#@data/values
---
#! Sample data-values file for a CF installation (ytt data values; "#!" lines are ytt comments and are
#! stripped from the rendered output).
#! Every value below is a placeholder: replace each password, secret, key and certificate with a unique,
#! per-installation value and keep the populated copy of this file out of version control.
#! Used by any component that has an external interface. It is used for traffic to system components of CF.
#! - usually you'll want to configure a DNS entry for *.<system_domain> to point to the cluster's external load balancer
system_domain: system.cf.example.com
#! The root domains used for apps that are pushed to CF.
#! - you can use the same domain for system and apps if desired
app_domains:
  #@overlay/append
  - apps.cf.example.com
#! The password for the CF "admin" user.
#! - operators can use the admin user to test `cf push`
#! - the sample value is a well-known placeholder; the admin user controls the whole installation, so use a strong, unique password
cf_admin_password: cfadminpassword
#! The blobstore secret key shared between CAPI and the blobstore.
blobstore:
  secret_access_key: the_blobstore_secret_key
#! The admin password for operators to access the database.
cf_db:
  admin_password: the_cf_dbadmin_password
#! Secrets used by CAPI: the UAA client secrets for the CAPI components, plus the password and
#! encryption key for the CAPI database.
#! - NOTE(review): the encryption_key presumably protects data stored in the database, so losing it is not
#!   recoverable by a simple password reset; confirm the backup/rotation procedure with the component docs.
capi:
  cf_api_controllers_client_secret: uaa_cf_api_controllers_client_credentials
  cf_api_backup_metadata_generator_client_secret: uaa_cf_api_backup_metadata_generator_client_credentials
  cc_username_lookup_client_secret: uaa_cloud_controller_lookup_client_credentials
  database:
    password: ccdb_password
    encryption_key: ccdb_encryption_key
#! When true, automatically upgrades incoming HTTP connections to HTTPS
#! - leave this enabled unless plaintext HTTP to the gateway is deliberately required
gateway:
  https_only: true
#! Notes about X.509 certificates:
#! - all of the certs should include the common name in the list of subject alternative names
#! - all of the certs should have KeyUsage that includes server and client authentication
#! - the private keys below are secrets; the ca value is the issuing CA certificate, not the CA's private key
#! certificate, private key, and certificate authority used to identify the CF installation (i.e. the ingress gateway).
#! - should be valid for *.system.cf.example.com
system_certificate:
  crt: ingress_gateway_certificate
  key: ingress_gateway_private_key
  ca: ingress_gateway_certificate_ca
#! certificate, private key, and certificate authority presented by the ingress gateway for traffic to apps on the app domains.
#! - should be valid for *.apps.cf.example.com
#! - may be the system cert, as long as the system cert is valid for the apps domain as well
workloads_certificate:
  crt: workload_certificate
  key: workload_private_key
  ca: workload_certificate_ca
#! certificate, private key, and certificate authority used for the instance index env injector mutating webhook in eirini
#! - should be valid for *.cf-system.svc
#! - NOTE(review): the &crt / &key anchors are defined here but no *crt / *key alias appears in this file;
#!   if nothing else references them they can be dropped — confirm before removing.
instance_index_env_injector_certificate:
  crt: &crt instance_index_env_injector_certificate
  key: &key instance_index_env_injector_private_key
  ca: instance_index_env_injector_ca
#! Secrets and key material for UAA (the identity provider for the installation).
uaa:
  database:
    #! The db password shared between UAA and the database.
    password: uaadb_password
  #! The secret used for the UAA admin client.
  admin_client_secret: uaaadminclientsecret
  #! JWT policy configuration
  #! - the signing key is what makes issued tokens trustworthy; anyone holding it can mint valid tokens, so generate and store it accordingly
  jwt_policy:
    signing_key: jwt_policy_signing_key
  #! Encryption key for encrypting data stored in the database
  encryption_key:
    passphrase: encryption_key_passphrase
  #! Configuration for UAA's SAML provider
  login:
    service_provider:
      key: login_service_provider_key
      certificate: login_service_provider_certificate
  login_secret: uaa_login_secret
#! To push apps from source code, you need to configure the `app_registry` block
#! Example below is for docker hub. For other registry examples, see below.
#! - the registry credentials are secrets like the rest of this file; prefer a scoped, least-privilege
#!   credential (an access token or a service account limited to the target repository) over a personal password
app_registry:
  hostname: https://index.docker.io/v1/
  #! often times the repository_prefix is just your `docker_user`
  repository_prefix: <docker_hub_repository>
  username: <docker_user>
  password: <docker_password>
#! example below is for a Google container registry. Make sure to remove other registry blocks if you intend to use GCR
#! app_registry:
#!   hostname: gcr.io
#!   repository_prefix: <gcr.io/gcp_project_id/cf-workloads>
#!   username: _json_key
#!   password: |
#!     contents_of_service_account_json
#! example below is for an Azure container registry. Make sure to remove other registry blocks if you intend to use ACR
#! app_registry:
#!   hostname: <registry-name>.azurecr.io
#!   repository_prefix: <registry-name>.azurecr.io
#!   username: <username>
#!   password: <password>
#! example below is for an Amazon container registry. Make sure to remove other registry blocks if you intend to use ECR
#! - the token returned by `aws ecr get-login-password` is short-lived, so the password value has to be refreshed before it expires
#! ecr_hostname="$(aws sts get-caller-identity --query 'Account' --output text).dkr.ecr.${region}.amazonaws.com"
#! ecr_token=$(aws ecr get-login-password)
#! app_registry:
#!   hostname: https://${ecr_hostname}
#!   repository_prefix: "${ecr_hostname}/my_env" # ensure ${ecr_hostname}/my_env/cf-default-builder exists
#!   username: AWS
#!   password: ${ecr_token}
#! Feature flags for the installation.
#! - NOTE(review): their exact semantics are not described in this file; the names suggest several of them relax
#!   defaults (dropping resource requirements, exposing metrics, mounting service-account tokens into pods) —
#!   confirm each against the component docs before reusing these sample values in a production cluster.
remove_resource_requirements: true
add_metrics_server_components: true
allow_prometheus_metrics_access: true
use_external_dns_for_wildcard: true
enable_automount_service_account_token: true
metrics_server_prefer_internal_kubelet_address: true
use_first_party_jwt_tokens: true
#! When enable is false, no external load balancer resource is created by this values file (see use_external_dns_for_wildcard above).
load_balancer:
  enable: false