-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathvalues.yaml
More file actions
473 lines (444 loc) · 17.4 KB
/
Copy pathvalues.yaml
File metadata and controls
473 lines (444 loc) · 17.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
# Default values for devguard.
# This is a YAML-formatted file.
# Declare variables to be passed into templates.
################################################################################################################################################
## Authentication Related Settings (Kratos)
######
kratos:
image:
repository: oryd/kratos
tag: "v26.2.0-distroless"
digest: "sha256:481bfc3022e5427ffb94570eef84480b99c9f8158388378c57df8c1a4a104b3d"
pullPolicy: IfNotPresent
webauthn:
enabled: false
passkey:
enabled: true
password:
enabled: true
totp:
enabled: false
verificationAfterSignUp:
enabled: true
oidc:
enabled: false
providers: []
# - id: github
# provider: github
# clientId: "sample-client-id"
# disableTicketSync: false
# existingClientSecretName: github-client-secret # needs to contain key "secret"
# - id: gitlab
# provider: gitlab
# issuerUrl: https://gitlab.de
# clientId: client-id
# existingClientSecretName: gitlab-secret
# existingAdminTokenSecretName: gitlab-admin-token # needs to contain key "token"
# scope:
# - read_user
# - openid
# - profile
# - email
#ingressNamespaceSelectorKey: "role"
#ingressNamespaceSelectorValue: "ingress"
# Cleans up expired flows
cleanup:
enabled: true
# Default: every 10 minutes.
schedule: "*/10 * * * *"
# If set to "true", the user will be responsible to provide a secret for kratos.
# This is useful for situations where the helm "lookup" function cannot be used (e.g. ArgoCD)
# Requirements for that secret:
# - the secret name must match "kratos"
# - a data entry named "secretsDefault" with the corresponding secret used for session signing as value
# - a data entry named "secretsCookie" with the corresponding secret used for cookie encryption as value
# - a data entry named "secretsCipher" with the corresponding secret used for cipher as value
useExistingSecret: false
# Allows to set additional environment variables on the kratos deployment
# Expects "key: value" definitions.
# The value is parsed through the `tpl` function, so it allows to reference other values
#
# Example:
# additionalEnvs:
# TEST_CHART_VERSION: "{{ .Chart.Version }}"
# MY_ENV_VAR: "my-value"
additionalEnvs: []
mail:
# needs to contain key: "uri". Format should be like: smtps://<user>@<your-domain.com>:<secret>@<mail-server.de>:465/?skip_ssl_verify=false
existingSMTPConnectionUriSecret: ""
fromAddress: "noreply@devguard.org"
fromName: "DevGuard"
################################################################################################################################################
## Miscellaneous Settings
######
networkPolicy:
enabled: true
kyvernoPolicy:
enabled: false
# Enforce blocks non-compliant pods; Audit only logs violations
validationFailureAction: Audit
################################################################################################################################################
## DevGuard API Settings
######
api:
# Gen a keypair using the devguard-cli gen-admin-key (https://github.com/l3montree-dev/devguard/blob/main/cmd/devguard-cli/commands/gen_admin_key.go)
# command. Place only the PUBLIC key here. The corresponding private key allows you access to the instance admin /admin dashboard.
# Ensure to keep the private key secret and secure.
# Keeping it empty disables admin endpoint access.
# adminPublicKey: ""
debug:
profile: false # set to "true" to enable pprof profiling endpoints on /debug/pprof
replicaCount: 1
ciComponentBase: "https://gitlab.com/l3montree/devguard/-/raw/v1.9.0"
resources:
limits:
cpu: "2"
memory: 2048Mi
requests:
cpu: 100m
memory: 1024Mi
migrate:
resources:
limits:
cpu: "2"
memory: 3048Mi
requests:
cpu: 100m
memory: 1548Mi
csaf:
######### CSAF Keys
# needs to contain keys: "passphrase", "privateKey", "publicKey", "fingerprint"
# the openGpg keys need to be in pem format.
# Generate keys: gpg --full-generate-key
# List key ids: gpg --list-secret-keys --keyid-format LONG
# Export public key: gpg --armor --export "$KEY_ID" > public.asc
# Export private key: gpg --armor --export-secret-keys "$KEY_ID" > private.asc
# Get fingerprint: gpg --fingerprint "$KEY_ID"
# kubectl create secret generic csaf-key-pair --from-file=privateKey=private.asc --from-file=publicKey=public.asc --from-literal=passphrase="..." --from-literal=fingerprint="1C10 446..." -n devguard
####
# If you don't want to use CSAF features, leave this as empty string.
existingCsafSecretName: ""
aggregatorNamespace: "" # e.g. "example.com"
aggregatorName: "" # e.g. "Example GmbH"
aggregatorContactDetails: "" # e.g. "csaf@example.com"
image:
# Accepts either a full image string (e.g. ghcr.io/l3montree-dev/devguard:0.13.0)
# or an object with repository/tag/digest/pullPolicy.
repository: ghcr.io/l3montree-dev/devguard
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: v1.9.0
imagePullSecrets: []
errorTracking:
# https://<your-error-tracking-dsn>
dsn: ""
# can be dev, stage or prod
environment: "dev"
tracing:
enabled: false
# Fraction of requests to sample for distributed tracing (0.0 - 1.0)
sampleRate: "0.1"
# OTLP endpoint the sidecar collector forwards traces to, e.g. https://jaeger:4318
otlpEndpoint: ""
# Existing secret with basic auth credentials for the OTLP exporter (keys: username, password)
existingSecretName: ""
spanMetrics:
# OTel Collector sidecar image — receives traces from the API on localhost:4317,
# generates span metrics (port 8889) and forwards traces to otlpEndpoint.
image:
repository: otel/opentelemetry-collector-contrib
tag: "0.147.0"
histogram:
buckets: [100us, 1ms, 2ms, 6ms, 10ms, 100ms, 250ms]
dimensions:
- name: http.method
- name: http.status_code
- name: http.route
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
intoto:
existingPrivateKeySecretName: ec-private-key
# GitHub App Integration Settings
github:
enabled: true
appId: abc
# needs to contain "webhookSecret"
existingWebhookSecretSecretName: github-app-webhook-secret
# needs to contain key "privateKey"
existingPrivateKeySecretName: github-app-private-key
ingress:
enabled: true
className: ""
annotations: {}
hosts:
- host: example.com
paths:
- path: /
pathType: Prefix
podAnnotations: {}
podLabels: {}
nodeSelector: {}
tolerations: []
affinity: {}
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# If set to "true", the user will be responsible to provide a secret for the Encryption Key.
# This is useful for situations where the helm "lookup" function cannot be used (e.g. ArgoCD)
# Requirements for that secret:
# - the secret name must match "devguard-encryption-key"
# - a data entry named "key" with the corresponding encryption key as value
useExistingEncryptionKeySecret: false
# If set to "true", the user will be responsible to provide a secret for the pprof password
# This is useful for situations where the helm "lookup" function cannot be used (e.g. ArgoCD)
# Requirements for that secret:
# - the secret name must match "devguard-pprof-password"
# - a data entry named "password" with the corresponding pprof password as value
useExistingPprofPasswordSecret: false
# Allows to set additional environment variables on the api deployment
# Expects "key: value" definitions.
# The value is parsed through the `tpl` function, so it allows to reference other values
#
# Example:
# additionalEnvs:
# TEST_CHART_VERSION: "{{ .Chart.Version }}"
# MY_ENV_VAR: "my-value"
additionalEnvs: []
################################################################################################################################################
## DevGuard Web Frontend Settings
######
web:
# needs to match the setting in the kratos.yaml
registrationEnabled: true
replicaCount: 1
resources:
limits:
cpu: "0.5"
memory: 1024Mi
requests:
cpu: 100m
memory: 128Mi
image:
# Accepts either a full image string (e.g. ghcr.io/l3montree-dev/devguard-web:0.13.0)
# or an object with repository/tag/digest/pullPolicy.
repository: ghcr.io/l3montree-dev/devguard-web
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: v1.9.0
imagePullSecrets: []
ciComponentBase: "https://gitlab.com/l3montree/devguard/-/raw/v1.9.0"
devguardApiUrl: "http://devguard-api-service:8080"
devguardApiUrlPublicInternet: ""
privacyPolicyLink: ""
termsOfUseLink: ""
imprintLink: ""
accountDeletionMail: ""
# Custom Theme URLs (leave empty to use default theme)
themeJsUrl: ""
themeCssUrl: ""
errorTracking:
# https://<your-error-tracking-dsn>
dsn: ""
# Allows to set additional environment variables on the web deployment
# Expects "key: value" definitions.
# The value is parsed through the `tpl` function, so it allows to reference other values
#
# Example:
# additionalEnvs:
# TEST_CHART_VERSION: "{{ .Chart.Version }}"
# MY_ENV_VAR: "my-value"
additionalEnvs: []
ingress:
enabled: true
className: ""
annotations: {}
hosts:
- host: app.example.com
paths:
- path: /
pathType: Prefix
podAnnotations: {}
podLabels: {}
nodeSelector: {}
tolerations: []
affinity: {}
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
################################################################################################################################################
## DevGuard PostgreSQL Database Settings
######
postgresql:
image:
# Accepts either a full image string (e.g. ghcr.io/l3montree-dev/devguard/postgresql:v0.17.0)
# or an object with repository/tag/digest/pullPolicy.
# Please note: we are using a custom PostgreSQL image that has the required
# extensions pre-installed.
repository: ghcr.io/l3montree-dev/devguard/postgresql
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: v1.9.0
pvc:
size: 21Gi
podAnnotations: {}
config:
# Max number of concurrent connections. (change requires restart)
maxConnections: "100"
# Recommended: 25% of total RAM. (change requires restart)
sharedBuffers: "1GB"
# Hint to the query planner: shared_buffers + OS page cache. Rule of thumb: 75% of total RAM.
# Does not allocate memory — only affects query planning decisions.
effectiveCacheSize: "3GB"
# Memory for VACUUM, CREATE INDEX, ALTER TABLE. Recommended: 5–10% of total RAM.
maintenanceWorkMem: "256MB"
# Per-sort / per-hash memory. Each query can use this multiple times.
# Formula: (RAM - sharedBuffers) / (maxConnections * 3) for worst-case safety.
# For web workloads with low actual concurrency, 32–64MB is a good balance.
workMem: "32MB"
# WAL write buffer. -1 = auto (1/32 of sharedBuffers). Only change if you see WAL write bottlenecks.
walBuffers: "-1"
# Concurrent I/O requests for bitmap heap scans. SSD: 200, HDD: 2–4.
# Note: for network-attached volumes (EBS, GCP PD) the optimal value varies — tune if needed.
effectiveIoConcurrency: "200"
# Planner cost for random page access relative to sequential. SSD: 1.1, HDD: 4.0 (default).
randomPageCost: "1.1"
# Lower bound on WAL disk space retained. Prevents constant WAL recycling under write load.
minWalSize: "1GB"
# Max WAL size before forcing a checkpoint. Higher = fewer checkpoints, more I/O smoothing.
maxWalSize: "4GB"
# Total background worker processes. Should not exceed CPU count. (change requires restart)
maxWorkerProcesses: "4"
# Max parallel workers across all parallel operations. Should not exceed CPU count.
maxParallelWorkers: "4"
# Shared memory size for /dev/shm. Should be at least as large as sharedBuffers.
# Kubernetes caps /dev/shm at 64Mi by default — this overrides that limit.
shm:
sizeLimit: 2Gi
# An init container that chowns the data directory to UID/GID 999 before
# postgres starts. Required because the chart's postgresql image ships with
# USER 999 baked in, which prevents the upstream entrypoint from chowning
# the volume itself. On storage classes that mount volumes as root (e.g.
# Azure Disk on AKS, hostpath on minikube), this init container is what
# makes the data dir writable by the postgres user.
volumePermissions:
enabled: true
image:
repository: busybox
tag: "1.37.0@sha256:1487d0af5f52b4ba31c7e465126ee2123fe3f2305d638e7827681e7cf6c83d5e"
pullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
# Pod-level security context. fsGroup is left unset by default — the init
# container above handles ownership. Set fsGroup if you need it for other
# reasons (e.g. shared sidecar access to the data volume).
podSecurityContext: {}
# Container-level security context for the postgresql container. Runs as
# UID 999 (matches the image's USER directive); the volume has already
# been chowned by the init container.
containerSecurityContext:
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 999
runAsGroup: 999
capabilities:
drop:
- ALL
resources:
limits:
cpu: 4000m
memory: 8024Mi
requests:
cpu: 1000m
memory: 2056Mi
# If set to "true", the user will be responsible to provide a secret for the database.
# This is useful for situations where the helm "lookup" function cannot be used (e.g. ArgoCD)
# Requirements for that secret:
# - the secret name must match "db-secret"
# - a data entry named "postgres-password" with the corresponding password for the "devguard" database user as value
# - a data entry named "password" with the corresponding password for the "postgres" admin user as value
# - a data entry named "replication-password" with the corresponding password for the replication user as value
# - a data entry named "postgres-exporter-dsn" with the value "postgresql://devguard:[POSTGRES-PASSWORD]@localhost:5432/devguard?sslmode=disable", where "[POSTGRES-PASSWORD]" matches the value from the "postgres-password" key
useExistingSecret: false
# If set to "true", the user will be responsible to provide a secret for the kratos database.
# This is useful for situations where the helm "lookup" function cannot be used (e.g. ArgoCD)
# Requirements for that secret:
# - the secret name must match "kratos-db-secret"
# - a data entry named "password" with the corresponding password for the "kratos" database user as value
useExistingKratosDatabaseSecret: false
# Allows to set additional environment variables on the postgresql statefulset
# Expects "key: value" definitions.
# The value is parsed through the `tpl` function, so it allows to reference other values
#
# Example:
# additionalEnvs:
# TEST_CHART_VERSION: "{{ .Chart.Version }}"
# MY_ENV_VAR: "my-value"
additionalEnvs: []
################################################################################################################################################
## Observability Settings
######
observability:
serviceMonitor:
# Set to true if you have the Prometheus Operator installed
enabled: false
# Labels added to every ServiceMonitor (used by Prometheus Operator to discover monitors)
additionalLabels: {}
# Namespace where Prometheus is running — used to open NetworkPolicy egress
prometheusNamespace: monitoring
# Namespace selector key/value used in NetworkPolicy to allow Prometheus scraping
prometheusNamespaceSelectorKey: "kubernetes.io/metadata.name"
interval: 30s
scrapeTimeout: 10s
grafanaDashboard:
# Set to true to deploy Grafana dashboard ConfigMaps for span metrics and postgresql
# Requires the Grafana sidecar to watch for ConfigMaps with the label you can configure below
enabled: false
# The label name which the Grafana sidecar is searching for. Defaults to "grafana_dashboard"
# labelName: "grafana_dashboard"
# The label value which the Grafana sidecar is searching for. Defaults to "1"
# labelValue: "1"
api:
metrics:
# Path of the metrics endpoint exposed by the DevGuard API
path: /api/v1/metrics
postgresql:
exporter:
image:
repository: prometheuscommunity/postgres-exporter
tag: v0.19.1
pullPolicy: IfNotPresent
# Container-level security context for the postgres-exporter sidecar.
containerSecurityContext:
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 65534
capabilities:
drop:
- ALL
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 32Mi