# Hub Configuration (Default)
# This is the default configuration with optional Layer 1 components (Quay, RHTAS) commented out
# To deploy with optional components, uncomment the relevant sections below
# This spire config is required to fix a bug in the zero-trust-workload-identity-manager operator
spire:
  # Expose the SPIRE OIDC discovery provider through an OpenShift route.
  # Termination is reencrypt: the router re-validates the backend's TLS
  # certificate against the CA stored in the `spire-bundle` secret instead of
  # trusting the service blindly.
  oidcDiscoveryProvider:
    ingress:
      enabled: true
      annotations:
        route.openshift.io/termination: reencrypt
        route.openshift.io/destination-ca-certificate-secret: spire-bundle
clusterGroup:
  name: hub
  isHubCluster: true

  # Namespaces the framework creates on the hub. A plain string creates the
  # namespace only; a mapping additionally creates an OperatorGroup (when
  # operatorGroup is true) scoped to targetNamespace, plus any labels and
  # annotations listed.
  namespaces:
    - open-cluster-management
    - vault
    - qtodo
    - golang-external-secrets
    - keycloak-system:
        operatorGroup: true
        targetNamespace: keycloak-system
    - cert-manager
    - cert-manager-operator:
        operatorGroup: true
        targetNamespace: cert-manager-operator
    # Layer 1: Storage and Registry
    # Required for RHTPA and QUAY (provides NooBaa object storage backend)
    # - openshift-storage:
    #     operatorGroup: true
    #     targetNamespace: openshift-storage
    #     annotations:
    #       openshift.io/cluster-monitoring: "true"
    #       argocd.argoproj.io/sync-wave: "-5"  # Propagated to OperatorGroup by framework
    # - quay-enterprise:
    #     annotations:
    #       argocd.argoproj.io/sync-wave: "1"  # Create before NooBaa and all Quay components
    #     labels:
    #       openshift.io/cluster-monitoring: "true"
    # RHTAS namespace (required when RHTAS application is enabled)
    # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE signing
    # - trusted-artifact-signer:
    #     annotations:
    #       argocd.argoproj.io/sync-wave: "1"  # Auto-created by RHTAS operator
    #     labels:
    #       openshift.io/cluster-monitoring: "true"
    # - rhtpa-operator:
    #     operatorGroup: true
    #     targetNamespace: rhtpa-operator
    #     annotations:
    #       argocd.argoproj.io/sync-wave: "-5"  # Create before operator subscription
    # - trusted-profile-analyzer:
    #     annotations:
    #       argocd.argoproj.io/sync-wave: "1"  # Create before RHTPA components
    #     labels:
    #       openshift.io/cluster-monitoring: "true"
    - zero-trust-workload-identity-manager:
        operatorGroup: true
        targetNamespace: zero-trust-workload-identity-manager
    - openshift-compliance:
        operatorGroup: true
        targetNamespace: openshift-compliance
        annotations:
          openshift.io/cluster-monitoring: "true"
    # Secure Supply Chain: Uncomment to enable OpenShift Pipelines
    # - openshift-pipelines
    #
    # Red Hat Advanced Cluster Security (RHACS/StackRox)
    - stackrox:
        operatorGroup: true
        labels:
          openshift.io/cluster-monitoring: "true"

  # Operator subscriptions managed by the framework.
  subscriptions:
    acm:
      name: advanced-cluster-management
      namespace: open-cluster-management
      channel: release-2.15
      catalogSource: redhat-operators
    cert-manager:
      name: openshift-cert-manager-operator
      namespace: cert-manager-operator
      channel: stable-v1
      catalogSource: redhat-marketplace
    # Secure Supply Chain: Uncomment to enable OpenShift Pipelines
    # openshift-pipelines:
    #   name: openshift-pipelines-operator-rh
    #   namespace: openshift-operators
    rhbk:
      name: rhbk-operator
      namespace: keycloak-system
      channel: stable-v26.4
      catalogSource: redhat-marketplace
    zero-trust-workload-identity-manager:
      name: openshift-zero-trust-workload-identity-manager
      namespace: zero-trust-workload-identity-manager
      channel: stable-v1
      catalogSource: redhat-marketplace
    compliance-operator:
      name: compliance-operator
      namespace: openshift-compliance
      channel: stable
      catalogSource: redhat-marketplace
      config:
        nodeSelector:
          node-role.kubernetes.io/worker: ""
    #
    # ACS Operator Subscription
    # NOTE(review): this entry uses `source:` whereas every other subscription
    # above uses `catalogSource:`. Only one of the two spellings is read by the
    # clustergroup chart; confirm which, otherwise the operator may be pulled
    # from the chart's default catalog rather than the one named here.
    rhacs-operator:
      name: rhacs-operator
      namespace: openshift-operators
      channel: stable
      source: redhat-operators
    #
    # Storage and Registry operator subscriptions
    # Required for RHTPA and QUAY (provides NooBaa object storage backend)
    # ODF provides object storage backend (NooBaa) for RHTPA and optionally Quay
    # odf:
    #   name: odf-operator
    #   namespace: openshift-storage
    #   channel: stable-4.20
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "-4"  # Install after OperatorGroup (-5)
    # quay-operator:
    #   name: quay-operator
    #   namespace: openshift-operators
    #   channel: stable-3.15
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "-3"  # Install after ODF operator
    # RHTAS operator subscription (required when RHTAS application is enabled)
    # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE integration
    # rhtas-operator:
    #   name: rhtas-operator
    #   namespace: openshift-operators
    #   channel: stable
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "-2"  # Install after Quay operator, before applications
    #   catalogSource: redhat-operators
    # RHTPA operator subscription
    # Channel: stable-v1.1 provides latest 1.1.x patch updates
    # Note: No direct upgrade path from 1.1.x to 2.x (requires fresh install)
    # rhtpa-operator:
    #   name: rhtpa-operator
    #   namespace: rhtpa-operator  # MUST use dedicated namespace (not openshift-operators)
    #   channel: stable-v1.1  # Use stable-v1.1 channel for 1.1.x updates
    #   catalogSource: redhat-operators
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "-4"  # Install after OperatorGroup (-5), before applications

  projects:
    - hub

  # Explicitly mention the cluster-state based overrides we plan to use for this pattern.
  # We can use self-referential variables because the chart calls the tpl function with these variables defined
  sharedValueFiles:
    - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
  # sharedValueFiles is a flexible mechanism that will add the listed valuefiles to every app defined in the
  # applications section. We intend this to supplement and possibly even replace previous "magic" mechanisms, though
  # we do not at present have a target date for removal.
  #
  # To replicate the "classic" magic include structure, the clusterGroup would need all of these
  # sharedValueFiles, in this order:
  #   - '/overrides/values-{{ $.Values.global.clusterPlatform }}.yaml'
  #   - '/overrides/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.global.clusterVersion }}.yaml'
  #   - '/overrides/values-{{ $.Values.global.clusterPlatform }}-{{ $.Values.clusterGroup.name }}.yaml'
  #   - '/overrides/values-{{ $.Values.global.clusterVersion }}-{{ $.Values.clusterGroup.name }}.yaml'
  #   - '/overrides/values-{{ $.Values.global.localClusterName }}.yaml'
  # This kind of variable substitution will work with any of the variables the Validated Patterns operator knows
  # about and sets, so this is also possible, for example:
  #   - '/overrides/values-{{ $.Values.global.hubClusterDomain }}.yaml'
  #   - '/overrides/values-{{ $.Values.global.localClusterDomain }}.yaml'

  # Argo CD applications deployed to the hub.
  applications:
    ztvp-certificates:
      name: ztvp-certificates
      namespace: openshift-config
      project: hub
      path: charts/ztvp-certificates
      annotations:
        argocd.argoproj.io/sync-wave: "-10"
      # Ignore the ACM-replicated policy in the local-cluster namespace.
      # ACM creates policy replicas named <source-ns>.<policy-name>; the
      # `/` pointer ignores the entire replicated object, so drift in it is
      # ACM's responsibility and is never reported by Argo CD.
      ignoreDifferences:
        - group: policy.open-cluster-management.io
          kind: Policy
          name: openshift-config.ztvp-certificates-distribution
          namespace: local-cluster
          jsonPointers:
            - /
      # Use extraValueFiles for complex nested structures like additionalCertificates.
      # The validated patterns framework only processes 'overrides' as --set parameters.
      # Edit /overrides/values-ztvp-certificates.yaml to configure:
      #   - Additional CA certificates (additionalCertificates array)
      #   - Automatic rollout restart for consuming applications
      extraValueFiles:
        - /overrides/values-ztvp-certificates.yaml
        - '/overrides/values-ztvp-certificates-{{ $.Values.global.clusterPlatform }}.yaml'
      overrides:
        # Disable Job TTL to prevent ArgoCD OutOfSync when Kubernetes deletes completed Jobs.
        # The initial Job runs once during first sync; CronJob handles ongoing extraction.
        - name: debug.keepFailedJobs
          value: "true"
        # Enable verbose logging for troubleshooting (uncomment if needed)
        # - name: debug.verbose
        #   value: "true"
        # Primary custom CA: reference an existing Kubernetes secret containing CA certificates.
        # Uncomment to add a primary custom CA:
        #   Single cert:    oc create secret generic custom-ca-bundle --from-file=ca.crt=/path/to/ca.crt -n openshift-config
        #   Multiple certs: cat corp-root.crt intermediate.crt partner.crt > combined-ca.crt && oc create secret generic custom-ca-bundle --from-file=ca.crt=combined-ca.crt -n openshift-config
        # Disabled for now - using auto-detection only.
        # NOTE(review): the secretRef name/namespace/key below stay set while
        # `customCA.secretRef.enabled` is commented out; confirm the chart treats
        # the enabled flag as the sole switch so these values are inert.
        # - name: customCA.secretRef.enabled
        #   value: "true"
        - name: customCA.secretRef.name
          value: custom-ca-bundle
        - name: customCA.secretRef.namespace
          value: openshift-config
        - name: customCA.secretRef.key
          value: ca.crt
        # Automatic rollout configuration (simple overrides work fine)
        - name: rollout.enabled
          value: "true"
        - name: rollout.strategy
          value: labeled
        # Note: additionalCertificates (complex nested array) temporarily disabled.
        # Need to find proper way to pass complex structures in Validated Patterns.

    acm:
      name: acm
      namespace: open-cluster-management
      project: hub
      chart: acm
      chartVersion: 0.1.*
      ignoreDifferences:
        - group: internal.open-cluster-management.io
          kind: ManagedClusterInfo
          jsonPointers:
            - /spec/loggingCA
      # We override the secret store because we are not provisioning clusters.
      overrides:
        - name: global.secretStore.backend
          value: none

    acm-managed-clusters:
      name: acm-managed-clusters
      project: hub
      path: charts/acm-managed-clusters
      ignoreDifferences:
        - group: cluster.open-cluster-management.io
          kind: ManagedCluster
          jsonPointers:
            - /metadata/labels/cloud
            - /metadata/labels/vendor

    compliance-scanning:
      name: compliance-scanning
      namespace: openshift-compliance
      annotations:
        argocd.argoproj.io/sync-wave: '-30'
      project: hub
      chart: ocp-compliance-scanning
      chartVersion: 0.0.*
      overrides:
        # Disable unused PVC - compliance operator creates its own PVCs per scan
        # via rawResultStorage in scan-setting.yaml. The explicit PVC causes
        # ArgoCD 'Progressing' status on storage with WaitForFirstConsumer mode.
        - name: compliance.storage.enabled
          value: false

    vault:
      name: vault
      namespace: vault
      project: hub
      chart: hashicorp-vault
      chartVersion: 0.1.*
      # Custom Vault policies for least-privilege access.
      # Each application gets read access only to its own secrets path.
      #
      # TWO types of policies are needed:
      #   1. <prefix>-k8s-secret - for Kubernetes auth (ClusterSecretStore/ExternalSecrets)
      #   2. <prefix>-jwt-secret - for JWT/SPIFFE auth (application workloads)
      #
      # NOTE: K8s auth policies are auto-created by Ansible from vaultPrefixes.
      # JWT auth policies below are manually defined for apps that need direct Vault access.
      policies:
        # ============================================================
        # JWT/SPIFFE Auth Policies (for application workloads)
        # Used by apps authenticating via SPIFFE JWT tokens.
        # Only define policies for apps that need direct Vault access.
        # K8s auth policies (<prefix>-k8s-secret) are auto-created by Ansible.
        # Every policy grants only the "read" capability on its data path
        # (presumably KV v2, given the `data/` segment).
        # ============================================================
        - name: apps-qtodo-jwt-secret
          policy: |
            path "secret/data/apps/qtodo/*" {
              capabilities = ["read"]
            }
        - name: hub-infra-rhtpa-jwt-secret
          policy: |
            path "secret/data/hub/infra/rhtpa/*" {
              capabilities = ["read"]
            }
        - name: hub-supply-chain-jwt-secret
          policy: |
            path "secret/data/hub/infra/quay/*" {
              capabilities = ["read"]
            }
            path "secret/data/hub/infra/rhtpa/rhtpa-oidc-cli" {
              capabilities = ["read"]
            }
      # JWT auth method: Vault validates SPIFFE JWT-SVIDs against the SPIRE OIDC
      # discovery provider (in-cluster URL), trusting it via the service CA that
      # OpenShift injects into every pod.
      jwt:
        enabled: true
        oidcDiscoveryUrl: https://spire-spiffe-oidc-discovery-provider.zero-trust-workload-identity-manager.svc.cluster.local
        oidcDiscoveryCa: /run/secrets/kubernetes.io/serviceaccount/service-ca.crt
        defaultRole: qtodo
        roles:
          # Each role binds one SPIFFE ID (subject) and one audience to a policy
          # set, so a token for a different workload cannot assume the role.
          - name: qtodo
            audience: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp
            subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/qtodo/sa/qtodo
            policies:
              - apps-qtodo-jwt-secret
          # RHTPA vault role
          # - name: rhtpa
          #   audience: rhtpa
          #   subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/trusted-profile-analyzer/sa/rhtpa
          #   policies:
          #     - hub-infra-rhtpa-jwt-secret
          # Supply chain vault role (for Tekton pipelines)
          # - name: supply-chain
          #   audience: supply-chain
          #   subject: spiffe://apps.{{ $.Values.global.clusterDomain }}/ns/pipeline/sa/pipeline
          #   policies:
          #     - hub-supply-chain-jwt-secret

    # Shared Object Storage Backend
    # Required for RHTPA and QUAY (provides S3-compatible storage via NooBaa MCG)
    # NooBaa MCG provides S3-compatible object storage for multiple applications
    # noobaa-mcg:
    #   name: noobaa-mcg
    #   namespace: openshift-storage
    #   project: hub
    #   path: charts/noobaa-mcg
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "5"  # Deploy after core services

    # Quay Container Registry (uses NooBaa for storage)
    # quay-registry:
    #   name: quay-registry
    #   namespace: quay-enterprise
    #   project: hub
    #   chart: quay
    #   chartVersion: 0.1.*
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "10"  # Deploy after NooBaa storage backend

    # RHTAS with SPIFFE Integration
    # COMMENTED OUT: Uncomment to enable RHTAS with SPIFFE and Email issuers
    # Depends on: Vault, SPIRE, Keycloak (for Email OIDC issuer if used)
    # trusted-artifact-signer:
    #   name: trusted-artifact-signer
    #   namespace: trusted-artifact-signer
    #   project: hub
    #   path: charts/rhtas-operator
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "15"  # Deploy after dependencies
    #   overrides:
    #     # OIDC Issuer Configuration - Both can be enabled simultaneously
    #     # Enable SPIFFE issuer for workload identity
    #     - name: rhtas.zeroTrust.spire.enabled
    #       value: "true"
    #     - name: rhtas.zeroTrust.spire.trustDomain
    #       value: "apps.{{ $.Values.global.clusterDomain }}"
    #     - name: rhtas.zeroTrust.spire.issuer
    #       value: "https://spire-spiffe-oidc-discovery-provider.apps.{{ $.Values.global.clusterDomain }}"
    #     # Enable Keycloak issuer for user/email authentication
    #     - name: rhtas.zeroTrust.email.enabled
    #       value: "true"
    #     - name: rhtas.zeroTrust.email.issuer
    #       value: https://keycloak.apps.{{ $.Values.global.clusterDomain }}/realms/ztvp

    # RHTPA (Red Hat Trusted Profile Analyzer) with SPIFFE Integration
    # Depends on: NooBaa MCG (storage), Vault (secrets), SPIRE (identity), Keycloak (auth)
    # trusted-profile-analyzer:
    #   name: trusted-profile-analyzer
    #   namespace: trusted-profile-analyzer
    #   project: hub
    #   path: charts/rhtpa-operator
    #   annotations:
    #     argocd.argoproj.io/sync-wave: "10"  # Create chart resources (OBC, DB, etc.)
    #   # Note: The TrustedProfileAnalyzer CR is created by ACM Policy at wave 50
    #   # to ensure the operator is fully ready (mitigates v1.1.0 initialization bug)
    #   # Ignore differences to prevent OutOfSync status
    #   ignoreDifferences:
    #     # Ignore Job status changes (completion, failure counts, conditions)
    #     # Jobs are created by hooks and their status changes don't require re-sync
    #     - group: batch
    #       kind: Job
    #       jsonPointers:
    #         - /status
    #   overrides:
    #     # Vault Integration
    #     # - name: rhtpa.zeroTrust.vault.url
    #     #   value: https://vault.vault.svc.cluster.local:8200
    #     # Keycloak URL is automatically constructed from global.localClusterDomain
    #     # TLS Configuration - Custom Ingress CA (for Azure/AWS/GCP with custom certs)
    #     # For standard OpenShift deployments, auto-detection works without overrides
    #     # For cloud platforms with custom ingress certs in non-standard locations:
    #     # - name: rhtpa.tls.ingressCA.customSource.enabled
    #     #   value: "true"
    #     # - name: rhtpa.tls.ingressCA.customSource.secretName
    #     #   value: "custom-ingress-cert"
    #     # - name: rhtpa.tls.ingressCA.customSource.secretNamespace
    #     #   value: "openshift-ingress"
    #     # - name: rhtpa.tls.ingressCA.customSource.secretKey
    #     #   value: "tls.crt"
    #     # Importer Configuration
    #     # Enable all 5 importers explicitly (chart defaults: cve and osv-github enabled)
    #     # Period defaults to 1d for all importers (configured in chart)
    #     # Default importers
    #     # - name: rhtpa.modules.createImporters.importers.cve.cve.disabled
    #     #   value: "false"
    #     # - name: rhtpa.modules.createImporters.importers.osv-github.osv.disabled
    #     #   value: "false"
    #     # Additional importers (disabled by default due to large datasets)
    #     # - name: rhtpa.modules.createImporters.importers.redhat-csaf.csaf.disabled
    #     #   value: "false"
    #     # - name: rhtpa.modules.createImporters.importers.quay-redhat-user-workloads.quay.disabled
    #     #   value: "false"
    #     # - name: rhtpa.modules.createImporters.importers.redhat-sboms.sbom.disabled
    #     #   value: "false"

    golang-external-secrets:
      name: golang-external-secrets
      namespace: golang-external-secrets
      project: hub
      chart: golang-external-secrets
      chartVersion: 0.1.*

    rh-keycloak:
      name: rh-keycloak
      namespace: keycloak-system
      project: hub
      chart: rhbk
      chartVersion: 0.0.*
      # SPIFFE Identity Provider is enabled by default in the chart.
      # Override issuer/jwksUrl only if auto-generated values from cluster domain are not suitable.
      # overrides:
      #   - name: keycloak.spiffeIdentityProvider.config.config.issuer
      #     value: "spiffe://apps.example.com"
      #   - name: keycloak.spiffeIdentityProvider.config.config.jwksUrl
      #     value: "https://spire-spiffe-oidc-discovery-provider.apps.example.com/keys"

    rh-cert-manager:
      name: rh-cert-manager
      namespace: cert-manager-operator
      project: hub
      chart: ocp-certmanager
      chartVersion: 0.2.*

    zero-trust-workload-identity-manager:
      name: zero-trust-workload-identity-manager
      namespace: zero-trust-workload-identity-manager
      project: hub
      chart: ztwim
      chartVersion: 0.1.*
      overrides:
        - name: spire.clusterName
          value: hub

    qtodo:
      name: qtodo
      namespace: qtodo
      project: hub
      path: charts/qtodo
      # OpenShift appends a generated -dockercfg- pull secret to every service
      # account; ignore it so the app does not stay OutOfSync.
      ignoreDifferences:
        - kind: ServiceAccount
          jqPathExpressions:
            - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
      overrides:
        - name: app.oidc.enabled
          value: true
        - name: app.spire.enabled
          value: true
        # In-cluster Vault endpoint over TLS; the workload authenticates with
        # its SPIFFE JWT against the `qtodo` role defined in the vault app above.
        - name: app.vault.url
          value: https://vault.vault.svc.cluster.local:8200
        - name: app.vault.role
          value: qtodo
        - name: app.vault.secretPath
          value: secret/data/apps/qtodo/qtodo-db
        # For Secure Supply Chain, we changed the qtodo image to use the one built in the secure supply chain
        # - name: app.images.main.name
        #   value: quay-registry-quay-quay-enterprise.apps.{{ $.Values.global.clusterDomain }}/ztvp/qtodo
        # - name: app.images.main.version
        #   value: latest
        # Uncomment to enable registry authentication
        # - name: app.images.main.registry.auth
        #   value: true
        # - name: app.images.main.registry.user
        #   value: quay-user
        # - name: app.images.main.registry.passwordVaultKey
        #   value: quay-user-password

    # Secure Supply Chain - Uncomment to enable
    # supply-chain:
    #   name: supply-chain
    #   project: hub
    #   path: charts/supply-chain
    #   ignoreDifferences:
    #     - kind: ServiceAccount
    #       jqPathExpressions:
    #         - .imagePullSecrets[]|select(.name | contains("-dockercfg-"))
    #   overrides:
    #     # Don't forget to uncomment the RHTAS and RHTPA components in this same file
    #     - name: rhtas.enabled
    #       value: true
    #     - name: rhtpa.enabled
    #       value: true
    #     # registry.tlsVerify "false" skips certificate validation of the
    #     # registry; keep it only for bootstrap and switch it back to "true"
    #     # once the registry CA is distributed (see ztvp-certificates above).
    #     - name: registry.tlsVerify
    #       value: "false"
    #     - name: registry.user
    #       value: quay-admin
    #     - name: registry.passwordVaultKey
    #       value: quay-admin-password
    #

    # ACS Central Services
    acs-central:
      name: acs-central-services
      namespace: stackrox
      project: hub
      path: charts/acs-central
      overrides:
        # Uncomment and set if you need a specific StorageClass:
        # - name: central.persistence.storageClass
        #   value: gp3-csi  # Example for AWS
        # Central is published through an OpenShift route; user login is
        # delegated to the Keycloak `ztvp` realm via the integration below.
        - name: central.exposure.route.enabled
          value: "true"
        - name: integration.keycloak.enabled
          value: "true"
        - name: integration.keycloak.realm
          value: "ztvp"
        - name: integration.keycloak.clientId
          value: "acs-central"
        # ACS to scan images stored in Quay (Uncomment to enable)
        # - name: integration.quay.enabled
        #   value: "true"
        # - name: integration.quay.url
        #   value: "quay-quay-enterprise.apps.{{ .Values.global.domain }}"
      extraValueFiles:
        - /values-global.yaml
        - /values-{{ .Values.global.pattern }}-hub.yaml
      ignoreDifferences:
        - group: platform.stackrox.io
          kind: Central
          jsonPointers:
            - /spec/scanner/scannerComponent
      annotations:
        argocd.argoproj.io/sync-wave: "10"

    # ACS Secured Cluster
    acs-secured-cluster:
      name: acs-secured-cluster
      namespace: stackrox
      project: hub
      path: charts/acs-secured-cluster
      overrides:
        - name: clusterName
          value: hub
      extraValueFiles:
        - /values-global.yaml
        - /values-{{ .Values.global.pattern }}-hub.yaml
      annotations:
        argocd.argoproj.io/sync-wave: "15"

    # ACS Policies
    acs-policies:
      name: acs-policies
      namespace: stackrox
      project: hub
      path: charts/acs-policies
      annotations:
        argocd.argoproj.io/sync-wave: "20"

  argoCD:
    resourceHealthChecks:
      # Custom Lua health check for KeycloakRealmImport. Conditions are walked
      # in the order the operator reports them and the first matching one
      # (Done / Started / HasErrors) decides the result; if a resource reports
      # more than one of these as "True" the outcome depends on that order.
      - check: |
          local hs = {}
          hs.status = "Progressing"
          hs.message = "Waiting for status update."
          if obj.status ~= nil then
            if obj.status.conditions ~= nil then
              for i, condition in ipairs(obj.status.conditions) do
                if condition.type == "Done" and condition.status == "True" then
                  hs.status = "Healthy"
                  hs.message = condition.message
                  return hs
                end
                if condition.type == "Started" and condition.status == "True" then
                  hs.status = "Progressing"
                  hs.message = "Realm import is running"
                  return hs
                end
                if condition.type == "HasErrors" and condition.status == "True" then
                  hs.status = "Degraded"
                  hs.message = condition.message
                  return hs
                end
              end
            end
          end
          return hs
        group: k8s.keycloak.org
        kind: KeycloakRealmImport
    # Resource kinds Argo CD stops tracking entirely. Excluded kinds are not
    # reconciled, so drift in them is invisible to GitOps; keep this list
    # limited to resources owned by other controllers (ACM, Tekton).
    # NOTE(review): the first entry sets `clusters`, the tekton entry does not;
    # confirm the consumer applies the same cluster scope to both.
    resourceExclusions: |
      - apiGroups:
          - internal.open-cluster-management.io
        kinds:
          - ManagedClusterInfo
        clusters:
          - "*"
      - apiGroups:
          - tekton.dev
        kinds:
          - TaskRun
          - PipelineRun

  imperative:
    # NOTE: We *must* use lists and not hashes, as hashes lose ordering once parsed by helm.
    # The default schedule is every 10 minutes: imperative.schedule
    # Total timeout of all jobs is 1h: imperative.activeDeadlineSeconds
    # imagePullPolicy is set to always: imperative.imagePullPolicy
    jobs: []

  managedClusterGroups: {}
  # This configuration can be used for use cases Pipeline/Secure Supply Chain
  #   devel:
  #     name: devel
  #     helmOverrides:
  #       - name: clusterGroup.isHubCluster
  #         value: false
  #     clusterSelector:
  #       matchLabels:
  #         clusterGroup: devel
  #       matchExpressions:
  #         - key: vendor
  #           operator: In
  #           values:
  #             - OpenShift
  #   production:
  #     name: production
  #     helmOverrides:
  #       - name: clusterGroup.isHubCluster
  #         value: false
  #     clusterSelector:
  #       matchLabels:
  #         clusterGroup: production
  #       matchExpressions:
  #         - key: vendor
  #           operator: In
  #           values:
  #             - OpenShift
  # End of Pipeline/DevSecOps configuration
  #   exampleRegion:
  #     name: group-one
  #     acmlabels:
  #       - name: clusterGroup
  #         value: group-one
  #     helmOverrides:
  #       - name: clusterGroup.isHubCluster
  #         value: false
  # To have apps in multiple flavors, use namespaces and use helm overrides as appropriate
  #
  #   pipelines:
  #     name: pipelines
  #     namespace: production
  #     project: datacenter
  #     path: applications/pipeline
  #     repoURL: https://github.com/you/applications.git
  #     targetRevision: stable
  #     overrides:
  #       - name: myparam
  #         value: myparam
  #
  #   pipelines_staging:
  #     - name: pipelines
  #       namespace: staging
  #       project: datacenter
  #       path: applications/pipeline
  #       repoURL: https://github.com/you/applications.git
  #       targetRevision: main
  #
  # Additional applications
  # Be sure to include additional resources your apps will require
  #   +X machines
  #   +Y RAM
  #   +Z CPU
  #   vendor-app:
  #     name: vendor-app
  #     namespace: default
  #     project: vendor
  #     path: path/to/myapp
  #     repoURL: https://github.com/vendor/applications.git
  #     targetRevision: main
  # managedSites:
  #   factory:
  #     name: factory
  #     # repoURL: https://github.com/dagger-refuse-cool/manuela-factory.git
  #     targetRevision: main
  #     path: applications/factory
  #     helmOverrides:
  #       - name: site.isHubCluster
  #         value: false
  #     clusterSelector:
  #       matchExpressions:
  #         - key: vendor
  #           operator: In
  #           values:
  #             - OpenShift
# Previously provisioned clusters to import into ACM and manage from the hub.
# Each entry's kubeconfig is read from the Vault path given in kubeconfigVaultPath
# rather than committed here.
acmManagedClusters:
  clusters: []
  # This configuration can be used for use cases Pipeline/Secure Supply Chain
  #   - name: ztvp-spoke-1
  #     clusterGroup: devel
  #     labels:
  #       cloud: auto-detect
  #       vendor: auto-detect
  #     kubeconfigVaultPath: secret/data/hub/kubeconfig-spoke-1
  #   - name: ztvp-spoke-2
  #     clusterGroup: production
  #     labels:
  #       cloud: auto-detect
  #       vendor: auto-detect
  #     kubeconfigVaultPath: secret/data/hub/kubeconfig-spoke-2