolerations Tolerations for pod assignment ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] ## @param agent.podLabels Extra labels for kiam pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} ## @param agent.podAnnotations Annotations for kiam pods ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} ## @param agent.lifecycleHooks LifecycleHooks to set additional configuration at startup. ## lifecycleHooks: {} ## @param agent.updateStrategy.type Update strategy - only really applicable for deployments with RWO PVs attached ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will ## terminate the single previous pod, so that the new, incoming pod can attach to the PV ## updateStrategy: type: RollingUpdate ## @param agent.extraEnvVars Array containing extra env vars to configure kiam agent ## For example: ## - name: BEARER_AUTH ## value: true ## extraEnvVars: [] ## @param agent.extraEnvVarsCM ConfigMap containing extra env vars to configure kiam agent ## extraEnvVarsCM: "" ## @param agent.extraEnvVarsSecret Secret containing extra env vars to configure kiam agent (in case of sensitive data) ## extraEnvVarsSecret: "" ## @param agent.extraVolumes Optionally specify extra list of additional volumes for kiam pods ## extraVolumes: [] ## @param agent.extraVolumeMounts Optionally specify extra list of additional volumeMounts for kiam container(s) ## extraVolumeMounts: [] ## @param agent.initContainers Add additional init containers to the kiam pods ## Example: ## initContainers: ## - name: your-image-name ## image: your-image ## imagePullPolicy: Always ## ports: ## - name: portname ## containerPort: 1234 ## initContainers: [] ## @param agent.sidecars Add additional sidecar containers to the kiam pods ## Example: ## sidecars: ## - name: your-image-name ## image: your-image ## imagePullPolicy: Always ## ports: ## - name: portname ## containerPort: 1234 ## sidecars: [] ## @section kiam agent exposure parameters ## Service configuration (essentially for metrics) ## service: ## @param agent.service.type Kubernetes service type ## type: ClusterIP ## @param agent.service.nodePorts [object] Specify the nodePort values for the LoadBalancer and NodePort service types. ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport ## nodePorts: metrics: "" ## @param agent.service.clusterIP kiam service clusterIP IP ## clusterIP: "" ## @param agent.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` ## ref: https://kubernetes.io/docs/user-guide/services/#type-loadbalancer ## loadBalancerIP: "" ## @param agent.service.loadBalancerSourceRanges Address that are allowed when service is LoadBalancer ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service ## Example: ## loadBalancerSourceRanges: ## - 10.10.10.0/24 ## loadBalancerSourceRanges: [] ## @param agent.service.externalTrafficPolicy Enable client source IP preservation ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster ## @param agent.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) ## extraPorts: [] ## @param agent.service.annotations Annotations for kiam service ## annotations: {} ## @param agent.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" ## If "ClientIP", consecutive client requests will be directed to the same Pod ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies ## sessionAffinity: None ## @param agent.service.sessionAffinityConfig Additional settings for the sessionAffinity ## sessionAffinityConfig: ## clientIP: ## timeoutSeconds: 300 ## sessionAffinityConfig: {} ## @section kiam agent Service Account parameters ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ ## @param agent.serviceAccount.create Specifies whether a ServiceAccount should be created ## @param agent.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template. ## @param agent.serviceAccount.automountServiceAccountToken Automount service account token for the server service account ## @param agent.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`. ## serviceAccount: create: true name: "" automountServiceAccountToken: true annotations: {} ## @section kiam agent metrics parameters metrics: ## @param agent.metrics.enabled Enable exposing kiam statistics ## enabled: false ## @param agent.metrics.port Service HTTP management port ## port: 9620 ## @param agent.metrics.syncInterval Metrics synchronization interval statistics ## syncInterval: 5s ## @param agent.metrics.annotations [object] Annotations for enabling prometheus to access the metrics endpoints ## annotations: prometheus.io/scrape: "true" prometheus.io/port: '{{ .Values.agent.metrics.port }}' ## Prometheus Operator ServiceMonitor configuration ## serviceMonitor: ## @param agent.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator ## enabled: false ## @param agent.metrics.serviceMonitor.namespace Namespace which Prometheus is running in ## namespace: "" ## @param agent.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. ## jobLabel: "" ## @param agent.metrics.serviceMonitor.interval Interval at which metrics should be scraped ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint ## interval: 30s ## @param agent.metrics.serviceMonitor.metricRelabelings Specify Metric Relabelings to add to the scrape endpoint ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint ## metricRelabelings: [] ## @param agent.metrics.serviceMonitor.relabelings Specify Relabelings to add to the scrape endpoint ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmetricsendpoint ## relabelings: [] ## @param agent.metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint ## scrapeTimeout: "" ## @param agent.metrics.serviceMonitor.selector metrics service selector ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ## selector: {} ## @param agent.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor ## labels: {} ## @param agent.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels ## honorLabels: false ## @section RBAC parameters ## Specifies whether RBAC resources should be created ## @param rbac.create Whether to create and use RBAC resources or not ## rbac: create: true