values.yaml
# BEGIN Mandatory values
# You must set these values before deploying the chart.
# NOTE(review): this listing shows every key at column 0, so the nesting of the
# original file is not visible here; take the structure from the chart itself.
# Keys left bare (`username:`) parse as YAML null until a value is supplied.
# The postgres and smtp passwords, the dockerhub access token and the license
# key are secrets: supply them at install time from a secret store or an
# untracked override file rather than committing them to this file.
postgres:
username:
password:
hostname:
database: massdriver
port: 5432
smtp:
username:
password:
server: # eg. email.some-smtp-provider.com
# 587 is the mail-submission port. NOTE(review): whether the chart requires
# STARTTLS on this connection is not visible here - confirm.
port: 587
fromAddress: # eg. no-reply@your-domain.com
domain:
dockerhub:
username: massdrivercloud
# Registry access token paired with the username above; presumably used to pull
# the chart's images - confirm against the templates.
accessToken:
licenseKey:
# END Mandatory values
# This creates a temporary user for quick access before OIDC is setup
# This is a password-based login that exists alongside OIDC. Use a unique,
# generated password and treat it as a secret.
# NOTE(review): how the user is removed or disabled once OIDC is configured is
# not visible here - confirm it does not stay active with a known password.
quickstart:
email:
password:
# Helm naming overrides; empty strings leave the chart's default names in place
# (presumably - the templates that consume them are not shown here).
nameOverride: ""
fullnameOverride: ""
# OpenTelemetry configuration for observability and tracing
otel:
# Enable OpenTelemetry export
enabled: false
# Service name for trace identification
serviceName: massdriver
# Exporter type (otlp, jaeger, zipkin, etc.)
exporter: otlp
# Resource attributes for trace metadata
resourceAttributes: "service.name=massdriver"
# OTLP exporter configuration - these fields become environment variables
# Collector `headers` commonly carry an API key or bearer token. Because these
# fields become environment variables, a literal value here would be readable
# by anyone who can view the workload spec. NOTE(review): confirm whether the
# chart sources them from a Secret.
# Traces can include request metadata; prefer a TLS endpoint when the collector
# is outside the cluster.
# otlp:
# endpoint:
# headers:
# protocol: grpc
# Massdriver Variables
massdriver:
# Application log level. Avoid `debug` in production unless you have confirmed
# that request bodies and credentials are not logged at that level.
logLevel: info
# The subdomains to use for Massdriver. These will be used to construct URLs for the frontend and API.
apiSubdomain: api
appSubdomain: app
# Configuration for blob storage. This includes deployment logs, bundle/OCI storage, and Terraform/OpenTofu remote state.
# Terraform/OpenTofu state commonly contains resource secrets in plaintext, so
# the credentials and access policy on this storage protect more than logs.
blobStorage:
# S3Proxy credentials for authenticated access
# The username and password below are published chart defaults: anyone who has
# read this file knows them. Override both with generated values before
# deploying.
username: massdriver
password: s3proxypassword
# Log level for S3Proxy (debug, info, warn, error)
logLevel: info
# This is where you specify your desired object storage backend.
# Options are "minio", "s3", "gcs", or "azureblob". For whichever type you choose, be sure to fill out the corresponding configuration section below.
type: minio
# Bucket names for Massdriver to use. The default values will work with the included MinIO deployment.
# If you are using your own S3 buckets you will need to update the values to be the actual s3 bucket names (make sure they exist).
# If you are using Azure Blob Storage, the bucket names correspond to container names in the storage account (make sure they exist).
# If you are using GCS, the bucket names correspond to GCS bucket names (make sure they exist).
# The massdriver bucket is used for bundle/OCI storage and deployment logs
massdriverBucket: massdriver
# The state bucket is used for OpenTofu/Terraform remote state storage
stateBucket: state
serviceAccount:
# Annotations to add to the ServiceAccount used by S3Proxy
# This can be used to attach cloud IAM roles/identities to the pod via ServiceAccount annotations.
# Workload identity avoids storing long-lived keys in values. Scope the attached
# role to the two buckets named above rather than to the whole account.
# Examples:
# - AWS EKS (IRSA):
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/YourS3ProxyRole
# - GKE Workload Identity:
# iam.gke.io/gcp-service-account: your-sa@your-gcp-project.iam.gserviceaccount.com
# - Azure Workload Identity:
# azure.workload.identity/client-id: "<azure-ad-app-client-id>"
annotations: {}
# Required if using "minio" for blobStorage.type
# `minioaccesskey` / `miniosecretkey` are placeholder defaults shipped with the
# chart. Replace both with generated values before deploying.
minio:
username: minioaccesskey
password: miniosecretkey
# Required if using "s3" for blobStorage.type
s3:
region: us-east-1
# S3 access can be granted via access keys or IAM roles (IRSA for EKS) by setting the proper annotations on the service account
# If you are using access keys, set them here. If not, leave them blank and ensure the service account has the proper annotations for role binding.
# Prefer the IAM-role path: static access keys placed here do not expire and
# must be rotated by hand.
accessKeyId: ""
secretAccessKey: ""
# Required if using "gcs" for blobStorage.type
# The private key below is a long-lived service-account credential. The value
# shown is a placeholder; supply the real key from a secret store, or use GKE
# Workload Identity through the service-account annotations instead.
gcs:
serviceAccountEmail: ""
privateKey: |-
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
# Required if using "azureblob" for blobStorage.type
azureblob:
storageAccountName: ""
# You can authenticate with either storage account key or via service principal.
# If using storage account key, set the value here and leave the service principal values blank.
# A storage account key grants full access to the entire storage account, not
# only the containers used here. A service principal with a role scoped to
# those containers is the narrower choice.
storageAccountKey: ""
# If using service principal authentication, leave storageAccountKey blank and set the values below
clientId: ""
clientSecret: ""
tenantId: ""
# Workload settings. NOTE(review): presumably these belong to the massdriver
# deployment; the nesting is not visible in this listing.
replicaCount: 2
image:
repository: massdrivercloud/massdriver
# Pinned by tag. Tags are mutable in a registry; NOTE(review): whether the
# chart accepts an image digest is not visible here.
tag: "1.2.1"
port: 4000
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 200m
memory: 300Mi
# No liveness probe by default; the commented lines show how to enable one.
livenessProbe: {}
# httpGet:
# path: /_health
# port: http
readinessProbe:
failureThreshold: 3
httpGet:
path: /_health
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 2
timeoutSeconds: 1
podAnnotations: {}
podLabels: {}
# Both security contexts default to empty, so the container runs with the
# image's and the runtime's defaults. The commented lines are a hardened
# profile (drop all capabilities, read-only root filesystem, non-root UID
# 10001); the launchControl section of this file enables the same settings.
# NOTE(review): confirm the image works under that profile, then enable it.
podSecurityContext: {}
# fsGroup: 10001
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 10001
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
create: true
# Mounts the ServiceAccount token into the pod. NOTE(review): if this workload
# does not call the Kubernetes API, set this to false; not determinable here.
automount: true
annotations: {}
service:
port: 80
ingress:
enabled: true
ingressClassName: ""
# The commented annotations show cert-manager issuance, a forced HTTPS
# redirect and a request-body size limit for the nginx ingress controller.
annotations: {}
# cert-manager.io/cluster-issuer: letsencrypt-prod
# nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# nginx.ingress.kubernetes.io/proxy-body-size: 20m
tls:
# Set this to false to run Massdriver without TLS (only HTTP). This is NOT recommended for production.
# Without TLS, login credentials and API tokens cross the network in
# cleartext.
enabled: true
# if secretName is unspecified the default secret name will be <release-name>-massdriver-tls
secretName:
# if you want helm to create the secret for you, set this to true and uncomment and provide the cert and key values below
# Supplying `key` through values places the private key in the Helm release
# data as well as in the TLS secret. Creating the secret out of band (for
# example through cert-manager) and pointing secretName at it avoids that.
# NOTE(review): createSecret defaults to true while cert/key are commented out;
# what the chart renders in that case is not visible here - confirm.
createSecret: true
# cert: |-
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# key: |-
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----
# 4369 is the Erlang Port Mapper Daemon port; presumably used so the replicas
# can cluster. Erlang distribution relies on a shared cookie for peer
# authentication, so keep this port reachable only from the release's own pods
# (for example with a NetworkPolicy). NOTE(review): whether the chart ships
# such a policy is not visible here.
epmd:
enabled: true
port: 4369
# Metrics endpoint. NOTE(review): no authentication setting is visible here;
# keep the port cluster-internal.
metrics:
enabled: true
port: 4021
# ServiceMonitor creation is off by default; the name suggests a Prometheus
# Operator resource - confirm the CRD is installed before enabling.
serviceMonitor:
enabled: false
interval: 60s
scrapeTimeout: 15s
labels: {}
# NOTE(review): presumably runs database migrations on install/upgrade with the
# postgres credentials from the mandatory values - confirm.
migration:
enabled: true
# Launch Control Variables
launchControl:
provisionerOtelEnabled: true
replicaCount: 2
image:
repository: massdrivercloud/launch-control
# IfNotPresent reuses whatever image a node has already cached for this tag.
pullPolicy: IfNotPresent
# Pinned by tag. Tags are mutable in a registry; NOTE(review): whether the
# chart accepts an image digest is not visible here.
tag: "1.0.3"
port: 8080
resources:
limits:
cpu: 500m
memory: 250Mi
requests:
cpu: 50m
memory: 50Mi
# No liveness probe by default; the commented lines show how to enable one.
livenessProbe: {}
# httpGet:
# path: /healthz
# port: http
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 2
timeoutSeconds: 1
podSecurityContext:
fsGroup: 10001
# Hardened by default: all capabilities dropped, read-only root filesystem,
# non-root UID 10001. Not set here and worth adding if the chart passes this
# block through unchanged: `allowPrivilegeEscalation: false` and a
# `seccompProfile` of type `RuntimeDefault`.
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10001
podAnnotations: {}
podLabels: {}
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
create: true
# Mounts the ServiceAccount token into the pod. NOTE(review): keep only if this
# workload needs Kubernetes API access; not determinable from this file.
automount: true
annotations: {}
service:
port: 80
# Provisioner Variables
# ServiceAccount for provisioner workloads. NOTE(review): if cloud identities
# are attached through `annotations`, scope the role to what provisioning
# needs; what permissions the chart binds to this account is not visible here.
provisioner:
serviceAccount:
create: true
automount: true
annotations: {}
# Frontend (UI) container settings.
ui:
image:
repository: massdrivercloud/massdriver-ui
pullPolicy: IfNotPresent
# Pinned by tag. Tags are mutable in a registry; NOTE(review): whether the
# chart accepts an image digest is not visible here.
tag: "1.0.11"
port: 3000
resources:
limits:
cpu: 1
memory: 1Gi
requests:
cpu: 100m
memory: 200Mi
# No liveness probe by default; the commented lines show how to enable one.
livenessProbe: {}
# httpGet:
# path: /health
# port: ui
readinessProbe:
failureThreshold: 3
httpGet:
path: /health
port: ui
scheme: HTTP
periodSeconds: 10
successThreshold: 2
timeoutSeconds: 1
# Empty by default, so the container runs with the image's and the runtime's
# defaults. The commented lines are the hardened profile that the
# launchControl section of this file enables. NOTE(review): confirm the UI
# image works with a read-only root filesystem before enabling.
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 10001
service:
port: 8080
# OIDC configuration
# Empty list by default, i.e. no OIDC provider is configured.
oidc: []
# This is the OIDC configuration for Massdriver. Uncomment and fill in the values below to enable OIDC
# Valid providers are "google", "github" and "microsoft"
# clientSecret is a secret: supply it from a secret store or an untracked
# override file. With autojoinOrganization set, authenticated users are joined
# to that organization automatically; NOTE(review): confirm which identities
# the provider will accept before enabling it.
# - provider:
# authorizeUrl:
# tokenUrl:
# clientId:
# clientSecret:
# autojoinOrganization: # The Massdriver organization to autojoin after OIDC authentication (optional)
# Extra manifests to deploy as an array of objects
# These objects are applied with the privileges of whoever installs the
# release, so review overrides of this list like any other manifest change.
extraManifests: []
# - apiVersion: v1
# kind: ConfigMap
# metadata:
# name: example-configmap
# data:
# key: value
# Values passed to the argo-workflows subchart.
argo-workflows:
enabled: true
server:
# In `server` auth mode the Argo Server handles every request with its own
# ServiceAccount and does not authenticate individual clients. Anyone who can
# reach the server acts with that account's permissions. Keep the server
# unexposed (no ingress, restricted network access) or use `client` or `sso`.
authModes:
- "server"
artifactRepository:
s3:
bucket: argo
# this endpoint assumes that the release name is "massdriver". This value will need to be changed if the release name is different.
endpoint: massdriver-minio.massdriver.svc:9000
# `insecure: true` makes Argo talk to the endpoint over plain HTTP, so artifacts
# and the access keys travel unencrypted inside the cluster. Set to false if
# MinIO is served with TLS.
insecure: true
# these both assume that the release name is "massdriver" (for the secret name). This value will need to be changed if the release name is different.
# Both references read the `rootUser` / `rootPassword` keys, i.e. Argo uses the
# MinIO root credentials. Those also reach the `massdriver` and `state`
# buckets; a dedicated MinIO user limited to the `argo` bucket would be
# least privilege.
accessKeySecret:
name: massdriver-minio
key: rootUser
secretKeySecret:
name: massdriver-minio
key: rootPassword
# Values passed to the bundled MinIO subchart.
minio:
enabled: true
# this assumes that the release name is "massdriver". This value will need to be changed if the release name is different.
# Root credentials are read from this existing Secret, not from inline values.
existingSecret: massdriver-minio
replicas: 2
resources:
requests:
memory: 500Mi
persistence:
size: 500Gi
# Buckets created at install time. NOTE(review): `policy: none` presumably
# means no anonymous-access policy is attached - confirm against the subchart
# version in use.
buckets:
- name: massdriver
policy: none
purge: false
versioning: false
objectlocking: false
# Holds Terraform/OpenTofu remote state (see blobStorage.stateBucket). With
# versioning off, an overwritten or corrupted state object cannot be rolled
# back; consider enabling versioning for this bucket.
- name: state
policy: none
purge: false
versioning: false
objectlocking: false
- name: argo
policy: none
purge: false
versioning: false
objectlocking: false