diff --git a/getting-started/templates/GCP/gcp-supplemental-values.yaml b/getting-started/templates/GCP/gcp-supplemental-values.yaml new file mode 100644 index 00000000..e7633425 --- /dev/null +++ b/getting-started/templates/GCP/gcp-supplemental-values.yaml @@ -0,0 +1,373 @@ +global: + ingress: + api: + annotations: + kubernetes.io/ingress.class: # - Enter the ingress class used + ui: + annotations: + kubernetes.io/ingress.class: # - Enter the ingress class used + +testmonitorservice: + ## Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy: # - Enter the latest version of the Cloud SQL Auth Proxy image + volumeMounts: + ## This volume mount is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted + readOnly: true + ## This volume mount is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is available + mountPath: /secrets/ + readOnly: true + env: + ## This env variable is required for the proxy to authenticate with Cloud SQL when using Workload Identity Federation. + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/ # - Enter the config json file name which was used as the key while creating the secret + args: + ## If connecting from a VPC-native GKE cluster, you can use the + ## following flag to have the proxy connect over private IP + - "--private-ip" + + ## If you are not connecting with Automatic IAM, you can delete the following flag. + - "--auto-iam-authn" + + ## Enable structured logging with LogEntry format: + - "--structured-logs" + + ## Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal + - "--exit-zero-on-sigterm" + + - "--port=5432" + - "" # - Enter the connection name from the Cloud SQL instance + + ## The credentials file is required for the proxy to authenticate using a service account key file. + ## Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the service account key file name which was used as the key while creating the secret + securityContext: + ## The default Cloud SQL Auth Proxy image runs as the + ## "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + restartPolicy: Always + ## You should use resource requests/limits as a best practice to prevent + ## pods from consuming too many resources and affecting the execution of + ## other pods. You should adjust the following values based on what your + ## application needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + ## The proxy's memory use scales linearly with the number of active + ## connections. Fewer open connections will use less memory. Adjust + ## this value based on your application's requirements. + memory: "1Gi" + ## The proxy's CPU use scales linearly with the amount of IO between + ## the database and the application. Adjust this value based on your + ## application's requirements. + cpu: "1" + + ## Extra volumes that can be used in sidecars + extraVolumes: + ## This volume is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name + projected: + sources: + - serviceAccountToken: + audience: # - Enter the audience name for the projected service account token + expirationSeconds: 3600 + path: token + ## This volume is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is to be mounted + secret: + secretName: # - Enter the secret name where config.json is added. + + connectionInfo: + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. + ## + host: "localhost" + ## @param database.connectionInfo.port PostgreSQL port + ## + port: "5432" + ## @param database.connectionInfo.dbName PostgreSQL database name + ## + dbName: # - Enter the PostgreSQL database name for testmonitor service + ## @param database.connectionInfo.user PostgreSQL username used by the service + ## + user: # - Enter the PostgreSQL username for the testmonitor service + ## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials + ## + secretName: "testmonitorservicedb-connection" + ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # passwordKey: "passkey" + ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret + ## If unset database.connectionInfo.passwordKey is used instead. + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # migrationPasswordKey: null + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set, a name is generated based on the service name + ## + name: "" + +dashboardhost: + grafana: + ## Configuring Cloud SQL auth proxy extra container to authenticate to Cloud SQL Postgres database + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern + ## A reverse proxy server should be added to the extraContainers for grafana to authenticate users. + extraContainers: | + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy: # - Enter the latest version of the Cloud SQL Auth Proxy image + volumeMounts: + ## This volume mount is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted + readOnly: true + ## This volume mount is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is available + mountPath: /secrets/ + readOnly: true + env: + ## This env variable is required for the proxy to authenticate with Cloud SQL when using Workload Identity Federation. + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/ # - Enter the config json file name which was used as the key while creating the secret + args: + ## If connecting from a VPC-native GKE cluster, you can use the + ## following flag to have the proxy connect over private IP + - "--private-ip" + + ## If you are not connecting with Automatic IAM, you can delete the following flag. + - "--auto-iam-authn" + + ## Enable structured logging with LogEntry format: + - "--structured-logs" + + ## Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal + - "--exit-zero-on-sigterm" + + - "--port=5432" + - "" # - Enter the connection name from the Cloud SQL instance + + ## The credentials file is required for the proxy to authenticate using a service account key file. + ## Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the service account key file name which was used as the key while creating the secret + securityContext: + ## The default Cloud SQL Auth Proxy image runs as the + ## "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + ## You should use resource requests/limits as a best practice to prevent + ## pods from consuming too many resources and affecting the execution of + ## other pods. You should adjust the following values based on what your + ## application needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + ## The proxy's memory use scales linearly with the number of active + ## connections. Fewer open connections will use less memory. Adjust + ## this value based on your application's requirements. + memory: "1Gi" + ## The proxy's CPU use scales linearly with the amount of IO between + ## the database and the application. Adjust this value based on your + ## application's requirements. + cpu: "1" + + ## Extra volumes that can be used in extrContainers + extraContainerVolumes: + ## This volume is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name + projected: + sources: + - serviceAccountToken: + audience: # - Enter the audience name for the projected service account token + expirationSeconds: 3600 + path: token + ## This volume is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is to be mounted + secret: + secretName: # - Enter the secret name where config.json is added. + + grafana.ini: + ## Database configuration. See here for more documentation: https://grafana.com/docs/grafana/latest/administration/configuration/#database + # - This configures a connection to an external PostgresSQL. Remove this section if not using an external database. + ## + database: + ## Either mysql, postgres or sqlite3. + ## + type: "postgres" + ## The database user (not applicable for sqlite3). + ## + user: $__file{/etc/secrets/dashboardhost/user} + ## The database user’s password (not applicable for sqlite3). If the password contains # or ; you have to wrap it with triple quotes. For example """#password;""". + ## + password: $__file{/etc/secrets/dashboardhost/password} + ## Only applicable to MySQL or Postgres. Includes IP or host name and port or in case of Unix sockets the path to it. + ## For example, for MySQL running on the same host as Grafana: host = 127.0.0.1:3306 or with Unix sockets: host = /var/run/mysqld/mysqld.sock. + ## + host: "localhost:5432" + ## The name of the Grafana database. Leave it set to grafana (default) or some other name. + ## - You must create the database manually before deploying. If you are using the default database + ## name, you must create a database named "grafana". The database user, if not a superuser, will require USAGE + ## and CREATE privileges on the "public" schema and SELECT, INSERT, UPDATE, and DELETE privileges on all tables + ## in the "public" schema. + # name: "database-name" + ## Use either URL or the other fields above to configure the database. + ## url: postgres://dashboardhost:abc123@dashboardhostpostgrescluster-primary.systemlink-nic2.svc:5432/grafana + ## For PostgresSQL, use either disable, require or verify-full. For MySQL, use either true, false, or skip-verify. + ## + ssl_mode: "require" + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set, a name is generated based on the service name + ## + name: "" + +dynamicformfields: + ## Configuring Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database + ## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern + sidecars: + - name: cloud-sql-auth-proxy + image: gcr.io/cloud-sql-connectors/cloud-sql-proxy: # - Enter the latest version of the Cloud SQL Auth Proxy image + volumeMounts: + ## This volume mount is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name where the token is available + mountPath: # - Enter the path where the token should be mounted + readOnly: true + ## This volume mount is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is available + mountPath: /secrets/ + readOnly: true + env: + ## This env variable is required for the proxy to authenticate with Cloud SQL when using Workload Identity Federation. + - name: "GOOGLE_APPLICATION_CREDENTIALS" + value: /secrets/ # - Enter the config json file name which was used as the key while creating the secret + args: + ## If connecting from a VPC-native GKE cluster, you can use the + ## following flag to have the proxy connect over private IP + - "--private-ip" + + ## If you are not connecting with Automatic IAM, you can delete the following flag. + - "--auto-iam-authn" + + ## Enable structured logging with LogEntry format: + - "--structured-logs" + + ## Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal + - "--exit-zero-on-sigterm" + + - "--port=5432" + - "" # - Enter the connection name from the Cloud SQL instance + + ## The credentials file is required for the proxy to authenticate using a service account key file. + ## Not required if Workload Identity federation is used for authentication. + - "--credentials-file=/secrets/" # - Enter the service account key file name which was used as the key while creating the secret + securityContext: + ## The default Cloud SQL Auth Proxy image runs as the + ## "nonroot" user and group (uid: 65532) by default. + runAsNonRoot: true + restartPolicy: Always + ## You should use resource requests/limits as a best practice to prevent + ## pods from consuming too many resources and affecting the execution of + ## other pods. You should adjust the following values based on what your + ## application needs. For details, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: + requests: + ## The proxy's memory use scales linearly with the number of active + ## connections. Fewer open connections will use less memory. Adjust + ## this value based on your application's requirements. + memory: "1Gi" + ## The proxy's CPU use scales linearly with the amount of IO between + ## the database and the application. Adjust this value based on your + ## application's requirements. + cpu: "1" + + ## Extra volumes that can be used in sidecars + extraVolumes: + ## This volume is required for the proxy to authenticate with Cloud SQL using Workload Identity Federation by providing a short-lived token for authentication. + - name: # - Enter the volume name + projected: + sources: + - serviceAccountToken: + audience: # - Enter the audience name for the projected service account token + expirationSeconds: 3600 + path: token + ## This volume is required for the proxy to set up Cloud SQL authentication, using either a service account key file or a Workload Identity Federation config file. + - name: # - Enter the volume name where config.json is to be mounted + secret: + secretName: # - Enter the secret name where config.json is added. + + connectionInfo: + ## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost. + ## + host: "localhost" + ## @param database.connectionInfo.port PostgreSQL port + ## + port: "5432" + ## @param database.connectionInfo.dbName PostgreSQL database name + ## + dbName: # - Enter the PostgreSQL database name for testmonitor service + ## @param database.connectionInfo.user PostgreSQL username used by the service + ## + user: # - Enter the PostgreSQL username for the testmonitor service + ## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials + ## + secretName: "dynamicformfields-db-connection" + ## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # passwordKey: "passkey" + ## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret + ## If unset database.connectionInfo.passwordKey is used instead. + ## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set. + ## + # migrationPasswordKey: null + + serviceAccount: + ## @param serviceAccount.annotations Annotations to add to the service account + ## + annotations: + { + iam.gke.io/gcp-service-account=@.iam.gserviceaccount.com, # - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project Id + } + ## @param serviceAccount.name The name of the service account to use. + ## If not set, a name is generated based on the service name + ## + name: "" + +fileingestion: + s3: + port: 443 + bucket: # - Enter the name of the GCS bucket for fileingestion service + scheme: "https://" + host: "storage.googleapis.com" + region: # - Enter the region where the GCS bucket is located + +feedservice: + s3: + port: 443 + bucket: # - Enter the name of the GCS bucket for feedservice service + scheme: "https://" + host: "storage.googleapis.com" + region: # - Enter the region where the GCS bucket is located + +nbexecservice: + s3: + port: 443 + bucket: # - Enter the name of the GCS bucket for nbexecservice service + scheme: "https://" + host: "storage.googleapis.com" + region: # - Enter the region where the GCS bucket is located