---
# Default Helm values for the dkp-insights 1.0.1 application, packaged as a
# ConfigMap with a single key (values.yaml) that holds the embedded values
# document.
# NOTE(review): ${releaseNamespace} is a placeholder that must be substituted
# before this manifest is applied — presumably by the packaging/install tooling;
# confirm where the substitution happens, because an unsubstituted value would
# be used literally as the namespace name.
# NOTE(review): the name suffix -d2iq-defaults matches the ConfigMap-kapps
# nameRegexp below (.*?-d2iq-defaults), so this ConfigMap itself falls under the
# engine's DKP identification rules.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dkp-insights-1.0.1-d2iq-defaults
  namespace: ${releaseNamespace}
data:
  # Literal block scalar: newlines are preserved and one trailing newline is
  # kept. Every line below (comments included) is content of the embedded
  # document, so nothing here may be indented less than the first content line.
  values.yaml: |
    # Insights backend service.
    backend:
      # Duration strings (72h, 1h, ...); how they are parsed is up to the
      # consuming chart — presumably Go duration syntax, confirm.
      alertExpirationTime: 72h
      alertmanager:
        # Quoted so the value stays a string. Note the snake_case key, unlike
        # the camelCase used for most other keys in this document.
        db_channel_buffer_size: "16"
      # Ports in this section are quoted strings, not integers (contrast
      # s3.port below, which is an integer).
      apiPort: "8090"
      engineConfig:
        dkpIdentification:
          # Each appRoots entry pairs a Kubernetes GroupKind with a regular
          # expression over resource names. The -kapps and -additional suffixes
          # presumably distinguish resources installed by DKP applications from
          # other platform components — TODO confirm in the engine code.
          # The patterns are written unanchored; whether the engine matches
          # them against the full name or as substrings decides how much they
          # over-match (e.g. `cert-manager` would also match `cert-manager-crds`
          # as a substring), so verify the matching semantics before relying on
          # a short alternative.
          appRoots:
            Certificate-kapps:
              groupKind:
                group: cert-manager.io
                kind: Certificate
              nameRegexp: chartmuseum-tls|etcd-metrics-proxy-tls-cert|kommander-ca|kommander-karma-client-cert|kommander-kubecost-thanos-client-cert|kommander-thanos-client-cert
            ClusterIssuer-kapps:
              groupKind:
                group: cert-manager.io
                kind: ClusterIssuer
              nameRegexp: kommander-ca|selfsigned-issuer
            ClusterRole-kapps:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: ClusterRole
              nameRegexp: check-dkp-ceph-crd|crd-controller-kommander-flux|dkp-centralized-kubecost-admin|dkp-centralized-kubecost-edit|dkp-centralized-kubecost-view|dkp-grafana-logging-admin|dkp-grafana-logging-edit|dkp-grafana-logging-view|dkp-jaeger-admin|dkp-jaeger-edit|dkp-jaeger-view|dkp-karma-admin|dkp-karma-edit|dkp-karma-view|dkp-kiali-admin|dkp-kiali-edit|dkp-kiali-view|dkp-kubecost-admin|dkp-kubecost-edit|dkp-kubecost-view|dkp-kubernetes-dashboard-admin|dkp-kubernetes-dashboard-edit|dkp-kubernetes-dashboard-view|dkp-thanos-query-admin|dkp-thanos-query-edit|dkp-thanos-query-view|dkp-traefik-admin|dkp-traefik-edit|dkp-traefik-view|etcd-metrics|etcd-metrics-proxy|flux-edit-kommander-flux|flux-view-kommander-flux|kubecost-configmap-edit
            ClusterRoleBinding-kapps:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: ClusterRoleBinding
              nameRegexp: check-dkp-ceph-crd|cluster-reconciler-kommander-flux|crd-controller-kommander-flux|etcd-metrics-proxy|etcd-metrics-rolebinding|kubecost-configmap-edit
            # Empty group denotes the core API group (same for Namespace,
            # Service, ServiceAccount, Pod, PVC and ResourceQuota below).
            ConfigMap-kapps:
              groupKind:
                group: ""
                kind: ConfigMap
              # The lazy `.*?` in `.*?-d2iq-defaults` behaves like `.*` once the
              # pattern is anchored at both ends; harmless either way.
              nameRegexp: .*?-d2iq-defaults|ai-navigator-app-config|alertmanager-app-dashboard-info|centralized-grafana-app-dashboard-info|dashboard-app-dashboard-info|grafana-app-dashboard-info|grafana-logging-app-dashboard-info|jaeger-app-dashboard-info|karma-app-dashboard-info|kiali-app-dashboard-info|kubecost-app-dashboard-info|prometheus-app-dashboard-info|rook-ceph-cluster-dashboard-info|traefik-app-dashboard-info|traefik-plugin-rewritebody
            ConstraintTemplate-kapps:
              groupKind:
                group: templates.gatekeeper.sh
                kind: ConstraintTemplate
              nameRegexp: requiredserviceaccountname
            CustomResourceDefinition-kapps:
              groupKind:
                group: apiextensions.k8s.io
                kind: CustomResourceDefinition
              nameRegexp: alerts.notification.toolkit.fluxcd.io|buckets.source.toolkit.fluxcd.io|gitrepositories.source.toolkit.fluxcd.io|helmcharts.source.toolkit.fluxcd.io|helmreleases.helm.toolkit.fluxcd.io|helmrepositories.source.toolkit.fluxcd.io|kustomizations.kustomize.toolkit.fluxcd.io|ocirepositories.source.toolkit.fluxcd.io|providers.notification.toolkit.fluxcd.io|receivers.notification.toolkit.fluxcd.io
            DaemonSet-kapps:
              groupKind:
                group: apps
                kind: DaemonSet
              nameRegexp: etcd-metrics-proxy
            # Key casing differs from DaemonSet-kapps above (Daemonsets vs
            # DaemonSet); cosmetic, but worth aligning if the keys are ever
            # matched by name.
            Daemonsets-additional:
              groupKind:
                group: apps
                kind: DaemonSet
              nameRegexp: ebs-csi-node|calico-system|calico-node|csi-node-driver|capz-nmi|kube-prometheus-stack-prometheus-node-exporter|logging-operator-logging-fluentbit|kube-proxy|node-feature-discovery-worker|etcd-metrics-proxy|aws-cloud-controller-manager|istio-cni-node|dkp-insights-kubebench-.*?
            Deployment-kapps:
              groupKind:
                group: apps
                kind: Deployment
              # NOTE(review): the literal alternative `not-used-in-a-patch`
              # (also in NetworkPolicy-kapps) looks like a placeholder; confirm
              # whether it is intentional.
              nameRegexp: ai-navigator-app|helm-controller|kustomize-controller|not-used-in-a-patch|notification-controller|source-controller|velero-backup-storage-location-updater
            Deployments-additional:
              groupKind:
                group: apps
                kind: Deployment
              # NOTE(review): `ebs-csi-controller` and
              # `capi-kubeadm-control-plane-system` each appear twice in this
              # alternation (harmless, but could be deduplicated), and several
              # alternatives (capi-system, cappp-system,
              # capi-kubeadm-control-plane-system) read like namespace names
              # rather than Deployment names — verify they match anything.
              nameRegexp: calico-kube-controllers|calico-typha|capa-controller-manager|capg-controller-manager|capi-kubeadm-control-plane-controller-manager|capi-kubeadm-bootstrap-controller-manager|capv-controller-manager|capvcd-controller-manager|capz-controller-manager|cert-manager|cert-manager-cainjector|cert-manager-webhook|kommander-appmanagement|cluster-autoscaler|coredns|ebs-csi-controller|capi-kubeadm-control-plane-system|capi-system|capi-kubeadm-control-plane-system|capi-controller-manager|cappp-controller-manager|cappp-system|cluster-observer|ebs-csi-controller|tigera-operator|snapshot-controller|node-feature-discovery-master|velero-backup-storage-location-updater
            Deployments-additional-istio:
              groupKind:
                group: apps
                kind: Deployment
              nameRegexp: istiod|istio-ingressgateway
            FederatedTypeConfig-kapps:
              groupKind:
                group: core.kubefed.io
                kind: FederatedTypeConfig
              nameRegexp: clusterrolebindings.rbac.authorization.k8s.io|limitranges|networkpolicies.networking.k8s.io|resourcequotas|rolebindings.rbac.authorization.k8s.io|roles.rbac.authorization.k8s.io
            Flow-kapps:
              groupKind:
                group: logging.banzaicloud.io
                kind: Flow
              nameRegexp: project-logging-flow
            HelmRelease-additional:
              groupKind:
                group: helm.toolkit.fluxcd.io
                kind: HelmRelease
              nameRegexp: .*?-kubecost-.*?|.*?-prometheus-.*?|metallb|nvidia|cluster-observer-.*?|dkp-insights
            HelmRelease-kapps:
              groupKind:
                group: helm.toolkit.fluxcd.io
                kind: HelmRelease
              nameRegexp: ai-navigator-cluster-info-agent|ai-navigator-cluster-info-api|centralized-grafana|centralized-kubecost|cert-manager|cert-manager-crds|chartmuseum|dex|dex-k8s-authenticator|dkp-insights|dkp-insights-management|external-dns|fluent-bit|gatekeeper|gatekeeper-proxy-mutations|gitea|grafana-logging|grafana-loki|istio|jaeger|karma|karma-traefik|kiali|knative|kommander|kommander-appmanagement|kommander-ui|kube-oidc-proxy|kube-prometheus-stack|kubecost|kubecost-thanos-traefik|kubefed|kubernetes-dashboard|kubetunnel|logging-operator|logging-operator-logging|nfs-server-provisioner|nvidia-gpu-operator|object-bucket-claims|project-grafana-logging|project-grafana-loki|project-loki-object-bucket-claims|prometheus-adapter|prometheus-thanos-traefik|reloader|rook-ceph|rook-ceph-cluster|thanos|traefik|traefik-forward-auth|traefik-forward-auth-mgmt|velero
            Ingress-additional:
              groupKind:
                group: networking.k8s.io
                kind: Ingress
              nameRegexp: kubecost-grafana
            Ingress-kapps:
              groupKind:
                group: networking.k8s.io
                kind: Ingress
              nameRegexp: traefik-dashboard|velero-ceph
            Job-additional:
              groupKind:
                group: batch
                kind: Job
              nameRegexp: delete-jaeger-deployment|delete-node-exporter-daemonset|delete-prometheus-adapter-deployment|update-tenant-crd-metadata|delete-obc-jobs
            Job-kapps:
              groupKind:
                group: batch
                kind: Job
              nameRegexp: copy-kubecost-grafana-datasource-cm|create-kommander-thanos-query-stores-configmap|create-kubecost-thanos-query-stores-configmap|dkp-ceph-prereq-job|grafana-loki-pre-install|velero-pre-install
            Kustomization-additional:
              groupKind:
                group: kustomize.toolkit.fluxcd.io
                kind: Kustomization
              nameRegexp: fluent-bit-resource-quota|grafana-dashboards-core-components|grafana-dashboards-logging-operator|jaeger-pre-upgrade|kube-prometheus-stack-pre-upgrade|prometheus-adapter-pre-upgrade|rook-ceph-cluster-obc-pre-upgrade
            Kustomization-kapps:
              groupKind:
                group: kustomize.toolkit.fluxcd.io
                kind: Kustomization
              # `rook-ceph-cluster-prereq-jobs-v1.12.6` carries a version in the
              # name; the dots are unescaped and so match any character, which
              # is harmless here but means the entry must be updated when that
              # job is renamed.
              nameRegexp: ai-navigator-cluster-info-agent-helmrelease|ai-navigator-cluster-info-api-helmrelease|centralized-kubecost-post-install-jobs|centralized-kubecost-release|cert-manager-namespace|cert-manager-priorityclass-resource-quota|cert-manager-release|cert-manager-root-ca|dkp-insights-helmrelease|dkp-insights-management-helmrelease|etcd-metrics-proxy|gatekeeper-constraint-templates|gatekeeper-constraints|gatekeeper-release|grafana-loki-helmrelease|grafana-loki-pre-install|istio-helmrelease|jaeger-helmrelease|kube-federation-system-namespace|kube-prometheus-stack-helmrelease|kubefed-federatedtypeconfigs|kubefed-release|nvidia-gpu-operator-helmrelease|object-bucket-claims-helmrelease|prometheus-adapter-helmrelease|rook-ceph-cluster-helmrelease|rook-ceph-cluster-prereq-jobs-v1.12.6|rook-ceph-helmrelease|thanos-jobs|velero-helmrelease|velero-post-install|velero-pre-install
            Namespace-additional:
              groupKind:
                group: ""
                kind: Namespace
              nameRegexp: node-feature-discovery|calico-system|cap.*?-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator
            Namespace-kapps:
              groupKind:
                group: ""
                kind: Namespace
              nameRegexp: cert-manager|kommander-flux|kube-federation-system
            NetworkPolicy-kapps:
              groupKind:
                group: networking.k8s.io
                kind: NetworkPolicy
              nameRegexp: allow-egress|allow-scraping|allow-source|allow-webhooks|not-used-in-a-patch
            Output-kapps:
              groupKind:
                group: logging.banzaicloud.io
                kind: Output
              nameRegexp: project-logging-loki
            PersistentVolumeClaim-kapps:
              groupKind:
                group: ""
                kind: PersistentVolumeClaim
              nameRegexp: chartmuseum
            Pod-additional:
              groupKind:
                group: ""
                kind: Pod
              nameRegexp: kube-scheduler-ip-.*?|check-dkp-loki-.*?|check-dkp-velero-.*?
            # Gatekeeper constraints that require HelmReleases and
            # Kustomizations to set a service account.
            RequiredServiceAccountName-kapps:
              groupKind:
                group: constraints.gatekeeper.sh
                kind: RequiredServiceAccountName
              nameRegexp: helmrelease-must-have-sa|kustomization-must-have-sa
            ResourceQuota-kapps:
              groupKind:
                group: ""
                kind: ResourceQuota
              nameRegexp: cert-manager-critical-pods|critical-pods-kommander-flux
            Role-additional:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: Role
              nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade
            Role-kapps:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: Role
              nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install
            RoleBinding-additional:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: RoleBinding
              nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|obc-pre-upgrade|prometheus-adapter-pre-upgrade
            # Same name list as Role-kapps: the bindings are named after the
            # roles they bind.
            RoleBinding-kapps:
              groupKind:
                group: rbac.authorization.k8s.io
                kind: RoleBinding
              nameRegexp: ai-navigator-app|d2iq-traefik-certmanager-init|grafana-loki-pre-install|kommander-thanos-configmap-edit|kubecost-thanos-configmap-edit|velero-post-install|velero-pre-install
            Service-kapps:
              groupKind:
                group: ""
                kind: Service
              nameRegexp: ai-navigator-app|etcd-metrics-proxy|kommander-traefik-dashboard|kommander-traefik-prometheus|notification-controller|source-controller|webhook-receiver
            ServiceAccount-additional:
              groupKind:
                group: ""
                kind: ServiceAccount
              nameRegexp: jaeger-pre-upgrade|kps-pre-upgrade|prometheus-adapter-pre-upgrade|kube-prometheus-stack-prometheus|check-dkp-ceph-crd|obc-pre-upgrade|grafana-loki-pre-install
            ServiceAccount-kapps:
              groupKind:
                group: ""
                kind: ServiceAccount
              nameRegexp: ai-navigator-app|check-dkp-ceph-crd|etcd-metrics-proxy|grafana-loki-pre-install|helm-controller|kommander-thanos-configmap-edit|kubecost-configmap-edit|kubecost-thanos-configmap-edit|kustomize-controller|notification-controller|source-controller|velero-post-install|velero-pre-install
          enabled: true
          # Union of the Namespace-additional and Namespace-kapps patterns above,
          # except node-feature-discovery, which is listed only in
          # Namespace-additional — presumably intentional, confirm.
          filteredNamespacesRegexp: cert-manager|calico-system|cap.*?-system|kommander-flux|kube-federation-system|kube-node-lease|kube-public|kube-system|kubecost|metallb-system|tigera-operator
          # Insight sources the engine consumes; they correspond to the nova,
          # pluto and polaris sections below (PolarisAudit presumably being the
          # polaris output — confirm).
          insightClassNames: Nova|Pluto|PolarisAudit
        # Engine operating mode; the accepted values and the meaning of
        # `daytwo` are not documented here — see the engine for details.
        mode: daytwo
        replay:
          # Service name the replay feature points its API server at.
          apiServerService: dkp-insights-replay-troubleshoot-live
      eventExpirationTime: 1h
      livenessProbe:
        failureThreshold: 3
        initialDelaySeconds: 60
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      # snake_case here, while the cleanup/kubeBench/nova/... sections use
      # logLevel; both spellings are part of the chart contract, so they
      # cannot be unified from the values side.
      log_level: INFO
      readinessProbe:
        failureThreshold: 3
        initialDelaySeconds: 60
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      resources:
        limits:
          cpu: 1000m
          memory: 512Mi
        requests:
          cpu: 250m
          memory: 128Mi
      # Object storage for the backend; endpoint is the in-cluster rook-ceph
      # RGW service name. NOTE(review): port 80 means the backend reaches the
      # object store over plain HTTP; presumably acceptable as cluster-internal
      # traffic, but confirm whether the RGW service exposes a TLS port that
      # could be used instead.
      s3:
        bucketSize: 1G
        enableObjectBucketClaim: true
        endpoint: rook-ceph-rgw-dkp-object-store
        port: 80
        region: us-east-1
        storageClassName: dkp-object-store
      synchronous_view_details: false
      # Utilisation thresholds as fractions of capacity; quoted so "0.80" keeps
      # its trailing zero instead of becoming the float 0.8.
      thresholds:
        storage:
          disk:
            critical: "0.95"
            notice: "0.80"
            warning: "0.90"
          pvc:
            critical: "0.95"
            notice: "0.80"
            warning: "0.90"
      webhookPort: "8080"
    # Retention/cleanup job for stored alerts, events and insights.
    cleanup:
      alertsTTL: 168h
      # Size cap for the database; the cleanup job presumably enforces it —
      # confirm how it is applied.
      dbSizeLimit: 8Gi
      eventsTTL: 168h
      insightsTTL: 168h
      logLevel: INFO
      rejectedAlertsTTL: 168h
      # Far longer than the other TTLs; presumably aggregates are meant to
      # outlive the raw records they summarise — confirm.
      resolutionAggregatesTTL: 10000h
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi
      # A leading @ is a YAML indicator, so the interval must be quoted (same
      # for every schedule key below). The intervals across jobs are staggered
      # (35m/37m/41m/2h), presumably to spread load.
      schedule: '@every 37m'
    # Main insights image: docker.io/mesosphere/insights:v1.0.1; the tag
    # matches the chart version in the ConfigMap name.
    image:
      imagePullPolicy: IfNotPresent
      registry: docker.io
      repository: mesosphere/insights
      tag: v1.0.1
    initdb:
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi
    # CIS benchmark scanning with kube-bench, run per node subset.
    kubeBench:
      config:
        image:
          pullPolicy: IfNotPresent
          repository: aquasec/kube-bench
          # Pinned tag; keep it pinned — these pods run with host-level access
          # (see setups below).
          tag: v0.6.10
        nodeSubsets:
          all-nodes:
            defaultSetup: nodes-default
            # Setup chosen per managed provider when the engine autodetects
            # one; otherwise defaultSetup applies.
            setupAutodetection:
              aks: nodes-aks
              eks: nodes-eks
              gke: nodes-gke
            # Empty key with operator Exists tolerates every NoSchedule taint,
            # so this subset can be scheduled onto any node.
            tolerations:
              - effect: NoSchedule
                key: ""
                operator: Exists
          control-plane:
            defaultSetup: control-plane-default
            nodeSelector:
              node-role.kubernetes.io/control-plane: ""
            # Explicit empty map (a bare key would be null).
            setupAutodetection: {}
            # Tolerates both the current control-plane taint and the legacy
            # master taint.
            tolerations:
              - effect: NoSchedule
                key: node-role.kubernetes.io/control-plane
                operator: Exists
              - effect: NoSchedule
                key: node-role.kubernetes.io/master
                operator: Exists
        pause:
          image:
            pullPolicy: IfNotPresent
            repository: gcr.io/google_containers/pause
            # Quoted so 3.2 stays a string rather than a float.
            tag: "3.2"
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 10m
              memory: 10Mi
        resources:
          limits:
            cpu: 100m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 512Mi
        # One kube-bench invocation profile per node role / provider.
        # NOTE(review): hostPID: true together with these host directory mounts
        # gives the scanner access to node configuration (etcd data dir,
        # kubelet, systemd units, CNI config, and on control-plane nodes
        # /etc/passwd and /etc/group). That is the access kube-bench needs to
        # audit the node, but whether the mounts are read-only is decided by
        # the chart template, not here, so any addition to hostPaths should be
        # reviewed like a change to a privileged workload.
        setups:
          # --targets master: control-plane checks.
          control-plane-default:
            additionalArgs:
              - --targets
              - master
            hostPID: true
            hostPaths:
              - /var/lib/etcd
              - /var/lib/kubelet
              - /var/lib/kube-scheduler
              - /var/lib/kube-controller-manager
              - /etc/systemd
              - /lib/systemd
              - /srv/kubernetes
              - /etc/kubernetes
              - /etc/cni/net.d/
              - /opt/cni/bin/
              - /etc/passwd
              - /etc/group
            # Explicit empty list of checks to skip (a bare key would be null).
            skip: []
          nodes-aks:
            additionalArgs:
              - --targets
              - node
            hostPID: true
            hostPaths:
              - /var/lib/kubelet
              - /etc/systemd
              - /etc/default
              - /etc/kubernetes
            skip: []
          nodes-default:
            additionalArgs:
              - --targets
              - node
            hostPID: true
            hostPaths:
              - /var/lib/etcd
              - /var/lib/kubelet
              - /var/lib/kube-scheduler
              - /var/lib/kube-controller-manager
              - /etc/systemd
              - /lib/systemd
              - /srv/kubernetes
              - /etc/kubernetes
              - /etc/cni/net.d/
              - /opt/cni/bin/
            skip: []
          nodes-eks:
            additionalArgs:
              - --targets
              - node
            hostPID: true
            hostPaths:
              - /var/lib/kubelet
              - /etc/systemd
              - /etc/kubernetes
            skip: []
          # GKE additionally runs the policies and managedservices targets.
          nodes-gke:
            additionalArgs:
              - --targets
              - node,policies,managedservices
            hostPID: true
            hostPaths:
              - /var/lib/kubelet
              - /etc/systemd
              - /etc/kubernetes
              - /home/kubernetes
            skip: []
        upload:
          logLevel: INFO
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 100m
              memory: 64Mi
      enabled: true
      launcher:
        baseEvaluationTimeout: 1m
        # 0s: the scanner DaemonSet is removed as soon as it is done.
        daemonSetRemovalDelay: 0s
        daemonSetWaitTimeout: 240m
        logLevel: INFO
        resources:
          limits:
            cpu: 100m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 512Mi
      schedule: '@every 35m'
    # Nova scanner (quay.io/fairwinds/nova).
    nova:
      baseEvaluationTimeout: 1m
      enabled: true
      # Explicit empty list (a bare key would be null).
      helmRepositoryURLs: []
      image:
        pullPolicy: IfNotPresent
        repository: quay.io/fairwinds/nova
        # Unquoted but still a string (two dots cannot form a float); quoting
        # it would match the "3.2"/"5.1" tags elsewhere in this file.
        tag: 3.4.0
      resources:
        limits:
          cpu: 100m
          memory: 512Mi
        requests:
          cpu: 100m
          memory: 512Mi
      schedule: '@every 35m'
      upload:
        logLevel: INFO
        resources:
          limits:
            cpu: 250m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
    # Pluto scanner (quay.io/fairwinds/pluto).
    pluto:
      baseEvaluationTimeout: 1m
      enabled: true
      image:
        pullPolicy: IfNotPresent
        repository: quay.io/fairwinds/pluto
        tag: v5.10.6
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 128Mi
      schedule: '@every 41m'
      upload:
        logLevel: INFO
        resources:
          limits:
            cpu: 250m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
    # Polaris scanner (quay.io/fairwinds/polaris).
    polaris:
      baseEvaluationTimeout: 5m
      config:
        # Severity assigned to each Polaris check: danger, warning or ignore.
        # NOTE(review): pullPolicyNotAlways is a warning while every image in
        # this file uses IfNotPresent, so the insights workloads themselves
        # would presumably be flagged if they are in scope — confirm that is
        # intended.
        checks:
          cpuLimitsMissing: warning
          cpuRequestsMissing: warning
          dangerousCapabilities: danger
          deploymentMissingReplicas: warning
          hostIPCSet: danger
          hostNetworkSet: danger
          hostPIDSet: danger
          hostPortSet: warning
          insecureCapabilities: warning
          livenessProbeMissing: warning
          memoryLimitsMissing: warning
          memoryRequestsMissing: warning
          metadataAndNameMismatched: ignore
          missingPodDisruptionBudget: ignore
          notReadOnlyRootFilesystem: warning
          pdbDisruptionsIsZero: warning
          priorityClassNotSet: ignore
          privilegeEscalationAllowed: danger
          pullPolicyNotAlways: warning
          readinessProbeMissing: warning
          runAsPrivileged: danger
          runAsRootAllowed: danger
          tagNotSpecified: danger
          tlsSettingsMissing: warning
      enabled: true
      image:
        pullPolicy: IfNotPresent
        repository: quay.io/fairwinds/polaris
        # Quoted so 5.1 stays a string rather than a float.
        tag: "5.1"
      resources:
        limits:
          cpu: 100m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 128Mi
      schedule: '@every 37m'
      upload:
        logLevel: INFO
        resources:
          limits:
            cpu: 250m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
    # Embedded PostgreSQL used by the backend.
    postgresql:
      global:
        connectionPool:
          connectionMaxLifetime: 1h
          maxIdleConnections: 30
          maxOpenConnections: 50
        postgresql:
          auth:
            database: dkp-insights
            # NOTE(review): a plaintext default password (presumably for the
            # postgres superuser) committed in a ConfigMap, which is readable
            # by anyone with ConfigMap read access in the release namespace —
            # ConfigMaps are not Secrets. Override it at install time and, if
            # the chart supports referencing an existing Secret for the
            # password, prefer that over setting a value here.
            postgresPassword: dkp-insights
          servicePort: 5432
      primary:
        persistence:
          size: 8Gi
        priorityClassName: dkp-critical-priority
        resources:
          limits:
            cpu: 250m
            memory: 1Gi
          requests:
            cpu: 250m
            memory: 1Gi
    # Resource requests/limits for the helper workloads (preUpgrade,
    # reforwarder, resolutionCM, uninstall, initdb) — presumably one-off jobs
    # or hooks, confirm in the chart templates.
    preUpgrade:
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi
    # Applies to the main workloads; the postgresql primary sets the same
    # class separately above.
    priorityClassName: dkp-critical-priority
    reforwarder:
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi
    resolutionCM:
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi
    selfAlerting:
      postgres:
        enabled: true
        # Fraction (float) of the memory request at which the database's
        # working set raises a self-alert.
        memoryWorkingSetToRequestsThreshold: 0.75
    # Trivy vulnerability scanning; disabled by default.
    trivy:
      baseEvaluationTimeout: 10m
      enabled: false
      # Optional Secret providing environment variables to the scanner;
      # disabled here, only the expected Secret name is set.
      envSecret:
        enabled: false
        name: dkp-insights-trivy-env
      image:
        # Full image reference (registry-less docker.io default) pinned to a
        # date-stamped bundle tag, unlike the registry/repository/tag split
        # used for the other images.
        imageFull: mesosphere/trivy-bundles:0.45.1-20231019T024033Z
        pullPolicy: IfNotPresent
      resources:
        limits:
          cpu: 200m
          memory: 10Gi
        requests:
          cpu: 200m
          memory: 10Gi
      schedule: '@every 2h'
      # Overall job timeout; how it relates to baseEvaluationTimeout above is
      # not visible here — confirm in the launcher.
      timeout: 90m
      upload:
        logLevel: INFO
        resources:
          limits:
            cpu: 250m
            memory: 128Mi
          requests:
            cpu: 100m
            memory: 64Mi
    uninstall:
      resources:
        limits:
          cpu: 250m
          memory: 128Mi
        requests:
          cpu: 100m
          memory: 64Mi