2023-10-17 02:03:09 +00:00
|
|
|
|
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
|
|
|
|
kind: HelmRelease
|
|
|
|
|
metadata:
|
|
|
|
|
name: fission
|
2023-10-17 02:05:04 +00:00
|
|
|
|
namespace: fission-ns
|
2023-10-17 02:03:09 +00:00
|
|
|
|
spec:
|
|
|
|
|
chart:
|
|
|
|
|
spec:
|
|
|
|
|
chart: fission-all
|
|
|
|
|
sourceRef:
|
|
|
|
|
kind: HelmRepository
|
|
|
|
|
name: fission
|
|
|
|
|
namespace: flux-system
|
|
|
|
|
interval: 5m
|
|
|
|
|
values:
|
|
|
|
|
## Fission chart configuration
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
## serviceType to consider while creating Fission Controller service.
|
|
|
|
|
## For minikube/kind, set this to NodePort, elsewhere use LoadBalancer or ClusterIP.
|
|
|
|
|
##
|
|
|
|
|
serviceType: LoadBalancer
|
|
|
|
|
|
|
|
|
|
## routerServiceType to consider while creating Fission Router service.
|
|
|
|
|
## For minikube, set this to NodePort, elsewhere use LoadBalancer or ClusterIP.
|
|
|
|
|
##
|
|
|
|
|
routerServiceType: LoadBalancer
|
|
|
|
|
|
|
|
|
|
## repository represents base repository for images used in the chart.
|
|
|
|
|
## Keep it empty for using existing local image
|
|
|
|
|
##
|
|
|
|
|
repository: ghcr.io
|
|
|
|
|
|
|
|
|
|
## image represents the base image fission-bundle used by multiple Fission components.
|
|
|
|
|
## We alter arguments to the image to run a particular component.
|
|
|
|
|
##
|
|
|
|
|
image: fission/fission-bundle
|
|
|
|
|
|
|
|
|
|
## imageTag represents the tag of the base image fission-bundle used by multiple Fission components.
|
|
|
|
|
## It is also used by the chart to identify version of the few more images apart from fission-bundle.
|
|
|
|
|
## Keep it empty for using latest tag.
|
|
|
|
|
##
|
|
|
|
|
imageTag: v1.19.0
|
|
|
|
|
|
|
|
|
|
## pullPolicy represents the pull policy to use for images in the chart.
|
|
|
|
|
##
|
|
|
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
|
|
|
|
## imageppullsecrets
|
|
|
|
|
imagePullSecrets: []
|
|
|
|
|
|
|
|
|
|
## priorityClassName represents the priority class name to use for Fission components.
|
|
|
|
|
## Refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
|
|
|
|
|
## executor.priorityClassName takes precedence over this value for executor.
|
|
|
|
|
## router.priorityClassName takes precedence over this value for router.
|
|
|
|
|
##
|
|
|
|
|
priorityClassName: ""
|
|
|
|
|
|
|
|
|
|
## terminationMessagePath is the path at which the pod termination message will be written.
|
|
|
|
|
## executor.terminationMessagePath takes precedence over this value for executor.
|
|
|
|
|
## router.terminationMessagePath takes precedence over this value for router.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePath: /dev/termination-log
|
|
|
|
|
|
|
|
|
|
## terminationMessagePolicy is the policy for the termination message.
|
|
|
|
|
## executor.terminationMessagePolicy takes precedence over this value for executor.
|
|
|
|
|
## router.terminationMessagePolicy takes precedence over this value for router.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePolicy: File
|
|
|
|
|
|
|
|
|
|
## controllerPort represents the port at which the Fission controller service should be exposed.
|
|
|
|
|
##
|
|
|
|
|
controllerPort: 31313
|
|
|
|
|
|
|
|
|
|
## routerPort represents the port at which the Fission Router service should be exposed.
|
|
|
|
|
##
|
|
|
|
|
routerPort: 31314
|
|
|
|
|
|
|
|
|
|
## defaultNamespace represents the namespace in which Fission custom resources will be created by the Fission user.
|
|
|
|
|
## This is different from the release namespace.
|
|
|
|
|
## Please consider setting `additionalFissionNamespaces` if you want more than one namespace to be used for Fission custom resources.
|
|
|
|
|
##
|
|
|
|
|
defaultNamespace: fission-service-ns
|
|
|
|
|
|
|
|
|
|
## builderNamespace represents the namespace in which Fission Builder resources will be created.
|
|
|
|
|
## if builderNamespace is set to empty then builder resources will be created in the same namespace as the Fission resources.
|
|
|
|
|
## This is different from the release namespace.
|
|
|
|
|
##
|
|
|
|
|
builderNamespace: ""
|
|
|
|
|
|
|
|
|
|
## functionNamespace represents the namespace in which Fission Function resources will be created.
|
|
|
|
|
## if functionNamespace is set to empty then function resources will be created in the same namespace as the Fission resources.
|
|
|
|
|
## This is different from the release namespace.
|
|
|
|
|
##
|
|
|
|
|
functionNamespace: ""
|
|
|
|
|
|
|
|
|
|
## Fission will watch the following namespaces along with the `defaultNamespace` for fission custom resources.
|
|
|
|
|
## additionalFissionNamespaces:
|
|
|
|
|
## - namespace1
|
|
|
|
|
## - namespace2
|
|
|
|
|
## - namespace3
|
|
|
|
|
additionalFissionNamespaces: []
|
|
|
|
|
|
|
|
|
|
## createNamespace decides to create namespaces by the chart.
|
|
|
|
|
## If set to true, functionNamespace and builderNamespace namespaces mentioned above will be created by the chart.
|
|
|
|
|
## Set to false if you want to create the namespaces manually.
|
|
|
|
|
##
|
|
|
|
|
createNamespace: true
|
|
|
|
|
|
|
|
|
|
## enableIstio indicates whether to enable istio integration.
|
|
|
|
|
##
|
|
|
|
|
enableIstio: false
|
|
|
|
|
|
|
|
|
|
## fetcher is a light weight component that helps in running functions.
|
|
|
|
|
## fetcher helps in fetching function source code/build and uploading it when function is invoked.
|
|
|
|
|
##
|
|
|
|
|
fetcher:
|
|
|
|
|
## image represents the image of the fetcher component.
|
|
|
|
|
image: fission/fetcher
|
|
|
|
|
## imageTag represents the tag of the image of the fetcher component.
|
|
|
|
|
imageTag: v1.19.0
|
|
|
|
|
|
|
|
|
|
## Fetcher is only for to downloading or uploading archive.
|
|
|
|
|
## Normally, you don't need to change the value here, unless necessary.
|
|
|
|
|
##
|
|
|
|
|
resource:
|
|
|
|
|
## cpu represents the cpu resource required by the fetcher component.
|
|
|
|
|
##
|
|
|
|
|
cpu:
|
|
|
|
|
requests: "10m"
|
|
|
|
|
## Low CPU limits will increases the function specialization time.
|
|
|
|
|
limits: ""
|
|
|
|
|
## mem represents the memory resource required by the fetcher component.
|
|
|
|
|
##
|
|
|
|
|
mem:
|
|
|
|
|
requests: "16Mi"
|
|
|
|
|
limits: ""
|
|
|
|
|
|
|
|
|
|
## executor is responsible for providing resources to your functions.
|
|
|
|
|
##
|
|
|
|
|
executor:
|
|
|
|
|
## executor priorityClassName
|
|
|
|
|
## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
|
|
|
|
|
## Recommended to use system-cluster-critical for executor pods.
|
|
|
|
|
##
|
|
|
|
|
priorityClassName: ""
|
|
|
|
|
## terminationMessagePath is the path at which the file to which the executor will write a message upon termination.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePath: ""
|
|
|
|
|
## terminationMessagePolicy is the policy for the executor termination message.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePolicy: ""
|
|
|
|
|
## adoptExistingResources decides whether to adopt existing resources when executor restarts or Fission is redeployed.
|
|
|
|
|
##
|
|
|
|
|
adoptExistingResources: false
|
|
|
|
|
## podReadyTimeout represents the timeout in seconds for waiting for pod to become ready.
|
|
|
|
|
## This is applicable to Pool Manager executor type only.
|
|
|
|
|
##
|
|
|
|
|
podReadyTimeout: 300s
|
|
|
|
|
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## Object Reaper
|
|
|
|
|
## objectReaperInterval (seconds) represents GLOBAL interval to run process that reaps objects after certain idle time.
|
|
|
|
|
## Also you can set different objectReaperInterval for specific executor type. See poolmgs/newdeploy/container section
|
|
|
|
|
## Default: 5 (in seconds)
|
|
|
|
|
##
|
|
|
|
|
objectReaperInterval: 5
|
|
|
|
|
|
|
|
|
|
poolmgr: {}
|
|
|
|
|
## objectReaperInterval specific to poolmgr executor type
|
|
|
|
|
##
|
|
|
|
|
## objectReaperInterval: 5
|
|
|
|
|
newdeploy: {}
|
|
|
|
|
## objectReaperInterval specific to newdeploy executor type
|
|
|
|
|
##
|
|
|
|
|
## objectReaperInterval: 5
|
|
|
|
|
container: {}
|
|
|
|
|
## objectReaperInterval specific to container executor type
|
|
|
|
|
##
|
|
|
|
|
## objectReaperInterval: 5
|
|
|
|
|
|
|
|
|
|
serviceAccountCheck:
|
|
|
|
|
## enables fission to create service account, roles and rolebinding for missing permission for builder and fetcher.
|
|
|
|
|
enabled: true
|
|
|
|
|
## indicates the time interval in minutes, after that fission will create service account, roles and rolebinding for builder and fetcher.
|
|
|
|
|
## interval will be applicable only if enable value is set to true.
|
|
|
|
|
## default timing will be 0 minutes. That means check will run only once.
|
|
|
|
|
## if you want to run check every 30 minutes then set interval to 30.
|
|
|
|
|
interval: 0
|
|
|
|
|
## router is responsible for routing function calls to the appropriate function.
|
|
|
|
|
##
|
|
|
|
|
router:
|
|
|
|
|
## router priorityClassName
|
|
|
|
|
## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
|
|
|
|
|
## Recommended to use system-cluster-critical for router pods.
|
|
|
|
|
##
|
|
|
|
|
priorityClassName: ""
|
|
|
|
|
## terminationMessagePath is the path at which the file to which the router will write a message upon termination.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePath: ""
|
|
|
|
|
## terminationMessagePolicy is the policy for the router termination message.
|
|
|
|
|
##
|
|
|
|
|
terminationMessagePolicy: ""
|
|
|
|
|
## deployAsDaemonSet decides whether to deploy router as a DaemonSet or a Deployment.
|
|
|
|
|
##
|
|
|
|
|
deployAsDaemonSet: false
|
|
|
|
|
## replicas decides how many router pods to deploy. Only used when deployAsDaemonSet is false.
|
|
|
|
|
##
|
|
|
|
|
replicas: 1
|
|
|
|
|
## svcAddressMaxRetries is the max times for router to retry with a specific function service address
|
|
|
|
|
##
|
|
|
|
|
svcAddressMaxRetries: 5
|
|
|
|
|
## svcAddressUpdateTimeout is the timeout setting for a goroutine to wait for the update of a service entry.
|
|
|
|
|
##
|
|
|
|
|
svcAddressUpdateTimeout: 30s
|
|
|
|
|
## unTapServiceTimeout is the timeout used in the request context of unTapService.
|
|
|
|
|
## unTapService is called to free up the resources once the function invocation is done.
|
|
|
|
|
##
|
|
|
|
|
unTapServiceTimeout: 3600s
|
|
|
|
|
## displayAccessLog display endpoing access logs
|
|
|
|
|
## Please be aware of enabling logging endpoint access log, it increases
|
|
|
|
|
## router resource utilization when under heavy workloads.
|
|
|
|
|
##
|
|
|
|
|
displayAccessLog: false
|
|
|
|
|
## svcAnnotations is the annotations to be added to the service resource created for router.
|
|
|
|
|
##
|
|
|
|
|
# svcAnnotations:
|
|
|
|
|
# cloud.google.com/load-balancer-type: Internal
|
|
|
|
|
|
|
|
|
|
## useEncodedPath decideds to match encoded path.
|
|
|
|
|
## If true, "/foo%2Fbar" will match the path "/{var}";
|
|
|
|
|
## Otherwise, it will match the path "/foo/bar".
|
|
|
|
|
## For details, see: https://github.com/fission/fission/issues/1317
|
|
|
|
|
##
|
|
|
|
|
useEncodedPath: false
|
|
|
|
|
|
|
|
|
|
roundTrip:
|
|
|
|
|
## If true, router will disable the HTTP keep-alive which result in performance degradation.
|
|
|
|
|
## But it ensures that router can redirect new coming requests to new function pods.
|
|
|
|
|
##
|
|
|
|
|
## If false, router will enable transport keep-alive feature for better performance.
|
|
|
|
|
## However, the drawback is it takes longer to switch to newly created function pods
|
|
|
|
|
## if using newdeploy as executor type for function. If you want to preserve the
|
|
|
|
|
## performance while keeping the short switching time to new function, you can create
|
|
|
|
|
## an environment with short grace period by setting flag "--graceperiod" (default 360s),
|
|
|
|
|
## so that kubernetes will be able to reap old function pod quickly.
|
|
|
|
|
##
|
|
|
|
|
## For details, see https://github.com/fission/fission/issues/723
|
|
|
|
|
##
|
|
|
|
|
disableKeepAlive: false
|
|
|
|
|
|
|
|
|
|
## keepAliveTime is period for an active network connection to function pod.
|
|
|
|
|
##
|
|
|
|
|
keepAliveTime: 30s
|
|
|
|
|
|
|
|
|
|
## timeout is HTTP transport request timeout
|
|
|
|
|
##
|
|
|
|
|
timeout: 50ms
|
|
|
|
|
|
|
|
|
|
## The length of request timeout will multiply with timeoutExponent after each retry
|
|
|
|
|
##
|
|
|
|
|
timeoutExponent: 2
|
|
|
|
|
|
|
|
|
|
## maxRetries defines no of retries of a failed request
|
|
|
|
|
##
|
|
|
|
|
maxRetries: 10
|
|
|
|
|
|
|
|
|
|
## Extend the container specs for the core fission pods.
|
|
|
|
|
## Can be used to add things like affinity/tolerations/nodeSelectors/etc.
|
|
|
|
|
## For example:
|
|
|
|
|
## extraCoreComponentPodConfig:
|
|
|
|
|
## affinity:
|
|
|
|
|
## nodeAffinity:
|
|
|
|
|
## requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
## nodeSelectorTerms:
|
|
|
|
|
## - matchExpressions:
|
|
|
|
|
## - key: capability
|
|
|
|
|
## operator: In
|
|
|
|
|
## values:
|
|
|
|
|
## - app
|
|
|
|
|
##
|
|
|
|
|
#extraCoreComponentPodConfig:
|
|
|
|
|
# affinity:
|
|
|
|
|
# tolerations:
|
|
|
|
|
# nodeSelector:
|
|
|
|
|
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## The builder manager watches the package & environments CRD changes and manages the builds of function source code.
|
|
|
|
|
##
|
|
|
|
|
buildermgr:
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## controller is the component that the client talks to.
|
|
|
|
|
## It contains CRUD APIs for functions, triggers, environments, Kubernetes event watches, etc. and proxy APIs to internal 3rd-party services.
|
|
|
|
|
##
|
|
|
|
|
controller:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## webhook is the component that validates API calls.
|
|
|
|
|
## It contains validation and mutation for functions, triggers, environments, Kubernetes event watches, etc.
|
|
|
|
|
##
|
|
|
|
|
webhook:
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
certManager:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
caBundlePEM: |
|
|
|
|
|
|
|
|
|
|
crtPEM: |
|
|
|
|
|
|
|
|
|
|
keyPEM: |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## kubewatcher watches the Kubernetes API and invokes functions associated with watches, sending the watch event to the function.
|
|
|
|
|
##
|
|
|
|
|
kubewatcher:
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## The storage service is the home for all archives of packages with sizes larger than 256KB.
|
|
|
|
|
##
|
|
|
|
|
storagesvc:
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Archive pruner removes archives from storage which are not referenced by any package.
|
|
|
|
|
archivePruner:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Run prune routine at interval (in minutes)
|
|
|
|
|
interval: 60
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## The timer works like kubernetes CronJob but instead of creating a pod to do the task
|
|
|
|
|
## It sends a request to router to invoke the function.
|
|
|
|
|
##
|
|
|
|
|
timer:
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## Kafka: enable and configure the details
|
|
|
|
|
##
|
|
|
|
|
kafka:
|
|
|
|
|
enabled: false
|
|
|
|
|
## note: below link is only for reference.
|
|
|
|
|
## Please use the brokers link for your kafka here.
|
|
|
|
|
##
|
|
|
|
|
brokers: "broker.kafka:9092" # or your-bootstrap-server.kafka:9092/9093
|
|
|
|
|
## Sample config for authentication
|
|
|
|
|
## authentication:
|
|
|
|
|
## tls:
|
|
|
|
|
## enabled: true
|
|
|
|
|
## caCert: 'auth/kafka/ca.crt'
|
|
|
|
|
## userCert: 'auth/kafka/user.crt'
|
|
|
|
|
## userKey: 'auth/kafka/user.key'
|
|
|
|
|
##
|
|
|
|
|
authentication:
|
|
|
|
|
tls:
|
|
|
|
|
enabled: false
|
|
|
|
|
## InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name.
|
|
|
|
|
## Warning: Setting this to true, makes TLS susceptible to man-in-the-middle attacks
|
|
|
|
|
##
|
|
|
|
|
insecureSkipVerify: false
|
|
|
|
|
## path to certificate containing public key of CA authority
|
|
|
|
|
##
|
|
|
|
|
caCert: ""
|
|
|
|
|
## path to certificate containing public key of the user signed by CA authority
|
|
|
|
|
##
|
|
|
|
|
userCert: ""
|
|
|
|
|
## path to private key of the user
|
|
|
|
|
##
|
|
|
|
|
userKey: ""
|
|
|
|
|
|
|
|
|
|
## version of Kafka broker
|
|
|
|
|
## For 0.x it must be a string in the format
|
|
|
|
|
## "major.minor.veryMinor.patch" example: 0.8.2.0
|
|
|
|
|
## For 1.x it must be a string in the format
|
|
|
|
|
## "major.major.veryMinor" example: 2.0.1
|
|
|
|
|
## Should be >= 0.11.2.0 to enable Kafka record headers support
|
|
|
|
|
##
|
|
|
|
|
# version: "0.11.2.0"
|
|
|
|
|
|
|
|
|
|
# The following components expose Prometheus metrics and have servicemonitors in this chart (disabled by default)
|
|
|
|
|
# Controller, router, executor, storage svc
|
|
|
|
|
serviceMonitor:
|
|
|
|
|
enabled: false
|
|
|
|
|
##namespace in which you want to deploy servicemonitor
|
|
|
|
|
##
|
|
|
|
|
namespace: ""
|
|
|
|
|
## Map of additional labels to add to the ServiceMonitor resources
|
|
|
|
|
# to allow selecting specific ServiceMonitors
|
|
|
|
|
# in case of multiple prometheus deployments
|
|
|
|
|
additionalServiceMonitorLabels: {}
|
|
|
|
|
# release: "monitoring"
|
|
|
|
|
# key: "value"
|
|
|
|
|
|
|
|
|
|
# The following components expose Prometheus metrics and have podmonitors in this chart (disabled by default)
|
|
|
|
|
#
|
|
|
|
|
podMonitor:
|
|
|
|
|
enabled: false
|
|
|
|
|
##namespace in which you want to deploy podmonitor
|
|
|
|
|
##
|
|
|
|
|
namespace: ""
|
|
|
|
|
## Map of additional labels to add to the PodMonitor resources
|
|
|
|
|
# to allow selecting specific PodMonitor
|
|
|
|
|
# in case of multiple prometheus deployments
|
|
|
|
|
additionalPodMonitorLabels: {}
|
|
|
|
|
# release: "monitoring"
|
|
|
|
|
# key: "value"
|
|
|
|
|
|
|
|
|
|
## Persist data to a persistent volume.
|
|
|
|
|
##
|
|
|
|
|
persistence:
|
|
|
|
|
## If true, fission will create/use a Persistent Volume Claim unless storageType is set to s3
|
|
|
|
|
## If false, use emptyDir
|
|
|
|
|
##
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Must be set to either local or S3.
|
|
|
|
|
## If storateType is set(other than local), one of its backend configuration must be set as below.
|
|
|
|
|
##
|
|
|
|
|
#storageType: s3
|
|
|
|
|
|
|
|
|
|
## Sample configuration for AWS s3 storage backend
|
|
|
|
|
##
|
|
|
|
|
#s3:
|
|
|
|
|
# bucketName:
|
|
|
|
|
# subDir: <sub directory within a bucket>
|
|
|
|
|
# accessKeyId: <awsAccessKeyId>
|
|
|
|
|
# secretAccessKey:
|
|
|
|
|
# region: <awsRegion>
|
|
|
|
|
## #For Minio and other s3 compatible storage systems set endPoint property
|
|
|
|
|
# endPoint: <s3StorageUrl>
|
|
|
|
|
|
|
|
|
|
## A manually managed Persistent Volume Claim name
|
|
|
|
|
## Requires persistence.enabled: true
|
|
|
|
|
## If defined, PVC must be created manually before volume will be bound
|
|
|
|
|
##
|
|
|
|
|
# existingClaim:
|
|
|
|
|
|
|
|
|
|
## If defined, storageClassName: <storageClass>
|
|
|
|
|
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
|
|
|
|
## If undefined (the default) or set to null, no storageClassName spec is
|
|
|
|
|
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
|
|
|
|
## GKE, AWS & OpenStack)
|
|
|
|
|
##
|
|
|
|
|
# storageClass: "-"
|
|
|
|
|
|
|
|
|
|
accessMode: ReadWriteOnce
|
|
|
|
|
size: 8Gi
|
|
|
|
|
|
|
|
|
|
## Extend the container specs for the core fission pods.
|
|
|
|
|
## Can be used to add things like affinity/tolerations/nodeSelectors/etc.
|
|
|
|
|
## For example:
|
|
|
|
|
## extraCoreComponentPodConfig:
|
|
|
|
|
## affinity:
|
|
|
|
|
## nodeAffinity:
|
|
|
|
|
## requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
## nodeSelectorTerms:
|
|
|
|
|
## - matchExpressions:
|
|
|
|
|
## - key: capability
|
|
|
|
|
## operator: In
|
|
|
|
|
## values:
|
|
|
|
|
## - app
|
|
|
|
|
##
|
|
|
|
|
#extraCoreComponentPodConfig:
|
|
|
|
|
# affinity:
|
|
|
|
|
# tolerations:
|
|
|
|
|
# nodeSelector:
|
|
|
|
|
|
|
|
|
|
## Analytics let us count how many people installed fission. Set to
|
|
|
|
|
## false to disable analytics.
|
|
|
|
|
##
|
|
|
|
|
analytics: true
|
|
|
|
|
|
|
|
|
|
## Internally used for generating an analytics job for non-helm installs
|
|
|
|
|
##
|
|
|
|
|
analyticsNonHelmInstall: false
|
|
|
|
|
|
|
|
|
|
## Google Analytics Tracking ID
|
|
|
|
|
##
|
|
|
|
|
gaTrackingID: UA-196546703-1
|
|
|
|
|
|
|
|
|
|
## Logger config
|
|
|
|
|
## This would be used if influxdb is enabled
|
|
|
|
|
##
|
|
|
|
|
logger:
|
|
|
|
|
influxdbAdmin: "admin"
|
|
|
|
|
fluentdImageRepository: index.docker.io
|
|
|
|
|
fluentdImage: fluent/fluent-bit
|
|
|
|
|
fluentdImageTag: 1.8.8
|
|
|
|
|
|
|
|
|
|
## Fluent-bit writes/reads it’s own sqlite database to record a history of tracked
|
|
|
|
|
## files and a state of offsets, this is very useful to resume a state if the ser-
|
|
|
|
|
## vice is restarted. For Kubernetes environment with constraints like OpenShift,
|
|
|
|
|
## the containers are limited to write hostPath volume. Hence, we have to enable
|
|
|
|
|
## security context and set privileged to true.
|
|
|
|
|
##
|
|
|
|
|
enableSecurityContext: false
|
|
|
|
|
|
|
|
|
|
## Enable PodSecurityPolicies to allow privileged container
|
|
|
|
|
## Only required in some clusters and when enableSecurityContext is true
|
|
|
|
|
##
|
|
|
|
|
podSecurityPolicy:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Configure additional capabilities
|
|
|
|
|
##
|
|
|
|
|
additionalCapabilities:
|
|
|
|
|
# example values for linkerd
|
|
|
|
|
#- NET_RAW
|
|
|
|
|
#- NET_ADMIN
|
|
|
|
|
|
|
|
|
|
## Enable InfluxDB
|
|
|
|
|
##
|
|
|
|
|
influxdb:
|
|
|
|
|
enabled: false
|
|
|
|
|
image: influxdb:1.8
|
|
|
|
|
|
|
|
|
|
## Allow user to override busybox image used in fluent-bit init container
|
|
|
|
|
##
|
|
|
|
|
busyboxImage: busybox
|
|
|
|
|
|
|
|
|
|
## Archive pruner is a garbage collector for archives on the fission storage service.
|
|
|
|
|
## This interval configures the frequency at which it runs inside the storagesvc pod.
|
|
|
|
|
## The value is in minutes.
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
preUpgradeChecks:
|
|
|
|
|
## Run pre-install/pre-upgrade checks if true
|
|
|
|
|
##
|
|
|
|
|
enabled: true
|
|
|
|
|
## pre-install/pre-upgrade checks live in this image
|
|
|
|
|
##
|
|
|
|
|
image: fission/pre-upgrade-checks
|
|
|
|
|
## pre-install/pre-upgrade checks image version
|
|
|
|
|
##
|
|
|
|
|
imageTag: v1.19.0
|
|
|
|
|
|
|
|
|
|
## Fission post-install/post-upgrade reporting live in this image
|
|
|
|
|
##
|
|
|
|
|
postInstallReportImage: fission/reporter
|
|
|
|
|
|
|
|
|
|
## If there are any pod specialization errors when a function is triggered, the error
|
|
|
|
|
## summary is returned as part of http response if this is set to true.
|
|
|
|
|
##
|
|
|
|
|
debugEnv: false
|
|
|
|
|
|
|
|
|
|
## Prometheus related configuration to query metrics
|
|
|
|
|
##
|
|
|
|
|
prometheus:
|
|
|
|
|
## please assign the prometheus service URL
|
|
|
|
|
## that is accessible by Fission components.
|
|
|
|
|
## This is mainly used to enable canary deployment.
|
|
|
|
|
##
|
|
|
|
|
serviceEndpoint: ""
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
canaryDeployment:
|
|
|
|
|
## set this flag to true if you need canary deployment feature
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Security Context
|
|
|
|
|
## It holds pod-level and container level security configuration.
|
|
|
|
|
## This is an experimental section, please verify before enabling in production.
|
|
|
|
|
## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1
|
|
|
|
|
securityContext:
|
|
|
|
|
enabled: true
|
|
|
|
|
## Mark it false, if you want to stop the non root user validation
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
|
|
|
|
|
## Enable authentication for fission function invocation via Fission router
|
|
|
|
|
##
|
|
|
|
|
authentication:
|
|
|
|
|
## set this flag to true if you need authentication
|
|
|
|
|
## for all function invocations
|
|
|
|
|
## default 'false'
|
|
|
|
|
##
|
|
|
|
|
enabled: false
|
|
|
|
|
## authUriPath defines authentication endpoint path
|
|
|
|
|
## via router
|
|
|
|
|
## default '/auth/login'
|
|
|
|
|
##
|
|
|
|
|
authUriPath:
|
|
|
|
|
## authUsername is used as a username for authentication
|
|
|
|
|
## default 'admin'
|
|
|
|
|
##
|
|
|
|
|
authUsername: admin
|
|
|
|
|
## jwtSigningKey is the signing key used for
|
|
|
|
|
## signing the JWT token
|
|
|
|
|
##
|
|
|
|
|
jwtSigningKey: serverless
|
|
|
|
|
## jwtExpiryTime is the JWT expiry time
|
|
|
|
|
## in seconds
|
|
|
|
|
## default '120'
|
|
|
|
|
##
|
|
|
|
|
jwtExpiryTime:
|
|
|
|
|
## jwtIssuer is the issuer of JWT
|
|
|
|
|
## default 'fission'
|
|
|
|
|
##
|
|
|
|
|
jwtIssuer: fission
|
|
|
|
|
|
|
|
|
|
## OpenTelemetry is a set of tools for collecting, analyzing, and visualizing
|
|
|
|
|
## distributed tracing data across function calls.
|
|
|
|
|
##
|
|
|
|
|
openTelemetry:
|
|
|
|
|
## Use this flag to set the collector endpoint for OpenTelemetry.
|
|
|
|
|
## The variable is endpoint of the collector in the format shown below.
|
|
|
|
|
## otlpCollectorEndpoint: "otel-collector.observability.svc:4317"
|
|
|
|
|
##
|
|
|
|
|
otlpCollectorEndpoint: ""
|
|
|
|
|
## Set this flag to false if you are using secure endpoint for the collector.
|
|
|
|
|
##
|
|
|
|
|
otlpInsecure: true
|
|
|
|
|
## Key-value pairs to be used as headers associated with gRPC or HTTP requests to the collector.
|
|
|
|
|
## Eg. otlpHeaders: "key1=value1,key2=value2"
|
|
|
|
|
##
|
|
|
|
|
otlpHeaders: ""
|
|
|
|
|
## Supported samplers:
|
|
|
|
|
## always_on - Sampler that always samples spans, regardless of the parent span's sampling decision.
|
|
|
|
|
## always_off - Sampler that never samples spans, regardless of the parent span's sampling decision.
|
|
|
|
|
## traceidratio - Sampler that samples probabalistically based on rate.
|
|
|
|
|
## parentbased_always_on - (default if empty) Sampler that respects its parent span's sampling decision, but otherwise always samples.
|
|
|
|
|
## parentbased_always_off - Sampler that respects its parent span's sampling decision, but otherwise never samples.
|
|
|
|
|
## parentbased_traceidratio - Sampler that respects its parent span's sampling decision, but otherwise samples probabalistically based on rate.
|
|
|
|
|
## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration
|
|
|
|
|
##
|
|
|
|
|
tracesSampler: "parentbased_traceidratio"
|
|
|
|
|
## Each Sampler type defines its own expected input, if any.
|
|
|
|
|
## Currently we get trace ratio for the case of,
|
|
|
|
|
## 1. traceidratio
|
|
|
|
|
## 2. parentbased_traceidratio
|
|
|
|
|
## Sampling probability, a number in the [0..1] range, e.g. "0.1". Default is 0.1.
|
|
|
|
|
##
|
|
|
|
|
tracesSamplingRate: "0.1"
|
|
|
|
|
## Supported providers:
|
|
|
|
|
## tracecontext - W3C Trace Context
|
|
|
|
|
## baggage - W3C Baggage
|
|
|
|
|
## b3 - B3 Single
|
|
|
|
|
## b3multi - B3 Multi
|
|
|
|
|
## jaeger - Jaeger uber-trace-id header
|
|
|
|
|
## xray - AWS X-Ray (third party)
|
|
|
|
|
## ottrace - OpenTracing Trace (third party)
|
|
|
|
|
## none - No tracing
|
|
|
|
|
## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration
|
|
|
|
|
##
|
|
|
|
|
propagators: "tracecontext,baggage"
|
|
|
|
|
|
|
|
|
|
## Message Queue Trigger Kind, KEDA: enable and configuration
|
|
|
|
|
##
|
|
|
|
|
mqt_keda:
|
|
|
|
|
enabled: true
|
|
|
|
|
connector_images:
|
|
|
|
|
kafka:
|
|
|
|
|
image: fission/keda-kafka-http-connector
|
|
|
|
|
tag: v0.12
|
|
|
|
|
rabbitmq:
|
|
|
|
|
image: fission/keda-rabbitmq-http-connector
|
|
|
|
|
tag: v0.10
|
|
|
|
|
awskinesis:
|
|
|
|
|
image: fission/keda-aws-kinesis-http-connector
|
|
|
|
|
tag: v0.10
|
|
|
|
|
aws_sqs:
|
|
|
|
|
image: fission/keda-aws-sqs-http-connector
|
|
|
|
|
tag: v0.11
|
|
|
|
|
nats_steaming:
|
|
|
|
|
image: fission/keda-nats-streaming-http-connector
|
|
|
|
|
tag: v0.13
|
|
|
|
|
nats_jetstream:
|
|
|
|
|
image: fission/keda-nats-jetstream-http-connector
|
|
|
|
|
tag: v0.4
|
|
|
|
|
gcp_pubsub:
|
|
|
|
|
image: fission/keda-gcp-pubsub-http-connector
|
|
|
|
|
tag: v0.6
|
|
|
|
|
redis:
|
|
|
|
|
image: fission/keda-redis-http-connector
|
|
|
|
|
tag: v0.3
|
|
|
|
|
|
|
|
|
|
## Pod resources as:
|
|
|
|
|
## resources:
|
|
|
|
|
## limits:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
## requests:
|
|
|
|
|
## cpu: <tbd>
|
|
|
|
|
## memory: <tbd>
|
|
|
|
|
##
|
|
|
|
|
resources: {}
|
|
|
|
|
|
|
|
|
|
## Enable Pprof based profiling used mostly by Fission developers
|
|
|
|
|
##
|
|
|
|
|
pprof:
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Enable runtimePodSpec and add spec to your poolmgr or newdeploy pods
|
|
|
|
|
##
|
|
|
|
|
runtimePodSpec:
|
|
|
|
|
|
|
|
|
|
## Setting it false by default so that integration tests pass
|
|
|
|
|
##
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#runtime
|
|
|
|
|
##
|
|
|
|
|
podSpec:
|
|
|
|
|
|
|
|
|
|
## Default podspec to improve security of the pods
|
|
|
|
|
##
|
|
|
|
|
securityContext:
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
|
|
|
|
|
## Enable builderPodSpec and add spec to your env builder pods
|
|
|
|
|
##
|
|
|
|
|
builderPodSpec:
|
|
|
|
|
|
|
|
|
|
## Setting it false by default so that integration tests pass
|
|
|
|
|
##
|
|
|
|
|
enabled: false
|
|
|
|
|
|
|
|
|
|
## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#builder
|
|
|
|
|
##
|
|
|
|
|
podSpec:
|
|
|
|
|
|
|
|
|
|
## Default podspec to improve security of the pods
|
|
|
|
|
##
|
|
|
|
|
securityContext:
|
|
|
|
|
fsGroup: 10001
|
|
|
|
|
runAsGroup: 10001
|
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
runAsUser: 10001
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Enable Grafana Dashboard configmaps for auto dashboard provisioning
|
|
|
|
|
## If you use kube-prometheus stack for monitoring, these will get imported into grafana
|
|
|
|
|
grafana:
|
|
|
|
|
## The namespace in which grafana pod is present
|
|
|
|
|
namespace: monitoring
|
|
|
|
|
dashboards:
|
|
|
|
|
## Disabled by default. switch to true to deploy them
|
|
|
|
|
enable: false
|
|
|
|
|
|
|
|
|
|
|