mirror of
https://github.com/vmware-tanzu/pinniped.git
synced 2026-01-04 20:24:26 +00:00
243 lines
13 KiB
YAML
243 lines
13 KiB
YAML
#! Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
|
|
#! SPDX-License-Identifier: Apache-2.0
|
|
|
|
#@ def validate_strings_map(obj):
|
|
#@ # Returns True if obj is an associative data structure string→string, and False otherwise.
|
|
#@ for key in obj:
|
|
#@ if type(key) != "string" or type(obj[key]) != "string":
|
|
#@ return False
|
|
#@ end
|
|
#@ end
|
|
#@ return True
|
|
#@ end
|
|
|
|
#@data/values-schema
|
|
---
|
|
#@schema/title "App name"
|
|
#@schema/desc "Used to help determine the names of various resources and labels."
|
|
#@schema/validation min_len=1
|
|
app_name: pinniped-supervisor
|
|
|
|
#@schema/title "Namespace"
|
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
|
#@schema/validation min_len=1
|
|
namespace: pinniped-supervisor
|
|
|
|
#@schema/title "Into namespace"
|
|
#@ into_namespace_desc = "If specified, assumes that a namespace of the given name already exists and installs the app into that namespace. \
|
|
#@ If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used."
|
|
#@schema/desc into_namespace_desc
|
|
#@schema/examples ("The name of an existing namespace", "my-preexisting-namespace")
|
|
#@schema/nullable
|
|
#@schema/validation min_len=1
|
|
into_namespace: ""
|
|
|
|
#@schema/title "Custom labels"
|
|
#@ custom_labels_desc = "All resources created statically by yaml at install-time and all resources created dynamically \
|
|
#@ by controllers at runtime will be labelled with `app: $app_name` and also with the labels specified here. The value of \
|
|
#@ `custom_labels` must be a map of string keys to string values. The app can be uninstalled either by: 1.) deleting the \
|
|
#@ static install-time yaml resources including the static namespace, which will cascade and also delete \
|
|
#@ resources that were dynamically created by controllers at runtime, or 2.) deleting all resources by label, which does \
|
|
#@ not assume that there was a static install-time yaml namespace."
|
|
#@schema/desc custom_labels_desc
|
|
#@schema/examples ("Example set of labels", {"myCustomLabelName": "myCustomLabelValue", "otherCustomLabelName": "otherCustomLabelValue"})
|
|
#@schema/type any=True
|
|
#@schema/validation ("a map of keys and values", validate_strings_map)
|
|
custom_labels: { }
|
|
|
|
#@schema/title "Replicas"
|
|
#@schema/desc "Specify how many replicas of the Pinniped server to run."
|
|
replicas: 2
|
|
|
|
#@schema/title "Image repo"
|
|
#@schema/desc "The repository for the Supervisor container image."
|
|
#@schema/validation min_len=1
|
|
image_repo: ghcr.io/vmware/pinniped/pinniped-server
|
|
|
|
#@schema/title "Image digest"
|
|
#@schema/desc "The image digest for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
|
|
#@schema/examples ("Digest", "sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8")
|
|
#@schema/nullable
|
|
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_tag"] == None
|
|
image_digest: ""
|
|
|
|
#@schema/title "Image tag"
|
|
#@schema/desc "The image tag for the Supervisor container image. If both image_digest or an image_tag are given, only image_digest will be used."
|
|
#@schema/examples ("Tag", "v0.25.0")
|
|
#@schema/validation min_len=1, when=lambda _, ctx: ctx.parent["image_digest"] == None
|
|
image_tag: latest
|
|
|
|
#@schema/title "Image pull dockerconfigjson"
|
|
#@ image_pull_dockerconfigjson_desc = "A base64 encoded secret to be used when pulling the `image_repo` container image. \
|
|
#@ Can be used when the image_repo is a private registry. Typically, the value would be the output of: \
|
|
#@ kubectl create secret docker-registry x --docker-server=https://example.io --docker-username='USERNAME' --docker-password='PASSWORD' --dry-run=client -o json | jq -r '.data[\".dockerconfigjson\"]'"
|
|
#@schema/desc image_pull_dockerconfigjson_desc
|
|
#@ example_desc = 'base64 encoding of: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}'
|
|
#@ example_value = "eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUuaW8iOnsidXNlcm5hbWUiOiJVU0VSTkFNRSIsInBhc3N3b3JkIjoiUEFTU1dPUkQiLCJhdXRoIjoiVlZORlVrNUJUVVU2VUVGVFUxZFBVa1E9In19fQ=="
|
|
#@schema/examples (example_desc, example_value)
|
|
#@schema/nullable
|
|
#@schema/validation min_len=1
|
|
image_pull_dockerconfigjson: ""
|
|
|
|
#@schema/title "Service https nodeport port"
|
|
#@schema/desc "When specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`"
|
|
#@schema/examples ("Specify port",31243)
|
|
#@schema/nullable
|
|
service_https_nodeport_port: 0
|
|
|
|
#@schema/title "Service https nodeport nodeport"
|
|
#@schema/desc "The `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified"
|
|
#@schema/examples ("Specify port",31243)
|
|
#@schema/nullable
|
|
service_https_nodeport_nodeport: 0
|
|
|
|
#@schema/title "Service https loadbalancer port"
|
|
#@schema/desc "When specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`"
|
|
#@schema/examples ("Specify port",8443)
|
|
#@schema/nullable
|
|
service_https_loadbalancer_port: 0
|
|
|
|
#@schema/title "Service https clusterip port"
|
|
#@schema/desc "When specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`"
|
|
#@schema/examples ("Specify port",8443)
|
|
#@schema/nullable
|
|
service_https_clusterip_port: 0
|
|
|
|
#@schema/title "Service loadbalancer ip"
|
|
#@schema/desc "The `loadBalancerIP` value of the LoadBalancer Service. Ignored unless service_https_loadbalancer_port is provided."
|
|
#@schema/examples ("Example IP address","1.2.3.4")
|
|
#@schema/nullable
|
|
service_loadbalancer_ip: ""
|
|
|
|
#@schema/title "Log level"
|
|
#@ log_level_desc = "Specify the verbosity of logging: info (\"nice to know\" information), debug (developer information), trace (timing information), \
|
|
#@ or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged. \
|
|
#@ When this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs."
|
|
#@schema/desc log_level_desc
|
|
#@schema/examples ("Developer logging information","debug")
|
|
#@schema/nullable
|
|
#@schema/validation one_of=["info", "debug", "trace", "all"]
|
|
log_level: ""
|
|
|
|
#@schema/title "Run as user"
|
|
#@schema/desc "The user ID that will own the process."
|
|
#! See the Dockerfile for the reasoning behind this default value.
|
|
run_as_user: 65532
|
|
|
|
#@schema/title "Run as group"
|
|
#@schema/desc "The group ID that will own the process."
|
|
#! See the Dockerfile for the reasoning behind this default value.
|
|
run_as_group: 65532
|
|
|
|
#@schema/title "API group suffix"
|
|
#@ api_group_suffix_desc = "Specify the API group suffix for all Pinniped API groups. By default, this is set to \
|
|
#@ pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, \
|
|
#@ config.supervisor.pinniped.dev, etc. As an example, if this is set to tuna.io, then \
|
|
#@ Pinniped API groups will look like foo.tuna.io. config.supervisor.tuna.io, etc."
|
|
#@schema/desc api_group_suffix_desc
|
|
#@schema/validation min_len=1
|
|
api_group_suffix: pinniped.dev
|
|
|
|
#@schema/title "HTTPS proxy"
|
|
#@ https_proxy_desc = "Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers. \
|
|
#@ These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS, \
|
|
#@ e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider. \
|
|
#@ The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY."
|
|
#@schema/desc https_proxy_desc
|
|
#@schema/examples ("Providing a proxy endpoint","http://proxy.example.com")
|
|
#@schema/nullable
|
|
#@schema/validation min_len=1
|
|
https_proxy: ""
|
|
|
|
#@schema/title "No proxy"
|
|
#@ no_proxy_desc = "Endpoints that should not be proxied. Defaults to not proxying internal Kubernetes endpoints, \
|
|
#@ localhost endpoints, and the known instance metadata IP address for public cloud providers."
|
|
#@schema/desc no_proxy_desc
|
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local"
|
|
|
|
#@schema/title "Endpoints"
|
|
#@ endpoints_desc = "Control the HTTP and HTTPS listeners of the Supervisor. The current defaults are: \
|
|
#@ {\"https\":{\"network\":\"tcp\",\"address\":\":8443\"},\"http\":\"disabled\"}. \
|
|
#@ These defaults mean: 1.) for HTTPS listening, bind to all interfaces using TCP on port 8443 and \
|
|
#@ 2.) disable HTTP listening by default. \
|
|
#@ The schema of this config is as follows: \
|
|
#@ {\"https\":{\"network\":\"tcp | unix | disabled\",\"address\":\"host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix\"},\"http\":{\"network\":\"tcp | unix | disabled\",\"address\":\"same as https, except that when network=tcp then the address is only allowed to bind to loopback interfaces\"}} \
|
|
#@ The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept \
|
|
#@ traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be \
|
|
#@ used to accept traffic from outside the pod, since that would mean that the network traffic could be \
|
|
#@ transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod. \
|
|
#@ Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic \
|
|
#@ to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes. \
|
|
#@ Changing the HTTPS port number must be accompanied by matching changes to the service and deployment \
|
|
#@ manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks."
|
|
#@schema/desc endpoints_desc
|
|
#@schema/examples ("Example matching default settings", '{"https":{"network":"tcp","address":":8443"},"http":"disabled"}')
|
|
#@schema/type any=True
|
|
#@ def validate_endpoint(endpoint):
|
|
#@ if(type(endpoint) not in ["yamlfragment", "string"]):
|
|
#@ return False
|
|
#@ end
|
|
#@ if(type(endpoint) in ["string"]):
|
|
#@ if (endpoint != "disabled"):
|
|
#@ return False
|
|
#@ end
|
|
#@ end
|
|
#@ if(type(endpoint) in ["yamlfragment"]):
|
|
#@ if (endpoint["network"] not in ["tcp", "unix", "disabled"]):
|
|
#@ return False
|
|
#@ end
|
|
#@ if (type(endpoint["address"]) not in ["string"]):
|
|
#@ return False
|
|
#@ end
|
|
#@ end
|
|
#@ return True
|
|
#@ end
|
|
#@ def validate_endpoints(endpoints):
|
|
#@ """
|
|
#@ Returns True if endpoints fulfill the expected structure
|
|
#@ """
|
|
#@ http_val = endpoints["http"]
|
|
#@ https_val = endpoints["https"]
|
|
#@ return validate_endpoint(http_val) and validate_endpoint(https_val)
|
|
#@ end
|
|
#@schema/nullable
|
|
#@schema/validation ("a map with keys 'http' and 'https', whose values are either the string 'disabled' or a map having keys 'network' and 'address', and the value of 'network' must be one of the allowed values", validate_endpoints)
|
|
endpoints: { }
|
|
|
|
#@schema/title "Allowed Ciphers for TLS 1.2"
|
|
#@ allowed_ciphers_for_tls_onedottwo_desc = "When specified, only the ciphers listed will be used for TLS 1.2. \
|
|
#@ This includes both server-side and client-side TLS connections. \
|
|
#@ This list must only include cipher suites that Pinniped is configured to accept \
|
|
#@ (see internal/crypto/ptls/profiles.go and internal/crypto/ptls/profiles_fips_strict.go). \
|
|
#@ Allowing too few ciphers may cause critical parts of Pinniped to be unable to function. For example, \
|
|
#@ Kubernetes pod readiness checks, Pinniped pods acting as a client to the Kubernetes API server, \
|
|
#@ Pinniped pods acting as a client to external identity providers, or Pinniped pods acting as an APIService server \
|
|
#@ all need to be able to function with the allowed TLS cipher suites. \
|
|
#@ An empty array means accept Pinniped's defaults."
|
|
#@schema/desc allowed_ciphers_for_tls_onedottwo_desc
|
|
#@schema/examples ("Example with a few secure ciphers", ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"])
|
|
#! No type, default, or validation is required here.
|
|
#! An empty array is perfectly valid, as is any array of strings.
|
|
allowed_ciphers_for_tls_onedottwo:
|
|
- ""
|
|
|
|
#@schema/title "Audit logging configuration"
|
|
#@schema/desc "Customize the content of audit log events."
|
|
audit:
|
|
|
|
#@schema/title "Log usernames and groups"
|
|
#@ log_usernames_and_groups_desc = "Enables or disables printing usernames and group names in audit logs. Options are 'enabled' or 'disabled'. \
|
|
#@ If enabled, usernames are group names may be printed in audit log events. \
|
|
#@ If disabled, usernames and group names will be redacted from audit logs because they might contain personally identifiable information."
|
|
#@schema/desc log_usernames_and_groups_desc
|
|
#@schema/validation one_of=["enabled", "disabled"]
|
|
log_usernames_and_groups: disabled
|
|
|
|
#@schema/title "Log HTTPS requests for internal paths"
|
|
#@ log_internal_paths = "Enables or disables request logging for internal paths in audit logs. Options are 'enabled' or 'disabled'. \
|
|
#@ If enabled, requests to certain paths that are typically only used internal to the cluster (e.g. /healthz) will be enabled, which can be very verbose. \
|
|
#@ If disabled, requests to those paths will not be audit logged."
|
|
#@schema/desc log_internal_paths
|
|
#@schema/validation one_of=["enabled", "disabled"]
|
|
log_internal_paths: disabled
|