values.yaml

# Default values for jetstack-agent.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

metrics:
  # Enable the metrics server.
  # If false, the metrics server will be disabled and the other metrics fields below will be ignored.
  enabled: true
  podmonitor:
    # Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator.
    # See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor
    enabled: false

    # The namespace that the pod monitor should live in.
    # Defaults to the venafi-kubernetes-agent namespace.
    # +docs:property
    # namespace: venafi

    # Specifies the `prometheus` label on the created PodMonitor.
    # This is used when different Prometheus instances have label selectors
    # matching different PodMonitors.
    prometheusInstance: default

    # The interval to scrape metrics.
    interval: 60s

    # The timeout before a metrics scrape fails.
    scrapeTimeout: 30s

    # Additional labels to add to the PodMonitor.
    labels: {}

    # Additional annotations to add to the PodMonitor.
    annotations: {}

    # Keep labels from scraped data, overriding server-side labels.
    honorLabels: false

    # EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
    #
    # For example:
    #  endpointAdditionalProperties:
    #   relabelings:
    #   - action: replace
    #     sourceLabels:
    #     - __meta_kubernetes_pod_node_name
    #     targetLabel: instance
    endpointAdditionalProperties: {}

# default replicas, do not scale up
replicaCount: 1

image:
  # The container image for the Venafi Enhanced Issuer manager.
  repository: registry.venafi.cloud/venafi-agent/venafi-agent

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent

  # Overrides the image tag whose default is the chart appVersion.
  tag: "v0.0.0"

# Specify image pull credentials if using a private registry. Example:
#  - name: my-pull-secret
imagePullSecrets: []

# Helm default setting to override release name, usually leave blank.
nameOverride: ""

# Helm default setting, use this to shorten the full install name.
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # Annotations YAML to add to the service account.
  annotations: {}
  # The name of the service account to use. If blank and `serviceAccount.create`
  # is true, a name is generated using the fullname template of the release.
  name: ""

# Additional YAML annotations to add the the pod.
podAnnotations: {}

# Optional Pod (all containers) `SecurityContext` options, see
# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
#
# Example:
#
#  podSecurityContext
#    runAsUser: 1000
#    runAsGroup: 3000
#    fsGroup: 2000
podSecurityContext: {}

# Use these variables to configure the HTTP_PROXY environment variables.

# Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# http_proxy: "http://proxy:8080"

# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# https_proxy: "https://proxy:8080"

# Configures the NO_PROXY environment variable where a HTTP proxy is required,
# but certain domains should be excluded.
# +docs:property
# no_proxy: 127.0.0.1,localhost

# Add Container specific SecurityContext settings to the container. Takes
# precedence over `podSecurityContext` when set. See
# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
securityContext:
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true

# Set resource requests and limits for the pod.
#
# Read [Venafi Kubernetes components deployment best
# practices](https://docs.venafi.cloud/vaas/k8s-components/c-k8s-components-best-practice/#scaling)
# to learn how to choose suitable CPU and memory resource requests and limits.
resources:
  requests:
    memory: 200Mi
    cpu: 200m
  limits:
    memory: 500Mi

# Embed YAML for nodeSelector settings, see
# https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
nodeSelector: {}

# Embed YAML for toleration settings, see
# https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
tolerations: []

# Embed YAML for Node affinity settings, see
# https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/.
affinity: {}

# Specify the command to run overriding default binary.
command: []

# Specify additional arguments to pass to the agent binary.
# For example, to enable JSON logging use `--logging-format`, or
# to increase the logging verbosity use `--log-level`.
# The log levels are: 0=Info, 1=Debug, 2=Trace.
# Use 6-9 for increasingly verbose HTTP request logging.
# The default log level is 0.
#
# Example:
#  extraArgs:
#  - --logging-format=json
#  - --log-level=6 # To enable HTTP request logging
extraArgs: []

# Additional volumes to add to the Venafi Kubernetes Agent container. This is
# useful for mounting a custom CA bundle. For example:
#
#     volumes:
#       - name: cabundle
#         configMap:
#           name: cabundle
#           optional: false
#           defaultMode: 0644
#
# In order to create the ConfigMap, you can use the following command:
#
#     kubectl create configmap cabundle \
#       --from-file=cabundle=./your/custom/ca/bundle.pem
volumes: []

# Additional volume mounts to add to the Venafi Kubernetes Agent container.
# This is useful for mounting a custom CA bundle. Any PEM certificate mounted
# under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For
# example:
#
#     volumeMounts:
#       - name: cabundle
#         mountPath: /etc/ssl/certs/cabundle
#         subPath: cabundle
#         readOnly: true
volumeMounts: []

# Authentication details for the Venafi Kubernetes Agent
authentication:
  # Name of the secret containing the private key
  secretName: agent-credentials
  # Key name in the referenced secret
  secretKey: "privatekey.pem"

  # +docs:section=Venafi Connection
  # Configure VenafiConnection authentication
  venafiConnection:
    # When set to true, the Venafi Kubernetes Agent will authenticate to
    # Venafi using the configuration in a VenafiConnection resource.
    # Use `venafiConnection.enabled=true` for [secretless authentication](https://docs.venafi.cloud/vaas/k8s-components/t-install-tlspk-agent/).
    # When set to true, the `authentication.secret` values will be ignored and the
    # Secret with `authentication.secretName` will _not_ be mounted into the
    # Venafi Kubernetes Agent Pod.
    enabled: false
    # The name of a VenafiConnection resource which contains the configuration
    # for authenticating to Venafi.
    name: venafi-components
    # The namespace of a VenafiConnection resource which contains the
    # configuration for authenticating to Venafi.
    namespace: venafi

# Configuration section for the Venafi Kubernetes Agent itself
config:
  # API URL of the Venafi Control Plane API. For EU tenants, set this value to
  # https://api.venafi.eu/. If you are using the VenafiConnection authentication
  # method, you must set the API URL using the field `spec.vcp.url` on the
  # VenafiConnection resource instead.
  server: "https://api.venafi.cloud/"
  # The client-id to be used for authenticating with the Venafi Control
  # Plane. Only useful when using a Key Pair Service Account in the Venafi
  # Control Plane. You can obtain the cliend ID by creating a Key Pair Service
  # Account in the Venafi Control Plane.
  clientId: ""
  # Send data back to the platform every minute unless changed.
  period: "0h1m0s"
  # Name for the cluster resource if it needs to be created in Venafi Control
  # Plane.
  clusterName: ""
  # Description for the cluster resource if it needs to be created in Venafi
  # Control Plane.
  clusterDescription: ""

  # Reduce the memory usage of the agent and reduce the load on the Kubernetes
  # API server by omitting various common Secret types when listing Secrets.
  # These Secret types will be added to a "type!=<type>" field selector in the
  # agent config.
  # * https://docs.venafi.cloud/vaas/k8s-components/t-cfg-tlspk-agent/#configuration
  # * https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
  # * https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors/#list-of-supported-fields
  ignoredSecretTypes:
    - kubernetes.io/service-account-token
    - kubernetes.io/dockercfg
    - kubernetes.io/dockerconfigjson
    - kubernetes.io/basic-auth
    - kubernetes.io/ssh-auth
    - bootstrap.kubernetes.io/token
    - helm.sh/release.v1

  # You can configure Venafi Kubernetes Agent to exclude some annotations or
  # labels from being pushed to the Venafi Control Plane. All Kubernetes objects
  # are affected. The objects are still pushed, but the specified annotations
  # and labels are removed before being sent to the Venafi Control Plane.
  #
  # Dots is the only character that needs to be escaped in the regex. Use either
  # double quotes with escaped single quotes or unquoted strings for the regex
  # to avoid YAML parsing issues with `\.`.
  #
  # Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
  excludeAnnotationKeysRegex: []
  excludeLabelKeysRegex: []

  # Specify ConfigMap details to load config from an existing resource.
  # This should be blank by default unless you have you own config.
  configmap:
    name:
    key:

# Configure a PodDisruptionBudget for the agent's Deployment. If running with multiple
# replicas, consider setting podDisruptionBudget.enabled to true.
podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource, which helps prevent downtime
  # during voluntary disruptions such as during a Node upgrade.
  enabled: false

  # Configure the minimum available pods for disruptions. Can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # Cannot be used if `maxUnavailable` is set.
  # +docs:property
  # minAvailable: 1

  # Configure the maximum unavailable pods for disruptions. Can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # Cannot be used if `minAvailable` is set.
  # +docs:property
  # maxUnavailable: 1

# Optionally include the VenafiConnection CRDs
venafiConnection:
  # When set to false, the rendered output does not contain the
  # VenafiConnection CRDs and RBAC. This is useful for when the
  # Venafi Connection resources are already installed separately.
  include: false

# +docs:section=CRDs
# The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", this
# prevents them from being accidentally removed by Helm when this chart is deleted. After
# deleting the installed chart, the user still has to manually remove the remaining CRDs.
crds:
  # The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below.
  # This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that
  # improves how validation is performed.
  # This option allows to force the 'x-kubernetes-validations' annotation to be excluded,
  # even on Kubernetes 1.25+ clusters.
  forceRemoveValidationAnnotations: false

  # This option makes it so that the "helm.sh/resource-policy": keep
  # annotation is added to the CRD. This will prevent Helm from uninstalling
  # the CRD when the Helm release is uninstalled.
  keep: false