
{
"$schema": "https://json-schema.org/draft-07/schema#",
"title": "NGINX Service Mesh Values",
"type": "object",
"properties": {
"mtls": {
"type": "object",
"properties": {
"mode": {
"description": "mTLS mode for pod-to-pod communication: off disables mTLS, permissive (the default) accepts both mTLS and non-mTLS traffic, strict requires mTLS for all pod-to-pod traffic",
"type": "string",
"enum": ["off", "permissive", "strict"],
"default": "permissive"
},
"caTTL": {
"description": "The CA/signing key TTL in hours (h). Min value 24h. Max value 999999h.",
"type": "string",
"pattern": "^1[0-9]{2,5}(h)|2[4-9](h)|2[0-9][0-9]{1,5}(h)|[3-9][0-9]{1,5}(h)$",
"default": "720h"
},
"svidTTL": {
"description": "The TTL of certificates issued to workloads in hours (h) or minutes (m). Max value is 999999. Shorter TTLs limit how long a leaked workload certificate remains usable; keep this well below caTTL.",
"type": "string",
"pattern": "^[1-9][0-9]{0,5}(h|m)$",
"default": "1h"
},
"trustDomain": {
"description": "The trust domain of the NGINX Service Mesh. Set this to a domain unique to your deployment; the example.org default is a placeholder and should not be used in production",
"type": "string",
"default": "example.org"
},
"persistentStorage": {
"description": "Use persistent storage",
"type": "string",
"enum": ["on", "off"],
"default": "on"
},
"spireServerKeyManager": {
"description": "Storage logic for SPIRE Server's private keys: disk persists them to the server's storage, memory keeps them only in process memory so they do not survive a restart",
"type": "string",
"enum": ["disk", "memory"],
"default": "disk"
},
"caKeyType": {
"description": "The key type used for the SPIRE Server CA",
"type": "string",
"enum": [
"ec-p256",
"ec-p384",
"rsa-2048",
"rsa-4096"
],
"default": "ec-p256"
},
"upstreamAuthority": {
"description": "Upstream authority settings",
"type": "object",
"properties": {
"disk": {
"description": "Disk object",
"type": "object",
"properties": {
"cert": {
"description": "Contents of your PEM encoded certificate file",
"type": "string",
"minLength": 1
},
"key": {
"description": "Contents of your PEM encoded private key file for the upstream CA (sensitive: keep it out of committed values files and shell history, e.g. supply it with --set-file)",
"type": "string",
"minLength": 1
},
"bundle": {
"description": "Contents of your CA bundle file",
"type": "string"
}
},
"required": ["cert", "key"]
},
"awsPCA": {
"description": "AWS PCA object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certificateAuthorityArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string"
},
"awsSecretAccessKey": {
"description": "AWS secret access key (sensitive). Prefer ambient or assumed-role credentials via assumeRoleArn over static keys where possible",
"type": "string"
},
"caSigningTemplateArn": {
"description": "ARN of the signing template to use for the server's CA",
"type": "string"
},
"signingAlgorithm": {
"description": "Signing algorithm to use for the server's CA",
"type": "string"
},
"assumeRoleArn": {
"description": "ARN of an IAM role to assume",
"type": "string"
},
"endpoint": {
"description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint",
"type": "string"
},
"supplementalBundle": {
"description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle",
"type": "string"
}
},
"required": ["region", "certificateAuthorityArn"]
},
"awsSecret": {
"description": "AWS Secret object",
"type": "object",
"properties": {
"region": {
"description": "AWS region to use",
"type": "string",
"minLength": 1
},
"certFileArn": {
"description": "ARN of the upstream CA certificate",
"type": "string",
"minLength": 1
},
"keyFileArn": {
"description": "ARN of the upstream CA key file",
"type": "string",
"minLength": 1
},
"awsAccessKeyID": {
"description": "AWS access key ID",
"type": "string"
},
"awsSecretKeyID": {
"description": "AWS secret access key (sensitive)",
"type": "string"
},
"awsSecretToken": {
"description": "AWS session token to use with temporary credentials (sensitive)",
"type": "string"
},
"assumeRoleArn": {
"description": "ARN of role to assume",
"type": "string"
}
},
"required": [
"region",
"certFileArn",
"keyFileArn"
]
},
"vault": {
"description": "Vault object",
"type": "object",
"properties": {
"vaultAddr": {
"description": "URL of the Vault server",
"type": "string",
"minLength": 1
},
"namespace": {
"description": "Vault namespace",
"type": "string",
"minLength": 1
},
"caCert": {
"description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate",
"type": "string",
"minLength": 1
},
"pkiMountPoint": {
"description": "Name of the mount point where the PKI secret engine is mounted",
"type": "string",
"default": "pki"
},
"insecureSkipVerify": {
"description": "If true, the Vault client skips verification of the server certificate and accepts any certificate, which exposes the Vault credentials and the issued CA material to a man-in-the-middle; leave false outside of local testing",
"type": "boolean",
"default": false
},
"certAuth": {
"description": "Client certificate authentication object",
"type": "object",
"properties": {
"clientCert": {
"description": "Contents of your client cert file",
"type": "string",
"minLength": 1
},
"clientKey": {
"description": "Contents of your client key file",
"type": "string",
"minLength": 1
},
"certAuthMountPoint": {
"description": "Name of the mount point where TLS certificate auth method is mounted",
"type": "string",
"default": "cert"
},
"certAuthRoleName": {
"description": "Name of the Vault role. If given, the plugin authenticates against only the named role; otherwise it tries all roles.",
"type": "string"
}
},
"required": ["clientCert", "clientKey"]
},
"tokenAuth": {
"description": "Token authentication object",
"type": "object",
"properties": {
"token": {
"description": "Vault token sent in the X-Vault-Token header (sensitive; use a token whose policy is limited to signing on the PKI mount)",
"type": "string",
"minLength": 1
}
},
"required": ["token"]
},
"approleAuth": {
"description": "AppRole authentication object",
"type": "object",
"properties": {
"approleID": {
"description": "An identifier of AppRole",
"type": "string",
"minLength": 1
},
"approleSecretID": {
"description": "A credential of AppRole",
"type": "string",
"minLength": 1
},
"approleAuthMountPoint": {
"description": "Name of the mount point where the AppRole auth method is mounted",
"type": "string",
"default": "approle"
}
},
"required": ["approleID", "approleSecretID"]
}
},
"required": [
"vaultAddr",
"namespace",
"caCert"
],
"oneOf": [
{"required": ["certAuth"]},
{"required": ["tokenAuth"]},
{"required": ["approleAuth"]}
]
},
"certManager": {
"description": "Cert Manager object",
"type": "object",
"properties": {
"namespace": {
"description": "The namespace to create CertificateRequests for signing",
"type": "string",
"minLength": 1
},
"issuerName": {
"description": "The name of the issuer to reference in CertificateRequests",
"type": "string",
"minLength": 1
},
"issuerKind": {
"description": "The kind of the issuer to reference in CertificateRequests",
"type": "string",
"default": "Issuer"
},
"issuerGroup": {
"description": "The group of the issuer to reference in CertificateRequests",
"type": "string",
"default": "cert-manager.io"
},
"kubeConfig": {
"description": "Contents of the kubeconfig file used to connect to the Kubernetes cluster (sensitive: it grants cluster access, so use credentials limited to creating CertificateRequests in the configured namespace)",
"type": "string"
}
},
"required": ["namespace", "issuerName"]
}
},
"oneOf": [
{"$ref": "#/definitions/emptyObject"},
{"required": ["disk"]},
{"required": ["awsPCA"]},
{"required": ["awsSecret"]},
{"required": ["vault"]},
{"required": ["certManager"]}
]
}
},
"required": [
"mode",
"caTTL",
"svidTTL",
"trustDomain",
"persistentStorage",
"spireServerKeyManager"
]
},
"registry": {
"description": "NGINX Service Mesh image registry settings",
"type": "object",
"properties": {
"server": {
"description": "Hostname:port (if needed) for registry and path to images",
"type": "string",
"default": "docker-registry.nginx.com/nsm"
},
"imageTag": {
"description": "Tag used for pulling images from registry",
"type": "string",
"default": "2.0.0"
},
"key": {
"description": "Contents of your Google Cloud JSON key file for the registry (sensitive)",
"type": "string"
},
"username": {
"description": "Username for accessing private registry",
"type": "string"
},
"password": {
"description": "Password for accessing private registry (sensitive)",
"type": "string"
},
"disablePublicImages": {
"description": "Disable the pulling of third party images from public repositories",
"type": "boolean",
"default": false
},
"imagePullPolicy": {
"description": "Image pull policy",
"type": "string",
"enum": [
"Never",
"IfNotPresent",
"Always"
],
"default": "IfNotPresent"
}
},
"oneOf": [
{
"properties": {
"username": {"$ref": "#/definitions/nonEmptyString"},
"password": {"$ref": "#/definitions/nonEmptyString"},
"key": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"key": {"$ref": "#/definitions/nonEmptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
},
{
"properties": {
"key": {"$ref": "#/definitions/emptyString"},
"username": {"$ref": "#/definitions/emptyString"},
"password": {"$ref": "#/definitions/emptyString"}
}
}
],
"required": [
"server",
"imageTag",
"disablePublicImages",
"imagePullPolicy"
]
},
"accessControlMode": {
"description": "Default access control mode for service-to-service traffic not covered by an explicit access-control policy: allow permits it, deny blocks it (default-deny)",
"type": "string",
"enum": ["allow", "deny"]
},
"environment": {
"description": "Environment to deploy the mesh into",
"type": "string",
"enum": ["kubernetes", "openshift"]
},
"enableUDP": {
"description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.",
"type": "boolean"
},
"nginxErrorLogLevel": {
"description": "NGINX error log level",
"type": "string",
"enum": [
"debug",
"info",
"notice",
"warn",
"error",
"crit",
"alert",
"emerg"
]
},
"nginxLogFormat": {
"description": "NGINX log format",
"type": "string",
"enum": ["default", "json"]
},
"nginxLBMethod": {
"description": "NGINX load balancing method",
"type": "string",
"enum": [
"least_conn",
"least_time",
"least_time last_byte",
"least_time last_byte inflight",
"random",
"random two",
"random two least_conn",
"random two least_time",
"random two least_time=last_byte",
"round_robin"
]
},
"clientMaxBodySize": {
"description": "NGINX client max body size",
"type": "string",
"pattern": "^\\d+[kKmMgG]?$"
},
"prometheusAddress": {
"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
"type": "string"
},
"telemetry": {
"description": "NGINX Service Mesh telemetry settings",
"type": "object",
"oneOf": [
{"$ref": "#/definitions/telemetryConfig"},
{"$ref": "#/definitions/emptyObject"}
]
}
},
"definitions": {
"nonEmptyString": {
"type": "string",
"minLength": 1
},
"emptyString": {
"type": "string",
"const": ""
},
"nonEmptyArray": {
"type": "array",
"minItems": 1
},
"emptyArray": {
"type": "array",
"maxItems": 0
},
"emptyObject": {
"type": "object",
"additionalProperties": false,
"properties": {}
},
"telemetryConfig": {
"properties": {
"samplerRatio": {
"description": "The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
},
"exporters": {
"type": "object",
"properties": {
"otlp": {
"type": "object",
"description": "The configuration for an OTLP gRPC exporter",
"properties": {
"host": {
"description": "The host of the OpenTelemetry gRPC exporter to connect to",
"type": "string",
"minLength": 1
},
"port": {
"description": "The port of the OpenTelemetry gRPC exporter to connect to",
"type": "number",
"minimum": 0,
"maximum": 65535
}
},
"required": ["host", "port"]
}
}
}
},
"required": ["samplerRatio", "exporters"]
}
},
"required": [
"mtls",
"registry",
"accessControlMode",
"environment",
"nginxErrorLogLevel",
"nginxLogFormat",
"nginxLBMethod"
]
}