From 641be5041ad96ee8532c57b21fb77ef7d6e114b4 Mon Sep 17 00:00:00 2001 From: Stefan Andres Date: Wed, 4 Dec 2024 13:54:05 +0100 Subject: [PATCH] Add documentation to values Signed-off-by: Stefan Andres --- charts/kargo/README.md | 152 ++++++++++++++++++++++----------------- charts/kargo/values.yaml | 18 +++++ 2 files changed, 103 insertions(+), 67 deletions(-) diff --git a/charts/kargo/README.md b/charts/kargo/README.md index 447e259b8..a8b6622da 100644 --- a/charts/kargo/README.md +++ b/charts/kargo/README.md 
@@ -67,73 +67,91 @@ the Kargo controller is running. ### API -| Name | Description | Value | -| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | -| `api.enabled` | Whether the API server is enabled. | `true` | -| `api.replicas` | The number of API server pods. | `1` | -| `api.host` | The domain name where Kargo's API server will be accessible. When applicable, this is used for generation of an Ingress resource, certificates, and the OpenID Connect issuer and callback URLs. Note: The value in this field MAY include a port number and MUST NOT specify the protocol (http vs https), which is automatically inferred from other configuration options. | `localhost` | -| `api.logLevel` | The log level for the API server. | `INFO` | -| `api.labels` | Labels to add to the api resources. Merges with `global.labels`, allowing you to override or add to the global labels. | `{}` | -| `api.annotations` | Annotations to add to the api resources. Merges with `global.annotations`, allowing you to override or add to the global annotations. | `{}` | -| `api.podLabels` | Optional labels to add to pods. Merges with `global.podLabels`, allowing you to override or add to the global labels. | `{}` | -| `api.podAnnotations` | Optional annotations to add to pods. Merges with `global.podAnnotations`, allowing you to override or add to the global annotations. | `{}` | -| `api.secretManagementEnabled` | Specifies whether Secret management is enabled. 
This affects the API server's ability to manage repository credentials and other Project-level Secrets, such as those used by AnalysisRuns for verification purposes. If using GitOps to manage Kargo Projects declaratively, the API's Secret management capabilities are not needed and can be disabled to effectively reduce the API server's attackable surface. | `true` | -| `api.resources` | Resources limits and requests for the api containers. | `{}` | -| `api.nodeSelector` | Node selector for api pods. Defaults to `global.nodeSelector`. | `{}` | -| `api.tolerations` | Tolerations for api pods. Defaults to `global.tolerations`. | `[]` | -| `api.affinity` | Specifies pod affinity for api pods. Defaults to `global.affinity`. | `{}` | -| `api.securityContext` | Security context for api pods. Defaults to `global.securityContext`. | `{}` | -| `api.cabundle.configMapName` | Specifies the name of an optional ConfigMap containing CA certs that is managed "out of band." Values in the ConfigMap named here should each contain a single PEM-encoded CA cert. If secretName is also defined, it will take precedence over this field. | `""` | -| `api.cabundle.secretName` | Specifies the name of an optional Secret containing CA certs that is managed "out of band." Values in the Secret named here should each contain a single PEM-encoded CA cert. If defined, the value of this field takes precedence over any in configMapName. | `""` | -| `api.env` | Environment variables to add to API server pods. | `[]` | -| `api.envFrom` | Environment variables to add to API server pods from ConfigMaps or Secrets. | `[]` | -| `api.probes.enabled` | Whether liveness and readiness probes should be included in the API server deployment. It is sometimes advantageous to disable these during local development. | `true` | -| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. 
All other settings in this section will be ignored when this is set to `false`. | `true` | -| `api.tls.selfSignedCert` | Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo. | `true` | -| `api.permissiveCORSPolicyEnabled` | Whether to enable a permissive CORS (Cross Origin Resource Sharing) policy. This is sometimes advantageous during local development, but otherwise, should generally be left disabled. | `false` | -| `api.ingress.enabled` | Whether to enable ingress. By default, this is disabled. Enabling ingress is advanced usage. | `false` | -| `api.ingress.annotations` | Annotations specified by your ingress controller to customize the behavior of the ingress resource. | `{}` | -| `api.ingress.ingressClassName` | From Kubernetes 1.18+, this field is supported if implemented by your ingress controller. When set, you do not need to add the ingress class as annotation. | `nil` | -| `api.ingress.tls.enabled` | Whether to enable TLS for the ingress. All other settings in this section will be ignored when this is set to `false`. | `true` | -| `api.ingress.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. 
| `true` | -| `api.ingress.pathType` | You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific` | `ImplementationSpecific` | -| `api.service.type` | If you're not going to use an ingress controller, you may want to change this value to `LoadBalancer` for production deployments. If running locally, you may want to change it to `NodePort` OR leave it as `ClusterIP` and use `kubectl port-forward` to map a port on the local network interface to the service. | `ClusterIP` | -| `api.service.nodePort` | Host port the `Service` will be mapped to when `type` is either `NodePort` or `LoadBalancer`. If not specified, Kubernetes chooses. | `undefined` | -| `api.service.annotations` | Annotations to add to the API server's service. Merges with `global.annotations`, allowing you to override or add to the global annotations. | `{}` | -| `api.secret.name` | Specifies the name of an existing Secret which contains the `ADMIN_ACCOUNT_PASSWORD_HASH` and `ADMIN_ACCOUNT_TOKEN_SIGNING_KEY` values. By setting this, the Secret will **not** be generated by Helm. | `""` | -| `api.adminAccount.enabled` | Whether to enable the admin account. | `true` | -| `api.adminAccount.passwordHash` | Bcrypt password hash for the admin account. A value **must** be provided for this field unless `api.secret.name` is specified. | `""` | -| `api.adminAccount.tokenSigningKey` | Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field, unless `api.secret.name` is specified. | `""` | -| `api.adminAccount.tokenTTL` | Specifies how long ID tokens for the admin account are valid. (i.e. The expiry will be the time of issue plus this duration.) 
| `24h` | -| `api.oidc.enabled` | Whether to enable authentication using Open ID Connect. | `false` | -| `api.oidc.issuerURL` | The issuer URL for the identity provider. If Dex is enabled, this value will be ignored and the issuer URL will be automatically configured. If Dex is not enabled, this should be set to the issuer URL provided to you by your identity provider. | `nil` | -| `api.oidc.clientID` | The client ID for the OIDC client. If Dex is enabled, this value will be ignored and the client ID will be automatically configured. If Dex is not enabled, this should be set to the client ID provided to you by your identity provider. | `nil` | -| `api.oidc.cliClientID` | The client ID for the OIDC client used by CLI (optional). Needed by some OIDC providers (such as Dex) that require a separate Client ID for web app login vs. CLI login (`http://localhost`). If Dex is enabled, this value will be ignored and cli client ID will be automatically configured. If Dex is not enabled, and a different client app is configured for localhost CLI login, this should be the client ID configured in the IdP. | `nil` | -| `api.oidc.additionalScopes` | The additional scopes to send to the OIDC provider. This should be set to the scopes you wish to be provided to your identity provider from clients of Kargo, the scopes openid, profile and email are always requested and don't need to be added, this value is intended for any additional ones you require. | `["groups"]` | -| `api.oidc.admins.claims` | Subjects having any of these claims will automatically be Kargo admins. | `{}` | -| `api.oidc.viewers.claims` | Subjects having any of these claims will automatically receive read-only access to all Kargo resources. | `{}` | -| `api.oidc.globalServiceAccounts.namespaces` | List of namespaces to look for shared service accounts. | `[]` | -| `api.oidc.dex.enabled` | Whether to enable Dex as the identity provider. 
When set to true, the Kargo installation will include a Dex server and the Kargo API server will be configured to make the /dex endpoint a reverse proxy for the Dex server. | `false` | -| `api.oidc.dex.image.repository` | Image repository of Dex | `ghcr.io/dexidp/dex` | -| `api.oidc.dex.image.tag` | Image tag for Dex. | `v2.37.0` | -| `api.oidc.dex.image.pullPolicy` | Image pull policy for Dex. | `IfNotPresent` | -| `api.oidc.dex.image.pullSecrets` | List of imagePullSecrets. | `[]` | -| `api.oidc.dex.env` | Environment variables to add to Dex server pods. This is convenient for cases where api.oidc.dex.connectors needs to reference environment variables from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | -| `api.oidc.dex.envFrom` | Environment variables to add to Dex server pods from ConfigMaps or Secrets. This is especially convenient for cases where api.oidc.dex.connectors needs to reference environment variables from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | -| `api.oidc.dex.volumes` | Add additional volumes to Dex pods. This is convenient for cases where api.oidc.dex.connectors needs to reference mounted data from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | -| `api.oidc.dex.volumeMounts` | Add additional volume mounts to Dex pods. This is convenient for cases where api.oidc.dex.connectors needs to reference mounted data from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `nil` | -| `api.oidc.dex.probes.enabled` | Whether liveness and readiness probes should be included in the Dex server deployment. It is sometimes advantageous to disable these during local development. | `true` | -| `api.oidc.dex.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with Dex. 
If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-dex-server-cert` **must** be provided in the same namespace as Kargo. There is no provision for running Dex without TLS. | `true` | -| `api.oidc.dex.skipApprovalScreen` | Whether to skip Dex's own approval screen. Since upstream identity providers will already request user consent, this second approval screen from Dex can be both superfluous and confusing. | `true` | -| `api.oidc.dex.connectors` | Configure [Dex connectors](https://dexidp.io/docs/connectors/) to one or more upstream identity providers. | `[]` | -| `api.oidc.dex.resources` | Resources limits and requests for the Dex server containers. | `{}` | -| `api.oidc.dex.nodeSelector` | Node selector for Dex server pods. Defaults to `global.nodeSelector`. | `{}` | -| `api.oidc.dex.tolerations` | Tolerations for Dex server pods. Defaults to `global.tolerations`. | `[]` | -| `api.oidc.dex.affinity` | Specifies pod affinity for the Dex server pods. Defaults to `global.affinity`. | `{}` | -| `api.oidc.dex.annotations` | Annotations to add to the Dex server pods. Merges with `global.annotations`, allowing you to override or add to the global annotations. | `{}` | -| `api.oidc.dex.securityContext` | Security context for Dex server pods. Defaults to `global.securityContext`. | `{}` | -| `api.argocd.urls` | Mapping of Argo CD shards names to URLs to support deep links to Argo CD URLs. If sharding is not used, map the empty string to the single Argo CD URL. | `nil` | -| `api.rollouts.integrationEnabled` | Specifies whether Argo Rollouts integration is enabled. When not enabled, the API server will not be capable of creating/updating/applying AnalysesTemplate resources in the Kargo control plane. When enabled, the API server will perform a sanity check at startup. 
If Argo Rollouts CRDs are not found, the API server will proceed as if this integration had been explicitly disabled. Explicitly disabling is still preferable if this integration is not desired, as it will grant fewer permissions to the API server. | `true` | +| Name | Description | Value | +| -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | +| `api.enabled` | Whether the API server is enabled. | `true` | +| `api.replicas` | The number of API server pods. | `1` | +| `api.host` | The domain name where Kargo's API server will be accessible. When applicable, this is used for generation of an Ingress resource, certificates, and the OpenID Connect issuer and callback URLs. Note: The value in this field MAY include a port number and MUST NOT specify the protocol (http vs https), which is automatically inferred from other configuration options. | `localhost` | +| `api.logLevel` | The log level for the API server. | `INFO` | +| `api.labels` | Labels to add to the api resources. Merges with `global.labels`, allowing you to override or add to the global labels. | `{}` | +| `api.annotations` | Annotations to add to the api resources. Merges with `global.annotations`, allowing you to override or add to the global annotations. | `{}` | +| `api.podLabels` | Optional labels to add to pods. Merges with `global.podLabels`, allowing you to override or add to the global labels. 
| `{}` | +| `api.podAnnotations` | Optional annotations to add to pods. Merges with `global.podAnnotations`, allowing you to override or add to the global annotations. | `{}` | +| `api.secretManagementEnabled` | Specifies whether Secret management is enabled. This affects the API server's ability to manage repository credentials and other Project-level Secrets, such as those used by AnalysisRuns for verification purposes. If using GitOps to manage Kargo Projects declaratively, the API's Secret management capabilities are not needed and can be disabled to effectively reduce the API server's attackable surface. | `true` | +| `api.resources` | Resources limits and requests for the api containers. | `{}` | +| `api.nodeSelector` | Node selector for api pods. Defaults to `global.nodeSelector`. | `{}` | +| `api.tolerations` | Tolerations for api pods. Defaults to `global.tolerations`. | `[]` | +| `api.affinity` | Specifies pod affinity for api pods. Defaults to `global.affinity`. | `{}` | +| `api.securityContext` | Security context for api pods. Defaults to `global.securityContext`. | `{}` | +| `api.cabundle.configMapName` | Specifies the name of an optional ConfigMap containing CA certs that is managed "out of band." Values in the ConfigMap named here should each contain a single PEM-encoded CA cert. If secretName is also defined, it will take precedence over this field. | `""` | +| `api.cabundle.secretName` | Specifies the name of an optional Secret containing CA certs that is managed "out of band." Values in the Secret named here should each contain a single PEM-encoded CA cert. If defined, the value of this field takes precedence over any in configMapName. | `""` | +| `api.env` | Environment variables to add to API server pods. | `[]` | +| `api.envFrom` | Environment variables to add to API server pods from ConfigMaps or Secrets. | `[]` | +| `api.probes.enabled` | Whether liveness and readiness probes should be included in the API server deployment. 
It is sometimes advantageous to disable these during local development. | `true` | +| `api.probes.livenessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated. | `10` | +| `api.probes.livenessProbe.exec.command` | Command is the command line to execute inside the container. | `["/usr/local/bin/grpc_health_probe","-addr=:8080","-tls","-tls-no-verify"]` | +| `api.probes.readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated. | `5` | +| `api.probes.readinessProbe.exec.command` | Command is the command line to execute inside the container. | `["/usr/local/bin/grpc_health_probe","-addr=:8080","-tls","-tls-no-verify"]` | +| `api.tls.enabled` | Whether to enable TLS directly on the API server. This is helpful if you do not intend to use an ingress controller or if you require TLS end-to-end. All other settings in this section will be ignored when this is set to `false`. | `true` | +| `api.tls.selfSignedCert` | Whether to generate a self-signed certificate for use by the API server. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-cert` **must** be provided in the same namespace as Kargo. | `true` | +| `api.permissiveCORSPolicyEnabled` | Whether to enable a permissive CORS (Cross Origin Resource Sharing) policy. This is sometimes advantageous during local development, but otherwise, should generally be left disabled. | `false` | +| `api.ingress.enabled` | Whether to enable ingress. By default, this is disabled. Enabling ingress is advanced usage. | `false` | +| `api.ingress.annotations` | Annotations specified by your ingress controller to customize the behavior of the ingress resource. | `{}` | +| `api.ingress.ingressClassName` | From Kubernetes 1.18+, this field is supported if implemented by your ingress controller. 
When set, you do not need to add the ingress class as annotation. | `nil` | +| `api.ingress.tls.enabled` | Whether to enable TLS for the ingress. All other settings in this section will be ignored when this is set to `false`. | `true` | +| `api.ingress.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with the API server's Ingress resource. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-api-ingress-cert` **must** be provided in the same namespace as Kargo. | `true` | +| `api.ingress.pathType` | You may want to use `Prefix` for some controllers (like AWS LoadBalancer Ingress controller), which don't support `/` as wildcard path when pathType is set to `ImplementationSpecific` | `ImplementationSpecific` | +| `api.service.type` | If you're not going to use an ingress controller, you may want to change this value to `LoadBalancer` for production deployments. If running locally, you may want to change it to `NodePort` OR leave it as `ClusterIP` and use `kubectl port-forward` to map a port on the local network interface to the service. | `ClusterIP` | +| `api.service.nodePort` | Host port the `Service` will be mapped to when `type` is either `NodePort` or `LoadBalancer`. If not specified, Kubernetes chooses. | `undefined` | +| `api.service.annotations` | Annotations to add to the API server's service. Merges with `global.annotations`, allowing you to override or add to the global annotations. | `{}` | +| `api.secret.name` | Specifies the name of an existing Secret which contains the `ADMIN_ACCOUNT_PASSWORD_HASH` and `ADMIN_ACCOUNT_TOKEN_SIGNING_KEY` values. By setting this, the Secret will **not** be generated by Helm. | `""` | +| `api.adminAccount.enabled` | Whether to enable the admin account. | `true` | +| `api.adminAccount.passwordHash` | Bcrypt password hash for the admin account. 
A value **must** be provided for this field unless `api.secret.name` is specified. | `""` | +| `api.adminAccount.tokenSigningKey` | Key used to sign ID tokens (JWTs) for the admin account. It is suggested that you generate this using a password manager or a command like: `openssl rand -base64 29 \| tr -d "=+/" \| cut`. A value **must** be provided for this field, unless `api.secret.name` is specified. | `""` | +| `api.adminAccount.tokenTTL` | Specifies how long ID tokens for the admin account are valid. (i.e. The expiry will be the time of issue plus this duration.) | `24h` | +| `api.oidc.enabled` | Whether to enable authentication using Open ID Connect. | `false` | +| `api.oidc.issuerURL` | The issuer URL for the identity provider. If Dex is enabled, this value will be ignored and the issuer URL will be automatically configured. If Dex is not enabled, this should be set to the issuer URL provided to you by your identity provider. | `nil` | +| `api.oidc.clientID` | The client ID for the OIDC client. If Dex is enabled, this value will be ignored and the client ID will be automatically configured. If Dex is not enabled, this should be set to the client ID provided to you by your identity provider. | `nil` | +| `api.oidc.cliClientID` | The client ID for the OIDC client used by CLI (optional). Needed by some OIDC providers (such as Dex) that require a separate Client ID for web app login vs. CLI login (`http://localhost`). If Dex is enabled, this value will be ignored and cli client ID will be automatically configured. If Dex is not enabled, and a different client app is configured for localhost CLI login, this should be the client ID configured in the IdP. | `nil` | +| `api.oidc.additionalScopes` | The additional scopes to send to the OIDC provider. 
This should be set to the scopes you wish to be provided to your identity provider from clients of Kargo, the scopes openid, profile and email are always requested and don't need to be added, this value is intended for any additional ones you require. | `["groups"]` | +| `api.oidc.admins.claims` | Subjects having any of these claims will automatically be Kargo admins. | `{}` | +| `api.oidc.viewers.claims` | Subjects having any of these claims will automatically receive read-only access to all Kargo resources. | `{}` | +| `api.oidc.globalServiceAccounts.namespaces` | List of namespaces to look for shared service accounts. | `[]` | +| `api.oidc.dex.enabled` | Whether to enable Dex as the identity provider. When set to true, the Kargo installation will include a Dex server and the Kargo API server will be configured to make the /dex endpoint a reverse proxy for the Dex server. | `false` | +| `api.oidc.dex.image.repository` | Image repository of Dex | `ghcr.io/dexidp/dex` | +| `api.oidc.dex.image.tag` | Image tag for Dex. | `v2.37.0` | +| `api.oidc.dex.image.pullPolicy` | Image pull policy for Dex. | `IfNotPresent` | +| `api.oidc.dex.image.pullSecrets` | List of imagePullSecrets. | `[]` | +| `api.oidc.dex.env` | Environment variables to add to Dex server pods. This is convenient for cases where api.oidc.dex.connectors needs to reference environment variables from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | +| `api.oidc.dex.envFrom` | Environment variables to add to Dex server pods from ConfigMaps or Secrets. This is especially convenient for cases where api.oidc.dex.connectors needs to reference environment variables from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | +| `api.oidc.dex.volumes` | Add additional volumes to Dex pods. 
This is convenient for cases where api.oidc.dex.connectors needs to reference mounted data from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `[]` | +| `api.oidc.dex.volumeMounts` | Add additional volume mounts to Dex pods. This is convenient for cases where api.oidc.dex.connectors needs to reference mounted data from a Secret that is managed "out of band" with a secret management solution such as Sealed Secrets. | `nil` | +| `api.oidc.dex.probes.enabled` | Whether liveness and readiness probes should be included in the Dex server deployment. It is sometimes advantageous to disable these during local development. | `true` | +| `api.oidc.dex.probes.livenessProbe.httpGet.path` | Path to access on the HTTP server. | `/healthz/live` | +| `api.oidc.dex.probes.livenessProbe.httpGet.port` | Name or number of the port to access on the container. | `5558` | +| `api.oidc.dex.probes.livenessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated. | `10` | +| `api.oidc.dex.probes.livenessProbe.periodSeconds` | How often (in seconds) to perform the probe. | `10` | +| `api.oidc.dex.probes.livenessProbe.timeoutSeconds` | Number of seconds after which the probe times out. | `1` | +| `api.oidc.dex.probes.livenessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | +| `api.oidc.dex.probes.livenessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `300` | +| `api.oidc.dex.probes.readinessProbe.httpGet.path` | Path to access on the HTTP server. | `/healthz/ready` | +| `api.oidc.dex.probes.readinessProbe.httpGet.port` | Name or number of the port to access on the container. | `5558` | +| `api.oidc.dex.probes.readinessProbe.initialDelaySeconds` | Number of seconds after the container has started before liveness probes are initiated. 
| `10` | +| `api.oidc.dex.probes.readinessProbe.periodSeconds` | How often (in seconds) to perform the probe. | `10` | +| `api.oidc.dex.probes.readinessProbe.timeoutSeconds` | Number of seconds after which the probe times out. | `1` | +| `api.oidc.dex.probes.readinessProbe.successThreshold` | Minimum consecutive successes for the probe to be considered successful after having failed. | `1` | +| `api.oidc.dex.probes.readinessProbe.failureThreshold` | Minimum consecutive failures for the probe to be considered failed after having succeeded. | `300` | +| `api.oidc.dex.tls.selfSignedCert` | Whether to generate a self-signed certificate for use with Dex. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-dex-server-cert` **must** be provided in the same namespace as Kargo. There is no provision for running Dex without TLS. | `true` | +| `api.oidc.dex.skipApprovalScreen` | Whether to skip Dex's own approval screen. Since upstream identity providers will already request user consent, this second approval screen from Dex can be both superfluous and confusing. | `true` | +| `api.oidc.dex.connectors` | Configure [Dex connectors](https://dexidp.io/docs/connectors/) to one or more upstream identity providers. | `[]` | +| `api.oidc.dex.resources` | Resources limits and requests for the Dex server containers. | `{}` | +| `api.oidc.dex.nodeSelector` | Node selector for Dex server pods. Defaults to `global.nodeSelector`. | `{}` | +| `api.oidc.dex.tolerations` | Tolerations for Dex server pods. Defaults to `global.tolerations`. | `[]` | +| `api.oidc.dex.affinity` | Specifies pod affinity for the Dex server pods. Defaults to `global.affinity`. | `{}` | +| `api.oidc.dex.annotations` | Annotations to add to the Dex server pods. Merges with `global.annotations`, allowing you to override or add to the global annotations. 
| `{}` | +| `api.oidc.dex.securityContext` | Security context for Dex server pods. Defaults to `global.securityContext`. | `{}` | +| `api.argocd.urls` | Mapping of Argo CD shards names to URLs to support deep links to Argo CD URLs. If sharding is not used, map the empty string to the single Argo CD URL. | `nil` | +| `api.rollouts.integrationEnabled` | Specifies whether Argo Rollouts integration is enabled. When not enabled, the API server will not be capable of creating/updating/applying AnalysesTemplate resources in the Kargo control plane. When enabled, the API server will perform a sanity check at startup. If Argo Rollouts CRDs are not found, the API server will proceed as if this integration had been explicitly disabled. Explicitly disabling is still preferable if this integration is not desired, as it will grant fewer permissions to the API server. | `true` | ### Controller diff --git a/charts/kargo/values.yaml b/charts/kargo/values.yaml index cb5965714..b96eee437 100755 --- a/charts/kargo/values.yaml +++ b/charts/kargo/values.yaml @@ -145,8 +145,10 @@ api: ## @param api.probes.enabled Whether liveness and readiness probes should be included in the API server deployment. It is sometimes advantageous to disable these during local development. enabled: true livenessProbe: + ## @param api.probes.livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. initialDelaySeconds: 10 exec: + ## @param api.probes.livenessProbe.exec.command Command is the command line to execute inside the container. command: - /usr/local/bin/grpc_health_probe - -addr=:8080 
@@ -154,8 +156,10 @@ api: - -tls - -tls-no-verify readinessProbe: + ## @param api.probes.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. initialDelaySeconds: 5 exec: + ## @param api.probes.readinessProbe.exec.command Command is the command line to execute inside the container. command: - /usr/local/bin/grpc_health_probe - -addr=:8080 
@@ -303,21 +307,35 @@ api: enabled: true livenessProbe: httpGet: + ## @param api.oidc.dex.probes.livenessProbe.httpGet.path Path to access on the HTTP server. path: /healthz/live + ## @param api.oidc.dex.probes.livenessProbe.httpGet.port Name or number of the port to access on the container. port: 5558 + ## @param api.oidc.dex.probes.livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. initialDelaySeconds: 10 + ## @param api.oidc.dex.probes.livenessProbe.periodSeconds How often (in seconds) to perform the probe. periodSeconds: 10 + ## @param api.oidc.dex.probes.livenessProbe.timeoutSeconds Number of seconds after which the probe times out. timeoutSeconds: 1 + ## @param api.oidc.dex.probes.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. successThreshold: 1 + ## @param api.oidc.dex.probes.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. failureThreshold: 300 readinessProbe: httpGet: + ## @param api.oidc.dex.probes.readinessProbe.httpGet.path Path to access on the HTTP server. path: /healthz/ready + ## @param api.oidc.dex.probes.readinessProbe.httpGet.port Name or number of the port to access on the container. port: 5558 + ## @param api.oidc.dex.probes.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated. initialDelaySeconds: 10 + ## @param api.oidc.dex.probes.readinessProbe.periodSeconds How often (in seconds) to perform the probe. periodSeconds: 10 + ## @param api.oidc.dex.probes.readinessProbe.timeoutSeconds Number of seconds after which the probe times out. timeoutSeconds: 1 + ## @param api.oidc.dex.probes.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed. 
successThreshold: 1 + ## @param api.oidc.dex.probes.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded. failureThreshold: 300 tls: ## @param api.oidc.dex.tls.selfSignedCert Whether to generate a self-signed certificate for use with Dex. If `true`, `cert-manager` CRDs **must** be present in the cluster. Kargo will create and use its own namespaced issuer. If `false`, a cert secret named `kargo-dex-server-cert` **must** be provided in the same namespace as Kargo. There is no provision for running Dex without TLS.
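Review bot: In the README hunk (`@@ -67,73 +67,91 @@`), the new rows for `api.probes.readinessProbe.initialDelaySeconds` and `api.oidc.dex.probes.readinessProbe.initialDelaySeconds` say "before liveness probes are initiated" although both describe readiness probes; they should read "before readiness probes are initiated". Since the table looks generated from the `## @param` annotations, the fix belongs in values.yaml with the README regenerated so the two stay in sync. The two `exec.command` rows also only repeat the generic Kubernetes field text ("Command is the command line to execute inside the container"); given that the documented default is `["/usr/local/bin/grpc_health_probe","-addr=:8080","-tls","-tls-no-verify"]`, it would help operators to state that the probe talks gRPC health over TLS with certificate verification disabled, so nobody mistakes the flag for a client-side TLS setting of the API server itself.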
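Review bot: In the first values.yaml hunk (`@@ -145,8 +145,10 @@`), the annotation for `api.probes.livenessProbe.exec.command` should describe what the default does rather than the Kubernetes field semantics. Something like "Command run inside the API container to check liveness; the default calls `grpc_health_probe` on port 8080 over TLS without verifying the certificate (`-tls-no-verify`), which is what allows it to work with the self-signed certificate from `api.tls.selfSignedCert`" would make the `-tls-no-verify` default a documented, deliberate choice instead of a surprise for anyone reviewing probe configuration.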
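Review bot: In the second values.yaml hunk (`@@ -154,8 +156,10 @@`), the new line `## @param api.probes.readinessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.` is a copy-paste of the liveness annotation; this key belongs to `readinessProbe`, so the text should say "before readiness probes are initiated". The same applies to the `api.probes.readinessProbe.exec.command` annotation, which could say "readiness" explicitly so the two generated README rows are distinguishable.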
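Review bot: In the Dex hunk (`@@ -303,21 +307,35 @@`), `## @param api.oidc.dex.probes.readinessProbe.initialDelaySeconds` again says "liveness probes" for a readiness probe and should be corrected to "readiness". Separately, now that `api.oidc.dex.probes.livenessProbe.failureThreshold` and the readiness counterpart are documented with their default of `300`, the description would benefit from a short note on why the threshold is that high: with `periodSeconds: 10` the liveness probe only restarts Dex after roughly 50 minutes of consecutive failures, which is unusual enough that a reader of the generated table will wonder whether it is intentional.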