pinniped/deploy/concierge/values.yaml

#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ def validate_strings_map(obj):
#@   # Returns True if obj is an associative data structure string→string, and False otherwise.
#@   for key in obj:
#@     if type(key) != "string" or type(obj[key]) != "string":
#@       return False
#@     end
#@   end
#@   return True
#@ end

#@data/values-schema
---
#@schema/title "App name"
#@schema/desc "Used to help determine the names of various resources and labels."
#@schema/validation min_len=1
app_name: pinniped-concierge

#@schema/title "Namespace"
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
#@schema/validation min_len=1
namespace: pinniped-concierge

#@schema/title "Into namespace"
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
#@schema/desc into_namespace_desc
#@schema/examples ("The name of an existing namespace", "my-preexisting-namespace")
#@schema/nullable
#@schema/validation min_len=1
into_namespace: ""

#@schema/title "Custom labels"
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of \
#@ `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1.) deleting the \
#@ static install-time yaml resources including the static namespace, which will cascade and also delete \
#@ resources that were dynamically created by controllers at runtime, or 2.) deleting all resources by label, which does \
#@ not assume that there was a static install-time yaml namespace."
#@schema/desc custom_labels_desc
#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
#@schema/type any=True
#@schema/validation ("a map of string keys and string values", validate_strings_map)
custom_labels: { }

#@schema/title "Replicas"
#@schema/desc "Specify how many replicas of the Pinniped server to run."
replicas: 2

#@schema/title "Image repo"
#@schema/desc "The repository for the Concierge container image."
#@schema/validation min_len=1
image_repo: ghcr.io/vmware/pinniped/pinniped-server

#@schema/title "Image digest"
#@schema/desc "The image digest for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Providing a digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
#@schema/nullable
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
image_digest: ""

#@schema/title "Image tag"
#@schema/desc "The image tag for the Concierge container image. If both image_digest or an image_tag are given, only image_digest will be used."
#@schema/examples ("Providing a tag", "v0.25.0")
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
image_tag: latest

#@schema/title "Kube Cert Agent image"
#@ kube_cert_agent_image_desc = "Optionally specify a different image for the 'kube-cert-agent' pod which is scheduled \
#@ on the control plane. This image needs only to include `sleep` and `cat` binaries. \
#@ By default, the same image specified for image_repo/image_digest/image_tag will be re-used."
#@schema/desc kube_cert_agent_image_desc
#@schema/examples ("Image including tag or digest", "ghcr.io/vmware/pinniped/pinniped-server:latest")
#@schema/nullable
#@schema/validation min_len=1
kube_cert_agent_image: ""

#@schema/title "Kube Cert Agent Priority Class Name"
#@ kube_cert_agent_priority_class_name_desc = "Optionally specify a PriorityClassName for the 'kube-cert-agent' pod. \
#@ See https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ for more details. \
#@ By default, this is the empty string."
#@schema/desc kube_cert_agent_priority_class_name_desc
#@schema/examples ("name of a PriorityClass object", "high-priority")
#@schema/validation min_len=0
kube_cert_agent_priority_class_name: ""

#@schema/title "Image pull dockerconfigjson"
#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
#@ kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]'"
#@schema/desc image_pull_dockerconfigjson_desc
#@ example_desc = 'base64 encoding of: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}'
#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
#@schema/examples (example_desc, example_value)
#@schema/nullable
#@schema/validation min_len=1
image_pull_dockerconfigjson: ""

#@schema/title "Discovery URL"
#@schema/desc "Pinniped will try to guess the right K8s API URL for sharing that information with potential clients. This setting allows the guess to be overridden."
#@schema/examples ("Kubernetes API URL","https://example.com")
#@schema/nullable
#@schema/validation min_len=1
discovery_url: ""

#@schema/title "API serving certificate duration seconds"
#@ api_serving_certificate_duration_seconds_desc = "Specify the duration for the API serving certificate. \
#@ The default is set to expire the cert about every 30 days. \
#@ Specify this as an integer or as a string which contains an integer value."
#@schema/desc api_serving_certificate_duration_seconds_desc
#@schema/type any=True
#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
api_serving_certificate_duration_seconds: 2592000

#@schema/title "API serving certificate renew before seconds"
#@ api_serving_certificate_renew_before_seconds_desc = "Specify the renewal interval for the API serving certificate. \
#@ The default is set to rotate it about every 25 days. \
#@ Specify this as an integer or as a string which contains an integer value."
#@schema/desc api_serving_certificate_renew_before_seconds_desc
#@schema/type any=True
#@schema/validation ("an int or string which contains an integer value", lambda v: type(v) in ["int", "string"])
api_serving_certificate_renew_before_seconds: 2160000

#@schema/title "Log level"
#@ log_level_desc = "Specify the verbosity of logging: info (\"nice to know\" information), debug (developer information), trace (timing information), \
#@ or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged. \
#@ When this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
#@schema/desc log_level_desc
#@schema/examples ("Developer logging information","debug")
#@schema/nullable
#@schema/validation one_of=["info", "debug", "trace", "all"]
log_level: ""

#@schema/title "Run as user"
#@schema/desc "The user ID that will own the process."
#! See the Dockerfile for the reasoning behind this default value.
run_as_user: 65532

#@schema/title "Run as group"
#@schema/desc "The group ID that will own the process."
#! See the Dockerfile for the reasoning behind this default value.
run_as_group: 65532

#@schema/title "API group suffix"
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
#@ authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
#@ Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc."
#@schema/desc api_group_suffix_desc
#@schema/validation min_len=1
api_group_suffix: pinniped.dev

#@schema/title "Impersonation proxy spec"
#@schema/desc "Customize CredentialIssuer.spec.impersonationProxy to change how the concierge handles impersonation."
impersonation_proxy_spec:

  #@schema/title "Mode"
  #@ impersonation_mode_desc = "Enables or disables the impersonation proxy. Options are 'auto', 'disabled' or 'enabled'. \
  #@ If auto, the impersonation proxy will run only if the cluster signing key is \
  #@ not available and the other strategy does not work. \
  #@ If enabled, the impersonation proxy will always run regardless of other strategies available. \
  #@ If disabled, the impersonation proxy will never run, which could mean \
  #@ that the concierge doesn't work at all."
  #@schema/desc impersonation_mode_desc
  #@schema/validation one_of=["auto", "disabled", "enabled"]
  mode: auto

  #@schema/title "External endpoint"
  #@ external_endpoint_desc = "The endpoint which the client should use to connect to the impersonation proxy. \
  #@ If left unset, the client will default to connecting based on the ClusterIP or LoadBalancer endpoint."
  #@schema/desc external_endpoint_desc
  #@schema/examples ("Specified impersonation proxy endpoint", "https://1.2.3.4:5678")
  #@schema/nullable
  #@schema/validation min_len=1
  external_endpoint: ""

  #@schema/title "Service"
  #@schema/desc "The impersonation proxy service configuration"
  service:

    #@schema/title "Type"
    #@ impersonation_service_type_desc = "Service backing the impersonation proxy. Options are 'LoadBalancer', 'ClusterIP' \
    #@ and 'None'. LoadBalancer automatically provisions a Service of type LoadBalancer pointing at the impersonation \
    #@ proxy. Some cloud providers will allocate a public IP address by default even on private clusters. ClusterIP \
    #@ automatically provisions a Service of type ClusterIP pointing at the impersonation proxy. None does not provision \
    #@ either and assumes that you have set the external_endpoint and set up your own ingress to connect to the impersonation proxy."
    #@schema/desc impersonation_service_type_desc
    #@schema/validation one_of=["LoadBalancer", "ClusterIP", "None"]
    type: LoadBalancer

    #@schema/title "Annotations"
    #@ annotations_desc = "The annotations that should be set on the ClusterIP or LoadBalancer Service. The default includes \
    #@ a value for the AWS-specific service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout annotation, which will \
    #@ be ignored except when using AWS to provide load balancer Services."
    #@schema/desc annotations_desc
    #@schema/nullable
    #@schema/type any=True
    #@schema/validation ("a map of string keys and string values", validate_strings_map)
    annotations:

    #@schema/title "Load balancer IP"
    #@schema/desc "When mode LoadBalancer is set, this will set the LoadBalancer Service's spec.loadBalancerIP."
    #@schema/examples ("Specifying an IP", "1.2.3.4")
    #@schema/nullable
    #@schema/validation min_len=1
    load_balancer_ip: ""

#@schema/title "HTTPS proxy"
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Concierge containers. \
#@ These will be used when the Concierge makes backend-to-backend calls to authenticators using HTTPS, \
#@ e.g. when the Concierge fetches discovery documents and JWKS keys for JWTAuthenticators and POSTs to webhooks for WebhookAuthenticators. \
#@ The Concierge never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
#@schema/desc https_proxy_desc
#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
#@schema/nullable
#@schema/validation min_len=1
https_proxy: ""

#@schema/title "No proxy"
#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
#@schema/desc no_proxy_desc
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"

#@schema/title "Allowed Ciphers for TLS 1.2"
#@ allowed_ciphers_for_tls_onedottwo_desc = "When specified, only the ciphers listed will be used for TLS 1.2. \
#@ This includes both server-side and client-side TLS connections. \
#@ This list must only include cipher suites that Pinniped is configured to accept \
#@ (see internal/crypto/ptls/profiles.go and internal/crypto/ptls/profiles_fips_strict.go). \
#@ Allowing too few ciphers may cause critical parts of Pinniped to be unable to function. For example, \
#@ Kubernetes pod readiness checks, Pinniped pods acting as a client to the Kubernetes API server, \
#@ Pinniped pods acting as a client to external identity providers, or Pinniped pods acting as an APIService server \
#@ all need to be able to function with the allowed TLS cipher suites. \
#@ An empty array means accept Pinniped's defaults."
#@schema/desc allowed_ciphers_for_tls_onedottwo_desc
#@schema/examples ("Example with a few secure ciphers", ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"])
#! No type, default, or validation is required here.
#! An empty array is perfectly valid, as is any array of strings.
allowed_ciphers_for_tls_onedottwo:
- ""

#@schema/title "Audit logging configuration"
#@schema/desc "Customize the content of audit log events."
audit:

  #@schema/title "Log usernames and groups"
  #@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
  #@ If enabled, usernames are group names may be printed in audit log events. \
  #@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
  #@schema/desc log_usernames_and_groups_desc
  #@schema/validation one_of=["enabled", "disabled"]
  log_usernames_and_groups: disabled