-
Notifications
You must be signed in to change notification settings - Fork 3
/
values.yaml
173 lines (147 loc) · 3.81 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# Strict mode
strict: true
# OPA Notary Connector configuration
repositories: []
#- name: "localhost.*"
#priority: 10
#trust:
#enabled: true
#trustServer: "https://notary-server.notary.svc.cluster.local:4443"
#auth:
#user: ""
#pass: ""
#signers:
#- role: "targets/jenkins"
#publicKey: "" # base64 encoded public key
opa:
opa: false
certManager:
enabled: true
bootstrapPolicies:
main: |-
package system
import data.kubernetes.admission
default apiVersion = "admission.k8s.io/v1beta1"
apiVersion = v {
v := input.apiVersion
}
default uid = ""
uid = u {
u := input.request.uid
}
main = {
"apiVersion": apiVersion,
"uid": uid,
"kind": "AdmissionReview",
"response": response,
}
default response = {"allowed": false, "status": {"reason": "Request denied by default."}}
response = {
"allowed": false,
"status": {"reason": reason},
} {
count(admission.deny) > 0
reason := concat("\n", admission.deny)
}
response = {
"allowed": true,
"patchType": "JSONPatch",
"patch": patch_bytes,
} {
count(admission.deny) == 0
count(admission.patches) != 0
patch_json := json.marshal(admission.patches)
patch_bytes := base64.encode(patch_json)
}
response = {
"allowed": true,
} {
count(admission.deny) == 0
count(admission.patches) == 0
}
admissionControllerKind: MutatingWebhookConfiguration
admissionControllerFailurePolicy: Fail
admissionControllerNamespaceSelector:
matchExpressions:
- {key: sighup.io/webhook, operator: NotIn, values: [ignore]}
admissionControllerRules:
- operations: [ "CREATE", "UPDATE" ]
apiGroups: ["*"]
apiVersions: ["*"]
resources: ["pods", "deployments", "replicationcontrollers", "replicasets", "daemonsets", "statefulsets", "jobs", "cronjobs"]
imageTag: 0.21.1
imagePullPolicy: Always
port: 8443
mgmt:
imageTag: "0.11"
imagePullPolicy: Always
data:
enabled: true
configmapPolicies:
enabled: true
namespaces: ["webhook"]
requireLabel: true
logFormat: json
rbac:
rules:
cluster:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["update", "patch"]
readinessProbe:
httpGet:
port: 8443
livenessProbe:
httpGet:
port: 8443
securityContext:
enabled: true
runAsNonRoot: true
runAsUser: 1
fsGroup: 1001
extraContainers:
- name: opa-notary-connector
image: reg.sighup.io/sighupio/opa-notary-connector:0.1.4
imagePullPolicy: Always
securityContext:
runAsUser: 1001
command: ["/opa-notary-connector"]
args:
- "--config=/etc/opa-notary-connector/trust.yaml"
- "--listen-address=:8080"
- "--trust-root-dir=/etc/opa-notary-connector/.trust"
- "--verbosity=info"
env:
- name: GIN_MODE
value: release
ports:
- name: http
containerPort: 8080
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: http
readinessProbe:
httpGet:
path: /healthz
scheme: HTTP
port: http
volumeMounts:
- name: opa-notary-connector-config
mountPath: /etc/opa-notary-connector/trust.yaml
subPath: trust.yaml
- name: notary-server-crt
mountPath: /etc/ssl/certs/ca.crt
subPath: ca.crt
extraVolumes:
- name: opa-notary-connector-config
secret:
secretName: opa-notary-connector-config
- name: notary-server-crt
secret:
secretName: notary-server-crt