## edp-install configuration ## Ref: https://github.com/epam/edp-install ## ## global: # -- EDP version version: "3.8.0" # -- platform type that can be "kubernetes" or "openshift" platform: "kubernetes" # -- a cluster DNS wildcard name dnsWildCard: # -- Can be gerrit, github or gitlab. Default: github gitProviders: - github # - gitlab # - gerrit # Define the Image Registry that will be used in Pipelines. # This section is optional, and users can configure the registry within the EDP Portal user interface. # Ref: https://epam.github.io/edp-install/user-guide/manage-container-registries/#add-container-registry # # For example to integrate platform with ecr and publish image under 'edp' prefix: # dockerRegistry: # type: "ecr" # url: ".dkr.ecr..amazonaws.com" # space: "edp" # awsRegion: "eu-central-1" # As a result all image artifacts are published under ".dkr.ecr..amazonaws.com/edp/simple-project:0.1.0-SNAPSHOT.1" # # For example to integrate platform with harbor and publish image under 'edp' project name: # dockerRegistry: # type: "harbor" # url: "registry.example.com" # space: "edp" # As a result all image artifacts are published under https://registry.example.com/edp/simple-project # # For example to integrate platform with dockerhub and publish image under 'my_user' account: # dockerRegistry: # type: "dockerhub" # url: "docker.io" # space: "my_user" # As a result all image artifacts are published under https://hub.docker.com/repository/docker/my_user # # For example to integrate platform with openshift and publish image under 'edp' project name: # dockerRegistry: # type: "openshift" # url: "image-registry.openshift-image-registry.svc:5000" # space: "edp" # By default, Kubernetes Service Account has the ability to push images to the registry # within the namespace where EDP is installed. # Ref: https://github.com/epam/edp-tekton/blob/master/charts/pipelines-library/templates/resources/rolebinding-tekton-registry-editor.yaml # # For example to integrate platform with nexus and publish image under 'edp' project name: # dockerRegistry: # type: "nexus" # url: "nexus-container.example.com" # space: "edp" # As a result all image artifacts are published under https://nexus-container.example.com/edp dockerRegistry: # -- Defines type of registry. One of `ecr`, `harbor`, `dockerhub`, `openshift` or `nexus`. # 'openshift' registry is available only in case if platform is deployed on the OpenShift cluster and the variable global.platform is set to 'openshift'. type: "" # Below is an example of endpoint values for each registry type: # type: | url # ============================= # ecr | .dkr.ecr..amazonaws.com # harbor | # dockerhub | 'docker.io' # openshift | # nexus | # -- Defines registry endpoint URL. url: "" # Below is a description of space values for each registry type: # type: | description # ================================================= # ecr | The suffix project name in registry. # harbor | The project name in registry. # dockerhub | The user account id or community user account id with push permission. # openshift | The project name in registry. # nexus | The project name in registry. # -- Defines project name. space: "" # -- Defines the geographic area where the (AWS) Elastic Container Registry repository is hosted (optional). E.g. "eu-central-1". # Mandatory if 'global.dockerRegistry.type=ecr' for kaniko build-task. # Ref: https://github.com/epam/edp-tekton/blob/release/0.10/charts/pipelines-library/templates/tasks/kaniko.yaml#L73 awsRegion: "" # Configure External Secrets Operator to provision secrets for Platform and/or EDP. Required External Secrets Operator deployment: https://epam.github.io/edp-install/operator-guide/install-external-secrets-operator/ # https://external-secrets.io/latest/provider-aws-secrets-manager/ # Description of secrets that can be created using this approach - available in the documentation: https://epam.github.io/edp-install/operator-guide/external-secrets-operator-integration/ externalSecrets: # -- Configure External Secrets for EDP platform. Deploy SecretStore. Default: false enabled: false # -- Defines provider type. One of `aws` or `generic`. type: "aws" secretProvider: aws: # -- Use AWS as a Secret Provider. Can be ParameterStore or SecretsManager service: ParameterStore # -- IAM Role to be used for Accessing AWS either Parameter Store or Secret Manager. Format: arn:aws:iam:::role/ role: # -- AWS Region where secrets are stored, e.g. eu-central-1 region: eu-central-1 generic: # Defines Secret Store configuration. Used when externalSecrets.type is set to "generic". secretStore: # -- Defines SecretStore name. name: "example-secret-store" # -- Defines SecretStore provider configuration. providerConfig: {} # gcpsm: # projectID: "alphabet-123" # When installing EDP, three secrets must be created: ci-argocd, ci-defectdojo, ci-dependency-track, kaniko-docker-config and other. # see https://github.com/epam/edp-install/tree/master/deploy-templates/templates/external-secrets, https://epam.github.io/edp-install/operator-guide/external-secrets-operator-integration # manageEDPInstallSecrets creates required secrets using ExternalSecretOperator # Ensure external secret source is configured properly # -- Create necessary secrets for EDP installation, using External Secret Operator manageEDPInstallSecrets: true # -- Value name in AWS ParameterStore or AWS SecretsManager. Used when manageEDPInstallSecrets is true manageEDPInstallSecretsName: /edp/deploy-secrets annotations: {} codebase-operator: enabled: true # image: # repository: epamedp/codebase-operator # tag: # envs: # - name: RECONCILATION_PERIOD # value: "360" # The value should be typed in minutes # # Maximum number of parallel reconciliation codebasebranches # - name: CODEBASE_BRANCH_MAX_CONCURRENT_RECONCILES # value: 3 # jira: # integration: false # name: "jira" # apiUrl: "https://jiraeu-api.example.com" # rootUrl: "https://jiraeu.example.com" # credentialName: "ci-jira" cd-pipeline-operator: enabled: true # image: # repository: epamedp/cd-pipeline-operator # tag: # -- Defines the type of the tenant engine that can be "none", "kiosk" or "capsule"; # for Stages with external cluster tenancyEngine will be ignored. Default: none tenancyEngine: "none" # -- Required tenancyEngine: capsule. Specify Capsule Tenant specification for Environments. capsuleTenant: # Enable Capsule Tenant creation as a part of cd-pipeline-operator deployment. Active if tenancyEngine="capsule" create: true spec: # ingressOptions: # allowWildcardHostnames: false # allowedHostnames: # # Enable restriction pattern for ingress hostname creation. # allowedRegex: ^.*example.com$ # hostnameCollisionScope: Tenant # limitRanges: # items: # - limits: # # Default limits for cintainer if not specified in upstream manifest # - default: # cpu: 256m # memory: 512Mi # # Default requests for cintainer if not specified in upstream manifest # defaultRequest: # cpu: 128m # memory: 128Mi # type: Container # # Manage PVC creation # - limits: # - max: # storage: 0Gi # min: # storage: 0Gi # type: PersistentVolumeClaim # # Maximum count of namespace to be created by cd-pipeline-operator # namespaceOptions: # quota: 3 # networkPolicies: # items: # - ingress: # - from: # - namespaceSelector: # matchLabels: # # Please fill namespace for match selector # capsule.clastix.io/tenant: # - podSelector: {} # - ipBlock: # cidr: 172.16.0.0/16 # podSelector: {} # policyTypes: # - Ingress # resourceQuotas: # items: # - hard: # limits.cpu: 512m # limits.memory: 512Mi # - hard: # # Maximum count of pods to be deployed # pods: '5' # scope: Tenant # serviceOptions: # allowedServices: # # Restrict 'externalName', 'LoadBalancer' and 'NodePort' service type creation # externalName: false # loadBalancer: false # nodePort: false # -- should the operator manage(create/delete) namespaces for stages # Refer to the guide for managing namespace (https://epam.github.io/edp-install/operator-guide/namespace-management/) manageNamespace: true # -- Flag indicating whether the operator should manage secrets for stages. # This parameter controls the provisioning of the 'regcred' secret within deployed environments, facilitating access to private container registries. # Set the parameter to "none" under the following conditions: # - If 'global.dockerRegistry.type=ecr' and IRSA is enabled, or # - If 'global.dockerRegistry.type=openshift'. # For private registries, choose the most appropriate method to provide credentials to deployed environments. Refer to the guide for managing container registries (https://epam.github.io/edp-install/user-guide/manage-container-registries/). # Possible values: own/eso/none. # - own: Copies the secret once from the parent namespace, without subsequent reconciliation. If updated in the parent namespace, manual updating in all created namespaces is required. # - eso: The secret will be managed by the External Secrets Operator (requires installation and configuration in the cluster: https://epam.github.io/edp-install/operator-guide/install-external-secrets-operator/). # - none: Disables secrets management logic. secretManager: none gerrit-operator: enabled: false # image: # repository: epamedp/gerrit-operator # tag: # gerrit: # deploy: true # name: "gerrit" # image: "openfrontier/gerrit" # version: # imagePullSecrets: # storage: # size: 1Gi # class: gp2 # gerrit: # # Provide external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }} # ingress: # # -- Enable external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }} # annotations: {} # # -- pathType is only for k8s >= 1.1= # pathType: Prefix # # -- For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # # -- See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # # ingressClassName: nginx # tls: [] # # - secretName: chart-example-tls # # hosts: # # - gerrit-edp.example.com edp-headlamp: enabled: true ingress: # -- Enable external endpoint access. Default Ingress/Route host pattern: portal-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }} enabled: true # -- Annotations for Ingress resource annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # -- Hostname(s) for the Ingress resource # -- Ingress TLS configuration tls: [] # - secretName: chart-example-tls # hosts: # - portal-edp.example.com config: # -- base url path at which headlamp should run baseURL: "" # -- Ensure that the specified client is associated with cluster OIDC integration. # -- For detailed instructions, refer to: https://epam.github.io/edp-install/operator-guide/configure-keycloak-oidc-eks/, https://epam.github.io/edp-install/operator-guide/headlamp-oidc/ oidc: # Enable OIDC integration. Default: false enabled: false # -- Keycloak URL keycloakUrl: "https://keycloak.example.com" # -- OIDC client ID clientID: "" # -- OIDC client secret name clientSecretName: "keycloak-client-headlamp-secret" # -- OIDC client secret key clientSecretKey: "clientSecret" # -- OIDC issuer realm issuerRealm: "" # -- OIDC scopes to be used scopes: "" # image: # repository: epamedp/edp-headlamp # tag: edp-tekton: enabled: true tekton-cache: # Deploy tekton-cache helm-chart. enabled: true # Tekton cache endpoint for pipeline-library helm chart. See charts/pipelines-library/templates/resources/cm-tekton-cache.yaml # url: http://tekton-cache:8080 dashboard: # -- Deploy Tekton Dashboard as a part of pipeline library when true. Default: true # -- WARNING: Default deployment of the dashboard does not involve any proxy and may be accessible to the public. # -- To enable proxy protect use openshift_proxy or oauth2_proxy sections. # -- More details: # -- https://epam.github.io/edp-install/operator-guide/oauth2-proxy/ enabled: true # -- Define mode for Tekton Dashboard. Enable/disaable capability to create/modify/remove Tekton objects via Tekton Dashboard. Default: false. readOnly: false # -- Make it possible to use openshift as OIDC provider to hide tekton-dashboard. # -- Only for openshift deploy scenario, # -- For EKS scenario - uncomment dashboard.ingress.annotations block and # -- set the value of the oauth2_proxy.enable to true # -- More details: # -- https://epam.github.io/edp-install/operator-guide/oauth2-proxy/?h=#enable-oauth2-proxy-on-tekton-dashboard openshift_proxy: # -- Enable oauth-proxy to include authorization layer on tekton-dashboard. Default: flase enabled: false ingress: # -- Enable external endpoint access. Default Ingress/Route host pattern: tekton-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }} enabled: true # -- Annotations for Ingress resource annotations: {} # -- Uncomment it to enable tekton-dashboard OIDC on EKS cluster # nginx.ingress.kubernetes.io/auth-signin: 'https:///oauth2/start?rd=https://$host$request_uri' # nginx.ingress.kubernetes.io/auth-url: 'http://oauth2-proxy.edp.svc.cluster.local:8080/oauth2/auth' tls: [] # - secretName: chart-example-tls # hosts: # - tekton-edp.example.com # GitServers configuration section # GitServer creation depends on the gitProviders configuration, if gitProvider is not enabled, # the GitServer will not be created. gitServers: {} # my-github: # gitProvider: github # host: github.com # webhook: # skipWebhookSSLVerification: false # eventListener: # # -- Enable EventListener # enabled: true # # -- EventListener resources # resources: # requests: # memory: "64Mi" # cpu: "50m" # limits: # memory: "128Mi" # cpu: "500m" # # -- Node labels for EventListener pod assignment # nodeSelector: {} # # -- Tolerations for EventListener pod assignment # tolerations: [] # # -- Affinity for EventListener pod assignment # affinity: {} # ingress: # # -- Enable ingress controller resource # enabled: true # # -- Ingress annotations # annotations: {} # # -- Ingress TLS configuration # tls: [] # my-gitlab: # gitProvider: gitlab # host: gitlab.com # webhook: # skipWebhookSSLVerification: false # eventListener: # # -- Enable EventListener # enabled: true # # -- EventListener resources # resources: # requests: # memory: "64Mi" # cpu: "50m" # limits: # memory: "128Mi" # cpu: "500m" # # -- Node labels for EventListener pod assignment # nodeSelector: {} # # -- Tolerations for EventListener pod assignment # tolerations: [] # # -- Affinity for EventListener pod assignment # affinity: {} # ingress: # # -- Enable ingress controller resource # enabled: true # # -- Ingress annotations # annotations: {} # # -- Ingress TLS configuration # tls: [] # my-gerrit: # gitProvider: gerrit # host: gerrit.example.com # gitUser: ci-user # httpsPort: 443 # nameSshKeySecret: gerrit-ciuser-sshkey # sshPort: 30022 # webhook: # skipWebhookSSLVerification: false # eventListener: # # -- Enable EventListener # enabled: true # # -- EventListener resources # resources: # requests: # memory: "64Mi" # cpu: "50m" # limits: # memory: "128Mi" # cpu: "500m" # # -- Node labels for EventListener pod assignment # nodeSelector: {} # # -- Tolerations for EventListener pod assignment # tolerations: [] # # -- Affinity for EventListener pod assignment # affinity: {} # ingress: # # -- Enable ingress controller resource # enabled: true # # -- Ingress annotations # annotations: {} # # -- Ingress TLS configuration # tls: [] # SSO (OAuth2-proxy) configuration section # The section configures the OAuth2-proxy for single Sign-On (SSO) protection of application endpoints. # # More details on setup and deployment: # - https://epam.github.io/edp-install/operator-guide/oauth2-proxy/ # # OAuth2-proxy requires Keycloak and Keycloak-operator are properly configured before deployment. # Ref: # - https://epam.github.io/edp-install/operator-guide/install-keycloak/ # - https://github.com/epam/edp-cluster-add-ons # - https://github.com/epam/edp-keycloak-operator sso: # -- Install OAuth2-proxy and Keycloak CRs as a part of EDP deployment. enabled: false # -- Defines Keycloak realm name that is used as the Identity Provider (IdP) realm realmName: "broker" # -- Keycloak URL. keycloakUrl: https://keycloak.example.com # -- Administrators of your tenant. admins: - "stub_user_one@example.com" # -- Developers of your tenant developers: - "stub_user_one@example.com" - "stub_user_two@example.com" # Oauth2-proxy image image: # -- OAuth2-proxy image repository repository: quay.io/oauth2-proxy/oauth2-proxy # -- OAuth2-proxy image tag tag: v7.4.0 # Create a cookie-secret with the following command: # 'openssl rand -base64 32 | head -c 32 | base64' # Use an existing secret for OAuth2 cookie-secret existingSecret: # -- Secret name which stores cookie-secret secretName: oauth2-proxy-cookie-secret # -- Secret key which stores cookie-secret secretKey: cookie-secret # -- Additional container environment variables extraEnv: [] # -- Extra arguments to provide to the OAuth2-proxy extraArgs: {} # -- Additional volumes to be added to the OAuth2-proxy pod extraVolumes: [] # - name: custom-ca # secret: # defaultMode: 420 # secretName: custom-ca # -- Additional volumeMounts to be added to the OAuth2-proxy container extraVolumeMounts: [] # - name: custom-ca # mountPath: /etc/ssl/certs/CA.crt # readOnly: true # subPath: CA.crt ingress: # -- Additional ingress annotations annotations: {} # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName # Ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # -- Defines which ingress controller will implement the resource, e.g. nginx ingressClassName: "" # -- Ingress TLS configuration tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local # -- Node labels for pod assignment nodeSelector: {} # -- Toleration labels for pod assignment tolerations: [] # -- Affinity settings for pod assignment affinity: {} # -- Define platform Quick Links, more details: https://github.com/epam/edp-codebase-operator/ # @default -- `` quickLinks: # argocd: "" # defectdojo: "" # dependency_track: "" # docker_registry: "" # grafana: "" # kibana: "" # nexus: "" # sonar: "" # -- Define extra Quick Links, more details: https://github.com/epam/edp-codebase-operator/ extraQuickLinks: {} # - prometheus: # url: https://ingress-prometheus.example.com # visible: true # icon: icon_in_base64 # - another_tool: # url: https://ingress-anothertool.example.com # visible: true # icon: icon_in_base64 # -- Array of extra K8s manifests to deploy extraObjects: [] # - apiVersion: external-secrets.io/v1beta1 # kind: ExternalSecret # metadata: # name: example-secret-1 # spec: # data: # - remoteRef: # key: /edp/deploy-secrets # property: example-secret-1.username # secretKey: username # - remoteRef: # key: /edp/deploy-secrets # property: example-secret-1.password # secretKey: password # secretStoreRef: # kind: SecretStore # name: example-parameterstore # - | # apiVersion: external-secrets.io/v1beta1 # kind: ExternalSecret # metadata: # name: example-secret-2 # spec: # data: # - remoteRef: # key: /edp/deploy-secrets # property: example-secret-2.username # secretKey: username # - remoteRef: # key: /edp/deploy-secrets # property: example-secret-2.password # secretKey: password # secretStoreRef: # kind: SecretStore # name: example-parameterstore