universe-tenant-control-plane
Chart version: 0.5.0-dev
AppVersion: 0.5.0-dev
Description: A Helm chart with Universe components for tenant cluster
- universe-k8s-tenant-resource-plugin
- universe-k8s-tenant-workload-plugin
- universe-k8s-tenant-workload-rule-plugin
| Name | Version | Repository |
|---|---|---|
| universe-k8s-tenant-resource-plugin | 0.5.0-dev | built-in |
| universe-k8s-tenant-workload-plugin | 0.5.0-dev | built-in |
| universe-k8s-tenant-workload-rule-plugin | 0.5.0-dev | built-in |
| lib-universe-proxy | 0.0.0 | file://../lib-universe-proxy |
| lib-vault-integration | 0.0.0 | file://../lib-vault-integration |
>
global
(object): global settings which apply to all subcharts. Default: see default values for nested options
>
global.image.tag
(string): this tag will be used for most images in all subcharts if a tag is not set explicitly for the image. Default:
null
>
global.image.registry
(string): this registry will be used for most images in all subcharts if a registry is not set explicitly for the image. Default:
null
>
global.imagePullSecrets
(list): imagePullSecrets will be added to all components. If imagePullSecrets is explicitly set for a component, the global value is ignored for it. Default:
[]
>
global.nodeSelector
(object): nodeSelector will be added to all components. If nodeSelector is explicitly set for a component, the global value is ignored for it. Default:
{}
>
global.tolerations
(list): tolerations will be added to all components. If tolerations are explicitly set for a component, the global value is ignored for it. Default:
[]
>
global.sidecars
(object): settings for common sidecar containers. Default:
{ "proxy": { "config": { "enabled": true, "listener": { "access_log": { "enabled": true, "log_format": { "json_format": { "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%", "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "grpc_status": "%GRPC_STATUS%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "start_time": "%START_TIME(%s.%3f)%", "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%", "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%", "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%", "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%", "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%", "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%", "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%", "tls_requested_server_name": "%REQUESTED_SERVER_NAME%", "upstream": "%UPSTREAM_HOST%", "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%" }, "omit_empty_values": true } }, "address": "127.0.0.1", "inject_headers": null, "port": 59090 }, "upstream": { "address": null, "clientTLS": { "cert": "/vault/secrets/client.cert", "enabled": false, "key": "/vault/secrets/client.key" }, "peerValidation": { "ca": "/vault/secrets/ca.cert", "enabled": false }, "port": null } }, "enabled": true, "image": { "pullPolicy": "IfNotPresent", "registry": "", "repository": "universe-grpc-proxy", "tag": "" } } }
>
global.sidecars.proxy.enabled
(bool): enables or disables deployment of the proxy sidecar container. Default:
true
>
global.sidecars.proxy.image.registry
(string): registry for the proxy image. Default:
""
>
global.sidecars.proxy.image.repository
(string): proxy image name. Default:
"universe-grpc-proxy"
>
global.sidecars.proxy.image.pullPolicy
(string): pullPolicy for the proxy image. Default:
"IfNotPresent"
>
global.sidecars.proxy.image.tag
(string): tag for the proxy image; if not set, the Helm chart appVersion will be used as the tag. Default:
""
>
global.sidecars.proxy.config
(object): will be translated to a ConfigMap which holds the envoy configuration. Default: see default values for nested options
>
global.sidecars.proxy.config.enabled
(bool): enables or disables deployment of the proxy sidecar configuration. Default:
true
>
global.sidecars.proxy.config.listener.inject_headers
(string): allows injecting custom headers into gRPC requests which are forwarded to the upstream cluster, e.g. inject_headers: {"tenant-id": "tenant1"}. Default:
null
>
global.sidecars.proxy.config.listener.access_log.enabled
(bool): enables or disables the access_log for the proxy container. Default:
true
>
global.sidecars.proxy.config.listener.access_log.log_format
(object): format of the access log; it is injected as-is into envoy's config file. Default:
{ "json_format": { "bytes_received": "%BYTES_RECEIVED%", "bytes_sent": "%BYTES_SENT%", "connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%", "downstream": "%DOWNSTREAM_REMOTE_ADDRESS%", "duration": "%DURATION%", "grpc_status": "%GRPC_STATUS%", "path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%", "protocol": "%PROTOCOL%", "start_time": "%START_TIME(%s.%3f)%", "tls_local_uri_san": "%DOWNSTREAM_LOCAL_URI_SAN%", "tls_peer_cert_end": "%DOWNSTREAM_PEER_CERT_V_END%", "tls_peer_cert_start": "%DOWNSTREAM_PEER_CERT_V_START%", "tls_peer_issuer": "%DOWNSTREAM_PEER_ISSUER%", "tls_peer_serial": "%DOWNSTREAM_PEER_SERIAL%", "tls_peer_subject": "%DOWNSTREAM_PEER_SUBJECT%", "tls_peer_uri_san": "%DOWNSTREAM_PEER_URI_SAN%", "tls_requested_server_name": "%REQUESTED_SERVER_NAME%", "upstream": "%UPSTREAM_HOST%", "upstream_failure_reason": "%UPSTREAM_TRANSPORT_FAILURE_REASON%" }, "omit_empty_values": true }
>
global.sidecars.proxy.config.listener.address
(string): the proxy container will listen on this address. Default:
"127.0.0.1"
>
global.sidecars.proxy.config.listener.port
(int): the proxy container will listen on this port. Default:
59090
>
global.sidecars.proxy.config.upstream.address
(string): upstream server address. Default:
null
>
global.sidecars.proxy.config.upstream.port
(string): upstream server port. Default:
null
>
global.sidecars.proxy.config.upstream.clientTLS
(object): client configuration for mTLS when connecting to the upstream server. Default:
{ "cert": "/vault/secrets/client.cert", "enabled": false, "key": "/vault/secrets/client.key" }
>
global.sidecars.proxy.config.upstream.peerValidation
(object): configuration for upstream server certificate validation. Default:
{ "ca": "/vault/secrets/ca.cert", "enabled": false }
>
global.vaultApproleSecret
(object): settings for the Secret which stores the roleID and secretID for the AppRole auth method in Vault. Config from this Secret is read by the vault-sidecar container and used to authenticate to the Vault server. If vaultApproleSecret settings are explicitly set for a component, the global value is ignored for it. Default: see default values for nested options
>
global.vaultApproleSecret.create
(bool): enables or disables creation of the Secret. Default:
false
>
global.vaultApproleSecret.name
(string): override for the default Secret name. Default: if not set explicitly, the Helm release name + "-secret" will be used
>
global.vaultApproleSecret.roleID
(string): roleID which the vault-sidecar will use for authentication to the Vault server. Default:
null
>
global.vaultApproleSecret.secretID
(string): secretID which the vault-sidecar will use for authentication to the Vault server. Default:
null
>
global.vaultAnnotations
(object): configuration for Vault-related Pod annotations. These annotations are used by the vault-injector mutating webhook to determine the configuration of the vault-sidecar container which will be attached to the plugin Pod. If vaultAnnotations settings are explicitly set for a component, the global value is ignored for it. Default: see default values for nested options
>
global.vaultAnnotations.addAnnotations
(bool): enables or disables addition of the annotations. Default:
false
>
global.vaultAnnotations.namespace
(string): namespace in the vault-server (namespaces are available only in Vault Enterprise). Default:
null
>
global.vaultAnnotations.role
(string): add a label with the role name. Default:
null
>
global.vaultAnnotations.clientCertSecret
(string): Vault PKI cert issue path. Default:
"pki_universe/issue/local"
>
global.vaultAnnotations.clientCertCommonName
(string): common name for the generated certificate. Default:
"proxy.local"
>
global.vaultAnnotations.clientCertTTL
(string): TTL for the generated certificate. Default:
"24h"
>
universe-k8s-tenant-resource-plugin
(object): settings for the universe-k8s-tenant-resource-plugin subchart. Default: check the universe-k8s-tenant-resource-plugin chart documentation
>
universe-k8s-tenant-resource-plugin.enabled
(bool): enables or disables deployment of universe-k8s-tenant-resource-plugin. Default:
false
>
universe-k8s-tenant-workload-plugin
(object): settings for the universe-k8s-tenant-workload-plugin subchart. Default: check the universe-k8s-tenant-workload-plugin chart documentation
>
universe-k8s-tenant-workload-plugin.enabled
(bool): enables or disables deployment of universe-k8s-tenant-workload-plugin. Default:
false
>
universe-k8s-tenant-workload-rule-plugin
(object): settings for the universe-k8s-tenant-workload-rule-plugin subchart. Default: check the universe-k8s-tenant-workload-rule-plugin chart documentation
>
universe-k8s-tenant-workload-rule-plugin.enabled
(bool): enables or disables deployment of universe-k8s-tenant-workload-rule-plugin. Default:
false
example-values-secure.yaml
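---
# Example values for a tenant control plane with client TLS and upstream
# peer validation enabled on the proxy sidecar, and Vault AppRole
# authentication enabled for the plugins.
global:
  image:
    # "latest" is a mutable tag; pin an immutable tag (or digest) for anything
    # beyond a throwaway environment so that deployments are reproducible.
    tag: latest
    registry: harbor.mellanox.com/cloud-orchestration-dev/
  # imagePullSecrets:
  #   - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      operator: "Exists"
      key: node-role.kubernetes.io/control-plane
  sidecars:
    proxy:
      config:
        listener:
          # header added to every gRPC request forwarded to the upstream
          inject_headers:
            tenant-id: tenant1
        upstream:
          address: 172.18.0.2  # Infra API gateway address
          port: 30001
          # present a client certificate to the upstream and verify the
          # upstream's certificate against the configured CA (both default
          # to disabled in the chart)
          clientTLS:
            enabled: true
          peerValidation:
            enabled: true
  vaultAnnotations:
    addAnnotations: true
  vaultApproleSecret:
    create: true
    # Do not commit real AppRole credentials to this file. Supply them at
    # install time (e.g. `--set global.vaultApproleSecret.roleID=...`), or set
    # `create: false` and point `name` at a Secret created out of band.
    # Both values are shared by all plugins.
    roleID: "<VAULT_APPROLE_ROLE_ID>"      # placeholder, replace at install
    secretID: "<VAULT_APPROLE_SECRET_ID>"  # placeholder, replace at install
universe-k8s-tenant-resource-plugin:
  enabled: true
universe-k8s-tenant-workload-plugin:
  enabled: true
universe-k8s-tenant-workload-rule-plugin:
  enabled: true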
example-values-dev.yaml
---
# Example values for a development setup. The proxy sidecar's client TLS,
# upstream peer validation, Vault annotations and the AppRole Secret are all
# left at their chart defaults (disabled / not created).
global:
  image:
    tag: "latest"
    registry: "harbor.mellanox.com/cloud-orchestration-dev/"
  # imagePullSecrets:
  #   - name: nvcrio-cred
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - key: node-role.kubernetes.io/master
      operator: Exists
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule
  sidecars:
    proxy:
      config:
        listener:
          # header added to every gRPC request forwarded to the upstream
          inject_headers:
            tenant-id: "tenant1"
        upstream:
          address: "172.18.0.2"  # Infra API gateway address
          port: 30001
universe-k8s-tenant-resource-plugin:
  enabled: true
universe-k8s-tenant-workload-plugin:
  enabled: true
universe-k8s-tenant-workload-rule-plugin:
  enabled: true