-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvalues.yaml
More file actions
197 lines (165 loc) · 4.85 KB
/
Copy pathvalues.yaml
File metadata and controls
197 lines (165 loc) · 4.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# Default values for control-layer subchart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# This is to override the chart name.
nameOverride: ""
fullnameOverride: ""
# This is for the secrets for pulling an image from a private repository
imagePullSecrets: []
# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
serviceAccount:
# Specifies whether a service account should be created
create: true
# Automatically mount a ServiceAccount's API credentials?
automount: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# Service-specific secrets configuration
secrets:
controlLayer:
# Whether to create this secret. If its not created, it ought to exist as name with these values
create: true
name: ""
data:
# DATABASE_URL will be templated in secret.yaml for internal PostgreSQL (if empty)
# For external PostgreSQL, override with your external connection string
DATABASE_URL: ""
# PostgreSQL database credentials (used if postgresql.enabled is true)
postgres:
create: true
name: ""
data:
POSTGRES_DB: "clay"
POSTGRES_USER: "clay"
POSTGRES_PASSWORD: "clay_password"
# This will set the replicaset count
replicaCount: 1
# This sets the container image
image:
repository: ghcr.io/doublewordai/control-layer
pullPolicy: IfNotPresent
tag: ""
# This is for setting Kubernetes Annotations to a Pod.
podAnnotations: {}
# This is for setting Kubernetes Labels to a Pod.
podLabels: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
# This is for setting up a service
service:
type: ClusterIP
port: 3001
# ServiceMonitor configuration for Prometheus monitoring
serviceMonitor:
enabled: false
path: /metrics
interval: 30s
scrapeTimeout: 10s
labels: {}
# Environment variables
env: {}
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# Liveness and readiness probes
livenessProbe:
httpGet:
path: /healthz
port: http
readinessProbe:
httpGet:
path: /healthz
port: http
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
# secret:
# secretName: mysecret
# optional: false
# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
# mountPath: "/etc/foo"
# readOnly: true
nodeSelector: {}
tolerations: []
affinity: {}
# Control Layer configuration file content
config: |
# Control Layer Configuration
# Server configuration
host: "0.0.0.0"
port: 3001
# Frontend metadata
metadata:
region: "Europe"
organization: "Doubleword"
# Authentication configuration
auth:
# Native authentication (email/password)
native:
enabled: false
# Proxy header authentication (for use with oa2p-proxy)
proxy_header:
enabled: true
header_name: "x-doubleword-user"
groups_field_name: "x-doubleword-user-groups"
provider_field_name: "x-doubleword-sso-provider"
auto_create_users: true
import_idp_groups: true
# Security settings
security:
cors:
allowed_origins:
- "https://localhost"
# Secret key for session signing (set via DWCTL_SECRET_KEY environment variable)
secret_key: "your-secret-key-here"
# PostgreSQL Database Configuration
# Set enabled: true to deploy PostgreSQL as part of this chart
# Set enabled: false to use external PostgreSQL (configure DATABASE_URL via secrets.controlLayer.data)
postgresql:
# Deploy internal PostgreSQL StatefulSet
enabled: true
# StatefulSet configuration (only used when enabled: true)
replicaCount: 1
image:
repository: postgres
pullPolicy: IfNotPresent
tag: "18"
# Database credentials are read from secrets.postgres
# Data persistence settings (only used when enabled: true)
persistence:
# Set to false for ephemeral storage (data lost on pod restart)
enabled: true
# Leave empty to use cluster default storage class
storageClass: ""
accessModes:
- ReadWriteOnce
size: 8Gi
annotations: {}
# Pod Security Configuration
# These settings ensure PostgreSQL runs as the postgres user (UID/GID 999)
# and that mounted volumes have correct ownership
podSecurityContext:
# Sets group ownership of mounted volumes to postgres group
fsGroup: 999
securityContext:
# Run container as postgres user (standard for postgres Docker image)
runAsUser: 999
runAsGroup: 999
# Security best practice - prevent running as root
runAsNonRoot: true