sealed-secrets Helm chart (iamguarded)
Default values
```yaml
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets [array] Global Docker registry secret names as an array
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels [object] Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations [object] Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy [array] Array of extra objects to deploy with the release
##
extraDeploy: []
## @section Sealed Secrets Parameters
##

## Iamguarded Sealed Secrets image
## @param image.registry [default: REGISTRY_NAME] Sealed Secrets image registry
## @param image.repository [default: REPOSITORY_NAME/sealed-secrets] Sealed Secrets image repository
## @skip image.tag Sealed Secrets image tag (immutable tags are recommended)
## @param image.digest Sealed Secrets image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Sealed Secrets image pull policy
## @param image.pullSecrets [array] Sealed Secrets image pull secrets
## @param image.debug Enable Sealed Secrets image debug mode
##
image:
  registry: chainreg.biz
  repository: chainguard-private/sealed-secrets-controller-iamguarded
  tag: 0.37.0
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @param command [array] Override default container command (useful when using custom images)
##
command: []
## @param commandArgs [array] Additional args (doesn't override the default ones)
##
commandArgs: []
## @param args [array] Override default container args (useful when using custom images)
##
args: []
## @param revisionHistoryLimit Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
## e.g:
revisionHistoryLimit: ""
## @param createController Specifies whether the Sealed Secrets controller should be created
##
createController: true
## @param secretName The name of an existing TLS secret containing the key used to encrypt secrets
##
secretName: ""
## @param updateStatus Specifies whether the Sealed Secrets controller should update the status subresource
##
updateStatus: true
## @param skipRecreate Specifies whether the Sealed Secrets controller should skip recreating removed secrets
## Setting it to true allows to optionally restore backward compatibility in low privilege
## environments when old versions of the controller did not require watch permissions on secrets
## for secret re-creation.
##
skipRecreate: false
## @param keyRenewPeriod Specifies key renewal period. Default 30 days. e.g keyRenewPeriod: "720h30m"
##
keyRenewPeriod: ""
## @param rateLimit Number of allowed sustained requests per second for verify endpoint
##
rateLimit: ""
## @param rateLimitBurst Number of requests allowed to exceed the rate limit per second for verify endpoint
##
rateLimitBurst: ""
## @param additionalNamespaces List of namespaces used to manage the Sealed Secrets
##
additionalNamespaces: []
## @param privateKeyAnnotations Map of annotations to be set on the sealing keypairs
##
privateKeyAnnotations: {}
## @param privateKeyLabels Map of labels to be set on the sealing keypairs
##
privateKeyLabels: {}
## @param logInfoStdout Specifies whether the Sealed Secrets controller will log info to stdout
##
logInfoStdout: false
## @param containerPorts.http Controller HTTP container port to open
## @param containerPorts.metrics Controller metrics container port
##
containerPorts:
  http: 8080
  metrics: 8081
## Sealed Secret resource requests and limits
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
##
resourcesPreset: "nano"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure extra options for Sealed Secret containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on Sealed Secret containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param readinessProbe.enabled Enable readinessProbe on Sealed Secret containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 3
  successThreshold: 1
## @param startupProbe.enabled Enable startupProbe on Sealed Secret containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 15
  successThreshold: 1
## @param customLivenessProbe [object] Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param customReadinessProbe [object] Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param customStartupProbe [object] Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled Sealed Secret pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set Sealed Secret pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enabled Sealed Secret containers' Security Context
## @param containerSecurityContext.allowPrivilegeEscalation Whether the Sealed Secret container can escalate privileges
## @param containerSecurityContext.capabilities.drop Which privileges to drop in the Sealed Secret container
## @param containerSecurityContext.readOnlyRootFilesystem Whether the Sealed Secret container has a read-only root filesystem
## @param containerSecurityContext.runAsNonRoot Indicates that the Sealed Secret container must run as a non-root user
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set Sealed Secret containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set Sealed Secret containers' Security Context runAsGroup
## @param containerSecurityContext.seccompProfile.type Set Sealed Secret container's Security Context seccompProfile type
##
containerSecurityContext:
  enabled: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  seccompProfile:
    type: RuntimeDefault
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases [array] Sealed Secret pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param podLabels [object] Extra labels for Sealed Secret pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations [object] Annotations for Sealed Secret pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
  ##
  key: ""
  ## @param nodeAffinityPreset.values [array] Node label values to match. Ignored if `affinity` is set
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity [object] Affinity for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
##
affinity: {}
## @param nodeSelector [object] Node labels for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations [array] Tolerations for Sealed Secret pods assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param updateStrategy.type Sealed Secret statefulset strategy type
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param priorityClassName Sealed Secret pods' priorityClassName
##
priorityClassName: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param schedulerName Name of the k8s scheduler (other than default) for Sealed Secret pods
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Seconds the pod needs to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param lifecycleHooks [object] for the Sealed Secret container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraEnvVars Array with extra environment variables to add to Sealed Secret nodes
## e.g:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Sealed Secret nodes
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for Sealed Secret nodes
##
extraEnvVarsSecret: ""
## @param extraVolumes [array] Optionally specify extra list of additional volumes for the Sealed Secret pod(s)
##
extraVolumes: []
## @param extraVolumeMounts [array] Optionally specify extra list of additional volumeMounts for the Sealed Secret container(s)
##
extraVolumeMounts: []
## @param sidecars [object] Add additional sidecar containers to the Sealed Secret pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers [object] Add additional init containers to the Sealed Secret pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     command: ['sh', '-c', 'echo "hello world"']
##
initContainers: []
## @section Traffic Exposure Parameters
##

## Sealed Secret service parameters
##
service:
  ## @param service.type Sealed Secret service type
  ##
  type: ClusterIP
  ports:
    ## @param service.ports.http Sealed Secret service HTTP port number
    ##
    http: 8080
    ## @param service.ports.name Sealed Secret service HTTP port name
    ##
    name: http
  ## @param service.nodePorts.http Node port for HTTP
  ## Specify the nodePort value for the LoadBalancer and NodePort service types
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    http: ""
  ## @param service.clusterIP Sealed Secret service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP Sealed Secret service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerClass Sealed Secret service Load Balancer Class
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
  ##
  loadBalancerClass: ""
  ## @param service.loadBalancerSourceRanges [array] Sealed Secret service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Sealed Secret service external traffic policy
  ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations [object] Additional custom annotations for Sealed Secret service
  ##
  annotations: {}
  ## @param service.extraPorts Extra ports to expose in Sealed Secret service (normally used with the `sidecars` value)
  ##
  extraPorts: []
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
## Sealed Secret ingress parameters
## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for Sealed Secret
  ##
  enabled: false
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.hostname Default host for the ingress record
  ##
  hostname: sealed-secrets.local
  ## @param ingress.path Default path for the ingress record
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
  ##
  path: /
  ## @param ingress.annotations [object] Additional custom annotations for the ingress record
  ## NOTE: If `ingress.certManager=true`, annotation `kubernetes.io/tls-acme: "true"` will automatically be added
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting `ingress.certManager=true`
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts [array] An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: sealed-secrets.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths [array] An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls [array] TLS configuration for additional hostname(s) to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - sealed-secrets.local
  ##     secretName: sealed-secrets.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets [array] Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: sealed-secrets.local-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ##   - host: sealed-secrets.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: sealed-secrets
  ##           port:
  ##             name: http
  ##
  extraRules: []
## @section Other Parameters
##

## RBAC configuration
##
rbac:
  ## @param rbac.create Specifies whether RBAC resources should be created
  ##
  create: true
  ## @param rbac.pspEnabled PodSecurityPolicy
  ##
  pspEnabled: false
  ## @param rbac.clusterRole Specifies whether the Cluster Role resource should be created. If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.
  ##
  clusterRole: true
  ## @param rbac.clusterRoleName Specifies the name for the Cluster Role resource
  ##
  clusterRoleName: ""
  ## @param rbac.namespacedRoles Specifies whether the namespaced Roles should be created (in each of the specified additionalNamespaces). If both rbac.clusterRole and rbac.namespacedRoles are set to false no RBAC will be created.
  ##
  namespacedRoles: false
  ## @param rbac.namespacedRolesName Specifies the name for the namespaced Role resource
  ##
  namespacedRolesName: ""
  ## @param rbac.unsealer.rules Custom RBAC rules to set for unsealer ClusterRole
  ## @param rbac.keyAdmin.rules Custom RBAC rules to set for key-admin role
  ## @param rbac.serviceProxier.rules Custom RBAC rules to set for service-proxier role
  ## e.g:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  unsealer:
    rules: []
  keyAdmin:
    rules: []
  serviceProxier:
    rules: []
  ## @param rbac.labels Extra labels to be added to RBAC resources
  ##
  labels: {}
## ServiceAccount configuration
##
serviceAccount:
  ## @param serviceAccount.create Specifies whether a ServiceAccount should be created
  ##
  create: true
  ## @param serviceAccount.name The name of the ServiceAccount to use.
  ## If not set and create is true, a name is generated using the common.names.fullname template
  ##
  name: ""
  ## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
  ##
  annotations: {}
  ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ##
  automountServiceAccountToken: false
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the port the controller is
  ## listening on. When true, the controller accepts connections from any source (with the correct destination port).
  ##
  allowExternal: true
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
## @param pdb.create Enable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: ""
## @section Metrics parameters
##
metrics:
  ## @param metrics.enabled Sealed Secrets toggle metrics service definition
  enabled: false
  service:
    ## @param metrics.service.type Sealed Secrets metrics service type
    ##
    type: ClusterIP
    ## @param metrics.service.ports.metrics Sealed Secrets metrics service port
    ##
    ports:
      metrics: 8081
    ## @param metrics.service.externalTrafficPolicy Sealed Secrets metrics service external traffic policy
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param metrics.service.loadBalancerIP Sealed Secrets metrics service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param metrics.service.loadBalancerSourceRanges Sealed Secrets metrics service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param metrics.service.annotations Additional custom annotations for Sealed Secrets metrics service
    ##
    annotations: {}
  ## Prometheus Service Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Specify if a ServiceMonitor will be deployed for Prometheus Operator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    port:
      ## @param metrics.serviceMonitor.port.name Port name for the serviceMonitor
      name: "metrics"
      ## @param metrics.serviceMonitor.port.number Port number for the serviceMonitor
      number: 8081
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.annotations Additional ServiceMonitor annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## interval: 10s
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## scrapeTimeout: 10s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.relabelings Specify general relabeling
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
```

© 2026 Chainguard, Inc. All Rights Reserved.