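---
# Flux HelmRelease for the weave-gitops dashboard, carrying the chart's
# values inline. Restored to block style (the original was collapsed onto
# a few long lines); comment typos fixed; the empty passwordHash made an
# explicit null so the intent is visible.
# NOTE(review): helm.toolkit.fluxcd.io/v2beta1 is a deprecated HelmRelease
# API version; migrate to v2 once the cluster's Flux supports it.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: weave-gitops
  namespace: weave-gitops
spec:
  chart:
    spec:
      chart: weave-gitops
      # Semver range resolved by Flux against the HelmRepository below.
      version: 4.x
      sourceRef:
        kind: HelmRepository
        name: weave-gitops
        namespace: flux-system
  interval: 15m
  timeout: 5m
  releaseName: weave-gitops
  values:
    # Default values for chart.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.
    # Note: paragraphs starting with `# --` will end up in our manual -
    # see https://github.com/norwoodj/helm-docs
    replicaCount: 1

    image:
      # FIXME check the app name
      repository: ghcr.io/weaveworks/wego-app
      pullPolicy: IfNotPresent
      # Overrides the image tag whose default is the chart appVersion.
      tag: "v0.37.0"

    imagePullSecrets: []
    nameOverride: ""
    fullnameOverride: ""

    # -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error'
    logLevel: info

    # -- Additional arguments to pass in to the gitops-server
    additionalArgs: []

    # Any other environment variables:
    envVars:
      - name: WEAVE_GITOPS_FEATURE_TENANCY
        value: "true"
      - name: WEAVE_GITOPS_FEATURE_CLUSTER
        value: "false"

    # -- Annotations to add to the deployment
    annotations: {}

    # Should the 'oidc-auth' secret be created. For a detailed
    # explanation of these attributes please see our documentation:
    # https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider
    # NOTE(review): with oidcSecret.create and adminUser.create both false,
    # the dashboard's login configuration must come from a pre-existing
    # 'oidc-auth' (or 'cluster-user-auth') secret in the release namespace;
    # confirm one exists before relying on the ingress below.
    oidcSecret:
      create: false
      # clientID:
      # clientSecret:
      # issuerURL:
      # redirectURL:
      # -- If non empty, additional keys can be added to the OIDC secret
      additionalKeys: {}
      # additionalKeys:
      #   claimUsername: "email"
      #   claimGroups: "groups"
      #   customScopes: "openid,offline_access,email,groups"

    serviceAccount:
      # -- Specifies whether a service account should be created
      create: true
      # -- Annotations to add to the service account
      annotations: {}
      # -- The name of the service account to use.
      # If not set and create is true, a name is generated using the fullname template
      name: ""

    rbac:
      # -- Specifies whether the clusterRole & binding to the service account should be created
      create: true
      # -- If non-empty, this limits the resources that the service
      # account can impersonate. This applies to both users and groups, e.g.
      # `['user1@corporation.com', 'user2@corporation.com', 'operations']`
      # NOTE(review): an empty list leaves impersonation unrestricted for the
      # listed resource types; confirm that is intended for this cluster.
      impersonationResourceNames: []
      # -- Limit the type of principal that can be impersonated
      impersonationResources: ["users", "groups"]
      # -- If non-empty, this limits the secrets that can be accessed by
      # the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
      viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
      # -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
      # for example,
      # additionalRules:
      #   - apiGroups: ["infra.contrib.fluxcd.io"]
      #     resources: ["terraforms"]
      #     verbs: ["get", "list", "patch"]
      additionalRules: []

    adminUser:
      # -- Whether the local admin user should be created.
      # If you use this make sure you add it to `rbac.impersonationResourceNames`.
      create: false
      # -- Specifies whether the clusterRole & binding to the admin user should be created.
      # Will be created only if `adminUser.create` is enabled. Without this,
      # the adminUser will only be able to see resources in the target namespace.
      createClusterRole: true
      # -- Whether we should create the secret for the local
      # adminUser. Will be created only if `adminUser.create` is
      # enabled. Without this, we'll still set up the roles and
      # permissions, but the secret with username and password has to be
      # provided separately.
      createSecret: true
      # -- Set username for local admin user, this should match the value in the secret `cluster-user-auth`
      # which can be created with `adminUser.createSecret`. Requires `adminUser.create`.
      username: gitops-test-user
      # -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
      # This needs to have been hashed using bcrypt.
      # You can do this via our CLI with `gitops get bcrypt-hash`.
      # Explicit null: no hash is committed here, and adminUser.create is false.
      passwordHash: null

    podAnnotations: {}
    podLabels: {}
      # aadpodidbinding: identity

    podSecurityContext: {}
      # fsGroup: 2000

    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      seccompProfile:
        type: RuntimeDefault
      runAsUser: 1000
      readOnlyRootFilesystem: true

    service:
      create: true
      type: ClusterIP
      port: 9001
      # nodePort:
      annotations: {}

    ingress:
      enabled: true
      className: ""
      annotations: {}
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      hosts:
        - host: weave-gitops.michaelthomson.dev
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls:
        - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
          hosts:
            - weave-gitops.michaelthomson.dev

    extraVolumes: []
    extraVolumeMounts: []
    # Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
    # with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
    # secretProviderClass so this will be created by the secrets store CSI driver.
    # See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
    # extraVolumeMounts:
    #   - name: ww-gitops-oauth-volume
    #     mountPath: /mnt/secrets
    #     readOnly: true
    # extraVolumes:
    #   - name: ww-gitops-oauth-volume
    #     csi:
    #       driver: secrets-store.csi.k8s.io
    #       readOnly: true
    #       volumeAttributes:
    #         secretProviderClass: ww-gitops-oauth-provider

    resources: {}
      # We usually recommend not to specify default resources and to leave this as a conscious
      # choice for the user. This also increases chances charts run on environments with little
      # resources, such as Minikube. If you do want to specify resources, uncomment the following
      # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      # limits:
      #   cpu: 100m
      #   memory: 128Mi
      # requests:
      #   cpu: 100m
      #   memory: 128Mi

    networkPolicy:
      # -- Specifies whether default network policies should be created.
      create: true

    nodeSelector: {}
    tolerations: []
    affinity: {}

    serverTLS:
      # -- Enable TLS termination in gitops itself. If you enable this,
      # you need to create a secret, and specify the secretName. Another
      # option is to create an ingress.
      enable: false
      # -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format.
      # See
      # https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples
      secretName: "my-secret-tls"
      # Example of tls secret
      #
      # apiVersion: v1
      # kind: Secret
      # metadata:
      #   name: my-secret-tls
      # type: kubernetes.io/tls
      # data:
      #   # the data is abbreviated in this example
      #   tls.crt: |
      #     MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
      #   tls.key: |
      #     MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
      #
      # You can also create a tls secret from files with this k8s command:
      # kubectl create secret tls my-tls-secret \
      #   --cert=path/to/cert/file \
      #   --key=path/to/key/file

    metrics:
      # -- Start the metrics exporter
      enabled: false
      service:
        # -- Port to start the metrics exporter on
        port: 2112
        # -- Annotations to set on the service
        # NOTE(review): the `{{ .Values... }}` expression below is passed to the
        # chart as a literal string; it only becomes the port number if the
        # chart renders these annotations through `tpl` — confirm before
        # relying on it for scraping.
        annotations:
          prometheus.io/scrape: "true"
          prometheus.io/path: "/metrics"
          prometheus.io/port: "{{ .Values.metrics.service.port }}"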