################################################################################################ ### CONFIGURATION ### ################################################################################################ # ------------ # # Defaults # # ------------ # default: ## Disable Helm version check # checkHelmVersion: false ## Type of platform used in the cluster. ## ## You choice: ## - `kubernetes` ## - `openshift` ## platform: kubernetes ## Cluster's default domain # clusterDnsZone: cluster.local ## Default domain name for all ingresses and product-specific environment variables ## domain: "" ## Root path for KCS images in the container registry. ## May be used for a vendor's container registry or self-hosted container registry mirror (remote registry). ## ## Example: ## `registryRoot: registry.domain.corp/docker/kcs` ## registryRoot: repo.kcs.kaspersky.com/images ## Enabling a features: ## - force pull image (`pullPolicy: Always` in Deployments and Daemonset) ## - force recreate objects ## # environment: dev ## Default StorageClass for all PVC (if persistentVolume.*.storageClass is not filled) ## If neither value is filled in, the default cluster StorageClass is used. ## # storageClass: "" ## ServiceAccount name for KCS services, linked with serviceAccount.kcs.imagePullSecret ## serviceAccount: kcs ## Default NodeSelector for all Deployments and StatefulSets. ## ## Example: ## nodeSelector: ## type_node: appsec ## location: datacenter-1 ## # nodeSelector: [] ## Common labels for all created Kubernetes objects. ## labels: app: kcs ## Common labels for all created Kubernetes pods only. ## # podLabels: # foo: bar ## Common annotations for all created Kubernetes pods only. ## # podAnnotations: # foo: bar ## Ingress default values. ## ingress: ## Enable Ingress creation ('true'). ## ## If 'false' you should create an Ingress object manually - `ingress.*` section is completely ignored. 
## ## Information for manual Ingress: ## ## Ingress (domain) -> kcs-panel (service) :8080 (port) / (path) ## -> kcs-mw-ingress (service) :8443 (port) /api (path) ## -> kcs-mw-ingress (service) :8443 (port) /public/swagger (path) ## -> kcs-mw-ingress (service) :8443 (port) /public/redoc (path) ## -> kcs-ab-hb (service) :8437 (port) /agent-api/heartbeat (path) ## -> kcs-ab-ci (service) :8438 (port) /agent-api/cluster (path) ## -> kcs-ab-bench (service) :8439 (port) /agent-api/bench (path) ## -> kcs-ab-others (service) :8440 (port) /agent-api/others (path) ## -> kcs-eb-ingress (service) :8880 (port) /clickhouse (path) ## -> kcs-updates (service) :8080 (port) /kuu (path) ## create: true ## Default IngressClass for all ingress objects (if ingress.*.ingressClass not filled) ## ## Example: ## `class: nginx` ## # class: "" ## NetworkPolicy configuration ## networkPolicies: ## Enable NetworkPolicies creation for KCS services within the KCS namespace ## create: true ## Set the Ingress Controller namespace name for NetworkPolicy (MIDDLEWARE and PANEL) ## Urgent! If value default.networkPolicies.create is true, specifying namespace as a list is mandatory ## ingressControllerNamespaces: # - ingress-nginx # - openshift-host-network ## Interservice certificates generation ## ## Your choice: ## - `files` - to create secrets with their own certificates ## - `helm` - to create autogenerated secrets by Helm (recommended) ## - `vault` - disables autogeneration of all certificates, it is expected to add them only via annotations ## certSource: helm ## Force certificates re-creation ## ## Re-create CA cert, CA key and internal services certificates ## After updating the chart with new certificates, ## it is necessary to manually recreate all pods with the controller type 'StatefulSet' ## for the changes to take effect (exp. 
kcs-s3, kcs-clickhouse, kcs-memcached, kcs-postgres) ## # forceGenCerts: false # ------------ # # Services # # ------------ # ## Here you can change the default values for 'resources', set `nodeSelector` and `tolerations` of any chart component ## ## Example: ## ## kcs-ih: ## resources: ## requests: ## memory: "1Gi" ## cpu: "500m" ## ephemeral-storage: 4Gi ## limits: ## memory: "8Gi" ## cpu: "4" ## ephemeral-storage: 8Gi ## nodeSelector: ## kubernetes.io/hostname: worker-1.example.nodename ## tolerations: ## - key: reserved ## operator: Equal ## value: example ## effect: NoSchedule kcs-ih: ## Replica count for IMAGE HANDLER service. ## This parameter can be increased to meet the image scanning requirements. ## replicaCount: 3 ## ## This parameter disables more than one replica of the component from existing on a node # podAntiAffinity: true kcs-ab: ## Replica count for AGENT BROKER service. ## This parameter can be increased according to the number of agents installed, depending on: ## `kcs-ab` per 2000 `node-agent` ## replicaCount: 1 # kcs-middleware: ## When scanWorkers is increased, 'resources.requests.cpu' and 'resources.limits.cpu' must be increased accordingly to the formula: ## `memory` = default_memory * scanWorkers/2 ## `cpu` = default_cpu * scanWorkers ## # scanWorkers: 1 ## Default values for 'resources' ## # resources: # requests: # memory: "2Gi" # cpu: "500m" # limits: # memory: "4Gi" # cpu: "1" postgresql: ## Use external PostgreSQL ## external: false resources: requests: cpu: "2" memory: "4Gi" limits: cpu: "8" memory: "16Gi" kcs-s3: ## Use S3 for feature `Reports` ## enabled: true external: false kcs-clickhouse: ## Use ClickHouse with PersistentVolume ## external: false persistent: true resources: requests: cpu: 200m memory: 1Gi limits: cpu: "2" memory: "2Gi" updates: ## Use an internal KCS UPDATES service in the same namespace (no proxy, no internet access) ## enabled: false ## No proxy domains. 
If you need to exclude specific resources from the proxy, add them here, separating with commas (without spaces). ## All essential KCS services will be added automatically. ## # NO_PROXY: # ---------------- # # Pull Secrets # # ---------------- # pullSecret: ## Default pullsecret associated with all ServiceAccounts (Values.serviceAccount) ## kcs-pullsecret: ## Credentials for pullsecret: container registry URL ## registry: "repo.kcs.kaspersky.com" ## Credentials for pullsecret: container registry username ## username: "" ## Credentials for pullsecret: container registry user password ## password: "" ## Credentials for pullsecret: container registry user email ## email: "" # ------------------- # # Service accounts # # ------------------- # ## KCS service accounts linked to pullsecrets. ## Editing is not required ## serviceAccount: kcs: imagePullSecret: - kcs-pullsecret kcs-middleware: imagePullSecret: - kcs-pullsecret role: - ns-pods ## Disables the automatic creation of `Role`, `RoleBindings`, `ClusterRole`, `ClusterRoleBindings` ## in the cluster while checking for their existence before installation. ## # manualRoleCreation: true # ------------- # # Ingresses # # ------------- # ingress: ## Ingress configuration for the KCS Frontend and API. ## All paths for the `kcs` Ingress are defined in the service configuration (within the `Architecture` block). ## Service configuration is linked to the ingress in the `ingress:` section, using the Ingress name. ## Traffic from the Ingress `kcs` path to PANEL and MIDDLEWARE services. ## kcs: ## Domain name. ## # domain: "kcs.apps-crc.testing" ## Determines the type of ingress traffic. ## ## Your choice: ## - `http` ## - `https` ## ## For `https`, a secret with the name from `ingress.kcs.secret`, created from a file, is used. ## If you plan to provide the secret yourself, comment out the `secret.cert-ingress` section. 
## externalTrafficType: http ## Secret name with TLS certificates ## secret: cert-ingress ## IngressClass for the Ingress object ## If the value is not filled, the default IngressClass is used (default.ingress.class). ## If neither value is filled in, the default cluster IngressClass is used. ## # ingressClass: "" ## Annotations for Ingress. ## It may be used to configure various Ingress types. ## Annotations for integration with cert-manager can also be added here. ## annotations: ## Required annotation for the NGINX Ingress controller. ## nginx.ingress.kubernetes.io/proxy-body-size: 1500m ## Required annotation for the HAproxy Ingress controller. ## # haproxy.router.openshift.io/proxy-body-size: 1500m # ---------------------- # # Persistent Volumes # # ---------------------- # ## ## `size` ## ------ ## Size for PersistentVolumeClaim. ## ## Example: ## `size: 10Gi` ## ## `storageClass` ## -------------- ## StorageClass for PersistentVolumeClaim ## ## If value not filled default storageClass is used (default.StorageClass). ## If neither value is filled in, the default cluster StorageClass is used. ## ## If `local-storage` is used as the `storageClass`, you need to specify the following parameters ## and create the specified directories on the node. 
## ## Example: ## ## postgresql: ## size: 20Gi ## storageClass: local-storage ## path: /path/example ## nodename: worker-1.example.nodename ## persistentVolume: ## PVC for PostgreSQL ## postgresql: size: 20Gi # storageClass: "" ## PVC for S3 ## pvc-minio: size: 2Gi # storageClass: "" ## PVC for ClickHouse ## The size of the PVC type `cold` for ClickHouse must be at least equal to the number of worker nodes in the cluster ## The PVC type `cold` may be slow for I/O operations ## PVC of type `hot` should be optimized for fast I/O operations ## pvc-clickhouse-cold: size: 40Gi # storageClass: "" pvc-clickhouse-hot: size: 20Gi # storageClass: "" # -------------- # # ConfigMaps # # -------------- # configmap: ## Main ConfigMap with environment variables for the KCS services. ## infraconfig: type: fromEnvs envs: ## ----------------------- ## ## Internal certificates ## ## ----------------------- ## ## Interservice communication with TLS. ## If you need to enable inter-service communication using TLS certificates: ## ## 1a. Set `default.certSource: helm` ## or ## 1b. Set `default.certSource: files` ## and ## Generate certificates for each of the services (you can use the script in ./certs/gen_certs_internal.sh) ## and ## uncomment the `secret.cert-*` blocks for services. ## 2. Set the value of the `TLS_INTERNAL` variable to `true` (`TLS_INTERNAL: true`). ## TLS_INTERNAL: true ## TLS configuration for public port services. ## ## Example: ## `TLS_INGRESS: true` // enable TLS on pod ports (MIDDLEWARE & PANEL) ## May be used only with customer self-serving Ingress & Ingress Controller with passthrough or re-encrypt scenario. ## ## `TLS_INGRESS: false` // disable TLS on pod ports (MIDDLEWARE & PANEL) ## TLS_INGRESS: false ## ---------- ## ## PostgreSQL ## ## ---------- ## ## PostgreSQL environment variables. ## `POSTGRES_HOST` may be changed if an external database is used. ## POSTGRES_HOST: kcs-postgres POSTGRES_PORT: 5432 POSTGRES_DB_NAME: api ## PostgreSQL sslmode ## Urgent! 
If the TLS_INTERNAL variable is set to 'false', you must set this variable to 'disable' ## ## Your choice: ## `disable` ## `verify-ca` ## `verify-full` ## POSTGRES_VERIFY_LEVEL: verify-full ## PostgreSQL CA certificate path. ## Should be changed for external PostgreSQL: ## ## 1a. Put PostgreSQL CA certificate (`certs/pgsql-ca.crt`) ## Set `POSTGRES_ROOT_CA_PATH` variable with an internal mount point ## 1b. Or uncomment the `cert-pgsql-ca` block in the `vault.certificate` section ## 2. Uncomment the `secret.cert-pgsql-ca` block for secret creation ## ## Default value (internal PostgreSQL): /etc/ssl/certs/ca.crt ## # POSTGRES_ROOT_CA_PATH: /etc/ssl/certs/pgsql-ca.crt ## ---------- ## ## ClickHouse ## ## ---------- ## ## Set the value to `true` if `kcs-clickhouse` should be run using a single PV named `pvc-clickhouse-cold` ## CLICKHOUSE_SINGLE_STORAGE: false ## External ClickHouse environment variables must be uncommented and changed if an external database is used. ## # EXT_CLICKHOUSE_PROTOCOL: https # EXT_CLICKHOUSE_HOST: clickhouse.ns.svc.cluster.local # EXT_CLICKHOUSE_PORT: 8443 # EXT_CLICKHOUSE_DB_NAME: kcs # EXT_CLICKHOUSE_COLD_STORAGE_NAME: cold # EXT_CLICKHOUSE_STORAGE_POLICY_NAME: kcs_default ## ClickHouse sslmode enables user authentication using their client certificates without requiring a password ## Urgent! If the TLS_INTERNAL variable is set to 'false', you must set this variable to 'false' ## # EXT_CLICKHOUSE_SSL_AUTH: true ## ClickHouse CA certificate path. ## Must be changed for external ClickHouse if the variable `EXT_CLICKHOUSE_PROTOCOL` is set to `https` ## ## 1a. Put ClickHouse CA certificate (`certs/kcs-clickhouse-ca.crt`) ## Uncomment the `secret.cert-kcs-clickhouse-ca` block for secret creation ## 1b. Or uncomment the `cert-kcs-clickhouse-ca` block in the `vault.certificate` section ## 2. 
Set `EXT_CLICKHOUSE_ROOT_CA_PATH` variable with an internal mount point ## ## Default value (internal ClickHouse): /etc/ssl/certs/ca.crt ## # EXT_CLICKHOUSE_ROOT_CA_PATH: /etc/ssl/certs/kcs-clickhouse-ca.crt ## --------- ## ## MinIO ## ## --------- ## ## MinIO environment variables. ## `MINIO_HOST` may be changed if an external instance is used. ## MINIO_HOST: kcs-s3 MINIO_PORT: 9000 MINIO_BUCKET_NAME: reports ## MinIO sslmode variable must be uncommented for TLS/SSL connections to an external MinIO ## Urgent! If the TLS_INTERNAL variable is set to 'false', you must set this variable to 'false' ## # MINIO_SSL: true ## MinIO CA certificate path. ## Must be changed for external MinIO if the variable `MINIO_SSL` is set to `true`: ## ## 1a. Put MinIO CA certificate (`certs/minio-ca.crt`) ## Uncomment the `secret.cert-minio-ca` block for secret creation ## 1b. Or uncomment the `cert-minio-ca` block in the `vault.certificate` section ## 2. Set `MINIO_ROOT_CA_PATH` variable with an internal mount point ## ## Default value (internal MinIO): /etc/ssl/certs/ca.crt ## # MINIO_ROOT_CA_PATH: /etc/ssl/certs/minio-ca.crt ## ------------ ## ## Log levels ## ## ------------ ## ## Internal log level ## ## Your choice: ## `panic | fatal | error | warning | debug | trace | info` ## ## Default, recommended for production - `info` ## # API_LOG_LEVEL: info ## External log level ## ## Your choice: ## `debug | release` ## ## Default, recommended for production - `release` ## # HTTP_MODE: release ## Database request logs for all KCS services ## ## Your choice: ## `info | warn | error | silent` ## ## Default, recommended for production - `silent` ## # DB_LOG_LEVEL: silent ## ------------------------------------ ## ## Updates and external communications ## ## ------------------------------------ ## ## If `default.updates.enabled` is `true` and the `kcs-updates` internal container is used in the same namespace, the necessary values will be added to the Configmap automatically. 
## ## If the namespace is different or an external web address is used, you need to do two things: ## 1. If HTTP & HTTPS proxies are used for components, the variable `secret.infracreds.envs.SCANNER_PROXY` must be empty ## 2. Correct and uncomment these variables: ## # KCS_UPDATE_URL: http://kcs-updates.updates-namespace.svc.cluster.local:8080/kuu/updates # KESL_HOST: kcs-updates.updates-namespace.svc.cluster.local:8080 ## Servername directive for nginx (PANEL service) ## It should be changed to the public domain when the passthrough ingress scenario is used. ## # SERVERNAME: kcs-panel ## ------- ## ## Other ## ## ------- ## ## Enable scanning for Java vulnerabilities ## # ENABLE_JAVA_VULN: true ## The storage period for events and information about duplicate scanning results, values in hours ## # EVENT_LIFETIME_HOURS: 2160 # SCAN_LIFETIME_HOURS: 2160 ## The name of the secret in the namespace that contains credentials for technical user accounts used for accessing repositories in KCS scanning ## # TECHNICAL_ACCOUNTS_SECRET_NAME: kcs-technical-accounts ## Version-specific parameters for generating YAML objects in the UI ## KUBE_AGENT_TAG: v2.1.0 NODE_AGENT_TAG: v2.1.0 SCANNER_TAG: v2.1.0 IMAGE_TAG_MIDDLEWARE: v2.1.0 # ----------- # # Secrets # # ----------- # secret: ## Secrets from files with: ## ## - CA certificate and key for internal services ## - CA for external PostgreSQL ## - CA for external ClickHouse ## - CA for external MinIO ## - self-signed service certificates and keys ## - certificate and key for Ingress ## ## See the comments for these blocks and environment variables: ## ## `configmap.infraconfig.envs.TLS_INTERNAL` ## `configmap.infraconfig.envs.TLS_INGRESS` ## `configmap.infraconfig.envs.POSTGRES_VERIFY_LEVEL` ## `configmap.infraconfig.envs.EXT_CLICKHOUSE_SSL_AUTH` ## `configmap.infraconfig.envs.MINIO_SSL` ## `ingress.kcs` # ---------------------- # # Ingress certificates # # ---------------------- # ## Certificate and key for PANEL, MIDDLEWARE and AgentBroker 
services (ssl-passthrough) ## or Ingress Object (https) ## # cert-ingress: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-ingress.crt # tls.key: certs/kcs-ingress.key # --------------------------------------------- # # External PostgreSQL CA & client certificate # # --------------------------------------------- # ## CA certificate for external PostgreSQL ## # cert-pgsql-ca: # type: Opaque # files: # tls.crt: certs/pgsql-ca.crt ## PostgreSQL client certificate for MIDDLEWARE and AgentBroker services. ## # cert-pguser: # type: kubernetes.io/tls # files: # tls.crt: certs/pguser.crt # tls.key: certs/pguser.key # --------------------------------------------- # # External ClickHouse CA & client certificate # # --------------------------------------------- # ## CA certificate for external ClickHouse ## # cert-kcs-clickhouse-ca: # type: Opaque # files: # tls.crt: certs/kcs-clickhouse-ca.crt ## ClickHouse client certificates for EventBroker service. ## # cert-kcsuser-write: # type: kubernetes.io/tls # files: # tls.crt: certs/kcsuser-write.crt # tls.key: certs/kcsuser-write.key # cert-kcsuser-read: # type: kubernetes.io/tls # files: # tls.crt: certs/kcsuser-read.crt # tls.key: certs/kcsuser-read.key # -------------------# # External MinIO CA # # -------------------# ## CA certificate for external MinIO ## # cert-minio-ca: # type: Opaque # files: # tls.crt: certs/minio-ca.crt # --------------------------------------------------------- # # Internal certificates (when `default.certSource: files`) # # --------------------------------------------------------- # ## CA certificate and key for internal services ## # cert-ca: # type: kubernetes.io/tls # files: # tls.crt: certs/ca.crt # tls.key: certs/ca.key ## Certificate and key for the LICENCES service (internal) ## # cert-kcs-licenses: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-licenses.crt # tls.key: certs/kcs-licenses.key ## Certificate and key for the AGENT BROKER service (internal) ## # cert-kcs-ab: # 
type: kubernetes.io/tls # files: # tls.crt: certs/kcs-ab.crt # tls.key: certs/kcs-ab.key ## Certificate and key for the MIDDLEWARE service (internal) ## # cert-kcs-middleware: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-middleware.crt # tls.key: certs/kcs-middleware.key ## Certificate and key for the MIDDLEWARE GRPC service (internal) ## # cert-kcs-mw-grpc: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-mw-grpc.crt # tls.key: certs/kcs-mw-grpc.key ## Certificate and key for the SCANNER service (internal) ## # cert-kcs-scanner: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-scanner.crt # tls.key: certs/kcs-scanner.key ## Certificate and key for the SCANNER API service (internal) ## # cert-kcs-scanner-api: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-scanner-api.crt # tls.key: certs/kcs-scanner-api.key ## Certificate and key for the UPDATES service (internal) ## # cert-kcs-updates: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-updates.crt # tls.key: certs/kcs-updates.key ## Certificate and key for the Memcached service (internal) ## # cert-kcs-memcached: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-memcached.crt # tls.key: certs/kcs-memcached.key ## Certificate and key for the POSTGRESQL service (internal) ## # cert-kcs-postgres: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-postgres.crt # tls.key: certs/kcs-postgres.key ## Certificate and key for s3 service (internal) ## # cert-kcs-s3: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-s3.crt # tls.key: certs/kcs-s3.key ## Certificate and key for EventBroker service (internal) ## # cert-kcs-eb: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-eb.crt # tls.key: certs/kcs-eb.key ## Certificate and key for ClickHouse service (internal) ## # cert-kcs-clickhouse: # type: kubernetes.io/tls # files: # tls.crt: certs/kcs-clickhouse.crt # tls.key: certs/kcs-clickhouse.key # cert-kcsuser-write: # type: kubernetes.io/tls # files: # tls.crt: 
certs/kcsuser-write.crt # tls.key: certs/kcsuser-write.key # cert-kcsuser-read: # type: kubernetes.io/tls # files: # tls.crt: certs/kcsuser-read.crt # tls.key: certs/kcsuser-read.key # ---------------- # # System secrets # # ---------------- # ## Main Secret `infracreds` with environment variables for KCS services. ## infracreds: type: fromEnvs envs: ## HTTP & HTTPS proxies for components ## # HTTP_PROXY: # HTTPS_PROXY: # SCANNER_PROXY: # LICENSE_PROXY: ## Credentials for PostgreSQL ## If you change the default value of `POSTGRES_USER` and use the variable `configmap.infraconfig.envs.POSTGRES_VERIFY_LEVEL` with a value of `verify-full`, ## you must use `default.certSource: files` ## POSTGRES_USER: pguser POSTGRES_PASSWORD: "" ## Credentials for S3 ## The `MINIO_ROOT_PASSWORD` value must be at least 8 characters long ## MINIO_ROOT_USER: "" MINIO_ROOT_PASSWORD: "" ## Usernames for ClickHouse are required only if it is used externally ## # EXT_CLICKHOUSE_WRITE_USER: kcsuser-write # EXT_CLICKHOUSE_READ_USER: kcsuser-read ## Passwords for ClickHouse ## By default, the write and read passwords reuse the value of `CLICKHOUSE_ADMIN_PASSWORD`. ## CLICKHOUSE_ADMIN_PASSWORD: "" CLICKHOUSE_WRITE_PASSWORD: "{{ $.Values.secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD }}" CLICKHOUSE_READ_PASSWORD: "{{ $.Values.secret.infracreds.envs.CLICKHOUSE_ADMIN_PASSWORD }}" ## Credentials for Memcached ## MCHD_USER: "" MCHD_PASS: "" ## This parameter is used to encrypt sensitive information in the database. ## Urgent! After creation, this parameter must not be lost or changed ## APP_SECRET: "" ## Credentials for technical user accounts used for accessing repositories in KCS scanning ## The value must be a base64-encoded string of a JSON file ## # TECHNICAL_ACCOUNTS: base64-string # ----------- # # Vault # # ----------- # ## The Vault section generates annotation components for the vault k8s injector ## If you uncomment any value from the `secret` or `certificate` section, it will override the generated or already defined value of the same type. 
## vault: ## Enables the generation of the main annotations and inserts them into any pod that matches a secret or certificate ## # enabled: true ## Path to mount secrets in the pod. Default `/vault/secrets` ## # mountPath: /vault/secrets ## Authorisation role in the vault. It should have all the service accounts from the section `serviceAccount` ## # role: kcs ## Flag for the annotation value `vault.hashicorp.com/agent-init-first`. Default `true` ## # agentInitFirst: "true" ## Flag for the annotation value `vault.hashicorp.com/agent-pre-populate`. Default `true` ## # agentPrePopulate: "true" ## Flag for the annotation value `vault.hashicorp.com/agent-pre-populate-only`. Default `false` ## # agentPrePopulateOnly: "false" ## Flag for the annotation value `vault.hashicorp.com/preserve-secret-case`. Default `true` ## # preserveSecretCase: "true" ## Custom block for adding any annotations to all components ## To add a custom annotation to the pod, you need to insert the `annotation` field into the required `component` in the ARCHITECTURE block. ## # annotations: # vault.hashicorp.com/foo: "bar" # --------------- # # Vault secrets # # --------------- # ## In the `vault.secret` section, the value of each variable must specify the path and name of the secret in Vault, ## followed by the `@` sign and the name of the key in Vault ## Any uncommented secret overrides the value of the same secret from the `secret` section ## secret: type: managedByVault ## Flag for the annotation value `vault.hashicorp.com/agent-inject-perms`. 
Default `0440` ## # agentInjectPerms: "0440" ## HTTP & HTTPS proxies for components ## # HTTP_PROXY: kv/secret/kcs/proxy@HTTP_PROXY # HTTPS_PROXY: kv/secret/kcs/proxy@HTTPS_PROXY # SCANNER_PROXY: kv/secret/kcs/proxy@SCANNER_PROXY # LICENSE_PROXY: kv/secret/kcs/proxy@LICENSE_PROXY ## Credentials for PostgreSQL ## The component `kcs-postgres` does not support retrieving secrets from Vault ## Set the flag `default.postgresql.external` to `true` or keep these credentials commented ## # POSTGRES_USER: kv/secret/kcs/psql@POSTGRES_USER # POSTGRES_PASSWORD: kv/secret/kcs/psql@POSTGRES_PASSWORD ## Credentials for S3 ## The `MINIO_ROOT_PASSWORD` value must be at least 8 characters long ## # MINIO_ROOT_USER: kv/secret/kcs/minio@MINIO_ROOT_USER # MINIO_ROOT_PASSWORD: kv/secret/kcs/minio@MINIO_ROOT_PASSWORD ## Usernames for ClickHouse are required only if it is used externally ## # EXT_CLICKHOUSE_WRITE_USER: kv/secret/kcs/clickhouse@EXT_CLICKHOUSE_WRITE_USER # EXT_CLICKHOUSE_READ_USER: kv/secret/kcs/clickhouse@EXT_CLICKHOUSE_READ_USER ## Passwords for ClickHouse ## # CLICKHOUSE_ADMIN_PASSWORD: kv/secret/kcs/clickhouse@CLICKHOUSE_ADMIN_PASSWORD # CLICKHOUSE_WRITE_PASSWORD: kv/secret/kcs/clickhouse@CLICKHOUSE_WRITE_PASSWORD # CLICKHOUSE_READ_PASSWORD: kv/secret/kcs/clickhouse@CLICKHOUSE_READ_PASSWORD ## Credentials for Memcached ## # MCHD_USER: kv/secret/kcs/memcached@MCHD_USER # MCHD_PASS: kv/secret/kcs/memcached@MCHD_PASS ## This parameter is used to encrypt sensitive information in the database. ## If it is lost or changed, the data will be lost ## # APP_SECRET: kv/secret/kcs/appsecret@APP_SECRET ## Credentials for technical user accounts used for accessing repositories in KCS scanning ## The required key name in the secret is `config.json` ## # TECHNICAL_ACCOUNTS: kv/tua/configjson@config.json # ----------------- # # Vault certificate # # ----------------- # ## In the vault.certificate section, the following values must be specified: ## 1. 
To obtain a CA certificate, the `ca` flag must be set to `true`, with the path derived from the PKI name using the default access path `cert/ca`. ## If the CA certificate is not a root certificate, the entire certificate chain, including the root, must be specified through the `caList` flag as a list. ## 2. For generating certificates and keys, the path must be derived from the PKI name using the default access path `issue` along with the name of the created role. ## The certificate will automatically include the `common_name` and all possible alternative names. The `cn`, `altname` and `ipsans` flags can override this behavior. ## Any uncommented certificate overrides the value of the same secret from the `secret` section ## certificate: ## Flag for `ttl` value in certificate generation annotations. Default `8760h` ## Cannot exceed the value set in the Vault PKI settings. ## # ttl: "8760h" ## Flag for the annotation value `vault.hashicorp.com/agent-inject-perms`. Default `0440` ## # agentInjectPerms: "0440" # --------------------------------------------- # # External PostgreSQL CA & client certificates # # --------------------------------------------- # ## The component `kcs-postgres` does not support retrieving secrets from Vault ## Set the flag `default.postgresql.external` to `true`, or keep these credentials commented ## with the flag `configmap.infraconfig.envs.POSTGRES_VERIFY_LEVEL` set to `disable` ## ## CA certificate for external PostgreSQL ## Uncomment the variable `configmap.infraconfig.envs.POSTGRES_ROOT_CA_PATH` ## # cert-pgsql-ca: # ca: true # tls.crt: pki_psql/cert/ca # caList: # - pki/cert/ca ## PostgreSQL client certificate for MIDDLEWARE and AgentBroker services. 
## The value of flags `cn`, `altname` and `ipsans` should be set according to the settings of the external database ## # cert-pguser: # cn: pguser # altname: pguser,pguser.psql,pguser.psql.svc,pguser.psql.svc.cluster.local,localhost # ipsans: 0.0.0.0,127.0.0.1 # tls.crt: pki_psql/issue/psql # tls.key: pki_psql/issue/psql # --------------------------------------------- # # External ClickHouse CA & client certificates # # --------------------------------------------- # ## CA certificate for external ClickHouse ## Uncomment the variable `configmap.infraconfig.envs.EXT_CLICKHOUSE_ROOT_CA_PATH` ## # cert-kcs-clickhouse-ca: # ca: true # tls.crt: pki_clickhouse/cert/ca # caList: # - pki/cert/ca ## ClickHouse client certificates for EventBroker service. ## The value of flags `cn`, `altname` and `ipsans` should be set according to the settings of the external database ## # cert-kcsuser-write: # cn: kcsuser-write # altname: kcsuser-write.clickhouse # ipsans: 0.0.0.0,127.0.0.1 # tls.crt: pki_clickhouse/issue/clickhouse # tls.key: pki_clickhouse/issue/clickhouse # cert-kcsuser-read: # cn: kcsuser-read # altname: kcsuser-read.clickhouse # ipsans: 0.0.0.0,127.0.0.1 # tls.crt: pki_clickhouse/issue/clickhouse # tls.key: pki_clickhouse/issue/clickhouse # -------------------# # External MinIO CA # # -------------------# ## CA certificate for external MinIO ## Uncomment the variable `configmap.infraconfig.envs.MINIO_ROOT_CA_PATH` ## # cert-minio-ca: # ca: true # tls.crt: pki_minio/cert/ca # caList: # - pki/cert/ca # ----------------------- # # Internal certificates # # ----------------------- # ## CA certificate for internal services ## # cert-ca: # ca: true # tls.crt: pki_kcs/cert/ca # caList: # - pki/cert/ca ## Certificate and key for the LICENCES service (internal) ## # cert-kcs-licenses: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for the AGENT BROKER service (internal) ## # cert-kcs-ab: # tls.crt: pki_kcs/issue/kcs # tls.key: 
pki_kcs/issue/kcs ## Certificate and key for the MIDDLEWARE service (internal) ## # cert-kcs-middleware: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for the MIDDLEWARE GRPC service (internal) ## # cert-kcs-mw-grpc: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for the SCANNER service (internal) ## # cert-kcs-scanner: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for the SCANNER API service (internal) ## # cert-kcs-scanner-api: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for the UPDATES service (internal) ## # cert-kcs-updates: # tls.key: pki_kcs/issue/kcs # tls.crt: pki_kcs/issue/kcs ## Certificate and key for the Memcached service (internal) ## # cert-kcs-memcached: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for s3 service (internal) ## # cert-kcs-s3: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for EventBroker service (internal) ## # cert-kcs-eb: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ## Certificate and key for ClickHouse service (internal) ## # cert-kcs-clickhouse: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs # cert-kcsuser-write: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs # cert-kcsuser-read: # tls.crt: pki_kcs/issue/kcs # tls.key: pki_kcs/issue/kcs ################################################################################################ ### ARCHITECTURE ### ################################################################################################ ## This section describes KCS microservices and architecture for Kubernetes object rendering. ## ## These options do NOT REQUIRE editing. 
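##
# ---------------- #
# SMART ENV VARS #
# ---------------- #
## Static environment variables rendered into the `infraconfig` ConfigMap.
## Values containing `{{ ... }}` are Helm template expressions evaluated at render time;
## they are kept quoted so YAML does not parse them as flow mappings.
smartconfigmap:
  infraconfig:
    type: fromEnvs
    envs:
      API_URL: "{{ $.Values.ingress.kcs.externalTrafficType }}://{{ $.Values.default.domain }}"
      COOKIE_DOMAIN: "{{ $.Values.default.domain }}"
      REGISTRY_AGENT_URL: "{{ $.Values.default.registryRoot }}"
      LICENSE_GRPC_HOST: kcs-licenses
      LICENSE_GRPC_PORT: 51060
      MIDDLEWARE_HOST: kcs-middleware
      MIDDLEWARE_PORT: 8000
      AGENT_BROKER_HOST: kcs-ab
      AGENT_BROKER_PORT: 8000
      MIDDLEWARE_GRPC_HOST: kcs-mw-grpc
      MIDDLEWARE_GRPC_PORT: 51065
      SCANNER_HOST: kcs-scanner
      SCANNER_PORT: 8080
      SCANNER_API_HOST: kcs-scanner-api
      SCANNER_API_PORT: 8000
      SCANNER_API_PATH: /
      ## Report printing: the middleware talks to the headless-browser DevTools endpoint of the
      ## kcs-reports sidecar (containerPort 9222 in component.kcs-middleware) over localhost only.
      PRINTER_TARGET_URL: http://localhost:9224
      PRINTER_DEVTOOLS_URL: http://localhost:9222
      PRINTER_TARGET_SERVER_PORT: 9224
      UPDATES_ENABLED: "{{ $.Values.default.updates.enabled }}"
      POSTGRESQL_MAX_CONNECTIONS: 120
      POSTGRES_CERT_KEY_PATH: "/certs/pguser.key"
      POSTGRES_CERT_PATH: "/certs/pguser.crt"
      POSTGRES_EXT: "{{ $.Values.default.postgresql.external }}"
      MEMCACHED_HOST: kcs-memcached
      MEMCACHED_PORT_NUMBER: "11211"
      MEMCACHED_MAX_CONNECTIONS: 10000
      MEMCACHED_MAX_ITEM_SIZE: "52428800"
      MINIO_ENABLED: '{{ or ((index .Values.default "kcs-s3").enabled) ((index .Values.default "kcs-s3").external) }}'
      ## MinIO scheme follows TLS_INTERNAL (https when internal TLS is on).
      MINIO_SCHEME: "{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}https{{- else }}http{{- end }}"
      MINIO_EXT: '{{ (index .Values.default "kcs-s3").external }}'
      EVENT_BROKER_HOST: kcs-eb
      EVENT_BROKER_PORT: 8881
      CLICKHOUSE_EXT: '{{ (index .Values.default "kcs-clickhouse").external }}'
# -------------------- #
# GENERATED ENV VARS #
# -------------------- #
## Environment variables derived from other values via chart helpers
## (`noProxyValue`, `selectByPriority`, `selectByEnv`, `checkEnvEnable`).
tplconfigmap:
  infraconfig:
    type: fromEnvs
    envs:
      NO_PROXY: '{{ include "noProxyValue" (list .Values.default.NO_PROXY .Values.component $.Release.Namespace "cluster.local" .Values.default.clusterDnsZone (default .Values.secret.infracreds.envs.HTTP_PROXY .Values.vault.secret.HTTP_PROXY) (default .Values.secret.infracreds.envs.HTTPS_PROXY .Values.vault.secret.HTTPS_PROXY) . ) | toString }}'
      CLUSTER_DNS_ZONE: '{{ include "selectByPriority" (list "cluster.local" .Values.default.clusterDnsZone) | toString }}'
      SCAN_PARSING_WORKERS: '{{ include "selectByPriority" (list 10 (index .Values.default "kcs-middleware").scanWorkers) | int }}'
      ## Memcached flags. With TLS_INTERNAL the server gets `-Z` (TLS) plus `ssl_verify_mode=1`.
      ## NOTE(review): in memcached, verify mode 1 validates a client certificate only if one is
      ## presented and still accepts clients without one; client authentication therefore rests on
      ## the SASL auth-file (`-Y`), not on mTLS. Mode 2 would require a client certificate -
      ## confirm the middleware/agent-broker clients present one before changing this.
      MEMCACHED_EXTRA_FLAGS: '{{ include "selectByEnv" (list .Values.configmap.infraconfig.envs.TLS_INTERNAL "-Y /var/opt/setup/auth-file" "-Z -o ssl_chain_cert=/opt/bitnami/memcached/certs/client/kcs-memcached.crt,ssl_key=/opt/bitnami/memcached/certs/client/kcs-memcached.key,ssl_ca_cert=/opt/bitnami/memcached/certs/client/ca.crt,ssl_verify_mode=1 -Y /var/opt/setup/auth-file") | toString }}'
      VAULT_PATH: '{{ include "checkEnvEnable" (list .Values.vault.enabled "/vault/secrets" .Values.vault.mountPath false) | toString }}'
      CLICKHOUSE_HOST: '{{ include "checkEnvEnable" (list (not (index .Values.default "kcs-clickhouse").external) "kcs-clickhouse" "" false) | toString }}'
      ## ClickHouse protocol/port switch to https/8443 when TLS_INTERNAL is set.
      CLICKHOUSE_PROTOCOL: '{{ include "checkEnvEnable" (list (not (index .Values.default "kcs-clickhouse").external) "http" "" .Values.configmap.infraconfig.envs.TLS_INTERNAL "https") | toString }}'
      CLICKHOUSE_PORT: '{{ include "checkEnvEnable" (list (not (index .Values.default "kcs-clickhouse").external) "8123" "" .Values.configmap.infraconfig.envs.TLS_INTERNAL "8443") | toString }}'
      ## NOTE(review): unlike CLICKHOUSE_PROTOCOL above, the in-cluster update URL and KESL
      ## protocol are fixed to plain `http` and do not switch with TLS_INTERNAL, even though the
      ## kcs-updates service is declared with `cert: true` and mounts a server certificate.
      ## Confirm that update payloads are integrity-checked by the consumer (signature) or
      ## make these follow TLS_INTERNAL like the ClickHouse variables.
      KCS_UPDATE_URL: '{{ include "checkEnvEnable" (list .Values.default.updates.enabled "http://kcs-updates:8080/kuu/updates" .Values.configmap.infraconfig.envs.KCS_UPDATE_URL false) | toString }}'
      KESL_PROTOCOL: '{{ include "checkEnvEnable" (list .Values.default.updates.enabled "http" .Values.configmap.infraconfig.envs.KESL_PROTOCOL false) | toString }}'
      KESL_HOST: '{{ include "checkEnvEnable" (list .Values.default.updates.enabled "kcs-updates:8080" .Values.configmap.infraconfig.envs.KESL_HOST false) | toString }}'
# ------------------------- #
# ADDITIONAL CERTIFICATES #
# ------------------------- #
## Client/server certificates generated only when internal TLS is enabled AND the
## corresponding datastore is deployed by this chart (not external).
## `skipOnUpgrade: true` keeps existing certificates across `helm upgrade`.
addCerts:
  kcs-postgres:
    create: "{{ and $.Values.configmap.infraconfig.envs.TLS_INTERNAL (not $.Values.default.postgresql.external) }}"
    skipOnUpgrade: true
  pguser:
    create: "{{ and $.Values.configmap.infraconfig.envs.TLS_INTERNAL (not $.Values.default.postgresql.external) }}"
    skipOnUpgrade: true
  kcsuser-write:
    create: '{{ and $.Values.configmap.infraconfig.envs.TLS_INTERNAL (not (index .Values.default "kcs-clickhouse").external) }}'
    skipOnUpgrade: true
  kcsuser-read:
    create: '{{ and $.Values.configmap.infraconfig.envs.TLS_INTERNAL (not (index .Values.default "kcs-clickhouse").external) }}'
    skipOnUpgrade: true
# ------------------------ #
# KCS ROLE & CLUSTERROLE #
# ------------------------ #
## Namespace-scoped RBAC rules for the KCS service account(s).
role:
  ns-pods:
    - apiGroups: [""]
      resources: ["pods", "pods/log"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["apps"]
      resources: ["replicasets"]
      verbs: ["get", "list"]
    ## NOTE(review): read access to ALL Secrets in the release namespace. This includes the
    ## `cert-ca` secret (whose tls.key is the internal CA private key) and `infracreds`.
    ## If the consumer only needs specific secrets, restrict with `resourceNames`.
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list", "watch"]
# -------------- #
# KCS COMPONENTS #
# -------------- #
staticLabels:
  app: kcs
## Per-component rendering definitions (Deployments/StatefulSets, Services, NetworkPolicy
## peers via `allowedServiceTraffic`, Ingress paths, env wiring and Secret file mounts).
component:
  # -------------- #
  # POSTGRESQL #
  # -------------- #
  kcs-postgres:
    ## Automatic enabling/disabling POSTGRESQL service deployment by other key:value.
    ##
    enabled: "{{ not $.Values.default.postgresql.external }}"
    service: true
    image: REGISTRY_ROOT/external/postgresql
    imageTag: 15.13.0
  # -------------- #
  # PANEL #
  # -------------- #
  ## Web UI (nginx). Exposed through the `kcs` ingress at `/`.
  kcs-panel:
    enabled: true
    appType: deployment
    replicaCount: 1
    strategy: RollingUpdate
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    container:
      kcs-panel:
        image: REGISTRY_ROOT/services/panel/nginx
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "100Mi"
            cpu: "10m"
          limits:
            memory: "200Mi"
            cpu: "20m"
        service:
          kcs-panel:
            port: 8080
            containerPort: 8080
            protocol: TCP
            ingress:
              - name: kcs
                path: "/"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        env:
          DEFAULT_LANGUAGE: en-EN
        envFromExistConfigMap:
          TLS_INGRESS: infraconfig
          COOKIE_DOMAIN: infraconfig
          SERVERNAME: infraconfig
        ## Writable scratch dirs required because the root filesystem is read-only.
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: nginx
            mountPath: /var/nginx
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required.
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## INGRESS internal server certificate
          - secret: cert-ingress
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-ingress
            file: tls.key
            mountPath: /certs/service.key
  # -------------- #
  # LICENSES #
  # -------------- #
  ## License service (gRPC). Reachable only from kcs-middleware per `allowedServiceTraffic`.
  kcs-licenses:
    enabled: true
    appType: deployment
    replicaCount: 1
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    container:
      kcs-licenses:
        image: REGISTRY_ROOT/services/licenses
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "200Mi"
            cpu: "100m"
          limits:
            memory: "400Mi"
            cpu: "200m"
        service:
          kcs-licenses:
            cert: true
            port: 51060
            containerPort: 51060
            protocol: TCP
            allowedServiceTraffic:
              - kcs-middleware
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          SCANNER_API_HOST: infraconfig
          SCANNER_API_PORT: infraconfig
          KCS_USE_OLD_DOWNLOADER: infraconfig
          VAULT_PATH: infraconfig
        envFromExistSecret:
          LICENSE_PROXY: infracreds
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: licenses
            mountPath: /var/bin/licenses
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## LICENSE internal server certificate
          - secret: cert-kcs-licenses
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-kcs-licenses
            file: tls.key
            mountPath: /certs/service.key
  # -------------- #
  # SCANNER #
  # -------------- #
  ## Scanner server. Two services: the scan endpoint (from kcs-ih) and the scanner API
  ## (from kcs-middleware, kcs-licenses, kcs-ih).
  kcs-scanner:
    enabled: true
    appType: deployment
    replicaCount: 1
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Waits for the updates service (when enabled) before the scanner starts.
      scan-to-upd-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/updates.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          UPDATES_ENABLED: infraconfig
    container:
      kcs-scanner:
        image: REGISTRY_ROOT/services/scanner-server
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            ephemeral-storage: "3Gi"
            memory: "256Mi"
            cpu: "500m"
          limits:
            ephemeral-storage: "4Gi"
            memory: "2Gi"
            cpu: "1"
        service:
          kcs-scanner:
            cert: true
            port: 8080
            containerPort: 8080
            protocol: TCP
            allowedServiceTraffic:
              - kcs-ih
          kcs-scanner-api:
            cert: true
            port: 8000
            containerPort: 8000
            protocol: TCP
            allowedServiceTraffic:
              - kcs-middleware
              - kcs-licenses
              - kcs-ih
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          KCS_UPDATE_URL: infraconfig
          KCS_USE_OLD_DOWNLOADER: infraconfig
          MIDDLEWARE_GRPC_HOST: infraconfig
          MIDDLEWARE_GRPC_PORT: infraconfig
          ENABLE_JAVA_VULN: infraconfig
          NO_PROXY: infraconfig
          VAULT_PATH: infraconfig
        envFromExistSecret:
          SCANNER_PROXY: infracreds
        ## Go runtime limits derived from the container's resource limits.
        envFromResourceFieldRef:
          GOMAXPROCS:
            resource: limits.cpu
            divisor: 1
          GOMEMLIMIT:
            resource: limits.memory
            divisor: 1
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: cache
            mountPath: /home/appuser/.cache
            readOnly: false
            emptyDir: {}
          - name: updates
            mountPath: /kuu-updates
            readOnly: false
            emptyDir: {}
          - name: kuu
            mountPath: /kuu
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## SCANNER internal server certificate
          - secret: cert-kcs-scanner
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-kcs-scanner
            file: tls.key
            mountPath: /certs/service.key
          - secret: cert-kcs-scanner-api
            file: tls.crt
            mountPath: /certs/service-api.crt
          - secret: cert-kcs-scanner-api
            file: tls.key
            mountPath: /certs/service-api.key
  # --------------- #
  # AGENT BROKER #
  # --------------- #
  ## Agent broker. The four `/agent-api/*` paths are published through the ingress and are
  ## therefore reachable by agents (and anything else) outside the cluster; the internal
  ## `kcs-ab` service is limited to kcs-event-broker.
  kcs-ab:
    enabled: true
    appType: deployment
    replicaCount: 1
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Waits for PostgreSQL; needs the DB credentials and client certificate to connect.
      ab-to-psql-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/psql.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          POSTGRES_DB_NAME: infraconfig
          POSTGRES_HOST: infraconfig
          POSTGRES_PORT: infraconfig
          POSTGRES_EXT: infraconfig
        envFromExistSecret:
          POSTGRES_USER: infracreds
          POSTGRES_PASSWORD: infracreds
        fileFromSecret:
          - secret: cert-pguser
            file: tls.crt
            mountPath: /certs/pguser.crt
          - secret: cert-pguser
            file: tls.key
            mountPath: /certs/pguser.key
      ## Waits for Memcached.
      ab-to-mchd-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/memcached.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          MEMCACHED_HOST: infraconfig
          MEMCACHED_PORT_NUMBER: infraconfig
        fileFromSecret:
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
    container:
      kcs-ab:
        image: REGISTRY_ROOT/services/agent-broker
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          limits:
            memory: "2Gi"
            cpu: "2"
          requests:
            memory: "512Mi"
            cpu: "500m"
        service:
          kcs-ab:
            cert: true
            port: 8000
            containerPort: 8000
            protocol: TCP
            allowedServiceTraffic:
              - kcs-event-broker
          ## Externally reachable agent endpoints (no `cert: true`; TLS is terminated with the
          ## ingress certificate mounted below as /certs/ingress.*).
          kcs-ab-hb:
            port: 8437
            containerPort: 8437
            protocol: TCP
            ingress:
              - name: kcs
                path: "/agent-api/heartbeat"
          kcs-ab-ci:
            port: 8438
            containerPort: 8438
            protocol: TCP
            ingress:
              - name: kcs
                path: "/agent-api/cluster"
          kcs-ab-bench:
            port: 8439
            containerPort: 8439
            protocol: TCP
            ingress:
              - name: kcs
                path: "/agent-api/bench"
          kcs-ab-others:
            port: 8440
            containerPort: 8440
            protocol: TCP
            ingress:
              - name: kcs
                path: "/agent-api/others"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          TLS_INGRESS: infraconfig
          VAULT_PATH: infraconfig
          MIDDLEWARE_GRPC_HOST: infraconfig
          MIDDLEWARE_GRPC_PORT: infraconfig
          POSTGRES_DB_NAME: infraconfig
          POSTGRES_HOST: infraconfig
          POSTGRES_PORT: infraconfig
          POSTGRES_VERIFY_LEVEL: infraconfig
          POSTGRES_CERT_PATH: infraconfig
          POSTGRES_CERT_KEY_PATH: infraconfig
          POSTGRES_ROOT_CA_PATH: infraconfig
          MEMCACHED_HOST: infraconfig
          MEMCACHED_PORT_NUMBER: infraconfig
          NO_PROXY: infraconfig
          HTTP_MODE: infraconfig
          DB_LOG_LEVEL: infraconfig
          API_LOG_LEVEL: infraconfig
          EVENT_BROKER_HOST: infraconfig
          EVENT_BROKER_PORT: infraconfig
        envFromExistSecret:
          HTTP_PROXY: infracreds
          HTTPS_PROXY: infracreds
          POSTGRES_USER: infracreds
          POSTGRES_PASSWORD: infracreds
          MCHD_USER: infracreds
          MCHD_PASS: infracreds
        envFromResourceFieldRef:
          GOMAXPROCS:
            resource: limits.cpu
            divisor: 1
          GOMEMLIMIT:
            resource: limits.memory
            divisor: 1
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## AGENT BROKER internal server certificate
          - secret: cert-kcs-ab
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-kcs-ab
            file: tls.key
            mountPath: /certs/service.key
          ## AGENT BROKER external (ingress) certificate
          - secret: cert-ingress
            file: tls.crt
            mountPath: /certs/ingress.crt
          - secret: cert-ingress
            file: tls.key
            mountPath: /certs/ingress.key
          ## PostgreSQL CA certificate
          - secret: cert-pgsql-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/pgsql-ca.crt
          ## PostgreSQL client certificate
          ## `mode: 0600` is an unquoted octal literal (YAML 1.1 -> 384 decimal, which is what
          ## a Kubernetes volume `mode` expects). Keep it unquoted unless the chart template
          ## is confirmed to convert strings.
          - secret: cert-pguser
            file: tls.crt
            mountPath: /certs/pguser.crt
            mode: 0600
          - secret: cert-pguser
            file: tls.key
            mountPath: /certs/pguser.key
            mode: 0600
  # --------------- #
  # IMAGE HANDLER #
  # --------------- #
  ## Image handler (3 replicas). Talks to the scanner, middleware and updates services.
  kcs-ih:
    enabled: true
    appType: deployment
    replicaCount: 3
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Waits for the middleware.
      ih-to-mw-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/middleware.sh"
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
    container:
      kcs-ih:
        image: REGISTRY_ROOT/services/image-handler
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            ## NOTE(review): this is the only application container besides the datastores with a
            ## writable root filesystem, and it has the largest ephemeral-storage budget below,
            ## which suggests it unpacks image content locally. If the write paths are known,
            ## prefer `readOnlyRootFilesystem: true` plus explicit emptyDir `dir` mounts as the
            ## other components do.
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "4Gi"
            cpu: "2"
            ephemeral-storage: 8Gi
          limits:
            memory: "8Gi"
            cpu: "4"
            ephemeral-storage: 12Gi
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          MIDDLEWARE_HOST: infraconfig
          MIDDLEWARE_PORT: infraconfig
          SCANNER_HOST: infraconfig
          SCANNER_PORT: infraconfig
          SCANNER_API_HOST: infraconfig
          SCANNER_API_PORT: infraconfig
          MIDDLEWARE_GRPC_HOST: infraconfig
          MIDDLEWARE_GRPC_PORT: infraconfig
          NO_PROXY: infraconfig
          KESL_PROTOCOL: infraconfig
          KESL_HOST: infraconfig
          VAULT_PATH: infraconfig
        envFromExistSecret:
          SCANNER_PROXY: infracreds
          HTTP_PROXY: infracreds
          HTTPS_PROXY: infracreds
        envFromResourceFieldRef:
          GOMAXPROCS:
            resource: limits.cpu
            divisor: 1
          GOMEMLIMIT:
            resource: limits.memory
            divisor: 1
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
  # -------------- #
  # MIDDLEWARE #
  # -------------- #
  ## Middleware (API) with a kcs-reports headless-browser sidecar. Uses its own ServiceAccount.
  kcs-middleware:
    enabled: true
    appType: deployment
    replicaCount: 1
    serviceAccount: kcs-middleware
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Waits for PostgreSQL.
      mdw-to-psql-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/psql.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          POSTGRES_DB_NAME: infraconfig
          POSTGRES_HOST: infraconfig
          POSTGRES_PORT: infraconfig
          POSTGRES_EXT: infraconfig
        envFromExistSecret:
          POSTGRES_USER: infracreds
          POSTGRES_PASSWORD: infracreds
        fileFromSecret:
          - secret: cert-pguser
            file: tls.crt
            mountPath: /certs/pguser.crt
          - secret: cert-pguser
            file: tls.key
            mountPath: /certs/pguser.key
      ## Waits for Memcached.
      mdw-to-mchd-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/memcached.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          MEMCACHED_HOST: infraconfig
          MEMCACHED_PORT_NUMBER: infraconfig
        fileFromSecret:
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
    container:
      ## Report renderer sidecar. Exposes a Chrome DevTools-style endpoint on 9222 (the
      ## liveness probe calls /json/version on it). The middleware reaches it via
      ## PRINTER_DEVTOOLS_URL=http://localhost:9222.
      ## NOTE(review): the DevTools protocol carries no authentication. 9222 is declared as a
      ## bare `port` (no Service), but a containerPort is still reachable on the pod IP from
      ## other pods unless the generated NetworkPolicy also restricts it - confirm, or bind the
      ## browser to 127.0.0.1 only.
      kcs-reports:
        image: REGISTRY_ROOT/kcs-reports
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "2Gi"
            cpu: "500m"
          limits:
            memory: "4Gi"
            cpu: "1"
        port:
          kcs-print:
            containerPort: 9222
            protocol: TCP
        livenessProbe:
          httpGet:
            path: /json/version
            port: 9222
          initialDelaySeconds: 30
          periodSeconds: 10
        envFromExistConfigMap:
          PRINTER_TARGET_URL: infraconfig
        dir:
          - name: tmp1
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: cache
            mountPath: /var/cache
            readOnly: false
            emptyDir: {}
      kcs-middleware:
        image: REGISTRY_ROOT/services/middleware
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "2Gi"
            cpu: "500m"
          limits:
            memory: "4Gi"
            cpu: "1"
        port:
          kcs-mw-ch:
            containerPort: 9224
            protocol: TCP
        service:
          kcs-middleware:
            cert: true
            port: 8000
            containerPort: 8000
            protocol: TCP
            allowedServiceTraffic:
              - kcs-ih
              - kcs-event-broker
          ## Public API. NOTE(review): `/public/swagger` and `/public/redoc` publish the API
          ## schema through the same ingress as `/api`; restrict or disable them in production
          ## if the schema is not meant to be world-readable.
          kcs-mw-ingress:
            port: 8443
            containerPort: 8443
            protocol: TCP
            ingress:
              - name: kcs
                path: "/api"
              - name: kcs
                path: "/public/swagger"
              - name: kcs
                path: "/public/redoc"
          kcs-mw-grpc:
            cert: true
            port: 51065
            containerPort: 51065
            protocol: TCP
            allowedServiceTraffic:
              - kcs-ih
              - kcs-scanner
              - kcs-ab
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          TLS_INGRESS: infraconfig
          API_URL: infraconfig
          CLUSTER_DNS_ZONE: infraconfig
          VAULT_PATH: infraconfig
          KUBE_AGENT_TAG: infraconfig
          NODE_AGENT_TAG: infraconfig
          IMAGE_TAG_MIDDLEWARE: infraconfig
          POSTGRES_DB_NAME: infraconfig
          POSTGRES_HOST: infraconfig
          POSTGRES_PORT: infraconfig
          POSTGRES_VERIFY_LEVEL: infraconfig
          POSTGRES_CERT_PATH: infraconfig
          POSTGRES_CERT_KEY_PATH: infraconfig
          POSTGRES_ROOT_CA_PATH: infraconfig
          POSTGRES_EXT: infraconfig
          MEMCACHED_HOST: infraconfig
          MEMCACHED_PORT_NUMBER: infraconfig
          API_LOG_LEVEL: infraconfig
          HTTP_MODE: infraconfig
          DB_LOG_LEVEL: infraconfig
          CEF_PROTOCOL: infraconfig
          CEF_HOST: infraconfig
          CEF_PORT: infraconfig
          LICENSE_GRPC_HOST: infraconfig
          LICENSE_GRPC_PORT: infraconfig
          SCANNER_API_HOST: infraconfig
          SCANNER_API_PORT: infraconfig
          SCANNER_API_PATH: infraconfig
          NO_PROXY: infraconfig
          SCAN_PARSING_WORKERS: infraconfig
          TECHNICAL_ACCOUNTS_SECRET_NAME: infraconfig
          MIDDLEWARE_GRPC_HOST: infraconfig
          MIDDLEWARE_GRPC_PORT: infraconfig
          PRINTER_DEVTOOLS_URL: infraconfig
          PRINTER_TARGET_SERVER_PORT: infraconfig
          MINIO_ENABLED: infraconfig
          MINIO_HOST: infraconfig
          MINIO_PORT: infraconfig
          MINIO_BUCKET_NAME: infraconfig
          MINIO_SSL: infraconfig
          MINIO_ROOT_CA_PATH: infraconfig
          MINIO_EXT: infraconfig
          REGISTRY_AGENT_URL: infraconfig
          CLICKHOUSE_EXT: infraconfig
          EVENT_BROKER_HOST: infraconfig
          EVENT_BROKER_PORT: infraconfig
          EVENT_LIFETIME_HOURS: infraconfig
          SCAN_LIFETIME_HOURS: infraconfig
          UPDATES_ENABLED: infraconfig
        ## NOTE(review): the middleware receives the MinIO ROOT credentials (the same
        ## MINIO_ROOT_USER/MINIO_ROOT_PASSWORD the kcs-s3 server boots with). A dedicated
        ## bucket-scoped access key would limit the impact of a middleware compromise.
        envFromExistSecret:
          HTTP_PROXY: infracreds
          HTTPS_PROXY: infracreds
          POSTGRES_USER: infracreds
          POSTGRES_PASSWORD: infracreds
          MINIO_ROOT_USER: infracreds
          MINIO_ROOT_PASSWORD: infracreds
          MCHD_USER: infracreds
          MCHD_PASS: infracreds
          TECHNICAL_ACCOUNTS: infracreds
          APP_SECRET: infracreds
        envFromResourceFieldRef:
          GOMAXPROCS:
            resource: limits.cpu
            divisor: 1
          GOMEMLIMIT:
            resource: limits.memory
            divisor: 1
        envFromfieldRef:
          POD_NAME: metadata.name
        dir:
          - name: tmp2
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## NOTE(review): this mounts the internal CA PRIVATE KEY into the middleware. Whoever
          ## holds it can mint certificates trusted by every internal service (all services
          ## mount cert-ca/tls.crt as their trust anchor), defeating the interservice mTLS.
          ## If the middleware must issue certificates (e.g. for agents), consider a dedicated
          ## intermediate CA so the root key never leaves the signing path.
          - secret: cert-ca
            file: tls.key
            mountPath: /etc/ssl/certs/ca.key
          ## MIDDLEWARE grpc
          - secret: cert-kcs-mw-grpc
            file: tls.crt
            mountPath: /certs/service-grpc.crt
          - secret: cert-kcs-mw-grpc
            file: tls.key
            mountPath: /certs/service-grpc.key
          ## MinIO CA certificate
          - secret: cert-minio-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/minio-ca.crt
          ## PostgreSQL CA certificate
          - secret: cert-pgsql-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/pgsql-ca.crt
          ## PostgreSQL client certificate
          - secret: cert-pguser
            file: tls.crt
            mountPath: /certs/pguser.crt
            mode: 0600
          - secret: cert-pguser
            file: tls.key
            mountPath: /certs/pguser.key
            mode: 0600
          ## MIDDLEWARE internal server certificate
          - secret: cert-kcs-middleware
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-kcs-middleware
            file: tls.key
            mountPath: /certs/service.key
          ## MIDDLEWARE external (ingress) certificate
          - secret: cert-ingress
            file: tls.crt
            mountPath: /certs/ingress.crt
          - secret: cert-ingress
            file: tls.key
            mountPath: /certs/ingress.key
  # -------------- #
  # UPDATES #
  # -------------- #
  ## Update mirror (nginx). Deployed only when default.updates.enabled is set.
  kcs-updates:
    enabled: "{{ $.Values.default.updates.enabled }}"
    appType: deployment
    replicaCount: 1
    recreate: true
    securityContext:
      kubernetes:
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsUser: 2222
        ## Fixed: every other KCS application pod pins runAsGroup alongside runAsUser; this
        ## component omitted it, leaving the primary GID to the image (or gid 0).
        runAsGroup: 2222
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    container:
      kcs-updates:
        image: REGISTRY_ROOT/updates
        ## NOTE(review): `v2.1` is a floating (minor-version) tag combined with
        ## `imagePullPolicy: Always`, so the image content can change on every pod restart
        ## without a chart change. All other components pin `v2.1.0`; pin this one too (or
        ## reference a digest) once the intended tag is confirmed.
        imageTag: v2.1
        imagePullPolicy: Always
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            cpu: "20m"
            memory: "64Mi"
          limits:
            cpu: "40m"
            memory: "128Mi"
        service:
          kcs-updates:
            cert: true
            port: 8080
            containerPort: 8080
            protocol: TCP
            ## `/kuu` is also published through the ingress (for node agents); `agent` below is
            ## the NetworkPolicy peer name for them.
            ingress:
              - name: kcs
                path: "/kuu"
            allowedServiceTraffic:
              - kcs-ih
              - kcs-scanner
              - agent
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: nginx
            mountPath: /var/nginx
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## UPDATES internal server certificate
          - secret: cert-kcs-updates
            file: tls.crt
            mountPath: /certs/service.crt
          - secret: cert-kcs-updates
            file: tls.key
            mountPath: /certs/service.key
  # -------------- #
  # EVENT-BROKER #
  # -------------- #
  ## Event broker in front of ClickHouse. `kcs-eb` (8881) is internal; `kcs-eb-ingress`
  ## (8880) is published through the ingress at `/clickhouse`.
  kcs-event-broker:
    enabled: true
    appType: deployment
    replicaCount: 1
    recreate: true
    securityContext:
      kubernetes:
        runAsUser: 2222
        runAsGroup: 2222
        fsGroup: 2222
        fsGroupChangePolicy: Always
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Waits for ClickHouse using the read-only user.
      eb-to-clhs-check:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/clickhouse.sh"
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          CLICKHOUSE_HOST: infraconfig
          CLICKHOUSE_PORT: infraconfig
          CLICKHOUSE_EXT: infraconfig
        envFromExistSecret:
          CLICKHOUSE_READ_PASSWORD: infracreds
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
        fileFromSecret:
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          - secret: cert-kcsuser-read
            file: tls.crt
            mountPath: /etc/ssl/certs/kcsuser-read.crt
          - secret: cert-kcsuser-read
            file: tls.key
            mountPath: /etc/ssl/certs/kcsuser-read.key
    container:
      kcs-event-broker:
        image: REGISTRY_ROOT/services/event-broker
        imageTag: v2.1.0
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "1Gi"
            cpu: "1"
        service:
          kcs-eb:
            cert: true
            port: 8881
            containerPort: 8881
            protocol: TCP
            allowedServiceTraffic:
              - kcs-middleware
              - kcs-ab
          ## NOTE(review): this exposes a ClickHouse-facing endpoint on the public ingress.
          ## Confirm the broker authenticates/authorizes every request on 8880 and does not
          ## forward arbitrary queries with the write user's credentials mounted below.
          kcs-eb-ingress:
            port: 8880
            containerPort: 8880
            protocol: TCP
            ingress:
              - name: kcs
                path: "/clickhouse"
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8001
          initialDelaySeconds: 60
          periodSeconds: 10
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          TLS_INGRESS: infraconfig
          CLUSTER_DNS_ZONE: infraconfig
          VAULT_PATH: infraconfig
          AGENT_BROKER_HOST: infraconfig
          AGENT_BROKER_PORT: infraconfig
          MIDDLEWARE_HOST: infraconfig
          MIDDLEWARE_PORT: infraconfig
          CLICKHOUSE_PROTOCOL: infraconfig
          CLICKHOUSE_HOST: infraconfig
          CLICKHOUSE_PORT: infraconfig
          CLICKHOUSE_EXT: infraconfig
          EXT_CLICKHOUSE_PROTOCOL: infraconfig
          EXT_CLICKHOUSE_HOST: infraconfig
          EXT_CLICKHOUSE_PORT: infraconfig
          EXT_CLICKHOUSE_DB_NAME: infraconfig
          EXT_CLICKHOUSE_COLD_STORAGE_NAME: infraconfig
          EXT_CLICKHOUSE_STORAGE_POLICY_NAME: infraconfig
          EXT_CLICKHOUSE_SSL_AUTH: infraconfig
          EXT_CLICKHOUSE_ROOT_CA_PATH: infraconfig
        envFromExistSecret:
          EXT_CLICKHOUSE_WRITE_USER: infracreds
          EXT_CLICKHOUSE_READ_USER: infracreds
          CLICKHOUSE_READ_PASSWORD: infracreds
          CLICKHOUSE_WRITE_PASSWORD: infracreds
        envFromfieldRef:
          POD_NAMESPACE: metadata.namespace
        envFromResourceFieldRef:
          WORKER_PROCESSES:
            resource: limits.cpu
            divisor: 1
        dir:
          - name: tmp
            mountPath: /tmp
            readOnly: false
            emptyDir: {}
          - name: nginx
            mountPath: /var/nginx
            readOnly: false
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## EventBroker internal server certificate
          ## NOTE(review): private keys are placed under /etc/ssl/certs here, unlike the other
          ## components which keep keys in /certs. Harmless if the Secret volume mode is
          ## restrictive, but keep keys out of the shared trust-store directory if possible.
          - secret: cert-kcs-eb
            file: tls.crt
            mountPath: /etc/ssl/certs/service.crt
          - secret: cert-kcs-eb
            file: tls.key
            mountPath: /etc/ssl/certs/service.key
          ## ClickHouse CA certificate
          - secret: cert-kcs-clickhouse-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/kcs-clickhouse-ca.crt
          ## ClickHouse client certificates
          - secret: cert-kcsuser-write
            file: tls.crt
            mountPath: /etc/ssl/certs/kcsuser-write.crt
          - secret: cert-kcsuser-write
            file: tls.key
            mountPath: /etc/ssl/certs/kcsuser-write.key
          - secret: cert-kcsuser-read
            file: tls.crt
            mountPath: /etc/ssl/certs/kcsuser-read.crt
          - secret: cert-kcsuser-read
            file: tls.key
            mountPath: /etc/ssl/certs/kcsuser-read.key
          ## EventBroker external (ingress) certificate
          - secret: cert-ingress
            file: tls.crt
            mountPath: /etc/ssl/certs/cert.crt
          - secret: cert-ingress
            file: tls.key
            mountPath: /etc/ssl/certs/cert.key
  # -------------- #
  # MEMCACHED #
  # -------------- #
  ## Memcached (Bitnami image). Authentication via a SASL auth-file generated by the
  ## init container from MCHD_USER/MCHD_PASS; TLS flags come from MEMCACHED_EXTRA_FLAGS.
  kcs-memcached:
    enabled: true
    appType: statefulSet
    podManagementPolicy: OrderedReady
    replicaCount: 1
    strategy: RollingUpdate
    securityContext:
      kubernetes:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        fsGroupChangePolicy: Always
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
    initContainer:
      ## Writes /var/opt/setup/auth-file into the shared emptyDir consumed read-only below.
      setup-mchd:
        image: REGISTRY_ROOT/initer
        imageTag: v2.1.0
        command:
          - "sh"
          - "-c"
          - "/opt/scripts/mchd-setup.sh"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        envFromExistConfigMap:
          VAULT_PATH: infraconfig
        envFromExistSecret:
          MCHD_USER: infracreds
          MCHD_PASS: infracreds
        dir:
          - name: setup
            mountPath: /var/opt/setup
    container:
      kcs-memcached:
        imagePullPolicy: IfNotPresent
        image: REGISTRY_ROOT/external/memcached
        imageTag: 1.6.38
        command:
          - "/bin/bash"
          - "-c"
        args:
          - "exec /opt/bitnami/scripts/memcached/entrypoint.sh /opt/bitnami/scripts/memcached/run.sh"
        service:
          kcs-memcached:
            cert: true
            port: 11211
            containerPort: 11211
            protocol: TCP
            allowedServiceTraffic:
              - kcs-middleware
              - kcs-ab
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        resources:
          requests:
            cpu: "250m"
            memory: "128Mi"
          limits:
            cpu: "2"
            memory: "2Gi"
        env:
          ## NOTE(review): unquoted `false` is a YAML boolean; Kubernetes env values must be
          ## strings. Left as-is because the chart's env template may stringify it - verify the
          ## rendered manifest, otherwise quote it ("false").
          BITNAMI_DEBUG: false
        livenessProbe:
          failureThreshold: 6
          initialDelaySeconds: 30
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
          exec:
            command:
              - pgrep
              - memcached
        envFromExistConfigMap:
          MEMCACHED_PORT_NUMBER: infraconfig
          MEMCACHED_MAX_CONNECTIONS: infraconfig
          MEMCACHED_EXTRA_FLAGS: infraconfig
          MEMCACHED_MAX_ITEM_SIZE: infraconfig
        envFromResourceFieldRef:
          MEMCACHED_THREADS:
            resource: limits.cpu
            divisor: 1
          MEMCACHED_CACHE_SIZE:
            resource: limits.memory
            divisor: 1Mi
        dir:
          - name: setup
            mountPath: /var/opt/setup
            readOnly: true
            emptyDir: {}
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /opt/bitnami/memcached/certs/client/ca.crt
          ## NOTE(review): the CA private key is mounted into the cache server. The
          ## MEMCACHED_EXTRA_FLAGS above reference only ca.crt, kcs-memcached.crt and
          ## kcs-memcached.key, so ca.key appears unused here; dropping this mount removes a
          ## copy of the root key from a component that does not need it.
          - secret: cert-ca
            file: tls.key
            mountPath: /opt/bitnami/memcached/certs/client/ca.key
          ## Memcached internal server certificate
          - secret: cert-kcs-memcached
            file: tls.crt
            mountPath: /opt/bitnami/memcached/certs/client/kcs-memcached.crt
          - secret: cert-kcs-memcached
            file: tls.key
            mountPath: /opt/bitnami/memcached/certs/client/kcs-memcached.key
  # -------------- #
  # CLICKHOUSE #
  # -------------- #
  ## Embedded ClickHouse, deployed only when no external ClickHouse is configured.
  ## Reachable only from kcs-event-broker per `allowedServiceTraffic`.
  kcs-clickhouse:
    enabled: '{{ not (index .Values.default "kcs-clickhouse").external }}'
    appType: statefulSet
    podManagementPolicy: OrderedReady
    replicaCount: 1
    strategy: RollingUpdate
    securityContext:
      kubernetes:
        runAsUser: 1001
        ## NOTE(review): primary group is root (0) and the pod-level context has no
        ## `runAsNonRoot` (only the container sets it). This matches upstream Bitnami defaults,
        ## but it is weaker than the other KCS components; use 1001 if the image permits.
        runAsGroup: 0
        fsGroup: 1001
        fsGroupChangePolicy: Always
        seccompProfile:
          type: RuntimeDefault
    container:
      kcs-clickhouse:
        image: REGISTRY_ROOT/services/clickhouse
        ## A separate image variant is used when internal TLS is disabled.
        imageTag: '{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}v2.1.0{{- else }}v2.1.0-without-ssl{{- end }}'
        command:
          - "/bin/bash"
          - "-c"
        ## Listens on all interfaces; network exposure is bounded by the NetworkPolicy only.
        args:
          - "exec /opt/bitnami/scripts/clickhouse/entrypoint.sh /opt/bitnami/scripts/clickhouse/run.sh -- --listen_host=0.0.0.0"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
        ## NOTE(review): requests only, no limits - the only component in this file without
        ## them. An unbounded analytics DB can starve co-located pods; set limits sized for
        ## the deployment.
        resources:
          requests:
            cpu: 200m
            memory: 1Gi
        service:
          kcs-clickhouse:
            cert: true
            port: '{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}8443{{- else }}8123{{- end }}'
            containerPort: '{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}8443{{- else }}8123{{- end }}'
            protocol: TCP
            allowedServiceTraffic:
              - kcs-event-broker
        livenessProbe:
          exec:
            command:
              - /bin/bash
              - /healthcheck.sh
          initialDelaySeconds: 60
          periodSeconds: 10
          timeoutSeconds: 3
          successThreshold: 1
          failureThreshold: 3
        readinessProbe:
          exec:
            command:
              - /bin/bash
              - /healthcheck.sh
          initialDelaySeconds: 20
          periodSeconds: 10
          timeoutSeconds: 3
          successThreshold: 1
          failureThreshold: 3
        envFromExistConfigMap:
          TLS_INTERNAL: infraconfig
          CLICKHOUSE_PORT: infraconfig
          CLICKHOUSE_SINGLE_STORAGE: infraconfig
        envFromExistSecret:
          CLICKHOUSE_ADMIN_PASSWORD: infracreds
          CLICKHOUSE_WRITE_PASSWORD: infracreds
          CLICKHOUSE_READ_PASSWORD: infracreds
        persistent: '{{ (index .Values.default "kcs-clickhouse").persistent }}'
        storage:
          pvc-clickhouse-cold:
            mountPath: /bitnami/clickhouse/cold
            accessModes: "ReadWriteOnce"
          pvc-clickhouse-hot:
            enabled: "{{ not ($.Values.configmap.infraconfig.envs.CLICKHOUSE_SINGLE_STORAGE) }}"
            mountPath: /bitnami/clickhouse/hot
            accessModes: "ReadWriteOnce"
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/clickhouse-server/certs/ca.crt
          ## Clickhouse internal server certificate
          - secret: cert-kcs-clickhouse
            file: tls.crt
            mountPath: /etc/clickhouse-server/certs/cert.crt
          - secret: cert-kcs-clickhouse
            file: tls.key
            mountPath: /etc/clickhouse-server/certs/cert.key
  # -------------- #
  # S3 #
  # -------------- #
  ## Embedded MinIO, deployed only when kcs-s3 is enabled and not external.
  ## Reachable only from kcs-middleware per `allowedServiceTraffic`.
  kcs-s3:
    enabled: '{{ and (index .Values.default "kcs-s3").enabled (not (default false (index .Values.default "kcs-s3").external)) }}'
    appType: statefulSet
    podManagementPolicy: OrderedReady
    replicaCount: 1
    strategy: RollingUpdate
    securityContext:
      kubernetes:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        fsGroupChangePolicy: OnRootMismatch
        seccompProfile:
          type: RuntimeDefault
    container:
      kcs-s3:
        imagePullPolicy: IfNotPresent
        image: REGISTRY_ROOT/external/minio
        imageTag: 2025.8.19
        command:
          - "/bin/bash"
          - "-c"
        args:
          - "/usr/bin/docker-entrypoint.sh server /data"
        securityContext:
          kubernetes:
            readOnlyRootFilesystem: false
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsNonRoot: true
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
          limits:
            cpu: "500m"
            memory: "512Mi"
        service:
          kcs-s3:
            cert: true
            port: 9000
            containerPort: 9000
            protocol: TCP
            allowedServiceTraffic:
              - kcs-middleware
        ## NOTE(review): liveness probes port 9001 while the API service is 9000 and no
        ## console address is passed on the command line; this relies on the image setting
        ## the console port to 9001 - verify against the rendered container, otherwise the
        ## probe will fail and restart the pod.
        livenessProbe:
          httpGet:
            path: /minio/health/live
            port: 9001
            scheme: "{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}HTTPS{{- else }}HTTP{{- end }}"
          initialDelaySeconds: 60
          periodSeconds: 5
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /minio/health/cluster
            port: 9000
            scheme: "{{- if $.Values.configmap.infraconfig.envs.TLS_INTERNAL }}HTTPS{{- else }}HTTP{{- end }}"
          initialDelaySeconds: 60
          periodSeconds: 5
          timeoutSeconds: 1
          successThreshold: 1
          failureThreshold: 5
        env:
          MINIO_CERTS_DIR: /certs
        envFromExistConfigMap:
          MINIO_PORT: infraconfig
          TLS_INTERNAL: infraconfig
        envFromExistSecret:
          MINIO_ROOT_USER: infracreds
          MINIO_ROOT_PASSWORD: infracreds
        persistent: true
        storage:
          pvc-minio:
            mountPath: /data
            accessModes: "ReadWriteOnce"
        fileFromSecret:
          ## Declaration of possible file mounting.
          ## Editing is not required
          ## Internal CA
          - secret: cert-ca
            file: tls.crt
            mountPath: /etc/ssl/certs/ca.crt
          ## NOTE(review): as with memcached and the middleware, the CA private key is mounted
          ## into this datastore. MinIO only needs its own public.crt/private.key (below) plus
          ## the CA certificate to serve TLS; remove this mount unless a documented use exists.
          - secret: cert-ca
            file: tls.key
            mountPath: /etc/ssl/certs/ca.key
          ## S3 internal server certificate
          - secret: cert-kcs-s3
            file: tls.crt
            mountPath: /certs/public.crt
          - secret: cert-kcs-s3
            file: tls.key
            mountPath: /certs/private.key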