diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yml similarity index 92% rename from .github/workflows/workflow.yaml rename to .github/workflows/workflow.yml index 1a3eec4f..0dea8493 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yml @@ -17,6 +17,8 @@ jobs: yaml-check: uses: ai-cfia/github-workflows/.github/workflows/workflow-yaml-check.yml@main + with: + config-file-path: '.yamllint.yml' repo-standard: uses: diff --git a/.vscode/settings.json b/.vscode/settings.json index bbf84028..d3fe7a60 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,5 +1,8 @@ { "editor.rulers": [80], + "[yaml]": { + "editor.rulers": [120] + }, "files.trimTrailingWhitespace": true, "files.trimFinalNewlines": true, "files.insertFinalNewline": true diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 00000000..ceae6326 --- /dev/null +++ b/.yamllint.yml @@ -0,0 +1,7 @@ +--- +extends: default + +rules: + line-length: + max: 120 + allow-non-breakable-inline-mappings: true diff --git a/apply-terraform.yml b/apply-terraform.yml index 455ab410..b4442e1a 100644 --- a/apply-terraform.yml +++ b/apply-terraform.yml 
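Review bot: The new `with: config-file-path: '.yamllint.yml'` input is passed to a reusable workflow referenced at the mutable ref `ai-cfia/github-workflows/.github/workflows/workflow-yaml-check.yml@main`, so what the lint job executes — and what it can do with this repository's `GITHUB_TOKEN` — changes whenever that branch moves. Pin the reference to a release tag or, better, a full commit SHA, e.g. `uses: ai-cfia/github-workflows/.github/workflows/workflow-yaml-check.yml@<commit-sha>  # vX.Y`, and let Dependabot or Renovate bump it. The `uses:` line itself is context rather than part of the added lines, but the new input depends on it; the `.yaml` to `.yml` rename is harmless, GitHub loads either extension.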
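Review bot: `extends: default` in the new `.yamllint.yml` enables yamllint's `truthy` rule with key checking, and this repository's own workflow under `.github/workflows/` uses the GitHub Actions `on:` key, which YAML 1.1 readers treat as a boolean and yamllint reports (a warning under the default ruleset). If the shared `workflow-yaml-check` runs yamllint in strict mode that warning fails the very job this commit is configuring; either way it is a finding the team will learn to ignore. Add `truthy:` / `check-keys: false` under `rules:` (or an `ignore:` entry for the workflows directory) so the rule keeps catching real `yes`/`no`/`on` values. Note also that `allow-non-breakable-inline-mappings: true` only exempts long inline *mappings* from `line-length`; long flow sequences still get flagged and must be restructured as block sequences rather than wrapped into scalars.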
@@ -1,61 +1,77 @@ --- trigger: - - main + branches: + include: + - main + +pr: none pool: - vmImage: 'ubuntu-latest' + vmImage: "ubuntu-latest" variables: - group: terraform-backend-settings stages: - stage: InitAndPlan - displayName: 'Initialize and Plan' + displayName: "Initialize and Plan" jobs: - job: TerraformInitPlan - displayName: 'Terraform Init and Plan' + displayName: "Terraform Init and Plan" steps: - task: TerraformTaskV2@2 displayName: Terra Init inputs: - provider: 'azurerm' - command: 'init' - workingDirectory: - '$(System.DefaultWorkingDirectory)/terraform/staging' - backendServiceArm: '$(serviceConnectionName)' - backendAzureRmResourceGroupName: '$(resourceGroupName)' - backendAzureRmStorageAccountName: '$(storageAccountName)' - backendAzureRmContainerName: '$(containerName)' - backendAzureRmKey: '$(stateKey)' + provider: "azurerm" + command: "init" + workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging" + backendServiceArm: "$(serviceConnectionName)" + backendAzureRmResourceGroupName: "$(resourceGroupName)" + backendAzureRmStorageAccountName: "$(storageAccountName)" + backendAzureRmContainerName: "$(containerName)" + backendAzureRmKey: "$(stateKey)" - task: TerraformTaskV2@2 displayName: Terra Plan inputs: - provider: 'azurerm' - command: 'plan' - workingDirectory: - '$(System.DefaultWorkingDirectory)/terraform/staging' - environmentServiceNameAzureRM: '$(serviceConnectionName)' + provider: "azurerm" + command: "plan" + workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging" + environmentServiceNameAzureRM: "$(serviceConnectionName)" - stage: Apply - displayName: 'Apply Terraform Plan' + displayName: "Apply Terraform Plan" dependsOn: InitAndPlan condition: succeeded() jobs: + - job: TerraformInit + displayName: "Terraform Init" + steps: + - task: TerraformTaskV2@2 + displayName: Terra Init + inputs: + provider: "azurerm" + command: "init" + workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging" + 
backendServiceArm: "$(serviceConnectionName)" + backendAzureRmResourceGroupName: "$(resourceGroupName)" + backendAzureRmStorageAccountName: "$(storageAccountName)" + backendAzureRmContainerName: "$(containerName)" + backendAzureRmKey: "$(stateKey)" + - deployment: TerraformApply - displayName: 'Terraform Apply' + displayName: "Terraform Apply" pool: - vmImage: 'ubuntu-latest' - environment: 'ProductionApproval' + vmImage: "ubuntu-latest" + environment: "ProductionApproval" strategy: runOnce: deploy: steps: - task: TerraformTaskV2@2 - displayName: 'Terra Apply' + displayName: "Terra Apply" inputs: - provider: 'azurerm' - command: 'apply' - workingDirectory: - '$(System.DefaultWorkingDirectory)/terraform/staging' - environmentServiceNameAzureRM: '$(serviceConnectionName)' + provider: "azurerm" + command: "apply" + workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging" + environmentServiceNameAzureRM: "$(serviceConnectionName)" diff --git a/kubernetes/apps/finesse/finesse-backend-deployment.yml b/kubernetes/apps/finesse/finesse-backend-deployment.yml index 42f0342d..157d7084 100644 --- a/kubernetes/apps/finesse/finesse-backend-deployment.yml +++ b/kubernetes/apps/finesse/finesse-backend-deployment.yml 
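Review bot: The `TerraformInit` job added to the `Apply` stage does not initialize anything the `TerraformApply` deployment job can use: it is a separate job, and on a hosted `ubuntu-latest` pool each job starts on a fresh agent, so the `.terraform` directory and backend settings it produces are gone by the time `command: "apply"` runs (the deployment job also never runs `checkout: self`, which deployment jobs need before `$(System.DefaultWorkingDirectory)/terraform/staging` exists — verify against your agent pool if it is self-hosted with a shared workspace). The init and checkout belong inside the deployment job's `deploy:` steps, and the extra job can go. Independently of this commit, nothing links the plan shown before the `ProductionApproval` gate to what is applied: the plan task writes no plan file, so `apply` recomputes its own plan and may change resources the approver never saw; write the plan with `commandOptions: "-out=…"`, publish it as a pipeline artifact and apply exactly that file (a saved plan can hold sensitive values, so keep pipeline and artifact read access tight). Lastly, `pr: none` plus the `main`-only `trigger` are right for a pipeline that can apply — confirm branch protection on `main`, since that branch is now the effective deploy gate.
```yaml
          - task: TerraformTaskV2@2
            displayName: Terra Plan
            inputs:
              provider: "azurerm"
              command: "plan"
              commandOptions: "-out=$(Build.ArtifactStagingDirectory)/tfplan"
              workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging"
              environmentServiceNameAzureRM: "$(serviceConnectionName)"
          - task: PublishPipelineArtifact@1
            displayName: Publish plan for approval
            inputs:
              targetPath: "$(Build.ArtifactStagingDirectory)/tfplan"
              artifact: tfplan
  # … unchanged: Apply stage header (dependsOn, condition); the separate TerraformInit job is dropped …
      - deployment: TerraformApply
        # … unchanged: displayName, pool, environment, strategy/runOnce/deploy …
              steps:
                - checkout: self
                - download: current
                  artifact: tfplan
                - task: TerraformTaskV2@2
                  displayName: Terra Init
                  inputs:
                    # … same init inputs as in the TerraformInitPlan job …
                - task: TerraformTaskV2@2
                  displayName: "Terra Apply"
                  inputs:
                    provider: "azurerm"
                    command: "apply"
                    commandOptions: "$(Pipeline.Workspace)/tfplan/tfplan"
                    workingDirectory: "$(System.DefaultWorkingDirectory)/terraform/staging"
                    environmentServiceNameAzureRM: "$(serviceConnectionName)"
```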
@@ -45,22 +45,22 @@ spec: spec: serviceAccountName: secrets-reader containers: - - name: finesse-backend - image: ghcr.io/ai-cfia/finesse-backend:main - imagePullPolicy: Always - command: ["/bin/sh", "-c"] - args: - - > - cp /vault/secrets/.env . && - gunicorn --bind :8080 --workers 1 --threads 8 --timeout 0 --forwarded-allow-ips "*" app:app - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 10 + - name: finesse-backend + image: ghcr.io/ai-cfia/finesse-backend:main + imagePullPolicy: Always + command: ["/bin/sh", "-c"] + args: + - > + cp /vault/secrets/.env . && + gunicorn --bind :8080 --workers 1 --threads 8 --timeout 0 --forwarded-allow-ips "*" app:app + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 --- apiVersion: v1 diff --git a/kubernetes/apps/finesse/finesse-frontend-deployment.yml b/kubernetes/apps/finesse/finesse-frontend-deployment.yml index d1ad36f7..7b9d3610 100644 --- a/kubernetes/apps/finesse/finesse-frontend-deployment.yml +++ b/kubernetes/apps/finesse/finesse-frontend-deployment.yml @@ -16,17 +16,17 @@ spec: spec: serviceAccountName: secrets-reader containers: - - name: finesse-frontend - image: ghcr.io/ai-cfia/finesse-frontend:main - imagePullPolicy: Always - ports: - - containerPort: 3000 - livenessProbe: - httpGet: - path: /health - port: 3000 - initialDelaySeconds: 60 - periodSeconds: 10 + - name: finesse-frontend + image: ghcr.io/ai-cfia/finesse-frontend:main + imagePullPolicy: Always + ports: + - containerPort: 3000 + livenessProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 60 + periodSeconds: 10 --- apiVersion: v1 diff --git a/kubernetes/apps/finesse/finesse-ingress.yml b/kubernetes/apps/finesse/finesse-ingress.yml index 548b10a4..53a766f3 100644 --- a/kubernetes/apps/finesse/finesse-ingress.yml +++ b/kubernetes/apps/finesse/finesse-ingress.yml 
@@ -6,27 +6,27 @@ metadata: namespace: finesse annotations: nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/rewrite-target: /$2 # https://kubernetes.github.io/ingress-nginx/examples/rewrite/ + nginx.ingress.kubernetes.io/rewrite-target: /$2 # https://kubernetes.github.io/ingress-nginx/examples/rewrite/ cert-manager.io/cluster-issuer: letsencrypt-http ingress.kubernetes.io/force-ssl-redirect: "true" kubernetes.io/tls-acme: "true" spec: ingressClassName: nginx tls: - - hosts: - - finesse.ninebasetwo.xyz - secretName: aciacfia-tls + - hosts: + - finesse.ninebasetwo.xyz + secretName: aciacfia-tls rules: - - host: finesse.ninebasetwo.xyz - http: - paths: - - path: /api(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: finesse-backend-svc - port: - number: 8080 + - host: finesse.ninebasetwo.xyz + http: + paths: + - path: /api(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: finesse-backend-svc + port: + number: 8080 --- # For more information check https://github.com/nginxinc/kubernetes-ingress/issues/323 @@ -44,17 +44,17 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - finesse.ninebasetwo.xyz - secretName: aciacfia-tls + - hosts: + - finesse.ninebasetwo.xyz + secretName: aciacfia-tls rules: - - host: finesse.ninebasetwo.xyz - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: finesse-frontend-svc - port: - number: 3000 + - host: finesse.ninebasetwo.xyz + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: finesse-frontend-svc + port: + number: 3000 diff --git a/kubernetes/apps/nachet/nachet-backend-deployment.yml b/kubernetes/apps/nachet/nachet-backend-deployment.yml index c4739ac6..118c3748 100644 --- a/kubernetes/apps/nachet/nachet-backend-deployment.yml +++ b/kubernetes/apps/nachet/nachet-backend-deployment.yml 
@@ -38,21 +38,21 @@ spec: spec: serviceAccountName: secrets-reader containers: - - name: nachet-backend - image: ghcr.io/ai-cfia/nachet-backend:48 - imagePullPolicy: Always - command: ["/bin/sh", "-c"] - args: - - > - cp /vault/secrets/.env . && hypercorn -b :8080 app:app - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /health - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 10 + - name: nachet-backend + image: ghcr.io/ai-cfia/nachet-backend:48 + imagePullPolicy: Always + command: ["/bin/sh", "-c"] + args: + - > + cp /vault/secrets/.env . && hypercorn -b :8080 app:app + ports: + - containerPort: 8080 + livenessProbe: + httpGet: + path: /health + port: 8080 + initialDelaySeconds: 60 + periodSeconds: 10 --- apiVersion: v1 diff --git a/kubernetes/apps/nachet/nachet-frontend-deployment.yml b/kubernetes/apps/nachet/nachet-frontend-deployment.yml index 867a1353..8fdcec53 100644 --- a/kubernetes/apps/nachet/nachet-frontend-deployment.yml +++ b/kubernetes/apps/nachet/nachet-frontend-deployment.yml @@ -1,3 +1,4 @@ +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -15,21 +16,21 @@ spec: spec: serviceAccountName: secrets-reader containers: - - name: nachet-frontend - image: ghcr.io/ai-cfia/nachet-frontend:main - imagePullPolicy: Always - ports: - - containerPort: 3000 - livenessProbe: - httpGet: - path: / - port: 3000 - initialDelaySeconds: 60 - periodSeconds: 10 + - name: nachet-frontend + image: ghcr.io/ai-cfia/nachet-frontend:main + imagePullPolicy: Always + ports: + - containerPort: 3000 + livenessProbe: + httpGet: + path: / + port: 3000 + initialDelaySeconds: 60 + periodSeconds: 10 --- apiVersion: v1 -kind: Service +kind: Service metadata: name: nachet-frontend-svc namespace: nachet diff --git a/kubernetes/apps/nachet/nachet-ingress.yml b/kubernetes/apps/nachet/nachet-ingress.yml index 6a67d2ab..9e66542a 100644 --- a/kubernetes/apps/nachet/nachet-ingress.yml +++ b/kubernetes/apps/nachet/nachet-ingress.yml 
@@ -6,7 +6,7 @@ metadata: namespace: nachet annotations: nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/rewrite-target: /$2 # https://kubernetes.github.io/ingress-nginx/examples/rewrite/ + nginx.ingress.kubernetes.io/rewrite-target: /$2 # https://kubernetes.github.io/ingress-nginx/examples/rewrite/ nginx.ingress.kubernetes.io/proxy-body-size: "50m" nginx.ingress.kubernetes.io/proxy-read-timeout: "120" cert-manager.io/cluster-issuer: letsencrypt-http @@ -15,20 +15,20 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - nachet.ninebasetwo.xyz - secretName: aciacfia-tls + - hosts: + - nachet.ninebasetwo.xyz + secretName: aciacfia-tls rules: - - host: nachet.ninebasetwo.xyz - http: - paths: - - path: /api(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: nachet-backend-svc - port: - number: 8080 + - host: nachet.ninebasetwo.xyz + http: + paths: + - path: /api(/|$)(.*) + pathType: ImplementationSpecific + backend: + service: + name: nachet-backend-svc + port: + number: 8080 --- # For more information check https://github.com/nginxinc/kubernetes-ingress/issues/323 @@ -47,17 +47,17 @@ metadata: spec: ingressClassName: nginx tls: - - hosts: - - nachet.ninebasetwo.xyz - secretName: aciacfia-tls + - hosts: + - nachet.ninebasetwo.xyz + secretName: aciacfia-tls rules: - - host: nachet.ninebasetwo.xyz - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nachet-frontend-svc - port: - number: 3000 + - host: nachet.ninebasetwo.xyz + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nachet-frontend-svc + port: + number: 3000 diff --git a/kubernetes/system/cert-manager/cert-manager.yml b/kubernetes/system/cert-manager/cert-manager.yml index 50852d2d..ef041312 100644 --- a/kubernetes/system/cert-manager/cert-manager.yml +++ b/kubernetes/system/cert-manager/cert-manager.yml 
@@ -1,6 +1,7 @@ # Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. +--- global: # Reference to one or more secrets to be used when pulling images imagePullSecrets: [] @@ -54,10 +55,10 @@ installCRDs: true replicaCount: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 podDisruptionBudget: enabled: false @@ -161,18 +162,18 @@ dns01RecursiveNameserversOnly: false # To see all available flags run docker run # quay.io/jetstack/cert-manager-controller: --help extraArgs: [] - # Use this flag to enable or disable arbitrary controllers, - # for example, disable the CertificiateRequests approver - # - --controllers=*,-certificaterequests-approver +# Use this flag to enable or disable arbitrary controllers, +# for example, disable the CertificiateRequests approver +# - --controllers=*,-certificaterequests-approver extraEnv: [] # - name: SOME_VAR # value: 'some value' resources: {} - # requests: - # cpu: 10m - # memory: 32Mi +# requests: +# cpu: 10m +# memory: 32Mi securityContext: runAsNonRoot: true @@ -183,9 +184,9 @@ containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true volumes: [] @@ -221,9 +222,9 @@ nodeSelector: kubernetes.io/os: linux ingressShim: {} - # defaultIssuerName: "" - # defaultIssuerKind: "" - # defaultIssuerGroup: "" +# defaultIssuerName: "" +# defaultIssuerKind: "" +# defaultIssuerGroup: "" prometheus: enabled: true 
@@ -308,25 +309,25 @@ webhook: # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. config: - # apiVersion: webhook.config.cert-manager.io/v1alpha1 - # kind: WebhookConfiguration - - # The port that the webhook should listen on for requests. - # In GKE private clusters, by default kubernetes apiservers are allowed to - # talk to the cluster nodes only on 443 and 10250. so configuring - # securePort: 10250, will work out of the box without needing - # to add firewall rules or requiring NET_BIND_SERVICE capabilities - # to bind port numbers <1000. - # This should be uncommented and set as a default by the chart once we - # graduate - # the apiVersion of WebhookConfiguration past v1alpha1. - # securePort: 10250 + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing + # to add firewall rules or requiring NET_BIND_SERVICE capabilities + # to bind port numbers <1000. + # This should be uncommented and set as a default by the chart once we + # graduate + # the apiVersion of WebhookConfiguration past v1alpha1. + # securePort: 10250 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod securityContext: @@ -349,9 +350,9 @@ webhook: allowPrivilegeEscalation: false capabilities: drop: - - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true # Optional additional annotations to add to the webhook Deployment # deploymentAnnotations: {} 
@@ -383,9 +384,9 @@ webhook: featureGates: "" resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi ## Liveness and readiness probe values livenessProbe: @@ -474,32 +475,32 @@ webhook: # Overrides the mutating webhook and validating webhook so they reach # the webhook service using the `url` field instead of a service. url: {} - # host: + # host: # Enables default network policies for webhooks. networkPolicy: enabled: false ingress: - - from: - - ipBlock: - cidr: 0.0.0.0/0 + - from: + - ipBlock: + cidr: 0.0.0.0/0 egress: - - ports: - - port: 80 - protocol: TCP - - port: 443 - protocol: TCP - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - # On OpenShift and OKD, the Kubernetes API server listens on - # port 6443. - - port: 6443 - protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + # On OpenShift and OKD, the Kubernetes API server listens on + # port 6443. + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 volumes: [] volumeMounts: [] @@ -514,10 +515,10 @@ cainjector: replicaCount: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod securityContext: @@ -540,9 +541,9 @@ cainjector: allowPrivilegeEscalation: false capabilities: drop: - - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true # Optional additional annotations to add to the cainjector Deployment @@ -557,9 +558,9 @@ cainjector: # - --enable-profiling=true resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi nodeSelector: kubernetes.io/os: linux 
@@ -646,9 +647,9 @@ startupapicheck: allowPrivilegeEscalation: false capabilities: drop: - - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true # Timeout for 'kubectl check api' command timeout: 1m @@ -669,9 +670,9 @@ startupapicheck: extraArgs: [] resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi nodeSelector: kubernetes.io/os: linux diff --git a/kubernetes/system/cert-manager/issuer.yml b/kubernetes/system/cert-manager/issuer.yml index 7154c1e7..9f4335fe 100644 --- a/kubernetes/system/cert-manager/issuer.yml +++ b/kubernetes/system/cert-manager/issuer.yml @@ -1,3 +1,4 @@ +--- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: @@ -9,6 +10,6 @@ spec: privateKeySecretRef: name: letsencrypt-private-key solvers: - - http01: - ingress: - class: nginx + - http01: + ingress: + class: nginx diff --git a/kubernetes/system/ingress-nginx/ingress-nginx.yml b/kubernetes/system/ingress-nginx/ingress-nginx.yml index 18e5a661..07a10feb 100644 --- a/kubernetes/system/ingress-nginx/ingress-nginx.yml +++ b/kubernetes/system/ingress-nginx/ingress-nginx.yml @@ -8,6 +8,7 @@ ## Labels to apply to all resources ## +--- commonLabels: {} # scmhash: abc123 # myLabel: aakkmd 
@@ -190,53 +191,53 @@ controller: # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" affinity: {} - # # An example of preferred pod anti-affinity, weight is in the range 1-100 - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: kubernetes.io/hostname - - # # An example of required pod anti-affinity - # podAntiAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/instance - # operator: In - # values: - # - ingress-nginx - # - key: app.kubernetes.io/component - # operator: In - # values: - # - controller - # topologyKey: "kubernetes.io/hostname" + # # An example of preferred pod anti-affinity, weight is in the range 1-100 + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + # operator: In + # values: + # - controller + # topologyKey: kubernetes.io/hostname + + # # An example of required pod anti-affinity + # podAntiAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: app.kubernetes.io/name + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/instance + # operator: In + # values: + # - ingress-nginx + # - key: app.kubernetes.io/component + 
# operator: In + # values: + # - controller + # topologyKey: "kubernetes.io/hostname" topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: failure-domain.beta.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - # labelSelector: - # matchLabels: - # app.kubernetes.io/instance: ingress-nginx-internal + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: ingress-nginx-internal # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready ## wait up to five minutes for the drain of connections @@ -303,9 +304,9 @@ controller: minAvailable: 1 resources: - ## limits: - ## cpu: 100m - ## memory: 90Mi + ## limits: + ## cpu: 100m + ## memory: 90Mi requests: cpu: 100m memory: 90Mi @@ -318,18 +319,18 @@ controller: targetCPUUtilizationPercentage: 50 targetMemoryUtilizationPercentage: 50 behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 autoscalingTemplate: [] # Custom or additional autoscaling metrics 
@@ -359,26 +360,26 @@ controller: # annotations: # key: value triggers: [] - # - type: prometheus - # metadata: - # serverAddress: http://:9090 - # metricName: http_requests_total - # threshold: '100' - # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) + # - type: prometheus + # metadata: + # serverAddress: http://:9090 + # metricName: http_requests_total + # threshold: '100' + # query: sum(rate(http_requests_total{deployment="my-deployment"}[2m])) behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + # periodSeconds: 60 # -- Enable mimalloc as a drop-in replacement for malloc. ## ref: https://github.com/microsoft/mimalloc @@ -530,12 +531,12 @@ controller: createSecretJob: resources: {} - # limits: - # cpu: 10m - # memory: 20Mi - # requests: - # cpu: 10m - # memory: 20Mi + # limits: + # cpu: 10m + # memory: 20Mi + # requests: + # cpu: 10m + # memory: 20Mi patchWebhookJob: resources: {} diff --git a/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml b/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml index 314285a6..b0d41bc9 100644 --- a/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml +++ b/kubernetes/system/kube-prometheus-stack/kube-prometheus-stack.yml @@ -2,7 +2,7 @@ # Default values for prometheus. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - +--- rbac: create: true 
@@ -38,14 +38,14 @@ configmapReload: ## env sets environment variables to pass to the container. Can be set as name/value pairs, ## read from secrets or configmaps. env: [] - # - name: SOMEVAR - # value: somevalue - # - name: PASSWORD - # valueFrom: - # secretKeyRef: - # name: mysecret - # key: password - # optional: false + # - name: SOMEVAR + # value: somevalue + # - name: PASSWORD + # valueFrom: + # secretKeyRef: + # name: mysecret + # key: password + # optional: false prometheus: ## If false, the configmap-reload container will not be deployed @@ -82,11 +82,11 @@ configmapReload: ## Additional configmap-reload mounts ## extraConfigmapMounts: [] - # - name: prometheus-alerts - # mountPath: /etc/alerts.d - # subPath: "" - # configMap: prometheus-alerts - # readOnly: true + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true ## Security context to be added to configmap-reload container containerSecurityContext: {} @@ -108,8 +108,10 @@ server: ## Use a ClusterRole (and ClusterRoleBinding) ## - If set to false - we define a RoleBinding in the defined namespaces ONLY ## - ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. - ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges + ## to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on + ## their own namespaces, instead of clusterwide. ## ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. ## 
@@ -123,7 +125,8 @@ server: # If releaseNamespace and namespaces are both set a merged list will be monitored. releaseNamespace: false - ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + ## namespaces to monitor (instead of monitoring all - clusterwide). + # Needed if you want to run without Cluster-admin privileges. # namespaces: # - yournamespace @@ -255,20 +258,20 @@ server: ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tsdb ## tsdb: {} - # out_of_order_time_window: 0s + # out_of_order_time_window: 0s ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#exemplars ## Must be enabled via --enable-feature=exemplar-storage ## exemplars: {} - # max_exemplars: 100000 + # max_exemplars: 100000 ## Custom HTTP headers for Liveness/Readiness/Startup Probe ## ## Useful for providing HTTP Basic Auth to healthchecks probeHeaders: [] - # - name: "Authorization" - # value: "Bearer ABCDEabcde12345" + # - name: "Authorization" + # value: "Bearer ABCDEabcde12345" ## Additional Prometheus server container arguments ## 
@@ -289,27 +292,27 @@ server: ## Additional Prometheus server hostPath mounts ## extraHostPathMounts: [] - # - name: certs-dir - # mountPath: /etc/kubernetes/certs - # subPath: "" - # hostPath: /etc/kubernetes/certs - # readOnly: true + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true extraConfigmapMounts: [] - # - name: certs-configmap - # mountPath: /prometheus - # subPath: "" - # configMap: certs-configmap - # readOnly: true + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true ## Additional Prometheus server Secret mounts # Defines additional mounts with secrets. Secrets must be manually created in the namespace. extraSecretMounts: [] - # - name: secret-files - # mountPath: /etc/secrets - # subPath: "" - # secretName: prom-secret-files - # readOnly: true + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} ## Defining configMapOverrideName will cause templates/server-configmap.yaml @@ -326,7 +329,6 @@ server: enabled: false # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName - # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress # ingressClassName: nginx ## Prometheus server Ingress annotations 
@@ -383,10 +385,10 @@ server: ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ ## tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" ## Node labels for Prometheus server pod assignment ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ @@ -500,7 +502,7 @@ server: ## Annotations to be added to Prometheus server pods ## podAnnotations: {} - # iam.amazonaws.com/role: prometheus + # iam.amazonaws.com/role: prometheus ## Labels to be added to Prometheus server pods ## @@ -515,14 +517,14 @@ server: ## podSecurityPolicy: annotations: {} - ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl - ## - # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' - # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) ## 
@@ -617,7 +619,8 @@ server: ## Vertical Pod Autoscaler config ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler verticalAutoscaler: - ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above + ## configs) enabled: false # updateMode: "Auto" # containerPolicies: @@ -625,14 +628,14 @@ server: # Custom DNS configuration to be added to prometheus server pods dnsConfig: {} - # nameservers: - # - 1.2.3.4 - # searches: - # - ns1.svc.cluster-domain.example - # - my.dns.search.suffix - # options: - # - name: ndots - # value: "2" + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" # - name: edns0 ## Security context to be added to server pods @@ -737,7 +740,7 @@ serverFiles: rule_files: - /etc/config/recording_rules.yml - /etc/config/alerting_rules.yml - ## Below two files are DEPRECATED will be removed from this default values file + ## Below two files are DEPRECATED will be removed from this default values file - /etc/config/rules - /etc/config/alerts @@ -745,7 +748,7 @@ serverFiles: - job_name: prometheus static_configs: - targets: - - localhost:9090 + - localhost:9090 # A scrape configuration for running Prometheus on a Kubernetes cluster. # This uses separate scrape configs for cluster components (i.e. API server, node) @@ -791,7 +794,8 @@ serverFiles: # will add targets for each API server which Kubernetes adds an endpoint to # the default/kubernetes service. relabel_configs: - - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + - source_labels: > + [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] action: keep regex: default;kubernetes;https 
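Review bot: The `source_labels` value in the kubernetes-apiservers scrape job is no longer a list: `source_labels: >` followed by the bracketed line is a folded block scalar, i.e. the string `"[__meta_kubernetes_namespace, …, __meta_kubernetes_endpoint_port_name]\n"`, whereas the removed line was a YAML flow sequence. Prometheus requires `source_labels` to be a list of label names, so once `serverFiles` is rendered into the server ConfigMap this `keep` rule makes the whole `prometheus.yml` fail validation — Prometheus will not start on it, and a running server refuses the reload — which turns a lint clean-up into a monitoring outage and silently keeps the API-server scrape from ever being selected. Satisfy the 120-column limit with a block sequence instead, which keeps the type; the rest of this scrape job's definition lies outside the hunk, and any other flow sequence wrapped the same way in this diff needs the same check. The `allow-non-breakable-inline-mappings` option added in `.yamllint.yml` does not exempt flow sequences, so the block form is the right fix rather than a lint directive.
```yaml
      relabel_configs:
        - source_labels:
            - __meta_kubernetes_namespace
            - __meta_kubernetes_service_name
            - __meta_kubernetes_endpoint_port_name
          action: keep
          regex: default;kubernetes;https
```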
@@ -873,11 +877,14 @@ serverFiles: target_label: __metrics_path__ replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor - # Metric relabel configs to apply to samples before ingestion. - # [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) - # metric_relabel_configs: - # - action: labeldrop - # regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone) + # Metric relabel configs to apply to samples before ingestion. + # [Metric Relabeling] + # (https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + # metric_relabel_configs: + # - action: labeldrop + # regex: + # (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os| + # beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone) # Scrape config for service endpoints. # 
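Review bot: The wrapped `regex:` in the commented `metric_relabel_configs` example no longer round-trips: uncommented as written, YAML folds the two plain-scalar lines with a space, so the alternation becomes `beta_kubernetes_io_os| beta_kubernetes_io_arch` and the labels after the break are silently kept instead of dropped. Keep the pattern on one line and mark it `# yamllint disable-line rule:line-length`, or use a double-quoted scalar whose first line ends in `\` so the line break is escaped rather than folded. Splitting `[Metric Relabeling]` and `(https://…)` onto separate comment lines also breaks the Markdown link, though that part is cosmetic.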
@@ -1157,28 +1164,28 @@ serverFiles: # must be a string so you have to add a | after extraScrapeConfigs: # example adds prometheus-blackbox-exporter scrape config extraScrapeConfigs: "" - # - job_name: 'prometheus-blackbox-exporter' - # metrics_path: /probe - # params: - # module: [http_2xx] - # static_configs: - # - targets: - # - https://example.com - # relabel_configs: - # - source_labels: [__address__] - # target_label: __param_target - # - source_labels: [__param_target] - # target_label: instance - # - target_label: __address__ - # replacement: prometheus-blackbox-exporter:9115 +# - job_name: 'prometheus-blackbox-exporter' +# metrics_path: /probe +# params: +# module: [http_2xx] +# static_configs: +# - targets: +# - https://example.com +# relabel_configs: +# - source_labels: [__address__] +# target_label: __param_target +# - source_labels: [__param_target] +# target_label: instance +# - target_label: __address__ +# replacement: prometheus-blackbox-exporter:9115 # Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager # useful in H/A prometheus with different external labels but the same alerts alertRelabelConfigs: {} - # alert_relabel_configs: - # - source_labels: [dc] - # regex: (.+)\d+ - # target_label: dc +# alert_relabel_configs: +# - source_labels: [dc] +# regex: (.+)\d+ +# target_label: dc networkPolicy: ## Enable creation of NetworkPolicy resources. @@ -1190,14 +1197,14 @@ forceNamespace: "" # Extra manifests to deploy as an array extraManifests: [] - # - | - # apiVersion: v1 - # kind: ConfigMap - # metadata: - # labels: - # name: prometheus-extra - # data: - # extra-data: "value" +# - | +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# labels: +# name: prometheus-extra +# data: +# extra-data: "value" # Configuration of subcharts defined in Chart.yaml diff --git a/kubernetes/system/kube-prometheus-stack/namespace.yml b/kubernetes/system/kube-prometheus-stack/namespace.yml index 90d12efd..55181763 100644 
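Review bot: Dedenting the `extraScrapeConfigs` and `alertRelabelConfigs` examples to column 0 makes them misleading: the comment just above still says the value must be a `|` block string, but an example at column 0 uncommented as-is becomes a top-level sequence instead of the string's content, and `alert_relabel_configs:` becomes a new top-level key rather than a child of `alertRelabelConfigs`. If the dedent is there to satisfy yamllint's comments-indentation rule, prefer keeping the nesting and wrapping the example in `# yamllint disable rule:comments-indentation` / `# yamllint enable rule:comments-indentation`, or show the key in the example itself (`# extraScrapeConfigs: |` followed by the indented job). The `extraManifests` example in the `@@ -1190` hunk is unaffected, since a flush `- |` item is still parsed under its key.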
--- a/kubernetes/system/kube-prometheus-stack/namespace.yml +++ b/kubernetes/system/kube-prometheus-stack/namespace.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/kubernetes/system/vault/namespace.yml b/kubernetes/system/vault/namespace.yml index beb4bbe8..770a7065 100644 --- a/kubernetes/system/vault/namespace.yml +++ b/kubernetes/system/vault/namespace.yml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Namespace metadata: diff --git a/kubernetes/system/vault/vault.yml b/kubernetes/system/vault/vault.yml index 6f53a230..ca2a2c4d 100644 --- a/kubernetes/system/vault/vault.yml +++ b/kubernetes/system/vault/vault.yml @@ -2,7 +2,7 @@ # SPDX-License-Identifier: MPL-2.0 # Available parameters and their default values for the Vault chart. - +--- global: # enabled is the master enabled switch. Setting this to true or false # will enable or disable all the components within this chart by default. @@ -145,8 +145,6 @@ injector: # matchPolicy specifies the approach to accepting changes based on the rules of # the MutatingWebhookConfiguration. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchpolicy - # for more details. # matchPolicy: Exact @@ -160,8 +158,6 @@ injector: # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector - # for more details. # Example: # namespaceSelector: # matchLabels: @@ -170,8 +166,6 @@ injector: # objectSelector is the selector for restricting the webhook to only # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector - # for more details. # Example: # objectSelector: # matchLabels: 
@@ -197,7 +191,6 @@ injector: # Deprecated: please use 'webhook.namespaceSelector' instead # namespaceSelector is the selector for restricting the webhook to only # specific namespaces. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector # for more details. # Example: # namespaceSelector: @@ -208,7 +201,6 @@ injector: # Deprecated: please use 'webhook.objectSelector' instead # objectSelector is the selector for restricting the webhook to only # specific labels. - # See https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-objectselector # for more details. # Example: # objectSelector: @@ -396,20 +388,21 @@ server: ingress: enabled: false labels: {} - # traffic: external + # traffic: external annotations: {} - # | - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - # or - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + # | + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # or + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" # Optionally use ingressClassName instead of deprecated annotation. # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation ingressClassName: "" - # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be sufficient in most cases. + # As of Kubernetes 1.19, all Ingress Paths must have a pathType configured. The default value below should be + # sufficient in most cases. # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types for other possible values. pathType: Prefix 
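Review bot: Removing only the `# See https://…` line in the `@@ -197` and `@@ -208` hunks leaves `# for more details.` orphaned after `# specific namespaces.` and `# specific labels.`; the `@@ -145`, `@@ -160` and `@@ -170` hunks of the same file drop both lines, so these two should match. Either delete the leftover `# for more details.` line as well, or keep the reference and exempt it with `# yamllint disable-line rule:line-length`, since the URL was the only pointer to the upstream selector documentation. Both hunks sit inside the deprecated `injector` selector block, which starts and ends outside the hunk.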
@@ -466,20 +459,6 @@ server: # This is useful if you need to run a script to provision TLS certificates or # write out configuration files in a dynamic way. extraInitContainers: null - # # This example installs a plugin pulled from github into the /usr/local/libexec/vault/oauthapp folder, - # # which is defined in the volumes value. - # - name: oauthapp - # image: "alpine" - # command: [sh, -c] - # args: - # - cd /tmp && - # wget https://github.com/puppetlabs/vault-plugin-secrets-oauthapp/releases/download/v1.2.0/vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64.tar.xz -O oauthapp.xz && - # tar -xf oauthapp.xz && - # mv vault-plugin-secrets-oauthapp-v1.2.0-linux-amd64 /usr/local/libexec/vault/oauthapp && - # chmod +x /usr/local/libexec/vault/oauthapp - # volumeMounts: - # - name: plugins - # mountPath: /usr/local/libexec/vault # extraContainers is a list of sidecar containers. Specified as a YAML list. extraContainers: null @@ -494,8 +473,8 @@ server: # extraPorts is a list of extra ports. Specified as a YAML list. # This is useful if you need to add additional ports to the statefulset in dynamic way. extraPorts: null - # - containerPort: 8300 - # name: http-monitoring + # - containerPort: 8300 + # name: http-monitoring # Used to define custom readinessProbe settings readinessProbe: @@ -507,7 +486,7 @@ server: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 - + # Used to enable a livenessProbe for the pods livenessProbe: enabled: true 
@@ -548,38 +527,38 @@ server: # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. # These variables take value from existing Secret objects. extraSecretEnvironmentVars: [] - # - envName: AWS_SECRET_ACCESS_KEY - # secretName: vault - # secretKey: AWS_SECRET_ACCESS_KEY + # - envName: AWS_SECRET_ACCESS_KEY + # secretName: vault + # secretKey: AWS_SECRET_ACCESS_KEY # Deprecated: please use 'volumes' instead. # extraVolumes is a list of extra volumes to mount. These will be exposed # to Vault in the path `/vault/userconfig//`. The value below is # an array of objects, examples are shown below. extraVolumes: [] - # - type: secret (or "configMap") - # name: my-secret - # path: null # default is `/vault/userconfig` + # - type: secret (or "configMap") + # name: my-secret + # path: null # default is `/vault/userconfig` # volumes is a list of volumes made available to all containers. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. volumes: - - name: vault-ha-tls - secret: - secretName: vault-ha-tls - - name: kms-creds - secret: - secretName: kms-creds + - name: vault-ha-tls + secret: + secretName: vault-ha-tls + - name: kms-creds + secret: + secretName: kms-creds # volumeMounts is a list of volumeMounts for the main server container. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. volumeMounts: - - name: vault-ha-tls - mountPath: /vault/userconfig/vault-ha-tls - - name: kms-creds - mountPath: /vault/userconfig/kms-creds + - name: vault-ha-tls + mountPath: /vault/userconfig/vault-ha-tls + - name: kms-creds + mountPath: /vault/userconfig/kms-creds # Affinity Settings # Commenting out or setting as empty the affinity variable, will allow 
@@ -626,12 +605,12 @@ server: # port: 443 ingress: - from: - - namespaceSelector: {} + - namespaceSelector: {} ports: - - port: 8200 - protocol: TCP - - port: 8201 - protocol: TCP + - port: 8200 + protocol: TCP + - port: 8201 + protocol: TCP # Priority class for server pods priorityClassName: "" @@ -687,11 +666,12 @@ server: # These are only supported for kubernetes versions >=1.23.0 # # Configures the service's supported IP family policy, can be either: - # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first + # configured service cluster IP range. # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. ipFamilyPolicy: "" - + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. # Can be IPv4 and/or IPv6. ipFamilies: [] @@ -709,17 +689,17 @@ server: # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #nodePort: 30000 + # nodePort: 30000 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #activeNodePort: 30001 + # activeNodePort: 30001 # When HA mode is enabled # If type is set to "NodePort", a specific nodePort value can be configured, # will be random if left blank. - #standbyNodePort: 30002 + # standbyNodePort: 30002 # Port on which Vault server is listening port: 8200 
@@ -860,8 +840,8 @@ server: disruptionBudget: enabled: true - # maxUnavailable will default to (n/2)-1 where n is the number of - # replicas. If you'd like a custom value, you can specify an override here. + # maxUnavailable will default to (n/2)-1 where n is the number of + # replicas. If you'd like a custom value, you can specify an override here. maxUnavailable: null # Definition of the serviceAccount used to run Vault. @@ -875,7 +855,8 @@ server: name: "" # Create a Secret API object to store a non-expiring token for the service account. # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default. - # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible. + # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if + # possible. # For more details, see https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets # serviceAccount.create must be equal to 'true' in order to use this feature. createSecret: false @@ -941,7 +922,8 @@ ui: # These are only supported for kubernetes versions >=1.23.0 # # Configures the service's supported IP family, can be either: - # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first configured service cluster IP range. + # SingleStack: Single-stack service. The control plane allocates a cluster IP for the Service, using the first + # configured service cluster IP range. # PreferDualStack: Allocates IPv4 and IPv6 cluster IPs for the Service. # RequireDualStack: Allocates Service .spec.ClusterIPs from both IPv4 and IPv6 address ranges. serviceIPFamilyPolicy: "" @@ -956,7 +938,7 @@ ui: # ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-traffic-policy externalTrafficPolicy: Cluster - #loadBalancerSourceRanges: + # loadBalancerSourceRanges: # - 10.0.0.0/16 # - 1.78.23.3/32 
@@ -988,9 +970,9 @@ csi: # via toYaml rather than pre-processed like the extraVolumes value. # The purpose is to make it easy to share volumes between containers. volumes: - - name: vault-ha-tls - secret: - secretName: vault-ha-tls + - name: vault-ha-tls + secret: + secretName: vault-ha-tls # volumeMounts is a list of volumeMounts for the main server container. These are rendered # via toYaml rather than pre-processed like the extraVolumes value. @@ -1117,8 +1099,8 @@ csi: # See https://developer.hashicorp.com/vault/docs/platform/k8s/csi/configurations#command-line-arguments # for the available command line flags. extraArgs: - - "-vault-tls-ca-cert=/vault/userconfig/vault-ha-tls/vault.ca" - - "-vault-addr=https://vault.vault:8200" + - "-vault-tls-ca-cert=/vault/userconfig/vault-ha-tls/vault.ca" + - "-vault-addr=https://vault.vault:8200" # Vault is able to collect and publish various runtime metrics. # Enabling this feature requires setting adding `telemetry{}` stanza to 
@@ -1172,33 +1154,32 @@ serverTelemetry: scrapeTimeout: 10s prometheusRules: - # The Prometheus operator *must* be installed before enabling this feature, - # if not the chart will fail to install due to missing CustomResourceDefinitions - # provided by the operator. - - # Deploy the PrometheusRule custom resource for AlertManager based alerts. - # Requires that AlertManager is properly deployed. - enabled: false - - # Selector labels to add to the PrometheusRules. - # When empty, defaults to: - # release: prometheus - selectors: {} - - # Some example rules. - rules: [] - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 500ms on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 - # for: 5m - # labels: - # severity: warning - # - alert: vault-HighResponseTime - # annotations: - # message: The response time of Vault is over 1s on average over the last 5 minutes. - # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 - # for: 5m - # labels: - # severity: critical + # The Prometheus operator *must* be installed before enabling this feature, + # if not the chart will fail to install due to missing CustomResourceDefinitions + # provided by the operator. + + # Deploy the PrometheusRule custom resource for AlertManager based alerts. + # Requires that AlertManager is properly deployed. + enabled: false + + # Selector labels to add to the PrometheusRules. + # When empty, defaults to: + # release: prometheus + selectors: {} + # Some example rules. + rules: [] + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 500ms on average over the last 5 minutes. 
+ # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 500 + # for: 5m + # labels: + # severity: warning + # - alert: vault-HighResponseTime + # annotations: + # message: The response time of Vault is over 1s on average over the last 5 minutes. + # expr: vault_core_handle_request{quantile="0.5", namespace="mynamespace"} > 1000 + # for: 5m + # labels: + # severity: critical