Update supervisor values.yaml to a schema doc. Make @nullable work
- see build.sh for documented script to run to generate: ytt --file supervisor/config/values.yaml --data-values-schema-inspect --output openapi-v3 > supervisor/schema-openapi.yml
This commit is contained in:
Benjamin A. Petersen
parent
520c6b643d
commit
1191e7470c
@ -1,16 +1,17 @@
|
|||||||
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
|
||||||
#! SPDX-License-Identifier: Apache-2.0
|
#! SPDX-License-Identifier: Apache-2.0
|
||||||
|
|
||||||
#@data/values
|
#@data/values-schema
|
||||||
---
|
---
|
||||||
|
#@schema/desc "Namespace of pinniped-supervisor"
|
||||||
app_name: pinniped-supervisor
|
app_name: pinniped-supervisor
|
||||||
|
#@schema/desc "Creates a new namespace statically in yaml with the given name and installs the app into that namespace."
|
||||||
#! Creates a new namespace statically in yaml with the given name and installs the app into that namespace.
|
|
||||||
namespace: pinniped-supervisor
|
namespace: pinniped-supervisor
|
||||||
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
#! If specified, assumes that a namespace of the given name already exists and installs the app into that namespace.
|
||||||
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
#! If both `namespace` and `into_namespace` are specified, then only `into_namespace` is used.
|
||||||
into_namespace: #! e.g. my-preexisting-namespace
|
#@schema/desc "Overrides namespace. This is actually confusingly worded."
|
||||||
|
#@schema/nullable
|
||||||
|
into_namespace: my-preexisting-namespace
|
||||||
|
|
||||||
#! All resources created statically by yaml at install-time and all resources created dynamically
|
#! All resources created statically by yaml at install-time and all resources created dynamically
|
||||||
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
#! by controllers at runtime will be labelled with `app: $app_name` and also with the labels
|
||||||
@ -26,14 +27,16 @@ replicas: 2
|
|||||||
|
|
||||||
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
#! Specify either an image_digest or an image_tag. If both are given, only image_digest will be used.
|
||||||
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
image_repo: projects.registry.vmware.com/pinniped/pinniped-server
|
||||||
image_digest: #! e.g. sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
#@schema/nullable
|
||||||
|
image_digest: sha256:f3c4fdfd3ef865d4b97a1fd295d94acc3f0c654c46b6f27ffad5cf80216903c8
|
||||||
image_tag: latest
|
image_tag: latest
|
||||||
|
|
||||||
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
#! Specifies a secret to be used when pulling the above `image_repo` container image.
|
||||||
#! Can be used when the above image_repo is a private registry.
|
#! Can be used when the above image_repo is a private registry.
|
||||||
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
#! Typically the value would be the output of: kubectl create secret docker-registry x --docker-server=https://example.io --docker-username="USERNAME" --docker-password="PASSWORD" --dry-run=client -o json | jq -r '.data[".dockerconfigjson"]'
|
||||||
#! Optional.
|
#! Optional.
|
||||||
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
#@schema/nullable
|
||||||
|
image_pull_dockerconfigjson: {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
|
||||||
|
|
||||||
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
#! Specify how to expose the Supervisor app's HTTPS port as a Service.
|
||||||
#! Typically, you would set a value for only one of the following service types.
|
#! Typically, you would set a value for only one of the following service types.
|
||||||
@ -41,26 +44,37 @@ image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"
|
|||||||
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
#! Note that all port numbers should be numbers (not strings), i.e. use ytt's `--data-value-yaml` instead of `--data-value`.
|
||||||
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
#! Several of these values have been deprecated and will be removed in a future release. Their names have been changed to
|
||||||
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
#! mark them as deprecated and to make it obvious upon upgrade to anyone who was using them that they have been deprecated.
|
||||||
deprecated_service_http_nodeport_port: #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
|
#@schema/nullable
|
||||||
deprecated_service_http_nodeport_nodeport: #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
|
deprecated_service_http_nodeport_port: 31234 #! will be removed in a future release; when specified, creates a NodePort Service with this `port` value, with port 8080 as its `targetPort`; e.g. 31234
|
||||||
deprecated_service_http_loadbalancer_port: #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
#@schema/nullable
|
||||||
deprecated_service_http_clusterip_port: #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
deprecated_service_http_nodeport_nodeport: 31234 #! will be removed in a future release; the `nodePort` value of the NodePort Service, optional when `deprecated_service_http_nodeport_port` is specified; e.g. 31234
|
||||||
service_https_nodeport_port: #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
|
#@schema/nullable
|
||||||
service_https_nodeport_nodeport: #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
|
deprecated_service_http_loadbalancer_port: 8443 #! will be removed in a future release; when specified, creates a LoadBalancer Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
||||||
service_https_loadbalancer_port: #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
#@schema/nullable
|
||||||
service_https_clusterip_port: #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
deprecated_service_http_clusterip_port: 8443 #! will be removed in a future release; when specified, creates a ClusterIP Service with this `port` value, with port 8080 as its `targetPort`; e.g. 8443
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_port: 31243 #! when specified, creates a NodePort Service with this `port` value, with port 8443 as its `targetPort`; e.g. 31243
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_nodeport_nodeport: 31243 #! the `nodePort` value of the NodePort Service, optional when `service_https_nodeport_port` is specified; e.g. 31243
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_loadbalancer_port: 8443 #! when specified, creates a LoadBalancer Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
||||||
|
#@schema/nullable
|
||||||
|
service_https_clusterip_port: 8443 #! when specified, creates a ClusterIP Service with this `port` value, with port 8443 as its `targetPort`; e.g. 8443
|
||||||
#! The `loadBalancerIP` value of the LoadBalancer Service.
|
#! The `loadBalancerIP` value of the LoadBalancer Service.
|
||||||
#! Ignored unless service_https_loadbalancer_port is provided.
|
#! Ignored unless service_https_loadbalancer_port is provided.
|
||||||
#! Optional.
|
#! Optional.
|
||||||
service_loadbalancer_ip: #! e.g. 1.2.3.4
|
#@schema/nullable
|
||||||
|
service_loadbalancer_ip: 1.2.3.4 #! e.g. 1.2.3.4
|
||||||
|
|
||||||
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
#! Specify the verbosity of logging: info ("nice to know" information), debug (developer information), trace (timing information),
|
||||||
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
#! or all (kitchen sink). Do not use trace or all on production systems, as credentials may get logged.
|
||||||
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
#@schema/nullable
|
||||||
|
log_level: info #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
|
||||||
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
#! Specify the format of logging: json (for machine parsable logs) and text (for legacy klog formatted logs).
|
||||||
#! By default, when this value is left unset, logs are formatted in json.
|
#! By default, when this value is left unset, logs are formatted in json.
|
||||||
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
#! This configuration is deprecated and will be removed in a future release at which point logs will always be formatted as json.
|
||||||
deprecated_log_format:
|
#@schema/nullable
|
||||||
|
deprecated_log_format: json
|
||||||
|
|
||||||
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
|
||||||
@ -76,7 +90,8 @@ api_group_suffix: pinniped.dev
|
|||||||
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
|
#! e.g. when the Supervisor fetches discovery documents, JWKS keys, and tokens from an upstream OIDC Provider.
|
||||||
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
#! The Supervisor never makes insecure HTTP calls, so there is no reason to set HTTP_PROXY.
|
||||||
#! Optional.
|
#! Optional.
|
||||||
https_proxy: #! e.g. http://proxy.example.com
|
#@schema/nullable
|
||||||
|
https_proxy: http://proxy.example.com #! e.g. http://proxy.example.com
|
||||||
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.cluster.local" #! do not proxy Kubernetes endpoints
|
||||||
|
|
||||||
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
#! Control the HTTP and HTTPS listeners of the Supervisor.
|
||||||
@ -119,7 +134,11 @@ no_proxy: "$(KUBERNETES_SERVICE_HOST),169.254.169.254,127.0.0.1,localhost,.svc,.
|
|||||||
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
#! manifests. Changes to the HTTPS listener must be coordinated with the deployment health checks.
|
||||||
#!
|
#!
|
||||||
#! Optional.
|
#! Optional.
|
||||||
|
#@schema/nullable
|
||||||
endpoints:
|
endpoints:
|
||||||
|
https:
|
||||||
|
network: tcp | unix | disabled
|
||||||
|
address: host:port when network=tcp or /pinniped_socket/socketfile.sock when network=unix
|
||||||
|
|
||||||
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
|
#! Optionally override the validation on the endpoints.http value which checks that only loopback interfaces are used.
|
||||||
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
|
#! When deprecated_insecure_accept_external_unencrypted_http_requests is true, the HTTP listener is allowed to bind to any
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user