# Namespace settings for the Fulcio release.
# NOTE(review): with create: false the chart presumably expects the
# fulcio-system namespace to exist already (or to be created by the
# installer) - confirm against the templates.
namespace:
  create: false
  name: fulcio-system
# Registry pull secrets for the chart's pods; empty list means none are
# configured by default.
imagePullSecrets: []
# Fulcio server configuration rendered by the chart; empty by default.
# NOTE(review): this is presumably where the trusted identity (OIDC) issuers
# are declared - whatever is listed there decides who can obtain signing
# certificates, so review overrides of `contents` as a trust-policy change.
# Confirm the expected schema against the chart templates.
config:
  contents: {}
  format: json
# Settings for the Fulcio server workload: signing-key backend, image,
# command-line arguments, service account, Service ports, ingress and pod
# security context.
server:
  replicaCount: 1
  name: server
  svcPort: 80
  grpcSvcPort: 5554
  # -- KMS type for signing key (possible values: "" / "none", "aws")
  kmsType: none
  # Name of a Kubernetes Secret used by the server.
  # NOTE(review): presumably holds the CA key material used by the fileca
  # backend - confirm, and restrict read access to this Secret accordingly.
  secret: fulcio-server-secret
  # NOTE(review): static IAM credentials stored in a Secret are long-lived;
  # where the cluster supports it, a role bound through
  # serviceAccount.annotations avoids keeping keys in the cluster - confirm
  # the chart supports that path.
  # -- kubernetes secret name containing IAM credentials for use with AWS KMS
  awsKmsCredentialsSecretName: aws-kms-credentials
  # -- AWS region if using AWS KMS for signing key
  awsKmsRegion: us-east-1
  logging:
    production: false
  image:
    registry: gcr.io
    repository: projectsigstore/fulcio
    pullPolicy: IfNotPresent
    # `version` carries an image digest, not a tag, so the reference is
    # immutable. The tag in the comments below is informational only and has
    # to be updated by hand together with the digest.
    # crane digest gcr.io/projectsigstore/fulcio:v1.6.4
    # -- v1.6.4
    version: sha256:4b2a0f0877095aa36898af70edd00568158f89e015f6bb7f02475660d0924f3b
  args:
    # Listener ports; they match the targetPort values of the `http` and
    # `grpc` entries under service.ports and the GCE healthCheck port below.
    port: 5555
    grpcPort: 5554
    # NOTE(review): with fileca the CA signing key is presumably read from
    # files in the pod (see `secret` above), so anyone who can read that
    # Secret can sign as the CA; a KMS- or HSM-backed value keeps the key out
    # of the cluster - confirm before using this default outside test setups.
    # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
    certificateAuthority: fileca
    # kms_resource: gcpkms://....
    # kms_cert_chain: |-
    #   << your PEM encoded cert chain here. Order from active intermediate first to root last >>
    # The two bare values below parse as null, not as empty strings.
    hsm_caroot_id:
    aws_hsm_root_ca_path:
    # Placeholder project/pool path; must be overridden with a real CA pool
    # if certificateAuthority is set to googleca.
    gcp_private_ca_parent: projects/test/locations/us-east1/caPools/test
    # Certificate-transparency settings. ct_log_url is empty here; how the
    # templates fill it in is not visible in this file. Setting disable_ct_log
    # to true would stop issued certificates from being logged, which removes
    # the public audit trail for issuance.
    ct_log_url: ""
    disable_ct_log: false
  serviceAccount:
    create: true
    name: ""
    annotations: {}
    # NOTE(review): mounts a Kubernetes API token into the pod. Confirm the
    # server actually needs it; if not, disabling it limits what a
    # compromised pod can reach.
    mountToken: true
  service:
    type: ClusterIP
    ports:
      - name: http
        port: 80
        protocol: TCP
        targetPort: 5555
      - name: grpc
        port: 5554
        protocol: TCP
        targetPort: 5554
      # NOTE(review): presumably the metrics endpoint - confirm. It is
      # exposed on the same ClusterIP Service as the API ports.
      - name: 2112-tcp
        port: 2112
        protocol: TCP
        targetPort: 2112
  ingress:
    # Enabled by default with `tls: []`, i.e. no TLS configured on this
    # ingress. Clients send identity tokens to Fulcio, so any deployment
    # beyond the fulcio.localhost default should set `tls` (or terminate TLS
    # in front of the ingress).
    http:
      enabled: true
      className: "nginx"
      annotations: {}
      hosts:
        - path: /
          host: "fulcio.localhost"
      tls: []
    # gRPC ingress, disabled by default; unlike `http` it ships with a TLS
    # entry referencing the fulcio-grpc-ingress-tls Secret.
    grpc:
      enabled: false
      className: ""
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
      hosts:
        - host: fulcio.localhost
          path: /dev.sigstore.fulcio.v2.CA
      tls:
        - secretName: fulcio-grpc-ingress-tls
          hosts:
            - fulcio.localhost
  # Additional ingress definitions; the single GCE example is disabled by
  # default. sslPolicy, staticGlobalIP and securityPolicy.name refer to
  # resources by name - they are not defined in this file and have to exist
  # in the target project.
  ingresses:
    - enabled: false
      grpc: true
      http: true
      name: "gce-ingress"
      className: "gce"
      hosts:
        - path: /
          host: fulcio.localhost
      annotations: {}
      tls: []
      staticGlobalIP: lb-ext-ip
      frontendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters
        sslPolicy: fulcio-ssl-policy
        redirectToHttps:
          enabled: true
      backendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
        securityPolicy:
          name: fulcio-security-policy
        logging:
          enable: true
        healthCheck:
          port: 5555
          requestPath: "/healthz"
          type: HTTP
  # Runs the container as a fixed non-root UID. Only these two fields are set
  # here; whether the templates add further hardening (read-only root
  # filesystem, dropped capabilities, no privilege escalation) is not visible
  # in this file.
  securityContext:
    runAsNonRoot: true
    runAsUser: 65533
  tolerations: []
  nodeSelector: {}
  affinity: {}
# Settings for the createcerts workload, enabled by default.
# NOTE(review): presumably a one-shot Job that generates the certificate/key
# material consumed by the server - confirm against the templates.
createcerts:
  enabled: true
  replicaCount: 1
  name: createcerts
  image:
    registry: ghcr.io
    repository: sigstore/scaffolding/createcerts
    pullPolicy: IfNotPresent
    # `version` is an image digest (immutable reference); the tag comment
    # below is informational and must be kept in sync by hand.
    # v0.7.15
    version: sha256:03a5725b8812a45570a1c6ed8e5df7dc2295904cd8603c7ed537d97af174d235
  # Seconds a finished run is kept before cleanup (one hour).
  ttlSecondsAfterFinished: 3600
  serviceAccount:
    create: true
    name: ""
    annotations: {}
    # NOTE(review): presumably required so the workload can write its output
    # through the Kubernetes API; the permissions bound to this service
    # account are not visible here and should be limited to that - confirm.
    mountToken: true
  # Runs as a fixed non-root UID, the same one used by the server.
  securityContext:
    runAsNonRoot: true
    runAsUser: 65533
  annotations: {}
  tolerations: []
  nodeSelector: {}
  affinity: {}
# Configure ctlog dependency
# Overrides passed to the ctlog dependency: it is enabled by default and
# placed in its own namespace (ctlog-system, created by the dependency),
# separate from the Fulcio namespace.
ctlog:
  enabled: true
  name: ctlog
  forceNamespace: ctlog-system
  fullnameOverride: ctlog
  namespace:
    name: ctlog-system
    create: true
  createtree:
    name: ctlog-createtree
    fullnameOverride: ctlog-createtree
  createcerts:
    name: ctlog-createcerts
    fullnameOverride: ctlog-createcerts
  createctconfig:
    logPrefix: fulcio
# Force namespace of namespaced resources
# Empty by default.
# NOTE(review): presumably an empty string means no override is applied -
# confirm against the templates.
forceNamespace: ""