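# Default values for buzzfeed-sso.
#
# The angle-bracket strings below are placeholders and must be overridden at
# install time.
# NOTE(review): presumably these two settings decide which identities may sign
# in and which domain the SSO cookie covers - confirm against the chart
# templates, and keep both as narrow as the deployment allows.
emailDomain: "<your_email_domain>"  # Required. e.g "email.mydomain.foo"
rootDomain: "<your_root_domain>"  # Required. e.g "mydomain.foo"
# The addresses in the example below are constructed placeholders.
# whitelistedEmails: "<whitelisted_addresses>"  # Optional. e.g. "user1@mydomain.foo,user2@mydomain.foo"
cluster: dev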
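# sso-auth component.
auth:
  enabled: true
  annotations: {}
  domain: "<your_auth_domain>"  # Required. e.g "sso-auth.mydomain.foo"
  extraEnv: []
  replicaCount: 1
  resources:
    limits:
      memory: "256Mi"
      cpu: "200m"
  nodeSelector: {}
  tolerations: []
  affinity: {}
  service:
    type: ClusterIP
    port: 80
  # Generate these secrets with the command:
  # 'openssl rand -base64 32 | head -c 32 | base64'
  # (the command keeps the first 32 characters of the base64 text of 32 random
  # bytes and base64-encodes that string again).
  # Generate a separate value for every field; do not reuse one value for
  # codeSecret and cookieSecret, or between auth and proxy.
  # Anything set under "secret" is recorded with the Helm release values, so
  # keep real values out of any values file that is committed to version
  # control, or use customSecret to reference a Secret created out of band.
  secret: {}  # Required (if customSecret is not set)
  #   codeSecret: ''
  #   cookieSecret: ''
  # # Or if you do not want to create the secret via helm
  # customSecret: my-sso-auth-secret
  # Include Auth application in ingress, useful if the auth component is
  # exposed independently.
  ingressEnabled: true
  # Auth application ingress path.
  # For GKE and AWS ALB ingresses use "/*"
  # For Nginx ingress use "/"
  ingressPath: /
  # Empty by default, i.e. no TLS secret is referenced for the auth host.
  # The OAuth callback and the session cookie pass through this host, so set
  # secretName unless TLS is terminated in front of the ingress.
  tls: {}
  #   secretName: sso-auth-tls-secret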
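# sso-proxy component.
proxy:
  enabled: true
  annotations: {}
  extraEnv:
    - name: STATSD_HOST
      value: localhost
    - name: STATSD_PORT
      value: "11111"
  # providerUrlInternal: https://sso-auth.mydomain.com
  replicaCount: 1
  resources:
    limits:
      memory: "256Mi"
      cpu: "200m"
  nodeSelector: {}
  tolerations: []
  affinity: {}
  service:
    type: ClusterIP
    port: 80
  # Generate these secrets with the command:
  # 'openssl rand -base64 32 | head -c 32 | base64'
  # Generate a separate value for every field and do not share values with
  # the auth component.
  # Anything set under "secret" is recorded with the Helm release values, so
  # keep real values out of any values file that is committed to version
  # control, or use customSecret to reference a Secret created out of band.
  secret: {}  # Required (if customSecret is not set)
  #   clientId: ''
  #   clientSecret: ''
  #   cookieSecret: ''
  # # Or if you do not want to create the secret via helm
  # customSecret: my-sso-proxy-secret
  # If you are using allowed_groups in upstreams,
  # DEFAULT_ALLOWED_EMAIL_DOMAINS needs to be an empty string; this is
  # explained in this PR:
  # https://github.com/buzzfeed/sso/pull/280#issuecomment-584088825
  # To get an empty value, set the string below to -, as per this issue:
  # https://github.com/helm/helm/issues/2600#issuecomment-310108850
  # Otherwise populate it with your default allowed email domains.
  # NOTE(review): with this left empty, an upstream that also sets no
  # allowed_groups has neither restriction configured here - confirm the
  # proxy's effective access policy for such an upstream before exposing it.
  defaultAllowedEmailDomains: ""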
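# Identity provider configuration.
provider:
  google: {}  # Required.
  # The values in the examples below are placeholders, not working
  # credentials. clientSecret and serviceAccount (a service-account key in
  # JSON) are long-lived credentials: if they are passed through Helm values
  # they are recorded with the release, so prefer the customSecret form and
  # create that Secret out of band.
  # google:
  #   adminEmail: admin@mydomain.foo
  #   slug: oauth2
  #   secret:
  #     clientId: foo123123-fake123123.apps.googleusercontent.com
  #     clientSecret: googleOauthClientSecret
  #     serviceAccount: 'service account content in JSON format'
  # # Or if you do not want to create the secret via helm
  # google:
  #   adminEmail: admin@mydomain.foo
  #   customSecret: my-sso-google-secret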
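# Container image.
# The tag is a mutable reference, and with pullPolicy IfNotPresent a node that
# already holds an image under this tag will not pull it again.
# NOTE(review): if the chart templates accept a digest reference, pinning by
# digest gives a reproducible image - confirm before relying on it.
image:
  repository: buzzfeed/sso
  tag: v2.1.0
  pullPolicy: IfNotPresent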
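# Ingress for the protected backends.
ingress:
  enabled: true
  annotations: {}
  #   kubernetes.io/ingress.class: nginx
  #   certmanager.k8s.io/cluster-issuer: my-letsencrypt-issuer
  #   ingress.kubernetes.io/ssl-redirect: "true"
  extraLabels: {}
  hosts: []
  #   - domain: mybackend.mydomain.foo
  #     # The "path" field is deprecated and will be removed in the
  #     # next major release. Use "paths" instead.
  #     path: /
  #     paths:
  #       - /endpoint1
  #       - /endpoint2
  # Empty by default, i.e. no TLS secret is referenced for any host.
  # Session cookies for every protected backend pass through these hosts, so
  # list each one here (and enable the redirect annotation above) unless TLS
  # is terminated in front of the ingress.
  tls: []
  #   - secretName: mybackend-mydomain-tls
  #     hosts:
  #       - mybackend.mydomain.foo
  # GCP backend service configuration
  # Possible values can be found here:
  # https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
  gcpBackendConfig: {}
  #   timeoutSec: 60
  #   connectionDraining:
  #     drainingTimeoutSec: 60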
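# Backends placed behind sso-proxy.
# See https://github.com/buzzfeed/sso/blob/f437f237ac977201f15868601c9bc0e9dff11f40/docs/sso_config.md#proxy-config
#
# Review points for each entry:
# - Paths matched by skip_auth_regex are not authenticated by the proxy. Keep
#   every pattern anchored with ^ and $ as in the example, keep it as narrow
#   as possible, and make sure the backend authenticates those requests
#   itself (for a webhook endpoint, by verifying the sender's signature).
# - allowed_groups is left without a value in the example; fill it in for any
#   backend that should not be open to every user who can sign in.
# - "to" in the example is plain http inside the cluster, so the proxy to
#   backend hop is unencrypted unless the network layer provides it.
upstreams: []
#   - service: mybackend
#     default:
#       from: mybackend.mydomain.foo
#       to: http://mybackend.mynamespace.svc.cluster.local:9091
#       options:
#         allowed_groups:
#         skip_auth_regex:
#           - ^\/github-webhook\/$
#         header_overrides:
#           X-Frame-Options: DENY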