forked from janus-idp/helm-backstage
-
Notifications
You must be signed in to change notification settings - Fork 0
/
values.yaml
231 lines (214 loc) · 9.57 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
global:
dynamic:
# -- Array of YAML files listing dynamic plugins to include with those listed in the `plugins` field.
# Relative paths are resolved from the working directory of the initContainer that will install the plugins (`/opt/app-root/src`).
includes:
# -- List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default.
# This file ONLY works with the `janus-idp/backstage-showcase` container image.
- 'dynamic-plugins.default.yaml'
# -- List of dynamic plugins, possibly overriding the plugins listed in `includes` files.
# Every item defines the plugin `package` as a [NPM package spec](https://docs.npmjs.com/cli/v10/using-npm/package-spec),
# an optional `pluginConfig` with plugin-specific backstage configuration, and an optional `disabled` flag to disable/enable a plugin
# listed in `includes` files. It also includes an `integrity` field that is used to verify the plugin package [integrity](https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description).
plugins: []
# -- Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled.
clusterRouterBase: apps.example.com
# -- Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`
host: ""
# -- Enable service authentication within Backstage instance
auth:
# -- Backend service to service authentication
# <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/
backend:
# -- Enable backend service to service authentication, unless configured otherwise it generates a secret value
enabled: true
# -- Instead of generating a secret value, refer to existing secret
existingSecret: ""
# -- Instead of generating a secret value, use fo;lowing value
value: ""
# -- Upstream Backstage [chart configuration](https://github.com/backstage/charts/blob/main/charts/backstage/values.yaml)
# @default -- Use Openshift compatible settings
upstream:
nameOverride: backstage
backstage:
image:
registry: quay.io
repository: janus-idp/backstage-showcase
tag: latest
command: []
# FIXME (tumido): USE POSTGRES_PASSWORD and POSTGRES_USER instead of POSTGRES_ADMIN_PASSWORD
# This is a hack. In {fedora,rhel}/postgresql images, regular user is forbidden
# from creating DBs in runtime. A single DB can be created ahead of time via
# POSTGRESQL_DATABASE env variable (in this case via
# upstream.postgresql.primary.extraEnvVars value), but this doesn't allow us to
# create multiple DBs. Since Backstage requires by default 5 different DBs, we
# can't accommodate that properly.
appConfig:
app:
# Please update to match host in case you don't want to configure hostname via `global.clusterRouterBase` or `global.host`.
baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
backend:
baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
cors:
origin: 'https://{{- include "janus-idp.hostname" . }}'
database:
connection:
password: ${POSTGRESQL_ADMIN_PASSWORD}
user: postgres
auth:
keys:
- secret: ${BACKEND_SECRET}
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthcheck
port: 7007
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 2
timeoutSeconds: 2
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthcheck
port: 7007
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
extraEnvVars:
- name: BACKEND_SECRET
valueFrom:
secretKeyRef:
key: backend-secret
name: '{{ include "janus-idp.backend-secret-name" $ }}'
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: postgres-password
name: '{{- include "janus-idp.postgresql.secretName" . }}'
args:
# This additional `app-config`` file is generated by the initContainer below, and contains the merged configuration of installed dynamic plugins.
- '--config'
- dynamic-plugins-root/app-config.dynamic-plugins.yaml
extraVolumeMounts:
# The initContainer below will install dynamic plugins in this volume mount.
- name: dynamic-plugins-root
mountPath: /opt/app-root/src/dynamic-plugins-root
extraVolumes:
# -- Ephemeral volume that will contain the dynamic plugins installed by the initContainer below at start.
- name: dynamic-plugins-root
ephemeral:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
# -- Size of the volume that will contain the dynamic plugins. It should be large enough to contain all the plugins.
storage: 1Gi
# Volume that will expose the `dynamic-plugins.yaml` file from the `dynamic-plugins` config map.
# The `dynamic-plugins` config map is created by the helm chart from the content of the `global.dynamic` field.
- name: dynamic-plugins
configMap:
defaultMode: 420
name: dynamic-plugins
optional: true
# Optional volume that allows exposing the `.npmrc` file (through a `dynamic-plugins-npmrc` secret)
# to be used when running `npm pack` during the dynamic plugins installation by the initContainer.
- name: dynamic-plugins-npmrc
secret:
defaultMode: 420
optional: true
secretName: dynamic-plugins-npmrc
initContainers:
- name: install-dynamic-plugins
# -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
# It could be replaced by a custom image based on this one.
# @default -- `quay.io/janus-idp/backstage-showcase:latest`
image: '{{ include "backstage.image" . }}'
command:
- ./install-dynamic-plugins.sh
- /dynamic-plugins-root
env:
- name: NPM_CONFIG_USERCONFIG
value: /opt/app-root/src/.npmrc.dynamic-plugins
imagePullPolicy: Always
volumeMounts:
- mountPath: /dynamic-plugins-root
name: dynamic-plugins-root
- mountPath: /opt/app-root/src/dynamic-plugins.yaml
name: dynamic-plugins
readOnly: true
subPath: dynamic-plugins.yaml
- mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
name: dynamic-plugins-npmrc
readOnly: true
subPath: .npmrc
workingDir: /opt/app-root/src
installDir: /opt/app-root/src
podAnnotations:
checksum/dynamic-plugins: >-
{{- include "common.tplvalues.render" ( dict "value"
.Values.global.dynamic "context" $) | sha256sum }}
postgresql:
enabled: true
postgresqlDataDir: /var/lib/pgsql/data/userdata
image:
registry: quay.io
repository: fedora/postgresql-15
tag: latest
auth:
secretKeys:
adminPasswordKey: postgres-password
userPasswordKey: password
primary:
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: false
persistence:
enabled: true
size: 1Gi
mountPath: /var/lib/pgsql/data
extraEnvVars:
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: postgres-password
name: '{{- include "postgresql.v1.secretName" . }}'
ingress:
host: "{{ .Values.global.host }}"
# -- OpenShift Route parameters
route:
# -- Route specific annotations
annotations: {}
# -- Enable the creation of the route resource
enabled: true
# -- Set the host attribute to a custom value. If not set, OpenShift will generate it, please make sure to match your baseUrl
host: "{{ .Values.global.host }}"
# -- Path that the router watches for, to route traffic for to the service.
path: "/"
# -- Wildcard policy if any for the route. Currently only 'Subdomain' or 'None' is allowed.
wildcardPolicy: None
# -- Route TLS parameters
# <br /> Ref: https://docs.openshift.com/container-platform/4.9/networking/routes/secured-routes.html
tls:
# -- Enable TLS configuration for the host defined at `route.host` parameter
enabled: true
# -- Specify TLS termination.
termination: "edge"
# -- Certificate contents
certificate: ""
# -- Key file contents
key: ""
# -- Cert authority certificate contents. Optional
caCertificate: ""
# -- Contents of the ca certificate of the final destination.
# <br /> When using reencrypt termination this file should be provided in order to have routers use it for health checks on the secure connection. If this field is not specified, the router may provide its own destination CA and perform hostname validation using the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify.
destinationCACertificate: ""
# -- Indicates the desired behavior for insecure connections to a route.
# <br /> While each router may make its own decisions on which ports to expose, this is normally port 80. The only valid values are None, Redirect, or empty for disabled.
insecureEdgeTerminationPolicy: "Redirect"