andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-charts/charts/neuvector/102.0.2+up2.4.5/values.yaml

415 lines
11 KiB
YAML
Raw Blame History

# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
global:
cattle:
systemDefaultRegistry: ""
psp:
enabled: false # PSP enablement should default to false
openshift: false
registry: docker.io
oem:
rbac: true
serviceAccount: neuvector
internal: # enable when cert-manager is installed for the internal certificates
certmanager:
enabled: false
secretname: neuvector-internal
controller:
# If false, controller will not be installed
enabled: true
annotations: {}
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
repository: rancher/mirrored-neuvector-controller
tag: 5.1.3
hash:
replicas: 3
disruptionbudget: 0
schedulerName:
priorityClassName:
podLabels: {}
podAnnotations: {}
env: []
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- neuvector-controller-pod
topologyKey: "kubernetes.io/hostname"
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
apisvc:
type:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ranchersso:
enabled: true
pvc:
enabled: false
existingClaim: false
accessModes:
- ReadWriteMany
storageClass:
capacity:
azureFileShare:
enabled: false
secretName:
shareName:
certificate:
secret:
keyFile: tls.key
pemFile: tls.pem
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
certificate:
secret: neuvector-internal
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
federation:
mastersvc:
type:
# Federation Master Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
managedsvc:
type:
# Federation Managed Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
annotations: {}
# OpenShift Route configuration
# Controller supports HTTPS only, so edge termination not supported
route:
enabled: false
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
configmap:
enabled: false
data:
# passwordprofileinitcfg.yaml: |
# ...
# roleinitcfg.yaml: |
# ...
# ldapinitcfg.yaml: |
# ...
# oidcinitcfg.yaml: |
# ...
# samlinitcfg.yaml: |
# ...
# sysinitcfg.yaml: |
# ...
# userinitcfg.yaml: |
# ...
secret:
# NOTE: files defined here have preferrence over the ones defined in the configmap section
enabled: false
data: {}
# passwordprofileinitcfg.yaml: |
# ...
# roleinitcfg.yaml: |
# ...
# ldapinitcfg.yaml:
# directory: OpenLDAP
# ...
# oidcinitcfg.yaml:
# Issuer: https://...
# ...
# samlinitcfg.yaml:
# ...
# sysinitcfg.yaml:
# ...
# userinitcfg.yaml:
# ...
enforcer:
# If false, enforcer will not be installed
enabled: true
image:
repository: rancher/mirrored-neuvector-enforcer
tag: 5.1.3
hash:
updateStrategy:
type: RollingUpdate
priorityClassName:
podLabels: {}
podAnnotations: {}
env: []
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
certificate:
secret: neuvector-internal
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
manager:
# If false, manager will not be installed
enabled: true
image:
repository: rancher/mirrored-neuvector-manager
tag: 5.1.3
hash:
priorityClassName:
env:
ssl: true
svc:
type: NodePort # should be set to - ClusterIP
loadBalancerIP:
annotations: {}
# azure
# service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
# OpenShift Route configuration
# Make sure manager env ssl is false for edge termination
route:
enabled: true
termination: passthrough
host:
tls:
#certificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#caCertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#destinationCACertificate: |
# -----BEGIN CERTIFICATE-----
# -----END CERTIFICATE-----
#key: |
# -----BEGIN PRIVATE KEY-----
# -----END PRIVATE KEY-----
certificate:
secret:
keyFile: tls.key
pemFile: tls.pem
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
ingressClassName: ""
path: "/"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# kubernetes.io/ingress.class: my-nginx
# nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
# nginx.ingress.kubernetes.io/rewrite-target: /
# nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
# only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
tls: false
secretName: # my-tls-secret
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
affinity: {}
podLabels: {}
podAnnotations: {}
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
cve:
updater:
# If false, cve updater will not be installed
enabled: true
secure: false
image:
repository: rancher/mirrored-neuvector-updater
tag: latest
hash:
schedule: "0 0 * * *"
priorityClassName:
podLabels: {}
podAnnotations: {}
nodeSelector: {}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
scanner:
enabled: true
replicas: 3
dockerPath: ""
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
repository: rancher/mirrored-neuvector-scanner
tag: latest
hash:
priorityClassName:
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
affinity: {}
podLabels: {}
podAnnotations: {}
env: []
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
runAsUser: # MUST be set for Rancher hardened cluster
internal: # this is used for internal communication. Please use the SAME CA for all the components ( controller, scanner, and enforcer ) The cert needs to have a CN of "NeuVector"
certificate:
secret: neuvector-internal
keyFile: tls.key
pemFile: tls.crt
caFile: ca.crt # must be the same CA for all internal.
docker:
path: /var/run/docker.sock
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
k3s:
enabled: false
runtimePath: /run/k3s/containerd/containerd.sock
bottlerocket:
enabled: false
runtimePath: /run/dockershim.sock
containerd:
enabled: false
path: /var/run/containerd/containerd.sock
crio:
enabled: false
path: /var/run/crio/crio.sock
admissionwebhook:
type: ClusterIP
crdwebhook:
enabled: true
type: ClusterIP
Reference in New Issue View Git Blame Copy Permalink