default.values.yaml
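# Deploy CiliumNetworkPolicies; only useful when Cilium is already the
# cluster CNI.
# NOTE(review): while this is false none of these policies are deployed, so
# pod-to-pod traffic is limited only by whatever the cluster enforces itself.
cilium:
  enabled: false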
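# Deploy ECK: https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html
# Includes the operator, Elasticsearch, Kibana and Filebeat.
elk:
  enabled: false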
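# Deploy the Prometheus operator in the monitoring namespace.
# Required, because the setup of the processing services uses ServiceMonitor
# resources, which are defined by a CRD.
prometheus:
  enabled: false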
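# Deploy the nginx ingress controller.
# We use and recommend https://github.com/kubernetes/ingress-nginx/ because we
# have many sub-locations on the same host served by different services, and
# we did not get on with the minion configuration of the official nginx
# controller.
ingress:
  enabled: false
  # Our setup is bare metal, so this is the IP the ingress controller binds to.
  ip: 'someip'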
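# Deploy the cert-manager operator. You still have to set up your own Issuer
# or ClusterIssuer for cert-manager.
certmanager:
  enabled: false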
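# Common settings shared by the processing services.
# NOTE(review): this listing lost its indentation; the nesting below is
# reconstructed from the comments and the key order (the comment on
# tls.secretName refers to services.ingress.rootDomain). Confirm it against
# the repository, in particular the placement of pcidss, replicas and
# statelessReplicas under global.
services:
  global:
    # Set to true if the cluster CIDR is IPv6-only.
    ipv6only: false
    # Deploy ServiceMonitors for the processing services.
    metrics:
      enabled: true
    # Set when the processing service images come from your own registry.
    registry:
      repository: docker.io/rbkmoney
      imagePullSecret: {}
    # Tolerations for the pcidss services. The matching taint has to be set
    # on the pcidss nodes by hand:
    #   kubectl taint nodes wrk1-dss wrk2-dss pcidss=true:NoSchedule
    pcidss:
      taints:
        enabled: false
        key: pcidss
        # Quoted so the taint value stays the string "true" rather than a
        # YAML boolean.
        value: 'true'
    replicas: 1
    statelessReplicas: 1
  # With dev: true on Kubernetes >= 1.21, or on any cloud provider, see
  # https://www.vaultproject.io/docs/auth/kubernetes#discovering-the-service-account-issuer
  # and set the issuer for your cluster in config/vault-cm/values.yaml.gotmpl.
  vault:
    # enabled: false switches the source of the postgres user and password
    # from annotations to a secret.
    enabled: true
    # Enables auto-unseal and disables persistence.
    # NOTE(review): an auto-unsealed Vault without persistent storage suits
    # test clusters only; set dev: false before it holds real secrets.
    dev: true
    injectorNamespaced: true
    # Set enabled: true to auto-unseal through another Vault instance.
    # Requires a secret with the token, named "vault-transit-token"
    # (see config/vault/values.yaml.gotmpl).
    transitUnseal:
      enabled: false
      # NOTE(review): this sample address is plain http; use an https
      # address for a real transit Vault so the token is not sent in
      # cleartext.
      address: http://another.vault.local:8200
  # Change these when CDS, Machinegun and wb-list-manager use separate
  # external Riak clusters.
  riak:
    riakMgAddress: riak
    riakCdAddress: riak
    riakWblAddress: riak
  # Use an external PostgreSQL cluster with one user shared by all services.
  # TODO: split users
  postgres:
    external: false
    # The values below are used only when postgres.external is true.
    endpoint: postgres-postgresql
    # NOTE(review): sample credentials for the single shared account, and
    # `postgres` is normally the superuser role. Replace both before setting
    # external: true, keep the real password out of version control, and
    # prefer one least-privilege role per service (see the TODO above).
    uniUser: postgres
    uniPassword: 'H@ckM3'
  # Use an external Kafka cluster.
  kafka:
    external: false
    endpoint: kafka
    port: 9092
    ssl:
      enabled: false
      # Sample store passwords; replace them and supply the real ones from a
      # secret. Quoted so they stay strings rather than YAML integers.
      keystorePass: '12341234'
      # Set if it differs from the keystore password.
      keyPass: '12341234'
      truststorePass: '43214321'
  s3:
    endpoint: minio:9000
    region: EU
    bucket: bucket-files
    # Sample access key pair; replace it and keep the real secret key out of
    # version control.
    accessKey: user_01
    secretKey: SomeSecretKeyFromS3AdminConsole
  mail:
    smtp:
      host: mail
      port: 25
      from: no-reply@test.ru
      auth:
        enabled: false
        # Sample credentials; replace them before enabling auth.
        username: user
        password: password
  ingress:
    # Ingress class, needed when there is more than one controller.
    class: "nginx"
    # Root domain under which the service subdomains are created.
    rootDomain: some-site.ru
    # If true, the ingress is rendered with the namespace name. For example,
    # when deployed in namespace test, api is available at
    # api.test.some-site.ru.
    namespacedDomain: false
    # NOTE(review): TLS is off by default, so presumably the service
    # ingresses are rendered without certificates until this is enabled.
    tls:
      enabled: false
      # Use cert-manager annotations for the TLS certificate.
      letsEncrypt:
        enabled: false
        issuer: ""
      # Name of the secret holding a wildcard certificate for
      # services.ingress.rootDomain, if you have one. With Let's Encrypt this
      # value is used as the suffix of the secrets that hold the certificates.
      secretName: sometlssecret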