270 lines
8.1 KiB
YAML
270 lines
8.1 KiB
YAML
## Confluent operator name
|
|
##
|
|
name: confluent-operator
|
|
##
|
|
## license Key
|
|
##
|
|
licenseKey: ""
|
|
##
|
|
## Load license either from the secret or through directoryPath.
|
|
## This will take precedence over licenseKey field.
|
|
##
|
|
license:
|
|
##
|
|
## The license secret reference name is injected through
|
|
## CONFLUENT_LICENSE_SECRET_NAME environment variable.
|
|
## The expected key: license.txt. license.txt contains raw license data.
|
|
## For backward compatibility, licenseSecretRef field takes precedence if configured.
|
|
secretRef: ""
|
|
## The directoryPathInContainer value is injected through
|
|
## CONFLUENT_LICENSE_DIRECTORY_PATH environment variable.
|
|
## The expected key: license.txt. license.txt file must have value in pattern `license=<replace_with_key>`.
|
|
##
|
|
## This configuration takes precedence over license.secretRef or licenseSecretRef field.
|
|
##
|
|
directoryPathInContainer: ""
|
|
|
|
##
|
|
## AutoGenerated certificates configuration.
|
|
## We will continue using older model of reading CA from secret "ca-pair-sslcerts" unless
|
|
## managedCerts.enabled is set to true.
|
|
##
|
|
managedCerts:
|
|
##
|
|
## Denotes whether CFK managed certs are configured with helm values. If this is set to true
|
|
## values below will be used for auto-generated certificates and will cause a cluster roll
|
|
## first time after this is enabled.
|
|
##
|
|
enabled: false
|
|
##
|
|
## CA certificate pair for AutoGenerated certificates in this CFK operator deployment.
|
|
##
|
|
caCertificate:
|
|
##
|
|
## CA pair secret reference name is injected through
|
|
## CONFLUENT_MANAGED_CERTS_SECRET_NAME environment variable.
|
|
## The expected keys are tls.crt and tls.key for CA Certificate and CA Certificate Key
|
|
## respectively.
|
|
##
|
|
secretRef: ""
|
|
## The directoryPathInContainer value for CA pair certificates are injected through
|
|
## CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH environment variable.
|
|
## The expected files are tls.crt and tls.key for CA Certificate and CA Certificate Key
|
|
## respectively.
|
|
##
|
|
directoryPathInContainer: ""
|
|
##
|
|
## Validity for Auto-generated certificates is injected through
|
|
## CONFLUENT_MANAGED_CERTS_DURATION_DAYS environment variable.
|
|
##
|
|
certDurationInDays: 60
|
|
##
|
|
## Renewal time for Auto-generated certificates is injected through
|
|
## CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS environment variable.
|
|
##
|
|
renewBeforeInDays: 30
|
|
##
|
|
## SANs to be added for all auto-generated certificates generated by this
|
|
## CFK operator. This is injected through CONFLUENT_MANAGED_CERTS_SANS
|
|
## environment variable.
|
|
## Use this for adding wild card SANs. Modifying this will trigger regeneration of
|
|
## certs for all CP clusters managed by the CFK operator.
|
|
##
|
|
sans: ""
|
|
|
|
###
|
|
## Image pull secret
|
|
imagePullSecretRef: confluent-registry
|
|
## Confluent Operator Image Information
|
|
##
|
|
image:
|
|
registry: docker.io
|
|
repository: confluentinc/confluent-operator
|
|
pullPolicy: IfNotPresent
|
|
tag: "0.1033.22"
|
|
|
|
###
|
|
## Priority class for Confluent Operator pod
|
|
priorityClassName: ""
|
|
## Number of pods for Operator
|
|
## Enables leader election if more than one replica
|
|
replicas: 1
|
|
## Confluent Operator Cluster Access
|
|
## If true, operator only creates roles/rolebinding for the release namespace
|
|
## Otherwise, it has cluster access with clusterrole/clusterrrolebinding
|
|
namespaced: true
|
|
### list of namespaces to watch by operator
|
|
### This field only takes in effect if `namespaced=true`. By default, it will only watch the release namespace
|
|
### Otherwise, it will watch specified namespaces. If watching only release namespace, do not specify this field
|
|
namespaceList: []
|
|
## Confluent Operator Pod Resources
|
|
##
|
|
resources:
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
## Pod termination grace-period
|
|
##
|
|
terminationGracePeriodSeconds: 30
|
|
## Enable debugging
|
|
##
|
|
debug: false
|
|
## Enable Fips Mode
|
|
##
|
|
fipsmode: false
|
|
## Set number of day2 workers
|
|
##
|
|
numDay2Worker: ""
|
|
##
|
|
## Configure affinity,
|
|
## More information here https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
|
##
|
|
affinity: {}
|
|
## Example for nodeAffinity, configure as required.
|
|
##affinity:
|
|
## nodeAffinity:
|
|
## requiredDuringSchedulingIgnoredDuringExecution:
|
|
## nodeSelectorTerms:
|
|
## - matchExpressions:
|
|
## - key: "node-role.kubernetes.io/compute"
|
|
## operator: In
|
|
## values:
|
|
## - "true"
|
|
|
|
##
|
|
## Configure tolerations
|
|
## https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
|
##
|
|
tolerations: []
|
|
##
|
|
##tolerations:
|
|
##- key: "dedicated"
|
|
## operator: "Equal"
|
|
## value: "operator"
|
|
## effect: "NoSchedule"
|
|
|
|
## Pod Security Context
|
|
##
|
|
podSecurity:
|
|
enabled: true
|
|
securityContext:
|
|
fsGroup: 1001
|
|
runAsUser: 1001
|
|
runAsNonRoot: true
|
|
|
|
## Container Security Context
|
|
## Container security context overrides security context defined at pod level.
|
|
## For example following container security context would override the
|
|
## default PodSecurityContext defined above
|
|
##
|
|
## securityContext:
|
|
## runAsUser: 2001
|
|
## runAsNonRoot: false
|
|
##
|
|
## Refer to this documentation on how configure security context for container
|
|
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-containerh
|
|
##
|
|
containerSecurity:
|
|
enabled: false
|
|
securityContext: {}
|
|
|
|
##
|
|
## ServiceAccount
|
|
## If enabled it will create, otherwise it will
|
|
## not create
|
|
##
|
|
serviceAccount:
|
|
create: true
|
|
name: ""
|
|
## Enable Kubernetes RBAC
|
|
## When set to true, it will create a proper role/rolebinding or cluster/clusterrolebinding based on namespaced field.
|
|
## If a user doesn't have permission to create role/rolebinding then they can disable rbac field and
|
|
## create required resources out of band to be used by the Operator. In this case, follow the
|
|
## templates/clusterrole.yaml and templates/clusterrolebiding.yaml to create proper required resources.
|
|
rbac: true
|
|
|
|
## Enable extra Kubernetes API groups in role/clusterrole resource
|
|
## When set to true, it will add apiGroups to role/clusterrole for OpenShift route resource
|
|
clusterRole:
|
|
openshift: true
|
|
|
|
###
|
|
### Confluent Telemetry Report configuration
|
|
## The secretRef contains following data,
|
|
## telemetry.txt: |-
|
|
## api.key=<api_key>
|
|
## api.secret=<api_secret>
|
|
## proxy.url=<proxy_url> # only required if proxy is enabled
|
|
## proxy.username=<proxy_username> # only required if proxy requires credential
|
|
## proxy.password=<proxy_password>
|
|
##
|
|
telemetry:
|
|
operator:
|
|
enabled: false
|
|
enabled: false
|
|
proxy:
|
|
enabled: false
|
|
credentialRequired: false
|
|
secretRef: ""
|
|
## To use directoryPathInContainer, need to make sure
|
|
## you mount telemetry.txt in the path you provided here in each pod
|
|
directoryPathInContainer: ""
|
|
|
|
## In case of KRaft, we need to preserve the KRaft ClusterID in PV annotation
|
|
## for disaster recovery case. Enabling this ensures we create proper ClusterRoles
|
|
## to be able to set this annotation in PersistentVolumes.
|
|
kRaftEnabled: false
|
|
|
|
###
|
|
### Webhooks configuration
|
|
## To enable webhooks, it requires TLS certificates to set up webhook server,
|
|
## which used for secure communication between webhook server and kubernetes api server.
|
|
## Please provide the TLS keys and certificates with format as mentioned in this doc:
|
|
## https://docs.confluent.io/operator/current/co-network-encryption.html#provide-tls-keys-and-certificates-in-pem-format.
|
|
## The certificate must have the Subject Alternative Name (SAN) of the form: confluent-operator.<namespace>.svc
|
|
webhooks:
|
|
enabled: false
|
|
port: 8443
|
|
tls:
|
|
secretRef: ""
|
|
directoryPathInContainer: ""
|
|
|
|
##
|
|
## Pod annotations/labels configurations
|
|
##
|
|
pod:
|
|
annotations:
|
|
prometheus.io/path: "/metrics"
|
|
prometheus.io/port: "7778"
|
|
prometheus.io/scrape: "true"
|
|
labels: {}
|
|
# labels:
|
|
# key: "value"
|
|
|
|
##
|
|
## Load license from the secret reference
|
|
## +Deprecated, use license.secretRef instead.
|
|
##
|
|
licenseSecretRef: ""
|
|
|
|
##
|
|
## Volumes to mount on CFK operator
|
|
## Refer to the Kubernetes volume/volumeMounts format: https://kubernetes.io/docs/concepts/storage/volumes/
|
|
##
|
|
## Example with a PVC.
|
|
## mountedVolumes:
|
|
## volumes:
|
|
## - name: custom-volume
|
|
## persistentVolumeClaim:
|
|
## claimName: pvc-test
|
|
## volumeMounts:
|
|
## - name: custom-volume
|
|
## mountPath: /mnt/<path_of_your_choice>
|
|
##
|
|
mountedVolumes:
|
|
volumes: []
|
|
volumeMounts: []
|