openstack/openstack-helm-infra
Code Issues Proposed changes
62b10c7d49
openstack-helm-infra/ingress/values.yaml
KHIYANI, RAHUL (rk0850) 24a0dcdee4 Ingress: Configure ingress dhparam secret 
Configuring dhparam secret to generate 2048 DH group for
nginx openstack ingress

Change-Id: I8d8add9d518cbf928f58bfcac71e2b6c74075060
2020-09-15 14:16:50 -05:00

327 lines
8.4 KiB
YAML
Raw Blame History

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for ingress.
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
---
deployment:
mode: namespace
type: Deployment
cluster:
class: "nginx-cluster"
images:
tags:
entrypoint: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
ingress: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.32.0
ingress_module_init: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
ingress_routed_vip: docker.io/openstackhelm/neutron:stein-ubuntu_bionic
error_pages: gcr.io/google_containers/defaultbackend:1.4
keepalived: docker.io/osixia/keepalived:1.4.5
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
image_repo_sync: docker.io/docker:17.07.0
pull_policy: "IfNotPresent"
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
pod:
security_context:
error_pages:
pod:
runAsUser: 65534
container:
ingress_error_pages:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
server:
pod:
runAsUser: 65534
container:
ingress_vip_kernel_modules:
capabilities:
add:
- SYS_MODULE
readOnlyRootFilesystem: true
runAsUser: 0
ingress_vip_init:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
ingress:
readOnlyRootFilesystem: false
runAsUser: 101
ingress_vip:
capabilities:
add:
- NET_ADMIN
readOnlyRootFilesystem: true
runAsUser: 0
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
dns_policy: "ClusterFirstWithHostNet"
replicas:
ingress: 1
error_page: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
termination_grace_period:
server:
timeout: 60
error_pages:
timeout: 60
resources:
enabled: false
ingress:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
error_pages:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
labels:
server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
error_server:
node_selector_key: openstack-control-plane
node_selector_value: enabled
network:
host_namespace: false
vip:
manage: false
# what type of vip manage machanism will be used
# possible options: routed, keepalived
mode: routed
interface: ingress-vip
addr: 172.18.0.1/32
keepalived_router_id: 100
ingress:
annotations:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class
kubernetes.io/ingress.class: null
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Frame-Options: deny";
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
more_set_headers "Content-Security-Policy: script-src 'self'";
external_policy_local: false
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- ingress-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
error_pages:
jobs: null
ingress:
jobs: null
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
monitoring:
prometheus:
enabled: true
ingress_exporter:
scrape: true
port: 10254
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
ingress:
hosts:
default: ingress
error_pages: ingress-error-pages
host_fqdn_override:
default: null
# NOTE: The values under .endpoints.ingress.host_fqdn_override.public.tls
# will be used for the default SSL certificate.
# See also the .conf.default_ssl_certificate options below.
public:
tls:
crt: ""
key: ""
port:
http:
default: 80
https:
default: 443
healthz:
default: 10254
status:
default: 10246
stream:
default: 10247
profiler:
default: 10245
server:
default: 8181
ingress_exporter:
namespace: null
hosts:
default: ingress-exporter
host_fqdn_override:
default: null
path:
default: null
scheme:
default: 'http'
port:
metrics:
default: 10254
kube_dns:
namespace: kube-system
name: kubernetes-dns
hosts:
default: kube-dns
host_fqdn_override:
default: null
path:
default: null
scheme: http
port:
dns_tcp:
default: 53
dns:
default: 53
protocol: UDP
network_policy:
ingress:
ingress:
- {}
egress:
- {}
secrets:
tls:
ingress:
api:
# .secrets.tls.ingress.api.public="name of the TLS secret to create for the default cert"
# NOTE: The contents of the secret are from .endpoints.ingress.host_fqdn_override.public.tls
public: default-tls-public
dhparam:
secret_dhparam: |
conf:
controller:
# NOTE(portdirect): if left blank this is populated from
# .deployment.cluster.class in cluster mode, or set to
# "nginx" in namespace mode
INGRESS_CLASS: null
ingress:
enable-underscores-in-headers: "true"
# NOTE(portdirect): if left blank this is populated from
# .network.vip.addr when running in host networking
# and .network.vip.manage=true, otherwise it is left as
# an empty string (the default).
bind-address: null
enable-vts-status: "true"
server-tokens: "false"
ssl-dh-param: openstack/secret-dhparam
# This block sets the --default-ssl-certificate option
# https://kubernetes.github.io/ingress-nginx/user-guide/tls/#default-ssl-certificate
default_ssl_certificate:
# .conf.default_ssl_certificate.enabled=true: use a default certificate
enabled: false
# If referencing an existing TLS secret with the default cert
# .conf.default_ssl_certificate.name="name of the secret"
# (defaults to value of .secrets.tls.ingress.api.public)
# .conf.default_ssl_certificate.namespace="namespace of the secret"
# (optional, defaults to release namespace)
name: ""
namespace: ""
# NOTE: To create a new secret to hold the default certificate, leave the
# above values empty, and specify:
# .endpoints.ingress.host_fqdn_override.public.tls.crt="PEM cert data"
# .endpoints.ingress.host_fqdn_override.public.tls.key="PEM key data"
# .manifests.secret_ingress_tls=true
services:
tcp: null
udp: null
manifests:
configmap_bin: true
configmap_conf: true
configmap_services_tcp: true
configmap_services_udp: true
deployment_error: true
deployment_ingress: true
endpoints_ingress: true
ingress: true
secret_ingress_tls: false
secret_dhparam: false
service_error: true
service_ingress: true
job_image_repo_sync: true
monitoring:
prometheus:
service_exporter: true
network_policy: false
...
View Git Blame Copy Permalink