mirror of
https://github.com/bitnami/charts.git
synced 2026-03-08 17:27:20 +08:00
496 lines
13 KiB
YAML
496 lines
13 KiB
YAML
## Global Docker image parameters
|
|
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
|
|
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
|
|
##
|
|
# global:
|
|
# imageRegistry: myRegistryName
|
|
# imagePullSecrets:
|
|
# - myRegistryKeySecretName
|
|
# storageClass: myStorageClass
|
|
|
|
## Bitnami EJBCA image version
|
|
## ref: https://hub.docker.com/r/bitnami/ejbca/tags/
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: bitnami/ejbca
|
|
tag: 6.15.2-6-debian-10-r194
|
|
## Specify a imagePullPolicy
|
|
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
|
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
|
|
##
|
|
pullPolicy: IfNotPresent
|
|
## Optionally specify an array of imagePullSecrets.
|
|
## Secrets must be manually created in the namespace.
|
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
##
|
|
# pullSecrets:
|
|
# - myRegistryKeySecretName
|
|
## Set to true if you would like to see extra information on logs
|
|
##
|
|
|
|
## Force target Kubernetes version (using Helm capabilites if not set)
|
|
##
|
|
kubeVersion:
|
|
|
|
## String to partially override ebjca.fullname template (will maintain the release name)
|
|
##
|
|
# nameOverride:
|
|
|
|
## String to fully override ebjca.fullname template
|
|
##
|
|
# fullnameOverride:
|
|
|
|
## Deployment pod host aliases
|
|
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
|
|
##
|
|
hostAliases: []
|
|
|
|
## Number of EJBCA replicas to deploy.
|
|
##
|
|
replicaCount: 1
|
|
|
|
## Admin of the application
|
|
## ref: https://github.com/bitnami/bitnami-docker-ejbca#environment-variables
|
|
##
|
|
ejbcaAdminUsername: bitnami
|
|
|
|
## Password for the administrator account
|
|
## If the password is not specified, a random one will be generated
|
|
##
|
|
# ejbcaAdminPassword:
|
|
|
|
## Alternatively, you can provide the name of an existing secret containing
|
|
## a key named "ejbca-admin-password"
|
|
## NOTE: This will override the password defined at ejbcaAdminPassword
|
|
##
|
|
# existingSecret:
|
|
|
|
## Options used to launch the WildFly server
|
|
## E.g. ejbcaJavaOpts: "-Xms2048m -Xmx2048m"
|
|
# ejbcaJavaOpts:
|
|
|
|
## Details regarding the CA that EJBCA will instantiate
|
|
##
|
|
ejbcaCA:
|
|
## The name of the CA
|
|
##
|
|
name: "ManagementCA"
|
|
|
|
## The base DomainName of the CA
|
|
##
|
|
## e.g. baseDN: "O=Example CA,C=SE,UID=c-5ca04c9328c8208704310f7c2ed16414"
|
|
##
|
|
baseDN:
|
|
|
|
## Name of an existing Secret containing a Keystore object
|
|
## to be imported by EBJCA.
|
|
##
|
|
## It should contain at the following two keys:
|
|
##
|
|
## "keystore.jks" --> The actual keystore object
|
|
## "keystore-password" --> Password used to encrypt keystore.jks
|
|
##
|
|
## ejbcaKeystoreExistingSecret:
|
|
##
|
|
|
|
## Additional container environment variables
|
|
## extraEnv:
|
|
## - name:
|
|
## value:
|
|
##
|
|
extraEnv: []
|
|
|
|
## Custom command to override image cmd
|
|
##
|
|
# command: []
|
|
|
|
## Custom args for the custom command:
|
|
# args: []
|
|
|
|
## Additional volume mounts
|
|
## Example: Mount CA file
|
|
## extraVolumeMounts
|
|
## - name: ca-cert
|
|
## subPath: ca_cert
|
|
## mountPath: /path/to/ca_cert
|
|
##
|
|
extraVolumeMounts: []
|
|
|
|
## Additional volumes
|
|
## Example: Add secret volume
|
|
## extraVolumes:
|
|
## - name: ca-cert
|
|
## secret:
|
|
## secretName: ca-cert
|
|
## items:
|
|
## - key: ca-cert
|
|
## path: ca_cert
|
|
##
|
|
extraVolumes: []
|
|
|
|
## EJBCA containers' resource requests and limits
|
|
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
|
##
|
|
resources:
|
|
limits: {}
|
|
requests:
|
|
memory: 512Mi
|
|
cpu: 300m
|
|
|
|
## Pod annotations
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
|
|
##
|
|
podAnnotations: {}
|
|
|
|
## Additional pod labels
|
|
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
|
|
##
|
|
podLabels: {}
|
|
|
|
## Add labels to all the deployed resources
|
|
##
|
|
commonLabels: {}
|
|
|
|
## Add annotations to all the deployed resources
|
|
##
|
|
commonAnnotations: {}
|
|
|
|
## K8s Security Context for EJBCA pods
|
|
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
##
|
|
podSecurityContext:
|
|
enabled: true
|
|
fsGroup: 1001
|
|
|
|
## K8s Security Context for EJBCA container
|
|
##
|
|
containerSecurityContext:
|
|
enabled: true
|
|
runAsUser: 1001
|
|
|
|
## Pod affinity preset
|
|
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
podAffinityPreset: ""
|
|
|
|
## Pod anti-affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
podAntiAffinityPreset: soft
|
|
|
|
## Node affinity preset
|
|
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
|
|
## Allowed values: soft, hard
|
|
##
|
|
nodeAffinityPreset:
|
|
## Node affinity type
|
|
## Allowed values: soft, hard
|
|
##
|
|
type: ""
|
|
## Node label key to match
|
|
## E.g.
|
|
## key: "kubernetes.io/e2e-az-name"
|
|
##
|
|
key: ""
|
|
## Node label values to match
|
|
## E.g.
|
|
## values:
|
|
## - e2e-az1
|
|
## - e2e-az2
|
|
##
|
|
values: []
|
|
|
|
## Affinity for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
|
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
|
|
##
|
|
affinity: {}
|
|
|
|
## Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
|
|
## Tolerations for pod assignment
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
|
|
## EJBCA pod extra options for liveness and readiness probes
|
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
|
##
|
|
livenessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 500
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
readinessProbe:
|
|
enabled: true
|
|
initialDelaySeconds: 500
|
|
periodSeconds: 10
|
|
timeoutSeconds: 5
|
|
failureThreshold: 6
|
|
successThreshold: 1
|
|
|
|
## Custom liveness and readiness probes (evaluated as a template)
|
|
##
|
|
customLivenessProbe: {}
|
|
customReadinessProbe: {}
|
|
|
|
## EJBCA Container ports to open
|
|
##
|
|
containerPorts:
|
|
http: 8080
|
|
https: 8443
|
|
|
|
## Kubernetes configuration
|
|
## For minikube, set this to NodePort, elsewhere use LoadBalancer or ClusterIP
|
|
##
|
|
service:
|
|
type: LoadBalancer
|
|
## HTTP Port
|
|
##
|
|
port: 8080
|
|
## HTTPS Port
|
|
##
|
|
# httpsPort: 8443
|
|
httpsPort: 8443
|
|
## HTTPS Advertised port
|
|
##
|
|
advertisedHttpsPort: 443
|
|
|
|
## HTTPS Target Port
|
|
## defaults to https unless overridden to the specified port.
|
|
## if you want the target port to be "http" or "80" you can specify that here.
|
|
##
|
|
httpsTargetPort: https
|
|
## Node Ports to expose
|
|
## nodePorts:
|
|
## http: <to set explicitly, choose port between 30000-32767>
|
|
## https: <to set explicitly, choose port between 30000-32767>
|
|
##
|
|
nodePorts:
|
|
http: ""
|
|
https: ""
|
|
## Enable client source IP preservation
|
|
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
|
|
##
|
|
externalTrafficPolicy: Cluster
|
|
annotations: {}
|
|
## Limits which cidr blocks can connect to service's load balancer
|
|
## Only valid if service.type: LoadBalancer
|
|
##
|
|
loadBalancerSourceRanges: []
|
|
## Extra ports to expose (normally used with the `sidecar` value)
|
|
# extraPorts:
|
|
|
|
## Configure the ingress resource that allows you to access the
|
|
## EJBCA installation. Set up the URL
|
|
## ref: http://kubernetes.io/docs/user-guide/ingress/
|
|
##
|
|
ingress:
|
|
## Set to true to enable ingress record generation
|
|
##
|
|
enabled: false
|
|
|
|
## Set this to true in order to add the corresponding annotations for cert-manager
|
|
##
|
|
certManager: false
|
|
|
|
## Ingress Path type
|
|
##
|
|
pathType: ImplementationSpecific
|
|
|
|
## Override API Version (automatically detected if not set)
|
|
##
|
|
apiVersion:
|
|
|
|
## When the ingress is enabled, a host pointing to this will be created
|
|
##
|
|
hostname: ejbca.local
|
|
|
|
## The Path to EJBCA. You may need to set this to '/*' in order to use this
|
|
## with ALB ingress controllers.
|
|
##
|
|
path: /
|
|
|
|
## Ingress annotations done as key:value pairs
|
|
## For a full list of possible ingress annotations, please see
|
|
## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
|
|
##
|
|
## If certManager is set to true, annotation kubernetes.io/tls-acme: "true" will automatically be set
|
|
##
|
|
annotations: {}
|
|
|
|
## Enable TLS configuration for the hostname defined at ingress.hostname parameter
|
|
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
|
|
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
|
|
##
|
|
tls: false
|
|
|
|
## The list of additional hostnames to be covered with this ingress record.
|
|
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
|
|
## extraHosts:
|
|
## - name: ejbca.local
|
|
## path: /
|
|
##
|
|
|
|
## Any additional arbitrary paths that may need to be added to the ingress under the main host.
|
|
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
|
|
## extraPaths:
|
|
## - path: /*
|
|
## backend:
|
|
## serviceName: ssl-redirect
|
|
## servicePort: use-annotation
|
|
##
|
|
|
|
## The tls configuration for additional hostnames to be covered with this ingress record.
|
|
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
|
|
## extraTls:
|
|
## - hosts:
|
|
## - ejbca.local
|
|
## secretName: ejbca.local-tls
|
|
##
|
|
|
|
## If you're providing your own certificates, please use this to add the certificates as secrets
|
|
## key and certificate should start with -----BEGIN CERTIFICATE----- or
|
|
## -----BEGIN RSA PRIVATE KEY-----
|
|
##
|
|
## name should line up with a tlsSecret set further up
|
|
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
|
|
##
|
|
## It is also possible to create and manage the certificates outside of this helm chart
|
|
## Please see README.md for more information
|
|
##
|
|
secrets: []
|
|
## - name: ejbca.local-tls
|
|
## key:
|
|
## certificate:
|
|
##
|
|
|
|
## Enable persistence using Persistent Volume Claims
|
|
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
##
|
|
persistence:
|
|
enabled: true
|
|
## EJBCA data Persistent Volume Storage Class
|
|
## If defined, storageClassName: <storageClass>
|
|
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
|
## If undefined (the default) or set to null, no storageClassName spec is
|
|
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
|
## GKE, AWS & OpenStack)
|
|
##
|
|
# storageClass: "-"
|
|
##
|
|
## If you want to reuse an existing claim, you can pass the name of the PVC using
|
|
## the existingClaim variable
|
|
# existingClaim: your-claim
|
|
accessMode: ReadWriteOnce
|
|
size: 2Gi
|
|
|
|
##
|
|
## MariaDB chart configuration
|
|
##
|
|
## https://github.com/bitnami/charts/blob/master/bitnami/mariadb/values.yaml
|
|
##
|
|
mariadb:
|
|
## Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
|
|
##
|
|
enabled: true
|
|
|
|
## MariaDB architecture. Allowed values: standalone or replication
|
|
##
|
|
architecture: standalone
|
|
|
|
## MariaDB Authentication parameters
|
|
##
|
|
auth:
|
|
## MariaDB root password
|
|
## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run
|
|
##
|
|
rootPassword: ""
|
|
## MariaDB custom user and database
|
|
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-on-first-run
|
|
## ref: https://github.com/bitnami/bitnami-docker-mariadb/blob/master/README.md#creating-a-database-user-on-first-run
|
|
##
|
|
database: bitnami_ejbca
|
|
username: bn_ejbca
|
|
password: ""
|
|
|
|
primary:
|
|
## Enable persistence using Persistent Volume Claims
|
|
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
##
|
|
persistence:
|
|
enabled: true
|
|
## mariadb data Persistent Volume Storage Class
|
|
## If defined, storageClassName: <storageClass>
|
|
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
|
## If undefined (the default) or set to null, no storageClassName spec is
|
|
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
|
## GKE, AWS & OpenStack)
|
|
##
|
|
storageClass:
|
|
accessMode: ReadWriteOnce
|
|
size: 8Gi
|
|
## Set path in case you want to use local host path volumes (not recommended in production)
|
|
##
|
|
hostPath:
|
|
## Use an existing PVC
|
|
##
|
|
existingClaim:
|
|
|
|
##
|
|
## External Database Configuration
|
|
##
|
|
## All of these values are only used when mariadb.enabled is set to false
|
|
##
|
|
externalDatabase:
|
|
## Database host
|
|
##
|
|
host: localhost
|
|
## non-root Username for EJBCA Database
|
|
##
|
|
user: bn_ejbca
|
|
## Database password
|
|
##
|
|
password: ""
|
|
## Name of an existing secret resource containing the DB password in a 'mariadb-password' key
|
|
##
|
|
existingSecret: ""
|
|
## Database name
|
|
##
|
|
database: bitnami_ejbca
|
|
|
|
## Database port number
|
|
##
|
|
port: 3306
|
|
|
|
## Add sidecars to the pod.
|
|
## Example:
|
|
## sidecars:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
## ports:
|
|
## - name: portname
|
|
## containerPort: 1234
|
|
##
|
|
sidecars: {}
|
|
|
|
## Add init containers to the pod.
|
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
|
|
## Example:
|
|
## initContainers:
|
|
## - name: your-image-name
|
|
## image: your-image
|
|
## imagePullPolicy: Always
|
|
##
|
|
initContainers: {}
|