# Default values for k10. # This is a YAML-formatted file. # Declare variables to be passed into your templates. rbac: create: true serviceAccount: # Specifies whether a ServiceAccount should be created create: true # The name of the ServiceAccount to use. # If not set and create is true, a name is derived using the release and chart names. name: "" scc: create: false networkPolicy: create: true global: # These are the default values for picking k10 images. They can be overridden # to specify a particular registy and tag. image: registry: gcr.io/kasten-images tag: '' pullPolicy: Always airgapped: repository: '' persistence: mountPath: "/mnt/k10state" enabled: true ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## storageClass: "" accessMode: ReadWriteOnce size: 20Gi metering: size: 2Gi catalog: size: "" jobs: size: "" logging: size: "" grafana: # Default value is set to 5Gi. This is the same as the default value # from previous releases <= 4.5.1 where the Grafana sub chart used to # reference grafana.persistence.size instead of the global values. # Since the size remains the same across upgrades, the Grafana PVC # is not deleted and recreated which means no Grafana data is lost # while upgrading from <= 4.5.1 size: 5Gi ## Set it to true while generating helm operator rhMarketPlace: false ## these values should not be provided us, these are to be used by ## red hat marketplace images: admin: '' aggregatedapis: '' ambassador: '' auth: '' bloblifecyclemanager: '' catalog: '' cephtool: '' configmap-reload: '' controllermanager: '' crypto: '' dashboardbff: '' datamover: '' dex: '' emissary: '' events: '' executor: '' frontend: '' grafana: '' init: '' jobs: '' kanister-tools: '' kanister: '' logging: '' metering: '' paygo_daemonset: '' prometheus: '' state: '' upgrade: '' vbrintegrationapi: '' garbagecollector: '' imagePullSecret: '' ingress: create: false urlPath: "" #url path for k10 gateway route: enabled: false path: "" prometheus: external: host: '' #FQDN of prometheus-service port: '' baseURL: '' network: enable_ipv6: false ## OpenShift route configuration. route: enabled: false # Host name for the route host: "" # Default path for the route path: "" annotations: {} # kubernetes.io/tls-acme: "true" # haproxy.router.openshift.io/disable_cookies: "true" # haproxy.router.openshift.io/balance: roundrobin labels: {} # key: value # TLS configuration tls: enabled: false # What to do in case of an insecure traffic edge termination insecureEdgeTerminationPolicy: "Redirect" # Where this TLS configuration should terminate termination: "edge" toolsImage: enabled: true pullPolicy: Always dexImage: registry: ghcr.io repository: dexidp image: dex kanisterToolsImage: registry: ghcr.io repository: kanisterio image: kanister-tools pullPolicy: Always ingress: create: false tls: enabled: false class: "" #Ingress controller type host: "" #ingress object host name urlPath: "" #url path for k10 gateway pathType: "ImplementationSpecific" eula: accept: false #true value if EULA accepted license: "" #base64 encoded string provided by Kasten cluster: domainName: "cluster.local" #default value is cluster.local prometheus: # Disabling init container # which uses root cmds initChownData: enabled: false rbac: create: false alertmanager: enabled: false kubeStateMetrics: enabled: false networkPolicy: enabled: true nodeExporter: enabled: false pushgateway: enabled: false scrapeCAdvisor: false server: # UID and groupid are from prometheus helm chart enabled: true securityContext: runAsUser: 65534 runAsNonRoot: true runAsGroup: 65534 fsGroup: 65534 retention: 30d strategy: rollingUpdate: maxSurge: 100% maxUnavailable: 100% type: RollingUpdate persistentVolume: enabled: true storageClass: "" configMapOverrideName: k10-prometheus-config fullnameOverride: prometheus-server baseURL: /k10/prometheus/ prefixURL: /k10/prometheus serviceAccounts: alertmanager: create: false kubeStateMetrics: create: false nodeExporter: create: false pushgateway: create: false server: create: true jaeger: enabled: false agentDNS: "" service: externalPort: 8000 internalPort: 8000 aggregatedApiPort: 10250 gatewayAdminPort: 8877 secrets: awsAccessKeyId: '' awsSecretAccessKey: '' awsIamRole: '' googleApiKey: '' dockerConfig: '' dockerConfigPath: '' azureTenantId: '' azureClientId: '' azureClientSecret: '' azureResourceGroup: '' azureSubscriptionID: '' azureResourceMgrEndpoint: '' azureADEndpoint: '' azureADResourceID: '' azureCloudEnvID: '' apiTlsCrt: '' apiTlsKey: '' tlsSecret: '' ibmSoftLayerApiKey: '' ibmSoftLayerApiUsername: '' vsphereEndpoint: '' vsphereUsername: '' vspherePassword: '' metering: reportingKey: "" #[base64-encoded key] consumerId: "" #project: awsRegion: '' awsMarketPlaceIamRole: '' awsMarketplace: false # AWS cloud metering license mode awsManagedLicense: false # AWS managed license mode licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters serviceAccount: create: false name: "" mode: '' # controls metric and license reporting (set to `airgap` for private-network installs) redhatMarketplacePayg: false # Redhat cloud metering license mode reportCollectionPeriod: 1800 # metric report collection period in seconds reportPushPeriod: 3600 # metric report push period in seconds promoID: '' # sets the K10 promotion ID clusterName: '' executorReplicas: 3 logLevel: info externalGateway: create: false # Any standard service annotations annotations: {} # Host and domain name for the K10 API server fqdn: name: "" #Supported types route53-mapper, external-dns type: "" # ARN for the AWS ACM SSL certificate used in the K10 API server (load balancer) awsSSLCertARN: '' auth: groupAllowList: [] # - "group1" # - "group2" basicAuth: enabled: false secretName: "" #htpasswd based existing secret htpasswd: "" #htpasswd string, which will be used for basic auth tokenAuth: enabled: false oidcAuth: enabled: false providerURL: "" #URL to your OIDC provider redirectURL: "" #URL to the K10 gateway service scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email" prompt: "select_account" #The prompt type to be requested with the OIDC provider. Default is select_account. clientID: "" #ClientID given by the OIDC provider for K10 clientSecret: "" #ClientSecret given by the OIDC provider for K10 usernameClaim: "" #Claim to be used as the username usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts. logoutURL: "" #URL to your OIDC provider's logout endpoint #OIDC config based existing secret. #Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL. secretName: "" dex: enabled: false providerURL: "" redirectURL: "" openshift: enabled: false serviceAccount: "" #service account used as the OAuth client clientSecret: "" #The token from the service account dashboardURL: "" #The URL for accessing K10's dashboard openshiftURL: "" #The URL of the Openshift API server insecureCA: false useServiceAccountCA: false secretName: "" # The Kubernetes Secret that contains OIDC settings usernameClaim: "email" usernamePrefix: "" groupnameClaim: "groups" groupnamePrefix: "" ldap: enabled: false restartPod: false # Enable this value to force a restart of the authentication service pod dashboardURL: "" #The URL for accessing K10's dashboard host: "" insecureNoSSL: false insecureSkipVerifySSL: false startTLS: false bindDN: "" bindPW: "" bindPWSecretName: "" userSearch: baseDN: "" filter: "" username: "" idAttr: "" emailAttr: "" nameAttr: "" preferredUsernameAttr: "" groupSearch: baseDN: "" filter: "" userMatchers: [] # - userAttr: # groupAttr: nameAttr: "" secretName: "" # The Kubernetes Secret that contains OIDC settings usernameClaim: "email" usernamePrefix: "" groupnameClaim: "groups" groupnamePrefix: "" k10AdminUsers: [] k10AdminGroups: [] optionalColocatedServices: vbrintegrationapi: enabled: true cacertconfigmap: name: "" #Name of the configmap apiservices: deployed: true # If false APIService objects will not be deployed injectKanisterSidecar: enabled: false namespaceSelector: matchLabels: {} # Set objectSelector to filter workloads objectSelector: matchLabels: {} webhookServer: port: 8080 # should not conflict with config server port (8000) kanisterPodCustomLabels : "" kanisterPodCustomAnnotations : "" kanisterPodMetricSidecar: enabled: false metricLifetime: "720h" pushGatewayInterval: "1m" genericVolumeSnapshot: resources: requests: memory: "" cpu: "" limits: memory: "" cpu: "" garbagecollector: daemonPeriod: 21600 keepMaxActions: 1000 importRunActions: enabled: false retireActions: enabled: false resources: {} services: executor: hostNetwork: false workerCount: 8 maxConcurrentRestoreCsiSnapshots: 3 maxConcurrentRestoreGenericVolumeSnapshots: 3 maxConcurrentRestoreWorkloads: 3 dashboardbff: hostNetwork: false securityContext: runAsUser: 1000 fsGroup: 1000 aggregatedapis: hostNetwork: false apigateway: serviceResolver: dns limiter: genericVolumeSnapshots: 10 genericVolumeCopies: 10 genericVolumeRestores: 10 csiSnapshots: 10 providerSnapshots: 10 gateway: insecureDisableSSLVerify: false exposeAdminPort: true resources: requests: memory: 300Mi cpu: 200m limits: memory: 1Gi cpu: 1000m kanister: backupTimeout: 45 restoreTimeout: 600 deleteTimeout: 45 hookTimeout: 20 checkRepoTimeout: 20 statsTimeout: 20 efsPostRestoreTimeout: 45 podReadyWaitTimeout: 15 awsConfig: assumeRoleDuration: "" efsBackupVaultName: "k10vault" excludedApps: [] grafana: enabled: true prometheusName: prometheus-server prometheusPrefixURL: /k10/prometheus rbac: namespaced: true pspEnabled: false extraLabels: component: grafana podLabels: component: grafana encryption: primaryKey: # primaryKey is used for enabling encryption of K10 primary key awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key vaultTransitKeyName: '' vaultTransitPath: '' vmWare: taskTimeoutMin: 60 azure: useDefaultMSI: false vault: role: "" # Role that was bound to the service account name and namespace from cluster serviceAccountTokenPath: "" # This will default to /var/run/secrets/kubernetes.io/serviceaccount/token within the code if left blank address: "http://vault.vault.svc:8200" # Address for dev mode in cluster vault server in vault namespace secretName: "" # Ensures backward compatibility for now. We can remove once we tell all customers this is deprecated. # This is how the token can be passed into default if K8S auth mode fails for whatever reason. kubeVirtVMs: snapshot: unfreezeTimeout: "5m" reporting: pdfReports: true