This repository has been archived by the owner on May 15, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathvalues.yaml
77 lines (59 loc) · 3.39 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Copyright 2019 The Forseti Security Authors. All rights reserved.
#
# Licensed under the Apache License, Versisn 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# image is the container image used by the config-validator
image: gcr.io/forseti-containers/config-validator
# imageTag is the tag for the config-validator image.
imageTag: 572e207
# loadBalancer is the type of load balancer to deploy for the config-validator
# if desired: none, external, internal
loadBalancer: none
networkPolicy:
# networkPolicy.enable enables pod network policy to limit the connectivty to the config-validator.
enabled: false
# networkPolicyIngressCidr is a list of CIDR's from which to allow
# communication to the config-validator. This is only relevant for client connectivity
# from outside the Kubernetes cluster.
ingressCidr: []
# nodeSelectors is a list of strings in the form of label=value describing
# on which nodes to run the Forseti on-GKE pods.
nodeSelectors: []
policyLibrary:
# bucket is the GCS storage bucket containing the policy-library. This overrides policyLibrary.respositoryURL. Omit the gs://.
bucket: ""
# policyLibrary.bucketFolder is the folder inside the policyLibrary.bucket containing all the policy-library lib and policies folders.
bucketFolder: "policy-library"
# policyLibrary.repositoryURL is a Git repository pointing to a policy-library.
# GCP Cloud Source format: https://cloud.google.com/source-repositories/docs/authentication#manually-generated-credentials
repositoryURL: ""
# policyLibrary.repositoryBranch is the specific git branch containing the policies.
repositoryBranch: "master"
gitSync:
# policyLibrary.gitSync.enabled determines if the Git repository will be polled periodically for changes.
enabled: false
# policyLibrary.gitSync.image is the container image used by the config-validator git-sync side-car
image: gcr.io/google-containers/git-sync
# policyLibrary.gitSync.imageTag is the container image tag used by the config-validator git-sync side-car
imageTag: v3.1.2
# policyLibrary.gitSync.kubeProxyImage is the container image used by the config-validator's kube-proxy sidecar to periodically delete the git-sync pod
kubeProxyImage: docker.io/bitnami/kubectl
# policyLibrary.gitSync.kubeProxyImageTag is the container image tag used by the config-validator's kube-proxy sidecar to periodically delete the git-sync pod
kubeProxyImageTag: "1.15"
# policyLibrary.gitSync.privateSSHKey is the private OpenSSH key generated to allow the git-sync to clone the policy library repository over SSH.
# Omitting this value will sync the policy-library over HTTPS.
privateSSHKey: ""
# policyLibrary.gitSync.wait the time number of seconds between git-syncs
wait: 30
# workloadIdentity is a GCP IAM Service account with the storage.objects.list (e.g. roles/storage.objectViewer)
# Setting this assumes that workloadIdentity is configured for the GKE cluster.
workloadIdentity: ""