Skip to content

Instantly share code, notes, and snippets.

@tvvignesh

tvvignesh/AmbassadorChartIssue.yaml

Created September 27, 2020 21:25
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save tvvignesh/46433362548d4117815e8ba29d329da6 to your computer and use it in GitHub Desktop.
Save tvvignesh/46433362548d4117815e8ba29d329da6 to your computer and use it in GitHub Desktop.
Download ZIP
Ambassador NonRoot error
Raw
AmbassadorChartIssue.yaml
---
# Manually set metadata for the Release.
#
# Defaults to .Chart.Name
nameOverride: ""
# Defaults to .Release.Name-.Chart.Name unless .Release.Name contains "ambassador"
fullnameOverride: ""
# Defaults to .Release.Namespace
namespaceOverride: ""
replicaCount: 3
daemonSet: false
# This will enable the test-ready Pod (https://github.com/datawire/ambassador-chart/blob/master/templates/tests/test-ready.yaml).
# It will spawn a busybox container to call Ambassador's check_ready endpoint to validate it is working correctly.
test:
enabled: true
image: busybox
# Enable autoscaling using HorizontalPodAutoscaler
# daemonSet: true, autoscaling will be disabled
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 5
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 60
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 60
podDisruptionBudget: {}
# namespace:
# name: default
# Additional container environment variable
# Uncomment or add additional environment variables for the container here.
env: {}
# Exposing statistics via StatsD
# STATSD_ENABLED: true
# STATSD_HOST: statsd-sink
# sets the minimum number of seconds between Envoy restarts
# AMBASSADOR_RESTART_TIME: 15
# sets the number of seconds that the Envoy will wait for open connections to drain on a restart
# AMBASSADOR_DRAIN_TIME: 5
# sets the number of seconds that Ambassador will wait for the old Envoy to clean up and exit on a restart
# AMBASSADOR_SHUTDOWN_TIME: 10
# labels Ambassador with an ID to allow for configuring multiple Ambassadors in a cluster
# AMBASSADOR_ID: default
# Additional container environment variable in raw YAML format
# Uncomment or add additional environment variables for the container here.
envRaw: {}
# - name: REDIS_PASSWORD
# value: password
# valueFrom:
# secretKeyRef:
# name: redis-password
# key: password
# - name: POD_IP
# valueFrom:
# fieldRef:
# fieldPath: status.podIP
imagePullSecrets: []
security:
# Security Context for all containers in the pod.
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#podsecuritycontext-v1-core
podSecurityContext:
runAsUser: 8888
# Security Context for the Ambassador container specifically
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#securitycontext-v1-core
containerSecurityContext:
allowPrivilegeEscalation: false
# A basic PodSecurityPolicy to ensure Ambassador is running with appropriate security permissions
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
#
# A set of reasonable defaults is outlined below. This is not created by default as it should only
# be created by a one Release. If you want to use the PodSecurityPolicy in the chart, create it in
# the "master" Release and then leave it unset in all others. Set the `rbac.podSecurityPolicies`
# in all non-"master" Releases.
podSecurityPolicy:
# Add AppArmor and Seccomp annotations
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor
annotations:
spec:
seLinux:
rule: RunAsAny
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
privileged: false
allowPrivilegeEscalation: false
runAsUser:
rule: MustRunAsNonRoot
image:
repository: docker.io/datawire/aes
tag: 1.7.2
pullPolicy: IfNotPresent
dnsPolicy: "ClusterFirst"
hostNetwork: false
service:
type: LoadBalancer
# Note that target http ports need to match your ambassador configurations service_port
# https://www.getambassador.io/reference/modules/#the-ambassador-module
ports:
- name: http
port: 80
targetPort: 8080
# protocol: TCP
# nodePort: 30080
# hostPort: 80
- name: https
port: 443
targetPort: 8443
# protocol: TCP
# nodePort: 30443
# hostPort: 443
# TCPMapping_Port
# port: 2222
# targetPort: 2222
# protocol: TCP
# nodePort: 30222
externalTrafficPolicy:
externalIPs: []
annotations: {}
#############################################################################
## Ambassador should be configured using CRD definition. If you want
## to use annotations, the following is an example of annotating the
## Ambassador service with global configuration manifest.
##
## See https://www.getambassador.io/reference/core/ambassador and
## https://www.getambassador.io/reference/core/tls for more info
#############################################################################
#
# getambassador.io/config: |
# ---
# apiVersion: ambassador/v1
# kind: TLSContext
# name: ambassador
# secret: ambassador-certs
# hosts: ["*"]
# ---
# apiVersion: ambassador/v1
# kind: Module
# name: ambassador
# config:
# admin_port: 8001
# diag_port: 8877
# diagnostics:
# enabled: true
# enable_grpc_http11_bridge: false
# enable_grpc_web: false
# enable_http10: false
# enable_ipv4: true
# enable_ipv6: false
# liveness_probe:
# enabled: true
# lua_scripts:
# readiness_probe:
# enabled: true
# server_name: envoy
# service_port: 8080
# use_proxy_proto: false
# use_remote_address: true
# xff_num_trusted_hops: 0
# x_forwarded_proto_redirect: false
# load_balancer:
# policy: round_robin
# circuit_breakers:
# max_connections: 2048
# retry_policy:
# retry_on: "5xx"
# cors:
adminService:
create: true
type: ClusterIP
port: 8877
# NodePort used if type is NodePort
# nodePort: 38877
annotations:
{}
rbac:
# Specifies whether RBAC resources should be created
create: true
# List of Pod Security Policies to use on the container.
# If security.podSecurityPolicy is set, it will be appended to the list
podSecurityPolicies: []
# Name of the RBAC resources defaults to the name of the release.
# Set nameOverride when installing Ambassador with cluster-wide scope in
# different namespaces with the same release name to avoid conflicts.
nameOverride:
scope:
# tells Ambassador to only use resources in the namespace or namespace set by namespace.name
singleNamespace: false
serviceAccount:
# Specifies whether a service account should be created
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name:
deploymentStrategy:
type: RollingUpdate
restartPolicy:
initContainers: []
sidecarContainers: []
livenessProbe:
initialDelaySeconds: 30
periodSeconds: 3
failureThreshold: 3
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 3
failureThreshold: 3
volumes: []
volumeMounts: []
podLabels:
{}
podAnnotations:
{}
# prometheus.io/scrape: "true"
# prometheus.io/port: "9102"
deploymentLabels:
{}
deploymentAnnotations:
{}
# configmap.reloader.stakater.com/auto: "true"
resources:
# Recommended resource requests and limits for Ambassador
limits:
cpu: 1000m
memory: 600Mi
requests:
cpu: 200m
memory: 300Mi
priorityClassName: ""
nodeSelector: {}
tolerations: []
affinity: {}
ambassadorConfig: ""
crds:
enabled: true
create: true
keep: true
# Prometheus Operator ServiceMonitor configuration
# See documentation: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#servicemonitor
metrics:
serviceMonitor:
enabled: false
# interval: 30s
# scrapeTimeout: 30s
# selector: {}
################################################################################
## Ambassador Edge Stack Configuration ##
################################################################################
# The Ambassador Edge Stack is free for limited use without a license key.
# Go to https://{ambassador-host}/edge_stack/admin/#dashboard to register
# for a community license key.
enableAES: true
# Set createSecret: false is installing multiple releases of The Ambassador
# Edge Stack in the same namespace.
licenseKey:
value:
createSecret: true
secretName:
# Annotations to attach to the license-key-secret.
annotations:
{}
# The DevPortal is exposed at /docs/ endpoint in the AES container.
# Setting this to true will automatically create routes for the DevPortal.
createDevPortalMappings: true
# The Ambassador Edge Stack uses a redis instance for managing authentication,
# rate limiting, and sharing minor configuration details between pods for
# centralized management. These values configure the redis instance that ships
# by default with The Ambassador Edge Stack.
#
# URL of your redis instance. Defaults to redis instance created below.
redisURL:
# Ambassador ships with a basic redis instance. Configure the deployment with the options below.
redis:
create: true
image:
repository: redis
tag: 5.0.1
pullPolicy: IfNotPresent
# Annotations for Ambassador Pro's redis instance.
annotations:
deployment:
{}
service:
{}
resources: {}
# If you want to specify resources, uncomment the following
# lines and remove the curly braces after 'resources:'.
# These are placeholder values and must be tuned.
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 128Mi
nodeSelector: {}
# Configures the AuthService that ships with the Ambassador Edge Stack.
# Setting authService.create: false will not install the AES AuthService and
# allow you to define your own.
#
# Typically when using the AES, you will want to keep this set to true and use
# the External Filter to communicate with a custom authentication service.
# https://www.getambassador.io/reference/filter-reference/#filter-type-external
authService:
create: true
# Set additional configuration options. See https://www.getambassador.io/reference/services/auth-service for more information
optional_configurations:
# include_body:
# max_bytes: 4096
# allow_partial: true
# status_on_error:
# code: 403
# failure_mode_allow: false
# retry_policy:
# retry_on: "5xx"
# num_retries: 2
# add_linkerd_headers: true
# timeout_ms: 30000
# Configures the RateLimitService in the Ambassador Edge Stack.
# Keep this enabled to configure RateLimits in AES.
rateLimit:
create: true
# Projects are a beta feature of Ambassador that allow developers to stage and
# deploy code with nothing more than a Github repository.
# See: https://www.getambassador.io/docs/latest/topics/using/projects/
registry:
create: false
# Configures Service Preview that ships with the Ambassador Edge Stack and edgectl.
# Setting servicePreview.enabled: true will install the Traffic Agent Service Account, Traffic Manager with RBAC, and ambassador-injector
servicePreview:
enabled: true
trafficManager:
image:
# Leave blank to use image.repository and image.tag
repository:
tag:
serviceAccountName: "traffic-manager"
trafficAgent:
image:
# Leave blank to use image.repository and image.tag
repository:
tag:
singleNamespace: true
serviceAccountName: "traffic-agent"
port: 9900
# Configure the ambassador-injector webhook for Service Preview Traffic Agent automatic sidecar injection.
injector:
enabled: true
# If no injector.crtPEM and injector.keyPEM are provided, a self-signed certificate will be issued
# for the Common Name (CN) of `<ambassador-injector>.<namespace>.svc`, which is the cluster-internal DNS name
# for the service.
crtPEM: ""
keyPEM: ""
securityContext:
runAsUser: 8888
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment