# Default values for k10.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
rbac:
create: true
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is derived using the release and chart names.
name: ""
scc:
create: false
networkPolicy:
create: true
global:
# These are the default values for picking k10 images. They can be overridden
# to specify a particular registy and tag.
image:
registry: gcr.io/kasten-images
tag: ''
pullPolicy: Always
airgapped:
repository: ''
persistence:
mountPath: "/mnt/k10state"
enabled: true
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass: ""
accessMode: ReadWriteOnce
size: 20Gi
metering:
size: 2Gi
catalog:
size: ""
jobs:
size: ""
logging:
size: ""
grafana:
# Default value is set to 5Gi. This is the same as the default value
# from previous releases <= 4.5.1 where the Grafana sub chart used to
# reference grafana.persistence.size instead of the global values.
# Since the size remains the same across upgrades, the Grafana PVC
# is not deleted and recreated which means no Grafana data is lost
# while upgrading from <= 4.5.1
size: 5Gi
## Set it to true while generating helm operator
rhMarketPlace: false
## these values should not be provided us, these are to be used by
## red hat marketplace
images:
admin: ''
aggregatedapis: ''
ambassador: ''
auth: ''
bloblifecyclemanager: ''
catalog: ''
cephtool: ''
configmap-reload: ''
controllermanager: ''
crypto: ''
dashboardbff: ''
datamover: ''
dex: ''
emissary: ''
events: ''
executor: ''
frontend: ''
grafana: ''
init: ''
jobs: ''
kanister-tools: ''
kanister: ''
logging: ''
metering: ''
paygo_daemonset: ''
prometheus: ''
state: ''
upgrade: ''
vbrintegrationapi: ''
garbagecollector: ''
metric-sidecar: ''
imagePullSecret: ''
ingress:
create: false
urlPath: "" #url path for k10 gateway
route:
enabled: false
path: ""
prometheus:
external:
host: '' #FQDN of prometheus-service
port: ''
baseURL: ''
network:
enable_ipv6: false
## OpenShift route configuration.
route:
enabled: false
# Host name for the route
host: ""
# Default path for the route
path: ""
annotations: {}
# kubernetes.io/tls-acme: "true"
# haproxy.router.openshift.io/disable_cookies: "true"
# haproxy.router.openshift.io/balance: roundrobin
labels: {}
# key: value
# TLS configuration
tls:
enabled: false
# What to do in case of an insecure traffic edge termination
insecureEdgeTerminationPolicy: "Redirect"
# Where this TLS configuration should terminate
termination: "edge"
toolsImage:
enabled: true
pullPolicy: Always
dexImage:
registry: ghcr.io
repository: dexidp
image: dex
kanisterToolsImage:
registry: ghcr.io
repository: kanisterio
image: kanister-tools
pullPolicy: Always
ingress:
create: false
tls:
enabled: false
class: "" #Ingress controller type
host: "" #ingress object host name
urlPath: "" #url path for k10 gateway
pathType: "ImplementationSpecific"
eula:
accept: false #true value if EULA accepted
license: "" #base64 encoded string provided by Kasten
cluster:
domainName: "cluster.local" #default value is cluster.local
prometheus:
# Disabling init container
# which uses root cmds
initChownData:
enabled: false
rbac:
create: false
alertmanager:
enabled: false
kubeStateMetrics:
enabled: false
networkPolicy:
enabled: true
nodeExporter:
enabled: false
pushgateway:
enabled: false
scrapeCAdvisor: false
server:
# UID and groupid are from prometheus helm chart
enabled: true
securityContext:
runAsUser: 65534
runAsNonRoot: true
runAsGroup: 65534
fsGroup: 65534
retention: 30d
strategy:
rollingUpdate:
maxSurge: 100%
maxUnavailable: 100%
type: RollingUpdate
persistentVolume:
enabled: true
storageClass: ""
configMapOverrideName: k10-prometheus-config
fullnameOverride: prometheus-server
baseURL: /k10/prometheus/
prefixURL: /k10/prometheus
serviceAccounts:
alertmanager:
create: false
kubeStateMetrics:
create: false
nodeExporter:
create: false
pushgateway:
create: false
server:
create: true
jaeger:
enabled: false
agentDNS: ""
service:
externalPort: 8000
internalPort: 8000
aggregatedApiPort: 10250
gatewayAdminPort: 8877
secrets:
awsAccessKeyId: ''
awsSecretAccessKey: ''
awsIamRole: ''
googleApiKey: ''
googleProjectId: ''
dockerConfig: ''
dockerConfigPath: ''
azureTenantId: ''
azureClientId: ''
azureClientSecret: ''
azureResourceGroup: ''
azureSubscriptionID: ''
azureResourceMgrEndpoint: ''
azureADEndpoint: ''
azureADResourceID: ''
azureCloudEnvID: ''
apiTlsCrt: ''
apiTlsKey: ''
tlsSecret: ''
ibmSoftLayerApiKey: ''
ibmSoftLayerApiUsername: ''
vsphereEndpoint: ''
vsphereUsername: ''
vspherePassword: ''
metering:
reportingKey: "" #[base64-encoded key]
consumerId: "" #project:<project_id>
awsRegion: ''
awsMarketPlaceIamRole: ''
awsMarketplace: false # AWS cloud metering license mode
awsManagedLicense: false # AWS managed license mode
licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters
serviceAccount:
create: false
name: ""
mode: '' # controls metric and license reporting (set to `airgap` for private-network installs)
redhatMarketplacePayg: false # Redhat cloud metering license mode
reportCollectionPeriod: 1800 # metric report collection period in seconds
reportPushPeriod: 3600 # metric report push period in seconds
promoID: '' # sets the K10 promotion ID
clusterName: ''
executorReplicas: 3
logLevel: info
externalGateway:
create: false
# Any standard service annotations
annotations: {}
# Host and domain name for the K10 API server
fqdn:
name: ""
#Supported types route53-mapper, external-dns
type: ""
# ARN for the AWS ACM SSL certificate used in the K10 API server (load balancer)
awsSSLCertARN: ''
auth:
groupAllowList: []
# - "group1"
# - "group2"
basicAuth:
enabled: false
secretName: "" #htpasswd based existing secret
htpasswd: "" #htpasswd string, which will be used for basic auth
tokenAuth:
enabled: false
oidcAuth:
enabled: false
providerURL: "" #URL to your OIDC provider
redirectURL: "" #URL to the K10 gateway service
scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email"
prompt: "select_account" #The prompt type to be requested with the OIDC provider. Default is select_account.
clientID: "" #ClientID given by the OIDC provider for K10
clientSecret: "" #ClientSecret given by the OIDC provider for K10
usernameClaim: "" #Claim to be used as the username
usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim
groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups
groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts.
logoutURL: "" #URL to your OIDC provider's logout endpoint
#OIDC config based existing secret.
#Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL.
secretName: ""
dex:
enabled: false
providerURL: ""
redirectURL: ""
openshift:
enabled: false
serviceAccount: "" #service account used as the OAuth client
clientSecret: "" #The token from the service account
dashboardURL: "" #The URL for accessing K10's dashboard
openshiftURL: "" #The URL of the Openshift API server
insecureCA: false
useServiceAccountCA: false
secretName: "" # The Kubernetes Secret that contains OIDC settings
usernameClaim: "email"
usernamePrefix: ""
groupnameClaim: "groups"
groupnamePrefix: ""
ldap:
enabled: false
restartPod: false # Enable this value to force a restart of the authentication service pod
dashboardURL: "" #The URL for accessing K10's dashboard
host: ""
insecureNoSSL: false
insecureSkipVerifySSL: false
startTLS: false
bindDN: ""
bindPW: ""
bindPWSecretName: ""
userSearch:
baseDN: ""
filter: ""
username: ""
idAttr: ""
emailAttr: ""
nameAttr: ""
preferredUsernameAttr: ""
groupSearch:
baseDN: ""
filter: ""
userMatchers: []
# - userAttr:
# groupAttr:
nameAttr: ""
secretName: "" # The Kubernetes Secret that contains OIDC settings
usernameClaim: "email"
usernamePrefix: ""
groupnameClaim: "groups"
groupnamePrefix: ""
k10AdminUsers: []
k10AdminGroups: []
optionalColocatedServices:
vbrintegrationapi:
enabled: true
cacertconfigmap:
name: "" #Name of the configmap
apiservices:
deployed: true # If false APIService objects will not be deployed
injectKanisterSidecar:
enabled: false
namespaceSelector:
matchLabels: {}
# Set objectSelector to filter workloads
objectSelector:
matchLabels: {}
webhookServer:
port: 8080 # should not conflict with config server port (8000)
kanisterPodCustomLabels : ""
kanisterPodCustomAnnotations : ""
kanisterPodMetricSidecar:
enabled: true
metricLifetime: "2m"
pushGatewayInterval: "30s"
genericVolumeSnapshot:
resources:
requests:
memory: ""
cpu: ""
limits:
memory: ""
cpu: ""
garbagecollector:
daemonPeriod: 21600
keepMaxActions: 1000
importRunActions:
enabled: false
retireActions:
enabled: false
resources: {}
services:
executor:
hostNetwork: false
workerCount: 8
maxConcurrentRestoreCsiSnapshots: 3
maxConcurrentRestoreGenericVolumeSnapshots: 3
maxConcurrentRestoreWorkloads: 3
dashboardbff:
hostNetwork: false
securityContext:
runAsUser: 1000
fsGroup: 1000
aggregatedapis:
hostNetwork: false
apigateway:
serviceResolver: dns
limiter:
genericVolumeSnapshots: 10
genericVolumeCopies: 10
genericVolumeRestores: 10
csiSnapshots: 10
providerSnapshots: 10
gateway:
insecureDisableSSLVerify: false
exposeAdminPort: true
resources:
requests:
memory: 300Mi
cpu: 200m
limits:
memory: 1Gi
cpu: 1000m
kanister:
backupTimeout: 45
restoreTimeout: 600
deleteTimeout: 45
hookTimeout: 20
checkRepoTimeout: 20
statsTimeout: 20
efsPostRestoreTimeout: 45
podReadyWaitTimeout: 15
awsConfig:
assumeRoleDuration: ""
efsBackupVaultName: "k10vault"
excludedApps: ["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"]
grafana:
enabled: true
prometheusName: prometheus-server
prometheusPrefixURL: /k10/prometheus
rbac:
namespaced: true
pspEnabled: false
extraLabels:
component: grafana
podLabels:
component: grafana
encryption:
primaryKey: # primaryKey is used for enabling encryption of K10 primary key
awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key
vaultTransitKeyName: ''
vaultTransitPath: ''
vmWare:
taskTimeoutMin: 60
azure:
useDefaultMSI: false
vault:
role: "" # Role that was bound to the service account name and namespace from cluster
serviceAccountTokenPath: "" # This will default to /var/run/secrets/kubernetes.io/serviceaccount/token within the code if left blank
address: "http://vault.vault.svc:8200" # Address for dev mode in cluster vault server in vault namespace
secretName: "" # Ensures backward compatibility for now. We can remove once we tell all customers this is deprecated.
# This is how the token can be passed into default if K8S auth mode fails for whatever reason.
kubeVirtVMs:
snapshot:
unfreezeTimeout: "5m"
reporting:
pdfReports: true
maxJobWaitDuration: ""