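---
# -- Dictionary of all the settings to configure this chart
# @default -- depends on the individual settings
ocpExternalSecrets:
  rbac:
    # -- The name of the vault role when connecting to the vault from the hub
    rolename: "hub-role"
  # -- ServiceAccount configuration for external secrets
  # @default -- depends on the individual settings
  serviceAccount:
    # -- The name of the service account used by external secrets
    name: "ocp-external-secrets"
    # -- The namespace where the service account is created
    namespace: "external-secrets"
  # -- Settings relevant when using the kubernetes backend
  # @default -- depends on the individual settings
  kubernetes:
    # -- The remote namespace used in the ClusterSecretStore
    remoteNamespace: "validated-patterns-secrets"
    server:
      # -- The URL used in the ClusterSecretStore
      url: "https://kubernetes.default"
  # -- Some vault configuration entries
  # @default -- depends on the individual settings
  vault:
    # -- If non-empty, sets the Vault API URL on the ClusterSecretStore (`spec.provider.vault.server`), for example an
    # external Vault reachable at an HTTPS URL you provide. When empty, the chart uses the in-cluster hub pattern
    # `vault-vault` plus `global.hubClusterDomain` (no separate parameter required).
    externalAddress: ""
    # -- Settings below apply only when `externalAddress` is non-empty (ignored for framework-managed hub Vault).
    # @default -- depends on the individual settings
    external:
      # -- Arbitrary auth stanza rendered directly into `spec.provider.vault.auth` when `externalAddress` is non-empty.
      # Use this for non-Kubernetes auth methods (for example AppRole, JWT/OIDC, token, LDAP, cert). When set, this
      # takes precedence over `kubernetesMountPath`/`kubernetesRole` and `secretRef`.
      # NOTE: because this stanza is rendered as-is, any credential material it carries (tokens, AppRole secret IDs)
      # ends up in the rendered ClusterSecretStore. Prefer the auth method's `secretRef`-style fields pointing at an
      # existing Secret over inlining credentials in a values file that is committed to version control.
      auth: {}
      # -- KV mount path segment for `spec.provider.vault.path` (e.g. `secret` or a team-specific engine). Empty keeps
      # the default `secret`.
      kvPath: ""
      # -- KV version (`v1` or `v2`). Empty keeps the default `v2`.
      kvVersion: ""
      # -- Vault Kubernetes auth mount path for the external Vault. Must be set together with `kubernetesRole`; if
      # either is empty, hub/spoke auth from this chart is used instead.
      kubernetesMountPath: ""
      # -- Vault Kubernetes auth role for the external Vault. Must be set together with `kubernetesMountPath`.
      kubernetesRole: ""
      # -- Secret reference used for `spec.provider.vault.auth.kubernetes.secretRef` when `externalAddress` is non-empty.
      # All fields are required in that case and should point to an existing Secret holding the Kubernetes auth JWT.
      # Ignored when `external.auth` is provided.
      # @default -- depends on the individual settings
      secretRef:
        # -- Secret name for external Vault Kubernetes auth. Required when `externalAddress` is non-empty.
        name: ""
        # -- Namespace of the secret for external Vault Kubernetes auth. Required when `externalAddress` is non-empty.
        namespace: ""
        # -- Secret key containing the JWT token for external Vault Kubernetes auth. Required when `externalAddress`
        # is non-empty.
        key: ""
    # -- The vault secrets' path when connecting to it from the hub
    mountPath: "hub"
    # -- This controls how ESO connects to vault and it allows specifying where the public key
    # of the CA that signed the API endpoint is stored, so that ESO can talk to the vault
    # @default -- depends on the individual settings
    caProvider:
      # -- When set to true this uses a custom CA to talk to vault
      enabled: true  # If vault is exposed via a route that is signed by a non internal CA you might want to disable this
      # -- Where to fetch the CA that signed the vault API endpoint when on the hub cluster
      # @default -- depends on the individual settings
      hostCluster:
        # -- Type of object where the CA is stored
        type: ConfigMap
        # -- Name of object where the CA is stored
        name: kube-root-ca.crt
        # -- Key of object where the CA is stored
        key: ca.crt
        # -- Namespace of object where the CA is stored
        namespace: external-secrets
      # -- Where to fetch the CA that signed the vault API endpoint when on a spoke cluster
      # @default -- depends on the individual settings
      clientCluster:
        # -- Type of object where the CA is stored
        type: Secret
        # -- Name of object where the CA is stored
        name: hub-ca
        # -- Key of object where the CA is stored
        key: hub-kube-root-ca.crt
        # -- Namespace of object where the CA is stored
        namespace: external-secrets

# -- The global namespace contains some globally used variables used in patterns
# @default -- depends on the individual settings
global:
  # -- The DNS entry for the hub cluster
  hubClusterDomain: hub.example.com
  # -- The DNS entry for the cluster the chart is being rendered on
  clusterDomain: foo.example.com
  secretStore:
    # -- The backend of ESO being used in the pattern
    backend: "vault"
  clusterGroup:
    applications: {}
  # -- The variable that defines when a cluster is the HUB
  # (Deprecated) isHubCluster: true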