# IMPORTANT: The following command has to be adapted so that every admin, masternode and workernode is included
sudo tee /etc/hosts <<EOL_ETC_HOSTS
127.0.0.1 localhost
<admin ip> <admin hostname>
<master1 ip> <master1 hostname>
<master2 ip> <master2 hostname>
<master3 ip> <master3 hostname>
...
<worker1 ip> <worker1 hostname>
<worker2 ip> <worker2 hostname>
<worker3 ip> <worker3 hostname>
...
EOL_ETC_HOSTS

ssh-keygen -q -t ed25519 -f ~/.ssh/id_ed25519 -N ""

# IMPORTANT: The following command has to be adapted so that every admin, masternode and workernode is included
ssh-copy-id -i ~/.ssh/id_ed25519 <admin hostname>
ssh-copy-id -i ~/.ssh/id_ed25519 <master1 hostname>
ssh-copy-id -i ~/.ssh/id_ed25519 <master2 hostname>
ssh-copy-id -i ~/.ssh/id_ed25519 <master3 hostname>
...
ssh-copy-id -i ~/.ssh/id_ed25519 <worker1 hostname>
ssh-copy-id -i ~/.ssh/id_ed25519 <worker2 hostname>
ssh-copy-id -i ~/.ssh/id_ed25519 <worker3 hostname>
...

# IMPORTANT: The following command has to be adapted so that every admin, masternode and workernode is included
ssh-keyscan <admin hostname> >> ~/.ssh/known_hosts
ssh-keyscan <admin ip> >> ~/.ssh/known_hosts
ssh-keyscan <master1 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <master1 ip> >> ~/.ssh/known_hosts
ssh-keyscan <master2 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <master2 ip> >> ~/.ssh/known_hosts
ssh-keyscan <master3 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <master3 ip> >> ~/.ssh/known_hosts
...
ssh-keyscan <worker1 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <worker1 ip> >> ~/.ssh/known_hosts
ssh-keyscan <worker2 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <worker2 ip> >> ~/.ssh/known_hosts
ssh-keyscan <worker3 hostname> >> ~/.ssh/known_hosts
ssh-keyscan <worker3 ip> >> ~/.ssh/known_hosts
...

# IMPORTANT: The following command has to be adapted so that every admin, masternode and workernode is included
ssh <admin hostname> exit
ssh <admin ip> exit
ssh <master1 hostname> exit
ssh <master1 ip> exit
ssh <master2 hostname> exit
ssh <master2 ip> exit
ssh <master3 hostname> exit
ssh <master3 ip> exit
...
ssh <worker1 hostname> exit
ssh <worker1 ip> exit
ssh <worker2 hostname> exit
ssh <worker2 ip> exit
ssh <worker3 hostname> exit
ssh <worker3 ip> exit
...

chronyc tracking
chronyc sources -v

# file ~/.bashrc
# Append these values to the end of your ~/.bashrc file
export KUBEOPSROOT=/home/<yourUser>/kubeops
export XDG_RUNTIME_DIR=$KUBEOPSROOT

source ~/.bashrc
echo $KUBEOPSROOT
echo $XDG_RUNTIME_DIR

mkdir ~/kubeops
cd ~/kubeops
cp -R /var/kubeops/kosi/ .
cp -R /var/kubeops/plugins/ .

# file $KUBEOPSROOT/kosi/config.yaml
apiversion: kubernative/sina/config/v2

spec:
  hub: https://dispatcher.kubeops.net/v4/dispatcher/ # <-- set hub url
  plugins: <your kubeopsroot>/kubeops/plugins/ # <-- set the path to your plugin folder (~ for home or $KUBEOPSROOT don't work, it has to be the full path)
  workspace: /tmp/kosi/process/
  logging: info
  housekeeping: false
  proxy: false

kosi install --hub kosi-enterprise kosi/enterprise-plugins:2.0.0

kosi login -u <yourUser>

# file cluster-values.yaml
apiVersion: kubeops/kubeopsctl/cluster/beta/v1
imagePullRegistry: registry.kubeops.net/kubeops/kubeops
airgap: false
clusterName: <your cluster name>
clusterUser: <your user name>
kubernetesVersion: <your kubernetesversion>
kubeVipEnabled: false
virtualIP: <your master1 ip>
firewall: nftables
pluginNetwork: calico
containerRuntime: containerd
kubeOpsRoot: <your kubeopsroot path>
serviceSubnet: 192.168.128.0/17
podSubnet: 192.168.0.0/17
debug: true
packageRepository: https://packagerepo.kubeops.net/
changeCluster: true
zones:
# IMPORTANT: The following part has to be adapted so that every one of your masternodes and workernodes is included
# This file only includes the minimum requirements for the amount of masters and workers and an example usage of zones
# You should adapt this part to your amount of masters and workers and cluster them into as many zones as you like
- name: zone1
  nodes:
  - name: <your master1 hostname>
    iPAddress: <your master1 ip>
    type: controlplane
    kubeVersion: <kubernetesversion from above>
  - name: <your worker1 hostname>
    iPAddress: <your worker1 ip>
    type: worker
    kubeVersion: <kubernetesversion from above>
- name: zone2
  nodes:
  - name: <your master2 hostname>
    iPAddress: <your master2 ip>
    type: controlplane
    kubeVersion: <kubernetesversion from above>
  - name: <your worker2 hostname>
    iPAddress: <your worker2 ip>
    type: worker
    kubeVersion: <kubernetesversion from above>
- name: zone3
  nodes:
  - name: <your master3 hostname>
    iPAddress: <your master3 ip>
    type: controlplane
    kubeVersion: <kubernetesversion from above>
  - name: <your worker3 hostname>
    iPAddress: <your worker3 ip>
    type: worker
    kubeVersion: <kubernetesversion from above>

kubeVipEnabled: true
virtualIP: <IP in your cluster ip range which is not given yet>

kubeVipEnabled: false
virtualIP: <master1 ip>

kubeopsctl pull

kubeopsctl pull --kubernetesVersion <x.xx.x>

kosi install -p $KUBEOPSROOT/lima/podman_5.2.2.tgz -f cluster-values.yaml

kosi install -p $KUBEOPSROOT/lima/helm_v3.16.4.tgz

kosi install -p $KUBEOPSROOT/lima/kubernetes-tools_<your kubernetes version>.tgz -f cluster-values.yaml

kosi login -u <your username>

cat $KUBEOPSROOT/kosi/config.yaml

ls -1 $KUBEOPSROOT/lima

kubeopsctl apply -f cluster-values.yaml

kubeopsctl pull

  - name: demo-controlplaneXX
    iPAddress: 10.2.10.XXX
    type: controlplane
    kubeVersion: 1.31.6 

# file cluster-values.yaml
apiVersion: kubeops/kubeopsctl/cluster/beta/v1
imagePullRegistry: registry.kubeops.net/kubeops/kubeops
airgap: false
clusterName: myCluster
clusterUser: root
kubernetesVersion: 1.31.6       # -> actual version
kubeVipEnabled: false           
virtualIP: 10.2.10.110
firewall: nftables
pluginNetwork: calico
containerRuntime: containerd
kubeOpsRoot: /home/myuser/kubeops
serviceSubnet: 192.168.128.0/17
podSubnet: 192.168.0.0/17
debug: true
systemCpu: 250m
systemMemory: 256Mi
packageRepository: https://packagerepo.kubeops.net/
changeCluster: true             # -> has to be set
zones:
- name: zone1
  nodes:
  - name: demo-controlplane01
    iPAddress: 10.2.10.110
    type: controlplane
    kubeVersion: 1.31.6       
  - name: demo-controlplaneXX   # -> has to be changed
    iPAddress: 10.2.10.XXX      # -> has to be changed
    type: controlplane
    kubeVersion: 1.31.6         # -> check with actual version
  - name: demo-worker01
    iPAddress: 10.2.10.210
    type: worker
    kubeVersion: 1.31.6       
- name: zone2
  nodes:
  - name: demo-controlplane02
    iPAddress: 10.2.10.120
    type: controlplane
    kubeVersion: 1.31.6       
  - name: demo-worker02
    iPAddress: 10.2.10.220
    type: worker
    kubeVersion: 1.31.6       
- name: zone3
  nodes:
  - name: demo-controlplane03
    iPAddress: 10.2.10.130
    type: controlplane
    kubeVersion: 1.31.6      
  - name: demo-worker03
    iPAddress: 10.2.10.230
    type: worker
    kubeVersion: 1.31.6      

kubeopsctl apply -f cluster-values.yaml

kubeopsctl pull

  - name: demo-workerXX
    iPAddress: 10.2.10.XX
    type: worker
    kubeVersion: 1.31.6      

# file cluster-values.yaml
apiVersion: kubeops/kubeopsctl/cluster/beta/v1
imagePullRegistry: registry.kubeops.net/kubeops/kubeops
airgap: false
clusterName: myCluster
clusterUser: root
kubernetesVersion: 1.31.6        # -> actual version
kubeVipEnabled: false           
virtualIP: 10.2.10.110
firewall: nftables
pluginNetwork: calico
containerRuntime: containerd
kubeOpsRoot: /home/myuser/kubeops
serviceSubnet: 192.168.128.0/17
podSubnet: 192.168.0.0/17
debug: true
systemCpu: 250m
systemMemory: 256Mi
packageRepository: https://packagerepo.kubeops.net/
changeCluster: true              # -> has to be set
zones:
- name: zone1
  nodes:
  - name: demo-controlplane01
    iPAddress: 10.2.10.110
    type: controlplane
    kubeVersion: 1.31.6       
  - name: demo-worker01
    iPAddress: 10.2.10.210
    type: worker
    kubeVersion: 1.31.6       
- name: zone2
  nodes:
  - name: demo-controlplane02
    iPAddress: 10.2.10.120
    type: controlplane
    kubeVersion: 1.31.6       
  - name: demo-worker02
    iPAddress: 10.2.10.220
    type: worker
    kubeVersion: 1.31.6       
  - name: demo-workerXX          # -> has to be changed
    iPAddress: 10.2.10.XX        # -> has to be changed
    type: worker
    kubeVersion: 1.31.6          # -> check with actual version     
- name: zone3
  nodes:
  - name: demo-controlplane03
    iPAddress: 10.2.10.130
    type: controlplane
    kubeVersion: 1.31.6      
  - name: demo-worker03
    iPAddress: 10.2.10.230
    type: worker
    kubeVersion: 1.31.6      

kubeopsctl apply -f cluster-values.yaml

kubectl scale deploy rook-ceph-operator -n rook-ceph --replicas=0

kubectl exec -it deploy/rook-ceph-tools -n rook-ceph -- ceph osd tree

ID   CLASS  WEIGHT   TYPE NAME              STATUS  REWEIGHT  PRI-AFF
 -1         0.21478  root default
 -9         0.04880      zone zone1
 -7         0.04880          host worker01                              # worker01 is being removed
  0    ssd  0.04880              osd.0          up   1.00000  1.00000   # osd.0 is being removed
-15         0.04880          host worker04
  3    ssd  0.04880              osd.3          up   1.00000  1.00000
-11         0.10739      zone zone2
 -3         0.05859          host worker02
  1    ssd  0.05859              osd.1          up   0.95001  1.00000
-13         0.05859      zone zone3
 -5         0.05859          host worker03
  2    ssd  0.05859              osd.2          up   0.95001  1.00000

kubectl scale deploy -n rook-ceph rook-ceph-osd-<x> --replicas=0
# Example: kubectl scale deploy -n rook-ceph rook-ceph-osd-0 --replicas=0

kubectl exec -it deploy/rook-ceph-tools -n rook-ceph -- bash
# show OSD tree
ceph osd tree
# mark OSD out
ceph osd out <x>
# Example: ceph osd out 0
ceph osd purge <x> --yes-i-really-mean-it
# Example: ceph osd purge 0 --yes-i-really-mean-it
ceph auth del osd.<x>
# adjust CRUSH map
ceph osd crush remove <nodename>
# exit from ceph-tools
exit
# show OSD tree (now without the deleted node)
kubectl exec -it deploy/rook-ceph-tools -n rook-ceph -- ceph osd tree

kubectl delete deploy -n rook-ceph rook-ceph-osd-<x> rook-ceph-mon-<y>

kubectl scale deploy rook-ceph-operator -n rook-ceph --replicas=1

kubectl exec -it deploy/rook-ceph-tools -n rook-ceph -- ceph status
kubectl exec -it deploy/rook-ceph-tools -n rook-ceph -- ceph pg stat

  openssl s_client -showcerts -connect dev04.kubeops.net:443 /dev/null | openssl x509 -outform PEM > keycloak-ca.crt

apiVersion: rbac.authorization.k8s.io/v1

kind: ClusterRoleBinding

metadata:

  name: headlamp-admin-user

subjects:

- kind: Group

  name: "oidc:headlamp" # Der 'sub' oder 'preferred_username' from the Keycloak-Token

  apiGroup: rbac.authorization.k8s.io

roleRef:

  kind: ClusterRole

  name: cluster-admin

  apiGroup: rbac.authorization.k8s.io

    kubectl apply -f headlamp-clusterrolebinding.yaml

packages:

- name: kubeops-dashboard

  enabled: true

  values:

    standard:

      namespace: monitoring

      service:

        nodePort: 30007

      hostname: "headlamp.dev04.kubeops.net"

      path: "/"

    advanced:

      config:

        extraArgs:

          - "--in-cluster"

          - "--plugins-dir=/headlamp/plugins"

          - "--oidc-client-id=headlamp"

          - "--oidc-idp-issuer-url=https://dev04.kubeops.net/keycloak/realms/master"

          - "--oidc-scopes=openid,profile,email"

          - "--insecure-ssl"

          - "--oidc-client-secret=<client-secret>"

oidc_client_id: harbor
oidc_client_secret: <CLIENT_SECRET>

kubectl create secret generic <your_secret_name> -n <you_harbor_namespace> \
    --from-literal client_id=<your_oidc_client_id> \
    --from-literal client_secret=<your_oidc_client_secret> \

apiVersion: kubeops/kubeopsctl/enterprise/beta/v1

deleteNs: false
localRegistry: false

packages:
  - name: harbor
    enabled: true
    values:
      standard:
        namespace: <you_harbor_namespace>
        harborpass: "password"
        databasePassword: "password"
        redisPassword: "password"
        externalURL: <your_DNS_name>
        nodePort: 30002
        hostname: harbor.dev04.kubeops.net
        harborPersistence:
          persistentVolumeClaim:
            registry:
              size: 40Gi
              storageClass: "rook-cephfs"
            jobservice:
              jobLog:
                size: 1Gi
                storageClass: "rook-cephfs"
            database:
              size: 1Gi
              storageClass: "rook-cephfs"
            redis:
              size: 1Gi
              storageClass: "rook-cephfs"
            trivy:
              size: 5Gi
              storageClass: "rook-cephfs"

      advanced:
        core:
          extraEnvVars:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-harbor 
                  key: client_id
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-harbor 
                  key: client_secret
            - name: CONFIG_OVERWRITE_JSON
              value: |
                {
                  "auth_mode": "oidc_auth",
                  "oidc_name": "keycloak",
                  "oidc_endpoint": "https://<your_DNS_name>/keycloak/realms/kubeops-dashboards",
                  "oidc_client_id": "$(OIDC_CLIENT_ID)",
                  "oidc_client_secret": "$(OIDC_CLIENT_SECRET)",
                  "oidc_scope": "openid,profile,email",
                  "oidc_verify_cert": true,
                  "oidc_auto_onboard": true
                }                

oidc_client_id: rook-ceph
oidc_client_secret: <CLIENT_SECRET>

python3 -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

kubectl create secret generic oauth2-proxy-credentials   --from-literal=client-id="ceph-dashboard"   --from-literal=client-secret="<client-secret>"   --from-literal=cookie-secret="<cookie-secret>"   -n rook-ceph

global:

  # Global registry to pull the images from

  imageRegistry: ""

  # To help compatibility with other charts which use global.imagePullSecrets.

  imagePullSecrets: []

  #   - name: pullSecret1

  #   - name: pullSecret2

## Override the deployment namespace

##

namespaceOverride: ""

# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).

# This is especially useful for `helm template` as capabilities are always empty

# due to the fact that it doesn't query an actual cluster

kubeVersion:

# Oauth client configuration specifics

config:

  # Add config annotations

  annotations: {}

  # OAuth client ID

  clientID: "ceph-dashboard"

  # OAuth client secret

  clientSecret: "<client-secret>"

  # List of secret keys to include in the secret and expose as environment variables.

  # By default, all three secrets are required. To exclude certain secrets

  # (e.g., when using federated token authentication), remove them from this list.

  # Example to exclude client-secret:

  # requiredSecretKeys:

  #   - client-id

  #   - cookie-secret

  requiredSecretKeys:

    - client-id

    - client-secret

    - cookie-secret

  # Create a new secret with the following command

  # openssl rand -base64 32 | head -c 32 | base64

  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)

  # Example:

  # existingSecret: secret

  cookieSecret: "<cookie-secret>"

  # The name of the cookie that oauth2-proxy will create

  # If left empty, it will default to the release name

  cookieName: ""

  google: {}

    # adminEmail: xxxx

    # useApplicationDefaultCredentials: true

    # targetPrincipal: xxxx

    # serviceAccountJson: xxxx

    # Alternatively, use an existing secret (see google-secret.yaml for required fields)

    # Example:

    # existingSecret: google-secret

    # groups: []

    # Example:

    #  - group1@example.com

    #  - group2@example.com

  # Default configuration, to be overridden

  configFile: |-

    provider = "keycloak-oidc"

    oidc_issuer_url = "https://dev04.kubeops.net/keycloak/realms/master"

    email_domains = [ "*" ]

    upstreams = [ "file:///dev/null" ]

   

    pass_user_headers = true

    set_xauthrequest = true

    pass_access_token = true

  # Custom configuration file: oauth2_proxy.cfg

  # configFile: |-

  #   pass_basic_auth = false

  #   pass_access_token = true

  # Use an existing config map (see configmap.yaml for required fields)

  # Example:

  # existingConfig: config

alphaConfig:

  enabled: false

  # Add config annotations

  annotations: {}

  # Arbitrary configuration data to append to the server section

  serverConfigData: {}

  # Arbitrary configuration data to append to the metrics section

  metricsConfigData: {}

  # Arbitrary configuration data to append

  configData: {}

  # Arbitrary configuration to append

  # This is treated as a Go template and rendered with the root context

  configFile: ""

  # Use an existing config map (see secret-alpha.yaml for required fields)

  existingConfig: ~

  # Use an existing secret

  existingSecret: "oauth2-proxy-credentials"

image:

  registry: ""

  repository: "oauth2-proxy/oauth2-proxy"

  # appVersion is used by default

  tag: ""

  pullPolicy: "IfNotPresent"

  command: []

# Optionally specify an array of imagePullSecrets.

# Secrets must be manually created in the namespace.

# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod

imagePullSecrets: []

  # - name: myRegistryKeySecretName

# Set a custom containerPort if required.

# This will default to 4180 if this value is not set and the httpScheme set to http

# This will default to 4443 if this value is not set and the httpScheme set to https

# containerPort: 4180

extraArgs:

  - --provider=keycloak-oidc

  - --set-xauthrequest=true

  - --pass-user-headers=true

  - --pass-access-token=true

  - --skip-oidc-discovery=true

  - --oidc-issuer-url=https://dev04.kubeops.net/keycloak/realms/master

  - --login-url=https://dev04.kubeops.net/keycloak/realms/master/protocol/openid-connect/auth

  - --redeem-url=https://dev04.kubeops.net/keycloak/realms/master/protocol/openid-connect/token

  - --validate-url=https://dev04.kubeops.net/keycloak/realms/master/protocol/openid-connect/userinfo

  - --oidc-jwks-url=https://dev04.kubeops.net/keycloak/realms/master/protocol/openid-connect/certs

  - --ssl-insecure-skip-verify=true

  - --cookie-secure=true

extraEnv: []

envFrom: []

# Load environment variables from a ConfigMap(s) and/or Secret(s)

# that already exists (created and managed by you).

# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables

#

# PS: Changes in these ConfigMaps or Secrets will not be automatically

#     detected and you must manually restart the relevant Pods after changes.

#

#  - configMapRef:

#      name: special-config

#  - secretRef:

#      name: special-config-secret

# -- Custom labels to add into metadata

customLabels: {}

# To authorize individual email addresses

# That is part of extraArgs but since this needs special treatment we need to do a separate section

authenticatedEmailsFile:

  enabled: false

  # Defines how the email addresses file will be projected, via a configmap or secret

  persistence: configmap

  # template is the name of the configmap what contains the email user list but has been configured without this chart.

  # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.

  # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the

  # provided value in restrictedUserAccessKey field.

  template: ""

  # The configmap/secret key under which the list of email access is stored

  # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility

  restrictedUserAccessKey: ""

  # One email per line

  # example:

  # restricted_access: |-

  #   name1@domain

  #   name2@domain

  # If you override the config with restricted_access it will configure a user list within this chart what takes care of the

  # config map resource.

  restricted_access: ""

  annotations: {}

  # helm.sh/resource-policy: keep

service:

  type: ClusterIP

  # when service.type is ClusterIP ...

  # clusterIP: 192.0.2.20

  # when service.type is LoadBalancer ...

  # loadBalancerIP: 198.51.100.40

  # loadBalancerSourceRanges: 203.0.113.0/24

  # when service.type is NodePort ...

  # nodePort: 80

  portNumber: 80

  # Protocol set on the service

  appProtocol: http

  annotations: {}

  # foo.io/bar: "true"

  # configure externalTrafficPolicy

  externalTrafficPolicy: ""

  # configure internalTrafficPolicy

  internalTrafficPolicy: ""

  # configure service target port

  targetPort: ""

  # Configures the service to use IPv4/IPv6 dual-stack.

  # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/

  ipDualStack:

    enabled: false

    ipFamilies: ["IPv6", "IPv4"]

    ipFamilyPolicy: "PreferDualStack"

  # Configure traffic distribution for the service

  # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution

  trafficDistribution: ""

## Create or use ServiceAccount

serviceAccount:

  ## Specifies whether a ServiceAccount should be created

  enabled: true

  ## The name of the ServiceAccount to use.

  ## If not set and create is true, a name is generated using the fullname template

  name:

  automountServiceAccountToken: true

  annotations: {}

  ## imagePullSecrets for the service account

  imagePullSecrets: []

    # - name: myRegistryKeySecretName

# Network policy settings.

networkPolicy:

  create: false

  ingress: []

  egress: []

ingress:

  enabled: false

  # className: nginx

  path: /

  # Only used if API capabilities (networking.k8s.io/v1) allow it

  pathType: ImplementationSpecific

  # Used to create an Ingress record.

  # hosts:

  # - chart-example.local

  # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.

  # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)

  # extraPaths:

  # - path: /*

  #   pathType: ImplementationSpecific

  #   backend:

  #     service:

  #       name: ssl-redirect

  #       port:

  #         name: use-annotation

  labels: {}

  # annotations:

  #   kubernetes.io/ingress.class: nginx

  #   kubernetes.io/tls-acme: "true"

  # tls:

  # Secrets must be manually created in the namespace.

  # - secretName: chart-example-tls

  #   hosts:

  #     - chart-example.local

# Gateway API HTTPRoute configuration

# Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/

gatewayApi:

  enabled: false

  # The name of the Gateway resource to attach the HTTPRoute to

  # Example:

  # gatewayRef:

  #   name: gateway

  #   namespace: gateway-system

  gatewayRef:

    name: ""

    namespace: ""

  # HTTPRoute rule configuration

  # rules:

  # - matches:

  #   - path:

  #       type: PathPrefix

  #       value: /

  rules: []

  # Hostnames to match in the HTTPRoute

  # hostnames:

  # - chart-example.local

  hostnames: []

  # Additional labels to add to the HTTPRoute

  labels: {}

  # Additional annotations to add to the HTTPRoute

  annotations: {}

resources: {}

  # limits:

  #   cpu: 100m

  #   memory: 300Mi

  # requests:

  #   cpu: 100m

  #   memory: 300Mi

# Container resize policy for runtime resource updates

# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources/

resizePolicy: []

  # - resourceName: cpu

  #   restartPolicy: NotRequired

  # - resourceName: memory

  #   restartPolicy: RestartContainer

extraVolumes: []

  # - name: ca-bundle-cert

  #   secret:

  #     secretName: <secret-name>

extraVolumeMounts: []

  # - mountPath: /etc/ssl/certs/

  #   name: ca-bundle-cert

# Additional containers to be added to the pod.

extraContainers: []

  #  - name: my-sidecar

  #    image: nginx:latest

# Additional Init containers to be added to the pod.

extraInitContainers: []

  #  - name: wait-for-idp

  #    image: my-idp-wait:latest

  #    command:

  #    - sh

  #    - -c

  #    - wait-for-idp.sh

priorityClassName: ""

# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution

hostAliases: []

# - ip: "10.xxx.xxx.xxx"

#   hostnames:

#     - "auth.example.com"

# - ip: 127.0.0.1

#   hostnames:

#     - chart-example.local

#     - example.local

# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.

# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling

# topologySpreadConstraints: []

# Affinity for pod assignment

# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

# affinity: {}

# Tolerations for pod assignment

# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

tolerations: []

# Node labels for pod assignment

# Ref: https://kubernetes.io/docs/user-guide/node-selection/

nodeSelector: {}

# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables

proxyVarsAsSecrets: true

# Configure Kubernetes liveness and readiness probes.

# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/

# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks

livenessProbe:

  enabled: true

  initialDelaySeconds: 0

  timeoutSeconds: 1

readinessProbe:

  enabled: true

  initialDelaySeconds: 0

  timeoutSeconds: 5

  periodSeconds: 10

  successThreshold: 1

# Configure Kubernetes security context for container

# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

securityContext:

  enabled: true

  allowPrivilegeEscalation: false

  capabilities:

    drop:

      - ALL

  readOnlyRootFilesystem: true

  runAsNonRoot: true

  runAsUser: 2000

  runAsGroup: 2000

  seccompProfile:

    type: RuntimeDefault

deploymentAnnotations: {}

podAnnotations: {}

podLabels: {}

replicaCount: 1

revisionHistoryLimit: 10

strategy: {}

enableServiceLinks: true

## PodDisruptionBudget settings

## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/

## One of maxUnavailable and minAvailable must be set to null.

podDisruptionBudget:

  enabled: true

  maxUnavailable: null

  minAvailable: 1

  # Policy for when unhealthy pods should be considered for eviction.

  # Valid values are "IfHealthyBudget" and "AlwaysAllow".

  # Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy

  unhealthyPodEvictionPolicy: ""

## Horizontal Pod Autoscaling

## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

autoscaling:

  enabled: false

  minReplicas: 1

  maxReplicas: 10

  targetCPUUtilizationPercentage: 80

  # targetMemoryUtilizationPercentage: 80

  annotations: {}

  # Configure HPA behavior policies for scaling if needed

  # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configuring-scaling-behavior

  behavior: {}

    # scaleDown:

    #   stabilizationWindowSeconds: 300

    #   policies:

    #   - type: Percent

    #     value: 100

    #     periodSeconds: 15

    #   selectPolicy: Min

    # scaleUp:

    #   stabilizationWindowSeconds: 0

    #   policies:

    #   - type: Percent

    #     value: 100

    #     periodSeconds: 15

    #   - type: Pods

    #     value: 4

    #     periodSeconds: 15

    #   selectPolicy: Max

# Configure Kubernetes security context for pod

# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

podSecurityContext: {}

# whether to use http or https

httpScheme: http

initContainers:

  # if the redis sub-chart is enabled, wait for it to be ready

  # before starting the proxy

  # creates a role binding to get, list, watch, the redis master pod

  # if service account is enabled

  waitForRedis:

    enabled: true

    image:

      repository: "alpine"

      tag: "latest"

      pullPolicy: "IfNotPresent"

    # uses the kubernetes version of the cluster

    # the chart is deployed on, if not set

    kubectlVersion: ""

    securityContext:

      enabled: true

      allowPrivilegeEscalation: false

      capabilities:

        drop:

          - ALL

      readOnlyRootFilesystem: true

      runAsNonRoot: true

      runAsUser: 65534

      runAsGroup: 65534

      seccompProfile:

        type: RuntimeDefault

    timeout: 180

    resources: {}

      # limits:

      #   cpu: 100m

      #   memory: 300Mi

      # requests:

      #   cpu: 100m

      #   memory: 300Mi

# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.

# Alternatively supply an existing secret which contains the required information.

htpasswdFile:

  enabled: false

  existingSecret: ""

  entries: []

  # One row for each user

  # example:

  # entries:

  #  - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy

# Configure the session storage type, between cookie and redis

sessionStorage:

  # Can be one of the supported session storage cookie|redis

  type: cookie

  redis:

    # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)

    existingSecret: ""

    # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence

    password: ""

    # Key of the Kubernetes secret data containing the redis password value. If you use the redis sub chart, make sure

    # this password matches the one used in redis-ha.redisPassword (see below).

    passwordKey: "redis-password"

    # Can be one of standalone|cluster|sentinel

    clientType: "standalone"

    standalone:

      # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set

      connectionUrl: ""

    cluster:

      # List of Redis cluster connection URLs. Array or single string allowed.

      connectionUrls: []

      # - "redis://127.0.0.1:8000"

      # - "redis://127.0.0.1:8001"

    sentinel:

      # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`

      existingSecret: ""

      # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`

      password: ""

      # Key of the Kubernetes secret data containing the redis sentinel password value

      passwordKey: "redis-sentinel-password"

      # Redis sentinel master name

      masterName: ""

      # List of Redis cluster connection URLs. Array or single string allowed.

      connectionUrls: []

      # - "redis://127.0.0.1:8000"

      # - "redis://127.0.0.1:8001"

# Enables and configure the automatic deployment of the redis-ha subchart

redis-ha:

  # provision an instance of the redis-ha sub-chart

  enabled: false

  # Redis specific helm chart settings, please see:

  # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#general-parameters

  #

  # Recommended:

  #

  # redisPassword: xxxxx

  # replicas: 1

  # persistentVolume:

  #   enabled: false

  #

  # If you install Redis using this sub chart, make sure that the password of the sub chart matches the password

  # you set in sessionStorage.redis.password (see above).

  #

  # If you want to use redis in sentinel mode see:

  # https://artifacthub.io/packages/helm/dandydev-charts/redis-ha#redis-sentinel-parameters

# Enables apiVersion deprecation checks

checkDeprecation: true

# Allows graceful shutdown

# terminationGracePeriodSeconds: 65

# lifecycle:

#   preStop:

#     exec:

#       command: [ "sh", "-c", "sleep 60" ]

metrics:

  # Enable Prometheus metrics endpoint

  enabled: true

  # Serve Prometheus metrics on this port

  port: 44180

  # when service.type is NodePort ...

  # nodePort: 44180

  # Protocol set on the service for the metrics port

  service:

    appProtocol: http

  serviceMonitor:

    # Enable Prometheus Operator ServiceMonitor

    enabled: false

    # Define the namespace where to deploy the ServiceMonitor resource

    namespace: ""

    # Prometheus Instance definition

    prometheusInstance: default

    # Prometheus scrape interval

    interval: 60s

    # Prometheus scrape timeout

    scrapeTimeout: 30s

    # Add custom labels to the ServiceMonitor resource

    labels: {}

    ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.

    scheme: ""

    ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.

    ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig

    tlsConfig: {}

    ## bearerTokenFile: Path to bearer token file.

    bearerTokenFile: ""

    ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with

    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec

    annotations: {}

    ## Metric relabel configs to apply to samples before ingestion.

    ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)

    metricRelabelings: []

    # - action: keep

    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'

    #   sourceLabels: [__name__]

    ## Relabel configs to apply to samples before ingestion.

    ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)

    relabelings: []

    # - sourceLabels: [__meta_kubernetes_pod_node_name]

    #   separator: ;

    #   regex: ^(.*)$

    #   targetLabel: nodename

    #   replacement: $1

    #   action: replace

# Extra K8s manifests to deploy

extraObjects: []