mirror of
https://github.com/kubevela/kubevela.git
synced 2026-02-14 10:00:06 +00:00
d064d3dbd2
Some checks failed
Webhook Upgrade Validation / webhook-upgrade-check (push) Failing after 23s
* Feat: Add configurable timeout for admission webhooks Signed-off-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Chaitanyareddy0702 <chaitanyareddy0702@gmail.com> * Feat: Update admission webhook timeout configuration to use admissionWebhookTimeout variable Signed-off-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Chaitanyareddy0702 <chaitanyareddy0702@gmail.com> * Feat: Add admission webhook timeout parameter to README Signed-off-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Chaitanyareddy0702 <chaitanyareddy0702@gmail.com> * removed period in readme to run pipelines Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com> Signed-off-by: Chaitanyareddy0702 <chaitanyareddy0702@gmail.com> --------- Signed-off-by: Amit Singh <singhamitch@outlook.com> Signed-off-by: Chaitanyareddy0702 <chaitanyareddy0702@gmail.com> Signed-off-by: Vaibhav Agrawal <vaibhav.agrawal0096@gmail.com>
336 lines
14 KiB
YAML
336 lines
14 KiB
YAML
# Default values for kubevela.
|
|
# This is a YAML-formatted file.
|
|
# Declare variables to be passed into your templates.
|
|
|
|
## @section KubeVela core parameters
|
|
|
|
## @param systemDefinitionNamespace System definition namespace, if unspecified, will use built-in variable `.Release.Namespace`.
|
|
systemDefinitionNamespace:
|
|
|
|
## @param applicationRevisionLimit Application revision limit
|
|
applicationRevisionLimit: 2
|
|
|
|
## @param definitionRevisionLimit Definition revision limit
|
|
definitionRevisionLimit: 2
|
|
|
|
## @param concurrentReconciles concurrentReconciles is the concurrent reconcile number of the controller
|
|
concurrentReconciles: 4
|
|
|
|
## @param controllerArgs.reSyncPeriod The period for resync the applications
|
|
controllerArgs:
|
|
reSyncPeriod: 5m
|
|
|
|
|
|
## @section KubeVela workflow parameters
|
|
|
|
## @param workflow.enableSuspendOnFailure Enable suspend on workflow failure
|
|
## @param workflow.enableExternalPackageForDefaultCompiler Enable external package for default cuex compiler
|
|
## @param workflow.enableExternalPackageWatchForDefaultCompiler Enable external package watch for default cuex compiler
|
|
## @param workflow.backoff.maxTime.waitState The max backoff time of workflow in a wait condition
|
|
## @param workflow.backoff.maxTime.failedState The max backoff time of workflow in a failed condition
|
|
## @param workflow.step.errorRetryTimes The max retry times of a failed workflow step
|
|
workflow:
|
|
enableSuspendOnFailure: false
|
|
enableExternalPackageForDefaultCompiler: true
|
|
enableExternalPackageWatchForDefaultCompiler: false
|
|
backoff:
|
|
maxTime:
|
|
waitState: 60
|
|
failedState: 300
|
|
step:
|
|
errorRetryTimes: 10
|
|
|
|
|
|
## @section KubeVela controller parameters
|
|
|
|
## @param replicaCount KubeVela controller replica count
|
|
replicaCount: 1
|
|
|
|
## @param imageRegistry Image registry
|
|
imageRegistry: ""
|
|
## @param image.repository Image repository
|
|
## @param image.tag Image tag
|
|
## @param image.pullPolicy Image pull policy
|
|
image:
|
|
repository: oamdev/vela-core
|
|
tag: latest
|
|
pullPolicy: Always
|
|
|
|
## @param resources.limits.cpu KubeVela controller's cpu limit
|
|
## @param resources.limits.memory KubeVela controller's memory limit
|
|
## @param resources.requests.cpu KubeVela controller's cpu request
|
|
## @param resources.requests.memory KubeVela controller's memory request
|
|
resources:
|
|
limits:
|
|
cpu: 500m
|
|
memory: 1Gi
|
|
requests:
|
|
cpu: 50m
|
|
memory: 20Mi
|
|
|
|
## @param webhookService.type KubeVela webhook service type
|
|
## @param webhookService.port KubeVela webhook service port
|
|
webhookService:
|
|
type: ClusterIP
|
|
port: 9443
|
|
|
|
## @param healthCheck.port KubeVela health check port
|
|
healthCheck:
|
|
port: 9440
|
|
|
|
## @skip readinessProbe
|
|
readinessProbe:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 30
|
|
periodSeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
## @skip livenessProbe
|
|
livenessProbe:
|
|
failureThreshold: 3
|
|
initialDelaySeconds: 90
|
|
periodSeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
|
|
## @section KubeVela controller optimization parameters
|
|
##@param optimize.cachedGvks Optimize types of resources to be cached.
|
|
##@param optimize.markWithProb Optimize ResourceTracker GC by only run mark with probability. Side effect: outdated ResourceTracker might not be able to be removed immediately.
|
|
##@param optimize.disableComponentRevision Optimize componentRevision by disabling the creation and gc
|
|
##@param optimize.disableApplicationRevision Optimize ApplicationRevision by disabling the creation and gc.
|
|
##@param optimize.enableInMemoryWorkflowContext Optimize workflow by use in-memory context.
|
|
##@param optimize.disableResourceApplyDoubleCheck Optimize workflow by ignoring resource double check after apply.
|
|
##@param optimize.enableResourceTrackerDeleteOnlyTrigger Optimize resourcetracker by only trigger reconcile when resourcetracker is deleted.
|
|
optimize:
|
|
cachedGvks: ""
|
|
markWithProb: 0.1
|
|
disableComponentRevision: true
|
|
disableApplicationRevision: false
|
|
enableInMemoryWorkflowContext: false
|
|
disableResourceApplyDoubleCheck: false
|
|
enableResourceTrackerDeleteOnlyTrigger: true
|
|
|
|
##@param featureGates.gzipResourceTracker compress ResourceTracker using gzip (good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers.
|
|
##@param featureGates.zstdResourceTracker compress ResourceTracker using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge ResourceTrackers. Note that zstd will be prioritized if you enable other compression options.
|
|
##@param featureGates.applyOnce if enabled, the apply-once feature will be applied to all applications, no state-keep and no resource data storage in ResourceTracker
|
|
##@param featureGates.multiStageComponentApply if enabled, the multiStageComponentApply feature will be combined with the stage field in TraitDefinition to complete the multi-stage apply.
|
|
##@param featureGates.gzipApplicationRevision compress apprev using gzip (good) before being stored. This is reduces network throughput when dealing with huge apprevs.
|
|
##@param featureGates.zstdApplicationRevision compress apprev using zstd (fast and good) before being stored. This is reduces network throughput when dealing with huge apprevs. Note that zstd will be prioritized if you enable other compression options.
|
|
##@param featureGates.preDispatchDryRun enable dryrun before dispatching resources. Enable this flag can help prevent unsuccessful dispatch resources entering resourcetracker and improve the user experiences of gc but at the cost of increasing network requests.
|
|
##@param featureGates.validateComponentWhenSharding enable component validation in webhook when sharding mode enabled
|
|
##@param featureGates.disableWebhookAutoSchedule disable auto schedule for application mutating webhook when sharding enabled
|
|
##@param featureGates.disableBootstrapClusterInfo disable the cluster info bootstrap at the starting of the controller
|
|
##@param featureGates.informerCacheFilterUnnecessaryFields filter unnecessary fields for informer cache
|
|
##@param featureGates.sharedDefinitionStorageForApplicationRevision use definition cache to reduce duplicated definition storage for application revision, must be used with InformerCacheFilterUnnecessaryFields
|
|
##@param featureGates.disableWorkflowContextConfigMapCache disable the workflow context's configmap informer cache
|
|
##@param featureGates.enableCueValidation enable the strict cue validation for cue required parameter fields
|
|
##@param featureGates.enableApplicationStatusMetrics enable application status metrics and structured logging
|
|
##@param featureGates.validateResourcesExist enable webhook validation to check if resource types referenced in definition templates exist in the cluster
|
|
##@param
|
|
featureGates:
|
|
gzipResourceTracker: false
|
|
zstdResourceTracker: true
|
|
applyOnce: false
|
|
multiStageComponentApply: true
|
|
gzipApplicationRevision: false
|
|
zstdApplicationRevision: true
|
|
preDispatchDryRun: true
|
|
validateComponentWhenSharding: false
|
|
disableWebhookAutoSchedule: false
|
|
disableBootstrapClusterInfo: false
|
|
informerCacheFilterUnnecessaryFields: true
|
|
sharedDefinitionStorageForApplicationRevision: true
|
|
disableWorkflowContextConfigMapCache: true
|
|
enableCueValidation: false
|
|
enableApplicationStatusMetrics: false
|
|
validateResourcesExist: false
|
|
|
|
## @section MultiCluster parameters
|
|
|
|
## @param multicluster.enabled Whether to enable multi-cluster
|
|
## @param multicluster.metrics.enabled Whether to enable multi-cluster metrics collect
|
|
## @param multicluster.clusterGateway.direct controller will connect to ClusterGateway directly instead of going to Kubernetes APIServer
|
|
## @param multicluster.clusterGateway.replicaCount ClusterGateway replica count
|
|
## @param multicluster.clusterGateway.port ClusterGateway port
|
|
## @param multicluster.clusterGateway.image.repository ClusterGateway image repository
|
|
## @param multicluster.clusterGateway.image.tag ClusterGateway image tag
|
|
## @param multicluster.clusterGateway.image.pullPolicy ClusterGateway image pull policy
|
|
## @param multicluster.clusterGateway.resources.requests.cpu ClusterGateway cpu request
|
|
## @param multicluster.clusterGateway.resources.requests.memory ClusterGateway memory request
|
|
## @param multicluster.clusterGateway.resources.limits.cpu ClusterGateway cpu limit
|
|
## @param multicluster.clusterGateway.resources.limits.memory ClusterGateway memory limit
|
|
## @param multicluster.clusterGateway.secureTLS.enabled Whether to enable secure TLS
|
|
## @param multicluster.clusterGateway.secureTLS.certPath Path to the certificate file
|
|
## @param multicluster.clusterGateway.secureTLS.certManager.enabled Whether to enable cert-manager
|
|
## @param multicluster.clusterGateway.serviceMonitor.enabled Whether to enable service monitor
|
|
## @param multicluster.clusterGateway.serviceMonitor.additionalLabels Additional labels for service monitor
|
|
multicluster:
|
|
enabled: true
|
|
metrics:
|
|
enabled: false
|
|
clusterGateway:
|
|
direct: true
|
|
serviceMonitor:
|
|
enabled: false
|
|
additionalLabels: { }
|
|
replicaCount: 1
|
|
port: 9443
|
|
image:
|
|
repository: oamdev/cluster-gateway
|
|
tag: v1.9.0-alpha.2
|
|
pullPolicy: IfNotPresent
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 20Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 200Mi
|
|
secureTLS:
|
|
enabled: true
|
|
certManager:
|
|
enabled: false
|
|
certPath: /etc/k8s-cluster-gateway-certs
|
|
|
|
|
|
## @section Test parameters
|
|
|
|
## @param test.app.repository Test app repository
|
|
## @param test.app.tag Test app tag
|
|
## @param test.k8s.repository Test k8s repository
|
|
## @param test.k8s.tag Test k8s tag
|
|
test:
|
|
app:
|
|
repository: oamdev/hello-world
|
|
tag: v1
|
|
k8s:
|
|
repository: oamdev/alpine-k8s
|
|
tag: 1.18.2
|
|
|
|
|
|
## @section Common parameters
|
|
|
|
## @param imagePullSecrets Image pull secrets
|
|
imagePullSecrets: []
|
|
## @param nameOverride Override name
|
|
nameOverride: ""
|
|
## @param fullnameOverride Fullname override
|
|
fullnameOverride: ""
|
|
|
|
## @param serviceAccount.create Specifies whether a service account should be created
|
|
## @param serviceAccount.annotations Annotations to add to the service account
|
|
## @param serviceAccount.name The name of the service account to use. If not set and create is true, a name is generated using the fullname template
|
|
serviceAccount:
|
|
# Specifies whether a service account should be created
|
|
create: true
|
|
# Annotations to add to the service account
|
|
annotations: {}
|
|
# The name of the service account to use.
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
name:
|
|
|
|
## @skip podSecurityContext
|
|
podSecurityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
## @skip securityContext
|
|
securityContext: {}
|
|
# capabilities:
|
|
# drop:
|
|
# - ALL
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
## @param nodeSelector Node selector
|
|
nodeSelector: {}
|
|
|
|
## @param tolerations Tolerations
|
|
tolerations: []
|
|
|
|
## @param affinity Affinity
|
|
affinity: {}
|
|
|
|
## @param rbac.create Specifies whether a RBAC role should be created
|
|
rbac:
|
|
create: true
|
|
|
|
## @param logDebug Enable debug logs for development purpose
|
|
logDebug: false
|
|
|
|
## @param devLogs Enable formatted logging support for development purpose
|
|
devLogs: false
|
|
|
|
## @param logFilePath If non-empty, write log files in this path
|
|
logFilePath: ""
|
|
|
|
## @param logFileMaxSize Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.
|
|
logFileMaxSize: 1024
|
|
|
|
## @param admissionWebhookTimeout Timeout seconds for admission webhooks
|
|
admissionWebhookTimeout: 10
|
|
|
|
## @skip admissionWebhooks
|
|
admissionWebhooks:
|
|
enabled: true
|
|
failurePolicy: Fail
|
|
certificate:
|
|
mountPath: /etc/k8s-webhook-certs
|
|
patch:
|
|
enabled: true
|
|
image:
|
|
repository: oamdev/kube-webhook-certgen
|
|
tag: v2.4.1
|
|
pullPolicy: IfNotPresent
|
|
nodeSelector: {}
|
|
affinity: {}
|
|
tolerations: []
|
|
appConversion:
|
|
enabled: false
|
|
certManager:
|
|
enabled: false
|
|
revisionHistoryLimit: 3
|
|
|
|
## @param kubeClient.qps The qps for reconcile clients
|
|
## @param kubeClient.burst The burst for reconcile clients
|
|
kubeClient:
|
|
qps: 400
|
|
burst: 600
|
|
|
|
## @param authentication.enabled Enable authentication framework for applications
|
|
## SECURITY NOTE: When enabled WITH authentication.withUser=true, KubeVela impersonates the requesting user
|
|
## when deploying resources, ensuring that users cannot deploy resources beyond their RBAC permissions.
|
|
## This is strongly recommended when KubeVela has cluster-admin or other high-level permissions.
|
|
## @param authentication.withUser Application authentication will impersonate as the request User (must be true for security)
|
|
## @param authentication.defaultUser Application authentication will impersonate as the User if no user provided or withUser is false
|
|
## @param authentication.groupPattern Application authentication will impersonate as the request Group that matches the pattern
|
|
authentication:
|
|
enabled: false
|
|
withUser: true
|
|
defaultUser: kubevela:vela-core
|
|
groupPattern: kubevela:*
|
|
|
|
## @param authorization.definitionValidationEnabled Enable definition permission validation for RBAC checks on definitions
|
|
## SECURITY NOTE: If KubeVela is running with cluster-admin or high-level permissions,
|
|
## consider enabling this feature and/or authentication.enabled for security:
|
|
## - This feature: Validates users can only reference definitions they have RBAC access to
|
|
## - authentication.enabled: Makes KubeVela impersonate users, applying their full RBAC permissions
|
|
## Both features can be used together for defense in depth.
|
|
authorization:
|
|
definitionValidationEnabled: false
|
|
|
|
## @param sharding.enabled When sharding enabled, the controller will run as master mode. Refer to https://github.com/kubevela/kubevela/blob/master/design/vela-core/sharding.md for details.
|
|
## @param sharding.schedulableShards The shards available for scheduling. If empty, dynamic discovery will be used.
|
|
sharding:
|
|
enabled: false
|
|
schedulableShards: ""
|
|
|
|
## @param core.metrics.enabled Enable metrics for vela-core
|
|
## @param core.metrics.serviceMonitor.enabled Enable service monitor for metrics
|
|
## @param core.metrics.serviceMonitor.additionalLabels Additional labels for service monitor
|
|
core:
|
|
metrics:
|
|
enabled: false
|
|
serviceMonitor:
|
|
enabled: false
|
|
additionalLabels: {} |