114 lines
3.3 KiB
YAML
114 lines
3.3 KiB
YAML
|
affinity: {}
|
||
|
|
autoscaling:
|
||
|
|
enabled: false
|
||
|
|
maxReplicas: 100
|
||
|
|
minReplicas: 1
|
||
|
|
targetCPUUtilizationPercentage: 80
|
||
|
|
|
||
|
|
config:
|
||
|
|
apiUrl: 'wss://api.gate.calegix.net' # Matches Docker example; adjust as needed
|
||
|
|
telemetry:
|
||
|
|
enabled: true # Matches Docker default (telemetry on unless disabled)
|
||
|
|
token:
|
||
|
|
existingSecret: null # Set to a secret name if using an existing one
|
||
|
|
key: FIREZONE_TOKEN # Matches Helm chart expectation
|
||
|
|
value: null # Set this to your token if not using a secret, e.g., ".SFMyNTY..."
|
||
|
|
|
||
|
|
dnsConfig: {}
|
||
|
|
dnsPolicy: ClusterFirst # Default OpenShift policy; explicit for clarity
|
||
|
|
|
||
|
|
envFrom: []
|
||
|
|
extraEnv:
|
||
|
|
- name: FIREZONE_NAME # Override chart's default to use hostname
|
||
|
|
valueFrom:
|
||
|
|
fieldRef:
|
||
|
|
fieldPath: spec.nodeName # Closest to `hostname` in OpenShift
|
||
|
|
|
||
|
|
fullnameOverride: ''
|
||
|
|
image:
|
||
|
|
pullPolicy: Always # Matches Docker --pull=always
|
||
|
|
repository: ghcr.io/firezone/gateway
|
||
|
|
tag: '1' # Matches Docker version; adjust as needed
|
||
|
|
imagePullSecrets: []
|
||
|
|
|
||
|
|
logLevel: info # Matches Docker RUST_LOG=info; adjust to trace if desired
|
||
|
|
|
||
|
|
nameOverride: ''
|
||
|
|
nodeSelector: {}
|
||
|
|
pdb:
|
||
|
|
annotations: {}
|
||
|
|
enabled: false
|
||
|
|
labels: {}
|
||
|
|
maxUnavailable: ''
|
||
|
|
minAvailable: 1 # Reasonable default for availability
|
||
|
|
|
||
|
|
podAnnotations: {}
|
||
|
|
podLabels: {}
|
||
|
|
podSecurityContext:
|
||
|
|
fsGroup: null # Arbitrary non-root group ID for volume access
|
||
|
|
runAsNonRoot: true # OpenShift best practice
|
||
|
|
runAsUser: null # Arbitrary non-root user ID
|
||
|
|
|
||
|
|
replicas: 1
|
||
|
|
resources:
|
||
|
|
requests: # Suggested defaults; adjust based on workload
|
||
|
|
cpu: 100m
|
||
|
|
memory: 256Mi
|
||
|
|
limits:
|
||
|
|
cpu: 500m
|
||
|
|
memory: 512Mi
|
||
|
|
|
||
|
|
revisionHistoryLimit: 10
|
||
|
|
|
||
|
|
securityContext:
|
||
|
|
privileged: false # Avoid privileged; use capabilities instead
|
||
|
|
readOnlyRootFilesystem: false # Required for /var/lib/firezone writes
|
||
|
|
capabilities:
|
||
|
|
add:
|
||
|
|
- NET_ADMIN # Required for TUN device and networking
|
||
|
|
runAsNonRoot: true # OpenShift best practice
|
||
|
|
runAsUser: null # Match podSecurityContext
|
||
|
|
|
||
|
|
serviceAccount:
|
||
|
|
annotations: {}
|
||
|
|
automount: false
|
||
|
|
create: true
|
||
|
|
name: '' # Auto-generated if empty
|
||
|
|
|
||
|
|
tolerations: []
|
||
|
|
|
||
|
|
# Custom additions for Firezone Gateway
|
||
|
|
volumes:
|
||
|
|
- name: firezone-data # Persistent storage for /var/lib/firezone
|
||
|
|
emptyDir: {} # Use PVC if persistence is needed
|
||
|
|
- name: tun-device # Mount for TUN device
|
||
|
|
hostPath:
|
||
|
|
path: /dev/net/tun
|
||
|
|
|
||
|
|
containers:
|
||
|
|
- name: firezone-gateway # Matches chart's expected name
|
||
|
|
volumeMounts:
|
||
|
|
- mountPath: /var/lib/firezone
|
||
|
|
name: firezone-data
|
||
|
|
- mountPath: /dev/net/tun
|
||
|
|
name: tun-device
|
||
|
|
livenessProbe:
|
||
|
|
exec:
|
||
|
|
command:
|
||
|
|
- ip
|
||
|
|
- link
|
||
|
|
- grep
|
||
|
|
- tun-firezone # Matches Docker health check
|
||
|
|
initialDelaySeconds: 10
|
||
|
|
periodSeconds: 10
|
||
|
|
failureThreshold: 3
|
||
|
|
readinessProbe:
|
||
|
|
exec:
|
||
|
|
command:
|
||
|
|
- ip
|
||
|
|
- link
|
||
|
|
- grep
|
||
|
|
- tun-firezone # Matches Docker health check
|
||
|
|
initialDelaySeconds: 5
|
||
|
|
periodSeconds: 10
|
||
|
|
failureThreshold: 3
|