openstack/openstack-helm-infra
Code Issues Proposed changes
f31cfb2ef9
openstack-helm-infra/ingress/values.yaml
Brian Haley f31cfb2ef9 support image registries with authentication 
Based on spec in openstack-helm repo,
support-OCI-image-registry-with-authentication-turned-on.rst

Each Helm chart can configure an OCI image registry and
credentials to use. A Kubernetes secret is then created with these
info. Service Accounts then specify an imagePullSecret specifying
the Secret with creds for the registry. Then any pod using one
of these ServiceAccounts may pull images from an authenticated
container registry.

Change-Id: Iebda4c7a861aa13db921328776b20c14ba346269
2022-07-20 14:28:47 -05:00

355 lines
9.1 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ingress.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
deployment:
mode: namespace
type: Deployment
cluster:
class: "nginx-cluster"
images:
tags:
entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
ingress: k8s.gcr.io/ingress-nginx/controller:v1.1.3
ingress_module_init: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
ingress_routed_vip: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
error_pages: k8s.gcr.io/defaultbackend:1.4
keepalived: docker.io/osixia/keepalived:1.4.5
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/library/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
pod:
security_context:
error_pages:
pod:
runAsUser: 65534
container:
ingress_error_pages:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
server:
pod:
runAsUser: 65534
container:
ingress_vip_kernel_modules:
capabilities:
add:
- SYS_MODULE
readOnlyRootFilesystem: true
runAsUser: 0
ingress_vip_init:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
ingress:
readOnlyRootFilesystem: false
runAsUser: 101
ingress_vip:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
tolerations:
ingress:
enabled: false
tolerations:
- key: node-role.kubernetes.io/master
operator: Exists
effect: NoSchedule
dns_policy: "ClusterFirstWithHostNet"
replicas:
ingress: 1
error_page: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
termination_grace_period:
server:
timeout: 60
error_pages:
timeout: 60
resources:
enabled: false
ingress:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
error_pages:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
error_server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
host_namespace: false
vip:
manage: false
# what type of vip manage machanism will be used
# possible options: routed, keepalived
mode: routed
interface: ingress-vip
addr: 172.18.0.1/32
keepalived_router_id: 100
# Use .network.vip.addr as an external IP for the service
# Useful if the CNI or provider can set up routes, etc.
assign_as_external_ip: false
ingress:
annotations:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class
kubernetes.io/ingress.class: null
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: deny";
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
more_set_headers "Content-Security-Policy: script-src 'self'";
external_policy_local: false
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ingress-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
error_pages:
jobs: null
ingress:
jobs: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
monitoring:
prometheus:
enabled: true
ingress_exporter:
scrape: true
port: 10254
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oci_image_registry:
name: oci-image-registry
namespace: oci-image-registry
auth:
enabled: false
ingress:
username: ingress
password: password
hosts:
default: localhost
host_fqdn_override:
default: null
port:
registry:
default: null
ingress:
hosts:
default: ingress
error_pages: ingress-error-pages
host_fqdn_override:
default: null
# NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
# will be used for the default SSL certificate.
# See also the .conf.default_ssl_certificate options below.
public:
tls:
crt: ""
key: ""
port:
http:
default: 80
https:
default: 443
healthz:
default: 10254
status:
default: 10246
stream:
default: 10247
profiler:
default: 10245
server:
default: 8181
ingress_exporter:
namespace: null
hosts:
default: ingress-exporter
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
metrics:
default: 10254
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
ingress:
ingress:
- {}
egress:
- {}
secrets:
oci_image_registry:
ingress: ingress-oci-image-registry-key
tls:
ingress:
api:
# .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
# NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
public: default-tls-public
dhparam:
secret_dhparam: |
conf:
controller:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class in cluster mode, or set to
# "nginx" in namespace mode
INGRESS_CLASS: null
ingress:
enable-underscores-in-headers: "true"
# NOTE(portdirect): if left blank this is populated from
# .network.vip.addr when running in host networking
# and .network.vip.manage=true, otherwise it is left as
# an empty string (the default).
bind-address: null
enable-vts-status: "true"
server-tokens: "false"
ssl-dh-param: openstack/secret-dhparam
# This block sets the --default-ssl-certificate option
# https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
default_ssl_certificate:
# .conf.default_ssl_certificate.enabled=true: use a default certificate
enabled: false
# If referencing an existing TLS secret with the default cert
# .conf.default_ssl_certificate.name="name of the secret"
# (defaults to value of .secrets.tls.ingress.api.public)
# .conf.default_ssl_certificate.namespace="namespace of the secret"
# (optional, defaults to release namespace)
name: ""
namespace: ""
# NOTE: To create a new secret to hold the default certificate, leave the
# above values empty, and specify:
# .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
# .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
# .manifests.secret_ingress_tls=true
services:
tcp: null
udp: null
manifests:
configmap_bin: true
configmap_conf: true
configmap_services_tcp: true
configmap_services_udp: true
deployment_error: true
deployment_ingress: true
endpoints_ingress: true
ingress: true
secret_ingress_tls: false
secret_dhparam: false
service_error: true
service_ingress: true
job_image_repo_sync: true
monitoring:
prometheus:
service_exporter: true
network_policy: false
secret_registry: true
...
View Git Blame Copy Permalink