diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md
index 0467149b01..cdfac23300 100644
--- a/helm/charts/hydra/README.md
+++ b/helm/charts/hydra/README.md
@@ -28,6 +28,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Configure node affinity |
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | deployment.annotations | object | `{}` | |
 | deployment.automountServiceAccountToken | bool | `true` | |
 | deployment.autoscaling.enabled | bool | `false` | |
@@ -76,20 +77,21 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | job | object | `{"annotations":{},"automountServiceAccountToken":true,"extraContainers":{},"extraInitContainers":{},"lifecycle":{},"serviceAccount":{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""},"shareProcessNamespace":false,"spec":{"backoffLimit":10}}` | Values for initialization job |
 | job.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
-| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
 | job.extraInitContainers | object | `{}` | If you want to add extra init containers. extraInitContainers: | - name: ... image: ... |
-| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
+| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
 | job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
 | job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
 | job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
 | job.spec.backoffLimit | int | `10` | Set job back off limit |
 | maester | object | `{"enabled":true}` | Configures controller setup |
 | nameOverride | string | `""` | |
 | pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
 | replicaCount | int | `1` | Number of ORY Hydra members |
 | secret.enabled | bool | `true` | switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | secret.secretAnnotations."helm.sh/hook" | string | `"pre-install, pre-upgrade"` | |
 | secret.secretAnnotations."helm.sh/hook-delete-policy" | string | `"before-hook-creation"` | |
@@ -107,7 +109,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.public.port | int | `4444` | The service port |
 | service.public.type | string | `"ClusterIP"` | The service type |
-| serviceMonitor | object | `{"enabled":true,"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
+| serviceMonitor | object | `{"enabled":true,"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
 | serviceMonitor.enabled | bool | `true` | switch to false to prevent creating the ServiceMonitor |
 | serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
 | serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
diff --git a/helm/charts/keto/README.md b/helm/charts/keto/README.md
index e60119d440..7f884cac6e 100644
--- a/helm/charts/keto/README.md
+++ b/helm/charts/keto/README.md
@@ -21,10 +21,11 @@ Access Control Policies as a Server
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | deployment | object | `{"affinity":{},"annotations":{},"automountServiceAccountToken":true,"autoscaling":{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80},"extraContainers":{},"extraEnv":[],"extraLabels":{},"extraVolumeMounts":[],"extraVolumes":[],"livenessProbe":{"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":10},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"readinessProbe":{"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":10},"resources":{},"tolerations":[],"tracing":{"datadog":{"enabled":false}}}` | Configure the probes for when the deployment is considered ready and ongoing health check |
 | deployment.annotations | object | `{}` | Add custom annotations to the deployment |
 | deployment.autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Autoscaling for keto deployment |
-| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
 | deployment.extraEnv | list | `[]` | Array of extra Envs to be added to the deployment. K8s format expected - name: FOO value: BAR |
 | deployment.extraLabels | object | `{}` | Extra labels to be added to the deployment, and pods. K8s object format expected foo: bar my.special.label/type: value |
 | deployment.extraVolumeMounts | list | `[]` | Array of extra VolumeMounts to be added to the deployment. K8s format expected - name: my-volume mountPath: /etc/secrets/my-secret readOnly: true |
@@ -41,20 +42,21 @@ Access Control Policies as a Server
 | job | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"},"automountServiceAccountToken":true,"extraContainers":{},"lifecycle":{},"serviceAccount":{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""},"shareProcessNamespace":false,"spec":{"backoffLimit":10}}` | Values for initialization job |
 | job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
-| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
-| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
+| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
 | job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
 | job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
 | job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
 | job.spec.backoffLimit | int | `10` | Set job back off limit |
 | keto | object | `{"autoMigrate":false,"config":{"dsn":"memory","namespaces":[{"id":0,"name":"sample"}],"serve":{"metrics":{"port":4468},"read":{"port":4466},"write":{"port":4467}}}}` | Main keto config. Full documentation can be found in https://www.ory.sh/keto/docs/reference/configuration |
 | nameOverride | string | `""` | |
 | pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
 | replicaCount | int | `1` | |
-| secret | object | `{"enabled":true,"nameOverride":"","secretAnnotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}}` | Secret management |
+| secret | object | `{"enabled":true,"hashSumEnabled":true,"nameOverride":"","secretAnnotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0","helm.sh/resource-policy":"keep"}}` | Secret management |
 | secret.enabled | bool | `true` | Switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100}` | Default security context configuration |
 | service | object | `{"metrics":{"annotations":{},"enabled":false,"name":"http-metrics","port":80,"type":"ClusterIP"},"read":{"enabled":true,"name":"http-read","port":80,"type":"ClusterIP"},"write":{"enabled":true,"name":"http-write","port":80,"type":"ClusterIP"}}` | Service configurations |
@@ -64,7 +66,7 @@ Access Control Policies as a Server
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| serviceMonitor | object | `{"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
+| serviceMonitor | object | `{"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
 | serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
 | serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
 | serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |
diff --git a/helm/charts/kratos/README.md b/helm/charts/kratos/README.md
index 82f59d6d48..d188ac2049 100644
--- a/helm/charts/kratos/README.md
+++ b/helm/charts/kratos/README.md
@@ -10,10 +10,11 @@ A ORY Kratos Helm chart for Kubernetes
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Configure node affinity |
 | autoscaling | object | `{"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPUUtilizationPercentage":80}` | Horizontal pod autoscaling configuration |
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | deployment.annotations | object | `{}` | |
 | deployment.automountServiceAccountToken | bool | `true` | |
 | deployment.extraArgs | list | `[]` | Array of extra arguments to be passed down to the deployment. Kubernetes args format is expected - --foo - --sqa-opt-out |
-| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
 | deployment.extraEnv | list | `[]` | Array of extra envs to be passed to the deployment. Kubernetes format is expected - name: FOO value: BAR |
 | deployment.extraInitContainers | object | `{}` | |
 | deployment.extraVolumeMounts | list | `[]` | |
@@ -55,13 +56,13 @@ A ORY Kratos Helm chart for Kubernetes
 | job | object | `{"annotations":{},"automountServiceAccountToken":true,"extraContainers":{},"lifecycle":{},"serviceAccount":{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""},"shareProcessNamespace":false,"spec":{"backoffLimit":10}}` | Values for initialization job |
 | job.annotations | object | `{}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
 | job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
-| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
-| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
+| job.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| job.lifecycle | object | `{}` | If you want to add lifecycle hooks. |
 | job.serviceAccount | object | `{"annotations":{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"},"create":true,"name":""}` | Specify the serviceAccountName value. In some situations it is needed to provides specific permissions to Hydra deployments Like for example installing Hydra on a cluster with a PosSecurityPolicy and Istio. Uncoment if it is needed to provide a ServiceAccount for the Hydra deployment. |
 | job.serviceAccount.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation","helm.sh/hook-weight":"0"}` | Annotations to add to the service account |
 | job.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | job.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
-| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
+| job.shareProcessNamespace | bool | `false` | Set sharing process namespace |
 | job.spec.backoffLimit | int | `10` | Set job back off limit |
 | kratos.autoMigrate | bool | `false` | Enable the initialization job. Required to work with a DB |
 | kratos.config | object | `{"courier":{"smtp":{}},"secrets":{},"serve":{"admin":{"port":4434},"public":{"port":4433}}}` | You can customize the emails kratos is sending (also uncomment config.courier.template_override_path below) Note: If you are setting config.courier.template_override_path you need to supply overrides for all templates. It is currently not possible to overrides only selected methods. emailTemplates: recovery: valid: subject: Recover access to your account body: |- Hi, please recover access to your account by clicking the following link: {{ .RecoveryURL }} plainBody: Hi, please recover access to your account by clicking the following link: {{ .RecoveryURL }} invalid: subject: Account access attempted body: |- Hi, you (or someone else) entered this email address when trying to recover access to an account. However, this email address is not on our database of registered users and therefore the attempt has failed. If this was you, check if you signed up using a different address. If this was not you, please ignore this email. plainBody: Hi, you (or someone else) entered this email address when trying to recover access to an account. verification: valid: subject: Please verify your email address body: |- Hi, please verify your account by clicking the following link: {{ .VerificationURL }} plainBody: Hi, please verify your account by clicking the following link: {{ .VerificationURL }} invalid: subject: body: plainBody: |
@@ -72,6 +73,7 @@ A ORY Kratos Helm chart for Kubernetes
 | pdb | object | `{"enabled":false,"spec":{"minAvailable":1}}` | PodDistributionBudget configuration |
 | replicaCount | int | `1` | |
 | secret.enabled | bool | `true` | switch to false to prevent creating the secret |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | secret.secretAnnotations."helm.sh/hook" | string | `"pre-install, pre-upgrade"` | |
 | secret.secretAnnotations."helm.sh/hook-delete-policy" | string | `"before-hook-creation"` | |
@@ -95,7 +97,7 @@ A ORY Kratos Helm chart for Kubernetes
 | service.public.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.public.port | int | `80` | |
 | service.public.type | string | `"ClusterIP"` | |
-| serviceMonitor | object | `{"enabled":true,"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
+| serviceMonitor | object | `{"enabled":true,"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
 | serviceMonitor.enabled | bool | `true` | switch to false to prevent creating the ServiceMonitor |
 | serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
 | serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
diff --git a/helm/charts/oathkeeper/README.md b/helm/charts/oathkeeper/README.md
index 0b574df7cf..2c24b473ea 100644
--- a/helm/charts/oathkeeper/README.md
+++ b/helm/charts/oathkeeper/README.md
@@ -28,10 +28,11 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Configure node affinity |
+| configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | demo | bool | `false` | If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated. |
 | deployment.annotations | object | `{}` | |
 | deployment.automountServiceAccountToken | bool | `false` | |
-| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
+| deployment.extraContainers | object | `{}` | If you want to add extra sidecar containers. |
 | deployment.extraEnv | list | `[]` | |
 | deployment.extraVolumeMounts | list | `[]` | Extra volume mounts, allows mounting the extraVolumes to the container. |
 | deployment.extraVolumes | list | `[]` | Extra volumes you can attach to the pod. |
@@ -59,7 +60,6 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | ingress | object | `{"api":{"annotations":{},"className":"","enabled":false,"hosts":[{"host":"api.oathkeeper.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]},"proxy":{"annotations":{},"className":"","defaultBackend":{},"enabled":false,"hosts":[{"host":"proxy.oathkeeper.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}}` | Configure ingress |
 | ingress.api.enabled | bool | `false` | En-/Disable the api ingress. |
 | ingress.proxy | object | `{"annotations":{},"className":"","defaultBackend":{},"enabled":false,"hosts":[{"host":"proxy.oathkeeper.localhost","paths":[{"path":"/","pathType":"ImplementationSpecific"}]}]}` | Configure ingress for the proxy port. |
-| ingress.proxy.defaultBackend | object | `{}` | Configuration for custom default service. This service will be used to handle the response when the configured service in the Ingress rule does not have any active endpoints |
 | ingress.proxy.enabled | bool | `false` | En-/Disable the proxy ingress. |
 | maester | object | `{"enabled":true}` | Configures controller setup |
 | nameOverride | string | `""` | Chart name override |
@@ -72,6 +72,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | replicaCount | int | `1` | Number of ORY Oathkeeper members |
 | secret.enabled | bool | `true` | switch to false to prevent creating the secret |
 | secret.filename | string | `"mutator.id_token.jwks.json"` | default filename of JWKS (mounted as secret) |
+| secret.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | secret.mountPath | string | `"/etc/secrets"` | default mount path for the kubernetes secret |
 | secret.nameOverride | string | `""` | Provide custom name of existing secret, or custom name of secret to be created |
 | secret.secretAnnotations."helm.sh/hook" | string | `"pre-install, pre-upgrade"` | |
@@ -100,7 +101,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | service.proxy.name | string | `"http"` | The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) |
 | service.proxy.port | int | `4455` | The service port |
 | service.proxy.type | string | `"ClusterIP"` | The service type |
-| serviceMonitor | object | `{"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
+| serviceMonitor | object | `{"labels":{},"scheme":"http","scrapeInterval":"60s","scrapeTimeout":"30s","tlsConfig":{}}` | Parameters for the Prometheus ServiceMonitor objects. Reference: https://docs.openshift.com/container-platform/4.6/rest_api/monitoring_apis/servicemonitor-monitoring-coreos-com-v1.html |
 | serviceMonitor.labels | object | `{}` | Provide additionnal labels to the ServiceMonitor ressource metadata |
 | serviceMonitor.scheme | string | `"http"` | HTTP scheme to use for scraping. |
 | serviceMonitor.scrapeInterval | string | `"60s"` | Interval at which metrics should be scraped |