232 lines
9.6 KiB
YAML
232 lines
9.6 KiB
YAML
# NGINX Service Mesh image registry settings.
|
|
registry:
|
|
# Hostname:port (if needed) for registry and path to images.
|
|
# Affects: nginx-mesh-controller, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
|
|
server: "docker-registry.nginx.com/nsm"
|
|
|
|
# Tag used for pulling images from registry
|
|
# Affects: nginx-mesh-controller, nginx-mesh-cert-reloader, nginx-mesh-init, nginx-mesh-metrics, nginx-mesh-sidecar
|
|
imageTag: "2.0.0"
|
|
|
|
# Note: Currently only works with Google Cloud registry.
|
|
# Contents of your Google Cloud JSON key file. Can be set via "--set-file registry.key=<your-key-file>.json"
|
|
# Cannot be used with username or password.
|
|
key: ""
|
|
|
|
# Username for accessing private registry.
|
|
# Requires password to be set. Cannot be used with key.
|
|
username: ""
|
|
|
|
# Password for accessing private registry.
|
|
# Requires username to be set. Cannot be used with key.
|
|
password: ""
|
|
|
|
# Do not pull third party images from public repositories.
|
|
# If true, registry.server is used for all images.
|
|
disablePublicImages: false
|
|
|
|
# Image pull policy
|
|
# Valid values: Always, IfNotPresent, Never
|
|
imagePullPolicy: "IfNotPresent"
|
|
|
|
# Default access control mode for service-to-service communication.
|
|
# Valid values: allow, deny
|
|
accessControlMode: "allow"
|
|
|
|
# Environment to deploy the mesh into.
|
|
# Valid values: kubernetes, openshift
|
|
environment: "kubernetes"
|
|
|
|
# Enable UDP traffic proxying (beta). Linux kernel 4.18 or greater is required.
|
|
enableUDP: false
|
|
|
|
# NGINX error log level.
|
|
# Valid values: debug, info, notice, warn, error, crit, alert, emerg
|
|
nginxErrorLogLevel: "warn"
|
|
|
|
# NGINX log format.
|
|
# Valid values: default, json
|
|
nginxLogFormat: "default"
|
|
|
|
# NGINX load balancing method.
|
|
# Valid values: [least_conn, least_time, least_time last_byte, least_time last_byte inflight,
|
|
# random, random two, random two least_conn, random two least_time, random two least_time=last_byte, round_robin]
|
|
nginxLBMethod: "least_time"
|
|
|
|
# NGINX client max body size.
|
|
# Setting to "0" disables checking of client request body size.
|
|
clientMaxBodySize: "1m"
|
|
|
|
# The address of a Prometheus server deployed in your Kubernetes cluster.
|
|
# Address should be in the format <service-name>.<namespace>:<service-port>.
|
|
prometheusAddress: ""
|
|
|
|
# NGINX Service Mesh telemetry settings.
|
|
# To enable telemetry, uncomment the following object
|
|
telemetry: {}
|
|
# # The percentage of traces that are processed and exported to the telemetry backend. Float between 0 and 1.
|
|
# samplerRatio: 0.01
|
|
# # The configuration of exporters to send telemetry data to.
|
|
# exporters:
|
|
# # The configuration for an OTLP gRPC exporter.
|
|
# otlp:
|
|
# # The host of the OpenTelemetry gRPC exporter to connect to. Must be accessible from within the cluster.
|
|
# host: ""
|
|
# # The port of the OpenTelemetry gRPC exporter to connect to.
|
|
# port: 4317
|
|
|
|
# Mutual TLS settings. See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls for more info.
|
|
mtls:
|
|
# mTLS mode for pod-to-pod communication.
|
|
# Valid values: off, permissive, strict
|
|
mode: "permissive"
|
|
|
|
# The CA/signing key TTL in hours(h). Min value 24h. Max value 999999h.
|
|
caTTL: "720h"
|
|
|
|
# The TTL of certificates issued to workloads in hours(h) or minutes(m). Max value is 999999.
|
|
svidTTL: "1h"
|
|
|
|
# The trust domain of NGINX Service Mesh.
|
|
trustDomain: "example.org"
|
|
|
|
# Use persistent storage; "on" assumes that a StorageClass exists.
|
|
# Valid values: on, off
|
|
persistentStorage: "on"
|
|
|
|
# Storage logic for SPIRE Server's private keys.
|
|
# Valid values: disk, memory
|
|
spireServerKeyManager: "disk"
|
|
|
|
# The key type used for the SPIRE Server CA.
|
|
# Valid values: ec-p256, ec-p384, rsa-2048, rsa-4096
|
|
caKeyType: "ec-p256"
|
|
|
|
## Upstream authority settings. If left empty, SPIRE is used as the upstream authority.
|
|
## Only uncomment and fill out the object pertinent to you (disk, awsPCA, awsSecret, vault, certManager).
|
|
upstreamAuthority: {}
|
|
|
|
# # Disk object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_disk.md)
|
|
# disk:
|
|
# # Contents of your PEM encoded certificate file. Can be set via "--set-file mtls.upstreamAuthority.disk.cert=<cert-file-path>"
|
|
# cert: ""
|
|
# # Contents of your PEM encoded key file. Can be set via "--set-file mtls.upstreamAuthority.disk.key=<key-file-path>"
|
|
# key: ""
|
|
# # Optional; contents of your CA bundle file. Can be set via "--set-file mtls.upstreamAuthority.disk.bundle=<bundle-file-path>"
|
|
# bundle: ""
|
|
|
|
# # AWS PCA object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_aws_pca.md)
|
|
# awsPCA:
|
|
# # AWS region to use
|
|
# region: ""
|
|
# # ARN of the upstream CA certificate
|
|
# certificateAuthorityArn: ""
|
|
|
|
# ## Optional auth fields
|
|
# ## See https://docs.nginx.com/nginx-service-mesh/guides/secure-traffic-mtls/#deploy-using-an-upstream-root-ca for instructions on configuring auth for aws_pca
|
|
|
|
# # AWS access key ID
|
|
# # This access key ID will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
|
|
# awsAccessKeyID: ""
|
|
# # AWS secret access key
|
|
# # This secret access key will be encoded, stored in a Kubernetes Secret, and mounted to the SPIRE server Pod
|
|
# awsSecretAccessKey: ""
|
|
# # ARN of the signing template to use for the server's CA
|
|
# # ARN of an IAM role to assume
|
|
# # The SPIRE server will need permission to assume this IAM role. Either attach an IAM role to the EC2 instance with the capability to assume this role, or provide your AWS credentials
|
|
# assumeRoleArn: ""
|
|
|
|
# ## Other optional fields
|
|
# caSigningTemplateArn: ""
|
|
# # Signing algorithm to use for the server's CA
|
|
# signingAlgorithm: ""
|
|
# # Endpoint as hostname or fully-qualified URI that overrides the default endpoint
|
|
# endpoint: ""
|
|
# # Contents of a PEM encoded CA certificates file that should be additionally included in the bundle.
|
|
# # Can be set via "--set-file mtls.upstreamAuthority.awsPCA.supplementalBundle=<supplemental-bundle-file-path>"
|
|
# supplementalBundle: ""
|
|
|
|
# # AWS Secret object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
|
|
# awsSecret:
|
|
# # AWS region to use
|
|
# region: ""
|
|
# # ARN of the upstream CA certificate
|
|
# certFileArn: ""
|
|
# # ARN of the upstream CA key file
|
|
# keyFileArn: ""
|
|
|
|
# ## Choose an appropriate auth method
|
|
|
|
# # AWS access key ID. This access key ID will be stored in plaintext in the Spire server configmap.
|
|
# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
|
|
# awsAccessKeyID: ""
|
|
# # AWS secret access key. This secret access key ID will be stored in plaintext in the Spire server configmap.
|
|
# # For other AWS authentication options see: (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_awssecret.md)
|
|
# awsSecretAccessKey: ""
|
|
# # AWS secret token
|
|
# awsSecretToken: ""
|
|
# # ARN of role to assume
|
|
# assumeRoleArn: ""
|
|
|
|
# # Vault object (see https://github.com/spiffe/spire/blob/v0.12/doc/plugin_server_upstreamauthority_vault.md)
|
|
# vault:
|
|
# # URL of the Vault server
|
|
# vaultAddr: ""
|
|
# # Vault namespace
|
|
# namespace: ""
|
|
# # Contents of a PEM encoded CA certificate file to verify the Vault server certificate.
|
|
# # Can be set via "--set-file mtls.upstreamAuthority.vault.caCert=<ca-cert-file-path>"
|
|
# caCert: ""
|
|
# # Name of the mount point where the PKI secret engine is mounted
|
|
# pkiMountPoint: "pki"
|
|
# # If true, vault client accepts any server certificates
|
|
# insecureSkipVerify: false
|
|
|
|
# # Client Certificate Authentication
|
|
# certAuth:
|
|
# # Contents of your client cert file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientCert=<cert-file-path>"
|
|
# clientCert: ""
|
|
# # Contents of your client key file. Can be set via "--set-file mtls.upstreamAuthority.vault.certAuth.clientKey=<key-file-path>"
|
|
# clientKey: ""
|
|
|
|
# ## Optional fields
|
|
|
|
# # Name of the mount point where TLS certificate auth method is mounted
|
|
# certAuthMountPoint: "cert"
|
|
# # Name of the vault role. If given, the plugin authenticates against only the named role. Default to trying all roles.
|
|
# certAuthRoleName: ""
|
|
|
|
# # Token Authentication
|
|
# tokenAuth:
|
|
# # Token string set into "X-Vault-Token" header
|
|
# token: ""
|
|
|
|
# # AppRole Authentication
|
|
# approleAuth:
|
|
# # An identifier of AppRole
|
|
# approleID: ""
|
|
# # A credential of AppRole
|
|
# approleSecretID: ""
|
|
|
|
# # Name of the mount point where the AppRole auth method is mounted
|
|
# approleAuthMountPoint: "approle"
|
|
|
|
# # Cert Manager object (see https://github.com/spiffe/spire/blob/v1.0/doc/plugin_server_upstreamauthority_cert_manager.md)
|
|
# certManager:
|
|
# # The namespace to create CertificateRequests for signing.
|
|
# namespace: ""
|
|
# # The name of the issuer to reference in CertificateRequests.
|
|
# issuerName: ""
|
|
|
|
# ## Optional fields
|
|
|
|
# # The kind of the issuer to reference in CertificateRequests.
|
|
# issuerKind: "Issuer"
|
|
|
|
# # The group of the issuer to reference in CertificateRequests.
|
|
# issuerGroup: "cert-manager.io"
|
|
|
|
# # Contents of the kubeconfig file used to connect to the Kubernetes cluster. Empty file will attempt to use an in-cluster config.
|
|
# # Can be set via "--set-file mtls.upstreamAuthority.certManager.kubeConfig=<kube-config-file-path>".
|
|
# kubeConfig: ""
|