525 lines
17 KiB
JSON
525 lines
17 KiB
JSON
{
|
|
"$schema": "https://json-schema.org/draft-07/schema#",
|
|
"title": "NGINX Service Mesh Values",
|
|
"type": "object",
|
|
"properties": {
|
|
"mtls": {
|
|
"type": "object",
|
|
"properties": {
|
|
"mode": {
|
|
"description": "mTLS mode for pod-to-pod communication",
|
|
"type": "string",
|
|
"enum": ["off", "permissive", "strict"],
|
|
"default": "permissive"
|
|
},
|
|
"caTTL": {
|
|
"description": "The CA/signing key TTL in hours(h). Min value 24h. Max value 999999h.",
|
|
"type": "string",
|
|
"pattern": "^1[0-9]{2,5}(h)|2[4-9](h)|2[0-9][0-9]{1,5}(h)|[3-9][0-9]{1,5}(h)$",
|
|
"default": "720h"
|
|
},
|
|
"svidTTL": {
|
|
"description": "The TTL of certificates issued to workloads in hours(h) or minutes(m). Max value is 999999.",
|
|
"type": "string",
|
|
"pattern": "^[1-9][0-9]{0,5}(h|m)$",
|
|
"default": "1h"
|
|
},
|
|
"trustDomain": {
|
|
"description": "The trust domain of the NGINX Service Mesh",
|
|
"type": "string",
|
|
"default": "example.org"
|
|
},
|
|
"persistentStorage": {
|
|
"description": "Use persistent storage",
|
|
"type": "string",
|
|
"enum": ["on", "off"],
|
|
"default": "on"
|
|
},
|
|
"spireServerKeyManager": {
|
|
"description": "Storage logic for SPIRE Server's private keys",
|
|
"type": "string",
|
|
"enum": ["disk", "memory"],
|
|
"default": "disk"
|
|
},
|
|
"caKeyType": {
|
|
"description": "The key type used for the SPIRE Server CA",
|
|
"type": "string",
|
|
"enum": [
|
|
"ec-p256",
|
|
"ec-p384",
|
|
"rsa-2048",
|
|
"rsa-4096"
|
|
],
|
|
"default": "ec-p256"
|
|
},
|
|
"upstreamAuthority": {
|
|
"description": "Upstream authority settings",
|
|
"type": "object",
|
|
"properties": {
|
|
"disk": {
|
|
"description": "Disk object",
|
|
"type": "object",
|
|
"properties": {
|
|
"cert": {
|
|
"description": "Contents of your PEM encoded certificate file",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"key": {
|
|
"description": "Contents of your PEM encoded key file",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"bundle": {
|
|
"description": "Contents of your CA bundle file",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["cert", "key"]
|
|
},
|
|
"awsPCA": {
|
|
"description": "AWS PCA object",
|
|
"type": "object",
|
|
"properties": {
|
|
"region": {
|
|
"description": "AWS region to use",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"certificateAuthorityArn": {
|
|
"description": "ARN of the upstream CA certificate",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"awsAccessKeyID": {
|
|
"description": "AWS access key ID",
|
|
"type": "string"
|
|
},
|
|
"awsSecretAccessKey": {
|
|
"description": "AWS secret access key",
|
|
"type": "string"
|
|
},
|
|
"caSigningTemplateArn": {
|
|
"description": "ARN of the signing template to use for the server's CA",
|
|
"type": "string"
|
|
},
|
|
"signingAlgorithm": {
|
|
"description": "Signing algorithm to use for the server's CA",
|
|
"type": "string"
|
|
},
|
|
"assumeRoleArn": {
|
|
"description": " ARN of an IAM role to assume",
|
|
"type": "string"
|
|
},
|
|
"endpoint": {
|
|
"description": "Endpoint as hostname or fully-qualified URI that overrides the default endpoint",
|
|
"type": "string"
|
|
},
|
|
"supplementalBundle": {
|
|
"description": "Contents of a PEM encoded CA certificates file that should be additionally included in the bundle",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["region", "certificateAuthorityArn"]
|
|
},
|
|
"awsSecret": {
|
|
"description": "AWS Secret object",
|
|
"type": "object",
|
|
"properties": {
|
|
"region": {
|
|
"description": "AWS region to use",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"certFileArn": {
|
|
"description": "ARN of the upstream CA certificate",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"keyFileArn": {
|
|
"description": "ARN of the upstream CA key file",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"awsAccessKeyID": {
|
|
"description": "AWS access key ID",
|
|
"type": "string"
|
|
},
|
|
"awsSecretKeyID": {
|
|
"description": "AWS secret access key",
|
|
"type": "string"
|
|
},
|
|
"awsSecretToken": {
|
|
"description": "AWS secret token",
|
|
"type": "string"
|
|
},
|
|
"assumeRoleArn": {
|
|
"description": "ARN of role to assume",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"region",
|
|
"certFileArn",
|
|
"keyFileArn"
|
|
]
|
|
},
|
|
"vault": {
|
|
"description": "Vault object",
|
|
"type": "object",
|
|
"properties": {
|
|
"vaultAddr": {
|
|
"description": "URL of the Vault server",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"namespace": {
|
|
"description": "Vault namespace",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"caCert": {
|
|
"description": "Contents of a PEM encoded CA certificate file to verify the Vault server certificate",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"pkiMountPoint": {
|
|
"description": "Name of the mount point where the PKI secret engine is mounted",
|
|
"type": "string",
|
|
"default": "pki"
|
|
},
|
|
"insecureSkipVerify": {
|
|
"description": "If true, vault client accepts any server certificates",
|
|
"type": "boolean",
|
|
"default": false
|
|
},
|
|
"certAuth": {
|
|
"description": "Client certificate authentication object",
|
|
"type": "object",
|
|
"properties": {
|
|
"clientCert": {
|
|
"description": "Contents of your client cert file",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"clientKey": {
|
|
"description": "Contents of your client key file",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"certAuthMountPoint": {
|
|
"description": "Name of the mount point where TLS certificate auth method is mounted",
|
|
"type": "string",
|
|
"default": "cert"
|
|
},
|
|
"certAuthRoleName": {
|
|
"description": "Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["clientCert", "clientKey"]
|
|
},
|
|
"tokenAuth": {
|
|
"description": "Token authentication object",
|
|
"type": "object",
|
|
"properties": {
|
|
"token": {
|
|
"description": "Token string set into X-Vault-Token header",
|
|
"type": "string",
|
|
"minLength": 1
|
|
}
|
|
},
|
|
"required": ["token"]
|
|
},
|
|
"approleAuth": {
|
|
"description": "AppRole authentication object",
|
|
"type": "object",
|
|
"properties": {
|
|
"approleID": {
|
|
"description": "An identifier of AppRole",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"approleSecretID": {
|
|
"description": "A credential of AppRole",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"approleAuthMountPoint": {
|
|
"description": "Name of the mount point where the AppRole auth method is mounted",
|
|
"type": "string",
|
|
"default": "approle"
|
|
}
|
|
},
|
|
"required": ["approleID", "approleSecretID"]
|
|
}
|
|
},
|
|
"required": [
|
|
"vaultAddr",
|
|
"namespace",
|
|
"caCert"
|
|
],
|
|
"oneOf": [
|
|
{"required": ["certAuth"]},
|
|
{"required": ["tokenAuth"]},
|
|
{"required": ["approleAuth"]}
|
|
]
|
|
},
|
|
"certManager": {
|
|
"description": "Cert Manager object",
|
|
"type": "object",
|
|
"properties": {
|
|
"namespace": {
|
|
"description": "The namespace to create CertificateRequests for signing",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"issuerName": {
|
|
"description": "The name of the issuer to reference in CertificateRequests",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"issuerKind": {
|
|
"description": "The kind of the issuer to reference in CertificateRequests",
|
|
"type": "string",
|
|
"default": "Issuer"
|
|
},
|
|
"issuerGroup": {
|
|
"description": "The group of the issuer to reference in CertificateRequests",
|
|
"type": "string",
|
|
"default": "cert-manager.io"
|
|
},
|
|
"kubeConfig": {
|
|
"description": "Contents of the kubeconfig file used to connect to the Kubernetes cluster",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": ["namespace", "issuerName"]
|
|
}
|
|
},
|
|
"oneOf": [
|
|
{"$ref": "#/definitions/emptyObject"},
|
|
{"required": ["disk"]},
|
|
{"required": ["awsPCA"]},
|
|
{"required": ["awsSecret"]},
|
|
{"required": ["vault"]},
|
|
{"required": ["certManager"]}
|
|
]
|
|
}
|
|
},
|
|
"required": [
|
|
"mode",
|
|
"caTTL",
|
|
"svidTTL",
|
|
"trustDomain",
|
|
"persistentStorage",
|
|
"spireServerKeyManager"
|
|
]
|
|
},
|
|
"registry": {
|
|
"description": "NGINX Service Mesh image registry settings",
|
|
"type": "object",
|
|
"properties": {
|
|
"server": {
|
|
"description": "Hostname:port (if needed) for registry and path to images",
|
|
"type": "string",
|
|
"default": "docker-registry.nginx.com/nsm"
|
|
},
|
|
"imageTag": {
|
|
"description": "Tag used for pulling images from registry",
|
|
"type": "string",
|
|
"default": "2.0.0"
|
|
},
|
|
"key": {
|
|
"description": "Contents of your Google Cloud JSON key file",
|
|
"type": "string"
|
|
},
|
|
"username": {
|
|
"description": "Username for accessing private registry",
|
|
"type": "string"
|
|
},
|
|
"password": {
|
|
"description": "Password for accessing private registry",
|
|
"type": "string"
|
|
},
|
|
"disablePublicImages": {
|
|
"description": "Disable the pulling of third party images from public repositories",
|
|
"type": "boolean",
|
|
"default": false
|
|
},
|
|
"imagePullPolicy": {
|
|
"description": "Image pull policy",
|
|
"type": "string",
|
|
"enum": [
|
|
"Never",
|
|
"IfNotPresent",
|
|
"Always"
|
|
],
|
|
"default": "IfNotPresent"
|
|
}
|
|
},
|
|
"oneOf": [
|
|
{
|
|
"properties": {
|
|
"username": {"$ref": "#/definitions/nonEmptyString"},
|
|
"password": {"$ref": "#/definitions/nonEmptyString"},
|
|
"key": {"$ref": "#/definitions/emptyString"}
|
|
}
|
|
},
|
|
{
|
|
"properties": {
|
|
"key": {"$ref": "#/definitions/nonEmptyString"},
|
|
"username": {"$ref": "#/definitions/emptyString"},
|
|
"password": {"$ref": "#/definitions/emptyString"}
|
|
}
|
|
},
|
|
{
|
|
"properties": {
|
|
"key": {"$ref": "#/definitions/emptyString"},
|
|
"username": {"$ref": "#/definitions/emptyString"},
|
|
"password": {"$ref": "#/definitions/emptyString"}
|
|
}
|
|
}
|
|
],
|
|
"required": [
|
|
"server",
|
|
"imageTag",
|
|
"disablePublicImages",
|
|
"imagePullPolicy"
|
|
]
|
|
},
|
|
"accessControlMode": {
|
|
"description": "Default access control mode for service-to-service communication",
|
|
"type": "string",
|
|
"enum": ["allow", "deny"]
|
|
},
|
|
"environment": {
|
|
"description": "Environment to deploy the mesh into",
|
|
"type": "string",
|
|
"enum": ["kubernetes", "openshift"]
|
|
},
|
|
"enableUDP": {
|
|
"description": "Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.",
|
|
"type": "boolean"
|
|
},
|
|
"nginxErrorLogLevel": {
|
|
"description": "NGINX error log level",
|
|
"type": "string",
|
|
"enum": [
|
|
"debug",
|
|
"info",
|
|
"notice",
|
|
"warn",
|
|
"error",
|
|
"crit",
|
|
"alert",
|
|
"emerg"
|
|
]
|
|
},
|
|
"nginxLogFormat": {
|
|
"description": "NGINX log format",
|
|
"type": "string",
|
|
"enum": ["default", "json"]
|
|
},
|
|
"nginxLBMethod": {
|
|
"description": "NGINX load balancing method",
|
|
"type": "string",
|
|
"enum": [
|
|
"least_conn",
|
|
"least_time",
|
|
"least_time last_byte",
|
|
"least_time last_byte inflight",
|
|
"random",
|
|
"random two",
|
|
"random two least_conn",
|
|
"random two least_time",
|
|
"random two least_time=last_byte",
|
|
"round_robin"
|
|
]
|
|
},
|
|
"clientMaxBodySize": {
|
|
"description": "NGINX client max body size",
|
|
"type": "string",
|
|
"pattern": "^\\d+[kKmMgG]?$"
|
|
},
|
|
"prometheusAddress": {
|
|
"description": "The address of a Prometheus server deployed in your Kubernetes cluster",
|
|
"type": "string"
|
|
},
|
|
"telemetry": {
|
|
"description": "NGINX Service Mesh telemetry settings",
|
|
"type": "object",
|
|
"oneOf": [
|
|
{"$ref": "#/definitions/telemetryConfig"},
|
|
{"$ref": "#/definitions/emptyObject"}
|
|
]
|
|
}
|
|
},
|
|
"definitions": {
|
|
"nonEmptyString": {
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"emptyString": {
|
|
"type": "string",
|
|
"const": ""
|
|
},
|
|
"nonEmptyArray": {
|
|
"type": "array",
|
|
"minItems": 1
|
|
},
|
|
"emptyArray": {
|
|
"type": "array",
|
|
"maxItems": 0
|
|
},
|
|
"emptyObject": {
|
|
"type": "object",
|
|
"additionalProperties": false,
|
|
"properties": {}
|
|
},
|
|
"telemetryConfig": {
|
|
"properties": {
|
|
"samplerRatio": {
|
|
"description": "The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1",
|
|
"type": "number",
|
|
"minimum": 0.0,
|
|
"maximum": 1.0
|
|
},
|
|
"exporters": {
|
|
"type": "object",
|
|
"properties": {
|
|
"otlp": {
|
|
"type": "object",
|
|
"description": "The configuration for an OTLP gRPC exporter",
|
|
"properties": {
|
|
"host": {
|
|
"description": "The host of the OpenTelemetry gRPC exporter to connect to",
|
|
"type": "string",
|
|
"minLength": 1
|
|
},
|
|
"port": {
|
|
"description": "The port of the OpenTelemetry gRPC exporter to connect to",
|
|
"type": "number",
|
|
"minimum": 0,
|
|
"maximum": 65535
|
|
}
|
|
},
|
|
"required": ["host", "port"]
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"required": ["samplerRatio", "exporters"]
|
|
}
|
|
},
|
|
"required": [
|
|
"mtls",
|
|
"registry",
|
|
"accessControlMode",
|
|
"environment",
|
|
"nginxErrorLogLevel",
|
|
"nginxLogFormat",
|
|
"nginxLBMethod"
|
|
]
|
|
}
|