Added GCP supplemental values file #237

Open
wants to merge 15 commits into
base: main
381 changes: 381 additions & 0 deletions getting-started/templates/GCP/gcp-supplemental-values.yaml
@@ -0,0 +1,381 @@
global:
ingress:
api:
annotations:
kubernetes.io/ingress.class: <user-defined-ingress-class> # <ATTENTION> - Enter the ingress class used
ui:
annotations:
kubernetes.io/ingress.class: <user-defined-ingress-class> # <ATTENTION> - Enter the ingress class used

testmonitorservice:
## Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database
## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
sidecars:
- name: cloud-sql-auth-proxy
image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
volumeMounts:
# This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is mounted
mountPath: <token-mount-path> # <ATTENTION> - Enter the path where the token is mounted
readOnly: true
# This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is mounted
mountPath: /secrets/
readOnly: true
env:
# This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: "GOOGLE_APPLICATION_CREDENTIALS"
value: /secrets/<secret-key> # <ATTENTION> - - Enter the key which was used while creating the secret
args:
# If connecting from a VPC-native GKE cluster, you can use the
# following flag to have the proxy connect over private IP
- "--private-ip"

# If you are not connecting with Automatic IAM, you can delete the following flag.
- "--auto-iam-authn"

# Enable structured logging with LogEntry format:
- "--structured-logs"

# Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
- "--exit-zero-on-sigterm"

- "--port=5432"
- "<connection-name>" # <ATTENTION> - Enter the connection name from the CloudSQL instance

# The credentials file is required for the proxy to authenticate using a service account key file.
- "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the key which was used while creating the secret
securityContext:
# The default Cloud SQL Auth Proxy image runs as the
# "nonroot" user and group (uid: 65532) by default.
runAsNonRoot: true
restartPolicy: Always
# You should use resource requests/limits as a best practice to prevent
# pods from consuming too many resources and affecting the execution of
# other pods. You should adjust the following values based on what your
# application needs. For details, see
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
# The proxy's memory use scales linearly with the number of active
# connections. Fewer open connections will use less memory. Adjust
# this value based on your application's requirements.
memory: "1Gi"
# The proxy's CPU use scales linearly with the amount of IO between
# the database and the application. Adjust this value based on your
# application's requirements.
cpu: "1"

## Extra volumes that can be used in sidecars
extraVolumes:
# This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is to be mounted
projected:
sources:
- serviceAccountToken:
audience: <audience-name> # <ATTENTION> - Enter the audience name for the projected service account token
expirationSeconds: 3600
path: token
# This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is to be mounted
secret:
secretName: <secret-name> # <ATTENTION> - Enter the secret name where config.json is added.

connectionInfo:
## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost.
##
host: "localhost"
## @param database.connectionInfo.port PostgreSQL port
##
port: "5432"
## @param database.connectionInfo.dbName PostgreSQL database name
##
dbName: <database-name> # <ATTENTION> - Enter the PostgreSQL database name for testmonitor service
## @param database.connectionInfo.user PostgreSQL username used by the service
##
user: <username> # <ATTENTION> - Enter the PostgreSQL username for the testmonitor service
## @param database.connectionInfo.secretName The name of an existing secret with PostgreSQL connection credentials
##
secretName: <secret-name> # <ATTENTION> - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials
## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# passwordKey: "passkey"
## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret
## If unset database.connectionInfo.passwordKey is used instead.
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# migrationPasswordKey: null

serviceAccount:
## @param serviceAccount.annotations Annotations to add to the service account
##
annotations:
{
iam.gke.io/gcp-service-account=<YOUR-GSA-NAME>@<YOUR-GOOGLE-CLOUD-PROJECT>.iam.gserviceaccount.com, # <ATTENTION> - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name
}
## @param serviceAccount.name The name of the service account to use.
## If not set and create is true, a name is generated using the fullname template
##
name: ""

dashboardhost:
grafana:
## Configuring Cloud SQL auth proxy extra container to authenticate to Cloud SQL Postgres database
## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
## A reverse proxy server should be added to the extraContainers for grafana to authenticate users.
extraContainers: |
- name: cloud-sql-auth-proxy
image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
volumeMounts:
# This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is mounted
mountPath: <token-mount-path> # <ATTENTION> - Enter the path where the token is mounted
readOnly: true
# This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is mounted
mountPath: /secrets/
readOnly: true
env:
# This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: "GOOGLE_APPLICATION_CREDENTIALS"
value: /secrets/<secret-key> # <ATTENTION> - Enter the key which was used while creating the secret
args:
# If connecting from a VPC-native GKE cluster, you can use the
# following flag to have the proxy connect over private IP
- "--private-ip"

# If you are not connecting with Automatic IAM, you can delete the following flag.
- "--auto-iam-authn"

# Enable structured logging with LogEntry format:
- "--structured-logs"

# Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
- "--exit-zero-on-sigterm"

- "--port=5432"
- "<connection-name>" # <ATTENTION> - Enter the connection name from the CloudSQL instance

# The credentials file is required for the proxy to authenticate using a service account key file.
- "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the key which was used while creating the secret
securityContext:
# The default Cloud SQL Auth Proxy image runs as the
# "nonroot" user and group (uid: 65532) by default.
runAsNonRoot: true
restartPolicy: Always
# You should use resource requests/limits as a best practice to prevent
# pods from consuming too many resources and affecting the execution of
# other pods. You should adjust the following values based on what your
# application needs. For details, see
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
# The proxy's memory use scales linearly with the number of active
# connections. Fewer open connections will use less memory. Adjust
# this value based on your application's requirements.
memory: "1Gi"
# The proxy's CPU use scales linearly with the amount of IO between
# the database and the application. Adjust this value based on your
# application's requirements.
cpu: "1"

## Extra volumes that can be used in extrContainers
extraContainerVolumes:
# This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is to be mounted
projected:
sources:
- serviceAccountToken:
audience: <audience-name> # <ATTENTION> - Enter the audience name for the projected service account token
expirationSeconds: 3600
path: token
# This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is to be mounted
secret:
secretName: <secret-name> # <ATTENTION> - Enter the secret name where config.json is added.

connectionInfo:
## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost.
##
host: "localhost"
## @param database.connectionInfo.port PostgreSQL port
##
port: "5432"
## @param database.connectionInfo.dbName PostgreSQL database name
##
dbName: <database-name> # <ATTENTION> - Enter the PostgreSQL database name for testmonitor service
## @param database.connectionInfo.user PostgreSQL username used by the service
##
user: <username> # <ATTENTION> - Enter the PostgreSQL username for the testmonitor service
## @param database.connectionInfo.secretName The name of an existing secret with
## PostgreSQL connection credentials
##
secretName: <secret-name> # <ATTENTION> - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials
## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# passwordKey: "passkey"
## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret
## If unset database.connectionInfo.passwordKey is used instead.
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# migrationPasswordKey: null

serviceAccount:
## @param serviceAccount.annotations Annotations to add to the service account
##
annotations:
{
iam.gke.io/gcp-service-account=<YOUR-GSA-NAME>@<YOUR-GOOGLE-CLOUD-PROJECT>.iam.gserviceaccount.com, # <ATTENTION> - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name
}
## @param serviceAccount.name The name of the service account to use.
## If not set and create is true, a name is generated using the fullname template
##
name: ""

dynamicformfields:
## Configuring Cloud SQL auth proxy sidecar container to authenticate to Cloud SQL Postgres database
## ref: https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine#run_the_in_a_sidecar_pattern
sidecars:
- name: cloud-sql-auth-proxy
image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.8.0
volumeMounts:
# This volume mount is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is mounted
mountPath: <token-mount-path> # <ATTENTION> - Enter the path where the token is mounted
readOnly: true
# This volume mount is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is mounted
mountPath: /secrets/
readOnly: true
env:
# This env variable is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: "GOOGLE_APPLICATION_CREDENTIALS"
value: /secrets/<secret-key> # <ATTENTION> - Enter the key which was used while creating the secret
args:
# If connecting from a VPC-native GKE cluster, you can use the
# following flag to have the proxy connect over private IP
- "--private-ip"

# If you are not connecting with Automatic IAM, you can delete the following flag.
- "--auto-iam-authn"

# Enable structured logging with LogEntry format:
- "--structured-logs"

# Ensures the proxy exits gracefully with a 0 exit code when it receives a SIGTERM signal
- "--exit-zero-on-sigterm"

- "--port=5432"
- "<connection-name>" # <ATTENTION> - Enter the connection name from the CloudSQL instance

# The credentials file is required for the proxy to authenticate using a service account key file.
- "--credentials-file=/secrets/<secret-key>" # <ATTENTION> - Enter the key which was used while creating the secret
securityContext:
# The default Cloud SQL Auth Proxy image runs as the
# "nonroot" user and group (uid: 65532) by default.
runAsNonRoot: true
restartPolicy: Always
# You should use resource requests/limits as a best practice to prevent
# pods from consuming too many resources and affecting the execution of
# other pods. You should adjust the following values based on what your
# application needs. For details, see
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources:
requests:
# The proxy's memory use scales linearly with the number of active
# connections. Fewer open connections will use less memory. Adjust
# this value based on your application's requirements.
memory: "1Gi"
# The proxy's CPU use scales linearly with the amount of IO between
# the database and the application. Adjust this value based on your
# application's requirements.
cpu: "1"

## Extra volumes that can be used in sidecars
extraVolumes:
# This volume is required for the proxy to authenticate with cloudSQL when using Workload Identity Federation.
- name: <token-volume-name> # <ATTENTION> - Enter the volume name where the token is to be mounted
projected:
sources:
- serviceAccountToken:
audience: <audience-name> # <ATTENTION> - Enter the audience name for the projected service account token
expirationSeconds: 3600
path: token
# This volume is required for the proxy to authenticate with cloudSQL using a service account key file.
- name: <config-volume-name> # <ATTENTION> - Enter the volume name where config.json is to be mounted
secret:
secretName: <secret-name> # <ATTENTION> - Enter the secret name where config.json is added.

connectionInfo:
## @param database.connectionInfo.host PostgreSQL hostname. Since the cloud-sql-auth-proxy is used, this value should be localhost.
##
host: "localhost"
## @param database.connectionInfo.port PostgreSQL port
##
port: "5432"
## @param database.connectionInfo.dbName PostgreSQL database name
##
dbName: <database-name> # <ATTENTION> - Enter the PostgreSQL database name for testmonitor service
## @param database.connectionInfo.user PostgreSQL username used by the service
##
user: <username> # <ATTENTION> - Enter the PostgreSQL username for the testmonitor service
## @param database.connectionInfo.secretName The name of an existing secret with
## PostgreSQL connection credentials
##
secretName: <secret-name> # <ATTENTION> - Enter the secret name that contains the testmonitor service's Postgres SQL database connection credentials
## @param database.connectionInfo.passwordKey Password key for database.connectionInfo.user to be retrieved from existing secret
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# passwordKey: "passkey"
## @param database.connectionInfo.migrationPasswordKey Password key for database.connectionInfo.migrationUser to be retrieved from existing secret
## If unset database.connectionInfo.passwordKey is used instead.
## NOTE: Ignored unless `database.connectionInfo.secretName` parameter is set.
##
# migrationPasswordKey: null

serviceAccount:
## @param serviceAccount.annotations Annotations to add to the service account
##
annotations:
{
iam.gke.io/gcp-service-account=<YOUR-GSA-NAME>@<YOUR-GOOGLE-CLOUD-PROJECT>.iam.gserviceaccount.com, # <ATTENTION> - Enter the Google Service Account name created for Cloud SQL access and the Google Cloud Project name
}
## @param serviceAccount.name The name of the service account to use.
## If not set and create is true, a name is generated using the fullname template
##
name: ""

fileingestion:
s3:
port: 443
bucket: <name-of-gcs-bucket> # <ATTENTION> - Enter the name of the GCS bucket for fileingestion service
scheme: "https://"
host: "storage.googleapis.com"
region: "us-east1"

feedservice:
s3:
port: 443
bucket: <name-of-gcs-bucket> # <ATTENTION> - Enter the name of the GCS bucket for feedservice service
scheme: "https://"
host: "storage.googleapis.com"
region: "us-east1"

saltmaster:
serviceTCP:
type: LoadBalancer

nbexecservice:
argo:
## Configure GCS access.
##
artifactRepository:
s3:
port: 443
bucket: <name-of-gcs-bucket> # <ATTENTION> - Enter the name of the GCS bucket for nbexecservice service
scheme: "https://"
host: "storage.googleapis.com"
region: "us-east1"
insecure: false
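Review bot: The three `serviceAccount.annotations` blocks (testmonitorservice, dashboardhost, dynamicformfields) write the Workload Identity annotation as `iam.gke.io/gcp-service-account=<YOUR-GSA-NAME>@...` inside a `{ }` flow mapping, which YAML reads as one long key with a null value rather than a key/value pair, so the Kubernetes service account would not be bound to the Google service account as intended. A block mapping with a quoted value avoids this: `iam.gke.io/gcp-service-account: "<YOUR-GSA-NAME>@<YOUR-GOOGLE-CLOUD-PROJECT>.iam.gserviceaccount.com"`. Separately, each proxy container sets both `--credentials-file=/secrets/<secret-key>` and `GOOGLE_APPLICATION_CREDENTIALS` alongside `--auto-iam-authn`, and the `volumeMounts` comments label the token and config volumes the opposite way round from the `extraVolumes`/`extraContainerVolumes` comments. It would help to state which settings belong to the key-file method and which to Workload Identity Federation, and to tell users to delete the key-file settings when they use the latter, so that a long-lived service account key is not mounted where it is not needed.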