-
Notifications
You must be signed in to change notification settings - Fork 179
Expand file tree
/
Copy pathvalues.yaml
More file actions
133 lines (118 loc) · 6.51 KB
/
values.yaml
File metadata and controls
133 lines (118 loc) · 6.51 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# SPDX-FileCopyrightText: the secureCodeBox authors
#
# SPDX-License-Identifier: Apache-2.0
# Default values for operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# telemetryEnabled -- The Operator sends anonymous telemetry data, to give the team an overview how much the secureCodeBox is used. Find out more at https://www.securecodebox.io/telemetry
telemetryEnabled: true
# -- Define imagePullSecrets when a private registry is used (see: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/)
imagePullSecrets: []
image:
# image.repository -- The operator image repository
repository: docker.io/securecodebox/operator
# image.tag -- Parser image tag
# @default -- defaults to the charts version
tag: null
# -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
pullPolicy: IfNotPresent
# -- Setup for Custom CA certificates. These are automatically mounted into every secureCodeBox component (lurker, parser & hooks).
# Requires that every namespace has a configmap with the CA certificate(s)
customCACertificate:
# -- name of the configMap holding the ca certificate(s), needs to be the same across all namespaces
existingCertificate: null
# -- key in the configmap holding the certificate(s)
certificate: "public.crt"
serviceAccount:
# -- Name of the serviceAccount the operator uses to talk to the k8s api
name: securecodebox-operator
# -- Annotations of the serviceAccount the operator uses to talk to the k8s api
annotations: {}
# -- Labels of the serviceAccount the operator uses to talk to the k8s api
labels: {}
# -- Sets the securityContext on the operators container level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
securityContext:
# securityContext.runAsNonRoot -- Enforces that the Operator image is run as a non root user
runAsNonRoot: true
# securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
readOnlyRootFilesystem: true
# securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
allowPrivilegeEscalation: false
# securityContext.privileged -- Ensures that the operator container is not run in privileged mode
privileged: false
capabilities:
drop:
# securityContext.capabilities.drop[0] -- This drops all linux privileges from the operator container. They are not required
- all
# -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
podSecurityContext: {}
nodeSelector: {}
# -- Configuration for the metrics the operator exports
metrics:
serviceMonitor:
# -- Creates a prometheus operator ServiceMonitor rule to automatically scrape the operators metrics: https://github.com/prometheus-operator/prometheus-operator
enabled: false
lurker:
image:
# lurker.image.repository -- The operator image repository
repository: docker.io/securecodebox/lurker
# lurker.image.tag -- Parser image tag
# @default -- defaults to the charts version
tag: null
# -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
pullPolicy: IfNotPresent
# -- Minio default config. More config options an info: https://github.com/minio/minio/blob/master/helm/minio/values.yaml
minio:
# -- Enable this to use minio as storage backend instead of a cloud bucket provider like AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
enabled: true
tls:
enabled: false
defaultBuckets: "securecodebox"
# Overwrite Minio's default 4Gi memory request
resources:
requests:
memory: "256Mi"
auth:
rootUser: "admin" # placeholder user
rootPassword: "password" # placeholder password
# Config for external s3 systems
s3:
# s3.enabled Enable this and disable minio if you want to directly connect against AWS S3, Google Cloud Storage, DigitalOcean Spaces etc.
enabled: false
tls:
enabled: true
endpoint: "fra1.digitaloceanspaces.com"
bucket: "my-bucket"
# Implicit 443. You probably only need to change this when the system uses a non default port
port: null
# s3.authType -- Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox)
authType: access-secret-key
# Name to a k8s secret in the same namespace as this release with credentials to the s3 bucket. Only used when s3.authType is set to "access-secret-key"
# By default this assumes to have 'accesskey' and 'secretkey' as attributes
# Example creation via kubectl:
# kubectl create secret generic my-secret --from-literal=accesskey='******' --from-literal=secretkey='******' -n <namespace>
keySecret: my-secret
# Names to the attributes in the s3 secret
secretAttributeNames:
accesskey: accesskey
secretkey: secretkey
# s3.awsStsEndpoint -- STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa"
awsStsEndpoint: "https://sts.amazonaws.com"
# -- Go Template that generates the path used to store raw result file and findings.json file in the s3 bucket. Can be used to store the files in a subfolder of the s3 bucket
# @default -- scan-{{ .Scan.UID }}/{{ .Filename }}
urlTemplate: null
# resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources:
limits:
cpu: 100m
memory: 30Mi
requests:
cpu: 100m
memory: 20Mi
# presignedUrlExpirationTimes -- Duration how long presigned urls are valid
presignedUrlExpirationTimes:
scanners: "12h"
parsers: "1h"
hooks: "1h"
# -- Sets the value of the istio sidecar annotation ("sidecar.istio.io/inject") for jobs started by the operator (scans, parser and hooks). defaults to false to prevent jobs hanging indefinitely due to the sidecar never terminating. If you aren't using istio this setting/annotation has no effect.
allowIstioSidecarInjectionInJobs: false