|
| 1 | +# Controller Options |
| 2 | +options: |
| 3 | + # -- Set the listening port of the capsule-proxy |
| 4 | + listeningPort: 9001 |
| 5 | + # -- Set leader election to true if you are running n-replicas |
| 6 | + leaderElection: false |
| 7 | + # -- Set the log verbosity of the capsule-proxy with a value from 1 to 10 |
| 8 | + logLevel: 4 |
| 9 | + # -- Name of the CapsuleConfiguration custom resource used by Capsule, required to identify the user groups |
| 10 | + capsuleConfigurationName: default |
| 11 | + # -- Define which groups must be ignored while proxying requests |
| 12 | + ignoredUserGroups: |
| 13 | + - "group-1" |
| 14 | + - "group-2" |
| 15 | + # -- Names of the groups which are not used for impersonation (considered after impersonation-group-regexp) |
| 16 | + ignoredImpersonationGroups: |
| 17 | + - "group-1" |
| 18 | + - "group-2" |
| 19 | + # -- Regular expression to match the groups which are considered for impersonation |
| 20 | + impersonationGroupRegexp: "some-regex-.*" |
| 21 | + # -- Specify if capsule-proxy will use SSL |
| 22 | + oidcUsernameClaim: preferred_username |
| 23 | + # -- Specify if capsule-proxy will use SSL |
| 24 | + enableSSL: true |
| 25 | + # -- Set the directory, where SSL certificate and keyfile will be located |
| 26 | + SSLDirectory: /opt/capsule-proxy |
| 27 | + # -- Set the name of SSL certificate file |
| 28 | + SSLCertFileName: tls.crt |
| 29 | + # -- Set the name of SSL key file |
| 30 | + SSLKeyFileName: tls.key |
| 31 | + # -- Specify if capsule-proxy will generate self-signed SSL certificates |
| 32 | + generateCertificates: false |
| 33 | + # -- Specify additional subject alternative names for the self-signed SSL |
| 34 | + additionalSANs: [] |
| 35 | + # -- Specify an override for the Secret containing the certificate for SSL. Default value is empty and referring to the generated certificate. |
| 36 | + certificateVolumeName: "" |
| 37 | + # -- Set the role bindings reflector resync period, a local cache to store mappings between users and their namespaces. [Use a lower value in case of flaky etcd server connections.](https://github.com/projectcapsule/capsule-proxy/issues/174) |
| 38 | + rolebindingsResyncPeriod: 10h |
| 39 | + # -- Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector. |
| 40 | + disableCaching: false |
| 41 | + # -- Enable the rolebinding reflector, which allows to list the namespaces, where a rolebinding mentions a user. |
| 42 | + roleBindingReflector: false |
| 43 | + # -- Authentication types to be used for requests. Possible Auth Types: [BearerToken, TLSCertificate,XForwardedClientCert] |
| 44 | + authPreferredTypes: "BearerToken,TLSCertificate" |
| 45 | + # -- QPS to use for interacting with Kubernetes API Server. |
| 46 | + clientConnectionQPS: 20 |
| 47 | + # -- Burst to use for interacting with kubernetes API Server. |
| 48 | + clientConnectionBurst: 30 |
| 49 | + # -- Enable Pprof for profiling |
| 50 | + pprof: false |
| 51 | + # -- CIDR ranges of trusted proxies allowed to make requests to the proxy |
| 52 | + trustedProxyCidrs: |
| 53 | + - "127.0.0.1/32" |
| 54 | + extraArgs: |
| 55 | + - "--feature-gates=ProxyClusterScoped=true" |
0 commit comments