values.yaml
---
# Default values (values.yaml).
# NOTE(review): every line in this copy starts at column 0, so the nesting of keys is not
# visible here; restore the indentation from the original file before using it.
global:
pattern: ansible-edge-gitops
clusterDomain: example.com
# Secret store used for external secrets: a ClusterSecretStore named vault-backend.
# NOTE(review): a ClusterSecretStore is cluster-scoped; confirm which namespaces are meant
# to read through it.
secretStore:
esoApiVersion: external-secrets.io/v1
name: vault-backend
kind: ClusterSecretStore
# Same namespace as the ServiceAccount subject in the rbac roleBindings entry of this file.
vmNamespace: gitops-vms
waitForMetalNode: false
# presumably seconds; confirm against the job template
jobTerminationGracePeriod: 3600
# Baseline settings for VMs; the comment before `vms` in this file says individual VMs
# set their own attributes in an overrides file.
vmDefaults:
role: generic
externalDataSourceNamespace: openshift-virtualization-os-images
externalDataSourceAnnotations:
cdi.kubevirt.io/storage.bind.immediate.requested: "true"
# Looks like a path into the secret store, not a secret value, which is what the checkov
# skip on this line records.
# NOTE(review): `cloudinitsecret` further down holds the same path under a differently
# cased key; confirm which key the templates read and remove the other.
cloudInitSecret: secret/data/hub/cloud-init #checkov:skip=CKV_SECRET_6:External Secret
accessMode: "ReadWriteMany"
storageClassName: "ocs-storagecluster-ceph-rbd-virtualization"
volumeMode: "Block"
count: 1
# Override per VM or per additionalDisks[].bus (e.g. sata for generic Windows images).
mainDiskStorageBus: virtio
additionalDiskStorageBus: virtio
# Always | RerunOnFailure | Manual | Halted | Once (mutually exclusive with spec.running)
runStrategy: Always
flavor: medium
workload: server
os: rhel9
efi: false
storage: 30Gi
memory: 4Gi
# Generic q35 alias (KubeVirt AMD64 default); libvirt resolves per node. Prefer this over
# pc-q35-rhel9.x.0 unless you must pin a version for live-migration homogeneity.
machineType: q35
cores: 1
sockets: 1
threads: 1
template: rhel9-server-medium
# Path of the SSH key entry in the secret store; `sshpubkeyfield` names the field read from it.
sshsecret: secret/data/hub/vm-ssh #checkov:skip=CKV_SECRET_6:External Secret
cloudinitsecret: secret/data/hub/cloud-init
sshpubkeyfield: publickey
# NOTE(review): with serviceType NodePort and the ssh port listed under `ports`, the default
# Service would presumably open SSH on a port of every node; confirm this is intended and
# prefer ClusterIP where VMs only need in-cluster access.
serviceType: NodePort
routeEnableTlsBlock: false
publishService: false
#routeTlsInsecureEdgeTerminationPolicy: None
# passthrough: the router forwards TLS untouched, so the VM itself must terminate it.
routeTlsTermination: passthrough
# extraLabels is available for default extra labels to add to the virtualmachine
# extraAnnotations is available for default extra annotations to add to the virtualmachine
# The following provide defaults if they are not set in the route hash/map:
# routeTlsTermination
# routeTlsInsecureEdgeTerminationPolicy (defaults to empty/not present)
# routeTlsSecretKeyName - no default
ports:
- name: ssh
port: 22
protocol: TCP
targetPort: 22
# No routes by default.
routes: {}
# The following keys can be used/set in the route map
# name (defaults to vm-name)
# targetPort (no default)
# enableTlsBlock (defaults to false)
# tlsTermination (defaults to routeTlsTermination from above)
# tlsInsecureEdgeTerminationPolicy (defaults to routeTlsInsecureEdgeTerminationPolicy above)
# tlsSecretKeyName - no default - not needed or used if not specified
# Define the VMs you want to create with any specific attributes from vmDefaults
# in an overrides file.
# Per-VM additionalDisks (optional; can also be set under vmDefaults):
# additionalDisks:
# - name: data
# storage: 100Gi
# # bus, accessMode, storageClassName, volumeMode optional (inherit vmDefaults)
# # dataVolume: clone from a DataSource name; omit for a blank disk
# Empty by default: no VMs are defined in this file.
vms: {}
# Registry pull credentials to fetch through an ExternalSecret (see the comment above
# `disableExternalSecrets`); empty by default.
registryCredentialExternalSecrets: {}
# EXAMPLE
# quay-creds:
# vaultKey: 'hub/quay-creds'
# Additional image sources to import; empty by default.
# NOTE(review): the examples below reference an image by tag and an ISO by URL, and show no
# digest or checksum field; confirm how imported content is verified before VMs boot from it.
externalDataSources: {}
# EXAMPLE externalDataSources:
# Example pulled from quay
# - name: quay-windows
# type: registry
# url: "docker://quay.io/eduffy/win2k22-dv:thin"
# size: 50G
# registryCredentialsSecret: quay-creds # You will need to create either manually or using registryCredentialExternalSecrets above
# Example downloaded from url
# - name: ubuntu-installer
# type: http
# url: https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso
# size: 10G
# This field will disable ExternalSecrets for fetching SSH Authorized Keys and
# CloudInit configuration. If registry credentials are specified in
# registryCredentialExternalSecrets then they will be fetched using an
# ExternalSecret regardless of what this field is set to
# NOTE(review): when this is true the SSH keys and cloud-init data must come from somewhere
# else; confirm that path does not place them in version control.
disableExternalSecrets: false
# ServiceAccount name; the roleBindings subject below repeats it, so keep the two in sync.
serviceAccountName: ansible-edge-gitops-sa
rbac:
roles:
# Read-only access (get/list/watch) to machinesets in the machine.openshift.io API group.
- name: view-machine-api
createRole: true
apiGroups:
- machine.openshift.io
scope:
cluster: true
resources:
- machinesets
verbs:
- "get"
- "list"
- "watch"
roleBindings:
# Scoped to the openshift-machine-api namespace (cluster: false) while roleRef names a
# ClusterRole; presumably this renders as a namespaced RoleBinding, which would limit the
# grant to that namespace. Confirm in the template.
- name: view-machine-api
createBinding: true
scope:
cluster: false
namespace: "openshift-machine-api"
subjects:
kind: ServiceAccount
name: ansible-edge-gitops-sa
namespace: gitops-vms
apiGroup: ""
roleRef:
kind: ClusterRole
name: view-machine-api
job:
# NOTE(review): `:latest` is a mutable tag, so the image a job runs can change without any
# change to this file; pin a specific tag or digest if reproducible runs are required.
image: image-registry.openshift-image-registry.svc:5000/openshift/cli:latest