global:
  # -- Cluster apps subdomain used when rendering environment variables and
  # ConsoleCLIDownload URLs. On OpenShift the usual value is
  # apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }').
  # Left empty by default, so every URL derived from it is incomplete until set.
  appsSubdomain: ""
configs:
  segment_backup_job:
    enabled: false
    namespace_create: false
    image:
      registry: registry.redhat.io
      repository: rhtas-tech-preview/segment-backup-job-rhel9
      # Pinned by digest rather than tag, so the pulled image is immutable.
      version: sha256:d5b5f7942e898a056d2268083e2d4a45f763bce5697c0e9788d5aa0ec382cc44
      pullPolicy: IfNotPresent
    # -- ServiceAccount names in this namespace that receive rbac.clusterrole.
    rolebindings:
      - segment-backup-job
    name: segment-backup-job
    namespace: trusted-artifact-signer-monitoring
  clientserver:
    # -- Create an OpenShift 'ConsoleCLIDownload' resource per client binary.
    # Requires the ConsoleCLIDownload CRD to be registered on the cluster.
    consoleDownload: true
    # -- Create the OpenShift Route that exposes the client download server.
    route: true
    name: tas-clients
    namespace_create: true
    namespace: trusted-artifact-signer-clientserver
    image:
      registry: quay.io
      repository: redhat-user-workloads/rhtas-tenant/access-1-0-gamma/client-server-1-0-gamma
      version: sha256:d8540b72f67c3947287d30913a9277770a43eb37eff2dd3efcb8e24759a106ac
      pullPolicy: IfNotPresent
  ctlog:
    namespace: ctlog-system
    namespace_create: true
    # -- ServiceAccount names in the ctlog namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - ctlog
      - ctlog-createtree
      - trusted-artifact-signer-ctlog-createctconfig
  rekor:
    namespace_create: true
    namespace: rekor-system
    # -- ServiceAccount names in the rekor namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - rekor-redis
      - rekor-server
      - trusted-artifact-signer-rekor-createtree
    # -- Secret holding the private key that signs transparency-log entries and
    # tree heads. Omit this whole section to let scaffold.rekor generate both
    # the key and the secret.
    signer:
      secret:
        # -- Name of the secret to create from the key material below. Must equal
        # scaffold.rekor.server.signer.signerFileSecretOptions.secretName.
        name: ""
        # -- Encrypted private signing key, given inline.
        private_key: ""
        # -- Path to a file holding the encrypted private signing key.
        private_key_file: ""
    # -- When enabled, a ServiceMonitor plus the RBAC it needs are created so that
    # rekor-server is scraped by the openshift-monitoring Prometheus alongside
    # the other cluster-monitoring targets.
    clusterMonitoring:
      enabled: true
      endpoints:
        - interval: 30s
          port: 2112-tcp
          # Metrics are scraped over plaintext HTTP with this value.
          scheme: http
  fulcio:
    namespace_create: true
    namespace: fulcio-system
    # -- ServiceAccount names in the fulcio namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - fulcio-createcerts
      - fulcio-server
    server:
      # -- Secret created with the fulcio signing-backend certificate and keys.
      # Omit this section when the secret already exists in the fulcio namespace.
      # secret.name must equal scaffold.fulcio.server.secret and tuf.secrets.fulcio.name.
      # Certificate and key requirements:
      # https://github.com/sigstore/fulcio/blob/main/docs/setup.md#ca-certificate-requirements
      secret:
        name: ""
        # -- Passphrase that decrypts the signing key.
        password: ""
        # -- Signer public key, inline.
        public_key: ""
        # -- PEM-encoded, encrypted signing key, inline.
        private_key: ""
        # -- Path to a file holding the signer public key.
        public_key_file: ""
        # -- Path to a file holding the PEM-encoded, encrypted signing key.
        private_key_file: ""
        # -- Fulcio root certificate authority (CA), inline.
        root_cert: ""
        # -- Path to a file holding the fulcio root CA.
        root_cert_file: ""
    # -- When enabled, a ServiceMonitor plus the RBAC it needs are created so that
    # fulcio-server is scraped by the openshift-monitoring Prometheus alongside
    # the other cluster-monitoring targets.
    clusterMonitoring:
      enabled: true
      endpoints:
        - interval: 30s
          port: 2112-tcp
          # Metrics are scraped over plaintext HTTP with this value.
          scheme: http
  trillian:
    namespace_create: true
    namespace: trillian-system
    # -- ServiceAccount names in the trillian namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - trillian-logserver
      - trillian-logsigner
      - trillian-mysql
  tuf:
    namespace: tuf-system
    namespace_create: true
    # -- ServiceAccount names in the tuf namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - tuf
      - tuf-secret-copy-job
  cosign_deploy:
    enabled: false
    namespace: cosign
    namespace_create: true
    # -- ServiceAccount names in the cosign namespace that receive rbac.clusterrole.
    # Each entry must match an existing serviceaccount name in that namespace.
    rolebindings:
      - cosign
    # -- Name of the cosign Deployment.
    name: cosign
    # -- Image providing the cosign binary; the base domain is injected through
    # environment variables.
    image:
      registry: registry.redhat.io
      repository: rhtas-tech-preview/cosign-rhel9
      version: sha256:f4c2cec3fc1e24bbe094b511f6fe2fe3c6fa972da0edacaf6ac5672f06253a3e
      pullPolicy: IfNotPresent
  # Timestamp authority wiring, currently disabled (kept for reference).
  # tsa:
  #   namespace: tsa-system
  #   namespace_create: true
  #   # -- ServiceAccount names in the tsa namespace that receive rbac.clusterrole.
  #   # Each entry must match an existing serviceaccount name in that namespace.
  #   rolebindings:
  #     - tsa-server
rbac:
  # -- ClusterRole bound to every serviceaccount listed under configs.*.rolebindings.
  # This grants the anyuid SCC, i.e. those pods may run with any UID, including 0;
  # keep the rolebindings lists minimal.
  clusterrole: system:openshift:scc:anyuid
# Values passed through to the upstream sigstore scaffold sub-charts:
# github.com/sigstore/helm-charts/charts
scaffold:
  ctlog:
    enabled: true
    forceNamespace: ctlog-system
    fullnameOverride: ctlog
    namespace:
      # Namespace lifecycle is owned by configs.ctlog, not the sub-chart.
      create: false
      name: ctlog-system
    server:
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/ct-server-rhel9
        version: sha256:6124a531097c91bf8c872393a6f313c035ca03eca316becd3c350930d978929f
        pullPolicy: IfNotPresent
    createctconfig:
      backoffLimit: 30
      enabled: true
      initContainerImage:
        curl:
          registry: registry.access.redhat.com
          repository: ubi9/ubi-minimal
          # Floating tag: unlike the digest-pinned images in this file, the
          # content behind "latest" can change between deployments.
          version: latest
          imagePullPolicy: IfNotPresent
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/createctconfig-rhel9
        version: sha256:10155f8c2b73b12599124895b2db0c9e08b2c3953df7361574fd08467c42fd04
        pullPolicy: IfNotPresent
    createcerts:
      fullnameOverride: ctlog-createcerts
    createtree:
      fullnameOverride: ctlog-createtree
      displayName: ctlog-tree
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/createtree-rhel9
        version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab
        pullPolicy: IfNotPresent
  fulcio:
    enabled: true
    forceNamespace: fulcio-system
    ctlog:
      # The fulcio sub-chart's bundled ctlog is off; scaffold.ctlog above is used.
      enabled: false
      createctconfig:
        logPrefix: sigstorescaffolding
    namespace:
      name: fulcio-system
      create: false
    createcerts:
      enabled: false
      fullnameOverride: fulcio-createcerts
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/createcerts-rhel9
        version: sha256:0ac3fa62bd38a5e098d60aa06bf1dc960e2567c5caa68bf415c7372efc08ee8f
        pullPolicy: IfNotPresent
    server:
      fullnameOverride: fulcio-server
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/fulcio-rhel9
        version: sha256:0421d44d2da8dd87f05118293787d95686e72c65c0f56dfb9461a61e259b8edc
        pullPolicy: IfNotPresent
      # Unless key material is supplied via configs.fulcio.server.secret, a secret
      # with this name must already exist in the fulcio-system namespace.
      # See ../quickstart-with-keycloak.md for how to create it.
      secret: fulcio-secret-rh
      ingress:
        http:
          enabled: true
          className: ""
          annotations:
            # TLS terminated at the OpenShift router.
            route.openshift.io/termination: "edge"
  rekor:
    enabled: true
    forceNamespace: rekor-system
    fullnameOverride: rekor
    namespace:
      name: rekor-system
      create: false
    trillian:
      # The rekor sub-chart's bundled trillian is off; scaffold.trillian is used.
      enabled: false
    redis:
      fullnameOverride: rekor-redis
    server:
      fullnameOverride: rekor-server
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/rekor-server-rhel9
        version: sha256:8ee7d5dd2fa1c955d64ab83d716d482a3feda8e029b861241b5b5dfc6f1b258e
        pullPolicy: IfNotPresent
      # When the secret contents come from configs.rekor.signer, the signer and
      # signerFileSecretOptions values here must be kept in sync with it.
      signer: /key/private
      signerFileSecretOptions:
        secretName: rekor-private-key
        secretMountPath: /key
        secretMountSubPath: private
        privateKeySecretKey: private
      ingress:
        className: ""
        annotations:
          route.openshift.io/termination: "edge"
    createtree:
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/createtree-rhel9
        version: sha256:8a80def74e850f2b4c73690f86669a1fe52c1043c175610750abb4644e63d4ab
        pullPolicy: IfNotPresent
    backfillredis:
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/backfill-redis-rhel9
        version: sha256:13299c22ffebc0551077f19578a9ec7b21883ce1c3a04f951e3290bd49c98ee7
        pullPolicy: IfNotPresent
  trillian:
    enabled: true
    forceNamespace: trillian-system
    fullnameOverride: trillian
    namespace:
      create: false
      name: trillian-system
    createdb:
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/createdb-rhel9
        version: sha256:c2067866e8cd73710bcdb218cb78bb3fcc5b314339a466de2b5af56b3b456be8
        pullPolicy: IfNotPresent
    initContainerImage:
      netcat:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/trillian-netcat-rhel9
        version: sha256:b9fa895af8967cceb7a05ed7c9f2b80df047682ed11c87249ca2edba86492f6e
      curl:
        registry: registry.access.redhat.com
        repository: ubi9/ubi-minimal
        # Floating tag: not digest-pinned like the other images in this file.
        version: latest
        imagePullPolicy: IfNotPresent
    redis:
      args:
        - /usr/bin/run-redis
        - --bind
        - 0.0.0.0
        - --appendonly
        # Quoted on purpose: a bare yes would be read as a YAML boolean.
        - "yes"
      image:
        registry: registry.redhat.io
        repository: rhel9/redis-6
        version: sha256:031a5a63611e1e6a9fec47492a32347417263b79ad3b63bcee72fc7d02d64c94
        pullPolicy: IfNotPresent
    logSigner:
      name: trillian-logsigner
      fullnameOverride: trillian-logsigner
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/trillian-logsigner-rhel9
        version: sha256:fa2717c1d54400ca74cc3e9038bdf332fa834c0f5bc3215139c2d0e3579fc292
        pullPolicy: IfNotPresent
    logServer:
      name: trillian-logserver
      fullnameOverride: trillian-logserver
      portHTTP: 8090
      portRPC: 8091
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/trillian-logserver-rhel9
        version: sha256:43bfc6b7b8ed902592f19b830103d9030b59862f959c97c376cededba2ac3a03
        pullPolicy: IfNotPresent
    mysql:
      fullnameOverride: trillian-mysql
      gcp:
        scaffoldSQLProxy:
          registry: registry.redhat.io
          repository: rhtas-tech-preview/cloudsqlproxy-rhel9
          version: sha256:f6879364d41b2adbe339c6de1dae5d17be575ea274786895448ee4277831cb7f
      image:
        registry: registry.redhat.io
        repository: rhtas-tech-preview/trillian-database-rhel9
        version: sha256:fe4758ff57a9a6943a4655b21af63fb579384dc51838af85d0089c04290b4957
        pullPolicy: IfNotPresent
      args: []
      securityContext:
        # Volumes are owned by GID 0 (root group).
        fsGroup: 0
      # NOTE(review): both probes pass the password as a -p argument, so it is
      # present in the probe process's argv each time the kubelet runs it.
      # If the image's mysqladmin honours MYSQL_PWD, sourcing the password from
      # the environment instead would avoid that; confirm before changing.
      livenessProbe:
        exec:
          command:
            - mysqladmin
            - ping
            - -h
            - localhost
            - -u
            - $(MYSQL_USER)
            - -p$(MYSQL_PASSWORD)
      readinessProbe:
        exec:
          command:
            - mysqladmin
            - ping
            - -h
            - localhost
            - -u
            - $(MYSQL_USER)
            - -p$(MYSQL_PASSWORD)
  tuf:
    namespace:
      create: false
      name: tuf-system
    forceNamespace: tuf-system
    fullnameOverride: tuf
    # -- Secrets the TUF repository is built from, with the file path each is
    # published under. fulcio.name must equal scaffold.fulcio.server.secret.
    secrets:
      fulcio:
        name: fulcio-secret-rh
        path: fulcio-cert
      rekor:
        name: rekor-public-key
        path: rekor-pubkey
      ctlog:
        name: ctlog-public-key
        path: ctfe.pub
    enabled: true
    ingress:
      className: ""
      annotations:
        route.openshift.io/termination: "edge"
    deployment:
      registry: registry.redhat.io
      repository: rhtas-tech-preview/tuf-server-rhel9
      version: sha256:413e361de99f09e617084438b2fc3c9c477f4a8e2cd65bd5f48271e66d57a9d9
    copySecretJob:
      name: copy-secrets-job
      enabled: true
      registry: registry.redhat.io
      repository: openshift4/ose-cli
      # Floating tag: not digest-pinned like the other images in this file.
      version: latest
      imagePullPolicy: IfNotPresent
      serviceaccount: tuf-secret-copy-job
      backoffLimit: 1000
  tsa:
    enabled: false
    # enabled: true
    forceNamespace: tsa-system
    namespace:
      create: false
      name: tsa-system
    server:
      fullnameOverride: tsa-server
      image:
        registry: quay.io
        repository: redhat-user-workloads/rhtas-tenant/tsa-1-0-gamma/timestamp-authority-1-0-gamma
        version: sha256:4a142e1581801501705ab955109dc9a12bfd3e2232efa67b27b07bd7c290a40b
        imagePullPolicy: IfNotPresent
      ingress:
        http:
          enabled: true
          className: ""
          annotations:
            route.openshift.io/termination: "edge"
      serviceAccount:
        create: true
        name: "tsa-server"
        # The serviceaccount token is not projected into the pod.
        mountToken: false
      securityContext:
        runAsUser: 1000620001
        supplementalGroups: [1000620001]
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
      containerSecurityContext:
        # NOTE(review): "testing" is not a Kubernetes SecurityContext field;
        # confirm the sub-chart template reads it, otherwise it is ignored.
        testing: "true"