global:
  version: "0.0.1-dev"
  # Public URL: the single source of truth for the deployment's domain.
  # The ingress host and every *_PUBLIC_URL environment variable are derived from it.
  # A port is accepted for local development, e.g. "http://localhost:8081".
  # Examples:
  #   - http://openops.example.com
  #   - https://openops.example.com
  #   - http://localhost:8080
  #   - https://192.168.1.100:3000
  # When used as an ingress host the port is stripped automatically.
  # Security: the default scheme is plain http, so logins and session tokens cross the
  # wire unencrypted. Use an https:// URL for anything reachable beyond localhost;
  # ingress TLS (ingress.tlsSecretName) is only wired up when the scheme is https.
  publicUrl: "http://openops.example.com"
  # Permit single-replica deployments (dev/test only); production should run >= 2 replicas.
  allowSingleReplica: false
  # Pull secrets for private registries. Recommended in production, and needed for any
  # image that is not on a public registry (the subagent runner image, for instance,
  # points at a private ECR endpoint).
  # Example:
  #   - name: registry-credentials
  imagePullSecrets: []
  # Labels and annotations added to every resource in the release.
  commonLabels: {}
  commonAnnotations: {}
  # Pod-level security context, on by default with hardened settings.
  securityContext:
    enabled: true
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  # Container-level security context, on by default.
  containerSecurityContext:
    enabled: true
    allowPrivilegeEscalation: false
    # Kept writable because some components write to the container filesystem
    # (e.g. the engine's OPS_BASE_CODE_DIRECTORY). If you harden this to true, mount an
    # emptyDir over every path the workload writes to.
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 1000
    # NOTE(review): no runAsGroup is set, so the primary GID comes from the image and may
    # be 0 if the image does not define one; confirm against the images or set it here
    # if the templates pass this map through.
    capabilities:
      drop:
        - ALL
  # Node selector for scheduling
  nodeSelector: {}
  # Tolerations for taints
  tolerations: []
  # Graceful shutdown window
  terminationGracePeriodSeconds: 60
  # Rolling-update strategy: never take a pod down before its replacement is up.
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # Spread pods across nodes so a single node failure does not take every replica.
  topologySpreadConstraints:
    enabled: true
    maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: ScheduleAnyway
  # Optional pod anti-affinity (soft); off by default.
  affinity:
    enabled: false
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            topologyKey: kubernetes.io/hostname
  # Priority class for pod scheduling
  priorityClassName: ""
# Default registry for the app and engine images (tables and analytics set their own).
image:
  repository: public.ecr.aws/openops
  # IfNotPresent reuses whatever the node already has for a tag. With a mutable tag that
  # can silently run stale content; pin immutable tags or digests where possible.
  pullPolicy: IfNotPresent
# Non-secret environment variables shared by the OpenOps services.
# Values are Helm template strings rendered at install time.
openopsEnv:
  OPS_PUBLIC_URL: '{{ include "openops.publicUrl" . }}'
  OPS_FRONTEND_URL: '{{ include "openops.publicUrl" . }}'
  OPS_ENVIRONMENT_NAME: "helm"
  OPS_TRIGGER_DEFAULT_POLL_INTERVAL: "1"
  OPS_WEBHOOK_TIMEOUT_SECONDS: "30"
  OPS_BLOCKS_SOURCE: FILE
  OPS_BLOCKS_SYNC_MODE: NONE
  OPS_NGINX_CONFIG_FILE: nginx.gateway.conf
  OPS_VERSION: "{{ .Values.global.version }}"
  OPS_OPENOPS_TABLES_VERSION: "{{ .Values.tables.tag }}"
  OPS_ANALYTICS_VERSION: "{{ .Values.analytics.tag }}"
  # Authentication
  # Bootstrap admin login. Override it: a well-known default user name leaves only the
  # password (OPS_OPENOPS_ADMIN_PASSWORD) between an attacker and the admin account.
  OPS_OPENOPS_ADMIN_EMAIL: admin@openops.com
  # Telemetry
  OPS_LOG_LEVEL: info
  OPS_LOG_PRETTY: "false"
  # COLLECTOR mode ships telemetry to the external URL below. This needs egress from the
  # pods (check the NetworkPolicy allows it) and should be reviewed against your
  # data-handling policy; change the mode to opt out.
  OPS_TELEMETRY_MODE: COLLECTOR
  OPS_TELEMETRY_COLLECTOR_URL: https://telemetry.openops.com/save
  # Engine
  OPS_ENGINE_URL: '{{ include "openops.engineServiceUrl" . }}/execute'
  OPS_EXECUTION_MODE: SANDBOX_CODE_ONLY
  # Queue
  OPS_QUEUE_MODE: REDIS
  OPS_REDIS_HOST: '{{ include "openops.redisHost" . }}'
  OPS_REDIS_PORT: '{{ include "openops.redisPort" . }}'
  # Database
  OPS_DB_TYPE: POSTGRES
  OPS_POSTGRES_DATABASE: openops
  OPS_POSTGRES_HOST: '{{ include "openops.postgresHost" . }}'
  OPS_POSTGRES_PORT: '{{ include "openops.postgresPort" . }}'
  # This same value becomes POSTGRES_USER of the bundled database, i.e. the superuser the
  # postgres image creates. With an external database prefer a dedicated role that holds
  # only the privileges the application needs.
  OPS_POSTGRES_USERNAME: postgres
  # Tables
  OPS_OPENOPS_TABLES_DATABASE_NAME: tables
  OPS_OPENOPS_TABLES_API_URL: '{{ include "openops.tablesServiceUrl" . }}'
  OPS_OPENOPS_TABLES_PUBLIC_URL: '{{ include "openops.publicUrl" . }}'
  OPS_TABLES_TOKEN_LIFETIME_MINUTES: "60"
  # 168 hours = 7 days. A long JWT lifetime widens the window in which a stolen token
  # stays usable; shorten it for higher-assurance environments.
  OPS_JWT_TOKEN_LIFETIME_HOURS: "168"
  OPS_MAX_CONCURRENT_TABLES_REQUESTS: "100"
  OPS_OPENOPS_TABLES_DB_HOST: '{{ include "openops.postgresHost" . }}'
  # Analytics
  OPS_ANALYTICS_PUBLIC_URL: '{{ include "openops.publicUrl" . }}'
  OPS_ANALYTICS_PRIVATE_URL: '{{ include "openops.analyticsServiceUrl" . }}'
  # Allows ad-hoc subqueries in the analytics SQL layer; a wider query surface for
  # analytics users against the warehouse.
  ANALYTICS_ALLOW_ADHOC_SUBQUERY: "true"
  # AWS
  # Keep false unless workflows are meant to pick up the pod's own IAM role implicitly.
  OPS_AWS_ENABLE_IMPLICIT_ROLE: "false"
  # Blocks custom settings
  OPS_CODE_BLOCK_MEMORY_LIMIT_IN_MB: "256"
  OPS_SLACK_ENABLE_INTERACTIONS: "true"
  # Subagent configuration (inert while OPS_SUBAGENTS_ENABLED is "false")
  OPS_SUBAGENTS_ENABLED: "false"
  OPS_SUBAGENT_EXECUTOR_TYPE: "k8s"
  OPS_SUBAGENT_K8S_NAMESPACE: '{{ .Values.subagents.namespace | default .Release.Namespace }}'
  OPS_SUBAGENT_S3_BUCKET: ""
  OPS_SUBAGENT_S3_REGION: ""
  OPS_SUBAGENT_S3_ENDPOINT: ""
  # Pulled from a private ECR endpoint rather than public.ecr.aws, so matching pull
  # credentials (global.imagePullSecrets) are required. The tag looks like a short commit
  # hash; prefer an immutable digest (...@sha256:...) so the runner image cannot change
  # underneath a running deployment.
  OPS_SUBAGENT_RUNNER_IMAGE: "535002847982.dkr.ecr.us-east-2.amazonaws.com/openops/subagent-runner:0fdbc6b1"
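# Secret environment variables.
# Every key in this section is stored in a Kubernetes Secret and injected via
# secretKeyRef. Prefer secretEnv.existingSecret (or externalSecrets) over committing
# values here: anything placed in a values file ends up in version control and in the
# release record (`helm get values`).
# Generate random values with:
#   openssl rand -hex 16   -> 32 hex characters (encryption key)
#   openssl rand -hex 32   -> 64 hex characters (signing secrets)
openopsEnvSecrets:
  OPS_ENCRYPTION_KEY: ""  # REQUIRED: 32-character hex string (openssl rand -hex 16)
  OPS_JWT_SECRET: ""  # REQUIRED: random signing secret (openssl rand -hex 32)
  OPS_OPENOPS_ADMIN_PASSWORD: ""  # REQUIRED: strong password
  OPS_POSTGRES_PASSWORD: ""  # REQUIRED: strong password
  OPS_ANALYTICS_ADMIN_PASSWORD: ""  # REQUIRED: strong password
  ANALYTICS_POWERUSER_PASSWORD: ""  # REQUIRED: strong password
  OPS_SLACK_APP_SIGNING_SECRET: ""
  # REQUIRED: Flask/Superset SECRET_KEY used to sign analytics sessions (openssl rand -hex 32).
  # This used to ship with a hard-coded placeholder value. Any installation that did not
  # override it shared the same publicly known key, which allows forging signed session
  # data for the analytics service. It is now empty and must be set like the other secrets.
  SUPERSET_SECRET_KEY: ""
  OPS_LOGZIO_TOKEN: ""
  OPS_LANGFUSE_PUBLIC_KEY: ""
  OPS_LANGFUSE_SECRET_KEY: ""
  OPS_SSO_FRONTEGG_PUBLIC_KEY: ""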
# Settings for the Kubernetes Secret that backs openopsEnvSecrets.
secretEnv:
  # Create the Secret from openopsEnvSecrets. Set to false and point existingSecret at a
  # pre-provisioned Secret to keep secret material out of the values file entirely.
  create: true
  existingSecret: ""
  type: Opaque
  # immutable: true blocks in-place edits (rotation then needs a new Secret name), which
  # also protects the stored values from accidental or unauthorised modification.
  immutable: false
  labels: {}
  annotations: {}
  # Extra entries for the Secret (presumably stringData as plain text, data as base64;
  # verify against the Secret template).
  stringData: {}
  data: {}
# OpenOps application/API server.
app:
  name: openops-app
  image: openops-app
  repository: ""  # Override global image.repository (empty = use global)
  replicas: 2  # Minimum 2 for high availability
  resources:
    requests:
      memory: "1Gi"
      cpu: "500m"
    limits:
      memory: "2Gi"
      cpu: "1000m"
  # Pod Disruption Budget, on by default.
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  # Horizontal Pod Autoscaler
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  # Optional init containers
  initContainers: []
  # Dedicated ServiceAccount for this component (no identity shared with other pods).
  # NOTE(review): whether the SA token is auto-mounted is decided by the templates; the app
  # appears to need the Kubernetes API only when subagents run with the k8s executor.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Prometheus metrics endpoint. Make sure this path is scraped in-cluster only and not
  # reachable through the public gateway.
  metrics:
    enabled: true
    port: 8080
    path: /metrics
# OpenOps execution engine (runs workflow/code blocks).
engine:
  name: openops-engine
  image: openops-engine
  repository: ""  # Override global image.repository (empty = use global)
  replicas: 2  # Minimum 2 for high availability
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1Gi"
      cpu: "500m"
  # Pod Disruption Budget, on by default.
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  # Horizontal Pod Autoscaler
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  # Optional init containers
  initContainers: []
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Prometheus metrics endpoint (keep it off the public gateway).
  metrics:
    enabled: true
    port: 8080
    path: /metrics
  env:
    # Working directory for user-supplied code. It has to be writable, which is one
    # reason global.containerSecurityContext.readOnlyRootFilesystem stays false; an
    # emptyDir mounted here would let that setting be hardened.
    OPS_BASE_CODE_DIRECTORY: /tmp/codes
    OPS_SERVER_API_URL: '{{ printf "%s/api/" (include "openops.appServiceUrl" .) }}'
# OpenOps Tables service (Baserow-based).
tables:
  name: openops-tables
  image: openops-tables
  repository: "public.ecr.aws/openops"  # Always use public ECR for tables
  tag: "0.2.17"
  replicas: 1
  resources:
    requests:
      memory: "1Gi"
      cpu: "500m"
    limits:
      memory: "2Gi"
      cpu: "1000m"
  # Pod Disruption Budget
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  # Horizontal Pod Autoscaler
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  # Optional init containers
  initContainers: []
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Health endpoint used for metrics/scraping.
  metrics:
    enabled: true
    port: 80
    path: /api/health/
  env:
    BASEROW_PUBLIC_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_PUBLIC_URL }}"
    BASEROW_PRIVATE_URL: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_API_URL }}"
    # '*' effectively disables Host-header validation for this Django service. That is
    # tolerable only while it is reachable solely through the gateway; if it is ever
    # exposed directly, restrict this to the real hostnames.
    BASEROW_EXTRA_ALLOWED_HOSTS: '*'
    # Key reuse: the Django SECRET_KEY is the app's encryption key and the JWT signing key
    # is the app's JWT secret. A leak of either value therefore affects both services, and
    # a token signed by one side may verify on the other unless the claims differ — TODO
    # confirm whether distinct secrets are supported here.
    SECRET_KEY: "{{ .Values.openopsEnvSecrets.OPS_ENCRYPTION_KEY }}"
    BASEROW_JWT_SIGNING_KEY: "{{ .Values.openopsEnvSecrets.OPS_JWT_SECRET }}"
    BASEROW_ADMIN_USERNAME: "{{ .Values.openopsEnv.OPS_OPENOPS_ADMIN_EMAIL }}"
    # NOTE(review): this and DATABASE_PASSWORD below template secret values into an env
    # block; verify the rendered manifest keeps them in a Secret and not a plain env literal.
    BASEROW_ADMIN_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_OPENOPS_ADMIN_PASSWORD }}"
    BASEROW_REFRESH_TOKEN_LIFETIME_HOURS: "{{ .Values.openopsEnv.OPS_JWT_TOKEN_LIFETIME_HOURS }}"
    BASEROW_ACCESS_TOKEN_LIFETIME_MINUTES: "{{ .Values.openopsEnv.OPS_TABLES_TOKEN_LIFETIME_MINUTES }}"
    SYNC_TEMPLATES_ON_STARTUP: 'false'
    # Schema migrations run automatically on every start.
    MIGRATE_ON_STARTUP: 'true'
    DISABLE_VOLUME_CHECK: 'yes'
    DATABASE_NAME: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_DATABASE_NAME }}"
    DATABASE_HOST: "{{ .Values.openopsEnv.OPS_POSTGRES_HOST }}"
    DATABASE_PORT: "{{ .Values.openopsEnv.OPS_POSTGRES_PORT }}"
    DATABASE_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
    DATABASE_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
    REDIS_URL: '{{ include "openops.redisUrl" . }}'
  # Persistent volume for tables data.
  storage:
    size: 10Gi
    storageClass: ""
    accessModes:
      - ReadWriteOnce
    volumeMode: Filesystem
    annotations: {}
# OpenOps Analytics service (Superset-based).
analytics:
  name: openops-analytics
  image: openops-analytics
  repository: "public.ecr.aws/openops"  # Always use public ECR for analytics
  tag: "0.14.6"
  replicas: 1
  resources:
    requests:
      memory: "1Gi"
      cpu: "500m"
    limits:
      memory: "2Gi"
      cpu: "1000m"
  # Pod Disruption Budget
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  # Horizontal Pod Autoscaler
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  # Optional init containers
  initContainers: []
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Health endpoint used for metrics/scraping.
  metrics:
    enabled: true
    port: 8088
    path: /health
  env:
    # NOTE(review): the passwords below are templated into an env block; verify the rendered
    # manifest keeps them in a Secret rather than a plain env literal.
    ADMIN_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_ANALYTICS_ADMIN_PASSWORD }}"
    POWERUSER_PASSWORD: "{{ .Values.openopsEnvSecrets.ANALYTICS_POWERUSER_PASSWORD }}"
    # Debug-level gunicorn logging is verbose and can record request details in the
    # log pipeline; use 'info' in production.
    GUNICORN_LOGLEVEL: 'debug'
    DATABASE_DIALECT: 'postgresql'
    DATABASE_DB: 'analytics'
    DATABASE_HOST: "{{ .Values.openopsEnv.OPS_POSTGRES_HOST }}"
    DATABASE_PORT: "{{ .Values.openopsEnv.OPS_POSTGRES_PORT }}"
    DATABASE_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
    DATABASE_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
    DATABASE_HOST_ALT: "{{ .Values.openopsEnv.OPS_OPENOPS_TABLES_DB_HOST }}"
    # Session signing key; must be set in openopsEnvSecrets, never left at a known value.
    SUPERSET_SECRET_KEY: "{{ .Values.openopsEnvSecrets.SUPERSET_SECRET_KEY }}"
    # Rendered with embedded double quotes on purpose (the consumer seems to expect a
    # quoted string) — TODO confirm against the analytics image.
    SUPERSET_FEATURE_ALLOW_ADHOC_SUBQUERY: '"{{ .Values.openopsEnv.ANALYTICS_ALLOW_ADHOC_SUBQUERY }}"'
    REDIS_HOST: "{{ .Values.openopsEnv.OPS_REDIS_HOST }}"
    REDIS_PORT: "{{ .Values.openopsEnv.OPS_REDIS_PORT }}"
# Bundled PostgreSQL (StatefulSet). Production deployments usually prefer a managed or
# otherwise externally operated database.
postgres:
  name: postgres
  image: postgres
  tag: "18.1"
  replicas: 1
  # StatefulSet pod management policy: OrderedReady (default) or Parallel
  podManagementPolicy: OrderedReady
  # StatefulSet update strategy for safe rollouts
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  resources:
    requests:
      memory: "512Mi"
      cpu: "250m"
    limits:
      memory: "1Gi"
      cpu: "500m"
  # Soft anti-affinity: keep the stateful components off the same node where possible.
  affinity:
    enabled: true
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values: [postgres, redis, tables]
            topologyKey: kubernetes.io/hostname
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  env:
    maxConnections: "300"
    # POSTGRES_USER is the superuser the postgres image bootstraps; the application
    # services connect as this same user (see openopsEnv.OPS_POSTGRES_USERNAME).
    POSTGRES_USER: "{{ .Values.openopsEnv.OPS_POSTGRES_USERNAME }}"
    POSTGRES_PASSWORD: "{{ .Values.openopsEnvSecrets.OPS_POSTGRES_PASSWORD }}"
    POSTGRES_DB: "{{ .Values.openopsEnv.OPS_POSTGRES_DATABASE }}"
  # Authentication configuration. Presumably, when enabled, the password is read from
  # existingSecret[passwordKey] instead of openopsEnvSecrets — verify against the
  # StatefulSet template.
  auth:
    enabled: false
    existingSecret: ""
    passwordKey: password
  # TLS for client connections. Disabled, so in-cluster traffic to postgres is plaintext
  # and the NetworkPolicy is the only thing limiting who can talk to it.
  tls:
    enabled: false
    existingSecret: ""
    caFile: false
  # Backup annotations for backup tools (e.g., Velero, Stash)
  backup:
    annotations: {}
    # Example Velero hooks. Note that the pre-hook writes an unencrypted SQL dump into the
    # data volume itself: anyone with access to the PVC or a snapshot of it can read the
    # whole database until the post-hook removes the file.
    # backup.velero.io/backup-volumes: data
    # pre.hook.backup.velero.io/command: '["/bin/bash", "-c", "PGPASSWORD=$POSTGRES_PASSWORD pg_dump -U $POSTGRES_USER -d $POSTGRES_DB > /var/lib/postgresql/data/backup.sql"]'
    # post.hook.backup.velero.io/command: '["/bin/bash", "-c", "rm -f /var/lib/postgresql/data/backup.sql"]'
  # Pod security context
  securityContext:
    enabled: true  # On by default
    fsGroup: 999  # Matches postgres user UID/GID in postgres:18.1 image
    runAsUser: 999
    runAsNonRoot: true
    # NOTE(review): unlike global.securityContext there is no seccompProfile here; confirm
    # whether the template merges the global one or add it explicitly.
  storage:
    size: 20Gi
    storageClass: ""
    accessModes:
      - ReadWriteOnce
    volumeMode: Filesystem
    annotations: {}
    # Example backup annotations for storage-level snapshots
    # snapshot.storage.kubernetes.io/enabled: "true"
    # backup.kubernetes.io/deltas: "P1D P7D P30D"
  service:
    port: 5432
# Bundled Redis (StatefulSet) used as the queue backend and cache.
redis:
  name: redis
  image: redis
  tag: "7.4.0"
  replicas: 1
  # StatefulSet pod management policy: OrderedReady (default) or Parallel
  podManagementPolicy: OrderedReady
  # StatefulSet update strategy for safe rollouts
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      partition: 0
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "512Mi"
      cpu: "200m"
  # Soft anti-affinity: keep the stateful components off the same node where possible.
  affinity:
    enabled: true
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          podAffinityTerm:
            labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/component
                  operator: In
                  values: [postgres, redis, tables]
            topologyKey: kubernetes.io/hostname
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Persistence: append-only file synced every second plus periodic RDB snapshots.
  persistence:
    enabled: true
    appendonly: "yes"
    appendfsync: "everysec"
    save: "900 1 300 10 60 10000"  # RDB snapshots
  # Authentication. Disabled, so Redis accepts any client that can reach port 6379; the
  # NetworkPolicy is the only barrier. Enabling auth (presumably a requirepass taken from
  # existingSecret[passwordKey]) adds defence in depth against a compromised pod in the namespace.
  auth:
    enabled: false
    existingSecret: ""
    passwordKey: password
  # TLS configuration (disabled: queue traffic is plaintext in-cluster).
  tls:
    enabled: false
    existingSecret: ""
    caFile: false
    # Whether clients must present certificates (mutual TLS); only relevant with tls.enabled.
    authClients: "no"
  # Backup annotations for backup tools (e.g., Velero, Stash)
  backup:
    annotations: {}
    # backup.velero.io/backup-volumes: data
    # pre.hook.backup.velero.io/command: '["/bin/sh", "-c", "redis-cli BGSAVE"]'
  # Pod security context
  securityContext:
    enabled: true  # On by default
    fsGroup: 999  # Matches redis user UID/GID in redis:7.4.0 image
    runAsUser: 999
    runAsNonRoot: true
    # NOTE(review): no seccompProfile here, unlike global.securityContext; confirm whether
    # the template merges the global one or add it explicitly.
  storage:
    size: 5Gi
    storageClass: ""
    accessModes:
      - ReadWriteOnce
    volumeMode: Filesystem
    annotations: {}
    # Example backup annotations for storage-level snapshots
    # snapshot.storage.kubernetes.io/enabled: "true"
    # backup.kubernetes.io/deltas: "P1D P7D P30D"
  service:
    port: 6379
# Nginx gateway in front of the services; the public entry point of the deployment.
nginx:
  name: nginx
  image: nginx
  tag: "1.27.4"
  replicas: 2  # Minimum 2 for high availability
  resources:
    requests:
      memory: "256Mi"
      cpu: "200m"
    limits:
      memory: "512Mi"
      cpu: "400m"
  # Pod Disruption Budget, on by default.
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  # Horizontal Pod Autoscaler
  autoscaling:
    enabled: false
    minReplicas: 2
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
  # Dedicated ServiceAccount for this component.
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Security headers, on by default.
  securityHeaders:
    enabled: true
    xContentTypeOptions: "nosniff"
    # 'unsafe-inline' and 'unsafe-eval' in default-src largely neutralise CSP as an XSS
    # mitigation; they are present for the frontend's sake. Tighten with nonces/hashes
    # and a separate script-src if the application allows it. No frame-ancestors is set
    # here — check the nginx template for X-Frame-Options/clickjacking protection.
    contentSecurityPolicy: "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: https://*.openops.com https://assets.frontegg.com https://fonts.cdnfonts.com https://fonts.googleapis.com https://fonts.gstatic.com https://api.github.com https://cdn.jsdelivr.net"
    # Additional origins appended to the CSP default-src directive
    extraCspDomains: []
    # - https://example.com
    permissionsPolicy: "geolocation=(), microphone=(), camera=()"
    referrerPolicy: "strict-origin-when-cross-origin"
  # Request and connection rate limiting, on by default.
  rateLimiting:
    enabled: true
    zone: "api:10m"
    rate: "100r/s"  # Reasonable default for production
    burst: 200
    # The zone name suggests limiting is keyed by client address — TODO confirm in the
    # nginx template. Behind a LoadBalancer without PROXY protocol or real-IP handling
    # every request carries the balancer's address, so one bucket throttles all clients.
    connZone: "addr:10m"
    connLimit: 100
  service:
    port: 80
    # On most cloud providers LoadBalancer provisions an external address that serves
    # plain HTTP on port 80. When fronting with an ingress (ingress.enabled: true) prefer
    # ClusterIP so the TLS-terminating ingress is the only public entry point.
    type: LoadBalancer
# Ingress for the gateway. Disabled by default, in which case nginx.service is the entry point.
ingress:
  enabled: false
  # TLS secret name (only used when global.publicUrl starts with https://)
  tlsSecretName: "openops-tls"
  # Ingress class configuration:
  # - On Kubernetes 1.18+ (and most modern ingress controllers) use ingressClassName.
  # - className exists only for backward compatibility with older ingress setups.
  # Set at most ONE of the two; never both at the same time.
  # - On new clusters set ingressClassName and leave className empty ("").
  # - Set className only if you rely on a legacy ingress controller behaviour.
  className: ""
  ingressClassName: ""
  annotations: {}
  # Routing. The host is derived from global.publicUrl, so only paths are listed.
  hosts:
    - paths:
        - path: /
          pathType: Prefix
          # serviceName must match a service defined in this chart (nginx, app, engine, tables, analytics)
          serviceName: nginx
          servicePort: 80
  # TLS settings below apply only to the nginx ingress controller.
  tlsConfig:
    enabled: false
    sslProtocols: "TLSv1.2 TLSv1.3"
    sslCiphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    hstsMaxAge: "31536000"
    hstsIncludeSubdomains: "true"
    # preload together with includeSubDomains qualifies the domain for browser preload
    # lists, which is effectively irreversible; enable only once every subdomain serves HTTPS.
    hstsPreload: "true"
# NetworkPolicy objects restricting pod-to-pod traffic between components; on by default
# and intended to enforce least-privilege network access.
# They are only enforced when the cluster's CNI implements NetworkPolicy (e.g. Calico,
# Cilium); on a CNI without policy support they are accepted by the API but have no effect.
networkPolicy:
  enabled: true
# Optional namespace-level LimitRange bounding per-container resource requests/limits.
limitRange:
  enabled: false
  limits:
    - max:
        cpu: "4"
        memory: "8Gi"
      min:
        cpu: "100m"
        memory: "128Mi"
      type: Container
# Optional ServiceMonitor for the Prometheus Operator.
serviceMonitor:
  enabled: false
  interval: 30s
  scrapeTimeout: 10s
  # Labels the operator's selector matches on, e.g. release: prometheus
  labels: {}
# Optional External Secrets Operator integration: sync secrets from AWS Secrets Manager,
# GCP Secret Manager, etc. instead of keeping them in this values file.
externalSecrets:
  enabled: false
  secretName: ""
  # With create: false the named ServiceAccount must already exist (typically annotated
  # for workload identity, e.g. an IAM role).
  serviceAccount:
    create: false
    name: external-secrets-sa
    annotations: {}
# Subagent configuration.
subagents:
  # Namespace where subagent pods run (empty = same namespace as the app). Pointing this at
  # another namespace presumably needs cross-namespace RBAC for the app's ServiceAccount.
  namespace: ""