forked from komish/dh-plugin-workflow-hackery
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvalue.yaml
307 lines (305 loc) · 13.4 KB
/
value.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
global:
dynamic:
# -- Array of YAML files listing dynamic plugins to include with those listed in the `plugins` field.
# Relative paths are resolved from the working directory of the initContainer that will install the plugins (`/opt/app-root/src`).
includes:
# -- List of dynamic plugins included inside the `janus-idp/backstage-showcase` container image, some of which are disabled by default.
# This file ONLY works with the `janus-idp/backstage-showcase` container image.
- 'dynamic-plugins.default.yaml'
# -- List of dynamic plugins, possibly overriding the plugins listed in `includes` files.
# Every item defines the plugin `package` as a [NPM package spec](https://docs.npmjs.com/cli/v10/using-npm/package-spec),
# an optional `pluginConfig` with plugin-specific backstage configuration, and an optional `disabled` flag to disable/enable a plugin
# listed in `includes` files. It also includes an `integrity` field that is used to verify the plugin package [integrity](https://w3c.github.io/webappsec-subresource-integrity/#integrity-metadata-description).
plugins: []
# -- Shorthand for users who do not want to specify a custom HOSTNAME. Used ONLY with the DEFAULT upstream.backstage.appConfig value and with OCP Route enabled.
clusterRouterBase: "apps.example.com"
# -- Custom hostname shorthand, overrides `global.clusterRouterBase`, `upstream.ingress.host`, `route.host`, and url values in `upstream.backstage.appConfig`.
host: ""
# -- Enable service authentication within Backstage instance
auth:
# -- Backend service to service authentication
# <br /> Ref: https://backstage.io/docs/auth/service-to-service-auth/
backend:
# -- Enable backend service to service authentication, unless configured otherwise it generates a secret value
enabled: true
# -- Instead of generating a secret value, refer to existing secret
existingSecret: ""
# -- Instead of generating a secret value, use the following value
value: ""
# -- Upstream Backstage [chart configuration](https://github.com/backstage/charts/blob/main/charts/backstage/values.yaml)
# @default -- Use Openshift compatible settings
upstream:
# upstream.nameOverride affects the resources created by the upstream Backstage Chart,
# like the baseUrl fields set in the app-config ConfigMap created by that Chart.
nameOverride: developer-hub
backstage:
image:
registry: registry.redhat.io
repository: rhdh/rhdh-hub-rhel9@sha256
# tag is set to digest via prepare.sh script
# tag: "${RHDH_DIGEST}"
tag: d8268197ba0466643efb818fcad8f0fc29e32463f75b0f7f51d9ce75ec717572
command: []
# FIXME (tumido): USE POSTGRES_PASSWORD and POSTGRES_USER instead of POSTGRES_ADMIN_PASSWORD
# This is a hack. In {fedora,rhel}/postgresql images, regular user is forbidden
# from creating DBs in runtime. A single DB can be created ahead of time via
# POSTGRESQL_DATABASE env variable (in this case via
# upstream.postgresql.primary.extraEnvVars value), but this doesn't allow us to
# create multiple DBs. Since Backstage requires by default 5 different DBs, we
# can't accommodate that properly.
appConfig:
auth:
providers: {}
app:
# Please update to match host in case you don't want to configure hostname via `global.clusterRouterBase` or `global.host` if not deploying on an openshift cluster.
baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
backend:
baseUrl: 'https://{{- include "janus-idp.hostname" . }}'
cors:
origin: 'https://{{- include "janus-idp.hostname" . }}'
database:
connection:
password: ${POSTGRESQL_ADMIN_PASSWORD}
user: postgres
auth:
externalAccess:
- type: legacy
options:
subject: legacy-default-config
secret: ${BACKEND_SECRET}
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
resources:
requests:
cpu: 250m
memory: 1Gi
limits:
cpu: 1000m
memory: 2.5Gi
ephemeral-storage: 5Gi
startupProbe:
# This gives enough time upon container startup before the liveness and readiness probes are triggered.
# Giving (120s = initialDelaySeconds + failureThreshold * periodSeconds) to account for the worst case scenario.
httpGet:
path: /.backstage/health/v1/liveness
port: backend
scheme: HTTP
initialDelaySeconds: 30
timeoutSeconds: 4
periodSeconds: 20
successThreshold: 1
failureThreshold: 3
readinessProbe:
failureThreshold: 3
httpGet:
path: /.backstage/health/v1/readiness
port: backend
scheme: HTTP
# Both liveness and readiness probes won't be triggered until the startup probe is successful.
# The startup probe is already configured to give enough time for the application to be started.
# So removing the additional delay here allows the readiness probe to be checked right away after the startup probe,
# which helps make the application available faster to the end-user.
# initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 2
timeoutSeconds: 4
livenessProbe:
failureThreshold: 3
httpGet:
path: /.backstage/health/v1/liveness
port: backend
scheme: HTTP
# Both liveness and readiness probes won't be triggered until the startup probe is successful.
# The startup probe is already configured to give enough time for the application to be started.
# So removing the additional delay here allows the liveness probe to be checked right away after the startup probe,
# which helps make the application available faster to the end-user.
# initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 4
extraEnvVars:
- name: BACKEND_SECRET
valueFrom:
secretKeyRef:
key: backend-secret
name: '{{ include "janus-idp.backend-secret-name" $ }}'
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: postgres-password
name: '{{- include "janus-idp.postgresql.secretName" . }}'
args:
# This additional `app-config`` file is generated by the initContainer below, and contains the merged configuration of installed dynamic plugins.
- '--config'
- dynamic-plugins-root/app-config.dynamic-plugins.yaml
extraVolumeMounts:
# The initContainer below will install dynamic plugins in this volume mount.
- name: dynamic-plugins-root
mountPath: /opt/app-root/src/dynamic-plugins-root
extraVolumes:
- name: dynamic-plugins-root
persistentVolumeClaim:
claimName: '{{ printf "%s-dynamic-plugins-root" .Release.Name }}'
# Volume that will expose the `dynamic-plugins.yaml` file from the `dynamic-plugins` config map.
# The `dynamic-plugins` config map is created by the helm chart from the content of the `global.dynamic` field.
- name: dynamic-plugins
configMap:
defaultMode: 420
name: '{{ printf "%s-dynamic-plugins" .Release.Name }}'
optional: true
# Optional volume that allows exposing the `.npmrc` file (through a `dynamic-plugins-npmrc` secret)
# to be used when running `npm pack` during the dynamic plugins installation by the initContainer.
- name: dynamic-plugins-npmrc
secret:
defaultMode: 420
optional: true
secretName: '{{ printf "%s-dynamic-plugins-npmrc" .Release.Name }}'
# Optional volume that allows adding a container registry `auth.json` file (through a `dynamic-plugins-registry-auth` secret)
# to be used when installing plugins from secure container registries during the dynamic plugins installation by the initContainer.
- name: dynamic-plugins-registry-auth
secret:
defaultMode: 416
optional: true
secretName: '{{ printf "%s-dynamic-plugins-registry-auth" .Release.Name }}'
- name: npmcacache
emptyDir: {}
initContainers:
- name: install-dynamic-plugins
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 1000m
memory: 2.5Gi
ephemeral-storage: 5Gi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
seccompProfile:
type: "RuntimeDefault"
# -- Image used by the initContainer to install dynamic plugins into the `dynamic-plugins-root` volume mount.
# It could be replaced by a custom image based on this one.
# @default -- `quay.io/janus-idp/backstage-showcase:latest`
image: '{{ include "backstage.image" . }}'
command:
- ./install-dynamic-plugins.sh
- /dynamic-plugins-root
env:
- name: NPM_CONFIG_USERCONFIG
value: /opt/app-root/src/.npmrc.dynamic-plugins
imagePullPolicy: Always
volumeMounts:
- mountPath: /dynamic-plugins-root
name: dynamic-plugins-root
- mountPath: /opt/app-root/src/dynamic-plugins.yaml
name: dynamic-plugins
readOnly: true
subPath: dynamic-plugins.yaml
- mountPath: /opt/app-root/src/.npmrc.dynamic-plugins
name: dynamic-plugins-npmrc
readOnly: true
subPath: .npmrc
- mountPath: /opt/app-root/src/.config/containers
name: dynamic-plugins-registry-auth
readOnly: true
- mountPath: /opt/app-root/src/.npm/_cacache
name: npmcacache
workingDir: /opt/app-root/src
installDir: /opt/app-root/src
podAnnotations:
checksum/dynamic-plugins: >-
{{- include "common.tplvalues.render" ( dict "value" .Values.global.dynamic "context" $) | sha256sum }}
ingress:
host: "{{ .Values.global.host }}"
metrics:
serviceMonitor:
enabled: false
path: /metrics
port: http-metrics
postgresql:
enabled: true
postgresqlDataDir: /var/lib/pgsql/data/userdata
image:
registry: registry.redhat.io
repository: rhel9/postgresql-15@sha256
# tag is set to digest via prepare.sh script
# tag: "${POSTGRESQL_DIGEST}"
tag: 44a08b83a6c50714b52f4cf1c3476bc16b66faec21dd9a9bc07d1be5f97b8150
auth:
secretKeys:
adminPasswordKey: postgres-password
userPasswordKey: password
primary:
# TODO: https://issues.redhat.com/browse/RHIDP-2645
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: false
resources:
requests:
cpu: 250m
memory: 256Mi
limits:
cpu: 250m
memory: 1024Mi
ephemeral-storage: 20Mi
persistence:
enabled: true
size: 1Gi
mountPath: /var/lib/pgsql/data
extraEnvVars:
- name: POSTGRESQL_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: postgres-password
name: '{{- include "postgresql.v1.secretName" . }}'
service:
extraPorts:
- name: http-metrics
port: 9464
targetPort: 9464
# -- OpenShift Route parameters
route:
# -- Route specific annotations
annotations: {}
# -- Enable the creation of the route resource
enabled: true
# -- Set the host attribute to a custom value. If not set, OpenShift will generate it, please make sure to match your baseUrl
host: "{{ .Values.global.host }}"
# -- Path that the router watches for, to route traffic for to the service.
path: "/"
# -- Wildcard policy if any for the route. Currently only 'Subdomain' or 'None' is allowed.
wildcardPolicy: None
# -- Route TLS parameters
# <br /> Ref: https://docs.openshift.com/container-platform/4.9/networking/routes/secured-routes.html
tls:
# -- Enable TLS configuration for the host defined at `route.host` parameter
enabled: true
# -- Specify TLS termination.
termination: "edge"
# -- Certificate contents
certificate: ""
# -- Key file contents
key: ""
# -- Cert authority certificate contents. Optional
caCertificate: ""
# -- Contents of the ca certificate of the final destination.
# <br /> When using reencrypt termination this file should be provided in order to have routers use it for health checks on the secure connection. If this field is not specified, the router may provide its own destination CA and perform hostname validation using the short service name (service.namespace.svc), which allows infrastructure generated certificates to automatically verify.
destinationCACertificate: ""
# -- Indicates the desired behavior for insecure connections to a route.
# <br /> While each router may make its own decisions on which ports to expose, this is normally port 80. The only valid values are None, Redirect, or empty for disabled.
insecureEdgeTerminationPolicy: "Redirect"
# RHIDP-3115: nameOverride affects the resources created by the RHDH Chart,
# like the Route host created on OCP.
# It needs to match the value provided in 'upstream.nameOverride'
# to have consistent behavior between the Route and the URLs
# from the app-config ConfigMap managed by the Chart.
nameOverride: developer-hub