mirror of
https://github.com/michaelthomson0797/fleet-infra.git
synced 2026-02-04 04:59:54 +00:00
220 lines
8.2 KiB
YAML
220 lines
8.2 KiB
YAML
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: weave-gitops
|
|
namespace: weave-gitops
|
|
spec:
|
|
chart:
|
|
spec:
|
|
chart: weave-gitops
|
|
version: 4.x
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: weave-gitops
|
|
namespace: flux-system
|
|
interval: 15m
|
|
timeout: 5m
|
|
releaseName: weave-gitops
|
|
values:
|
|
# Default values for chart.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
# Note: paragraphs starting with `# --` will end up in our manual -
|
|
# see https://github.com/norwoodj/helm-docs
|
|
replicaCount: 1
|
|
image:
|
|
# FIXME check the app name
|
|
repository: ghcr.io/weaveworks/wego-app
|
|
pullPolicy: IfNotPresent
|
|
# Overrides the image tag whose default is the chart appVersion.
|
|
tag: "v0.37.0"
|
|
imagePullSecrets: []
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
# -- What log level to output. Valid levels are 'debug', 'info', 'warn' and 'error'
|
|
logLevel: info
|
|
# -- Additional arguments to pass in to the gitops-server
|
|
additionalArgs: []
|
|
# Any other environment variables:
|
|
envVars:
|
|
- name: WEAVE_GITOPS_FEATURE_TENANCY
|
|
value: "true"
|
|
- name: WEAVE_GITOPS_FEATURE_CLUSTER
|
|
value: "false"
|
|
# -- Annotations to add to the deployment
|
|
annotations: {}
|
|
# Should the 'oidc-auth' secret be created. For a detailed
|
|
# explanation of these attributes please see our documentation:
|
|
# https://docs.gitops.weave.works/docs/configuration/securing-access-to-the-dashboard/#login-via-an-oidc-provider
|
|
oidcSecret:
|
|
create: false
|
|
# clientID:
|
|
# clientSecret:
|
|
# issuerURL:
|
|
# redirectURL:
|
|
# -- If non empty, additional keys can be added to the OIDC secret
|
|
additionalKeys: {}
|
|
# additionalKeys:
|
|
# claimUsername: "email"
|
|
# claimGroups: "groups"
|
|
# customScopes: "openid,offline_access,email,groups"
|
|
serviceAccount:
|
|
# -- Specifies whether a service account should be created
|
|
create: true
|
|
# -- Annotations to add to the service account
|
|
annotations: {}
|
|
# -- The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name: ""
|
|
rbac:
|
|
# -- Specifies whether the clusterRole & binding to the service account should be created
|
|
create: true
|
|
# -- If non-empty, this limits the resources that the service
|
|
# account can impersonate. This applies to both users and groups, e.g.
|
|
# `['user1@corporation.com', 'user2@corporation.com', 'operations']`
|
|
impersonationResourceNames: []
|
|
# -- Limit the type of principal that can be impersonated
|
|
impersonationResources: ["users", "groups"]
|
|
# -- If non-empty, this limits the secrets that can be accessed by
|
|
# the service account to the specified ones, e.g. `['weave-gitops-enterprise-credentials']`
|
|
viewSecretsResourceNames: ["cluster-user-auth", "oidc-auth"]
|
|
# -- If non-empty, these additional rules will be appended to the RBAC role and the cluster role.
|
|
# for example,
|
|
# additionalRules:
|
|
# - apiGroups: ["infra.contrib.fluxcd.io"]
|
|
# resources: ["terraforms"]
|
|
# verbs: [ "get", "list", "patch" ]
|
|
additionalRules: []
|
|
adminUser:
|
|
# -- Whether the local admin user should be created.
|
|
# If you use this make sure you add it to `rbac.impersonationResourceNames`.
|
|
create: false
|
|
# -- Specifies whether the clusterRole & binding to the admin user should be created.
|
|
# Will be created only if `adminUser.create` is enabled. Without this,
|
|
# the adminUser will only be able to see resources in the target namespace.
|
|
createClusterRole: true
|
|
# -- Whether we should create the secret for the local
|
|
# adminUser. Will be created only if `adminUser.create` is
|
|
# enabled. Without this, we'll still set up the roles and
|
|
# permissions, but the secret with username and password has to be
|
|
# provided separately.
|
|
createSecret: true
|
|
# -- Set username for local admin user, this should match the value in the secret `cluster-user-auth`
|
|
# which can be created with `adminUser.createSecret`. Requires `adminUser.create`.
|
|
username: gitops-test-user
|
|
# -- (string) Set the password for local admin user. Requires `adminUser.create` and `adminUser.createSecret`
|
|
# This needs to have been hashed using bcrypt.
|
|
# You can do this via our CLI with `gitops get bcrypt-hash`.
|
|
passwordHash:
|
|
podAnnotations: {}
|
|
podLabels: {}
|
|
# aadpodidbinding: identity
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
runAsUser: 1000
|
|
readOnlyRootFilesystem: true
|
|
service:
|
|
create: true
|
|
type: ClusterIP
|
|
port: 9001
|
|
# nodePort:
|
|
annotations: {}
|
|
ingress:
|
|
enabled: true
|
|
className: ""
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
hosts:
|
|
- host: weave-gitops.michaelthomson.dev
|
|
paths:
|
|
- path: /
|
|
pathType: ImplementationSpecific
|
|
tls:
|
|
- secretName: letsencrypt-wildcard-cert-michaelthomson.dev
|
|
hosts:
|
|
- weave-gitops.michaelthomson.dev
|
|
extraVolumes: []
|
|
extraVolumeMounts: []
|
|
# Example using extraVolumes and extraVolumeMounts to load 'oidc-auth' secret
|
|
# with a secrets store CSI driver. Specify the secretName 'oidc-auth' in the
|
|
# secretProviderClass so this will be created by the secrets store CSI driver.
|
|
# See https://secrets-store-csi-driver.sigs.k8s.io/topics/sync-as-kubernetes-secret.html
|
|
# extraVolumeMounts:
|
|
# - name: ww-gitops-oauth-volume
|
|
# mountPath: /mnt/secrets
|
|
# readOnly: true
|
|
# extraVolumes:
|
|
# - name: ww-gitops-oauth-volume
|
|
# csi:
|
|
# driver: secrets-store.csi.k8s.io
|
|
# readOnly: true
|
|
# volumeAttributes:
|
|
# secretProviderClass: ww-gitops-oauth-provider
|
|
resources: {}
|
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
|
# choice for the user. This also increases chances charts run on environments with little
|
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
|
# limits:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
# requests:
|
|
# cpu: 100m
|
|
# memory: 128Mi
|
|
|
|
networkPolicy:
|
|
# -- Specifies whether default network policies should be created.
|
|
create: true
|
|
nodeSelector: {}
|
|
tolerations: []
|
|
affinity: {}
|
|
serverTLS:
|
|
# -- Enable TLS termination in gitops itself. If you enable this,
|
|
# you need to create a secret, and specify the secretName. Another
|
|
# option is to create an ingress.
|
|
enable: false
|
|
# -- Specify the tls secret name. This type of secrets have a key called `tls.crt` and `tls.key` containing their corresponding values in base64 format.
|
|
# See
|
|
# https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more details and examples
|
|
secretName: "my-secret-tls"
|
|
# Example of tls secret
|
|
#
|
|
# apiVersion: v1
|
|
# kind: Secret
|
|
# metadata:
|
|
# name: my-secret-tls
|
|
# type: kubernetes.io/tls
|
|
# data:
|
|
# # the data is abbreviated in this example
|
|
# tls.crt: |
|
|
# MIIC2DCCAcCgAwIBAgIBATANBgkqh ...
|
|
# tls.key: |
|
|
# MIIEpgIBAAKCAQEA7yn3bRHQ5FHMQ ...
|
|
#
|
|
# You can also create a tls secre t from files whith this k8s command:
|
|
# kubectl create secret tls my-tls-secret \
|
|
# --cert=path/to/cert/file \
|
|
# --key=path/to/key/file
|
|
metrics:
|
|
# -- Start the metrics exporter
|
|
enabled: false
|
|
service:
|
|
# -- Port to start the metrics exporter on
|
|
port: 2112
|
|
# -- Annotations to set on the service
|
|
annotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/path: "/metrics"
|
|
prometheus.io/port: "{{ .Values.metrics.service.port }}"
|