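image:
  repository: ghcr.io/pgdogdev/pgdog-enterprise/control
  # tag defaults to .Chart.AppVersion. For production rollouts pin an
  # explicit, immutable tag so that upgrades are reproducible and a
  # re-pushed tag cannot change what the cluster runs.
  tag: ""
  pullPolicy: IfNotPresent
  # List of imagePullSecret names for the private registry above.
  pullSecrets: []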
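# NOTE(review): the nesting below was reconstructed from a listing whose
# indentation was lost — confirm the key paths (e.g. control.config,
# control.rbac) against the chart templates.
control:
  port: 8080
  aws:
    # IRSA role for AWS API access (RDS/CloudWatch). When set, the
    # ServiceAccount is annotated with eks.amazonaws.com/role-arn so the
    # EKS pod-identity webhook injects AWS_ROLE_ARN +
    # AWS_WEB_IDENTITY_TOKEN_FILE into the container, and the AWS SDK
    # exchanges the projected SA token for temporary credentials via STS.
    # Requires that an OIDC provider for the cluster is registered in IAM,
    # and that the role's trust policy permits this SA
    # (system:serviceaccount:<ns>:<release>-control). If
    # rbac.serviceAccountName is overridden, the trust policy must name
    # that ServiceAccount instead.
    roleArn: ""
    # Static IAM-user credentials for testing against AWS from a cluster
    # without IRSA (minikube, kind). When accessKeyId is set the chart
    # renders a `<release>-aws-creds` Secret and the deployment loads it
    # via envFrom. Leave empty in EKS — roleArn above is preferred.
    # Anything that can read Secrets in the release namespace can recover
    # these values, so keep them out of values files committed to version
    # control (pass them with --set or an untracked values file) and
    # rotate them once the test is done.
    accessKeyId: ""
    secretAccessKey: ""
    sessionToken: ""  # optional; only for temporary credentials
    # AWS region the SDK should target. Emitted as AWS_REGION on the
    # container. Required when the pod isn't on an EKS node whose IMDS
    # exposes one.
    region: ""
  rbac:
    # Create a ServiceAccount, ClusterRole, and ClusterRoleBinding granting
    # the control pod read access to namespaces, deployments, statefulsets,
    # configmaps, and secrets across the cluster. Required for the Kube
    # workload inspector in the UI.
    # Cluster-wide read on Secrets is a high-value grant: the control
    # ServiceAccount token (and anything able to exec into the pod) can
    # read every Secret in the cluster. Review this before enabling in a
    # shared cluster, or create a narrower binding out of band and set
    # create to false.
    create: true
    # Override the ServiceAccount name. When empty, falls back to
    # `<release>-control`.
    serviceAccountName: ""
    # Namespaces where the control plane is allowed to create/update/patch/delete
    # workloads (deployments, statefulsets, configmaps, secrets, services).
    # A Role + RoleBinding is generated in each listed namespace. Empty
    # means no write access anywhere — list the release namespace
    # explicitly if you want control to manage workloads alongside itself.
    # Write access to secrets and workloads in a namespace amounts to full
    # control over everything running there; list only namespaces control
    # is meant to manage.
    writeNamespaces: []
  resources:
    requests:
      memory: "256Mi"
      cpu: "250m"
    limits:
      memory: "4Gi"
      cpu: "1000m"
  # Pod-level securityContext for the control deployment.
  # Defaults are PSS Restricted compliant.
  podSecurityContext:
    fsGroup: 1000
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  # Container-level securityContext for the control container.
  # Defaults are PSS Restricted compliant.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  # Runtime configuration written to /etc/pgdog-control/control.toml.
  # Mirrors the control plane runtime config. Every field is optional — anything left
  # unset falls back to the Rust-side default. Field names match the TOML
  # keys (snake_case) so values are passed through verbatim.
  # The rendered control.toml lives in a ConfigMap in plaintext (see the
  # auth.github.secret note below), so tokens and keys placed here
  # (incident_io.api_key, slack.bot_token, credentials embedded in
  # redis.url) are readable by anyone with ConfigMap read access in the
  # namespace. Prefer the env-var / Secret alternatives where one is
  # offered.
  config:
    api: {}
    # pgdog:
    #   ip_allowlist:
    #     # When enabled, restricts /api/v2/* PgDog API endpoints by the
    #     # direct TCP peer IP address. Forwarded headers are ignored.
    #     # Because only the direct peer is checked, requests arriving
    #     # through an in-cluster proxy or Ingress are seen with the
    #     # proxy's address rather than the original client's.
    #     enabled: false
    #     # Defaults, when omitted:
    #     #   - 10.0.0.0/8
    #     #   - 172.16.0.0/12
    #     #   - 192.168.0.0/16
    #     #   - 127.0.0.0/8
    #     #   - ::1/128
    #     #   - fc00::/7
    #     allowed_cidrs: []
    rds: {}
    #   refresh_interval_secs: 60
    #   # Experimental: do not enable in production yet.
    #   autodiscovery: false
    kube: {}
    #   refresh_interval_secs: 15
    dns: {}
    #   refresh_interval_secs: 30
    cloudwatch: {}
    #   refresh_interval_secs: 60
    #   lookback_secs: 3600
    #   period_secs: 60
    store: {}
    #   tick_secs: 1
    #   stale_after_secs: 5
    #   evict_after_secs: 60
    #   process_notify_interval_secs: 60
    #   metrics_retention_secs: 300
    #   query_history_limit: 1000
    #   autoreload: off
    autoscaling: {}
    #   pool_size: false
    leader: {}
    #   enabled: true
    #   lease_name: ""  # Empty means derive from Helm release.
    #   lease_duration_secs: 15
    #   renew_interval_secs: 5
    #   release_timeout_secs: 3
    helm: {}
    #   chart: pgdog
    #   repo: pgdogdev
    #   repo_url: https://helm.pgdog.dev
    auth: {}
    #   cookie_secret: ""  # optional; random key generated at boot when absent
    #   # A key generated at boot is lost on restart (existing sessions are
    #   # invalidated) and, if more than one replica runs, presumably
    #   # differs per pod — set an explicit value for anything beyond a
    #   # single-replica test.
    #   redirect_base_url: ""  # e.g. https://control.example.com
    #   cookie_secure: true
    #   session_max_age_days: 30
    #   state_max_age_min: 10
    #   github:
    #     client_id: ""
    #     client_secret: ""
    #     allowed_orgs: []
    #     # Instead of inlining client_id/client_secret above (which land in
    #     # the ConfigMap in plaintext), source them from an existing Secret
    #     # in the release namespace. Each key is injected as the matching
    #     # GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET env var via secretKeyRef,
    #     # which the control plane reads when the field is absent from
    #     # control.toml. When using a key here, leave the corresponding
    #     # client_id/client_secret above unset. The `[auth.github]` section
    #     # still renders (enabling the provider) as long as this block or
    #     # allowed_orgs is set.
    #     secret:
    #       name: ""  # existing Secret in the release namespace
    #       clientIdKey: ""  # key -> GITHUB_CLIENT_ID (optional)
    #       clientSecretKey: ""  # key -> GITHUB_CLIENT_SECRET (optional)
    #   google:
    #     client_id: ""
    #     client_secret: ""
    #     allowed_domains: []
    #     secret:
    #       name: ""  # existing Secret in the release namespace
    #       clientIdKey: ""  # key -> GOOGLE_CLIENT_ID (optional)
    #       clientSecretKey: ""  # key -> GOOGLE_CLIENT_SECRET (optional)
    alerts: {}
    #   evaluation_window_secs: 300
    #   thresholds:
    #     clients_waiting: 10
    #     cpu: 90.0
    #     memory: 2048
    #     server_connections: 100
    #   incident_io:
    #     api_key: ""
    slack: {}
    #   bot_token: ""  # optional; defaults to SLACK_BOT_TOKEN env when absent
    #   channel: ""  # optional; defaults to SLACK_CHANNEL env when absent
    redis: {}
    #   url: ""  # optional; defaults to in-cluster redis
    #   save_interval_secs: 60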
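# Settings for the in-cluster Redis that control uses as its default
# store (config.redis.url falls back to it when empty).
redis:
  resources:
    requests:
      memory: "128Mi"
      cpu: "100m"
    limits:
      memory: "256Mi"
      cpu: "500m"
  # Pod-level securityContext for the Redis deployment.
  # Defaults are PSS Restricted compliant.
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999
    seccompProfile:
      type: RuntimeDefault
  # Container-level securityContext for the Redis container.
  # Defaults are PSS Restricted compliant.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]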
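# NOTE(review): presumably renders a NetworkPolicy for the release when
# enabled — confirm what it restricts against the templates. Off by
# default, so traffic to the control and Redis pods is unrestricted unless
# the cluster applies its own policies.
networkPolicy:
  enabled: false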
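ingress:
  enabled: true
  # mode selects the annotation / ingressClassName / TLS preset applied
  # to the rendered Ingress. One of:
  #   nginx   — ingress-nginx + cert-manager. TLS terminated at nginx
  #             via a cert-manager-issued Secret. Driven by
  #             ingress.nginx.*.
  #   aws     — AWS Load Balancer Controller (ALB). TLS terminated at
  #             the ALB using an ACM cert. Driven by ingress.aws.*.
  #   gateway — Gateway API HTTPRoute. Renders an HTTPRoute instead of
  #             an Ingress. TLS is handled by the Gateway/LB. Driven by
  #             ingress.gateway.*.
  #   default — no preset is applied. The chart only emits the rule that
  #             routes to the control Service; provide your own
  #             annotations, ingressClassName, and tls block via the
  #             top-level keys below.
  mode: nginx
  # host is the external hostname routed to the control plane. Required when
  # mode is "nginx" or "aws"; optional in "default" mode (omit to leave
  # the rule unbound to a host).
  # host: control.example.com
  # labels are merged into metadata.labels on top of the chart's
  # standard labels. Applied in every mode.
  labels: {}
  # nginx-mode settings (ignored unless mode == "nginx").
  nginx:
    tls:
      # When true, emits cert-manager.io/cluster-issuer +
      # nginx.ingress.kubernetes.io/ssl-redirect annotations and a tls
      # block referencing <release>-control-tls.
      enabled: true
      clusterIssuer: "letsencrypt-prod"
      # Quoted on purpose: this becomes an annotation value, and
      # annotation values must be strings.
      sslRedirect: "true"
  # gateway-mode settings (ignored unless mode == "gateway").
  # Renders a Gateway API HTTPRoute instead of an Ingress. Use this when
  # traffic enters through a Gateway (Traefik, Envoy Gateway, AWS ALB
  # via gateway.k8s.aws, etc.) and TLS is terminated at the Gateway or
  # its backing load balancer.
  gateway:
    # name of the Gateway resource the HTTPRoute attaches to.
    name: ""
    # namespace of the Gateway resource.
    namespace: ""
    # sectionName selects a specific listener on the Gateway. Leave empty
    # to attach to all listeners that match the hostname.
    sectionName: ""
  # aws-mode settings (ignored unless mode == "aws").
  aws:
    # scheme controls whether the ALB is internet-facing or internal.
    # Valid values: "internet-facing" or "internal".
    # The default publishes the control UI on the public internet; use
    # "internal" when it only needs to be reachable from inside the VPC.
    scheme: "internet-facing"
    # Optional comma-separated subnet IDs for the ALB. When empty, the
    # AWS Load Balancer Controller auto-discovers subnets from tags.
    subnets: ""
    # certificateArn is the ACM cert ARN attached to the HTTPS listener.
    # Optional: when empty the ALB serves HTTP only (no 443 listener).
    # With an internet-facing scheme, leaving this empty means login
    # credentials and session cookies travel in clear text; a
    # cookie_secure session cookie (config.auth) presumably will not be
    # sent over plain HTTP at all, so set the ARN for any real deployment.
    certificateArn: ""
    # sslRedirect: when true and certificateArn is set, the ALB
    # redirects HTTP:80 to HTTPS:443. Ignored when certificateArn is
    # empty. A boolean here, unlike nginx.tls.sslRedirect which is an
    # annotation string; the template is assumed to render it — confirm.
    sslRedirect: true
  # default-mode settings (ignored unless mode == "default"). Provide
  # whatever your environment's ingress controller expects; the chart
  # passes these through verbatim and adds nothing on top.
  annotations: {}
  ingressClassName: ""
  # tls is rendered as-is under spec.tls — supply the full list of
  # {hosts, secretName} entries your controller expects, e.g.:
  # tls:
  #   - hosts: [control.example.com]
  #     secretName: control-tls
  tls: []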