# Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Default values for ingress. # This is a YAML-formatted file. # Declare name/value pairs to be passed into your templates. # name: value --- deployment: mode: namespace type: Deployment cluster: class: "nginx-cluster" images: tags: entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 ingress: k8s.gcr.io/ingress-nginx/controller:v1.5.1 ingress_module_init: docker.io/openstackhelm/neutron:xena-ubuntu_focal ingress_routed_vip: docker.io/openstackhelm/neutron:xena-ubuntu_focal error_pages: k8s.gcr.io/defaultbackend:1.4 keepalived: docker.io/osixia/keepalived:1.4.5 dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 image_repo_sync: docker.io/library/docker:17.07.0 pull_policy: "IfNotPresent" local_registry: active: false exclude: - dep_check - image_repo_sync pod: security_context: error_pages: pod: runAsUser: 65534 container: ingress_error_pages: allowPrivilegeEscalation: false readOnlyRootFilesystem: true server: pod: runAsUser: 65534 container: ingress_vip_kernel_modules: capabilities: add: - SYS_MODULE readOnlyRootFilesystem: true runAsUser: 0 ingress_vip_init: capabilities: add: - NET_ADMIN readOnlyRootFilesystem: true runAsUser: 0 ingress: readOnlyRootFilesystem: false runAsUser: 101 ingress_vip: capabilities: add: - NET_ADMIN readOnlyRootFilesystem: true runAsUser: 0 affinity: anti: type: default: preferredDuringSchedulingIgnoredDuringExecution topologyKey: default: kubernetes.io/hostname weight: default: 10 tolerations: ingress: enabled: false tolerations: - key: node-role.kubernetes.io/master operator: Exists effect: NoSchedule dns_policy: "ClusterFirstWithHostNet" replicas: ingress: 1 error_page: 1 lifecycle: upgrades: deployments: revision_history: 3 pod_replacement_strategy: RollingUpdate rolling_update: max_unavailable: 1 max_surge: 3 termination_grace_period: server: timeout: 60 error_pages: timeout: 60 resources: enabled: false ingress: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" error_pages: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" jobs: image_repo_sync: requests: memory: "128Mi" cpu: "100m" limits: memory: "1024Mi" cpu: "2000m" labels: server: node_selector_key: openstack-control-plane node_selector_value: enabled error_server: node_selector_key: openstack-control-plane node_selector_value: enabled network: host_namespace: false vip: manage: false # what type of vip manage machanism will be used # possible options: routed, keepalived mode: routed interface: ingress-vip addr: 172.18.0.1/32 keepalived_router_id: 100 # Use .network.vip.addr as an external IP for the service # Useful if the CNI or provider can set up routes, etc. assign_as_external_ip: false ingress: node_port: enabled: false http_port: 30080 https_port: 30443 annotations: # NOTE(portdirect): if left blank this is populated from # .deployment.cluster.class kubernetes.io/ingress.class: null nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/configuration-snippet: | more_set_headers "X-Content-Type-Options: nosniff"; more_set_headers "X-Frame-Options: deny"; more_set_headers "X-Permitted-Cross-Domain-Policies: none"; more_set_headers "Content-Security-Policy: script-src 'self'"; external_policy_local: false dependencies: dynamic: common: local_image_registry: jobs: - ingress-image-repo-sync services: - endpoint: node service: local_image_registry static: error_pages: jobs: null ingress: jobs: null image_repo_sync: services: - endpoint: internal service: local_image_registry monitoring: prometheus: enabled: true ingress_exporter: scrape: true port: 10254 endpoints: cluster_domain_suffix: cluster.local local_image_registry: name: docker-registry namespace: docker-registry hosts: default: localhost internal: docker-registry node: localhost host_fqdn_override: default: null port: registry: node: 5000 oci_image_registry: name: oci-image-registry namespace: oci-image-registry auth: enabled: false ingress: username: ingress password: password hosts: default: localhost host_fqdn_override: default: null port: registry: default: null ingress: hosts: default: ingress error_pages: ingress-error-pages host_fqdn_override: default: null # NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls # will be used for the default SSL certificate. # See also the .conf.default_ssl_certificate options below. public: tls: crt: "" key: "" port: http: default: 80 https: default: 443 healthz: default: 10254 status: default: 10246 stream: default: 10247 profiler: default: 10245 server: default: 8181 ingress_exporter: namespace: null hosts: default: ingress-exporter host_fqdn_override: default: null path: default: null scheme: default: 'http' port: metrics: default: 10254 kube_dns: namespace: kube-system name: kubernetes-dns hosts: default: kube-dns host_fqdn_override: default: null path: default: null scheme: http port: dns_tcp: default: 53 dns: default: 53 protocol: UDP network_policy: ingress: ingress: - {} egress: - {} secrets: oci_image_registry: ingress: ingress-oci-image-registry-key tls: ingress: api: # .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert" # NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls public: default-tls-public dhparam: secret_dhparam: | conf: controller: # NOTE(portdirect): if left blank this is populated from # .deployment.cluster.class in cluster mode, or set to # "nginx" in namespace mode INGRESS_CLASS: null ingress: enable-underscores-in-headers: "true" # NOTE(portdirect): if left blank this is populated from # .network.vip.addr when running in host networking # and .network.vip.manage=true, otherwise it is left as # an empty string (the default). bind-address: null enable-vts-status: "true" server-tokens: "false" ssl-dh-param: openstack/secret-dhparam # This block sets the --default-ssl-certificate option # https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate default_ssl_certificate: # .conf.default_ssl_certificate.enabled=true: use a default certificate enabled: false # If referencing an existing TLS secret with the default cert # .conf.default_ssl_certificate.name="name of the secret" # (defaults to value of .secrets.tls.ingress.api.public) # .conf.default_ssl_certificate.namespace="namespace of the secret" # (optional, defaults to release namespace) name: "" namespace: "" # NOTE: To create a new secret to hold the default certificate, leave the # above values empty, and specify: # .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data" # .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data" # .manifests.secret_ingress_tls=true services: tcp: null udp: null manifests: configmap_bin: true configmap_conf: true configmap_services_tcp: true configmap_services_udp: true deployment_error: true deployment_ingress: true endpoints_ingress: true ingress: true secret_ingress_tls: false secret_dhparam: false service_error: true service_ingress: true job_image_repo_sync: true monitoring: prometheus: service_exporter: true network_policy: false secret_registry: true ...