---
# Helm values override for a Passmower deployment. Judging by the settings
# below, Passmower manages OIDC users and clients through Kubernetes CRDs and
# signs users in via GitHub and e-mail, so this file configures an
# authentication service and should be reviewed as such.
nameOverride: ""
fullnameOverride: ""

passmower:
  # Hostname on which Passmower will be deployed. Used as the ingress host.
  host: "auth.k-space.ee"
  # Local groups will be created with the given prefix.
  group_prefix: 'k-space'
  # Local or remote group whose members automatically become admins.
  # NOTE(review): membership of this group is what grants admin rights, so who
  # can add members to it is the effective admin-assignment control - confirm.
  admin_group: 'k-space:onboarding'
  # If set, require all users to be members of the given local or remote group.
  # required_group: ""
  # GitHub organization to pull groups from. Set to keep users' other
  # organizations private from Passmower.
  github_organization: "codemowers"
  # Allow enrolling new users automatically. Actual access will be based on the
  # required_group parameter. Disable to only provision users manually.
  # NOTE(review): required_group is commented out above, so if this is ever
  # switched to true there is no group gate on enrollment in these values.
  enroll_users: false
  # Disable making changes to users on their profile or via the admin panel -
  # use for enforcing GitOps practices via the OIDCUser spec.
  disable_frontend_edit: true
  # Comma-separated, wildcard-enabled selector for the namespaces in which
  # Passmower looks for client CRDs.
  # NOTE(review): "*" matches every namespace, so anyone allowed to create
  # client CRDs in any namespace can presumably register a client. Confirm
  # that RBAC on those CRDs is tight, or narrow the selector.
  namespace_selector: "*"
  # Domain which will be preferred for determining primary emails.
  preferred_email_domain: 'k-space.ee'
  # Require users to set a custom username instead of a system-generated one.
  # It will be used as the OIDCUser CRD name and the OIDC username claim.
  require_custom_username: true
  # Normalize incoming email addresses by removing aliases
  # (e.g. username+alias@gmail.com) etc.
  # Left disabled: enabling it makes members unable to log in, because e-mails
  # are stored unnormalized in the OIDCUser CRD. Normalizing them by force has
  # had regressions elsewhere.
  normalize_email_addresses: false
  # The three *_secretRef values below are Secret names only; the credentials
  # themselves are not part of this file and should stay that way.
  # Email credentials secret name. Secret must contain EMAIL_HOST,
  # EMAIL_PASSWORD, EMAIL_PORT, EMAIL_SSL and EMAIL_USERNAME.
  email_credentials_secretRef: "email-credentials"
  # GitHub OAuth client secret name. Secret must contain GH_CLIENT_ID and
  # GH_CLIENT_SECRET.
  github_client_secretRef: "github-client"
  # Slack API client secret name. Secret must contain SLACK_TOKEN.
  slack_client_secretRef: "slack-client"
  # Different texts displayed and sent to the user.
  texts:
    approval:
      configMapRef:
        name: passmower-approval
    emails:
      configMapRef:
        name: passmower-email-templates
    terms_of_service:
      configMapRef:
        name: passmower-tos
    # Given inline rather than through a configMapRef like the entries above.
    # "content" is indented deeper than its siblings' children; this is still
    # valid YAML.
    disable_frontend_edit:
        content: "Edit users via [the members repo](https://git.k-space.ee/k-space/members). The repository is automatically synced to cluster via [ArgoCD](https://argocd.k-space.ee/applications/argocd/members?view=tree&resource=)"


# Redis backend selection: only "external" is enabled in these values.
redis:
  # Requires the Codemowers redis-operator to be installed:
  # https://github.com/codemowers/operatorlib/tree/main/samples/redis-operator
  redisClaim:
    enabled: false
    spec:
      capacity: 100Mi
      class: ephemeral
  # Deploys a simple, non-persistent Redis deployment.
  internal:
    enabled: false
  # Use your own implementation - just provide a secret with a valid Redis URL.
  # NOTE(review): a Redis URL commonly embeds the password, so treat the
  # REDIS_URI key as a credential; whether the connection uses TLS cannot be
  # told from this file - confirm.
  external:
    enabled: true
    secretKeyRef:
      name: "dragonfly-auth"
      key: "REDIS_URI"

# NOTE(review): port 80 suggests plain HTTP between the ingress controller and
# the pods, with TLS presumably terminated at Traefik (see the websecure
# entrypoint below) - confirm this is acceptable for in-cluster traffic.
service:
  type: ClusterIP
  port: 80

ingress:
  # Empty className; the controller is selected through the legacy
  # kubernetes.io/ingress.class annotation below, which Kubernetes has
  # deprecated in favour of spec.ingressClassName.
  className: ""
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    # NOTE(review): auth2.k-space.ee gets a DNS record here, but passmower.host
    # above names only auth.k-space.ee. Confirm that auth2 is routed by an
    # ingress rule and is an expected origin/redirect host for the service.
    external-dns.alpha.kubernetes.io/hostname: auth.k-space.ee,auth2.k-space.ee
  tls:
    # No secretName is given for this entry, so the certificate presumably
    # comes from the ingress controller's default (wildcard) certificate -
    # confirm.
    - hosts:
        - "*.k-space.ee"

# The image override is disabled, so the chart's default image and tag apply.
# NOTE(review): "develop" looks like a mutable tag; if this block is ever
# enabled, prefer a fixed version tag or an image digest.
# image:
#   repository: docker.com/passmower/passmower
#   pullPolicy: IfNotPresent
#   # Overrides the image tag whose default is the chart appVersion.
#   tag: "develop"

# NOTE(review): both security contexts are empty, so these values request no
# pod- or container-level hardening. Unless the chart templates set their own
# defaults, consider runAsNonRoot, allowPrivilegeEscalation: false,
# readOnlyRootFilesystem, capabilities.drop [ALL] and a RuntimeDefault
# seccompProfile, after verifying that the image runs under them.
podSecurityContext: {}

securityContext: {}

replicaCount: 4

# NOTE(review): no requests or limits are set here; for an authentication
# service, explicit values help keep it schedulable and bounded under load.
resources: {}

nodeSelector: {}

tolerations: []

# NOTE(review): with no affinity rules, nothing in these values prevents the
# four replicas from being scheduled onto the same node.
affinity: {}