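##############
### Common ###
##############
# fullnameOverride:
# nameOverride:

###########
### Dex ###
###########
# Dex OIDC identity provider. Disabled by default; every credential below is an
# example placeholder and must be replaced (ideally via a separate, non-committed
# values file or --set) before `enabled` is flipped to true.
dex:
  enabled: false
  name: dex
  # Image
  image:
    repository: quay.io/dexidp/dex
    tag: v2.25.0
    pullPolicy: IfNotPresent
  # Deployment settings
  replicas: 1
  resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # Container port; dex.config.web.http must listen on the same port.
  port: 8080
  servicePort: 8080
  # Ingress
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    # NOTE(review): the example issuer below uses dex.k8s.example.org while the
    # ingress host is dex.example.local; OIDC clients validate the issuer string
    # exactly, so these must agree in a real deployment.
    hosts:
      - dex.example.local
    tls: []
    #  - secretName: dex-example-tls
    #    hosts:
    #      - dex.example.local
  # RBAC
  rbac:
    create: true
    # Uncomment if rbac.create is false
    # serviceAccountName:
  # Dex configuration
  # See https://github.com/coreos/dex/tree/master/Documentation
  config:
    # Externally visible issuer URL (scheme + host + path). Relying parties
    # (loginapp, keycloak-proxy) must be configured with this exact value.
    issuer: https://dex.k8s.example.org/dex
    storage:
      # Kubernetes storage by default, Dex will create CRD on first launch:
      # * authcodes.dex.coreos.com
      # * authrequests.dex.coreos.com
      # * connectors.dex.coreos.com
      # * oauth2clients.dex.coreos.com
      # * offlinesessionses.dex.coreos.com
      # * passwords.dex.coreos.com
      # * refreshtokens.dex.coreos.com
      # * signingkeies.dex.coreos.com
      type: kubernetes
      config:
        inCluster: true
    web:
      # Be careful this should be equals to dex.port
      http: "0.0.0.0:8080"
    logger:
      # "debug" is verbose; lower it (e.g. "info") once the deployment works.
      level: "debug"
      format: json
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: LDAP
        config:
          # Host and optional port of the LDAP server in the form "host:port".
          # If the port is not supplied, it will be guessed based on "insecureNoSSL",
          # and "startTLS" flags. 389 for insecure or StartTLS connections, 636
          # otherwise.
          host: ldap.k8s.example.org:1389
          # Following field is required if the LDAP host is not using TLS (port 389).
          # Because this option inherently leaks passwords to anyone on the same network
          # as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE.
          # Example default only: set to false (and use ldaps:// or startTLS) for any
          # directory that holds real credentials.
          insecureNoSSL: true
          # If a custom certificate isn't provide, this option can be used to turn on
          # TLS certificate checks. As noted, it is insecure and shouldn't be used outside
          # of explorative phases. Prefer rootCA / rootCAData with this set to false.
          insecureSkipVerify: true
          # When connecting to the server, connect using the ldap:// protocol then issue
          # a StartTLS command. If unspecified, connections will use the ldaps:// protocol
          #
          # startTLS: true
          # Path to a trusted root certificate file. Default: use the host's root CA.
          # rootCA: /etc/dex/ldap.ca
          # A raw certificate file can also be provided inline.
          # rootCAData:
          # The DN and password for an application service account. The connector uses
          # these credentials to search for users and groups. Not required if the LDAP
          # server provides access for anonymous auth.
          # Please note that if the bind password contains a `$`, it has to be saved in an
          # environment variable which should be given as the value to `bindPW`.
          # Use a read-only search account, never a directory admin.
          bindDN: cn=admin,dc=example,dc=org
          # Placeholder. Do not commit the real bind password to this file; supply it
          # from a secret / separate values file (the `$ENV_VAR` form above works too).
          bindPW: admin
          # User search maps a username and password entered by a user to a LDAP entry.
          userSearch:
            # BaseDN to start the search from. It will translate to the query
            # "(&(objectClass=person)(uid=<username>))".
            baseDN: ou=People,dc=example,dc=org
            # Optional filter to apply when searching the directory.
            filter: "(objectClass=posixAccount)"
            # username attribute used for comparing user entries. This will be translated
            # and combine with the other filter as "(<attr>=<username>)".
            username: mail
            # The following three fields are direct mappings of attributes on the user entry.
            # String representation of the user.
            idAttr: uid
            # Required. Attribute to map to Email.
            emailAttr: mail
            # Maps to display name of users. No default value.
            nameAttr: uid
          # Group search queries for groups given a user entry.
          groupSearch:
            # BaseDN to start the search from. It will translate to the query
            # "(&(objectClass=group)(member=<user uid>))".
            baseDN: ou=Groups,dc=example,dc=org
            # Optional filter to apply when searching the directory.
            filter: "(objectClass=posixGroup)"
            # Following two fields are used to match a user to a group. It adds an additional
            # requirement to the filter that an attribute in the group must match the user's
            # attribute value.
            userAttr: uid
            groupAttr: memberUid
            # Represents group name.
            nameAttr: cn
    oauth2:
      # Users are not shown a consent screen; acceptable only because every
      # static client below is operator-controlled.
      skipApprovalScreen: true
    # Configure static clients.
    # Warning: ID fields must match client-id field on
    # your kubernetes API server configuration
    # Use trusted peers feature if more than one
    # app should be used by kubernetes.
    staticClients:
      - id: cli
        redirectURIs:
          - 'https://loginapp.example.local/callback'
        name: 'Login Application'
        # Example value shared with loginapp.config.oidc.client.secret; generate a
        # fresh random secret per deployment and keep the two in sync.
        secret: ZXhhbXBsZS1hcHAtc2VjcmV0
      # If keycloak is enabled, uncomment and complete
      # following lines:
      # - id: login
      #   redirectURIs:
      #     - 'https://dashboard.example.local/oauth/callback'
      #   name: 'Dashboard Application'
      #   secret: iCeiqu5phogh3Eesh5iPu3gaph9eexo6
      #   trustedPeers:
      #     - cli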
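################
### Loginapp ###
################
# Loginapp: web front-end that obtains an ID token from Dex and renders a
# kubeconfig. Disabled by default; values below are examples.
loginapp:
  enabled: false
  name: loginapp
  # Image
  image:
    repository: quay.io/fydrah/loginapp
    tag: v3.1.0
    pullPolicy: IfNotPresent
  # Deployment settings
  replicas: 1
  resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # NOTE(review): config.listen below binds port 5555 while port/servicePort are
  # 8080; unless the chart templates remap this, the Service will not reach the
  # process. Confirm against the templates before enabling.
  port: 8080
  servicePort: 8080
  # Ingress
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    hosts:
      - loginapp.example.local
    tls: []
    #  - secretName: loginapp-example-tls
    #    hosts:
    #      - loginapp.example.local
  # Loginapp configuration
  # see: https://github.com/fydrah/loginapp#configuration
  config:
    name: "Login Application"
    listen: "0.0.0.0:5555"
    oidc:
      client:
        # Must equal the `id` of a dex.config.staticClients entry. The dex example
        # in this file registers `cli`, not `loginapp`; align one of the two.
        id: "loginapp"
        # Example value; must equal the matching static client's `secret` in dex.
        # Generate a random one and keep it out of committed values.
        secret: ZXhhbXBsZS1hcHAtc2VjcmV0
        # Must be listed verbatim in the static client's redirectURIs.
        redirect_url: "https://loginapp.example.local/callback"
      issuer:
        # CA bundle used to verify the issuer's TLS certificate; presumably
        # populated from `issuerCA` below by the chart — confirm in templates.
        root_ca: "/etc/ssl/ca.pem"
        # Must be byte-identical to dex.config.issuer (scheme, host AND path):
        # discovery is fetched from <url>/.well-known/openid-configuration and the
        # `iss` claim is compared exactly. The dex example above serves under /dex.
        url: "https://dex.example.local"
  # Issuer certificate authority
  issuerCA: ""
  #
  # Example: Letsencrypt CA
  # issuerCA: |
  #   -----BEGIN CERTIFICATE-----
  #   MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
  #   MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
  #   DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  #   PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
  #   Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  #   AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
  #   rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
  #   OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
  #   xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
  #   7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
  #   aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
  #   HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
  #   SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
  #   ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
  #   AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
  #   R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
  #   JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
  #   Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
  #   -----END CERTIFICATE-----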
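######################
### Keycloak Proxy ###
######################
# keycloak-gatekeeper as an OIDC auth proxy in front of the Kubernetes dashboard.
# Disabled by default; values below are examples. Gatekeeper (later Louketo Proxy)
# is no longer maintained upstream — check for a supported replacement before use.
keycloakProxy:
  enabled: false
  name: keycloak-proxy
  # Image
  image:
    repository: keycloak/keycloak-gatekeeper
    tag: "7.0.0"
    pullPolicy: IfNotPresent
  # Deployment settings
  replicas: 1
  resources: {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podAnnotations: {}
  # Container port; config.listen below must bind the same port.
  port: 8080
  servicePort: 8080
  # Ingress
  ingress:
    enabled: false
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: 'true'
    hosts:
      - dashboard.example.local
    tls: []
    #  - secretName: dashboard-example-tls
    #    hosts:
    #      - dashboard.example.local
  # Keycloak-proxy configuration
  # See https://www.keycloak.org/docs/latest/securing_apps/index.html#example-usage-and-configuration
  config:
    # Placeholders. client-id must match a dex.config.staticClients entry (the
    # commented `login` client in the dex section) and client-secret its `secret`;
    # supply the real secret from a Kubernetes Secret, not from this file.
    client-id: CLIENT_ID
    client-secret: CLIENT_SECRET
    listen: ":8080"
    enable-refresh-tokens: true
    # Must be <dex.config.issuer>/.well-known/openid-configuration. As written the
    # host (dex.example.org) differs from the dex example issuer (dex.k8s.example.org).
    discovery-url: https://dex.example.org/dex/.well-known/openid-configuration
    # Encrypts the refresh-token cookie. Example value — generate a fresh random key
    # per deployment and keep it out of VCS. NOTE(review): this example is 40
    # characters; gatekeeper, as far as I recall, only accepts 16- or 32-character
    # keys (AES-128/256) — verify against the documented constraint.
    encryption-key: 0626a8d4c2544b141e629a9abf6c5db378b0e353
    # By default, insecure communication between
    # keycloak proxy and k8s dashboard (in-cluster communication)
    upstream-url: http://kubernetes-dashboard.kube-system:80
    scopes: []
    # Empty list: no per-URI rules declared here; check gatekeeper's documented
    # default before relying on the whole upstream being protected.
    resources: []
  # Issuer certificate authority
  issuerCA: ""
  #
  # Example: Letsencrypt CA
  # issuerCA: |
  #   -----BEGIN CERTIFICATE-----
  #   MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
  #   MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
  #   DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
  #   PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
  #   Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
  #   AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
  #   rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
  #   OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
  #   xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
  #   7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
  #   aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
  #   HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
  #   SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
  #   ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
  #   AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
  #   R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
  #   JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
  #   Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
  #   -----END CERTIFICATE-----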