$schema: https://json-schema.org/draft/2020-12/schema
$id: https://github.com/elastisys/compliantkubernetes-apps/raw/main/config/schemas/config.yaml
title: Welkin Apps Config
description: |-
  This describes the structure of the config for both the service and workload clusters.
  Keep in mind that this is evaluated on the merged config, and each config file will contain different properties.
$defs:
  component:
    deprecated: true
    additionalProperties: false
    description: This is meant to describe the base class, if you will, for Welkin resources.
    properties:
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      enabled:
        type: boolean
      nodeSelector:
        $ref: '#/$defs/kubernetesNodeSelector'
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      topologySpreadConstraints:
        $ref: '#/$defs/kubernetesTopologySpreadConstraints'
      extraArgs:
        $ref: '#/$defs/extraArgs'
    required: [] # Shouldn't at least 'enabled' be required?
    title: Common Resource
    type: object

  cpumem:
    deprecated: true
    description: |-
      Use `.$defs.kubernetesQuantity` instead.
    additionalProperties: false
    properties:
      cpu:
        default: 100m
        pattern: ^[1-9][0-9]*m?$
        type:
          - string
          - integer
      memory:
        default: 128Mi
        pattern: ^[0-9]+(\.[0-9]+)?([KMG]i)?$
        type:
          - string
          - integer
    title: CPU and Memory Specifications
    type: object

  extraArgs:
    items:
      type: string
    title: Extra Arguments
    description: |-
      Extra arguments passed to a container
    type: array

  fluentdBuffer:
    title: Fluentd Buffer Config
    description: |-
      Fluentd buffer configuration parameters.

      > [!note]
      > See the [upstream documentation for reference](https://docs.fluentd.org/configuration/buffer-section#parameters). Keys that are set will be converted from `camelCase` to `snake_case`.
    additionalProperties:
      title: Additional Properties
      description: |-
        Additional properties
      $comment: Assuming that these are never structures, only scalars
      not:
        title: Invalid Additional Properties Types
        description: |-
          Invalid additional properties types
        type:
          - object
          - array
      type:
        - string
        - integer
        - boolean
    type: object
    properties:
      timekey:
        title: Time Key
        description: |-
          The output plugin will flush chunks per the specified time (enabled when time is specified in chunk keys).

          [Common/Time parameters](https://docs.fluentd.org/configuration/buffer-section#argument)
        examples:
          - 10m
        type: string
      timekeyUseUtc:
        title: Timekey Use UTC
        description: |-
          Whether the output plugin uses UTC when formatting placeholders using timekey.

          [Common/Time parameters](https://docs.fluentd.org/configuration/buffer-section#argument)
        type: boolean
      timekeyWait:
        title: Timekey Wait
        description: |-
          The output plugin writes chunks `timekeyWait` seconds after timekey expiration.
          If a user configures timekey 60m, the output plugin will wait for delayed events for the flushed timekey and write the chunk at 10 minutes past each hour.

          [Common/Time parameters](https://docs.fluentd.org/configuration/buffer-section#argument)
        examples:
          - 1m
        type: string
      chunkLimitSize:
        title: Chunk Limit Size
        description: |-
          Events will be written into chunks until the size of a chunk becomes `chunkLimitSize`.

          [Buffering parameters](https://docs.fluentd.org/configuration/buffer-section#buffering-parameters)
        examples:
          - 50MB
        type: string
      totalLimitSize:
        title: Total Limit Size
        description: |-
          The size limitation of this buffer plugin instance. Once the total size of the stored buffer has reached this threshold, all append operations will fail with an error (and data will be lost).

          [Buffering parameters](https://docs.fluentd.org/configuration/buffer-section#buffering-parameters)
        examples:
          - 9GB
        type: string
      flushInterval:
        title: Flush Interval
        description: |-
          Flushes the buffer every `flushInterval`, if `flushMode` is equal to `interval`.

          [Flushing parameters](https://docs.fluentd.org/configuration/buffer-section#flushing-parameters)
        examples:
          - 15m
        type: string
      flushMode:
        title: Flush Mode
        description: |-
          The flush mode to use.

          [Flushing parameters](https://docs.fluentd.org/configuration/buffer-section#flushing-parameters)
        enum:
          - lazy
          - interval
          - immediate
        meta:enum:
          lazy: Flushes/writes chunks once per timekey
          interval: Flushes/writes chunks per the time specified via flushInterval
          immediate: Flushes/writes chunks immediately after events are appended into chunks
        type: string
      flushThreadBurstInterval:
        title: Flush Thread Burst Interval
        description: |-
          The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.

          [Flushing parameters](https://docs.fluentd.org/configuration/buffer-section#flushing-parameters)
        type: number
      flushThreadCount:
        title: Flush Thread Count
        description: |-
          The number of threads to flush/write chunks in parallel.

          [Flushing parameters](https://docs.fluentd.org/configuration/buffer-section#flushing-parameters)
        type: integer
      retryForever:
        title: Retry Forever
        description: |-
          If true, the plugin will ignore the `retryTimeout` and `retryMaxTimes` options and retry flushing forever.

          [Retries parameters](https://docs.fluentd.org/configuration/buffer-section#retries-parameters)
        type: boolean
      retryType:
        title: Retry Type
        description: |-
          The retry algorithm type to use.

          [Retries parameters](https://docs.fluentd.org/configuration/buffer-section#retries-parameters)
        enum:
          - exponential_backoff
          - periodic
        meta:enum:
          exponential_backoff: Increase the wait time, in seconds, exponentially per failure
          periodic: The output plugin will retry periodically with fixed intervals (configured via retryWait)
        type: string
      retryMaxInterval:
        title: Retry Max Interval
        description: |-
          The maximum interval (seconds) for exponential backoff between retries while failing.

          [Retries parameters](https://docs.fluentd.org/configuration/buffer-section#retries-parameters)
        type: integer

  goDuration:
    title: Duration String
    description: |-
      A duration string is a possibly signed sequence of decimal numbers, each with an optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
    examples:
      - 2h45m0s
    # The sign is allowed once, at the start; the decimal point is escaped so it matches only a literal dot.
    pattern: ^[-+]?([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
    type: string

  iplist:
    title: List Of IP Netmasks
    description: |-
      List of IP netmasks
    items:
      type: string
      pattern: ^[0-9a-f.:]{2,45}/[0-9]{1,3}$
      description: An IP address with netmask
      examples:
        - 0.0.0.0/0
        - 192.0.2.1/24
        - 2001:db8:0:1234::/64
    type: array

  netpolRule:
    title: IP And Port List
    description: |-
      Network policy rule

      [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
    additionalProperties: false
    properties:
      enabled:
        type: boolean
      ips:
        $ref: '#/$defs/iplist'
      ports:
        $ref: '#/$defs/portlist'
    type: object

  kubernetesNodeSelector:
    title: Kubernetes Node Selector
    description: |-
      Kubernetes node selector

      [Kubernetes assign pod node](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
    additionalProperties:
      type: string
    examples:
      - kubernetes.io/os: linux
    type: object

  percentage:
    description: Percentage, 0% - 100%
    maximum: 100
    minimum: 0
    title: Percentage
    type: number

  port:
    maximum: 65535
    minimum: 1
    type: integer

  portlist:
    title: Port Number List
    description: |-
      A list of port numbers, each a 16 bit unsigned integer
    items:
      $ref: '#/$defs/port'
    type: array

  kubernetesResourceRequirements:
    title: Kubernetes Resource Requirements
    description: |-
      Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
      Limits are enforced.
      Resources are commonly 'cpu' and 'memory'.
    additionalProperties: false
    properties:
      requests:
        $ref: '#/$defs/kubernetesQuantityMap'
      limits:
        $ref: '#/$defs/kubernetesQuantityMap'
    type: object
    examples:
      - requests:
          memory: 128Mi
          cpu: 100m
        limits:
          memory: 256Mi
          cpu: 250m

  timeRange:
    title: Time Range
    description: |-
      An amount of time
    examples:
      - 300s
      - 72h
      - 3d
    # Exactly one unit suffix is allowed.
    pattern: ^[0-9]+[hmsd]$
    type: string

  kubernetesTolerations:
    title: Kubernetes Tolerations
    description: |-
      Kubernetes Tolerations

      [Kubernetes taint and toleration](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)
    items:
      allOf:
        - $ref: '#/$defs/io.k8s.api.core.v1.Toleration'
      default: {}
    type: array

  kubernetesTopologySpreadConstraints:
    title: Kubernetes Topology Spread Constraints
    description: |-
      TopologySpreadConstraints describes how pods should spread across topology domains.
    items:
      allOf:
        - $ref: '#/$defs/io.k8s.api.core.v1.TopologySpreadConstraint'
      default: {}
    type: array

  kubernetesQuantityMap:
    title: Kubernetes Quantity Map
    description: ""
    type: object
    additionalProperties:
      $ref: '#/$defs/kubernetesQuantity'

  kubernetesQuantity:
    title: Kubernetes Quantity
    type:
      - string
      - number
    # 'pattern' is the JSON Schema keyword; 'regex' is not recognised by validators.
    pattern: ^[-+]?[0-9]+([KMGTPE]i|[eE][0-9]+|[mkMGTPE])?$
    description: |-
      Used for CPU shares, memory and storage size etc. See

  kubernetesPersistentVolumeClaim:
    title: Kubernetes Persistent Volume Claim
    description: |-
      PersistentVolumeClaim
    additionalProperties: false
    properties:
      size:
        default: 1Gi
        type: string
    type: object

  io.k8s.api.core.v1.Affinity:
    title: Affinity
    description: |-
      Affinity is a group of affinity scheduling rules.
    properties:
      nodeAffinity:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.NodeAffinity'
        description: Describes node affinity scheduling rules for the pod.
      podAffinity:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.PodAffinity'
        description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
      podAntiAffinity:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.PodAntiAffinity'
        description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
    type: object

  containerImage:
    title: URI for a container image
    type: string
    examples:
      - registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

  io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement:
    title: Label Selector Requirement
    description: |-
      A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
    properties:
      key:
        default: ""
        description: key is the label key that the selector applies to.
        type: string
      operator:
        default: ""
        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
        type: string
      values:
        title: Values
        description: |-
          values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
    required:
      - key
      - operator
    type: object

  io.k8s.api.core.v1.NodeAffinity:
    title: NodeAffinity
    description: |-
      Node affinity is a group of node affinity scheduling rules.
    properties:
      preferredDuringSchedulingIgnoredDuringExecution:
        title: Preferred During Scheduling Ignored During Execution
        description: |-
          The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.PreferredSchedulingTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
      requiredDuringSchedulingIgnoredDuringExecution:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.NodeSelector'
        description: |-
          If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.PodAffinity:
    title: PodAffinity
    description: |-
      Pod affinity is a group of inter pod affinity scheduling rules.
    properties:
      preferredDuringSchedulingIgnoredDuringExecution:
        title: Preferred During Scheduling Ignored During Execution
        description: |-
          The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.WeightedPodAffinityTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
      requiredDuringSchedulingIgnoredDuringExecution:
        title: Required During Scheduling Ignored During Execution
        description: |-
          If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.PodAffinityTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.PodAntiAffinity:
    title: PodAntiAffinity
    description: |-
      Pod anti affinity is a group of inter pod anti affinity scheduling rules.
    properties:
      preferredDuringSchedulingIgnoredDuringExecution:
        title: Preferred During Scheduling Ignored During Execution
        description: |-
          The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which match the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.WeightedPodAffinityTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
      requiredDuringSchedulingIgnoredDuringExecution:
        title: Required During Scheduling Ignored During Execution
        description: |-
          If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.PodAffinityTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.PreferredSchedulingTerm:
    title: PreferredSchedulingTerm
    description: |-
      An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
    properties:
      preference:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.NodeSelectorTerm'
        default: {}
        description: A node selector term, associated with the corresponding weight.
      weight:
        default: 0
        description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.
        format: int32
        type: integer
    required:
      - weight
      - preference
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.NodeSelector:
    title: NodeSelector
    description: |-
      A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.
    properties:
      nodeSelectorTerms:
        title: Node Selector Terms
        description: Required. A list of node selector terms. The terms are ORed.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.NodeSelectorTerm'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
    required:
      - nodeSelectorTerms
    type: object
    x-kubernetes-map-type: atomic
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.WeightedPodAffinityTerm:
    title: WeightedPodAffinityTerm
    description: |-
      The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
    properties:
      podAffinityTerm:
        allOf:
          - $ref: '#/$defs/io.k8s.api.core.v1.PodAffinityTerm'
        default: {}
        description: Required. A pod affinity term, associated with the corresponding weight.
      weight:
        default: 0
        description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100.
        format: int32
        type: integer
    required:
      - weight
      - podAffinityTerm
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.PodAffinityTerm:
    title: PodAffinityTerm
    description: |-
      Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key <topologyKey> matches that of any node on which a pod of the set of pods is running
    properties:
      labelSelector:
        allOf:
          - $ref: '#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector'
        description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.
      matchLabelKeys:
        title: Match Label Keys
        description: |-
          MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
      mismatchLabelKeys:
        title: Mismatch Label Keys
        description: |-
          MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling the MatchLabelKeysInPodAffinity feature gate.
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
      namespaceSelector:
        allOf:
          - $ref: '#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector'
        description: |-
          A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.
      namespaces:
        title: Namespaces
        description: |-
          namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
      topologyKey:
        default: ""
        description: |-
          This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.
        type: string
    required:
      - topologyKey
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector:
    title: LabelSelector
    description: |-
      A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
    properties:
      matchExpressions:
        title: Match Expressions
        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
      matchLabels:
        additionalProperties:
          default: ""
          type: string
        description: |-
          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
        type: object
    type: object
    x-kubernetes-map-type: atomic
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.NodeSelectorTerm:
    title: NodeSelectorTerm
    description: |-
      A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
    properties:
      matchExpressions:
        title: Match Expressions
        description: A list of node selector requirements by node's labels.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.NodeSelectorRequirement'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
      matchFields:
        title: Match Fields
        description: A list of node selector requirements by node's fields.
        items:
          allOf:
            - $ref: '#/$defs/io.k8s.api.core.v1.NodeSelectorRequirement'
          default: {}
        type: array
        x-kubernetes-list-type: atomic
    type: object
    x-kubernetes-map-type: atomic

  io.k8s.api.core.v1.NodeSelectorRequirement:
    title: NodeSelectorRequirement
    description: |-
      A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
    properties:
      key:
        default: ""
        description: The label key that the selector applies to.
        type: string
      operator:
        default: ""
        description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist, Gt, and Lt.
        type: string
      values:
        title: Values
        description: |-
          An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
    required:
      - key
      - operator
    type: object
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.EnvVar:
    title: Environment Variable
    description: EnvVar represents an environment variable present in a Container.
    type: object
    properties:
      name:
        title: Environment Variable Name
        description: |-
          Name of the environment variable. Must be a C_IDENTIFIER.
        type: string
      value:
        title: Environment Variable Value
        description: |-
          Variable references `$(VAR_NAME)` are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double `$$` are reduced to a single `$`, which allows for escaping the `$(VAR_NAME)` syntax: i.e. `$$(VAR_NAME)` will produce the string literal `$(VAR_NAME)`. Escaped references will never be expanded, regardless of whether the variable exists or not.
        type: string
      valueFrom:
        $ref: '#/$defs/io.k8s.api.core.v1.EnvVarSource'
    required:
      - name
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.EnvVarSource:
    title: Environment Variable Source
    description: Environment Variable Source represents a source for the value of an Environment Variable.
    type: object
    properties:
      # These definitions live under '#/$defs' in this file, not under the OpenAPI-style
      # '#/components/schemas' path, so the references point there.
      configMapKeyRef:
        $ref: '#/$defs/io.k8s.api.core.v1.ConfigMapKeySelector'
      fieldRef:
        $ref: '#/$defs/io.k8s.api.core.v1.ObjectFieldSelector'
      resourceFieldRef:
        $ref: '#/$defs/io.k8s.api.core.v1.ResourceFieldSelector'
      secretKeyRef:
        $ref: '#/$defs/io.k8s.api.core.v1.SecretKeySelector'
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.ConfigMapKeySelector:
    title: Config Map Key Selector
    description: Selects a key from a ConfigMap.
    type: object
    properties:
      key:
        title: Config Map Key
        description: The key to select.
        type: string
        default: ""
      name:
        title: Config Map Name
        type: string
        description: |-
          Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.
          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
        default: ""
      optional:
        title: Config Map Optional
        description: Specify whether the ConfigMap or its key must be defined.
        type: boolean
    required:
      - key
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.ObjectFieldSelector:
    title: Object Field Selector
    description: ObjectFieldSelector selects an APIVersioned field of an object.
    properties:
      apiVersion:
        title: API Version
        description: Version of the schema the FieldPath is written in terms of, defaults to `v1`.
        type: string
      fieldPath:
        title: Field Path
        default: ""
        description: Path of the field to select in the specified API version.
        type: string
    required:
      - fieldPath
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.ResourceFieldSelector:
    title: Resource Field Selector
    description: ResourceFieldSelector represents container resources (cpu, memory) and their output format.
    type: object
    properties:
      containerName:
        title: Container Name
        description: Container name, required for volumes, optional for env vars
        type: string
      divisor:
        title: Divisor
        description: Specifies the output format of the exposed resources, defaults to `1`.
        # The definition is named 'kubernetesQuantity' (lower-case k); JSON pointers are case-sensitive.
        $ref: '#/$defs/kubernetesQuantity'
      resource:
        title: Resource
        description: Required, resource to select.
        type: string
        default: ""
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.SecretKeySelector:
    title: Secret Key Selector
    description: SecretKeySelector selects a key of a Secret.
    type: object
    properties:
      key:
        description: |-
          The key of the secret to select from. Must be a valid secret key.
        type: string
        default: ""
      name:
        description: |-
          Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.
          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
        type: string
        default: ""
      optional:
        description: Specify whether the Secret or its key must be defined
        type: boolean
    required:
      - key
    $comment: Imported from Kubernetes project

  io.k8s.api.core.v1.TopologySpreadConstraint:
    title: Topology Spread Constraint
    description: TopologySpreadConstraint specifies how to spread matching pods among the given topology.
    properties:
      labelSelector:
        allOf:
          - $ref: '#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector'
        description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.
      matchLabelKeys:
        title: Match Label Keys
        description: |-
          MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector. This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).
        items:
          default: ""
          type: string
        type: array
        x-kubernetes-list-type: atomic
      maxSkew:
        default: 0
        description: |-
          MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1.

          | zone1 | zone2 | zone3 |
          |  P P  |  P P  |   P   |

          - if MaxSkew is 1, the incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1).
          - if MaxSkew is 2, the incoming pod can be scheduled onto any zone.

          When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.
        format: int32
        type: integer
      minDomains:
        description: |-
          MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or is greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, the scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

          For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2:

          | zone1 | zone2 | zone3 |
          |  P P  |  P P  |  P P  |

          The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, a new pod with the same labelSelector cannot be scheduled, because the computed skew will be 3(3 - 0) if the new Pod is scheduled to any of the three zones, and it will violate MaxSkew.
        format: int32
        type: integer
      nodeAffinityPolicy:
        description: |-
          NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are:
          - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations.
          - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

          If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature enabled by default by the NodeInclusionPolicyInPodTopologySpread feature flag.
        type: string
      nodeTaintsPolicy:
        description: |-
          NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are:
          - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included.
          - Ignore: node taints are ignored. All nodes are included.

          If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature enabled by default by the NodeInclusionPolicyInPodTopologySpread feature flag.
        type: string
      topologyKey:
        default: ""
        description: |-
          TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put a balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.
        type: string
      whenUnsatisfiable:
        default: ""
        description: |-
          WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint.
          - DoNotSchedule (default) tells the scheduler not to schedule it.
          - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew.

          A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1:

          | zone1 | zone2 | zone3 |
          | P P P |   P   |   P   |

          If WhenUnsatisfiable is set to DoNotSchedule, the incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but the scheduler won't make it *more* imbalanced.
It's a required field. type: string required: - maxSkew - topologyKey - whenUnsatisfiable type: object io.k8s.api.core.v1.Toleration: title: Toleration description: The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>. properties: effect: description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. type: string key: description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. type: string operator: description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. type: string tolerationSeconds: description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. type: string type: object io.k8s.api.rbac.v1.Subject: title: Subject description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. properties: apiGroup: title: API Group description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
type: string kind: title: Kind description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognize the kind value, the Authorizer should report an error. type: string enum: - Group - ServiceAccount - User name: title: Name description: Name of the object being referenced. type: string namespace: title: Namespace description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: - kind - name type: object io.k8s.api.rbac.v1.PolicyRule: title: PolicyRule description: PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to. properties: apiGroups: title: APIGroups description: APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. items: type: string type: array nonResourceURLs: title: NonResourceURLs description: NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. items: type: string type: array resourceNames: title: ResourceNames description: ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed. items: type: string type: array resources: title: Resources description: Resources is a list of resources this rule applies to. ResourceAll represents all resources.
items: type: string type: array verbs: title: Verbs description: Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. VerbAll represents all kinds. items: type: string type: array required: - verbs type: object cronSchedule: type: string pattern: ^(((\*\/)?([0-5]?[0-9])((\,|\-|\/)([0-5]?[0-9]))*|\*)[^\S\r\n]+((\*\/)?((2[0-3]|1[0-9]|[0-9]|00))((\,|\-|\/)(2[0-3]|1[0-9]|[0-9]|00))*|\*)[^\S\r\n]+((\*\/)?([1-9]|[12][0-9]|3[01])((\,|\-|\/)([1-9]|[12][0-9]|3[01]))*|\*)[^\S\r\n]+((\*\/)?([1-9]|1[0-2])((\,|\-|\/)([1-9]|1[0-2]))*|\*|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec))[^\S\r\n]+((\*\/)?[0-6]((\,|\-|\/)[0-6])*|\*|00|(sun|mon|tue|wed|thu|fri|sat)))$|^@(annually|yearly|monthly|weekly|daily|hourly|reboot)$ scrapeTimeout: type: string pattern: ^((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)$ type: object required: - global allOf: - if: properties: trivy: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: global: properties: trivy: properties: ips: $ref: '#/$defs/iplist' - if: properties: kured: properties: enabled: type: boolean const: true notification: properties: slack: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: kured: properties: notificationSlack: properties: ips: $ref: '#/$defs/iplist' - if: properties: falco: properties: enabled: type: boolean const: true networkPolicies: properties: falco: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: falco: properties: plugins: properties: ips: $ref: '#/$defs/iplist' - if: properties: externalDns: properties: enabled: type: boolean const: true networkPolicies: properties: externalDns: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: externalDns: properties: ips: $ref: '#/$defs/iplist' - if: properties: harbor: properties: persistence: 
properties: type: type: string const: swift thanos: properties: objectStorage: properties: type: type: string const: swift then: properties: networkPolicies: properties: global: properties: objectStorageSwift: properties: ips: $ref: '#/$defs/iplist' - if: properties: harbor: properties: enabled: type: boolean const: true networkPolicies: properties: harbor: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: harbor: properties: registries: properties: ips: $ref: '#/$defs/iplist' jobservice: properties: ips: $ref: '#/$defs/iplist' trivy: properties: ips: $ref: '#/$defs/iplist' - if: properties: objectStorage: properties: sync: properties: enabled: type: boolean const: true type: type: string const: s3 then: properties: networkPolicies: properties: rclone: properties: sync: properties: objectStorage: properties: ips: $ref: '#/$defs/iplist' - if: properties: objectStorage: properties: sync: properties: enabled: type: boolean const: true anyOf: - properties: harbor: properties: persistence: properties: type: type: string const: swift objectStorage: properties: sync: properties: buckets: if: contains: properties: source: pattern: '.*harbor.*' then: contains: properties: source: pattern: '.*harbor.*' destinationType: const: "swift" - properties: thanos: properties: objectStorage: properties: type: type: string const: swift objectStorage: properties: sync: properties: buckets: if: contains: properties: source: pattern: '.*thanos.*' then: contains: properties: source: pattern: '.*thanos.*' destinationType: const: "swift" - properties: objectStorage: properties: sync: properties: buckets: contains: required: - destinationType properties: destinationType: const: "swift" then: properties: networkPolicies: properties: rclone: properties: sync: properties: objectStorageSwift: properties: ips: $ref: '#/$defs/iplist' - if: properties: objectStorage: properties: sync: properties: secondaryUrl: type: string format: uri not: properties: 
objectStorage: properties: sync: properties: secondaryUrl: const: "" then: properties: networkPolicies: properties: rclone: properties: sync: properties: secondaryUrl: properties: ips: $ref: '#/$defs/iplist' - if: properties: networkPolicies: properties: ingressNginx: properties: ingressOverride: properties: enabled: type: boolean const: true then: properties: networkPolicies: properties: ingressNginx: properties: ingressOverride: properties: ips: title: Network Policies Ingress Override IPs $ref: '#/$defs/iplist' - if: allOf: - properties: harbor: properties: persistence: properties: type: const: objectStorage objectStorage: properties: type: const: azure - anyOf: - properties: objectStorage: properties: sync: properties: enabled: const: true - properties: objectStorage: properties: restore: properties: enabled: const: true addTargetsFromSync: const: true then: properties: objectStorage: properties: sync: properties: syncDefaultBuckets: const: false - if: properties: networkPolicies: properties: kyverno: properties: enabled: const: true kyverno: properties: enabled: const: true then: properties: networkPolicies: properties: kyverno: properties: imageRegistry: properties: ips: title: NetworkPolicies Kyverno Image Registry IPs $ref: '#/$defs/iplist' ports: title: NetworkPolicies Kyverno Image Registry Ports $ref: '#/$defs/portlist' properties: global: title: Global options description: Some common options used in various helm charts. type: object required: - ck8sVersion - ck8sCloudProvider - ck8sEnvironmentName - ck8sFlavor - ck8sK8sInstaller - baseDomain - opsDomain properties: ck8sVersion: title: Welkin Apps version description: |- Use version number if you are exactly at a release tag. Otherwise use full commit hash of current commit. `any`, can be used to disable this validation. 
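The root-level `allOf` above is a chain of `if`/`then` rules: when a component is enabled (Trivy, Falco, Harbor, Kyverno, ...) the matching `networkPolicies...ips` entry is validated as `#/$defs/iplist`, so the egress allow-list for that component has to be declared. The following is an added example, not code from compliantkubernetes-apps, that transcribes a subset of those rules (the rclone/Swift bucket rules are left out) and runs them over a constructed merged config. It assumes that `iplist` entries are IPs or CIDRs and `portlist` entries are port numbers (neither def is shown in this section), and it deliberately goes one step further than the schema: JSON Schema's `properties` keyword never requires a key to exist, neither in the `if` nor in the `then`, so a missing `ips` list passes validation and an absent component key counts as a match. `get`, `is_`, `RULES`, `check` and `SAMPLE` are names chosen here.

```python
"""Added example, not code from compliantkubernetes-apps. It evaluates a subset of
the root-level `allOf` if/then rules against a merged config and reports which
`networkPolicies` egress allow-lists the enabled components need."""
import ipaddress
from typing import Any, Callable


def get(cfg: dict, path: str, default: Any = None) -> Any:
    """Dotted-path lookup that returns `default` when any segment is missing."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def is_(path: str, value: Any) -> Callable[[dict], bool]:
    """Mirror JSON Schema `properties` + `const`: an absent key does not
    contradict the condition, so a missing path counts as a match."""
    return lambda cfg: get(cfg, path, value) == value


def all_(*conds: Callable[[dict], bool]) -> Callable[[dict], bool]:
    return lambda cfg: all(c(cfg) for c in conds)


# (condition, paths the `then` branch validates as iplist/portlist), transcribed
# from the schema's allOf. The swift/rclone bucket rules are omitted.
RULES = [
    (is_("trivy.enabled", True), ["networkPolicies.global.trivy.ips"]),
    (all_(is_("kured.enabled", True), is_("kured.notification.slack.enabled", True)),
     ["networkPolicies.kured.notificationSlack.ips"]),
    (all_(is_("falco.enabled", True), is_("networkPolicies.falco.enabled", True)),
     ["networkPolicies.falco.plugins.ips"]),
    (all_(is_("externalDns.enabled", True), is_("networkPolicies.externalDns.enabled", True)),
     ["networkPolicies.externalDns.ips"]),
    (all_(is_("harbor.persistence.type", "swift"), is_("thanos.objectStorage.type", "swift")),
     ["networkPolicies.global.objectStorageSwift.ips"]),
    (all_(is_("harbor.enabled", True), is_("networkPolicies.harbor.enabled", True)),
     ["networkPolicies.harbor.registries.ips", "networkPolicies.harbor.jobservice.ips",
      "networkPolicies.harbor.trivy.ips"]),
    (all_(is_("objectStorage.sync.enabled", True), is_("objectStorage.type", "s3")),
     ["networkPolicies.rclone.sync.objectStorage.ips"]),
    (is_("networkPolicies.ingressNginx.ingressOverride.enabled", True),
     ["networkPolicies.ingressNginx.ingressOverride.ips"]),
    (all_(is_("networkPolicies.kyverno.enabled", True), is_("kyverno.enabled", True)),
     ["networkPolicies.kyverno.imageRegistry.ips", "networkPolicies.kyverno.imageRegistry.ports"]),
]


def required_paths(cfg: dict) -> list[str]:
    """Allow-list paths whose `then` branch applies to this config."""
    out: list[str] = []
    for cond, paths in RULES:
        if cond(cfg):
            out.extend(p for p in paths if p not in out)
    return out


def check(cfg: dict) -> dict[str, str]:
    """Map each applicable path to a problem; empty dict means all fine.
    ASSUMPTION: iplist holds IPs/CIDRs, portlist holds port numbers. Reporting a
    missing list is this check's choice; the schema's `then` uses `properties`,
    which never requires the key to exist."""
    problems: dict[str, str] = {}
    for path in required_paths(cfg):
        value = get(cfg, path)
        if not isinstance(value, list):
            problems[path] = "missing"
            continue
        if path.endswith(".ports"):
            bad = [p for p in value if not (isinstance(p, int) and 0 < p < 65536)]
        else:
            bad = []
            for entry in value:
                try:
                    ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    bad.append(entry)
        if bad:
            problems[path] = f"invalid entries: {bad}"
    return problems


# Constructed sample of a merged config; not taken from any real environment.
SAMPLE = {
    "trivy": {"enabled": True},
    "kured": {"enabled": True, "notification": {"slack": {"enabled": False}}},
    "falco": {"enabled": True},
    "externalDns": {"enabled": False},
    "harbor": {"enabled": True, "persistence": {"type": "objectStorage"}},
    "thanos": {"objectStorage": {"type": "s3"}},
    "kyverno": {"enabled": False},
    "objectStorage": {"type": "s3", "sync": {"enabled": False}},
    "networkPolicies": {
        "global": {"trivy": {"ips": ["10.0.0.0/8", "not-an-ip"]}},
        "falco": {"enabled": True},  # plugins.ips deliberately left out
        "externalDns": {"enabled": True},
        "harbor": {"enabled": False},
        "ingressNginx": {"ingressOverride": {"enabled": False}},
        "kyverno": {"enabled": True},
    },
}

if __name__ == "__main__":
    for path, problem in check(SAMPLE).items():
        print(f"{path}: {problem}")
```

Running `required_paths({})` returns every rule's paths, because with no keys present every `if` is vacuously satisfied; that is how the real schema behaves too, which is why a conditional like these should be paired with `required` on the `then` side when presence matters.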
type: string examples: - v0.42.1 - any - 424442541a567646c232d949bad1af2b5b7cb885 ck8sCloudProvider: type: string enum: - aws - azure - baremetal - citycloud - elastx - exoscale - none - safespring - upcloud - openstack ck8sEnvironmentName: title: Environment name type: string examples: - my-welkin-cluster ck8sFlavor: type: string enum: - prod - dev - air-gapped ck8sK8sInstaller: type: string enum: - capi - kubespray - none baseDomain: title: Base Domain description: |- Domain intended for ingress usage in the workload cluster and to reach application developer facing services such as Grafana, Harbor and OpenSearch Dashboards. E.g. with 'prod.domain.com', OpenSearch Dashboards is reached via 'opensearch.prod.domain.com'. type: string format: hostname opsDomain: description: |- Domain intended for ingress usage in the service cluster and to reach non-user facing services such as Thanos and OpenSearch. E.g. with 'ops.prod.domain.com', OpenSearch is reached via 'opensearch.ops.prod.domain.com'. type: string format: hostname scDomain: description: If baseDomain for wc and sc are not the same, set the domain of the sc cluster. type: string oneOf: # Templates do not handle missing values so they must be empty strings to disable. Future FIXME? - const: "" - format: hostname scOpsDomain: description: If opsDomain for wc and sc are not the same, set the ops domain of the sc cluster. type: string oneOf: - const: "" - format: hostname issuer: description: |- Default cert-manager issuer to use for issuing certificates for ingresses. Normally one of `letsencrypt-staging` or `letsencrypt-prod`. 
type: string default: letsencrypt-staging examples: - letsencrypt-staging - letsencrypt-prod - selfsigned verifyTls: description: Verify ingress certificates type: boolean default: true clusterDns: description: IP of the cluster DNS in kubernetes type: string default: 10.233.0.3 format: ip-address clusterName: type: string clustersMonitoring: title: Clusters Monitoring description: |- Configure the names of the workload clusters that send metrics to the service cluster. Mainly used to filter metrics. type: array items: type: string pattern: -[sw]c$ containerRuntime: title: Container runtime default: containerd type: string enum: - containerd - docker ck8sConfigSerial: title: Timestamp of last migration description: |- This property is used during migrations to track state and ensure that the same version is used during `ck8s upgrade prepare` as during `ck8s upgrade apply`. type: string examples: - "2025-04-29T08:34:21+00:00" enforceIPFamilyPolicy: title: Enforce ipFamilyPolicy on all services that don't explicitly set it. description: |- Enforce ipFamilyPolicy on all services that don't explicitly set it. This is done using a mutating webhook that patches every service that doesn't set it. The value it sets is taken from `.global.ipFamilyPolicy` type: boolean default: false enforceIPFamilies: title: Enforce ipFamilies on all services that don't explicitly set it. description: |- Enforce ipFamilies on all services that don't explicitly set it. This is done using a mutating webhook that patches every service that doesn't set it. The value it sets is taken from `.global.ipFamilies` type: boolean default: false ipFamilyPolicy: title: Global setting for ipFamilyPolicy for services description: |- Used to set the ipFamilyPolicy for all configurable services. type: string enum: - SingleStack - PreferDualStack - RequireDualStack meta:enum: SingleStack: Single-stack service.
The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. PreferDualStack: Allocates both IPv4 and IPv6 cluster IPs for the Service when dual-stack is enabled. If dual-stack is not enabled or supported, it falls back to single-stack behavior. RequireDualStack: Allocates Service `.spec.clusterIPs` from both IPv4 and IPv6 address ranges when dual-stack is enabled. If dual-stack is not enabled or supported, the Service API object creation fails. default: "SingleStack" examples: - SingleStack - PreferDualStack - RequireDualStack ipFamilies: title: Global setting for ipFamilies for services description: |- Used to set the ipFamilies for all configurable services. items: type: string enum: - "IPv4" - "IPv6" type: array uniqueItems: true default: ["IPv4"] additionalProperties: false clusterApi: additionalProperties: false title: ClusterAPI Config description: |- Set `enabled` to true if Kubernetes is installed with Cluster API. type: object properties: clusters: title: "Clusters" description: |- List of clusters to monitor. Used when monitoring clusters for autoscaling. items: type: string type: array enabled: title: ClusterAPI Enabled default: false type: boolean monitoring: title: ClusterAPI Monitoring description: |- Enable autoscaling monitoring of cluster API clusters. additionalProperties: false properties: enabled: title: ClusterAPI Autoscaling Monitoring Enabled default: false type: boolean type: object user: additionalProperties: false title: User Config description: |- Configuration for Application Developers (users) that use the workload cluster. type: object properties: adminGroups: title: Admin Groups description: |- List of groups that Application Developers are a part of that should have access to the cluster. items: examples: - admins type: string type: array adminUsers: title: Admin Users description: |- List of Application Developers that should have access to the cluster.
items: examples: - admin@example.com type: string type: array constraints: title: Constraints description: |- Any namespace listed in constraints is exempted from HNC managed namespaces. This is used to override the Pod Security Admission level of that namespace. An example constraint can be found here: [`Example Constraint`](https://github.com/elastisys/compliantkubernetes-apps/blob/main/helmfile.d/charts/gatekeeper/podsecuritypolicies/values.yaml) The only extra label, `psaLevel: <level>`, is shown in the following example, where `<namespace>`, `<level>` and `<service>` are placeholders: ``` <namespace>: psaLevel: <level> <service>: ... ``` additionalProperties: title: Namespace Constraints description: |- Constraints for one namespace, keyed by namespace name. additionalProperties: title: Service Constraints description: |- Constraints for one service in the namespace, keyed by service name. properties: {} type: object properties: psaLevel: title: Pod Security Admission level on the namespace type: string propertyNames: title: Service name type: string type: object properties: {} propertyNames: title: Namespace type: string type: object createNamespaces: title: Enable Create Namespaces description: |- This only controls if the namespaces should be created, user RBAC is always created. type: boolean namespaces: title: Namespaces description: |- List of namespaces that should be created for Application Developers. It is common to create one namespace for the Application Developer and then create namespaces via HNC. Requires that `user.createNamespaces` is enabled. items: examples: - production - staging type: string type: array serviceAccounts: title: ServiceAccounts description: |- List of serviceAccounts to create RBAC rules for, used for dev situations. [Application developer kube-config for contributors](https://github.com/elastisys/compliantkubernetes-apps/blob/main/docs/application-developer-dev-kubeconfig.md) items: type: string type: array sealedSecrets: title: SealedSecrets description: |- Installs required cluster resources needed to install sealedSecrets. Requires that `gatekeeper.allowUserCRDs.enabled` is enabled.
type: object properties: enabled: title: Enable SealedSecrets type: boolean additionalProperties: false mongodb: title: MongoDB description: |- Installs required cluster resources needed to install MongoDB. Requires that `gatekeeper.allowUserCRDs.enabled` is enabled. type: object properties: enabled: title: Enable MongoDB type: boolean additionalProperties: false fluxv2: title: Fluxv2 description: |- Installs required cluster resources needed to install fluxv2. Requires that `gatekeeper.allowUserCRDs.enabled` is enabled. type: object properties: enabled: title: Enable Fluxv2 type: boolean additionalProperties: false kafka: title: Kafka description: |- Installs required cluster resources needed to install kafka-operator. Requires that `gatekeeper.allowUserCRDs.enabled` is enabled. type: object properties: enabled: title: Enable Kafka type: boolean additionalProperties: false extraRoles: title: Extra Application Developer Roles description: | Configure extra Roles for Application Developers The Roles are added to all Application Developer namespaces configured in user.namespaces type: object properties: {} additionalProperties: properties: rules: title: PolicyRules for this Role description: | PolicyRules for this Role Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-v1/ items: $ref: '#/$defs/io.k8s.api.rbac.v1.PolicyRule' type: array default: [] additionalProperties: false extraRoleBindings: title: Extra Application Developer RoleBindings description: | Configure extra RoleBindings for Application Developers The RoleBindings are added to all Application Developer namespaces configured in user.namespaces type: object properties: {} additionalProperties: properties: roleRef: title: The reference to a role to use for this RoleBinding description: The reference to a role to use for this RoleBinding type: object properties: name: title: Name of the Role or ClusterRole to bind subjects with description: Name of the Role or 
ClusterRole to bind subjects with type: string kind: title: Either ClusterRole or Role type: string default: Role enum: - ClusterRole - Role additionalProperties: false subjects: title: Subjects to apply role to description: | Configure Subjects that a role apply to Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/ items: $ref: '#/$defs/io.k8s.api.rbac.v1.Subject' type: array default: [] additionalProperties: false extraClusterRoles: title: Extra Application Developer ClusterRoles description: | Configure extra ClusterRoles that are not originally part of Welkin These are intended to be used for Application Developers type: object properties: {} additionalProperties: properties: rules: title: PolicyRules for this Role description: | PolicyRules for this ClusterRole Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/ items: $ref: '#/$defs/io.k8s.api.rbac.v1.PolicyRule' type: array default: [] additionalProperties: false extraClusterRoleBindings: title: Extra Application Developer ClusterRoleBindings description: | Configure extra ClusterRoleBindings for Application Developers type: object properties: {} additionalProperties: properties: roleRef: title: The reference to a role to use for this RoleBinding description: The reference to a role to use for this RoleBinding type: object properties: name: title: Name of the ClusterRole to bind subjects with type: string additionalProperties: false subjects: title: Subjects to apply role to description: | Configure Subjects that a role apply to Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/ items: $ref: '#/$defs/io.k8s.api.rbac.v1.Subject' type: array default: [] additionalProperties: false hnc: additionalProperties: false title: HNC (Hierarchical Namespace Controller) Config description: |- Configuration for Hierarchical Namespace Controller. 
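The `user.extraRoles`, `extraRoleBindings`, `extraClusterRoles` and `extraClusterRoleBindings` maps above are rendered into every Application Developer namespace, so one over-broad `PolicyRule` or a binding to a built-in group is multiplied across all of them. The following is an added example, not code from compliantkubernetes-apps, that lints such a fragment before it is applied: it enforces the constraints the `PolicyRule` and `Subject` definitions state (`verbs` required, resources or `nonResourceURLs` but not both, `*` only as the final path step, empty namespace for `User`/`Group` subjects, `roleRef.kind` defaulting to `Role`) and then reports least-privilege findings. The escalation verb set, the built-in group list and the rule that a `Role` referenced from `extraRoleBindings` must be defined in `extraRoles` are this example's own choices; `lint_rule`, `lint_subject`, `lint_user_config` and `SAMPLE_USER` are names chosen here, and the sample fragment is constructed.

```python
"""Added example, not code from compliantkubernetes-apps. It lints the
`user.extraRoles` / `extraRoleBindings` / `extraClusterRoles` /
`extraClusterRoleBindings` fragment against the PolicyRule and Subject
constraints the schema states, then flags grants that break least privilege."""

SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}
# Verbs that let a holder grow their own privileges; set chosen for this example.
ESCALATION_VERBS = {"*", "escalate", "bind", "impersonate"}
# Built-in groups that stand for "everyone" or cluster admin; chosen for this example.
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated", "system:masters"}


def lint_rule(where: str, rule: dict, cluster_scoped: bool) -> list[str]:
    out: list[str] = []
    verbs = set(rule.get("verbs") or [])
    resources = set(rule.get("resources") or [])
    urls = rule.get("nonResourceURLs") or []
    if not verbs:                                      # schema: required: [verbs]
        out.append(f"{where}: 'verbs' is required")
    if resources and urls:                             # resources XOR nonResourceURLs
        out.append(f"{where}: a rule covers resources or nonResourceURLs, not both")
    if urls and not cluster_scoped:                    # only meaningful in ClusterRoles
        out.append(f"{where}: nonResourceURLs only take effect in a ClusterRole")
    for url in urls:                                   # '*' only as the full, final step
        if "*" in url and not (url.endswith("/*") and url.count("*") == 1):
            out.append(f"{where}: '*' only allowed as the full, final path step: {url}")
    # Least-privilege findings: not schema errors, but worth a second look.
    if "*" in resources or "*" in (rule.get("apiGroups") or []):
        out.append(f"{where}: wildcard resources/apiGroups")
    if verbs & ESCALATION_VERBS:
        out.append(f"{where}: escalation-capable verbs {sorted(verbs & ESCALATION_VERBS)}")
    if resources & {"secrets", "*"} and verbs & {"get", "list", "watch", "*"}:
        out.append(f"{where}: grants read access to Secrets")
    return out


def lint_subject(where: str, subject: dict, cluster_scoped: bool) -> list[str]:
    out: list[str] = []
    kind, name = subject.get("kind"), subject.get("name")
    if kind not in SUBJECT_KINDS or not name:          # schema: required: [kind, name]
        return [f"{where}: subject needs a name and kind in {sorted(SUBJECT_KINDS)}"]
    if kind in ("User", "Group") and subject.get("namespace"):
        out.append(f"{where}: namespace must be empty for kind {kind}")
    if kind == "ServiceAccount" and cluster_scoped and not subject.get("namespace"):
        out.append(f"{where}: ServiceAccount subjects in a ClusterRoleBinding need a namespace")
    if kind == "Group" and name in EVERYONE_GROUPS:
        out.append(f"{where}: binds to built-in group {name}")
    return out


def lint_user_config(user: dict) -> list[str]:
    """Walk the four `user.extra*` maps; returns one line per finding."""
    findings: list[str] = []
    roles = user.get("extraRoles") or {}
    for name, role in roles.items():
        for i, rule in enumerate(role.get("rules") or []):
            findings += lint_rule(f"extraRoles.{name}.rules[{i}]", rule, cluster_scoped=False)
    for name, role in (user.get("extraClusterRoles") or {}).items():
        for i, rule in enumerate(role.get("rules") or []):
            findings += lint_rule(f"extraClusterRoles.{name}.rules[{i}]", rule, cluster_scoped=True)
    for name, rb in (user.get("extraRoleBindings") or {}).items():
        ref = rb.get("roleRef") or {}
        kind = ref.get("kind", "Role")                 # schema default: Role
        if kind not in ("Role", "ClusterRole"):
            findings.append(f"extraRoleBindings.{name}: roleRef.kind must be Role or ClusterRole")
        elif kind == "Role" and ref.get("name") not in roles:
            findings.append(f"extraRoleBindings.{name}: Role {ref.get('name')!r} is not defined in extraRoles")
        for i, subj in enumerate(rb.get("subjects") or []):
            findings += lint_subject(f"extraRoleBindings.{name}.subjects[{i}]", subj, cluster_scoped=False)
    for name, crb in (user.get("extraClusterRoleBindings") or {}).items():
        for i, subj in enumerate(crb.get("subjects") or []):
            findings += lint_subject(f"extraClusterRoleBindings.{name}.subjects[{i}]", subj, cluster_scoped=True)
    return findings


# Constructed sample `user` fragment; the names are made up for this example.
SAMPLE_USER = {
    "extraRoles": {
        "pod-reader": {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                                  "verbs": ["get", "list", "watch"]}]},
        "too-broad": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    },
    "extraRoleBindings": {
        "pod-reader": {"roleRef": {"kind": "Role", "name": "pod-reader"},
                       "subjects": [{"kind": "Group", "name": "app-team", "namespace": "staging"}]},
        "dangling": {"roleRef": {"name": "does-not-exist"},
                     "subjects": [{"kind": "ServiceAccount", "name": "ci"}]},
    },
    "extraClusterRoles": {
        "metrics-reader": {"rules": [{"nonResourceURLs": ["/metrics", "/api/*"], "verbs": ["get"]}]},
    },
    "extraClusterRoleBindings": {
        "metrics-reader": {"roleRef": {"name": "metrics-reader"},
                           "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_user_config(SAMPLE_USER)))
```

On the sample, `pod-reader` and the `/api/*` ClusterRole pass cleanly; `too-broad` produces three findings, the `Group` subject with a namespace is rejected as the Subject definition requires, the binding to an undefined Role is reported, and the ClusterRoleBinding to `system:authenticated` is flagged because it grants the ClusterRole to every authenticated identity in the cluster.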
> [!note] > See [upstream documentation for reference](https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/README.md). type: object properties: enabled: title: Enable HNC description: |- Enable HNC type: boolean default: true additionalAllowPropagateResources: title: Additional Allow Propagate Resources List description: |- Additional resources to enable opt-in propagation for. Objects that should be propagated must have one of the annotations listed here https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#limit-the-propagation-of-an-object-to-descendant-namespaces items: title: Additional Allow Propagate Resources description: |- Additional allow propagate resources for HNC. additionalProperties: false properties: group: examples: - networking.k8s.io type: string resource: examples: - networkpolicies - secrets type: string type: object examples: - resource: secrets - resource: networkpolicies group: networking.k8s.io type: array excludedNamespaces: title: Excluded Namespaces description: |- Namespaces excluded by HNC. Here you can configure a list of namespaces to exclude from HNC in addition to the default excluded namespaces. [Including and excluding namespaces](https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#including-and-excluding-namespaces-from-hnc) items: examples: - mongodb-system - sealed-secrets type: string type: array ha: title: Enable HA (High Availability) description: |- Enable HA mode for HNC webhooks. type: boolean default: true includedNamespacesRegex: title: Included Namespaces Regex description: |- Regex of included namespaces; an empty string includes all.
[Including and excluding namespaces](https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#including-and-excluding-namespaces-from-hnc) type: string managedNamespaceAnnotations: title: Managed Namespace Annotations description: |- Annotations that will be propagated to subnamespaces (allows regex). items: type: string type: array managedNamespaceLabels: title: Managed Namespace Labels description: |- Labels that will be propagated to subnamespaces (allows regex). Labels in particular must also be configured in the HierarchyConfiguration object to be propagated. items: examples: - pod-security.kubernetes.io/audit - pod-security.kubernetes.io/enforce - pod-security.kubernetes.io/warn type: string type: array manager: title: Manager Config description: |- Configuration for Manager. $ref: '#/$defs/component' serviceMonitor: title: Service Monitor description: Service monitor for Hierarchical Namespace Controller. additionalProperties: false properties: relabelings: title: Relabelings description: |- Relabeling items: {} type: array type: object unpropagatedAnnotations: title: Unpropagated Annotations description: |- Annotations that will be stripped from propagated objects items: {} type: array webhook: title: Webhook Config description: Webhook for Hierarchical Namespace Controller. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' replicaCount: type: integer resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' type: object webhookMatchConditions: title: Webhook Match Conditions Enable description: |- Fine-grained match conditions for the webhook. This feature is only available in Kubernetes v1.28+.
type: boolean harbor: additionalProperties: false title: Harbor Config description: |- Configuration options for Harbor. Harbor is a container registry that is deployed for the application developers to use when deploying their applications. > [!note] > See [upstream documentation for reference](https://github.com/goharbor/harbor-helm#configuration). > Not all config variables that exist in Harbor are exposed via our config. type: object properties: enabled: title: Enable Harbor default: true type: boolean alerts: title: Alert Config description: |- Configuration options for Harbor Alerts. additionalProperties: false properties: maxTotalArtifacts: title: Alert For Max Total Artifacts description: |- Alert when the total number of artifacts is above the set number. default: 3000 type: number maxTotalStorageUsedGB: title: Alert For Max Total Storage Used (GB) description: |- Alert when the total storage usage is above the set number. default: 1500 type: number type: object backup: title: Backup Job Config description: |- Configuration options for Backup Job. additionalProperties: false properties: enabled: title: Enable Harbor Backup default: true type: boolean ephemeralBackupStore: title: Ephemeral Backup Store Config description: |- EphemeralBackupStore configuration for Harbor. `storageSize` defines how large the ephemeral volumes will be. properties: enabled: title: Enable Ephemeral Backup Store type: boolean storageSize: title: Storage Size type: string default: 10Gi type: object retentionDays: title: Backup Retention Days description: |- `retentionDays` defines how old a backup should be before deleting it. default: 7 type: number schedule: title: Schedule for backup job description: |- `schedule` defines when the backup job for Harbor will run. This should be set to run shortly after Velero backups in the workload cluster, in order to ensure that images needed for Velero backups are backed up in Harbor.
Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: "30 0 * * *" $ref: '#/$defs/cronSchedule' type: object mpuCleaner: title: MultipartUpload cleaner job configuration description: |- Configuration options for MultipartUpload cleaner job additionalProperties: false properties: enabled: title: Enable Harbor MultipartUpload cleaner default: true type: boolean maxAgeDays: title: Max age description: |- `maxAgeDays` defines how old an unfinished multipart upload is allowed to be before deleting it. default: 7 type: number schedule: title: Schedule for MultipartUpload cleaner job description: |- `schedule` defines when the cleaner job for Harbor will run. Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: "30 2 * * *" $ref: '#/$defs/cronSchedule' type: object core: title: Core Config description: |- Configuration options for Core. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' replicas: title: Core replication description: |- Number of Core pods default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object database: title: Database Config description: |- Configuration options for the database used by Harbor. Set `type` to define which type of database Harbor should use. Only one of `external` or `internal` can be used at a time. `External`: Defines an external PostgreSQL that Harbor will use. For more details on how to configure Harbor to use an external database, check the [README](https://github.com/elastisys/compliantkubernetes-apps?tab=readme-ov-file#harbor-ha---work-in-progress). `Internal`: Use the internal database that is packaged with Harbor. additionalProperties: false properties: external: title: External Database Config description: |- Configuration options for External Database.
additionalProperties: false properties: coreDatabase: title: Core Database description: |- Name of the database for Core default: registry type: string notaryServerDatabase: title: Notary Server Database description: |- Name of the database for Notary Server default: notaryserver type: string notarySignerDatabase: title: Notary Signer Database description: |- Name of the database for Notary Signer default: notarysigner type: string port: title: Database Port description: |- Database listening port default: "5432" type: string sslmode: title: SSL mode type default: disable enum: - disable - require - verify-ca - verify-full meta:enum: disable: No SSL require: Always SSL, but skip certificate verification (the connection is encrypted, but the server is not authenticated) verify-ca: Always SSL (verify that the certificate presented by the server was signed by a trusted CA) verify-full: Always SSL (verify that the certificate presented by the server was signed by a trusted CA and the server host name matches the one in the certificate; the only mode that authenticates the server's identity) type: string type: object internal: title: Internal Database Config description: |- Configuration options for Internal Database. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object type: default: internal type: string type: object gc: title: GC (Garbage Collection) Config description: |- Configuration options for GC (Garbage Collection). additionalProperties: false properties: enabled: title: Enable GC (Garbage Collection) default: true type: boolean forceConfigure: title: Force Configure default: false type: boolean schedule: title: Schedule description: |- Defines a cron schedule for when the garbage collection job should run. Uses a special cron format that adds "seconds" as the first entry, so it is not validated by `$defs.cronSchedule`. Order: "seconds, minutes, hours, day of month, month, day of week".
default: 0 0 0 * * SUN type: string type: object ingress: title: Ingress Config description: |- Configuration options for Ingress. additionalProperties: false properties: additionalAnnotations: title: Additional Annotations type: object defaultAnnotations: title: DefaultAnnotations description: |- Default annotations for ingress additionalProperties: false properties: nginx.ingress.kubernetes.io/proxy-buffering: title: Nginx Config proxy-buffering default: off type: string nginx.ingress.kubernetes.io/proxy-request-buffering: title: Nginx Config proxy-request-buffering default: off type: string type: object type: object jobservice: title: Jobservice Config description: |- Configuration options for Jobservice. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' jobLog: title: JobLog Config description: |- Job log configuration additionalProperties: false properties: persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' type: object jobLoggers: title: JobLoggers Config description: |- Configuration options for JobLoggers items: default: file type: string type: array replicas: title: Jobservice replication description: |- Number of Jobservice pods default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' scanDataExports: title: Scan Data Exports Config description: |- Scan data exports configuration additionalProperties: false properties: persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' type: object type: object nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' notary: title: Notary Config description: |- Configuration options for Notary. 
additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' replicas: default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' subdomain: default: notary.harbor type: string type: object notarySigner: title: NotarySigner Config description: |- Configuration options for Notary signer. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object oidc: title: OIDC (OpenID Connector) Config description: |- Configuration options for OIDC. additionalProperties: false properties: adminGroupName: type: string groupClaimName: default: groups type: string scope: default: openid,email,profile,offline_access,groups type: string type: object persistence: title: Persistence Config description: |- Configuration options for Persistence. additionalProperties: false properties: disableRedirect: title: Harbor registry disable object storage redirect type: boolean description: |- Controls whether or not Harbor registry redirects users to the object storage endpoint. Set this to true if the object storage is not reachable by users when pushing images to Harbor, e.g. if you run into this timeout error: ```console dial tcp :: i/o timeout ``` default: false type: title: Persistence type description: This should match what is set in global config type: string enum: - filesystem - swift - objectStorage meta:enum: filesystem: Persistent volume swift: Swift objectStorage: S3 type: object portal: title: Portal Config description: |- Configuration options for Portal. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' replicas: default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object redis: title: Redis Config description: |- Configuration options for Redis used by Harbor Set `type` to define which type of redis Harbor should use. 
Only one of the `external` or `internal` redis can be enabled at a time. `External`: Defines an external redis that Harbor will use. For details on how to configure Harbor to use an external redis, see the [README](https://github.com/elastisys/compliantkubernetes-apps?tab=readme-ov-file#harbor-ha---work-in-progress) `Internal`: Use the internal redis that is packaged with Harbor. additionalProperties: false properties: external: title: External Redis Config description: |- Configuration options when external Redis is set additionalProperties: false properties: addr: examples: - rfs-redis-harbor.redis-system.svc.cluster.local:26379 type: string sentinelMasterSet: type: string type: object internal: title: Internal Redis Config description: |- Configuration options when internal Redis is set additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object type: default: internal type: string type: object registry: title: Registry config description: |- Registry configuration additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' controller: title: Controller description: |- Controller configuration additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' replicas: default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object s3: title: Storage Driver S3 Config description: |- Configuration options for S3. [Storage Driver S3](https://distribution.github.io/distribution/storage-drivers/s3/) additionalProperties: false properties: multipartcopychunksize: title: Multi Part Copy Chunk Size description: |- Default chunk size for all but the last S3 Multipart Upload part when copying stored objects.
type: - integer - string multipartcopymaxconcurrency: title: Multi Part Copy Max Concurrency description: |- Max number of concurrent S3 Multipart Upload operations when copying stored objects. type: - integer - string multipartcopythresholdsize: title: Multi Part Copy Threshold Size description: |- Default object size above which S3 Multipart Upload will be used when copying stored objects. default: "536870912" type: string $comment: turn into number? type: object subdomain: title: Sub Domain default: harbor type: string tolerations: $ref: '#/$defs/kubernetesTolerations' trivy: title: Trivy Config description: |- Configuration options for Trivy. additionalProperties: false properties: affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' persistentVolumeClaim: $ref: '#/$defs/kubernetesPersistentVolumeClaim' replicas: default: 1 type: number resources: $ref: '#/$defs/kubernetesResourceRequirements' extraEnvVars: type: array title: Trivy extra environment variables description: |- Array of additional environment variables to pass to Trivy items: type: object title: Settings to pass to Trivy description: |- name/value combination properties: name: type: string value: type: string type: object exporter: title: Exporter Config description: |- Configuration options for Exporter. additionalProperties: false properties: external: title: External description: |- External configuration additionalProperties: false properties: coreDatabase: title: Core Database examples: - registry type: string port: title: Database Port examples: - "5432" type: string type: object resources: $ref: '#/$defs/kubernetesResourceRequirements' type: object storageClasses: additionalProperties: false title: Storage Classes Config description: |- Configuration options for using block storage in Welkin properties: default: description: The StorageClass to use for all persistent volumes in Welkin. 
type: string default: default type: object objectStorage: additionalProperties: false title: Object Storage Config description: |- Configuration options for using object storage in Welkin This is used for: - Fluentd audit logs - Fluentd service cluster logs - Harbor database backups and registry storage - OpenSearch workload cluster log snapshots - Rclone object storage sync source and restore destination - Thanos metrics storage - Velero resource backups and volume snapshots Harbor, Rclone, and Thanos have additional configuration to use Swift. type: object properties: buckets: title: Object Storage Buckets description: |- Buckets or containers for each respective application to use for application data or backup storage. Keys are used as identifiers for buckets or containers, while the values are used as the bucket or container name. Additional entries added here will have monitoring enabled. type: object additionalProperties: title: Bucket Name description: The bucket or container name. type: string type: title: Object Storage Type description: |- Object storage type to use. In addition to this Harbor, Rclone, and Thanos have additional configuration to use Swift. type: string enum: - azure - gcs - s3 - none azure: additionalProperties: false title: Azure Backend Config description: Only supports Azure Public Cloud. type: object properties: storageAccountName: title: Azure Storage Account Name description: Name of the storage account type: string resourceGroup: title: Azure Resource Group description: Resource group of the storage account. type: string s3: additionalProperties: false title: S3 Backend Config description: Supports both AWS and non-AWS implementations. type: object properties: region: title: S3 Region description: Region to store data. type: string regionEndpoint: title: S3 Region Endpoint description: |- Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. `https://`). 
type: string format: uri forcePathStyle: title: S3 Force Path Style description: |- Force the use of path style access instead of virtual host style access. Generally `false` when using AWS, Exoscale, and UpCloud and `true` for other providers. type: boolean v2Auth: title: S3 v2 authentication description: |- Force the use of v2 authentication, will default to using v4 authentication otherwise. type: boolean default: false swift: additionalProperties: false title: Swift Backend Config description: |- > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. type: object properties: authVersion: title: OpenStack Authentication Version description: |- OpenStack authentication version. Set `0` for auto detect from authentication url. type: integer default: 0 authUrl: title: OpenStack Authentication URL description: |- OpenStack authentication URL. Make sure to prepend the protocol (e.g. `https://`) and append the authentication version (e.g. `/v3`). type: string format: uri region: title: OpenStack Region description: |- OpenStack region. type: string domainId: title: OpenStack Domain ID description: |- The user domain ID to use. User domain is required when authenticating with `username`, set either `domainId` or `domainName`. type: string domainName: title: OpenStack Domain Name description: |- The user domain name to use. User domain is required when authenticating with `username`, set either `domainId` or `domainName`. type: string projectDomainId: title: OpenStack Project Domain ID description: |- The project domain ID to use. Project domain is required when authenticating with `projectName`, set either `projectDomainId` or `projectDomainName`. type: string projectDomainName: title: OpenStack Project Domain Name description: |- The project domain name to use. Project domain is required when authenticating with `projectName`, set either `projectDomainId` or `projectDomainName`. 
type: string projectId: title: OpenStack Project ID description: |- The project ID to use. Project is required when authenticating with `username`, set either `projectId` or `projectName`. type: string projectName: title: OpenStack Project Name description: |- The project name to use, requires project domain to be set. Project is required when authenticating with `username`, set either `projectId` or `projectName`. type: string segmentsContainerSuffix: title: Swift Segments Container Suffix description: |- The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. type: string default: +segments sync: additionalProperties: false title: Rclone Sync Config description: |- Sync object storage from the primary site to a secondary site with Rclone. type: object properties: activeDeadlineSeconds: title: Rclone Cronjob Active Deadline Seconds description: |- The maximum amount of time that the Rclone job is allowed to run (in seconds). type: number default: 14400 enabled: title: Rclone Sync Enable type: boolean default: false dryrun: title: Rclone Sync Dryrun description: Deploy Rclone with dryrun enabled. type: boolean default: false syncDefaultBuckets: title: Rclone Sync Default Buckets description: Sync the buckets or containers set under `.objectStorage.buckets`. type: boolean default: false defaultSchedule: title: Rclone Sync Default Schedule description: |- Default schedule to run the sync CronJobs. Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: 0 5 * * * $ref: '#/$defs/cronSchedule' buckets: title: Rclone Sync Buckets description: Additional buckets to sync. 
type: array default: [] items: title: Buckets to sync description: |- List of buckets to sync when `syncDefaultBuckets` is false type: object examples: - source: azure-environment-harbor sourceType: azure sourcePath: //docker destinationPath: /docker destinationType: s3 nameSuffix: docker - source: azure-environment-harbor sourceType: azure sourcePath: /backups destinationPath: /backups destinationType: s3 nameSuffix: backups required: - source properties: source: type: string title: Source bucket to sync destination: type: string title: Destination bucket to sync schedule: type: string title: Sync schedule for this bucket description: |- Defaults to `.objectStorage.sync.defaultSchedule` Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. $ref: '#/$defs/cronSchedule' sourceType: type: string title: Type of source examples: - s3 - swift - azure sourcePath: type: string title: Path to sync from description: |- Rclone will sync all files from this path. Defaults to "" (root of bucket). default: "" destinationType: type: string title: Type of destination examples: - s3 - swift - azure destinationPath: type: string title: Path to sync to description: |- Rclone will sync files to this path. Defaults to "" (root of bucket). default: "" nameSuffix: type: string title: Suffix to cronjob name description: |- Suffix added to the end of the cronjob name. Defaults to "custom". The default buckets have "default" as suffix. additionalProperties: false destinationType: title: Rclone Sync Destination Type description: |- Object storage type to use.
type: string enum: - azure - gcs - s3 - swift secondaryUrl: title: Rclone Sync Secondary URL type: string format: uri azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' resources: $ref: '#/$defs/kubernetesResourceRequirements' encrypt: additionalProperties: false title: Rclone Crypt description: |- Encrypt data when syncing and decrypt data when restoring. properties: enabled: title: Rclone Crypt Enable type: boolean default: false fileNames: title: Rclone Crypt Crypt File Names description: Encrypt file names when syncing. type: boolean default: false directoryNames: title: Rclone Crypt Crypt Directory Names description: Encrypt directory names when syncing, requires file names to be encrypted. type: boolean default: false type: object sourceType: title: Rclone Sync Source Type description: Object storage type to use. Defaults to .objectStorage.type type: string examples: - azure - gcs - s3 - swift restore: additionalProperties: false title: Rclone Restore Config description: |- Restore object storage from a secondary site to the primary site with Rclone. > [!note] > When enabled this will disable Rclone sync to prevent it from modifying the secondary site. type: object properties: enabled: title: Rclone Restore Enable type: boolean default: false dryrun: title: Rclone Restore Dryrun description: Deploy Rclone with dryrun enabled. type: boolean default: false addTargetsFromSync: title: Rclone Restore Targets From Sync description: |- Automatically configure the restore from a secondary site to the primary site. Essentially this will configure Rclone restore to do the inverse of Rclone sync. type: boolean default: false targets: title: Rclone Restore Targets description: Targets to restore type: array default: [] items: title: Rclone restore target description: |- Details of a bucket to restore. 
type: object required: - destinationName properties: destinationName: type: string title: Destination bucket to sync destinationType: type: string title: Type of destination examples: - s3 - swift - azure destinationPath: type: string title: Path to restore to description: |- Rclone will sync files to this path. Defaults to "" (root of bucket). default: "" sourceName: type: string title: Source bucket to sync sourceType: type: string title: Type of source examples: - s3 - swift - azure sourcePath: type: string title: Path to sync from description: |- Rclone will sync all files from this path. Defaults to "" (root of bucket). default: "" nameSuffix: type: string title: Suffix to cronjob name description: |- Suffix added to the end of the cronjob name. Defaults to "custom". additionalProperties: false timestamp: title: Rclone Restore Timestamp description: |- Perform point-in-time restore if possible. This is only supported for S3 sources. type: string default: "" destinations: title: Rclone Restore Destinations description: |- Allows for complete or partial overrides of the destinations of the restore, the main object storage configuration. type: object properties: azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' default: {} sources: title: Rclone Restore Sources description: |- Allows for complete or partial overrides of the sources of the restore, the sync object storage configuration. type: object properties: azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' default: {} decrypt: description: |- Allows for complete or partial overrides of the decrypt of the restore, the sync encrypt configuration.
$ref: '#/properties/objectStorage/properties/sync/properties/encrypt' default: {} rookCeph: title: Rook Ceph Config description: |- Configure support for Rook Ceph. This is deprecated and should be configured via compliantkubernetes-kubespray if used. type: object additionalProperties: false properties: gatekeeperPsp: title: Rook Ceph Pod Security Policies description: Configure Pod Security Policies for Rook Ceph. additionalProperties: false type: object properties: enabled: title: Rook Ceph Pod Security Policies Enabled type: boolean default: false monitoring: title: Rook Ceph Monitoring description: Configure Monitoring for Rook Ceph. additionalProperties: false type: object properties: enabled: title: Rook Ceph Monitoring Enabled type: boolean default: false velero: title: Velero Config description: |- Configure Velero, the backup and snapshot tool for Kubernetes resources and volumes. This requires that `objectStorage` is configured, and will use the bucket or container set in `objectStorage.buckets.velero`. type: object additionalProperties: false properties: enabled: title: Velero Enabled type: boolean default: true uploaderType: title: Velero Uploader Type type: string enum: - kopia - restic useVolumeSnapshots: title: Velero Use Volume Snapshots type: boolean default: false schedule: title: Velero Backup Schedule description: |- Schedule for Velero backup schedule "velero-daily-backup" Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: 0 0 * * * $ref: '#/$defs/cronSchedule' retentionPeriod: title: Velero Backup Retention Period $ref: '#/$defs/goDuration' default: 720h0m0s excludedNamespaces: title: Velero Excluded namespaces description: Configure system namespaces to exclude from backups. type: array items: title: Namespace type: string excludedExtraNamespaces: title: Velero Excluded namespaces description: Configure dynamic namespaces to exclude from backups, prefer this for overrides over `excludedNamespaces`. 
type: array items: title: Namespace type: string restoreResourcePriorities: title: Velero Restore Resource Priority description: |- Configure restore order for resources > [!note] > See [upstream documentation for reference](https://velero.io/docs/main/restore-reference/#restore-order) type: array items: title: Resource type: string storagePrefix: title: Velero Storage Prefix description: |- Configure unique storage prefix for this cluster when storing backups and snapshots in object storage. When multiple workload clusters share the same bucket or container ensure that they use separate storage prefixes. type: string examples: - service-cluster - workload-cluster nodeAgent: title: Velero Node Agent description: Configure the node agent of Velero, used to take snapshots of volumes. additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' type: object resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' clusterAdmin: title: Cluster Admin description: Configure the cluster admins. type: object additionalProperties: false properties: groups: title: Admin Groups description: Configure the cluster admin groups. type: array items: title: Admin Group type: string users: title: Admin Users description: Configure the cluster admin users. type: array items: title: Admin User type: string dex: title: Dex Config description: |- Configure Dex, the federated OIDC Identity Provider. > [!note] > Dex is installed in the service cluster, so this configuration mainly applies there. type: object additionalProperties: false properties: replicaCount: title: Dex Replicas type: number default: 2 subdomain: title: Dex Subdomain description: |- Subdomain of `baseDomain` that the Ingress to Dex will be created with. > [!note] > Must be set for both service and workload clusters. 
type: string default: dex additionalKubeloginRedirects: title: Dex Kubelogin Redirects description: Configure Dex with additional Kubelogin redirects. type: array items: title: Dex Kubelogin Redirect type: string format: uri examples: - http://localhost:8080/redirect enableStaticLogin: title: Dex Static Login description: Configure Dex with a static password login `admin@example.com`. type: boolean default: true expiry: title: Dex Expiry description: Configure expiry when authenticating with Dex. type: object additionalProperties: false properties: deviceRequests: $ref: '#/$defs/timeRange' default: 5m signingKeys: $ref: '#/$defs/timeRange' default: 6h idToken: $ref: '#/$defs/timeRange' default: 24h refreshTokens: title: Dex Expiry Refresh Tokens description: Configure expiry of refresh tokens when authenticating with Dex. type: object additionalProperties: false properties: absoluteLifetime: $ref: '#/$defs/timeRange' default: 3960h validIfNotUsedFor: $ref: '#/$defs/timeRange' default: 2160h reuseInterval: $ref: '#/$defs/timeRange' default: 3s google: title: Dex Google Config description: Configure Dex with specific options when using the Google connector. type: object additionalProperties: false properties: groupSupport: title: Dex Google Group Support Enabled type: boolean default: false SASecretName: title: Dex Google Service Account Secret Name type: string default: "" if: properties: groupSupport: title: Dex Google Group Support Enabled const: true then: required: - SASecretName serviceMonitor: title: Dex Service Monitor description: Configure the Service Monitor collecting metrics from Dex. 
type: object additionalProperties: false properties: enabled: title: Dex Service Monitor Enabled type: boolean default: true resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' externalTrafficPolicy: title: External Traffic Policy description: |- Configure global ingress external traffic policy. type: object additionalProperties: false properties: local: title: Local External Traffic Policy type: boolean default: true whitelistRange: title: Allowlist Range description: |- Configure allowlist CIDR ranges for ingresses. This is done via the ingress annotation `nginx.ingress.kubernetes.io/whitelist-source-range`. Set to `false` to explicitly opt-out of this annotation. type: object additionalProperties: default: 0.0.0.0/0 type: - boolean - string falco: additionalProperties: false title: Falco Config description: Configuration for Falco, the runtime security and threat detection tool. type: object properties: enabled: title: Falco Enabled type: boolean default: true alerts: additionalProperties: false title: Falco Alerts description: Configure Falco alerts sent from Falco sidekick. type: object properties: enabled: title: Falco Alerts Enabled type: boolean default: false type: title: Falco Alerts Type description: Configure the notification channel for Falco alerts. type: string default: alertmanager enum: - alertmanager - slack - none hostPort: title: Falco Alerts Host Port description: Configure the URL (host and port) of the notification channel that Falco alerts are sent to. type: string format: uri default: http://alertmanager-operated.monitoring:9093 priority: title: Falco Alerts Priority description: Configure the notification priority for Falco alerts.
type: string default: notice driver: title: Falco Driver description: |- Configuration for the Falco syscall driver used to collect events. See [the upstream documentation](https://falco.org/docs/concepts/event-sources/kernel/) for more information. type: object properties: kind: title: Falco Driver Kind type: string default: kmod enum: - kmod - modern-bpf - ebpf meta:enum: kmod: Kernel module (default) modern-bpf: Modern eBPF probe ebpf: Legacy eBPF probe if: properties: kind: const: kmod then: properties: module: additionalProperties: false title: Falco Kmod Driver Config description: Configuration for the Falco Kmod Driver. type: object properties: repoURL: title: Falco Kmod Driver URL description: Override the URL used to download driver modules, e.g. to use a self-hosted file server in an air-gapped environment type: string oneOf: - const: "" - format: uri else: properties: kind: type: string enum: - modern-bpf - ebpf ebpf: additionalProperties: false title: Falco eBPF Driver Config description: Configuration for the Falco eBPF Driver. type: object properties: hostNetwork: title: Falco eBPF Host Network description: |- Needed to enable eBPF JIT at runtime for performance reasons. Can be skipped if eBPF JIT is enabled from outside the container type: boolean default: false path: title: Falco eBPF Path description: |- Path where the eBPF probe is located. It comes in handy when the probe has been installed on the nodes using tools other than the init container deployed with the chart. type: string default: "" artifact: title: Falcoctl Artifact description: |- Configure Falcoctl artefact management. See [the upstream repository](https://github.com/falcosecurity/falcoctl) for reference. additionalProperties: false type: object properties: install: title: Falcoctl Artifact Install description: Configure Falcoctl artefact install.
additionalProperties: false type: object properties: enabled: title: Falcoctl Artifact Install Enabled description: |- Configure Falcoctl to install additional artifacts before Falco starts. Set this to false in an air-gapped environment, unless artifacts are self-hosted and `customIndexes` are configured. type: boolean default: false customIndexes: title: Falcoctl Custom Artifact Indices description: Configure custom artefact indices for Falcoctl. type: array items: title: Falcoctl Custom Artifact Index description: Configure custom artefact index for Falcoctl. type: object properties: name: title: Falcoctl Artifact Index Name type: string url: title: Falcoctl Artifact Index URL type: string format: uri rulesFiles: title: Falco Rule Files description: |- Configure standard rules to use in Falco. See [the upstream documentation](https://falcosecurity.github.io/rules/) for reference. additionalProperties: false type: object properties: default: additionalProperties: false title: Falco Default Rules description: Configure Falco default rules type: object properties: enabled: title: Falco Default Rules Enabled type: boolean default: true version: title: Falco Default Rules Version type: string default: 3.0.1 incubating: additionalProperties: false title: Falco Incubating Rules description: Configure Falco incubating rules type: object properties: enabled: title: Falco Incubating Rules Enabled type: boolean default: false version: title: Falco Incubating Rules Version type: string default: 3.0.1 sandbox: additionalProperties: false title: Falco Sandbox Rules description: Configure Falco sandbox rules type: object properties: enabled: title: Falco Sandbox Rules Enabled type: boolean default: false version: title: Falco Sandbox Rules Version type: string default: 3.0.1 customRules: title: Falco Custom Rules description: |- Configure custom rules to use in Falco. > [!note] > See [the upstream documentation](https://falco.org/docs/rules/) for reference. 
> > The keys will become the file name of the generated rule file, and all files are parsed in alphabetical order. additionalProperties: format: yaml type: string type: object tty: title: Falco Allocate TTY description: |- Attach the Falco process to a TTY inside the container. Needed to flush Falco logs as soon as they are emitted. type: boolean default: true falcoSidekick: additionalProperties: false title: Falco Sidekick description: Basic configuration for Falco Sidekick, the deployment that forwards Falco alerts to Alertmanager. type: object properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' useContainerEngine: title: Use the new containerEngine collector description: Use the new container engine collector that replaces the old docker, containerd, crio and podman collectors. type: boolean default: true resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' gatekeeper: title: OPA Gatekeeper Config description: |- Configure OPA Gatekeeper to give application developers access to Custom Resource Definitions. Some preconfigured services can be found under the key `user`. > [!note] > See [the admin docs](https://elastisys.io/welkin/operator-manual/user-managed-crds/) for context. type: object additionalProperties: false properties: enabled: title: Gatekeeper Enabled type: boolean default: true allowUserCRDs: title: Allow Dev CRDs description: Configure access to Custom Resource Definitions for application developers.
type: object additionalProperties: false properties: enabled: title: Dev CRDs Enabled type: boolean default: false enforcement: title: Dev CRDs Enforcement type: string default: deny enum: - deny - warn - dryrun meta:enum: deny: Deny actions violating the constraint. warn: Warn actions violating the constraint. dryrun: Dryrun actions violating the constraint. adminConfUser: title: Dev CRDs Admin Config User description: |- Configure the admin config user of the `/etc/kubernetes/admin.conf` found on the control plane nodes. This is necessary if Kubespray is used for managing the cluster. type: string default: kubernetes-admin extraCRDs: title: Dev CRDs Extra CRDs description: Configure extra CRDs to allow for application developers. type: array items: title: Dev CRDs Extra CRDs description: Configure extra CRDs to allow for application developers. type: object properties: group: title: CRD Group description: Configure the group of the CRDs. type: string names: title: CRD Names description: Configure the names of the CRDs. type: array items: title: CRD Name type: string examples: - - group: example.com names: - resource.example.com extraServiceAccounts: title: Dev CRDs Extra Service Accounts description: Configure extra service accounts to allow access to configured CRDs. type: array items: title: Dev CRDs Extra Service Account description: Configure an extra service account to allow access to configured CRDs. type: object additionalProperties: false properties: namespace: title: Service Account Namespace type: string name: title: Service Account Name type: string examples: - - namespace: example-namespace name: example-controller kured: additionalProperties: false title: Kured Config description: |- Configuration for Kured (Kubernetes Reboot Daemon). Kured orchestrates node reboots to allow nodes to automatically perform system updates and patches. 
    type: object
    properties:
      enabled:
        title: Kured Enabled
        default: false
        type: boolean
      configuration:
        title: Kured Config
        description: |-
          Kured configuration parameters.
          See [the upstream documentation for reference](https://kured.dev/docs/configuration/).
          Most parameters are mapped from `camelCase` to `--kebab-case`, others can be set via `extraArgs`.
        type: object
        properties:
          drainTimeout:
            title: Kured Drain Timeout
            description: |-
              Timeout after which the drain is aborted.
              Default 0, infinite time.
            $ref: '#/$defs/goDuration'
            default: "0"
          timeZone:
            title: Kured Schedule Time Zone
            type: string
            default: UTC
          startTime:
            title: Kured Schedule Start Time
            description: Schedule reboots only after this time of day.
            type: string
            default: 0:00
          endTime:
            title: Kured Schedule End Time
            description: Schedule reboots only before this time of day.
            type: string
            default: 23:59:59
          rebootDays:
            title: Kured Schedule Reboot Days
            description: Only reboot on these days.
            type: array
            items:
              type: string
              examples:
                - mo
                - tu
                - we
                - th
                - fr
                - sa
                - su
            default:
              - mo
              - tu
              - we
              - th
              - fr
              - sa
              - su
          period:
            title: Kured Reboot Check Period
            description: Sentinel check period.
            $ref: '#/$defs/goDuration'
            default: 1h
          lockReleaseDelay:
            title: Kured Reboot Lock Release Delay
            description: Hold lock after reboot by this amount of time.
            $ref: '#/$defs/goDuration'
            default: 5m
          extraArgs:
            $ref: '#/$defs/extraArgs'
          extraEnvVars:
            type: object
      metrics:
        title: Kured Metrics
        description: Configuration for Kured metrics
        additionalProperties: false
        properties:
          enabled:
            title: Kured Metrics Enabled
            type: boolean
            default: true
          interval:
            title: Kured Metrics Duration
            $ref: "#/$defs/goDuration"
            default: 60s
          labels:
            title: Kured Metrics Labels
            type: object
        type: object
      notification:
        title: Kured Notification
        description: Send notification from Kured when nodes are rebooted.
        additionalProperties: false
        type: object
        properties:
          slack:
            title: Kured Slack Notification
            description: Send notification from Kured to Slack when nodes are rebooted.
            additionalProperties: false
            type: object
            properties:
              enabled:
                title: Kured Slack Notification Enabled
                default: false
                type: boolean
              channel:
                title: Kured Slack Notification Channel
                default: ""
                type: string
      dsAnnotations:
        type: object
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      nodeSelector:
        $ref: '#/$defs/kubernetesNodeSelector'
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
  opa:
    title: Open Policy Agent Config
    description: |-
      Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.
      [Welkin contains multiple safeguards to make it easy to follow security best practices](https://elastisys.io/welkin/user-guide/safeguards/).
      This includes an implementation of constraints and mutations with similar behaviour as Pod Security Policies, and application developer centric safeguards.
    type: object
    additionalProperties: false
    properties:
      auditChunkSize:
        title: Gatekeeper Audit Chunk Size
        default: 500
        type: number
      auditFromCache:
        title: Gatekeeper Audit From Cache
        default: false
        type: boolean
      auditIntervalSeconds:
        title: Gatekeeper Audit Interval
        default: 600
        type: number
      constraintViolationsLimit:
        title: Gatekeeper Audit Constraints Violation Limits
        default: 20
        type: number
      disallowedTags:
        title: Safeguard Disallowed Tags
        description: |-
          Configure constraint to disallow configured tags on container images.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-latest-tag/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Disallowed Tags Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Disallowed Tags Enforcement
            type: string
            default: deny
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
          tags:
            title: Safeguard Disallowed Tags
            description: Configure the tags that should be disallowed by the constraint.
            type: array
            items:
              title: Safeguard Disallowed Tag
              type: string
              default: latest
      imageRegistry:
        title: Safeguard Trusted Registries
        description: |-
          Configure constraint to only allow configured registries for container images.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-trusted-registries/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Trusted Registries Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Trusted Registries Enforcement
            type: string
            default: warn
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
          URL:
            title: Safeguard Trusted Registries URLs
            description: |-
              Configure the registries that should be trusted by the constraint.

              > [!note]
              > To support issuing certificates with HTTP-01 challenges the registry `quay.io/jetstack/cert-manager-acmesolver` must be added.
            type: array
            items:
              title: Safeguard Trusted Registries URL
              type: string
              examples:
                - harbor.example.com
                - quay.io/jetstack/cert-manager-acmesolver
      minimumDeploymentReplicas:
        title: Safeguard Minimum Replicas
        description: |-
          Configure constraint to only allow Deployments and StatefulSets with more than one replica.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-minimum-replicas/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Minimum Replicas Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Minimum Replicas Enforcement
            type: string
            default: warn
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      rejectLocalStorageEmptyDir:
        title: Safeguard Reject Local Storage EmptyDir
        description: |-
          Configure constraint to reject usage of local storage emptydir.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-local-storage-emptydir/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Rejecting Local Storage EmptyDir Enabled
            type: boolean
            default: false
          enforcement:
            title: Safeguard Reject Local Storage EmptyDir Enforcement
            type: string
            default: warn
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      rejectPodWithoutController:
        title: Safeguard Reject Pod Without Controller
        description: |-
          Configure constraint to reject pods without a controller.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-pod-without-controller) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Reject Pod Without Controller Enabled
            type: boolean
            default: false
          enforcement:
            title: Safeguard Reject Pod Without Controller Enforcement
            type: string
            default: warn
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      restrictPodDisruptionBudgets:
        title: Safeguard Restrict PodDisruptionBudget
        description: |-
          Configure constraint to reject PodDisruptionBudgets and connected Pod controllers if the PDB does not allow for at least 1 pod disruption.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-restricted-pod-disruption-budgets/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Restrict PodDisruptionBudget Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Restrict PodDisruptionBudget Enforcement
            type: string
            default: deny
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      networkPolicies:
        title: Safeguard Network Policies
        description: |-
          Configure constraint to only allow Pods targeted by NetworkPolicies.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-networkpolicies/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Network Policies Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Network Policies Enforcement
            type: string
            default: warn
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      rejectLoadBalancerService:
        title: Safeguard Reject Load Balancer Service
        description: |-
          Configure constraint to reject creation of Services with the type LoadBalancer.
          Advantageous if the cluster cannot automatically provision LoadBalancers, e.g. because the infrastructure provider does not offer such Kubernetes integration.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-no-load-balancer-service/) for context.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Reject Load Balancer Service Enabled
            type: boolean
            default: false
          enforcement:
            title: Safeguard Reject Load Balancer Service Enforcement
            type: string
            default: deny
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      preventAccidentalDeletion:
        title: Safeguard Prevent Accidental Deletion
        description: |-
          Configure constraint to reject deletion of sensitive resources.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Prevent Accidental Deletion
            type: boolean
            default: false
          enforcement:
            title: Safeguard Prevent Accidental Deletion Enforcement
            type: string
            default: deny
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
      resourceRequests:
        title: Safeguard Resource Requests
        description: |-
          Configure constraint to only allow Pods configured with resource requests.

          > [!note]
          > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-resources/) for context.
        additionalProperties: false
        properties:
          enabled:
            title: Safeguard Resource Requests Enabled
            type: boolean
            default: true
          enforcement:
            title: Safeguard Resource Requests Enforcement
            type: string
            default: deny
            enum:
              - deny
              - warn
              - dryrun
            meta:enum:
              deny: Deny actions violating the constraint.
              warn: Warn actions violating the constraint.
              dryrun: Dryrun actions violating the constraint.
        type: object
      mutations:
        title: Mutations
        description: Configure mutations to set defaults in deployed resources.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Mutations Enabled
            default: true
            type: boolean
          jobTTL:
            title: Mutation Job TTL
            description: |-
              Configure mutations to set time to live on deployed Jobs.

              > [!note]
              > See [the dev docs](https://elastisys.io/welkin/user-guide/safeguards/enforce-job-ttl/) for context.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Mutation Job TTL Enabled
                type: boolean
                default: true
              ttlSeconds:
                title: Mutation Job TTL Seconds
                $comment: Default is 7 days.
                type: number
                default: 604800
          ndots:
            title: Mutation Ndots
            description: Configure mutations to set ndots on deployed Pods.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Mutation Ndots Enabled
                default: false
                type: boolean
              ndotAmount:
                title: Mutation Ndots Amount
                type: integer
                default: 3
              labelSelector:
                title: Mutation Ndots Label Selector
                description: Configure the label selector for pods to be targeted by this mutation.
                type: object
                additionalProperties: false
                properties:
                  matchLabels:
                    title: Mutation Ndots Match Labels
                    description: |-
                      Configure the label selector for pods to be targeted by this mutation.
                      Default `{}` targets all Pods.
                    type: object
                    additionalProperties:
                      title: Labels
                      type: string
                    default: {}
      audit:
        title: OPA Gatekeeper Audit
        description: Configure the Audit deployment of OPA Gatekeeper.
        type: object
        additionalProperties: false
        properties:
          writeToRAMDisk:
            title: OPA Gatekeeper Audit Write To RAM Disk
            type: boolean
            default: false
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
          tolerations:
            $ref: '#/$defs/kubernetesTolerations'
          topologySpreadConstraints:
            $ref: '#/$defs/kubernetesTopologySpreadConstraints'
          nodeSelector:
            $ref: '#/$defs/kubernetesNodeSelector'
          affinity:
            $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      controllerManager:
        $ref: '#/$defs/component'
      mutatingWebhookTimeoutSeconds:
        default: 5
        type: number
      validatingWebhookTimeoutSeconds:
        default: 5
        type: number
  trivy:
    title: Trivy Config
    description: |-
      Configure Trivy Operator.
      Trivy automatically scans the cluster for vulnerabilities, misconfigurations, and exposed secrets.
    type: object
    additionalProperties: false
    patternProperties:
      \w+Enabled$:
        $comment: |-
          This definition applies to any key that ends with 'Enabled', which are all booleans.
          In the future it may be desirable to replace this with individual entries under `properties` in order to provide documentation for each scanner.
        description: Enable or disable various security scanners
        type: boolean
    properties:
      enabled:
        title: Trivy Config Enabled
        type: boolean
        default: true
      excludeNamespaces:
        title: Trivy Config Excluded Namespaces
        description: Configure a comma-separated list of namespaces (or glob patterns) to be excluded from Trivy scanners.
        type: string
      scanJobs:
        title: Trivy Scan Jobs
        description: Configure the scan jobs created by Trivy.
        type: object
        additionalProperties: false
        properties:
          concurrentLimit:
            title: Trivy Scan Job Concurrent Limit
            type: number
            default: 1
          retryDelay:
            title: Trivy Scan Job Retry Delay
            type: string
            default: 1m
          timeout:
            title: Trivy Scan Job Timeout
            type: string
            default: 5m
      scanner:
        title: Trivy Scanner
        description: |-
          Configure the scanner used by Trivy.

          > [!note]
          > Many of these must be configured to support an air-gapped environment.
          > See [the admin documentation](https://elastisys.io/welkin/operator-manual/air-gapped/#trivy) for reference.
        type: object
        additionalProperties: false
        properties:
          offlineScanEnabled:
            title: Trivy Offline Scan Enabled
            type: boolean
          dbRegistry:
            title: Trivy DB Registry
            type: string
          dbRepository:
            title: Trivy DB Repository
            type: string
          dbRepositoryInsecure:
            title: Trivy DB Repository Insecure
            type: boolean
          javaDbRegistry:
            title: Trivy Java DB Registry
            type: string
          javaDbRepository:
            title: Trivy Java DB Repository
            type: string
      imagePullSecret:
        title: Trivy Image Pull Secret
        description: |-
          Configure an image pull secret for Trivy to use.
          Create the secret in the `monitoring` namespace then configure the name here.
        additionalProperties: false
        type: object
        properties:
          name:
            title: Secret Name
            type: string
      registry:
        title: Trivy Registry
        description: Configure registries for Trivy.
        type: object
        properties:
          mirror:
            title: Trivy Registry Mirror
            description: |-
              Configure registry mirrors for Trivy.
              The key represents the original registry and the value the mirror registry.
            type: object
            additionalProperties:
              description: Registry Mirror
              examples:
                - registry.example.com:5000
              type: string
            examples:
              - docker.io: registry.example.com:5000
                gcr.io: registry.example.com:5000
                ghcr.io: registry.example.com:5000
                index.docker.io: registry.example.com:5000
                quay.io: registry.example.com:5000
                registry.k8s.io: registry.example.com:5000
      timeout:
        $ref: '#/$defs/goDuration'
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      vulnerabilityScanner:
        title: Trivy Vulnerability Scanner
        description: Configure the vulnerability scanner for Trivy.
        type: object
        additionalProperties: false
        properties:
          scanOnlyCurrentRevisions:
            title: Trivy Scan Current Revisions
            type: boolean
            default: true
          scannerReportTTL:
            title: Trivy Scan Report TTL
            $ref: '#/$defs/timeRange'
            default: 720h
      serviceMonitor:
        title: Trivy Service Monitor
        description: Configure the service monitor collecting metrics from Trivy.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Trivy Service Monitor Enabled
            type: boolean
            default: true
          interval:
            $ref: '#/$defs/timeRange'
      nodeCollector:
        title: Trivy Node Collector
        description: Configure the node collector created by Trivy.
        type: object
        additionalProperties: false
        properties:
          tolerations:
            $ref: '#/$defs/kubernetesTolerations'
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
    required:
      - enabled
  alerts:
    title: Alerts Config
    description: Configure alerting.
    type: object
    additionalProperties: false
    if:
      properties:
        alertTo:
          type: string
          const: slack
    then:
      properties:
        slack:
          properties:
            channel:
              title: Slack Channel
              type: string
    properties:
      alertTo:
        title: Alert To
        type: string
      customReceivers:
        title: Alert Custom Receivers
        type: array
        description: |-
          Additional receivers that will be added to the configuration of Alertmanager

          > [!note]
          > See [the upstream documentation](https://prometheus.io/docs/alerting/latest/configuration/#receiver) for reference.
      customRoutes:
        title: Additional custom routes
        description: |-
          Additional route receivers that will be added to the configuration of Alertmanager

          > [!note]
          > See [the upstream documentation](https://prometheus.io/docs/alerting/latest/configuration/#route) for reference.
        default: []
        type: array
      opsGenie:
        title: Alert OpsGenie Config
        description: Configure alerting to OpsGenie.
        type: object
        additionalProperties: false
        properties:
          apiUrl:
            title: OpsGenie URL
            type: string
            format: uri
            default: https://api.eu.opsgenie.com
          updateAlerts:
            title: Whether to dynamically update existing alerts
            type: boolean
            default: false
      opsGenieHeartbeat:
        title: Alert OpsGenie Heartbeat
        description: Configure heartbeats to OpsGenie.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
        then:
          required:
            - name
            - url
          properties:
            name:
              title: OpsGenie Heartbeat Name
              type: string
            url:
              title: OpsGenie Heartbeat URL
              type: string
              format: uri
              default: https://api.eu.opsgenie.com/v2/heartbeats
        properties:
          enabled:
            title: OpsGenie Heartbeat Enabled
            type: boolean
            default: false
          name: true
          url: true
        required:
          - enabled
      slack:
        title: Alert Slack Config
        description: Configure alerting to Slack.
        type: object
        additionalProperties: false
        properties:
          channel: true
          customTemplate:
            title: Slack Custom Template
            type: string
      runbookUrls:
        title: Alert runbooks
        description: |-
          Configure runbooks for alerts.
          Runbooks can be configured on an alert group level or per individual alert.
        type: object
        additionalProperties: false
        $defs:
          upstreamRunbook:
            title: Runbooks for alerts
            description: |-
              Example:
              group: link-to-alert-group-runbook
              AlertName: link-to-specific-alert-runbook
              Uses upstream runbooks by default https://runbooks.prometheus-operator.dev/runbooks/
            type: object
            additionalProperties:
              type: string
              description: Alert runbook URL
            properties:
              group:
                title: Alert group runbook URL
                type: string
          noUpstreamRunbook:
            title: Runbooks for alerts
            description: |-
              Example:
              group: link-to-alert-group-runbook
              AlertName: link-to-specific-alert-runbook
              Uses no upstream runbook by default
            type: object
            additionalProperties:
              type: string
              description: Alert runbook URL
            properties:
              group:
                title: Alert group runbook URL
                type: string
        properties:
          alertmanager:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          backupStatus:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          blackbox:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          certManager:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          clusterApi:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          clusterAutoscaler:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          clusterCapacityManagement:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          configReloaders:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          coreDns:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          dailyChecks:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          diskPerf:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          falco:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          fluentd:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          general:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          harbor:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          hnc:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          kubeStateMetrics:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          kubernetesApps:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          kubernetesResources:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          kubernetesStorage:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          kubernetesSystem:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          kured:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          missingMetrics:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          nodeExporter:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          nodeNetwork:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          opensearch:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          openstack:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          packetsDropped:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
          prometheusOperator:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          prometheus:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/upstreamRunbook'
          thanos:
            title: Runbooks for thanos alerts
            description: |-
              Example:
              group: link-to-alert-group-runbook
              AlertName: link-to-specific-alert-runbook
              Uses upstream runbooks by default https://github.com/thanos-io/thanos/tree/main/mixin/runbook.md
            type: object
            additionalProperties:
              type: string
              description: Alert runbook URL
            properties:
              group:
                title: Alert group runbook URL
                type: string
          webhook:
            $ref: '#/properties/alerts/properties/runbookUrls/$defs/noUpstreamRunbook'
  grafana:
    title: Grafana Config
    description: |-
      Configure Grafana, the metrics visualisation dashboard.
      Welkin hosts two instances of Grafana: one for the Platform Administrator and one for the Application Developer.

      > [!note]
      > Grafana is installed in the service cluster, so this configuration mainly applies there.
    type: object
    additionalProperties: false
    properties:
      ops:
        title: Grafana
        description: Configure Grafana.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Grafana Enabled
            type: boolean
            default: true
          subdomain:
            title: Grafana Subdomain
            description: |-
              For Admin Grafana the subdomain of `opsDomain` that the Ingress to Admin Grafana will be created with.
              For Dev Grafana the subdomain of `baseDomain` that the Ingress to Dev Grafana will be created with.

              > [!note]
              > Must be set for both service and workload clusters.
            default: grafana
            type: string
          oidc:
            title: Grafana OIDC
            description: Configure authentication to Grafana via Dex.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Grafana OIDC Enabled
                type: boolean
                default: true
              allowedDomains:
                title: Grafana OIDC Allowed Domains
                description: Configure the domains of the users allowed to authenticate to Grafana.
                items:
                  title: Grafana OIDC Allowed Domain
                  type: string
                type: array
              scopes:
                title: Grafana OIDC Scopes
                type: string
                default: openid profile email groups
              skipRoleSync:
                title: Grafana Skip Role Sync
                description: When enabled, the roles for users can be managed within Grafana.
                type: boolean
              userGroups:
                title: Grafana OIDC Groups
                description: Configure the roles for groups.
                type: object
                additionalProperties: false
                properties:
                  grafanaAdmin:
                    title: Grafana OIDC Admin Group
                    type: string
                    default: grafana_admin
                  grafanaEditor:
                    title: Grafana OIDC Editor Group
                    type: string
                    default: grafana_editor
                  grafanaViewer:
                    title: Grafana OIDC Viewer Group
                    type: string
                    default: grafana_viewer
          viewersCanEdit:
            title: Grafana Viewers Can Edit
            type: boolean
            default: true
          additionalConfigValues:
            title: Grafana Additional Config Values
            type: string
            format: yaml
          additionalDatasources:
            title: Grafana Additional Datasources
            type: object
          dataproxy:
            title: Grafana dataproxy values
            description: Configure Grafana dataproxy values
            type: object
            properties:
              timeout:
                title: Grafana dataproxy timeout
                type: number
                default: 600
          plugins:
            title: Grafana Additional Plugins
            type: array
          trailingDots:
            title: Grafana Trailing Dots
            description: |-
              Configure Grafana to use absolute domain names.

              > [!warning]
              > Some operating systems and web browsers may have problems accessing Grafana with this enabled.
            type: boolean
            default: true
          sidecar:
            title: Grafana Sidecar
            description: Configure the sidecar provisioning dashboards from ConfigMaps in Grafana.
            type: object
            additionalProperties: false
            properties:
              resources:
                $ref: '#/$defs/kubernetesResourceRequirements'
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
          tolerations:
            $ref: '#/$defs/kubernetesTolerations'
          nodeSelector:
            $ref: '#/$defs/kubernetesNodeSelector'
          affinity:
            $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      user:
        $ref: '#/properties/grafana/properties/ops'
  grafanaLabelEnforcer:
    title: Grafana Label Enforcer Config
    description: Configure Grafana Label Enforcer, responsible for filtering metrics from different clusters for Grafana datasources.
    additionalProperties: false
    properties:
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
    type: object
  kubeStateMetrics:
    title: Kube State Metrics
    description: |-
      Configure the kube-state-metrics exporter.
    type: object
    additionalProperties: false
    properties:
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
  metricsServer:
    title: Metrics Server
    description: Configure the metrics-server exporter, used to provide the metrics API in Kubernetes.
    type: object
    additionalProperties: false
    properties:
      enabled:
        title: Metrics Server Enabled
        type: boolean
        default: true
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
  openstackMonitoring:
    title: Openstack Monitoring
    description: Configure the collection of metrics for OpenStack components.
    type: object
    additionalProperties: false
    properties:
      enabled:
        title: Openstack Monitoring Enabled
        type: boolean
        default: false
  prometheus:
    title: Prometheus Config
    description: |-
      Configure Prometheus.
      Prometheus automatically collects metrics via ServiceMonitors, PodMonitors, and Probes, and pushes metrics to Thanos for long term storage.
      Additionally Prometheus evaluates recording rules for both the service and workload clusters, and all alerting rules for the workload cluster.

      > [!note]
      > Prometheus is installed in both the service cluster and the workload cluster, so this configuration applies there with some exceptions.
    type: object
    $defs:
      capacityManagementAlerts:
        title: Capacity Management Alerts
        description: Definitions for capacity management alerts.
        type: object
        properties:
          persistentVolume:
            title: Capacity Management Alerts Persistent Volumes
            description: Configure capacity management alerts on persistent volumes.
            type: object
            additionalProperties: false
            properties:
              enabled:
                $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/persistentVolumeEnabled"
              limit:
                $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/persistentVolumeLimit"
          persistentVolumeEnabled:
            title: Capacity Management Alerts Persistent Volumes Enabled
            type: boolean
            default: true
          persistentVolumeLimit:
            title: Capacity Management Alerts Persistent Volumes Limit
            description: Alert when a persistent volume's usage reaches the limit in percent.
            type: number
            default: 75
          disklimit:
            title: Capacity Management Alerts Disk Limit
            description: Alert when a disk's usage reaches the limit in percent.
            type: number
            default: 75
          requestLimit:
            title: Capacity Management Alerts Request Limit
            description: Alert when a node's resource requests reach the limits in percent.
            type: object
            additionalProperties: false
            properties:
              cpu:
                title: Capacity Management Alerts CPU Request Limit
                description: Configure a CPU request percentage limit to alert for.
                type: number
                default: 80
              memory:
                title: Capacity Management Alerts Memory Request Limit
                description: Configure a memory request percentage limit to alert for.
                type: number
                default: 80
          nodeGroupRequestsExcludePattern:
            title: Capacity Management Alerts Request Exclude Pattern
            description: Configure a pattern of node groups to exclude from the resource request alerts. This can be used to exclude certain node groups from request alerts, while still getting usage alerts for those node groups.
            type: string
            default: ""
            examples:
              - ".*redis.*|.*postgres.*"
      diskAlerts:
        title: Disk Alerts
        description: Definitions for disk alerts.
        type: object
        additionalProperties: false
        properties:
          storage:
            title: Disk Alerts Storage
            description: Configure disk alerts based on storage usage.
            type: object
            additionalProperties: false
            properties:
              predictLinear:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patternRules"
              space:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patternRules"
          inode:
            title: Disk Alerts Inode
            description: Configure disk alerts based on inode usage.
            type: object
            additionalProperties: false
            properties:
              predictLinear:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patternRules"
              space:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patternRules"
          patternRules:
            title: Disk Alert Pattern Rules
            description: Configure disk alerts when disk usage is predicted to reach the limit.
            type: array
            items:
              $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patternRule"
          patternRule:
            title: Disk Alert Pattern Rule
            description: |-
              Configure disk alerts when disk usage is predicted to reach the limit.
              The `hours` key is only supported when configured under `predictLinear`.
            type: object
            additionalProperties: false
            properties:
              hours:
                title: Alert Rule Prediction Window
                type: number
                default: 24
              freeSpacePercentage:
                $ref: '#/$defs/percentage'
                default: 5
              for:
                $ref: '#/$defs/timeRange'
                default: 1h
              severity:
                title: Alert Rule Severity
                type: string
                default: warning
              pattern:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/patterns"
          patterns:
            title: Disk Alert Patterns
            description: Select applicable nodes and disks to include or exclude using patterns.
            type: object
            additionalProperties: false
            properties:
              include:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/pattern"
              exclude:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/pattern"
          pattern:
            title: Disk Alert Pattern
            description: Select applicable nodes and disks using patterns.
            type: object
            additionalProperties: false
            properties:
              node:
                title: Disk Alert Node Pattern
                type: string
                default: ""
              disk:
                title: Disk Alert Disk Pattern
                type: string
                default: ""
          perf:
            title: Disk Alerts Perf
            description: Configure performance disk alerts.
            type: object
            properties:
              enabled:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/perfEnabled"
              queueSizeThreshold:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/perfQueueSizeThreshold"
              readWaitTimeThreshold:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/perfReadWaitTimeThreshold"
              writeWaitTimeThreshold:
                $ref: "#/properties/prometheus/$defs/diskAlerts/properties/perfWriteWaitTimeThreshold"
          perfEnabled:
            title: Disk Alerts Perf Enabled
            type: boolean
          perfQueueSizeThreshold:
            title: Disk Alerts Perf Queue Size
            type: number
            default: 5
          perfReadWaitTimeThreshold:
            title: Disk Alerts Perf Read Wait
            type: number
            default: 1
          perfWriteWaitTimeThreshold:
            title: Disk Alerts Perf Write Wait
            type: number
            default: 1
      s3BucketAlerts:
        title: S3 Bucket Alerts
        description: Definitions for S3 bucket alerts.
        type: object
        additionalProperties: false
        properties:
          objects:
            title: S3 Bucket Alerts Objects
            description: Alert when an S3 bucket reaches the set percentage of the set number of objects.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: S3 Bucket Alerts Objects Enabled
                type: boolean
                default: false
              percent:
                title: S3 Bucket Alerts Objects Percentage
                $ref: '#/$defs/percentage'
                default: 80
              count:
                title: S3 Bucket Alerts Objects Quota
                default: 1638400
                type: number
          size:
            title: S3 Bucket Alerts Size
            description: Alert when an S3 bucket reaches the set percentage of the set size.
type: object additionalProperties: false properties: enabled: title: S3 Bucket Alerts Size Enabled type: boolean default: false percent: title: S3 Bucket Alerts Size Percentage $ref: '#/$defs/percentage' default: 80 sizeQuotaGB: title: S3 Bucket Alerts Size Quota type: number default: 1000 totalSize: title: S3 Bucket Alerts Total Size description: Alert when all S3 buckets together reach the set percentage of the set size. type: object additionalProperties: false properties: enabled: title: S3 Bucket Alerts Total Size Enabled type: boolean default: false percent: title: S3 Bucket Alerts Total Size Percentage $ref: '#/$defs/percentage' default: 80 sizeQuotaGB: title: S3 Bucket Alerts Total Size Quota type: number default: 1000 exclude: title: S3 Bucket Alerts Exclude description: Exclude buckets from S3 alerts. type: array items: title: S3 Bucket Name type: string buckets: title: S3 Bucket Specific Alerts description: Definitions for specific S3 bucket alerts. items: title: S3 Bucket Specific Alert description: S3 Bucket Alert configuration for a specific bucket. additionalProperties: false properties: name: examples: - -thanos type: string objects: title: S3 Bucket Specific Alerts Objects description: Alert when the S3 bucket reaches the set percentage of the set number of objects. additionalProperties: false properties: enabled: title: S3 Bucket Alerts Objects Enabled type: boolean default: false percent: title: S3 Bucket Alerts Objects Percentage $ref: '#/$defs/percentage' default: 80 count: title: S3 Bucket Alerts Objects Quota default: 1638400 type: number type: object size: title: S3 Bucket Specific Alerts Size description: Alert when the S3 bucket reaches the set percentage of the set size. 
additionalProperties: false properties: enabled: title: S3 Bucket Alerts Size Enabled type: boolean default: false percent: title: S3 Bucket Alerts Size Percentage $ref: '#/$defs/percentage' default: 80 sizeQuotaGB: title: S3 Bucket Alerts Size Quota type: number default: 1000 type: object type: object type: array autoscaledNodeGroupAlerts: title: Autoscaled NodeGroup Alerts description: Configure whether to split KubeletDownForXm alerts into autoscaled and non-autoscaled node groups. type: object additionalProperties: false properties: groupLabel: title: Autoscaled node group label description: The label used to identify whether a node belongs to an autoscaled node group. type: string default: "node-restriction.kubernetes.io/autoscaled-node-type" groupLabelValues: title: Autoscaled node group label values description: The label values identifying an autoscaled node group, if there are multiple autoscaled node groups. type: array items: type: string additionalProperties: false properties: replicas: title: Prometheus Replicas type: number default: 1 storage: title: Prometheus Storage description: Configure the persistent volume claim used for Prometheus storage. additionalProperties: false properties: enabled: title: Prometheus Storage Enabled description: |- By default Prometheus instances run without storage and are treated as ephemeral. See [ADR-0007](https://elastisys.io/welkin/adr/0007-make-monitoring-forwarders-storage-independent/) for context. type: boolean default: false size: title: Prometheus Storage Size type: string default: 5Gi type: object retention: title: Prometheus Retention description: Configure retention for Prometheus. type: object additionalProperties: false properties: age: title: Prometheus Retention Age description: Configure the time range Prometheus will retain metrics for. type: string default: 3d size: title: Prometheus Retention Size description: Configure the total size Prometheus will retain metrics for. 
type: string default: 4GiB alertmanager: title: Prometheus Retention Alertmanager description: Configure the time range Alertmanager will retain data for. $ref: '#/$defs/timeRange' default: 72h additionalScrapeConfigs: title: Prometheus Additional Scrape Configs description: |- Configure additional scrape configs for Prometheus. > [!note] > See [the upstream documentation](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for reference. type: array devAlertmanager: title: Application Developer Alertmanager description: Configuration options for deploying an application developer-specific Alertmanager. Configuration shared with the service cluster Alertmanager can be set via `.alertmanagerSpec`. type: object properties: enabled: title: Enable user Alertmanager description: Enables a separate Alertmanager for application developers. type: boolean namespace: title: Enable Alertmanager in separate Namespace description: Runs the application developer Alertmanager in a custom namespace. type: string default: alertmanager ingressEnabled: title: Enable User Alertmanager ingress description: Creates an Ingress, protected with basic auth, for the application developer Alertmanager. type: boolean username: title: Username for Alertmanager login type: string alertmanagerSpec: title: Alertmanager Config description: |- Configure the service cluster and workload cluster Alertmanager. Alertmanager receives alerts from Prometheus and Thanos and forwards them to the configured notification channel. > [!note] > Alertmanager is installed in both the service cluster and the workload cluster, however this configuration key only applies to the service cluster; use `user.alertmanager` to configure it in the workload cluster. type: object additionalProperties: false properties: replicas: title: Alertmanager Replicas type: number default: 2 storage: title: Alertmanager Storage description: Configure persistent storage for Alertmanager. 
type: object additionalProperties: false properties: volumeClaimTemplate: title: Alertmanager Volume Claim Template description: Configure persistent storage for Alertmanager. type: object additionalProperties: false properties: spec: title: Alertmanager Volume Claim Spec description: Configure persistent storage for Alertmanager. type: object additionalProperties: false properties: accessModes: title: Alertmanager Volume Access Mode description: Configure the access mode of the persistent storage for Alertmanager. type: array items: type: string default: ReadWriteOnce resources: title: Alertmanager Volume Resources description: Configure the resources of the persistent storage for Alertmanager. $ref: '#/$defs/kubernetesResourceRequirements' groupBy: title: Alertmanager Group By description: |- Configure Alertmanager to group certain alerts based on labels. > [!note] > See [the upstream documentation](https://prometheus.io/docs/alerting/latest/configuration/) for reference. items: default: '...' type: string type: array resources: $ref: '#/$defs/kubernetesResourceRequirements' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' tolerations: $ref: '#/$defs/kubernetesTolerations' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' capacityManagementAlerts: title: Capacity Management Alerts description: Configure capacity management alerts. 
type: object additionalProperties: type: number properties: enabled: title: Capacity Management Alerts Enabled type: boolean default: true predictUsage: title: Capacity Management Alerts Predict Usage type: boolean default: false persistentVolume: $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/persistentVolume" disklimit: $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/disklimit" requestLimit: $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/requestLimit" nodeGroupRequestsExcludePattern: $ref: "#/properties/prometheus/$defs/capacityManagementAlerts/properties/nodeGroupRequestsExcludePattern" usagelimit: default: 95 type: number diskAlerts: title: Disk Alerts description: Configure disk alerts. type: object additionalProperties: false properties: storage: $ref: "#/properties/prometheus/$defs/diskAlerts/properties/storage" inode: $ref: "#/properties/prometheus/$defs/diskAlerts/properties/inode" perf: $ref: "#/properties/prometheus/$defs/diskAlerts/properties/perf" s3BucketAlerts: title: S3 Bucket Alerts description: Configure S3 bucket alerts. type: object additionalProperties: false properties: objects: $ref: "#/properties/prometheus/$defs/s3BucketAlerts/properties/objects" size: $ref: "#/properties/prometheus/$defs/s3BucketAlerts/properties/size" totalSize: $ref: "#/properties/prometheus/$defs/s3BucketAlerts/properties/totalSize" exclude: $ref: "#/properties/prometheus/$defs/s3BucketAlerts/properties/exclude" buckets: $ref: "#/properties/prometheus/$defs/s3BucketAlerts/properties/buckets" webhookAlerts: title: Webhook Alerts description: Configure webhook alerts. type: object properties: enabled: title: Webhook Alerts Enabled type: boolean default: true autoscaledNodeGroupAlerts: title: Autoscaled NodeGroup Alerts description: Configure whether to split KubeletDownForXm alerts into autoscaled and non-autoscaled nodes groups. 
type: object properties: enabled: title: Enable alert splitting for autoscaled nodes type: boolean default: true groupLabel: $ref: "#/properties/prometheus/$defs/autoscaledNodeGroupAlerts/properties/groupLabel" groupLabelValues: $ref: "#/properties/prometheus/$defs/autoscaledNodeGroupAlerts/properties/groupLabelValues" resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' prometheusOperator: title: Prometheus Operator description: Configure Prometheus Operator. type: object additionalProperties: false properties: prometheusConfigReloader: title: Prometheus Operator Config Reloader description: Configure Prometheus Operator config reloader. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' resources: $ref: '#/$defs/kubernetesResourceRequirements' prometheusBlackboxExporter: title: Prometheus Blackbox Exporter description: Configure Prometheus Blackbox Exporter, the exporter used for probing endpoints. type: object additionalProperties: false properties: targets: title: Prometheus Blackbox Exporter Targets description: Configure the targets Prometheus Blackbox Exporter should probe. type: object additionalProperties: type: boolean customKubeapiTargets: title: Prometheus Blackbox Exporter Custom Kube API Targets description: Configure custom Kube API targets Prometheus Blackbox Exporter should probe. type: array items: title: Custom Kube API target description: Custom Kube API target Prometheus Blackbox Exporter should probe. 
type: object additionalProperties: false properties: name: title: Custom Kube API Target Name type: string domain: title: Custom Kube API Target Domain type: string format: hostname hostAliases: title: Host Aliases description: Configure host aliases to resolve internally within the Pod. type: array items: title: Host Alias description: Configure a host alias to resolve internally within the Pod. type: object additionalProperties: false properties: hostNames: title: Host Names description: Configure the hostname for the host alias. type: array items: title: Host Name type: string ip: title: IP Address description: Configure the IP address for the host alias. type: string format: ipv4 resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' prometheusNodeExporter: title: Prometheus Node Exporter description: Configure Prometheus Node Exporter, the exporter used for collecting node metrics. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' scrapeTimeout: title: Prometheus Node Exporter ServiceMonitor scrape timeout description: | Configure Prometheus Node Exporter ServiceMonitor scrape timeout. If not set, the upstream default of 10s is used default: "" $ref: '#/$defs/scrapeTimeout' s3Exporter: title: S3 Exporter description: Configure S3 exporter, used to collect metrics about S3 usage. 
type: object additionalProperties: false properties: enabled: title: S3 Exporter Enabled type: boolean default: true interval: title: S3 Exporter Interval type: string default: 60m scrapeTimeout: title: S3 Exporter Scrape Timeout default: 10m $ref: '#/$defs/scrapeTimeout' resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' thanos: title: Thanos Config description: |- Configuration for Thanos. Thanos ingests metrics sent from Prometheus in both the service and workload clusters, and stores them in object storage. This requires that `objectStorage` is configured, and will use the bucket or container set in `objectStorage.buckets.thanos`. > [!note] > Thanos and its components are installed in the service cluster, so this configuration mainly applies there. type: object additionalProperties: false properties: enabled: title: Thanos Enabled description: |- > [!note] > Must be set for both service and workload cluster. type: boolean default: true objectStorage: title: Thanos Object Storage description: |- Configure Object Storage for Thanos. Allows for using OpenStack Swift as the object storage backend type. additionalProperties: false properties: type: title: Thanos Object Storage Type default: "" type: string enum: - "" - swift meta:enum: "": Use global object storage type (default). swift: Use OpenStack Swift object storage type. type: object bucketweb: title: Thanos Bucket Web description: Configure Thanos Bucket Web, the UI to view the state of the bucket or container in use by Thanos. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' compactor: title: Thanos Compactor description: |- Configure Thanos Compactor, the component compacting and deduplicating metrics stored by Thanos. 
> [!note] > See [the upstream documentation](https://thanos.io/tip/components/compact.md/) for reference. type: object additionalProperties: false properties: verticalCompaction: title: Thanos Vertical Compactor description: When enabled, series of metrics from multiple replicas will be merged into one. type: boolean default: false deduplication: title: Thanos Deduplication description: Configure deduplication of metrics. type: string default: none enum: - none - receiverReplicas - prometheusReplicas meta:enum: none: Disable deduplication of metrics (default). receiverReplicas: Enable light deduplication of metrics from different Thanos Receiver replicas. prometheusReplicas: Enable heavy deduplication of metrics from different Prometheus replicas. persistence: title: Thanos Compactor Persistence description: Configure persistence for Thanos Compactor. type: object additionalProperties: false properties: enabled: title: Thanos Compactor Persistence Enabled type: boolean default: true size: title: Thanos Compactor Persistence Size type: string default: 8Gi retentionResolutionRaw: description: The retention duration of metrics with raw resolution. $ref: '#/$defs/timeRange' default: 30d retentionResolution5m: description: The retention duration of metrics with 5m resolution. $ref: '#/$defs/timeRange' default: 90d retentionResolution1h: description: The retention duration of metrics with 1h resolution. $ref: '#/$defs/timeRange' default: 0s resources: $ref: '#/$defs/kubernetesResourceRequirements' queryFrontend: title: Thanos Query Frontend description: Configure Thanos Query Frontend, the component serving query requests from Grafana. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' query: title: Thanos Query description: Configure Thanos Query, the component executing metric queries. 
type: object additionalProperties: false properties: enabled: title: Thanos Query Enabled type: boolean default: true replicaCount: title: Thanos Query Replicas type: number default: 1 resources: $ref: '#/$defs/kubernetesResourceRequirements' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' receiveDistributor: title: Thanos Receive Distributor description: |- Configure Thanos Receive Distributor, the component serving remote write requests from Prometheus. Also called routing receiver upstream. type: object additionalProperties: false properties: replicaCount: title: Thanos receiveDistributor Replicas type: integer default: 3 receiveHashringsAlgorithm: title: Thanos receiveDistributor algorithm description: Algorithm used for distributing writes across Thanos receive replicas. type: string enum: - hashmod - ketama default: ketama receiveMaxConcurrency: title: Thanos receiveDistributor maximum Concurrency description: Maximum number of concurrent write requests allowed by Thanos receiveDistributor. type: integer default: 5 extraFlags: title: Thanos receiveDistributor extraFlags description: |- When set, the arguments will be passed onto the component as command-line flags. Refer to the [upstream doc](https://github.com/bitnami/charts/blob/main/bitnami/thanos/README.md#adding-extra-flags) for more details. type: array replicationFactor: title: Thanos Replication Factor description: Requires that incoming remote write requests are successfully replicated to at least `(replicationFactor + 1) / 2` receivers. type: number default: 1 resources: $ref: '#/$defs/kubernetesResourceRequirements' receiver: title: Thanos Receiver description: |- Configure Thanos Receiver, the component ingesting metrics collected by Prometheus and storing them in object storage. Also called ingesting receiver upstream. 
additionalProperties: false properties: enabled: title: Thanos Receiver Enabled type: boolean default: true mode: title: Thanos Receiver Mode type: string default: dual-mode enum: - standalone - dual-mode meta:enum: standalone: Run only the ingesting receiver dual-mode: Run both the routing and ingesting receiver basic_auth: title: Thanos Receiver Basic Auth description: Configure authentication to Thanos Receiver. additionalProperties: false properties: username: title: Thanos Receiver Basic Auth Username description: |- Configure the username for authenticating to Thanos Receiver. > [!note] > Must be set for both service and workload clusters. type: string default: thanos type: object subdomain: title: Thanos Receive Subdomain description: |- Subdomain of `opsDomain` that the Ingress to Thanos Receive will be created with. > [!note] > Must be set for both service and workload clusters. type: string format: hostname default: thanos-receiver outOfOrderTimeWindow: title: Thanos Out Of Order Time Window type: string default: 600s tsdbRetention: title: Thanos TSDB Retention type: string default: 15d replicaCount: title: Thanos Receiver Replicas type: number default: 2 persistence: title: Thanos Receiver Persistence description: Configure persistence for Thanos Receiver. type: object additionalProperties: false properties: enabled: title: Thanos Receiver Persistence Enabled type: boolean default: true size: title: Thanos Receiver Persistence Size type: string default: 50Gi resources: $ref: '#/$defs/kubernetesResourceRequirements' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' type: object ruler: title: Thanos Ruler description: Configure Thanos Ruler, the component evaluating alerting and recording rules. 
type: object additionalProperties: false properties: enabled: title: Thanos Ruler Enabled type: boolean default: true replicaCount: title: Thanos Ruler Replicas type: number default: 2 persistence: title: Thanos Ruler Persistence description: Configure persistence for Thanos Ruler. type: object additionalProperties: false properties: enabled: title: Thanos Ruler Persistence Enabled type: boolean default: false size: title: Thanos Ruler Persistence Size type: string default: 8Gi configReloader: title: Thanos Ruler Config Reloader description: Configure the config reloader sidecar for Thanos Ruler. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' resources: $ref: '#/$defs/kubernetesResourceRequirements' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' storegateway: title: Thanos Store Gateway description: Configure Thanos Store Gateway, the component fetching metrics from object storage. type: object additionalProperties: false properties: persistence: title: Thanos Store Gateway Persistence description: Configure persistence for Thanos Store Gateway. type: object additionalProperties: false properties: size: title: Thanos Store Gateway Persistence Size type: string default: 8Gi resources: $ref: '#/$defs/kubernetesResourceRequirements' metrics: title: Thanos Metrics description: Configure metrics collected from Thanos. type: object additionalProperties: false properties: enabled: title: Thanos Metrics Enabled type: boolean default: true serviceMonitor: title: Thanos Metrics Service Monitor description: Configure the service monitor used to collect metrics from Thanos. 
type: object additionalProperties: false properties: enabled: title: Thanos Metrics Service Monitor Enabled type: boolean default: true wcProbeIngress: title: Workload Cluster Ingress Probe description: Configure a probe for the workload cluster Ingress Controller. type: object additionalProperties: false properties: enabled: title: Workload Cluster Ingress Probe Enabled type: boolean welcomingDashboard: title: Welcoming Dashboard additionalProperties: false description: |- To add extra text to the Grafana or OpenSearch "welcoming dashboards", write the text in these values as a one-line string. Note that the first line of the string is a header and that not all characters are supported. For a newline in the Grafana dashboard use the format `\\n`. properties: extraTextGrafana: title: Extra Text Grafana description: Extra text added to the Grafana welcoming dashboard. type: string format: markdown examples: - Hello\n\n[This is an example link](https://elastisys.io) extraTextOpensearch: title: Extra Text OpenSearch type: string format: markdown description: Extra text added to the OpenSearch welcoming dashboard. extraVersions: title: Extra Versions description: List of additional components to list on the welcoming dashboard. items: title: Extra Version description: Additional component to list on the welcoming dashboard. additionalProperties: false properties: name: description: Name of the component. examples: - Dex - Postgres type: string releasenotes: description: Link to release notes for the component. examples: - https://elastisys.io/welkin/release-notes/ format: uri type: string subdomain: description: Link to a subdomain of `.global.baseDomain`. format: hostname type: string url: description: Link to a full URL, instead of `subdomain`. examples: - https://www.postgresql.org/ format: uri type: string version: description: Version number. 
examples: - v2.37 - "11" type: string required: - name type: object type: array type: object fluentd: title: Fluentd Config description: |- Configuration for Fluentd. Fluentd automatically collects logs from all containers running in the environment. In the service cluster audit, application, and platform logs can be shipped to object storage. In the workload cluster audit logs can be shipped to object storage, and application and platform logs to OpenSearch running in the service cluster. Logs are collected using a daemon set, and in the workload cluster two sets are deployed, one for the system nodes and one for the worker nodes. Application developers can modify two ConfigMaps to add additional configuration and plugins to the set running on the worker nodes. When logs are shipped to object storage a stateful aggregator is deployed that buffers logs with persistence before they are shipped. When logs are shipped to OpenSearch it is done directly from the forwarder daemons. Shipping audit and service cluster logs requires that `objectStorage` is configured, and will use the bucket or container set in `objectStorage.buckets.audit` and `objectStorage.buckets.scLogs` respectively. > [!note] > Fluentd is installed in both the service cluster and the workload cluster, so this configuration applies to both with some exceptions. $defs: logManager: title: Log Manager Definitions description: Definitions for log-manager compaction and retention. type: object properties: compaction: title: Log Manager Compaction description: Configure the compaction of logs stored in object storage. 
type: object additionalProperties: false properties: enabled: $ref: "#/properties/fluentd/$defs/logManager/properties/jobEnabled" days: $ref: "#/properties/fluentd/$defs/logManager/properties/jobDays" schedule: $ref: "#/properties/fluentd/$defs/logManager/properties/jobSchedule" ephemeralVolumes: $ref: "#/properties/fluentd/$defs/logManager/properties/jobEphemeralVolumes" retention: title: Log Manager Retention description: Configure the retention of logs stored in object storage. type: object additionalProperties: false properties: enabled: $ref: "#/properties/fluentd/$defs/logManager/properties/jobEnabled" days: $ref: "#/properties/fluentd/$defs/logManager/properties/jobDays" schedule: $ref: "#/properties/fluentd/$defs/logManager/properties/jobSchedule" jobEnabled: title: Log Manager Job Enabled type: boolean default: true jobDays: title: Log Manager Job Days description: Configure the number of days to consider for compaction, or the number of days to retain. type: number jobSchedule: title: Log Manager Job Schedule description: |- Schedule for when to run the Log Manager Job. Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. $ref: '#/$defs/cronSchedule' jobEphemeralVolumes: title: Log Manager Job Ephemeral Volume description: Configure the job to run with an ephemeral volume if the nodes risk running out of storage. type: object additionalProperties: false properties: enabled: title: Log Manager Job Ephemeral Volume Enabled type: boolean default: false type: object additionalProperties: false properties: enabled: title: Fluentd Enabled type: boolean default: true audit: title: Fluentd Audit description: Configure Fluentd audit log collection. type: object additionalProperties: false properties: enabled: title: Fluentd Audit Enabled type: boolean default: false filters: title: Fluentd Audit Filters description: |- Configure Fluentd audit log filter stages. To capture audit logs, label them with the `@AUDIT` label. 
type: string default: "" compaction: $ref: "#/properties/fluentd/$defs/logManager/properties/compaction" retention: $ref: "#/properties/fluentd/$defs/logManager/properties/retention" scLogs: title: Fluentd SC Logs description: Configure Fluentd service cluster log collection. type: object additionalProperties: false properties: enabled: title: Fluentd SC Logs Enabled type: boolean default: true compaction: $ref: "#/properties/fluentd/$defs/logManager/properties/compaction" retention: $ref: "#/properties/fluentd/$defs/logManager/properties/retention" aggregator: title: Fluentd Aggregator description: Configure Fluentd aggregator, used to buffer logs with persistence before they are shipped to object storage. type: object additionalProperties: false properties: buffer: $ref: '#/$defs/fluentdBuffer' persistence: title: Fluentd Aggregator Persistence description: Configure Fluentd aggregator persistence. additionalProperties: false properties: storage: title: Fluentd Aggregator Storage default: 10Gi type: string type: object resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' forwarder: title: Fluentd Forwarder description: Configure Fluentd forwarder, used to collect and forward logs on system nodes. 
type: object additionalProperties: false properties: image: title: Fluentd Forwarder Image Config description: Configure Fluentd forwarder image repository and tag. type: object properties: repository: default: ghcr.io/elastisys/fluentd-forwarder type: string tag: default: v4.7.5-ck8s1 type: string buffer: $ref: '#/$defs/fluentdBuffer' livenessThresholdSeconds: default: 900 type: number stuckThresholdSeconds: default: 1200 type: number requestTimeout: default: 60s type: string resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' user: title: Fluentd Forwarder User description: Configure Fluentd forwarder, used to collect and forward logs on the worker nodes that application developers run their workloads on. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' logManager: title: Log Manager description: Configure log-manager, used to manage compaction and retention of logs stored in object storage. type: object additionalProperties: false properties: compaction: title: Log Manager Compaction description: Configure log-manager compaction. type: object additionalProperties: false properties: azureCopyBufferGB: type: number description: Configure the memory buffer size in GB (accepts decimals) for Azure copy operations. azureCopyConcurrency: type: number description: Configure the maximum number of concurrent download requests for Azure copy operations. volume: title: Log Manager Compaction Volume description: Configure log-manager compaction volume. 
type: object additionalProperties: false properties: storage: title: Log Manager Compaction Volume Size description: Configure log-manager compaction volume size. type: string default: 5Gi resources: $ref: '#/$defs/kubernetesResourceRequirements' retention: title: Log Manager Retention description: Configure log-manager retention. type: object additionalProperties: false properties: resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' extraConfigMaps: title: Fluentd Extra ConfigMaps description: |- Configure extra ConfigMaps for Fluentd. > [!note] > This is only applicable for the Fluentd forwarder running on system nodes in the workload cluster. type: object properties: {} additionalProperties: type: string description: ConfigMap content opensearch: title: OpenSearch Config description: |- Configuration for OpenSearch. OpenSearch ingests logs sent from Fluentd in the workload cluster, and presents them in OpenSearch Dashboards. > [!note] > OpenSearch and its components are installed in the service cluster, so this configuration mainly applies there. type: object additionalProperties: false $defs: node: title: OpenSearch Node description: Definitions for OpenSearch nodes. type: object properties: javaOpts: title: OpenSearch Node Java Options description: |- Set Java Virtual Machine options to control the memory allocation of OpenSearch. As a rule of thumb the minimum allocation `-Xms` and maximum allocation `-Xmx` arguments should be the same, to be more predictable. Additionally, until the memory allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the allocation, as OpenSearch uses the remainder for cache. type: string default: -Xms512m -Xmx512m storageClass: title: OpenSearch Node Storage Class type: - string - "null" description: |- Set storage class for OpenSearch. 
- If set to `null`, the default storage class will be used to provision the volumes. - If set to `-`, no storage class will be used to provision the volumes. storageSize: title: OpenSearch Node Storage Size description: Configure the requested size of the persistent volume for this OpenSerch node. type: string role: title: OpenSearch Role description: Definitions for OpenSearch roles. type: object properties: name: title: OpenSearch Role Name description: Configures the name of the create role. type: string definition: title: OpenSearch Role Definition description: Configures the permissions the role will have. $comment: This schema does not cover the entire upstream object. type: object properties: cluster_permissions: $ref: "#/properties/opensearch/$defs/role/properties/clusterPermissions" index_permissions: $ref: "#/properties/opensearch/$defs/role/properties/indexPermissions" clusterPermissions: title: OpenSearch Role Cluster Permissions description: Configure permissions that applies cluster-wide. type: array items: title: OpenSearch Cluster Permission type: string indexPermissions: title: OpenSearch Role Index Permissions description: Configure permissions that applies per index. type: array items: title: OpenSearch Role Index Permission description: Configure permission that applies per index. type: object properties: index_patterns: $ref: "#/properties/opensearch/$defs/role/properties/indexPatterns" allowed_actions: $ref: "#/properties/opensearch/$defs/role/properties/allowedActions" indexPatterns: title: OpenSearch Role Index Patterns description: Configure the index pattern this permission applies to. type: array items: title: OpenSearch Role Index Pattern type: string allowedActions: title: OpenSearch Role Allowed Actions description: Configure the actions this permission allows. type: array items: title: OpenSearch Role Allowed Action type: string roleMapping: title: OpenSearch Role Mapping description: Definitions for OpenSearch role mappings. 
type: object properties: name: title: OpenSearch Role Mapping Name type: string definition: title: OpenSearch Role Mapping Definition description: Configures the backend roles or groups and users the role mapping applies to. $comment: This schema does not cover the entire upstream object. type: object properties: backend_roles: $ref: "#/properties/opensearch/$defs/roleMapping/properties/groups" users: $ref: "#/properties/opensearch/$defs/roleMapping/properties/users" groups: title: OpenSearch Role Mapping Groups description: Configures the backend roles or groups that this role mapping applies to. type: array items: type: string users: title: OpenSearch Role Mapping Users description: Configures the user that this role mapping applies to. type: array items: type: string properties: enabled: title: OpenSearch Enabled description: |- > [!note] > Must be set for both service and workload cluster. type: boolean default: true clusterName: title: OpenSearch Cluster Name default: opensearch type: string subdomain: title: OpenSearch Subdomain description: |- Subdomain of `opsDomain` that the Ingress to OpenSearch will be created with. > [!note] > Must be set for both service and workload cluster. type: string format: hostname default: opensearch sso: title: OpenSearch Single Sign On description: Configures Single Sign On to OpenSearch via Dex. type: object additionalProperties: false properties: enabled: title: OpenSearch Single Sign On default: false type: boolean scope: title: OpenSearch Single Sign On Scopes default: openid profile email groups type: string subjectKey: title: OpenSearch Single Sign On Subject Key default: email type: string rolesKey: title: OpenSearch Single Sign On Roles Key default: groups type: string dashboards: title: OpenSearch Dashboards description: |- Configures the Dashboards deployment of OpenSearch providing the UI to view and query logs. 
type: object additionalProperties: false properties: subdomain: title: OpenSearch Dashboards Subdomain description: |- Subdomain of `baseDomain` that the Ingress to OpenSearch Dashboards will be created with. > [!note] > Must be set for both service and workload cluster. default: opensearch type: string resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' cookieTtl: title: OpenSearch Dashboards Cookie TTL description: Time-to-live for the session cookie in milliseconds. Overrides OpenSearch Dashboards internal default if set. type: integer sessionTtl: title: OpenSearch Dashboards Session TTL description: Time-to-live for the session itself in milliseconds. Overrides OpenSearch Dashboards internal default if set. type: integer sessionKeepalive: title: OpenSearch Dashboards Session Keepalive description: Whether the session TTL should be extended upon user activity. Overrides OpenSearch Dashboards internal default if set. type: boolean masterNode: title: OpenSearch Master Node description: |- Configures the main stateful set of OpenSearch that takes on all roles not provided by other nodes (`dataNode`, `clientNode`). 
type: object additionalProperties: false properties: count: title: OpenSearch Master Node Replicas default: 1 type: number javaOpts: $ref: "#/properties/opensearch/$defs/node/properties/javaOpts" storageClass: $ref: "#/properties/opensearch/$defs/node/properties/storageClass" storageSize: $ref: "#/properties/opensearch/$defs/node/properties/storageSize" default: 8Gi resources: $ref: '#/$defs/kubernetesResourceRequirements' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' tolerations: $ref: '#/$defs/kubernetesTolerations' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' dataNode: title: OpenSearch Data Node description: |- Configures the data stateful set of OpenSearch that takes on the roll to index and store logs. type: object additionalProperties: false properties: dedicatedPods: title: OpenSearch Data Node Enabled description: When disabled the master nodes will take on these rolls. type: boolean default: true count: title: OpenSearch Data Node Replicas type: number default: 2 javaOpts: $ref: "#/properties/opensearch/$defs/node/properties/javaOpts" storageClass: $ref: "#/properties/opensearch/$defs/node/properties/storageClass" storageSize: $ref: "#/properties/opensearch/$defs/node/properties/storageSize" default: 25Gi resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' clientNode: title: OpenSearch Client Node description: |- Configures the client stateful set of OpenSearch that takes on the roll to ingest and query logs. type: object additionalProperties: false properties: dedicatedPods: title: OpenSearch Client Node Enabled description: When disabled the master nodes will take on these rolls. 
type: boolean default: true count: title: OpenSearch Client Node Replicas type: number default: 1 javaOpts: $ref: "#/properties/opensearch/$defs/node/properties/javaOpts" resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' extraRoles: title: OpenSearch Extra Roles description: Configures extra roles for OpenSearch Security. type: array items: title: OpenSearch Role description: |- Configures a role for OpenSearch Security. > [!note] > See [the upstream documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) for reference. type: object additionalProperties: false properties: role_name: $ref: "#/properties/opensearch/$defs/role/properties/name" definition: $ref: "#/properties/opensearch/$defs/role/properties/definition" extraRoleMappings: title: OpenSearch Extra Role Mappings description: |- Configures extra role mappings for OpenSearch Security. Extra users can be configured in `secrets.yaml` under `extraUsers` and extra roles under `extraRoles`. type: array items: title: OpenSearch Role Mapping description: |- Configures a role mapping for OpenSearch Security. > [!note] > See [the upstream documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) for reference. type: object additionalProperties: false properties: mapping_name: $ref: "#/properties/opensearch/$defs/roleMapping/properties/name" definition: $ref: "#/properties/opensearch/$defs/roleMapping/properties/definition" indexPerNamespace: title: OpenSearch Index Per Namespace description: |- When enabled logs are ingested into multiple indices per namespace. When disabled logs are ingested into a single `kubernetes` index. > [!note] > Must be set for both service and workload cluster. 
type: boolean default: false defaultTemplates: title: OpenSearch Default Templates description: |- When enabled OpenSearch will be configured with the default index templates for: - `authlog` - `kubeaudit` - `kubernetes` - `other` type: boolean default: true overwriteTemplates: title: OpenSearch Overwrite Templates description: |- When set OpenSearch can be configured with index templates via `additionalTemplates` that overwrite the ones configured via `defaultTemplates`. type: boolean default: true additionalTemplates: title: OpenSearch Additional Templates description: |- When set OpenSearch will be configured with additional index templates. The keys will be used as the name of the index templates. > [!note] > See [the upstream documentation](https://opensearch.org/docs/latest/im-plugin/index-templates/) for reference. type: object additionalProperties: type: string format: json createIndices: title: OpenSearch Create Indices description: |- When enabled OpenSearch will be configured with initial indices for: - `authlog` - `kubeaudit` - `kubernetes` - `other` type: boolean default: true ism: title: OpenSearch Index State Management description: Configures index state management in OpenSearch. type: object additionalProperties: false properties: defaultPolicies: title: OpenSearch Default Policies description: |- When enabled OpenSearch will be configured with the default index state management policies for: - `authlog` - `kubeaudit` - `kubernetes` - `other` type: boolean default: true overwritePolicies: title: OpenSearch Overwrite Policies description: |- When set OpenSearch can be configured with index state management policies via `additionalPolicies` that overwrite the ones configured via `defaultPolicies`. type: boolean default: true additionalPolicies: title: OpenSearch Additional Policies description: |- When set OpenSearch will be configured with additional index state management policies. 
The keys will be used as the name of the index state management policy. > [!note] > See [the upstream documentation](https://opensearch.org/docs/latest/im-plugin/ism/policies/) for reference. type: object additionalProperties: type: string format: json rolloverAgeDays: title: OpenSearch Rollover Age Days description: Configures the age a write index must reach before it is rolled over to a new one. type: number default: 1 rolloverSizeGB: title: OpenSearch Rollover Size GB description: Configures the size a write index must reach before it is rolled over to a new one. type: number default: 1 ingress: title: OpenSearch Ingress description: Configures the ingress for OpenSearch master or client nodes. type: object additionalProperties: false properties: maxbodysize: title: OpenSearch Ingress Max Body type: string default: 32m maxClauseCount: title: OpenSearch Maximum Clause Count description: Configures the maximum number of clauses permitted in a query. type: number default: 1024 maxShardsPerNode: title: OpenSearch Maximum Shards Per Node description: Configures the maximum number of shards permitted on one node. type: number default: 1000 curator: title: OpenSearch Curator description: Configures the CronJob that removes indices. type: object additionalProperties: false properties: enabled: title: OpenSearch Curator Enabled type: boolean default: true retention: title: OpenSearch Curator Retention description: Configures the retention of indices in OpenSearch. type: array items: title: OpenSearch Curator Retention description: Configures the retention of indices in OpenSearch. additionalProperties: false type: object properties: pattern: title: OpenSearch Curator Index Pattern type: string ageDays: title: OpenSearch Curator Index Age Days type: number sizeGB: title: OpenSearch Curator Index Pattern Size GB description: |- > [!note] > This is evaluated against the entire index pattern. 
type: number default: - pattern: authlog-* ageDays: 30 sizeGB: 1 - pattern: kubeaudit-* ageDays: 30 sizeGB: 50 - pattern: kubernetes-* ageDays: 30 sizeGB: 50 - pattern: other-* ageDays: 7 sizeGB: 1 - pattern: security-auditlog-* ageDays: 7 sizeGB: 1 startingDeadlineSeconds: title: OpenSearch Curator Starting Deadline Seconds type: number default: 600 activeDeadlineSeconds: title: OpenSearch Curator Active Deadline Seconds type: number default: 2700 resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' snapshot: title: OpenSearch Snapshot description: |- Configure OpenSearch snapshot creation and retention. This requires that `objectStorage` is configured, and will use the bucket or container set in `objectStorage.buckets.opensearch`. type: object additionalProperties: false properties: enabled: title: OpenSearch Snapshot Enabled type: boolean default: true repository: title: OpenSearch Snapshot Repository type: string default: opensearch-snapshots min: title: OpenSearch Minimum Retained Snapshots type: number default: 7 max: title: OpenSearch Maximum Retained Snapshots default: 14 type: number backupSchedule: title: OpenSearch Snapshot Backup Schedule description: |- Schedule to trigger Opensearch backups. Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: 0 */2 * * * $ref: '#/$defs/cronSchedule' retentionSchedule: title: OpenSearch Snapshot Retention Schedule description: |- Schedule to check for and remove old snapshots. Uses the Cron format, see https://en.wikipedia.org/wiki/Cron. default: '0 0 * * *' $ref: '#/$defs/cronSchedule' retentionAge: title: OpenSearch Maximum Snapshot Age type: string default: '10d' securityadmin: title: OpenSearch Security Admin description: Configures the Job that initialises OpenSearch Security. 
type: object additionalProperties: false properties: enabled: title: OpenSearch Security Admin Enabled type: boolean default: true activeDeadlineSeconds: title: OpenSearch Security Admin Active Deadline Seconds type: number default: 1200 resources: $ref: '#/$defs/kubernetesResourceRequirements' exporter: title: OpenSearch Exporter description: Configures the exporter exposing metrics from OpenSearch. type: object additionalProperties: false properties: serviceMonitor: title: OpenSearch Exporter Service Monitor description: Configures the service monitor of the exporter. type: object additionalProperties: false properties: interval: title: Scrape interval for the service monitor. type: string default: 30s scrapeTimeout: title: Scrape timeout for the service monitor. default: 30s $ref: '#/$defs/scrapeTimeout' resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' promIndexAlerts: title: OpenSearch Prometheus Index Alerts description: Configures the index alerts monitoring the function of index state management. type: array items: title: OpenSearch Prometheus Index Alert description: Configures the index alert monitoring the function of index state management. type: object additionalProperties: false properties: prefix: title: OpenSearch Index Prefix type: string alertSizeMB: title: OpenSearch Index Alert Size type: number default: - prefix: authlog-default alertSizeMB: 2 - prefix: kubeaudit-default alertSizeMB: 5500 - prefix: kubernetes-default alertSizeMB: 5500 - prefix: other-default alertSizeMB: 400 plugins: title: OpenSearch Plugins description: Configures plugins used in OpenSearch. additionalProperties: false properties: installExternalObjectStoragePlugin: title: OpenSearch Install External Object Storage Plugin description: |- When enabled OpenSearch will install the required object storage plugin when it starts. 
In an air-gapped environment where the nodes are not connected to the Internet, set this to `false` to prevent downloading any external object storage plugins. type: boolean additionalPlugins: title: OpenSearch Install Additional Plugins description: |- Configures OpenSearch to install plugins when it starts. In an air-gapped environment this can be used to install plugins from known sources. type: array type: object required: - enabled - subdomain - indexPerNamespace - dashboards networkPlugin: title: Network Plugin description: Configure the network plugin used in the cluster. type: object additionalProperties: false properties: type: title: Network plugin type description: Configure the type of network plugin type: string enum: - calico - cilium calico: title: Calico network plugin description: Configuration when network plugin is set to calico type: object additionalProperties: false properties: calicoAccountant: title: Calico Accountant description: Configure Calico accountant, used to collect metrics about packets affected by Network Policies when using Calico. additionalProperties: false properties: backend: title: Calico Accountant Backend type: string enum: - iptables - nftables meta:enum: iptables: The classical kernel netfilter interface. Use with Ubuntu 20.04 and older nftables: More modern netfilter interface. Use with Ubuntu 22.04 and newer default: nftables enabled: default: true type: boolean resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' type: object calicoFelixMetrics: title: Calico Felix Metrics description: Configure Calico Felix metrics, used to collect metrics about Calico. 
type: object additionalProperties: false properties: enabled: title: Calico Felix Metrics Enabled type: boolean default: true required: - calicoAccountant - calicoFelixMetrics required: - type - calico if: properties: calico: anyOf: - properties: calicoAccountant: properties: enabled: type: boolean const: true - properties: calicoFelixMetrics: properties: enabled: type: boolean const: true then: properties: type: const: "calico" certmanager: title: cert-manager Config description: Configure cert-manager, used to provision certificates either self-signed or via Let's Encrypt. additionalProperties: false properties: extraArgs: $ref: '#/$defs/extraArgs' cainjector: $ref: '#/$defs/component' webhook: $ref: '#/$defs/component' resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' topologySpreadConstraints: $ref: '#/$defs/kubernetesTopologySpreadConstraints' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' type: object ingressNginx: title: Ingress-NGINX Controller Config description: |- Configure Ingress-NGINX, the ingress controller. $defs: service: title: Ingress-NGINX Service description: Definition of Ingress-NGINX Service type: object properties: enabled: title: Ingress-NGINX Service Enabled type: boolean annotations: title: Service Annotations type: object additionalProperties: title: Annotation type: string description: Kubernetes annotations should be strings, but other scalars may be coerced during templating. default: {} type: title: Service Type description: Configure the type of the Service. type: string enum: - ClusterIP - LoadBalancer - NodePort clusterIP: title: Service ClusterIP type: string oneOf: - const: "" - format: ipv4 ipFamilyPolicy: title: Service IP Family Policy description: |- Represents the dual-stack-ness requested or required by this Service. 
When utilizing an internal loadbalancer service (ie MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field. See [reference](https://kubernetes.io/docs/concepts/services-networking/dual-stack/) type: string enum: - "" - SingleStack - PreferDualStack - RequireDualStack default: SingleStack ipFamilies: title: Service IP Families description: |- List of IP families (e.g. IPv4, IPv6) assigned to the service. Default is IPv4 only. When utilizing an internal loadbalancer service (ie MetalLB), IPv6 would also need to be included in order for the ingress service to allocate an address in that family. type: array uniqueItems: true items: title: Service IP Family type: string enum: - IPv4 - IPv6 default: - IPv4 allocateLoadBalancerNodePorts: title: Load Balancer Node Ports description: |- When enabled node ports will be allocated for the Load Balancer Service. This should be enabled when the cluster is fronted by a proxy load balancer regardless if it is external or internal, and disabled if the cluster uses direct routing of ingress traffic. See [reference](https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation) type: boolean default: false loadBalancerIP: title: Load Balancer IP description: |- Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider. > [!important] > With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation `loadbalancer.openstack.org/keep-floatingip: "true"` to prevent the floating IP to be deleted. type: string default: "" loadBalancerSourceRanges: title: Load Balancer Source Ranges description: |- Configure the source ranges to allow via the Load Balancer Service. type: array items: type: string default: [] nodePorts: title: Node Ports description: Configure the node ports to allocate for the Service. 
type: object additionalProperties: false properties: http: default: 30080 $ref: '#/$defs/port' https: default: 30443 $ref: '#/$defs/port' disabledCondition: title: Ingress-NGINX Service Disabled description: Condition for when the Service is disabled. type: object properties: enabled: const: false type: boolean enabledCondition: title: Ingress-NGINX Service Enabled description: Condition for when the Service is enabled. type: object properties: enabled: const: true type: boolean required: - annotations - type allOf: - $ref: "#/properties/ingressNginx/$defs/service/properties/clusterIpCondition" - $ref: "#/properties/ingressNginx/$defs/service/properties/loadBalancerCondition" - $ref: "#/properties/ingressNginx/$defs/service/properties/nodePortCondition" clusterIpCondition: title: Ingress-NGINX Service ClusterIP Enabled description: Condition for when the Service is using ClusterIP type. if: properties: type: const: ClusterIP required: - type then: required: - annotations - type loadBalancerCondition: title: Ingress-NGINX Service LoadBalancer Enabled description: Condition for when the Service is using LoadBalancer type. if: properties: type: const: LoadBalancer required: - type then: required: - type - allocateLoadBalancerNodePorts nodePortCondition: title: Ingress-NGINX Service NodePort Enabled description: Condition for when the Service is using NodePort type. if: properties: type: const: NodePort required: - type then: required: - annotations - type - nodePorts type: object additionalProperties: false properties: subDomain: title: Ingress-NGINX Subdomain type: string controller: title: Ingress-NGINX Controller description: Configure the controller daemonset of Ingress-NGINX. type: object additionalProperties: false properties: chroot: title: Ingress-NGINX Controller Chroot description: |- When enabled NGINX itself will run in a chroot under the controller namespace for increased separation between the controller and the proxy. 
This requires a special seccomp profile to be available to give the controller the `SYS_ADMIN` capability, which will be provided by a separate daemon set. type: boolean default: true allowSnippetAnnotations: title: Ingress-NGINX Allow Snippet Annotations description: |- When enabled annotations on Ingress resources can add snippets to the config of NGINX. > [!danger] > Only enable this after evaluating the risks it poses. > [!note] > See [the upstream documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations) for reference. type: boolean default: false config: title: Ingress-NGINX Config description: Configure the Ingress-NGINX controller. type: object additionalProperties: false properties: annotationsRiskLevel: title: Ingress-NGINX Annotations Risk Level type: string description: |- Configure the accepted risk level of annotations on Ingress resources. > [!note] > See [the upstream documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#annotations-risk-level) for reference. enum: - Critical - High - Medium - Low default: Critical useProxyProtocol: title: Ingress-NGINX PROXY Protocol type: boolean enableAnnotationValidations: title: Ingress-NGINX Annotation Validation description: |- When enabled annotations on Ingress resources are validated. This is disabled by default due to the maturity of the feature and lack of documentation. type: boolean default: true additionalConfig: title: Ingress-NGINX Additional Config description: |- Configure additional configuration for Ingress-NGINX controller. > [!note] > See [the upstream documentation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/) for reference. type: object additionalProperties: title: Ingress NGINX Config type: string default: {} extraArgs: title: Ingress NGINX Extra Args description: Configure extra args to pass to Ingress NGINX Controller. 
type: object additionalProperties: title: Ingress NGINX Arg type: string default: {} extraEnvs: title: Ingress NGINX Extra Environment Variables description: Configure extra environment variables to Ingress NGINX Controller. type: array default: [] enablepublishService: title: Ingress-NGINX Publish Service description: |- When enabled it allows customisation of the IP or FQDN to report the external address of the Service in the Ingress status field. When disabled it reports the IPs of the nodes where the controller pods are running. default: false type: boolean service: title: Ingress-NGINX Service description: Configure the Service for traffic to Ingress-NGINX. type: object properties: enabled: $ref: "#/properties/ingressNginx/$defs/service/properties/enabled" annotations: $ref: "#/properties/ingressNginx/$defs/service/properties/annotations" type: $ref: "#/properties/ingressNginx/$defs/service/properties/type" clusterIP: $ref: "#/properties/ingressNginx/$defs/service/properties/clusterIP" ipFamilyPolicy: $ref: "#/properties/ingressNginx/$defs/service/properties/ipFamilyPolicy" ipFamilies: $ref: "#/properties/ingressNginx/$defs/service/properties/ipFamilies" allocateLoadBalancerNodePorts: $ref: "#/properties/ingressNginx/$defs/service/properties/allocateLoadBalancerNodePorts" loadBalancerIP: $ref: "#/properties/ingressNginx/$defs/service/properties/loadBalancerIP" loadBalancerSourceRanges: $ref: "#/properties/ingressNginx/$defs/service/properties/loadBalancerSourceRanges" nodePorts: $ref: "#/properties/ingressNginx/$defs/service/properties/nodePorts" internal: title: Ingress-NGINX Internal Service description: Configure the Internal Service for traffic to Ingress-NGINX. 
type: object properties: enabled: $ref: "#/properties/ingressNginx/$defs/service/properties/enabled" annotations: $ref: "#/properties/ingressNginx/$defs/service/properties/annotations" type: $ref: "#/properties/ingressNginx/$defs/service/properties/type" clusterIP: $ref: "#/properties/ingressNginx/$defs/service/properties/clusterIP" ipFamilyPolicy: $ref: "#/properties/ingressNginx/$defs/service/properties/ipFamilyPolicy" allocateLoadBalancerNodePorts: $ref: "#/properties/ingressNginx/$defs/service/properties/allocateLoadBalancerNodePorts" loadBalancerIP: $ref: "#/properties/ingressNginx/$defs/service/properties/loadBalancerIP" loadBalancerSourceRanges: $ref: "#/properties/ingressNginx/$defs/service/properties/loadBalancerSourceRanges" nodePorts: $ref: "#/properties/ingressNginx/$defs/service/properties/nodePorts" anyOf: - $ref: "#/properties/ingressNginx/$defs/service/properties/disabledCondition" - $ref: "#/properties/ingressNginx/$defs/service/properties/enabledCondition" anyOf: - $ref: "#/properties/ingressNginx/$defs/service/properties/disabledCondition" - $ref: "#/properties/ingressNginx/$defs/service/properties/enabledCondition" useHostPort: title: Ingress-NGINX Host Port description: |- When enabled ingress traffic is directly forwarded from target ports on the nodes to reach Ingress-NGINX. This requires the namespace to use Pod Security Standard `privileged`. type: boolean resources: $ref: '#/$defs/kubernetesResourceRequirements' tolerations: $ref: '#/$defs/kubernetesTolerations' nodeSelector: $ref: '#/$defs/kubernetesNodeSelector' affinity: $ref: '#/$defs/io.k8s.api.core.v1.Affinity' defaultBackend: title: Ingress-NGINX Default Backend description: Configure the default backend deployment of Ingress-NGINX. 
    type: object
    additionalProperties: false
    properties:
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      nodeSelector:
        $ref: '#/$defs/kubernetesNodeSelector'
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      topologySpreadConstraints:
        $ref: '#/$defs/kubernetesTopologySpreadConstraints'
      issuers:
        title: Issuers Config
        description: Configure issuers for cert-manager.
        type: object
        additionalProperties: false
        properties:
          letsencrypt:
            title: Issuers Let's Encrypt
            description: Configure issuers for cert-manager using Let's Encrypt.
            type: object
            additionalProperties: false
            if:
              properties:
                enabled:
                  type: boolean
                  const: true
            then:
              properties:
                prod:
                  properties:
                    email:
                      title: Issuer Email
                      type: string
                staging:
                  properties:
                    email:
                      title: Issuer Email
                      type: string
            properties:
              enabled:
                title: Let's Encrypt Enabled
                type: boolean
                default: true
              prod:
                title: Let's Encrypt Prod
                description: Configure the Let's Encrypt production issuer.
                type: object
                additionalProperties: false
                properties:
                  email: true
                  solvers:
                    title: Issuer Solver
                    type: array
              staging:
                title: Let's Encrypt Staging
                description: Configure the Let's Encrypt staging issuer.
                type: object
                additionalProperties: false
                properties:
                  email: true
                  solvers:
                    title: Issuer Solver
                    type: array
          extraIssuers:
            title: Extra Issuers
            type: array
  networkPolicies:
    title: Network Policies Config
    description: |-
      Configure Network Policies.

      Most common Network Policy rules can be updated by running `./bin/ck8s update-ips `.
    additionalProperties: false
    properties:
      enabled:
        title: Network Policies Enabled
        type: boolean
        default: true
      enableAlerting:
        title: Network Policies Alerting Enabled
        type: boolean
        default: true
      global:
        title: Network Policies Global
        description: |-
          Configure global network policy rules.
        type: object
        additionalProperties: false
        properties:
          externalLoadBalancer:
            title: Network Policies External Load Balancer
            description: |-
              When enabled, create Network Policy rules for ingress via the external load balancer.
            type: boolean
          ingressUsingHostNetwork:
            title: Network Policies Ingress Host Network
            description: |-
              When enabled, create Network Policy rules for ingress via the host network.
            type: boolean
          objectStorage:
            title: Network Policies ObjectStorage
            description: |-
              Configure object storage network policy rules.

              This configuration should match the object storage service configured under `objectStorage`.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
              ports:
                $ref: '#/$defs/portlist'
            required:
              - ips
          objectStorageSwift:
            title: Network Policies ObjectStorage Swift
            description: |-
              Configure OpenStack Swift object storage network policy rules.

              This configuration should match the object storage service configured under `objectStorage.swift` if used by any component.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 5000
            required:
              - ips
          scApiserver:
            title: Network Policies SC API Server
            description: |-
              Configure service cluster API server network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
              port:
                $ref: '#/$defs/port'
                default: 6443
            required:
              - ips
          scIngress:
            title: Network Policies SC Ingress
            description: |-
              Configure service cluster ingress network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
            required:
              - ips
          scNodes:
            title: Network Policies SC Nodes
            description: |-
              Configure service cluster nodes network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
            required:
              - ips
          wcApiserver:
            title: Network Policies WC API Server
            description: |-
              Configure workload cluster API server network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
              port:
                $ref: '#/$defs/port'
          wcIngress:
            title: Network Policies WC Ingress
            description: |-
              Configure workload cluster ingress network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
            required:
              - ips
          wcNodes:
            title: Network Policies WC Nodes
            description: |-
              Configure workload cluster nodes network policy rules.

              > [!tip]
              > Automatically populated by `./bin/ck8s update-ips `.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
          trivy:
            title: Network Policies Trivy
            description: |-
              Configure Trivy network policy rules.

              Used by Trivy to fetch vulnerability databases, both in Harbor and in Trivy Operator.
            additionalProperties: false
            properties:
              ips: true
              port:
                $ref: '#/$defs/port'
                default: 443
            required:
              - ips
            type: object
        required:
          - externalLoadBalancer
          - ingressUsingHostNetwork
      ingressNginx:
        title: Network Policies Ingress NGINX
        description: Configure Ingress NGINX network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Ingress NGINX Enabled
            type: boolean
            default: true
          ingressOverride:
            title: Network Policies Ingress Override
            description: |-
              Configure an override of the ingress rules for Ingress NGINX.

              Required when cluster ingress uses direct routing.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Network Policies Ingress Override Enabled
                type: boolean
                default: false
              ips: true
      certManager:
        title: Network Policies cert-manager
        description: Configure cert-manager network policy rules.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
        then:
          properties:
            letsencrypt:
              properties:
                ips:
                  $ref: '#/$defs/iplist'
        properties:
          enabled:
            title: Network Policies cert-manager Enabled
            type: boolean
            default: true
          letsencrypt:
            title: Network Policies cert-manager Let's Encrypt
            description: |-
              Configure the network policy rule that allows cert-manager to reach Let's Encrypt.

              > [!note]
              > Let's Encrypt deliberately does not publish a list of its endpoints, so this is required to be `ips: [ 0.0.0.0/0 ]`, which opens egress from the cert-manager pods to any address.
            type: object
            additionalProperties: false
            properties:
              ips: true
          http01:
            title: Network Policies cert-manager HTTP-01
            description: Configure the network policy rule that allows cert-manager to perform HTTP-01 challenges against endpoints other than the ingress controller.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
          dns01:
            title: Network Policies cert-manager DNS-01
            description: Configure the network policy rule that allows cert-manager to perform DNS-01 challenges.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
          namespaces:
            title: Network Policies cert-manager namespaces
            description: Configure the namespaces in which cert-manager is allowed to perform HTTP-01 challenges.
            type: array
            items:
              title: Network Policies cert-manager namespace
              type: string
            default: []
            examples:
              - - dex
                - harbor
                - monitoring
                - opensearch-system
                - thanos
      externalDns:
        title: Network Policies ExternalDNS
        description: Configure ExternalDNS [network policy](https://kubernetes.io/docs/concepts/services-networking/network-policies/) rules.
        additionalProperties: false
        properties:
          enabled:
            type: boolean
          ips: true
          ports:
            $ref: '#/$defs/portlist'
        type: object
      dex:
        title: Network Policies Dex
        description: Configure Dex network policy rules.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
        then:
          properties:
            connectors:
              properties:
                ips:
                  $ref: '#/$defs/iplist'
        properties:
          enabled:
            title: Network Policies Dex Enabled
            type: boolean
            default: true
          connectors:
            title: Network Policies Dex Connectors
            description: Configure the network policy rule that allows Dex to reach the configured connectors.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
      gatekeeper:
        title: Network Policies Gatekeeper
        description: Configure Gatekeeper network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Gatekeeper Enabled
            type: boolean
            default: true
      harbor:
        title: Network Policies Harbor
        description: Configure Harbor network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Harbor Enabled
            default: true
            type: boolean
          database:
            title: Network Policies Harbor Database
            description: |-
              Configure network policies for the database used by Harbor.
            type: object
            additionalProperties: false
            properties:
              externalEgress:
                title: Network Policies Harbor Database External Egress
                description: |-
                  Configure network policy egress rules to the external database of Harbor.
                type: object
                additionalProperties: false
                properties:
                  peers:
                    title: Network Policy Peers
                    type: array
                  ports:
                    title: Network Policy Ports
                    type: array
              internalIngress:
                title: Network Policies Harbor Database Internal Ingress
                description: |-
                  Configure network policy ingress rules to the internal database of Harbor.
                type: object
                additionalProperties: false
                properties:
                  peers:
                    title: Network Policy Peers
                    type: array
                  ports:
                    title: Network Policy Ports
                    type: array
          redis:
            title: Network Policies Harbor Redis
            description: |-
              Configure network policies for the Redis used by Harbor.
            type: object
            additionalProperties: false
            properties:
              externalEgress:
                title: Network Policies Harbor Redis External Egress
                description: |-
                  Configure network policy egress rules to the external Redis of Harbor.
                type: object
                additionalProperties: false
                properties:
                  peers:
                    title: Network Policy Peers
                    type: array
                  ports:
                    title: Network Policy Ports
                    type: array
          registries:
            title: Network Policies Harbor Registries
            description: |-
              Configure network policies for external registries used by Harbor.

              Applies to harbor-core and harbor-jobservice when replication is enabled.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
          jobservice:
            title: Network Policies Harbor Job Service
            description: Configure network policies for the job service in Harbor.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
          trivy:
            title: Network Policies Harbor Trivy
            description: Configure network policies for the Trivy scanner in Harbor.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
      fluentd:
        title: Network Policies Fluentd
        description: Configure Fluentd network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Fluentd Enabled
            type: boolean
            default: true
          extraOutput:
            title: Extra Output Rule
            description: |-
              Configure extra output egress rules.

              This may be used to allow application developers to send logs externally from the user Fluentd with extra config and plugins.
            type: object
            additionalProperties: false
            properties:
              ips:
                $ref: '#/$defs/iplist'
              ports:
                $ref: '#/$defs/portlist'
      opensearch:
        title: Network Policies OpenSearch
        description: Configure OpenSearch network policy rules.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
        then:
          properties:
            plugins:
              properties:
                ips:
                  $ref: '#/$defs/iplist'
        properties:
          enabled:
            title: Network Policies OpenSearch Enabled
            type: boolean
            default: true
          plugins:
            title: Network Policies OpenSearch Plugins
            description: Configure network policy rules that allow OpenSearch to install plugins during startup.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
      monitoring:
        title: Network Policies Monitoring
        description: Configure monitoring network policy rules.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
            grafana:
              properties:
                externalDataSources:
                  properties:
                    enabled:
                      type: boolean
                      const: true
        then:
          properties:
            grafana:
              properties:
                externalDataSources:
                  properties:
                    ips:
                      $ref: '#/$defs/iplist'
                    ports:
                      $ref: '#/$defs/portlist'
                      default:
                        - 443
        properties:
          enabled:
            title: Network Policies Monitoring Enabled
            type: boolean
            default: true
          grafana:
            title: Network Policies Grafana
            description: Configure Grafana network policy rules.
            type: object
            additionalProperties: false
            properties:
              externalDashboardProvider:
                title: Grafana External Dashboards
                description: Configure network policy rules that allow Grafana to use external dashboards.
                type: object
                additionalProperties: false
                properties:
                  ips:
                    $ref: '#/$defs/iplist'
                  ports:
                    $ref: '#/$defs/portlist'
                    default:
                      - 443
              externalDataSources:
                title: Grafana External Datasources
                description: Configure network policy rules that allow Grafana to use external datasources.
                type: object
                properties:
                  enabled:
                    title: Grafana External Datasources Enabled
                    default: false
                    type: boolean
                  ips: true
                  ports: true
          alertmanager:
            title: Network Policies Alertmanager
            description: Configure Alertmanager network policy rules.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Network Policies Alertmanager Enabled
                type: boolean
              alertReceivers:
                $ref: '#/$defs/netpolRule'
          prometheus:
            title: Network Policies Prometheus
            description: Configure Prometheus network policy rules.
            type: object
            additionalProperties: false
            properties:
              internalAccess:
                title: Network Policies Prometheus Internal Access
                description: |-
                  Configure network policy rules that allow internal access to Prometheus.

                  This requires the allowed namespaces to be configured under `namespaces` and the allowed pods to be labeled `elastisys.io/prometheus-access: allowed`.
                type: object
                additionalProperties: false
                properties:
                  enabled:
                    title: Prometheus Internal Access Enabled
                    type: boolean
                    default: false
                  namespaces:
                    title: Prometheus Internal Access Namespaces
                    description: Configure the namespaces that are allowed internal access to Prometheus.
                    type: array
                    items:
                      title: Namespace Name
                      type: string
                    default: []
      s3Exporter:
        title: Network Policies S3 Exporter
        description: Configure S3 exporter network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies S3 Exporter Enabled
            type: boolean
            default: true
      tektonPipelines:
        title: Network Policies Tekton Pipeline
        description: |-
          Enable network policies for Tekton and the pipeline.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Tekton Enabled
            type: boolean
            default: true
          pipeline:
            title: Network Policies Tekton Pipeline
            description: |-
              Add the network policies required by the pipeline under the `pipeline` section.

              The network policies follow the format of the network policies generator, so pre-defined network policy rules can be referenced by name.

              The pre-defined rules can be found [here](https://github.com/elastisys/compliantkubernetes-apps/blob/main/helmfile.d/values/networkpolicies/common/common.yaml.gotmpl).

              ```yaml
              pipeline:
                clone-config-pod:
                  podSelectorLabels:
                    tekton.dev/pipeline: upgrade-pipeline
                  ingress: {}
                  egress:
                    - rule: egress-rule-dns # pre-defined network policies rule.
                    - name: egress-rule-config-access
                      peers:
                        - cidr: 1.2.3.4/32
                      ports:
                        - tcp: 22
              ```
            type: object
      thanos:
        title: Network Policies Thanos
        description: Configure Thanos network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Thanos Enabled
            type: boolean
            default: true
      falco:
        title: Network Policies Falco
        description: Configure Falco network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Falco Enabled
            default: true
            type: boolean
          plugins:
            title: Network Policies Falco Plugins
            description: Configure network policy rules that allow Falco to install plugins during startup.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
      kured:
        title: Network Policies Kured
        description: Configure Kured network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Kured Enabled
            type: boolean
            default: true
          notificationSlack:
            title: Network Policies Kured Notifications Slack
            description: Configure network policy rules that allow Kured to send Slack notifications.
            type: object
            additionalProperties: false
            properties:
              ips: true
              ports:
                $ref: '#/$defs/portlist'
                default:
                  - 443
      kyverno:
        title: Network Policies Kyverno
        description: Configure Kyverno network policy rules.
        type: object
        properties:
          enabled:
            title: Network Policies Kyverno Enabled
            type: boolean
            default: true
          imageRegistry:
            title: Network Policies Kyverno Image Registry
            description: Configure the network policy that allows Kyverno to access image registries. This is required for signed image verification.
            type: object
            properties:
              ips: true
              ports: true
      rclone:
        title: Network Policies Rclone
        description: Configure Rclone network policy rules.
        type: object
        properties:
          enabled:
            title: Network Policies Rclone Enabled
            type: boolean
          sync:
            title: Network Policies Rclone Sync
            description: Configure network policy rules that allow rclone to sync.
            type: object
            additionalProperties: false
            properties:
              objectStorage:
                title: Network Policies Rclone Sync Object Storage
                description: Configure network policy rules that allow rclone to sync object storage.
                type: object
                properties:
                  ips: true
                  ports:
                    $ref: '#/$defs/portlist'
                    default:
                      - 443
              objectStorageSwift:
                title: Network Policies Rclone Sync Object Storage Swift
                description: Configure network policy rules that allow rclone to sync object storage with Swift.
                type: object
                properties:
                  ips: true
                  ports:
                    $ref: '#/$defs/portlist'
                    default:
                      - 5000
              secondaryUrl:
                title: Network Policies Rclone Sync Secondary URL
                description: Configure network policy rules that allow rclone to sync with a secondary URL.
                type: object
                properties:
                  ips: true
                  ports:
                    $ref: '#/$defs/portlist'
                    default:
                      - 443
      velero:
        title: Network Policies Velero
        description: Configure Velero network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Velero Enabled
            type: boolean
            default: true
      kubeSystem:
        title: Network Policies Kube System
        description: Configure kube-system network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Kube System Enabled
            type: boolean
            default: true
      openstack:
        title: Network Policies OpenStack
        description: Configure OpenStack network policy rules.
        type: object
        properties:
          enabled:
            title: Network Policies OpenStack Enabled
            type: boolean
          ips:
            $ref: '#/$defs/iplist'
          ports:
            $ref: '#/$defs/portlist'
      upcloud:
        title: Network Policies UpCloud
        description: Configure UpCloud network policy rules.
        type: object
        properties:
          enabled:
            title: Network Policies UpCloud Enabled
            type: boolean
          ips:
            $ref: '#/$defs/iplist'
          ports:
            $ref: '#/$defs/portlist'
      dnsAutoscaler:
        title: Network Policies DNS Autoscaler
        description: Configure DNS Autoscaler network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies DNS Autoscaler Enabled
            type: boolean
            default: true
      coredns:
        title: Network Policies CoreDNS
        description: Configure CoreDNS network policy rules.
        type: object
        additionalProperties: false
        if:
          properties:
            enabled:
              type: boolean
              const: true
        then:
          properties:
            externalDns:
              properties:
                ips:
                  $ref: '#/$defs/iplist'
            serviceIp:
              properties:
                ips:
                  $ref: '#/$defs/iplist'
        properties:
          enabled:
            title: Network Policies CoreDNS
            type: boolean
            default: true
          externalDns:
            title: Network Policies CoreDNS External DNS
            description: Configure the network policy rule that allows CoreDNS to query the upstream DNS servers.
            type: object
            additionalProperties: false
            properties:
              ips: true
          serviceIp:
            title: Network Policies CoreDNS Service IP
            description: Configure the network policy rule that allows CoreDNS to query the internal service IP.
            type: object
            additionalProperties: false
            properties:
              ips: true
      rookCeph:
        title: Network Policies Rook Ceph
        description: Configure Rook Ceph network policy rules.
        type: object
        additionalProperties: false
        properties:
          enabled:
            title: Network Policies Rook Ceph Enabled
            default: false
            type: boolean
      defaultDeny:
        default: false
        type: boolean
      allowedNameSpaces:
        title: Network Policies Allowed Namespaces
        type: array
      additionalEgressPolicies:
        title: Network Policies Egress Policies
        type: array
      additionalIngressPolicies:
        title: Network Policies Ingress Policies
        type: array
      additional:
        title: Network Policies Additional Policies
        description: Configure additional network policies.
        type: string
        format: yaml
    type: object
  nodeLocalDns:
    title: Node Local DNS
    description: Configure node-local-dns, node local DNS resolving and caching.
    type: object
    additionalProperties: false
    properties:
      customConfig:
        title: Custom Config
        description: |-
          Configure custom options for the CoreDNS instance running as part of node-local-dns.

          > [!note]
          > See [the upstream documentation](https://coredns.io/manual/configuration/) for reference.
        type: string
        default: ""
        examples:
          - |-
            example.com:53 {
              errors
              cache 30
              reload
              loop
              forward . 127.0.0.1:9005
            }
      hostZone:
        title: Host zone for node-local-dns
        description: Configure the host zone for node-local-dns
        type: object
        additionalProperties: false
        properties:
          extraConfig:
            title: Extra config for host zone
            description: |-
              Configure extra config for the host zone .53 for node-local-dns.

              > [!note]
              > See [the upstream documentation](https://coredns.io/manual/configuration/) for reference.
            type: string
            default: ""
            examples:
              - |-
                template ANY ANY {
                  rcode NXDOMAIN
                }
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
  externalDns:
    title: External DNS Config
    description: |-
      Configure External DNS.

      External DNS manages DNS records based on Kubernetes resources, and can automatically configure DNS records from:

      - CRD resources
      - Ingress resources
      - Service resources

      Currently only AWS Route 53 is supported as the DNS provider.

      > [!note]
      > See [the upstream documentation](https://kubernetes-sigs.github.io/external-dns/) for reference.
    type: object
    additionalProperties: false
    if:
      properties:
        enabled:
          type: boolean
          const: true
    then:
      properties:
        txtOwnerId:
          title: External DNS TXT Owner ID
          type: string
    properties:
      enabled:
        title: External DNS Enabled
        type: boolean
      namespaced:
        title: External DNS Namespaced
        type: boolean
      provider:
        title: External DNS Provider
        type: string
        examples:
          - aws
      sources:
        title: External DNS Sources
        description: Configure the sources External DNS should manage DNS records for.
        type: object
        additionalProperties: false
        properties:
          crd:
            title: External DNS CRD
            type: boolean
          ingress:
            title: External DNS Ingress
            type: boolean
          service:
            title: External DNS Service
            type: boolean
      domains:
        title: External DNS Domains
        description: Configure the domains External DNS should manage.
        type: array
        items:
          title: External DNS Domain
          type: string
      txtOwnerId: true
      txtPrefix:
        title: External DNS TXT Prefix
        type: string
        description: |-
          Configure a prefix for TXT records.

          This is required with AWS Route 53 if CNAME records are preferred over A/AAAA records, as it cannot handle both at the same time.
      endpoints:
        title: External DNS Endpoints
        description: |-
          Configure the endpoints to create DNS records for.

          Requires `externalDns.sources.crd` to be enabled.
        type: array
        items:
          title: External DNS Endpoint
          description: Configure an endpoint to create a DNS record for.
          type: object
          additionalProperties: false
          properties:
            dnsName:
              title: Record Subdomain
              type: string
              examples:
                - kube
            recordType:
              title: Record Type
              type: string
              examples:
                - A
            recordTTL:
              title: Record TTL
              type: integer
            targets:
              title: Record Targets
              description: Configure the targets to create the DNS record for.
              type: array
              items:
                title: Record Target
                type: string
                examples:
                  - wc control-plane nodes
      extraArgs:
        title: External DNS Extra Args
        description: |-
          Configure extra args for External DNS.

          When a load balancer service with a hostname is used, you must configure External DNS to prefer CNAME records over A/AAAA records, for example in OpenStack environments using the PROXY protocol. For AWS Route 53 this is done with the arg `--aws-prefer-cname`.
        $ref: '#/$defs/extraArgs'
      logLevel:
        title: External DNS Log Level
        type: string
        examples:
          - info
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      topologySpreadConstraints:
        $ref: '#/$defs/kubernetesTopologySpreadConstraints'
      affinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
  tektonPipelines:
    title: Tekton Pipelines Config
    description: Configure Tekton Pipelines
    type: object
    properties:
      enabled:
        title: Enable Tekton Flag
        type: boolean
      controller:
        title: Tekton Controller Config
        description: Configure the Tekton Controller
        type: object
        properties:
          replicas:
            title: Number of controller replicas
            type: integer
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
      webhook:
        title: Tekton Webhook Config
        description: Configure the Tekton Webhook
        type: object
        properties:
          replicas:
            title: Number of webhook replicas
            type: integer
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
      remoteResolvers:
        title: Tekton Remote Resolvers Config
        description: Configure the Tekton Remote Resolver
        type: object
        properties:
          replicas:
            title: Number of remote resolver replicas
            type: integer
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
      customConfigDefaults:
        title: Custom default config
        description: |-
          Configure custom default options for Tekton.

          > [!note]
          > See [the upstream documentation](https://tekton.dev/docs/pipelines/additional-configs/) for available default config options.
        examples:
          - default-timeout-minutes: "30"
        type: object
  gpu:
    title: GPU Config
    description: Configure the GPU Operator and its dependencies
    type: object
    properties:
      enabled:
        title: GPU Operator Enabled
        default: false
        type: boolean
      operator:
        title: GPU Operator Config
        description: Configure GPU Operator
        type: object
        properties:
          resources:
            $ref: '#/$defs/kubernetesResourceRequirements'
          tolerations:
            $ref: '#/$defs/kubernetesTolerations'
          affinity:
            $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      nodeFeatureDiscovery:
        title: Node Feature Discovery Config
        description: Configure Node Feature Discovery
        type: object
        properties:
          controlPlane:
            title: Node Feature Discovery Control Plane Config
            description: Configure Node Feature Discovery Control Plane
            type: object
            properties:
              resources:
                $ref: '#/$defs/kubernetesResourceRequirements'
              tolerations:
                $ref: '#/$defs/kubernetesTolerations'
              affinity:
                $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
          worker:
            title: Node Feature Discovery Worker Config
            description: Configure Node Feature Discovery workers
            type: object
            properties:
              resources:
                $ref: '#/$defs/kubernetesResourceRequirements'
              tolerations:
                $ref: '#/$defs/kubernetesTolerations'
              affinity:
                $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      daemonsets:
        title: GPU Daemonsets Config
        description: Configure GPU Daemonsets
        type: object
        properties:
          tolerations:
            $ref: '#/$defs/kubernetesTolerations'
      mig:
        title: MIG Configuration
        description: Configure MIG options such as the strategy
        type: object
        properties:
          strategy:
            title: MIG Strategy
            description: "`none` ignores MIG entirely, `single` exposes MIG devices as a standard GPU resource, and `mixed` creates one resource type for each MIG configuration."
            type: string
            enum:
              - mixed
              - single
              - none
      devicePlugin:
        title: Device Plugin Configuration
        description: Configuration for the device plugin, e.g. time-slicing
        type: object
      extraMetrics:
        title: Enable Additional DCGM Metrics
        description: Adds profiling metrics to DCGM if profiling is available for your GPUs
        type: boolean
  kyverno:
    title: Kyverno Config
    description: Configure Kyverno and Kyverno Policies
    type: object
    properties:
      enabled:
        title: Enable Kyverno
        default: false
        type: boolean
      resources:
        $ref: '#/$defs/kubernetesResourceRequirements'
      nodeSelector:
        $ref: '#/$defs/kubernetesNodeSelector'
      podAffinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      nodeAffinity:
        $ref: '#/$defs/io.k8s.api.core.v1.Affinity'
      topologySpreadConstraints:
        $ref: '#/$defs/kubernetesTopologySpreadConstraints'
      tolerations:
        $ref: '#/$defs/kubernetesTolerations'
      policies:
        title: Kyverno policies
        description: Kyverno policies configuration
        type: object
        properties:
          verifyImageSignature:
            title: Verify Image Signature Kyverno policy
            description: A policy that requires all images in HNC-controlled namespaces to be signed
            type: object
            properties:
              enabled:
                title: Enable the Verify Image Signature policy
                default: false
                type: boolean
              type:
                title: Method of signature validation
                type: string
                enum:
                  - Cosign
                  - Notary
              ignoreRekorTlog:
                title: Ignore the Rekor transparency log when verifying image signatures
                default: false
                type: boolean
              attestor:
                description: A public key (Cosign) or certificate (Notary) used to verify image signatures
                type: string
                examples:
                  - |
                    -----BEGIN PUBLIC KEY-----
                    MFkwEwY...
                    -----END PUBLIC KEY-----
                  - |
                    -----BEGIN CERTIFICATE-----
                    MIIDTTCCA...
                    -----END CERTIFICATE-----
  images:
    title: Images Configuration
    description: |-
      Configure the container image URI of each Welkin component individually, and (optionally) enable support for a global registry and/or repository.
    type: object
    additionalProperties: false
    properties:
      global:
        title: Global image settings
        description: |-
          Global image registry and repository settings.

          If a global registry is supplied and enabled, and an image is specified that doesn't have a registry, the global registry will be used instead.

          If a global repository is supplied and enabled, and an image is specified that doesn't have a repository, the global repository will be used instead.
        type: object
        additionalProperties: false
        properties:
          registry:
            title: Global image registry
            description: If enabled it will be used as the registry of images that don't supply their own.
            type: object
            additionalProperties: false
            properties:
              enabled:
                title: Enable the global image registry
                type: boolean
              uri:
                title: Global image registry URI
                type: string
                examples:
                  - registry.k8s.io
                pattern: "\\..*"
            if:
              properties:
                enabled:
                  const: true
              required:
                - enabled
            then:
              required:
                - uri
            required:
              - enabled
          repository:
            title: Global image repository
            description: If enabled it will be used as the repository of images that don't supply their own.
            additionalProperties: false
            type: object
            properties:
              enabled:
                title: Enable the global image repository
                type: boolean
              uri:
                title: Global image repository
                examples:
                  - ingress-nginx
                type: string
            if:
              properties:
                enabled:
                  const: true
              required:
                - enabled
            then:
              required:
                - uri
            required:
              - enabled
      calico:
        title: calico stack image configuration
        description: calico stack image configuration
        type: object
        additionalProperties: false
        properties:
          accountant:
            $ref: '#/$defs/containerImage'
      certManager:
        title: cert-manager stack image configuration
        description: cert-manager stack image configuration
        type: object
        additionalProperties: false
        properties:
          controller:
            $ref: '#/$defs/containerImage'
          webhook:
            $ref: '#/$defs/containerImage'
          cainjector:
            $ref: '#/$defs/containerImage'
          startupapicheck:
            $ref: '#/$defs/containerImage'
      dex:
        title: dex stack image configuration
        description: dex stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      externalDns:
        title: external-dns stack image configuration
        description: external-dns stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      falco:
        title: falco stack image configuration
        description: falco stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
          driverLoaderInit:
            $ref: '#/$defs/containerImage'
          falcoctl:
            $ref: '#/$defs/containerImage'
          sidekick:
            $ref: '#/$defs/containerImage'
      fluentd:
        title: fluentd stack image configuration
        description: fluentd stack image configuration
        type: object
        additionalProperties: false
        properties:
          aggregator:
            $ref: '#/$defs/containerImage'
          forwarder:
            $ref: '#/$defs/containerImage'
          logManager:
            $ref: '#/$defs/containerImage'
      gatekeeper:
        title: gatekeeper stack image configuration
        description: gatekeeper stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
          preInstallCRDs:
            $ref: '#/$defs/containerImage'
          postInstallLabelNamespace:
            $ref: '#/$defs/containerImage'
          kubectl:
            $ref: '#/$defs/containerImage'
      gpuOperator:
        title: gpu-operator stack image configuration
        description: gpu-operator stack image configuration
        type: object
        additionalProperties: false
        properties:
          operator:
            $ref: '#/$defs/containerImage'
          nodeFeatureDiscovery:
            $ref: '#/$defs/containerImage'
      harbor:
        title: harbor stack image configuration
        description: harbor stack image configuration
        type: object
        additionalProperties: false
        properties:
          core:
            $ref: '#/$defs/containerImage'
          exporter:
            $ref: '#/$defs/containerImage'
          jobservice:
            $ref: '#/$defs/containerImage'
          portal:
            $ref: '#/$defs/containerImage'
          registry:
            $ref: '#/$defs/containerImage'
          registryController:
            $ref: '#/$defs/containerImage'
          database:
            $ref: '#/$defs/containerImage'
          redis:
            $ref: '#/$defs/containerImage'
          trivyAdapter:
            $ref: '#/$defs/containerImage'
          initJob:
            $ref: '#/$defs/containerImage'
          backupJob:
            $ref: '#/$defs/containerImage'
          mpuCleaner:
            $ref: '#/$defs/containerImage'
      hnc:
        title: hnc stack image configuration
        description: hnc stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      ingressNginx:
        title: ingress-nginx stack image configuration
        description: ingress-nginx stack image configuration
        type: object
        additionalProperties: false
        properties:
          controller:
            $ref: '#/$defs/containerImage'
          controllerChroot:
            $ref: '#/$defs/containerImage'
          defaultBackend:
            $ref: '#/$defs/containerImage'
          admissionWebhooksPatch:
            $ref: '#/$defs/containerImage'
          fileCopier:
            $ref: '#/$defs/containerImage'
      kured:
        title: kured stack image configuration
        description: kured stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      kyverno:
        title: kyverno stack image configuration
        description: kyverno stack image configuration
        type: object
        additionalProperties: false
        properties:
          main:
            $ref: '#/$defs/containerImage'
          init:
            $ref: '#/$defs/containerImage'
          webhooksCleanup:
            $ref: '#/$defs/containerImage'
          crdsMigration:
            $ref: '#/$defs/containerImage'
      monitoring:
        title: monitoring stack image configuration
        description: monitoring stack image configuration
        type: object
        additionalProperties: false
        properties:
          nodeExporter:
            $ref: '#/$defs/containerImage'
          kubeStateMetrics:
            $ref: '#/$defs/containerImage'
          prometheusOperator:
            $ref: '#/$defs/containerImage'
          configReloader:
            $ref: '#/$defs/containerImage'
          alertmanager:
            $ref: '#/$defs/containerImage'
          prometheus:
            $ref: '#/$defs/containerImage'
          admissionWebhooksPatch:
            $ref: '#/$defs/containerImage'
          grafana:
            $ref: '#/$defs/containerImage'
          grafanaSidecar:
            $ref: '#/$defs/containerImage'
          blackboxExporter:
            $ref: '#/$defs/containerImage'
          grafanaLabelEnforcer:
            $ref: '#/$defs/containerImage'
          s3Exporter:
            $ref: '#/$defs/containerImage'
          metricsServer:
            $ref: '#/$defs/containerImage'
          trivyOperator:
            $ref: '#/$defs/containerImage'
      nodeLocalDns:
        title: node-local-dns stack image configuration
        description: node-local-dns stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      opensearch:
        title: opensearch stack image configuration
        description: opensearch stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
          initSysctl:
            $ref: '#/$defs/containerImage'
          dashboards:
            $ref: '#/$defs/containerImage'
          configurerJob:
            $ref: '#/$defs/containerImage'
          curatorCronjob:
            $ref: '#/$defs/containerImage'
          exporter:
            $ref: '#/$defs/containerImage'
      rclone:
        title: rclone stack image configuration
        description: rclone stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      tekton:
        title: tekton stack image configuration
        description: tekton stack image configuration
        type: object
        additionalProperties: false
        properties:
          controller:
            $ref: '#/$defs/containerImage'
          remoteResolvers:
            $ref: '#/$defs/containerImage'
          webhook:
            $ref: '#/$defs/containerImage'
      thanos:
        title: thanos stack image configuration
        description: thanos stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
      velero:
        title: velero stack image configuration
        description: velero stack image configuration
        type: object
        additionalProperties: false
        properties:
          image:
            $ref: '#/$defs/containerImage'
          pluginCsi:
            $ref: '#/$defs/containerImage'
          pluginAws:
            $ref: '#/$defs/containerImage'
          pluginGcp:
            $ref: '#/$defs/containerImage'
          pluginAzure:
            $ref: '#/$defs/containerImage'
          kubectl:
            $ref: '#/$defs/containerImage'
additionalProperties:
  title: Additional Properties
  description: Configure additional properties not covered by the schema.
  type: object
  properties: {}
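The `pipeline` section under `networkPolicies.tektonPipelines` above is written in the network policies generator format (a `podSelectorLabels` map, `ingress`/`egress` lists whose entries are either `rule: <pre-defined name>` or an inline rule with `peers` and `ports`). The following is an added example, not the project's own generator: a small, stdlib-only Python translation of that format into Kubernetes `NetworkPolicy` manifests, so you can see what a given `pipeline` block actually grants. The content of the pre-defined rule `egress-rule-dns` and the target namespace are assumptions (the real rule lives in the linked `common.yaml.gotmpl`).

```python
"""Translate the network-policies-generator format into NetworkPolicy manifests.

Illustrative code written for this page; it is NOT the project's generator.
Assumptions (not from the page): the definition of `egress-rule-dns` below,
and that an empty `ingress: {}` means "deny all ingress" for the selected pods.
"""
import json

# ASSUMED content of a pre-defined rule; the real one may differ.
PREDEFINED_RULES = {
    "egress-rule-dns": {
        "name": "egress-rule-dns",
        "peers": [
            {"namespaceSelector": {"kubernetes.io/metadata.name": "kube-system"},
             "podSelector": {"k8s-app": "kube-dns"}},
        ],
        "ports": [{"udp": 53}, {"tcp": 53}],
    },
}


def _peer(peer):
    """Map a generator peer (cidr / namespaceSelector / podSelector) to a k8s peer."""
    out = {}
    if "cidr" in peer:
        out["ipBlock"] = {"cidr": peer["cidr"]}
    if "namespaceSelector" in peer:
        out["namespaceSelector"] = {"matchLabels": peer["namespaceSelector"]}
    if "podSelector" in peer:
        out["podSelector"] = {"matchLabels": peer["podSelector"]}
    if not out:
        raise ValueError(f"peer has no selector: {peer!r}")
    return out


def _port(port):
    """`{tcp: 22}` -> `{protocol: TCP, port: 22}`."""
    (proto, number), = port.items()
    return {"protocol": proto.upper(), "port": number}


def _resolve(rule):
    """Expand `rule: <name>` references; inline rules pass through unchanged."""
    if "rule" in rule:
        try:
            return PREDEFINED_RULES[rule["rule"]]
        except KeyError:
            raise ValueError(f"unknown pre-defined rule {rule['rule']!r}") from None
    return rule


def _rules(rules, peer_key):
    """Build the k8s ingress/egress rule list; `peer_key` is 'from' or 'to'."""
    out = []
    for raw in rules:
        rule = _resolve(raw)
        entry = {}
        if rule.get("peers"):          # omitted peers = any destination/source
            entry[peer_key] = [_peer(p) for p in rule["peers"]]
        if rule.get("ports"):          # omitted ports = any port
            entry["ports"] = [_port(p) for p in rule["ports"]]
        out.append(entry)
    return out


def generate_network_policies(pipeline, namespace):
    """One NetworkPolicy per entry of the `pipeline` section."""
    manifests = []
    for name, spec in pipeline.items():
        manifests.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": spec.get("podSelectorLabels", {})},
                # Naming both policy types is what turns an empty rule list into
                # a deny: without it, `ingress: {}` would leave ingress wide open.
                "policyTypes": ["Ingress", "Egress"],
                "ingress": _rules(spec.get("ingress") or [], "from"),
                "egress": _rules(spec.get("egress") or [], "to"),
            },
        })
    return manifests


# Constructed sample input, mirroring the example in the schema description.
SAMPLE_PIPELINE = {
    "clone-config-pod": {
        "podSelectorLabels": {"tekton.dev/pipeline": "upgrade-pipeline"},
        "ingress": {},
        "egress": [
            {"rule": "egress-rule-dns"},
            {"name": "egress-rule-config-access",
             "peers": [{"cidr": "1.2.3.4/32"}],
             "ports": [{"tcp": 22}]},
        ],
    },
}

if __name__ == "__main__":
    print(json.dumps(generate_network_policies(SAMPLE_PIPELINE, "tekton-pipelines"), indent=2))
```

Two things worth checking in the output before applying such a policy: that `policyTypes` lists both directions (an empty `ingress` list only denies ingress when `Ingress` is in `policyTypes`), and that every egress rule carries `ports`, since a rule with peers but no ports allows every port to those peers.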
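The `images.global` description above states the resolution rule (a global registry or repository is only substituted for images that do not name their own) and the schema encodes an `if`/`then` constraint (`enabled` is always required; when it is `true`, `uri` is required too, and the registry `uri` must match the unanchored pattern `\..*`). As an added example, not the project's Helm templating, the following stdlib-only Python enforces that constraint and applies the resolution rule to plain image reference strings. The `[registry/][repository/]name[:tag][@digest]` reference form, and the convention that the first path component is a registry only if it contains a dot or a colon or is `localhost`, are assumptions taken from common container tooling rather than from the page.

```python
"""Validate `images.global` and resolve image references against it.

Added, illustrative code for this page; NOT the project's templating.
Assumption: references look like [registry/][repository/]name[:tag][@digest],
and the first component is a registry only when it contains '.' or ':' or is
'localhost' (the usual container-tooling heuristic).
"""
import re

# Same heuristic as common container tooling; an assumption, not from the schema.
_REGISTRY_RE = re.compile(r"^(localhost|[^/]+[.:][^/]*)$")


def validate_global(section):
    """Enforce the schema's rules for images.global.registry / .repository.

    `enabled` is required; when it is true, `uri` is required; the registry
    `uri` must match the JSON Schema pattern "\\..*" (unanchored, so re.search).
    """
    for key, pattern in (("registry", r"\..*"), ("repository", None)):
        entry = section.get(key)
        if entry is None:
            continue
        if "enabled" not in entry:
            raise ValueError(f"images.global.{key}: 'enabled' is required")
        if entry["enabled"] and "uri" not in entry:
            raise ValueError(f"images.global.{key}: 'uri' is required when enabled")
        if pattern and "uri" in entry and not re.search(pattern, entry["uri"]):
            raise ValueError(f"images.global.{key}.uri must match {pattern}")


def split_reference(ref):
    """Return (registry, repository, name) where registry/repository may be None."""
    parts = ref.split("/")
    registry = None
    if len(parts) > 1 and _REGISTRY_RE.match(parts[0]):
        registry = parts.pop(0)
    name = parts.pop()                      # last component: name[:tag][@digest]
    repository = "/".join(parts) or None    # whatever sits between registry and name
    return registry, repository, name


def resolve_image(ref, global_section):
    """Apply the global registry/repository only where the reference has none."""
    validate_global(global_section)
    registry, repository, name = split_reference(ref)
    reg = global_section.get("registry", {})
    repo = global_section.get("repository", {})
    if registry is None and reg.get("enabled"):
        registry = reg["uri"]
    if repository is None and repo.get("enabled"):
        repository = repo["uri"]
    return "/".join(p for p in (registry, repository, name) if p)


def images_outside(refs, global_section):
    """Resolved references that still pull from somewhere other than the global registry.

    This is the check to run after enabling a private mirror: an image that
    already names a public registry is deliberately left untouched by the rule.
    """
    reg = global_section.get("registry", {})
    if not reg.get("enabled"):
        return list(refs)
    return [r for r in (resolve_image(x, global_section) for x in refs)
            if split_reference(r)[0] != reg["uri"]]


# Constructed sample config (registry and repository names are made up).
GLOBAL = {
    "registry": {"enabled": True, "uri": "harbor.example.com"},
    "repository": {"enabled": True, "uri": "mirror"},
}

if __name__ == "__main__":
    for ref in ("ingress-nginx/controller:v1.9.4",
                "controller:v1.9.4",
                "quay.io/prometheus/node-exporter:v1.7.0"):
        print(f"{ref:45} -> {resolve_image(ref, GLOBAL)}")
    print("still external:", images_outside(["controller:v1", "quay.io/x/y:1"], GLOBAL))
```

Note that `pattern` in JSON Schema is a search, not a full match, so `"\\..*"` only demands that the registry URI contain a dot somewhere; it does not stop a typo such as `harbor.example.com/` from passing. `images_outside` is the practical follow-up: after turning on a global registry, list every component image and confirm the result is empty if the intent is that nothing is pulled from the public internet.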
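The `kyverno.policies.verifyImageSignature` block above carries four settings (`enabled`, `type`, `ignoreRekorTlog`, `attestor`) but not the policy they produce. As an added example, not the project's chart template, the following Python renders those settings as a Kyverno `ClusterPolicy` using the `verifyImages` rule type, so the effect of each option is visible. The policy name, the choice of `Enforce`, `mutateDigest`, and the HNC namespace label used to scope the rule to HNC-controlled namespaces are assumptions; the `verifyImages` field names are Kyverno's public API.

```python
"""Render kyverno.policies.verifyImageSignature as a Kyverno ClusterPolicy.

Added example for this page; NOT the project's own chart. Assumed choices:
policy/rule names, `Enforce`, `mutateDigest`, and the HNC label used to scope
the rule (hnc.x-k8s.io/included-namespace is the label HNC sets on namespaces
it manages, but that scoping is my choice, not something the page states).
"""

HNC_NAMESPACE_SELECTOR = {"matchLabels": {"hnc.x-k8s.io/included-namespace": "true"}}


def _attestor_entry(cfg):
    """Map `type`/`attestor`/`ignoreRekorTlog` to one Kyverno attestor entry."""
    kind = cfg.get("type", "Cosign")
    attestor = cfg.get("attestor")
    if not attestor:
        raise ValueError("verifyImageSignature.attestor is required when enabled")
    if kind == "Cosign":
        # With ignoreTlog true, a valid signature from a leaked key is accepted
        # without any transparency-log record, so monitoring cannot catch it.
        return {"keys": {"publicKeys": attestor,
                         "rekor": {"ignoreTlog": bool(cfg.get("ignoreRekorTlog", False))}}}
    if kind == "Notary":
        return {"certificates": {"cert": attestor}}
    raise ValueError(f"unsupported signature type {kind!r}; expected Cosign or Notary")


def render_verify_images_policy(cfg):
    """Return the ClusterPolicy dict, or None when the policy is disabled."""
    if not cfg.get("enabled"):
        return None
    kind = cfg.get("type", "Cosign")
    entry = _attestor_entry(cfg)
    return {
        "apiVersion": "kyverno.io/v1",
        "kind": "ClusterPolicy",
        "metadata": {"name": "verify-image-signature"},   # assumed name
        "spec": {
            "validationFailureAction": "Enforce",          # block, do not just audit
            "background": False,                           # verifyImages is admission-time
            "webhookTimeoutSeconds": 30,
            "rules": [{
                "name": "verify-signature",
                "match": {"any": [{"resources": {
                    "kinds": ["Pod"],
                    "namespaceSelector": HNC_NAMESPACE_SELECTOR,
                }}]},
                "verifyImages": [{
                    "type": kind,
                    "imageReferences": ["*"],
                    "required": True,          # unsigned images are rejected
                    "mutateDigest": True,      # pin the verified image by digest
                    "attestors": [{"count": 1, "entries": [entry]}],
                }],
            }],
        },
    }


# Constructed sample config; the key body is a placeholder, not a real key.
SAMPLE_CFG = {
    "enabled": True,
    "type": "Cosign",
    "ignoreRekorTlog": True,
    "attestor": "-----BEGIN PUBLIC KEY-----\nMFkwEwY...\n-----END PUBLIC KEY-----\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(render_verify_images_policy(SAMPLE_CFG), indent=2))
```

The rendered policy makes two consequences of the config explicit: `ignoreRekorTlog: true` disables the transparency-log check on every admission, and the `namespaceSelector` means images in namespaces outside HNC's control are not verified at all, which is what "all images in HNC-controlled namespaces" in the description amounts to.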