## edp-install configuration
## Ref: https://github.com/epam/edp-install
##
##
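global:
  # -- platform type that can be "kubernetes" or "openshift"
  platform: "kubernetes"
  # -- a cluster DNS wildcard name
  dnsWildCard:
  # Specifies the URL of the API Gateway used by widgets in the platform.
  # The 'apiGatewayUrl' should be set to the external URL of the KrakenD API Gateway exposed via Ingress.
  # Example: https://api.domain.example.com
  # By default, this value is left empty, and widgets are disabled.
  # -- API Gateway URL configuration for Widget Functionality
  apiGatewayUrl: ""
  # -- Define the list of available remote clusters to deploy applications. Example: "cluster1, cluster2, cluster3"
  availableClusters: ""
  # Specify the admin OIDC group name. If empty, the default is {{ .Release.Namespace }}-oidc-admins.
  adminGroupName: ""
  # Specify the developer OIDC group name. If empty, the default is {{ .Release.Namespace }}-oidc-developers.
  developerGroupName: ""
  # Specify the viewer OIDC group name. If empty, the default is {{ .Release.Namespace }}-oidc-viewers.
  viewerGroupName: ""
  # -- Can be gerrit, github, gitlab or bitbucket. Default: github
  gitProviders:
    - github
    # - gitlab
    # - gerrit
    # - bitbucket
  # Define the Image Registry that will be used in Pipelines.
  # This section is optional, and users can configure the registry within the KubeRocketCI Portal user interface.
  # Ref: https://docs.kuberocketci.io/docs/user-guide/manage-container-registries#add-container-registry
  #
  # For example, to integrate the platform with ECR and publish images under the 'edp' prefix:
  # dockerRegistry:
  #   type: "ecr"
  #   url: "<aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com"
  #   space: "edp"
  #   awsRegion: "eu-central-1"
  # As a result all image artifacts are published under "<aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com/edp/simple-project:0.1.0-SNAPSHOT.1"
  #
  # For example, to integrate the platform with Harbor and publish images under the 'edp' project name:
  # dockerRegistry:
  #   type: "harbor"
  #   url: "registry.example.com"
  #   space: "edp"
  # As a result all image artifacts are published under https://registry.example.com/edp/simple-project
  #
  # For example, to integrate the platform with Docker Hub and publish images under the 'my_user' account:
  # dockerRegistry:
  #   type: "dockerhub"
  #   url: "docker.io"
  #   space: "my_user"
  # As a result all image artifacts are published under https://hub.docker.com/repository/docker/my_user
  #
  # For example, to integrate the platform with OpenShift and publish images under the 'edp' project name:
  # dockerRegistry:
  #   type: "openshift"
  #   url: "image-registry.openshift-image-registry.svc:5000"
  #   space: "edp"
  # By default, the Kubernetes Service Account has the ability to push images to the registry
  # within the namespace where KubeRocketCI is installed.
  # Ref: https://github.com/epam/edp-tekton/blob/master/charts/pipelines-library/templates/resources/rolebinding-tekton-registry-editor.yaml
  #
  # For example, to integrate the platform with Nexus and publish images under the 'edp' project name:
  # dockerRegistry:
  #   type: "nexus"
  #   url: "nexus-container.example.com"
  #   space: "edp"
  # As a result all image artifacts are published under https://nexus-container.example.com/edp
  #
  # For example, to integrate the platform with GitHub Container Registry and publish images under the 'my_user' project name:
  # dockerRegistry:
  #   type: "ghcr"
  #   url: "ghcr.io"
  #   space: "my_user"
  # As a result all image artifacts are published under https://github.com/users/my_user/packages/container/package/simple-project
  dockerRegistry:
    # -- Defines type of registry. One of `ecr`, `harbor`, `dockerhub`, `openshift`, `nexus` or `ghcr`.
    # The 'openshift' registry is available only when the platform is deployed on an OpenShift cluster and global.platform is set to 'openshift'.
    type: ""
    # Below is an example of endpoint values for each registry type:
    # type:     | url
    # =============================
    # ecr       | <aws_account_id>.dkr.ecr.<aws_region>.amazonaws.com
    # harbor    | <registry.example.com>
    # dockerhub | 'docker.io'
    # openshift | <image-registry.openshift-image-registry.svc:5000>
    # nexus     | <nexus-container.example.com>
    # ghcr      | 'ghcr.io'
    # -- Defines registry endpoint URL.
    url: ""
    # Below is a description of space values for each registry type:
    # type:     | description
    # =================================================
    # ecr       | The suffix project name in registry.
    # harbor    | The project name in registry.
    # dockerhub | The user account id or community user account id with push permission.
    # openshift | The project name in registry.
    # nexus     | The project name in registry.
    # ghcr      | The user account id or community user account id with push permission.
    # -- Defines project name.
    space: ""
    # -- Defines the geographic area where the (AWS) Elastic Container Registry repository is hosted (optional). E.g. "eu-central-1".
    # Mandatory if 'global.dockerRegistry.type=ecr' for the kaniko build-task.
    # Ref: https://github.com/epam/edp-tekton/blob/release/0.10/charts/pipelines-library/templates/tasks/kaniko.yaml#L73
    awsRegion: ""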
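# Configure External Secrets Operator to provision secrets for the Platform and/or KubeRocketCI. Requires an External Secrets Operator deployment: https://docs.kuberocketci.io/docs/operator-guide/secrets-management/install-external-secrets-operator
# https://external-secrets.io/latest/provider-aws-secrets-manager/
# Description of secrets that can be created using this approach is available in the documentation: https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration
externalSecrets:
  # -- Configure External Secrets for KubeRocketCI platform. Deploy SecretStore. Default: false
  enabled: false
  # -- Defines provider type. One of `aws` or `generic`.
  type: "aws"
  secretProvider:
    aws:
      # -- Use AWS as a Secret Provider. Can be ParameterStore or SecretsManager
      service: ParameterStore
      # -- IAM Role to be used for accessing AWS Parameter Store or Secrets Manager. Format: arn:aws:iam::<AWS_ACCOUNT_ID>:role/<AWS_IAM_ROLE_NAME>
      # Scope this role to the parameters/secrets the platform needs; it is the identity every ExternalSecret in the release reads with.
      role:
      # -- AWS Region where secrets are stored, e.g. eu-central-1
      region: eu-central-1
    generic:
      # Defines Secret Store configuration. Used when externalSecrets.type is set to "generic".
      secretStore:
        # -- Defines SecretStore name.
        name: "example-secret-store"
        # -- Defines SecretStore provider configuration.
        providerConfig: {}
        # gcpsm:
        #   projectID: "alphabet-123"
  # When installing KubeRocketCI, the required secrets must be created: ci-argocd, ci-defectdojo, ci-dependency-track, kaniko-docker-config and others.
  # See https://github.com/epam/edp-install/tree/master/deploy-templates/templates/external-secrets, https://docs.kuberocketci.io/docs/operator-guide/secrets-management/external-secrets-operator-integration
  # manageEDPInstallSecrets creates the required secrets using the External Secrets Operator.
  # Ensure the external secret source is configured properly.
  # -- Create necessary secrets for KubeRocketCI installation, using External Secret Operator
  manageEDPInstallSecrets: true
  # -- Value name in AWS ParameterStore or AWS SecretsManager. Used when manageEDPInstallSecrets is true
  manageEDPInstallSecretsName: /edp/deploy-secrets
  # -- Value name holding the CodeMie secrets. Used when manageEDPInstallSecrets is true
  manageCodemieSecretsName: /edp/codemie-secrets
  # -- Value name holding the Git provider secrets. Used when manageEDPInstallSecrets is true
  manageGitProviderSecretsName: /edp/git-provider-secrets
  # NOTE(review): presumably annotations applied to the ExternalSecret/SecretStore resources — confirm against templates/external-secrets
  annotations: {}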
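codebase-operator:
  enabled: true
  # image:
  #   repository: epamedp/codebase-operator
  #   tag:
  # envs:
  #   - name: RECONCILATION_PERIOD
  #     value: "360" # The value should be typed in minutes
  #   # Maximum number of parallel codebasebranch reconciliations
  #   - name: CODEBASE_BRANCH_MAX_CONCURRENT_RECONCILES
  #     value: "3" # container env values must be strings; an unquoted 3 is rejected by the Pod schema
  # jira:
  #   integration: false
  #   name: "jira"
  #   apiUrl: "https://jiraeu-api.example.com"
  #   rootUrl: "https://jiraeu.example.com"
  #   credentialName: "ci-jira"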
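cd-pipeline-operator:
  enabled: true
  # image:
  #   repository: epamedp/cd-pipeline-operator
  #   tag:
  # -- Defines the type of the tenant engine that can be "none", "kiosk" or "capsule";
  # for Stages with an external cluster tenancyEngine will be ignored. Default: none
  tenancyEngine: "none"
  # -- Requires tenancyEngine: capsule. Specify the Capsule Tenant specification for Environments.
  capsuleTenant:
    # Enable Capsule Tenant creation as a part of the cd-pipeline-operator deployment. Active if tenancyEngine="capsule"
    create: true
    spec:
    # ingressOptions:
    #   allowWildcardHostnames: false
    #   allowedHostnames:
    #     # Enable restriction pattern for ingress hostname creation.
    #     # NOTE: escape the dots and anchor the domain (e.g. ^.*\.example\.com$); an unescaped
    #     # pattern such as ^.*example.com$ also admits hosts like "evil-example-com".
    #     allowedRegex: ^.*example.com$
    #   hostnameCollisionScope: Tenant
    # limitRanges:
    #   items:
    #     - limits:
    #         # Default limits for container if not specified in upstream manifest
    #         - default:
    #             cpu: 256m
    #             memory: 512Mi
    #           # Default requests for container if not specified in upstream manifest
    #           defaultRequest:
    #             cpu: 128m
    #             memory: 128Mi
    #           type: Container
    #     # Manage PVC creation
    #     - limits:
    #         - max:
    #             storage: 0Gi
    #           min:
    #             storage: 0Gi
    #           type: PersistentVolumeClaim
    # # Maximum count of namespaces to be created by cd-pipeline-operator
    # namespaceOptions:
    #   quota: 3
    # networkPolicies:
    #   items:
    #     - ingress:
    #         - from:
    #             - namespaceSelector:
    #                 matchLabels:
    #                   # Please fill in the namespace for the match selector
    #                   capsule.clastix.io/tenant: <namespace>
    #             - podSelector: {}
    #             - ipBlock:
    #                 cidr: 172.16.0.0/16
    #       podSelector: {}
    #       policyTypes:
    #         - Ingress
    # resourceQuotas:
    #   items:
    #     - hard:
    #         limits.cpu: 512m
    #         limits.memory: 512Mi
    #     - hard:
    #         # Maximum count of pods to be deployed
    #         pods: '5'
    #   scope: Tenant
    # serviceOptions:
    #   allowedServices:
    #     # Restrict 'externalName', 'LoadBalancer' and 'NodePort' service type creation
    #     externalName: false
    #     loadBalancer: false
    #     nodePort: false
  # -- should the operator manage (create/delete) namespaces for stages
  # Refer to the guide for managing namespaces (https://docs.kuberocketci.io/docs/operator-guide/auth/namespace-management)
  manageNamespace: true
  # -- Flag indicating whether the operator should manage secrets for stages.
  # This parameter controls the provisioning of the 'regcred' secret within deployed environments, facilitating access to private container registries.
  # Set the parameter to "none" under the following conditions:
  # - If 'global.dockerRegistry.type=ecr' and IRSA is enabled, or
  # - If 'global.dockerRegistry.type=openshift'.
  # For private registries, choose the most appropriate method to provide credentials to deployed environments. Refer to the guide for managing container registries (https://docs.kuberocketci.io/docs/user-guide/manage-container-registries).
  # Possible values: own/eso/none.
  # - own: Copies the secret once from the parent namespace, without subsequent reconciliation. If updated in the parent namespace, manual updating in all created namespaces is required (a rotated registry credential is therefore not propagated automatically).
  # - eso: The secret will be managed by the External Secrets Operator (requires installation and configuration in the cluster: https://docs.kuberocketci.io/docs/operator-guide/secrets-management/install-external-secrets-operator).
  # - none: Disables secrets management logic.
  secretManager: own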
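gerrit-operator:
  enabled: false
  # image:
  #   repository: epamedp/gerrit-operator
  #   tag:
  # gerrit:
  #   deploy: true
  #   name: "gerrit"
  #   image: "openfrontier/gerrit"
  #   version:
  #   imagePullSecrets:
  #   storage:
  #     size: 1Gi
  #     class: gp2
  # gerrit:
  #   # Provide external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
  #   ingress:
  #     # -- Enable external endpoint access. Default Ingress/Route host pattern: gerrit-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
  #     annotations: {}
  #     # -- pathType is only for k8s >= 1.18
  #     pathType: Prefix
  #     # -- For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  #     # -- See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  #     # ingressClassName: nginx
  #     tls: []
  #     # - secretName: chart-example-tls
  #     #   hosts:
  #     #     - gerrit-edp.example.com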
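edp-headlamp:
  enabled: true
  ingress:
    # -- Enable external endpoint access. Default Ingress/Route host pattern: portal-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
    enabled: true
    # -- Annotations for Ingress resource
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # -- Hostname(s) for the Ingress resource
    # NOTE(review): no hosts key follows this comment; the host appears to come from the pattern above — confirm in the ingress template
    # -- Ingress TLS configuration
    tls: []
    # - secretName: chart-example-tls
    #   hosts:
    #     - portal-edp.example.com
  config:
    # -- base URL path at which headlamp should run
    baseURL: ""
    # -- Ensure that the specified client is associated with the cluster OIDC integration.
    # -- For detailed instructions, refer to: https://docs.kuberocketci.io/docs/operator-guide/auth/configure-keycloak-oidc-eks, https://docs.kuberocketci.io/docs/operator-guide/auth/ui-portal-oidc
    oidc:
      # Enable OIDC integration. Default: false
      enabled: false
      # -- OIDC Issuer URL for authentication.
      # -- This URL identifies the OpenID Connect provider endpoint. Examples:
      # -- Keycloak: https://keycloak.example.com/auth/realms/<realm-name>
      # -- Azure Entra: https://sts.windows.net/<tenant-id>/
      issuerUrl: ""
      # -- OIDC client ID
      clientID: ""
      # -- Name of the Kubernetes Secret holding the OIDC client secret (the secret value itself is not stored in values)
      clientSecretName: "keycloak-client-headlamp-secret"
      # -- Key inside that Secret holding the OIDC client secret
      clientSecretKey: "clientSecret"
      # -- OIDC scopes to be used
      scopes: ""
  # image:
  #   repository: epamedp/edp-headlamp
  #   tag: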
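edp-tekton:
  enabled: true
  pipelines:
    image:
      # -- Registry for tekton pipelines images. Default: docker.io
      registry: "docker.io"
    # -- This section contains the list of pipelines and tasks that will be installed.
    deployableResources:
      # -- This flag controls the installation of the tasks.
      tasks: true
      # -- This flag controls the installation of the Deploy pipelines.
      deploy: true
      # -- This section controls the installation of the review and build pipelines.
      c:
        cmake: true
        make: true
      cs:
        dotnet3.1: false
        dotnet6.0: false
      docker: true
      groovy: true
      go:
        beego: true
        gin: true
        operatorsdk: true
      helm: true
      helm-pipeline: true
      infrastructure: true
      java:
        java8: false
        java11: true
        java17: true
      js:
        angular: true
        antora: true
        express: true
        next: true
        react: true
        vue: true
      opa: false
      python:
        ansible: true
        flask: true
        fastapi: true
        python3.8: false
      terraform: true
    # -- This section allows determining on which nodes to run tekton pipelines
    # NOTE(review): the default is an empty sequence while the example below is a mapping — confirm which shape the template expects
    podTemplate: []
    # nodeSelector:
    #   role: tekton
    # tolerations:
    #   - effect: NoSchedule
    #     key: role
    #     operator: Equal
    #     value: tekton
  tekton-cache:
    # Deploy the tekton-cache helm chart.
    enabled: true
    # Tekton cache endpoint for the pipelines-library helm chart. See charts/pipelines-library/templates/resources/cm-tekton-cache.yaml
    # url: http://tekton-cache:8080
  dashboard:
    # -- Deploy Tekton Dashboard as a part of the pipeline library when true. Default: false
    # -- WARNING: Default deployment of the dashboard does not involve any proxy and may be accessible to the public.
    # -- To enable proxy protection use the openshift_proxy or sso.enabled sections.
    # -- More details:
    # -- https://docs.kuberocketci.io/docs/operator-guide/auth/oauth2-proxy
    enabled: false
    # -- Define mode for Tekton Dashboard. Enable/disable capability to create/modify/remove Tekton objects via Tekton Dashboard. Default: false.
    # With readOnly: false and no authentication proxy in front, anyone reaching the Ingress can create and run PipelineRuns.
    readOnly: false
    # -- Make it possible to use OpenShift as OIDC provider to hide tekton-dashboard.
    # -- Only for the OpenShift deploy scenario.
    # -- For the EKS scenario, uncomment the dashboard.ingress.annotations block.
    # -- More details:
    # -- https://docs.kuberocketci.io/docs/operator-guide/auth/oauth2-proxy#enable-oauth2-proxy-on-tekton-dashboard
    openshift_proxy:
      # -- Enable oauth-proxy to include an authorization layer on tekton-dashboard. Default: false
      enabled: false
    ingress:
      # -- Enable external endpoint access. Default Ingress/Route host pattern: tekton-{{ .Release.Namespace }}.{{ .Values.global.dnsWildCard }}
      enabled: true
      # -- Annotations for Ingress resource
      annotations: {}
      # -- Uncomment it to enable tekton-dashboard OIDC on an EKS cluster
      # nginx.ingress.kubernetes.io/auth-signin: 'https://<oauth-ingress-host>/oauth2/start?rd=https://$host$request_uri'
      # nginx.ingress.kubernetes.io/auth-url: 'http://oauth2-proxy.edp.svc.cluster.local:8080/oauth2/auth'
      tls: []
      # - secretName: chart-example-tls
      #   hosts:
      #     - tekton-edp.example.com
  # -- Enable integration of tekton-pipelines metrics with the Prometheus and Grafana monitoring stack
  # -- More details:
  # -- https://docs.kuberocketci.io/docs/operator-guide/ci/tekton-monitoring
  grafana:
    enabled: false
    # -- Labels applied to the ServiceMonitor resource.
    # -- These labels are used by Prometheus to discover and integrate the ServiceMonitor into its configuration.
    # -- The labels must match the Prometheus release labels.
    # serviceMonitor:
    #   prometheusReleaseLabels:
    #     release: prom
  # GitServers configuration section
  # GitServer creation depends on the gitProviders configuration: if the gitProvider is not enabled,
  # the GitServer will not be created.
  gitServers: {}
  # my-github:
  #   gitProvider: github
  #   host: github.com
  #   webhook:
  #     # Keep false: skipping TLS verification on webhook traffic removes server authentication for the Git host.
  #     skipWebhookSSLVerification: false
  #   eventListener:
  #     # -- Enable EventListener
  #     enabled: true
  #     # -- EventListener resources
  #     resources:
  #       requests:
  #         memory: "64Mi"
  #         cpu: "50m"
  #       limits:
  #         memory: "128Mi"
  #         cpu: "500m"
  #     # -- Node labels for EventListener pod assignment
  #     nodeSelector: {}
  #     # -- Tolerations for EventListener pod assignment
  #     tolerations: []
  #     # -- Affinity for EventListener pod assignment
  #     affinity: {}
  #     ingress:
  #       # -- Enable ingress controller resource
  #       enabled: true
  #       # -- Ingress annotations
  #       annotations: {}
  #       # -- Ingress TLS configuration
  #       tls: []
  # my-gitlab:
  #   gitProvider: gitlab
  #   host: gitlab.com
  #   webhook:
  #     skipWebhookSSLVerification: false
  #   eventListener:
  #     # -- Enable EventListener
  #     enabled: true
  #     # -- EventListener resources
  #     resources:
  #       requests:
  #         memory: "64Mi"
  #         cpu: "50m"
  #       limits:
  #         memory: "128Mi"
  #         cpu: "500m"
  #     # -- Node labels for EventListener pod assignment
  #     nodeSelector: {}
  #     # -- Tolerations for EventListener pod assignment
  #     tolerations: []
  #     # -- Affinity for EventListener pod assignment
  #     affinity: {}
  #     ingress:
  #       # -- Enable ingress controller resource
  #       enabled: true
  #       # -- Ingress annotations
  #       annotations: {}
  #       # -- Ingress TLS configuration
  #       tls: []
  # my-gerrit:
  #   gitProvider: gerrit
  #   host: gerrit.example.com
  #   gitUser: ci-user
  #   httpsPort: 443
  #   nameSshKeySecret: gerrit-ciuser-sshkey
  #   sshPort: 30022
  #   webhook:
  #     skipWebhookSSLVerification: false
  #   eventListener:
  #     # -- Enable EventListener
  #     enabled: true
  #     # -- EventListener resources
  #     resources:
  #       requests:
  #         memory: "64Mi"
  #         cpu: "50m"
  #       limits:
  #         memory: "128Mi"
  #         cpu: "500m"
  #     # -- Node labels for EventListener pod assignment
  #     nodeSelector: {}
  #     # -- Tolerations for EventListener pod assignment
  #     tolerations: []
  #     # -- Affinity for EventListener pod assignment
  #     affinity: {}
  #     ingress:
  #       # -- Enable ingress controller resource
  #       enabled: true
  #       # -- Ingress annotations
  #       annotations: {}
  #       # -- Ingress TLS configuration
  #       tls: []
  # my-bitbucket:
  #   gitProvider: bitbucket
  #   host: bitbucket.org
  #   webhook:
  #     skipWebhookSSLVerification: false
  #   eventListener:
  #     # -- Enable EventListener
  #     enabled: true
  #     # -- EventListener resources
  #     resources:
  #       requests:
  #         memory: "64Mi"
  #         cpu: "50m"
  #       limits:
  #         memory: "128Mi"
  #         cpu: "500m"
  #     # -- Node labels for EventListener pod assignment
  #     nodeSelector: {}
  #     # -- Tolerations for EventListener pod assignment
  #     tolerations: []
  #     # -- Affinity for EventListener pod assignment
  #     affinity: {}
  #     ingress:
  #       # -- Enable ingress controller resource
  #       enabled: true
  #       # -- Ingress annotations
  #       annotations: {}
  #       # -- Ingress TLS configuration
  #       tls: []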
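# -- Define platform Quick Links, more details: https://github.com/epam/edp-codebase-operator/
# @default -- ``
quickLinks:
# argocd: ""
# defectdojo: ""
# dependency_track: ""
# docker_registry: ""
# grafana: ""
# opensearch: ""
# nexus: ""
# sonar: ""
# codemie: ""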
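# -- Define extra Quick Links, more details: https://github.com/epam/edp-codebase-operator/
# NOTE(review): the default is an empty mapping while the example below is a sequence of mappings — confirm which shape the template expects
extraQuickLinks: {}
# - prometheus:
#     url: https://ingress-prometheus.example.com
#     visible: true
#     icon: icon_in_base64
# - another_tool:
#     url: https://ingress-anothertool.example.com
#     visible: true
#     icon: icon_in_base64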
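# -- Array of extra K8s manifests to deploy
# Entries may be given as YAML objects or as raw manifest strings (see the second example).
extraObjects: []
# - apiVersion: external-secrets.io/v1beta1
#   kind: ExternalSecret
#   metadata:
#     name: example-secret-1
#   spec:
#     data:
#       - remoteRef:
#           key: /edp/deploy-secrets
#           property: example-secret-1.username
#         secretKey: username
#       - remoteRef:
#           key: /edp/deploy-secrets
#           property: example-secret-1.password
#         secretKey: password
#     secretStoreRef:
#       kind: SecretStore
#       name: example-parameterstore
# - |
#   apiVersion: external-secrets.io/v1beta1
#   kind: ExternalSecret
#   metadata:
#     name: example-secret-2
#   spec:
#     data:
#       - remoteRef:
#           key: /edp/deploy-secrets
#           property: example-secret-2.username
#         secretKey: username
#       - remoteRef:
#           key: /edp/deploy-secrets
#           property: example-secret-2.password
#         secretKey: password
#     secretStoreRef:
#       kind: SecretStore
#       name: example-parameterstore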