-
Notifications
You must be signed in to change notification settings - Fork 77
/
Copy pathvalues.yaml
415 lines (378 loc) · 13 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
# Default values for step-certificates.
# kind is the type of object to use when deploying the CA.
# Changing the deployment type is experimental.
kind: StatefulSet
# replicaCount is the number of replicas of step-certificates.
# Only one replica is supported at this time.
replicaCount: 1
# nameOverride overrides the name of the chart.
nameOverride: ""
# fullnameOverride overrides the full name of the chart.
fullnameOverride: ""
# image contains the docker image for step-certificates.
image:
repository: cr.smallstep.com/smallstep/step-ca
initContainerRepository: busybox:latest
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
# commands allows to override the default command.
command: []
# args allows to override the default arguments.
args: []
# workingDir specifies the ca container working directory
workingDir: "/home/step"
# Use existing secrets instead of 'bootstrap' init-container or 'inject'-element from helm chart
# Note, the MutatingWebhookConfiguration created by autocert is not patched with CA bundle as the bootstrap init-container is not run
existingSecrets:
enabled: false
ca: false
issuer: false
certsAsSecret: false
configAsSecret: false
sshHostCa: false
sshUserCa: false
sshTemplates: false
# bootstrap contains the docker image for bootstrapping the configurations.
#
# It's also possible to disable the creation of secrets and configmaps.
bootstrap:
image:
repository: cr.smallstep.com/smallstep/step-ca-bootstrap
tag: latest
pullPolicy: IfNotPresent
# enabled defines if the bootstrap job is created.
enabled: true
# configmaps defines if the configmaps are created.
configmaps: true
# secrets defines if the secrets are created.
secrets: true
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
runAsUser: 1000
capabilities:
drop: ["ALL"]
runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
# Extra labels
podExtraLabels: {}
# inject contains values to be injected into config maps and secrets
inject:
enabled: false
config:
files:
ca.json:
root: /home/step/certs/root_ca.crt
federateRoots: []
crt: /home/step/certs/intermediate_ca.crt
key: /home/step/secrets/intermediate_ca_key
address: 0.0.0.0:9000
dnsNames:
- ca.example.com
- mysteprelease-step-certificates.default.svc.cluster.local
- 127.0.0.1
logger:
format: json
db:
type: badger
dataSource: /home/step/db
authority:
claims:
minTLSCertDuration: 5m
maxTLSCertDuration: 24h
defaultTLSCertDuration: 24h
disableRenewal: false
minHostSSHCertDuration: 5m
maxHostSSHCertDuration: 1680h
defaultHostSSHCertDuration: 720h
minUserSSHCertDuration: 5m
maxUserSSHCertDuration: 24h
defaultUserSSHCertDuration: 24h
provisioners:
- type: ACME
name: acme
forceCN: true
claims: {}
tls:
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
minVersion: 1.2
maxVersion: 1.3
renegotiation: false
defaults.json:
ca-url: https://mysteprelease-step-certificates.default.svc.cluster.local
ca-config: /home/step/config/ca.json
fingerprint: fingerprint
root: /home/step/certs/root_ca.crt
templates:
x509_leaf.tpl: |
{
"subject": {{ toJson .Subject }},
"sans": {{ toJson .SANs }},
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}
ssh.tpl: |
{
"type": {{ toJson .Type }},
"keyId": {{ toJson .KeyID }},
"principals": {{ toJson .Principals }},
"extensions": {{ toJson .Extensions }},
"criticalOptions": {{ toJson .CriticalOptions }}
}
certificates:
# certificate_issuer contains the text of the Certificate Issuer certificate in PEM format.
# when set to "", certificate issuer crt is not injected, this is the default for the JWK provisioner.
# Provide a value if using the X5C provisioner.
certificate_issuer: ""
# certificate_issuer: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# intermediate_ca contains the text of the intermediate CA Certificate
intermediate_ca: ""
# intermediate_ca: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# root_ca contains the text of the root CA Certificate
root_ca: ""
# root_ca: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# ssh_host_ca contains the text of the public ssh key for the SSH root CA
ssh_host_ca: ""
# ssh_host_ca: "ecdsa-sha2-nistp384 public-key-here=="
# ssh_user_ca contains the text of the public ssh key for the SSH root CA
ssh_user_ca: ""
# ssh_user_ca: "ecdsa-sha2-nistp384 public-key-here=="
secrets:
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
# This value must be base64 encoded.
ca_password: ""
provisioner_password: ""
certificate_issuer:
# enabled enables injection of certificate issuer certificates and keys when set to true.
enabled: false
key: ""
# key: |
# -----BEGIN ENCRYPTED PRIVATE KEY-----
# ...
# -----END ENCRYPTED PRIVATE KEY-----
# password sets the certificate issuer password that decrypts the encrypted certificate issuer key. Must be base64 encoded.
password: ""
x509:
# enabled enables injection of x509 certificates and keys when set to true.
enabled: true
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
intermediate_ca_key: ""
# intermediate_ca_key: |
# -----BEGIN EC PRIVATE KEY-----
# ...
# -----END EC PRIVATE KEY-----
# root_ca_key contains the contents of your encrypted root CA key
# Note that this value can be omitted without impacting the functionality of step-certificates
# If supplied, this should be encrypted using a unique password that is not used for encrypting
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
root_ca_key: ""
# root_ca_key: |
# -----BEGIN EC PRIVATE KEY-----
# ...
# -----END EC PRIVATE KEY-----
ssh:
# enabled enables injection of ssh certificates and keys when set to true.
enabled: true
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
host_ca_key: ""
# host_ca_key: |
# -----BEGIN OPENSSH PRIVATE KEY-----
# ...
# -----END OPENSSH PRIVATE KEY-----
host_ca_password: ""
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key
user_ca_key: ""
# user_ca_key: |
# -----BEGIN OPENSSH PRIVATE KEY-----
# ...
# -----END OPENSSH PRIVATE KEY-----
user_ca_password: ""
# service contains configuration for the kubernes service.
service:
type: ClusterIP
port: 443
targetPort: 9000
nodePort: ""
annotations: {}
externalIPs: []
# linkedca contains the token to configure step-ca using the linkedca mode.
#
# The linked ca token can be provided using the linkedca.token value or using a
# reference to a secret.
linkedca:
# the linked ca token.
token:
# Reference to a secret name and key.
secretKeyRef:
name:
key:
# ca contains the certificate authority configuration.
ca:
# name is new public key infrastructure (PKI) names.
name: Step Certificates
# address is the HTTP listener address of step-certificates.
address: :9000
# dns is the comma separated dns names to use. Leave it empty to use the format:
# {include "step-certificates.fullname" .}.{ .Release.Namespace}.svc.cluster.local,127.0.0.1
dns:
# url is the http url where step-certificates will listen at. Leave it empty to use the format
# https://{{ include "step-certificates.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
url:
# password is the password used to encrypt the keys. Leave it empty to generate a random one.
password:
# provisioner contains the step-certificates provisioner configuration.
provisioner:
# name is the new provisioner name.
name: admin
# password is the password used to encrypt the provisioner private key.
password:
# db contains the step-certificate database configuration.
db:
# enabled defines if the database is enabled.
enabled: true
# persistent defines if a Persistent Volume Claim is used, if false and emptyDir will be used.
persistent: true
# storeageClass is Persistent Volume Storage Class
# If defined, storageClassName: <storageClass>.
# If set to "-", storageClassName: "", which disables dynamic provisioning.
# If undefined or set to null, no storageClassName spec is set, choosing the
# default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack).
storageClass:
## Persistent Volume existing claim name
## Requires ca.db.persistent: true
## If defined, PVC must be created manually before volume will be bound
# existingClaim: ""
# accessModes defines the Persistent Volume Access Mode.
accessModes:
- ReadWriteOnce
# size is the Persistent Volume size.
size: 10Gi
# Whether to enable ssh support for step-ca
ssh:
enabled: false
# kms type to utilize
kms:
type: ""
# additional environment variables to set in the step-certificates container
env: []
bootstrap:
# Add script snippets here to be executed after the step ca init has been run
postInitHook: ""
# Use existing secret for ca-password
existingSecrets:
enabled: false
init:
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1000
capabilities:
drop: ["ALL"]
runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1000
# runAsRoot: 0 runs the ca as root instead of the step user. This is required in
# some storage provisioners.
# runAsUser: 0
capabilities:
drop: ["ALL"]
add: ["NET_BIND_SERVICE"]
runAsNonRoot: true
# seccompProfile:
# type: RuntimeDefault
# autocert is used to configure the autocert chart that depends on step-certificates.
autocert:
enabled: false
# ingress contains the configuration for an ingress controller.
ingress:
enabled: false
annotations: {}
ingressClassName: ""
hosts: []
tls: []
# resources contains the CPU/memory resource requests/limits.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# Configure extra volumes and volume mounts as YAML expressions.
# And example that will mount an extra volume would be:
# extraVolumes:
# - name: custom-ca
# configMap:
# name: custom-ca-certs
# extraVolumeMounts:
# - name: custom-ca
# mountPath: /etc/ssl/certs/custom-ca.pem
extraVolumes: []
extraVolumeMounts: []
## extraInitContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
##
extraInitContainers: []
## extraContainers:
## - name: do-something
## image: busybox
## command: ['do', 'something']
##
extraContainers: []
## Configure additional entries for /etc/hosts.
## hostAliases:
## - ip: 10.0.0.1
## hostnames:
## - host.domain.com
hostAliases: []
# shareProcessNamespace share a single process namespace between all of the
# containers in a pod.
shareProcessNamespace: false
# nodeSelector contains the node labels for pod assignment.
nodeSelector: {}
# tolerations contains the toleration labels for pod assignment.
tolerations: []
# affinity contains the affinity settings for pod assignment.
affinity: {}
# create or use a service account for running the ca. Useful for oidc access to kms for example
serviceaccount:
create: false
name: ""
labels: {}
annotations: {}
# default SecurityContext for pods, can be altered for containers via containerSecurityContext
podSecurityContext:
runAsUser: 1000
runAsNonRoot: true
runAsGroup: 1000
fsGroup: 1000
# seccompProfile:
# type: RuntimeDefault