djpbessems
/
ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ContainerImage.Pinniped/deploy/supervisor/values.yaml

130 lines
8.8 KiB
YAML
Raw Normal View History

HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-06 00:28:19 +00:00
#! SPDX-License-Identifier: Apache-2.0
#@data/values
---
app_name: pinniped-supervisor
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-06 00:28:19 +00:00
namespace: pinniped-supervisor
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
into_namespace: #! e.g. my-preexisting-namespace
#! All resources created statically by yaml at install-time and all resources created dynamically
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
Concierge controllers add labels to all created resources
2020-10-15 17:14:23 +00:00
#! specified here. The value of `custom_labels` must be a map of string keys to string values.
#! The app can be uninstalled either by:
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
#! 1. Deleting the static install-time yaml resources including the static namespace, which will cascade and also delete
#! resources that were dynamically created by controllers at runtime
#! 2. Or, deleting all resources by label, which does not assume that there was a static install-time yaml namespace.
custom_labels: {} #! e.g. {myCustomLabelName: myCustomLabelValue, otherCustomLabelName: otherCustomLabelValue}
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-06 00:28:19 +00:00
#! Specify how many replicas of the Pinniped server to run.
replicas: 2
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
Move our main image references to the VMware Harbor registry. Signed-off-by: Matt Moyer <moyerm@vmware.com>
2020-12-17 23:41:13 +00:00
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-06 00:28:19 +00:00
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
image_tag: latest
Support installing concierge and supervisor into existing namespace - New optional ytt value called `into_namespace` means install into that preexisting namespace rather than creating a new namespace for each app - Also ensure that every resource that is created statically by our yaml at install-time by either app is labeled consistently - Also support adding custom labels to all of those resources from a new ytt value called `custom_labels`
2020-10-14 22:05:42 +00:00
#! Specifies a secret to be used when pulling the above `image_repo` container image.
Implement very rough skeleton of the start of a supervisor server - This is just stab at a starting place because it felt easier to put something down on paper than to keep staring at a blank page
2020-10-06 00:28:19 +00:00
#! Can be used when the above image_repo is a private registry.
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
#! Optional.
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
Allow creation of different Service types in Supervisor ytt templates - Tiltfile and prepare-for-integration-tests.sh both specify the NodePort Service using `--data-value-yaml 'service_nodeport_port=31234'` - Also rename the namespaces used by the Concierge and Supervisor apps during integration tests running locally
2020-10-09 23:00:11 +00:00
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
#! Typically, you would set a value for only one of the following service types.
#! Setting any of these values means that a Service of that type will be created. They are all optional.
Allow ytt templating of the `loadBalancerIP` for the supervisor
2020-10-28 23:45:23 +00:00
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
Run as non-root I tried to follow a principle of encapsulation here - we can still default to peeps making connections to 80/443 on a Service object, but internally we will use 8080/8443. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:57:05 +00:00
service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
Run as non-root I tried to follow a principle of encapsulation here - we can still default to peeps making connections to 80/443 on a Service object, but internally we will use 8080/8443. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-02 16:57:05 +00:00
service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
Allow ytt templating of the `loadBalancerIP` for the supervisor
2020-10-28 23:45:23 +00:00
#! The `loadBalancerIP` value of the LoadBalancer Service.
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! Ignored unless service_https_loadbalancer_port is provided.
Allow ytt templating of the `loadBalancerIP` for the supervisor
2020-10-28 23:45:23 +00:00
#! Optional.
service_loadbalancer_ip: #! e.g. 1.2.3.4
Add YTT template value for setting log level This is helpful for us, amongst other users, because we want to enable "debug" logging whenever we deploy components for testing. See a5643e3 for addition of log level. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 12:49:46 +00:00
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
Add YTT template value for setting log level This is helpful for us, amongst other users, because we want to enable "debug" logging whenever we deploy components for testing. See a5643e3 for addition of log level. Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2020-11-11 12:49:46 +00:00
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
Run Tilt images as root for faster reload Previously, when triggering a Tilt reload via a *.go file change, a reload would take ~13 seconds and we would see this error message in the Tilt logs for each component. Live Update failed with unexpected error: command terminated with exit code 2 Falling back to a full image build + deploy Now, Tilt should reload images a lot faster (~3 seconds) since we are running the images as root. Note! Reloading the Concierge component still takes ~13 seconds because there are 2 containers running in the Concierge namespace that use the Concierge image: the main Concierge app and the kube cert agent pod. Tilt can't live reload both of these at once, so the reload takes longer and we see this error message. Will not perform Live Update because: Error retrieving container info: can only get container info for a single pod; image target image:image/concierge has 2 pods Falling back to a full image build + deploy Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-13 14:47:39 +00:00
Use 65532 instead of 1001 as non-root user Signed-off-by: Monis Khan <mok@vmware.com>
2021-10-25 20:21:54 +00:00
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
deploy: wire API group suffix through YTT templates I didn't advertise this feature in the deploy README's since (hopefully) not many people will want to use it? Signed-off-by: Andrew Keesler <akeesler@vmware.com>
2021-01-19 22:23:06 +00:00
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,
#! authentication.concierge.pinniped.dev, etc. As an example, if this is set to tuna.io, then
#! Pinniped API groups will look like foo.tuna.io. authentication.concierge.tuna.io, etc.
api_group_suffix: pinniped.dev
Add `https_proxy` and `no_proxy` settings for the Supervisor - Add new optional ytt params for the Supervisor deployment. - When the Supervisor is making calls to an upstream OIDC provider, use these variables if they were provided. - These settings are integration tested in the main CI pipeline by sometimes setting them on deployments in certain cases, and then letting the existing integration tests (e.g. TestE2EFullIntegration) provide the coverage, so there are no explicit changes to the integration tests themselves in this commit.
2021-07-07 19:50:13 +00:00
#! Set the standard golang HTTPS_PROXY and NO_PROXY environment variables on the Supervisor containers.
#! These will be used when the Supervisor makes backend-to-backend calls to upstream identity providers using HTTPS,
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
#! Optional.
https_proxy: #! e.g. http://proxy.example.com
Provide good defaults for NO_PROXY This change updates the default NO_PROXY for the supervisor to not proxy requests to the Kubernetes API and other Kubernetes endpoints such as Kubernetes services. It also adds https_proxy and no_proxy settings for the concierge with the same default. Signed-off-by: Monis Khan <mok@vmware.com>
2021-08-17 13:44:40 +00:00
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! Control the HTTP and HTTPS listeners of the Supervisor.
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
#! The schema of this config is as follows:
#!
#! endpoints:
#! https:
#! network: tcp | unix | disabled
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#! http:
#! network: same as above
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! address: same as above, except that when network=tcp then the address is only allowed to bind to loopback interfaces
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
#! Setting network to disabled turns off that particular listener.
#! See https://pkg.go.dev/net#Listen and https://pkg.go.dev/net#Dial for a description of what can be
#! specified in the address parameter based on the given network parameter. To aid in the use of unix
#! domain sockets, a writable empty dir volume is mounted at /pinniped_socket when network is set to "unix."
#!
#! The current defaults are:
#!
#! endpoints:
#! https:
#! network: tcp
#! address: :8443
#! http:
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! network: disabled
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! These defaults mean: For HTTPS listening, bind to all interfaces using TCP on port 8443.
#! Disable HTTP listening by default.
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! The HTTP listener can only be bound to loopback interfaces. This allows the listener to accept
#! traffic from within the pod, e.g. from a service mesh sidecar. The HTTP listener should not be
#! used to accept traffic from outside the pod, since that would mean that the network traffic could be
#! transmitted unencrypted. The HTTPS listener should be used instead to accept traffic from outside the pod.
#! Ingresses and load balancers that terminate TLS connections should re-encrypt the data and route traffic
#! to the HTTPS listener. Unix domain sockets may also be used for integrations with service meshes.
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
HTTP listener: default disabled and may only bind to loopback interfaces
2022-03-24 22:46:10 +00:00
#! Changing the HTTPS port number must be accompanied by matching changes to the service and deployment
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
Allow configuration of supervisor endpoints This change allows configuration of the http and https listeners used by the supervisor. TCP (IPv4 and IPv6 with any interface and port) and Unix domain socket based listeners are supported. Listeners may also be disabled. Binding the http listener to TCP addresses other than 127.0.0.1 or ::1 is deprecated. The deployment now uses https health checks. The supervisor is always able to complete a TLS connection with the use of a bootstrap certificate that is signed by an in-memory certificate authority. To support sidecar containers used by service meshes, Unix domain socket based listeners include ACLs that allow writes to the socket file from any runAsUser specified in the pod's containers. Signed-off-by: Monis Khan <mok@vmware.com>
2021-12-15 20:48:55 +00:00
#!
#! Optional.
endpoints:
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
#! interface, including interfaces that are listening for traffic from outside the pod. This value is being introduced
#! to ease the transition to the new loopback interface validation for the HTTP port for any users who need more time
#! to change their ingress strategy to avoid using plain HTTP into the Supervisor pods.
Change to camel-case for insecureAcceptExternalUnencryptedHttpRequests - Use camel-case in the static configmap - Parse the value into a boolean in the go struct instead of a string - Add test for when unsupported value is used in the configmap - Run the config_test.go tests in parallel - Update some paragraphs in configure-supervisor.md for clarity
2022-03-31 23:23:45 +00:00
#! This value is immediately deprecated upon its introduction. It will be removed in some future release, at which time
Provide a way to override the new HTTP loopback-only validation Add new deprecated_insecure_accept_external_unencrypted_http_requests value in values.yaml. Allow it to be a boolean or a string to make it easier to use (both --data-value and --data-value-yaml will work). Also: - Consider "ip6-localhost" and "ip6-loopback" to be loopback addresses for the validation - Remove unused env.SupervisorHTTPAddress var - Deprecate the `service_http_*` values in values.yaml by renaming them and causing a ytt render error when the old names are used
2022-03-29 00:03:23 +00:00
#! traffic from outside the pod will need to be sent to the HTTPS listener instead, with no simple workaround available.
#! Allowed values are true (boolean), "true" (string), false (boolean), and "false" (string). The default is false.
#! Optional.
deprecated_insecure_accept_external_unencrypted_http_requests: false