396 lines
17 KiB
YAML
396 lines
17 KiB
YAML
# Declare variables to be passed into your templates.
|
|
## @section Global
|
|
## @param nameOverride Individual release name suffix.
|
|
## @param fullnameOverride Override the complete release name logic.
|
|
nameOverride: ""
|
|
fullnameOverride: ""
|
|
|
|
## @section Configuration
|
|
config:
|
|
webConfig:
|
|
## @param config.webConfig.existingSecret.enabled Mount an existing secret containing the key `webConfig.yaml`.
|
|
## @param config.webConfig.existingSecret.secretName Name of the existing secret containing the key `webConfig.yaml`.
|
|
existingSecret:
|
|
enabled: false
|
|
secretName: ""
|
|
|
|
## @param config.webConfig.secret.annotations Additional annotations of the secret containing the `webConfig.yaml`.
|
|
## @param config.webConfig.secret.labels Additional labels of the secret containing the `webConfig.yaml`.
|
|
## @param config.webConfig.secret.webConfig Content of the `webConfig.yaml`.
|
|
## @skip config.webConfig.secret.webConfig Skip individual web configuration.
|
|
secret:
|
|
annotations: {}
|
|
labels: {}
|
|
webConfig: {}
|
|
# basic_auth_users:
|
|
# prom: <bcrypted password>
|
|
# http_server_config:
|
|
# http2: true
|
|
# tls_server_config:
|
|
# cert_file: /path/to/cert.pem
|
|
# client_allowed_sans:
|
|
# - fail2ban.example.local
|
|
# client_ca_file: /path/to/ca.pem
|
|
# key_file: /path/to/key.pem
|
|
# max_version: TLS13
|
|
# min_version: TLS12
|
|
|
|
## @section Daemonset
|
|
daemonSet:
|
|
## @param daemonSet.annotations Additional deployment annotations.
|
|
## @param daemonSet.labels Additional deployment labels.
|
|
annotations: {}
|
|
labels: {}
|
|
|
|
## @param daemonSet.additionalContainers List of additional containers.
|
|
additionalContainers: []
|
|
# - command: [ "sh", "-c", "echo hello world" ]
|
|
# image: "docker.io/library/busybox:latest"
|
|
# name: side-car
|
|
|
|
## @param daemonSet.affinity Affinity for the fail2ban-exporter daemonSet.
|
|
affinity: {}
|
|
# nodeAffinity:
|
|
# requiredDuringSchedulingIgnoredDuringExecution:
|
|
# nodeSelectorTerms:
|
|
# - matchExpressions:
|
|
# - key: kubernetes.io/os
|
|
# operator: In
|
|
# values:
|
|
# - linux
|
|
# preferredDuringSchedulingIgnoredDuringExecution:
|
|
# - weight: 20
|
|
# preference:
|
|
# matchExpressions:
|
|
# - key: kubernetes.io/arch
|
|
# operator: In
|
|
# values:
|
|
# - amd64
|
|
|
|
## @param daemonSet.initContainers List of additional init containers.
|
|
initContainers: []
|
|
# - command: [ "sh", "-c", "echo hello world" ]
|
|
# image: "docker.io/library/busybox:latest"
|
|
# name: init
|
|
|
|
## @param daemonSet.dnsConfig dnsConfig of the fail2ban-exporter daemonSet.
|
|
dnsConfig: {}
|
|
# nameservers:
|
|
# - 192.0.2.1 # this is an example
|
|
# searches:
|
|
# - ns1.svc.cluster-domain.example
|
|
# - my.dns.search.suffix
|
|
# options:
|
|
# - name: ndots
|
|
# value: "2"
|
|
# - name: edns0
|
|
|
|
## @param daemonSet.dnsPolicy dnsPolicy of the fail2ban-exporter daemonSet.
|
|
dnsPolicy: ""
|
|
|
|
## @param daemonSet.hostname Individual hostname of the pod.
|
|
## @param daemonSet.subdomain Individual domain of the pod.
|
|
hostname: ""
|
|
subdomain: ""
|
|
|
|
## @param daemonSet.hostNetwork Use the kernel network namespace of the host system.
|
|
hostNetwork: false
|
|
|
|
## @param daemonSet.imagePullSecrets Secret to use for pulling the image.
|
|
imagePullSecrets: []
|
|
# - name: "my-custom-secret"
|
|
|
|
fail2banExporter:
|
|
## @param daemonSet.fail2banExporter.args Arguments passed to the fail2ban-exporter container.
|
|
args: []
|
|
|
|
## @param daemonSet.fail2banExporter.env List of environment variables for the fail2ban-exporter container.
|
|
env: []
|
|
# - name: SPECIAL_ENV_A
|
|
# value: special-key
|
|
# - name: SPECIAL_ENV
|
|
# valueFrom:
|
|
# configMapKeyRef:
|
|
# name: special-config
|
|
# key: special-key
|
|
# - name: SPECIAL_ENV
|
|
# valueFrom:
|
|
# secretKeyRef:
|
|
# name: special-secret
|
|
# key: special-key
|
|
|
|
## @param daemonSet.fail2banExporter.envFrom List of environment variables mounted from configMaps or secrets for the fail2ban-exporter container.
|
|
envFrom: []
|
|
# - configMapRef:
|
|
# name: special-config
|
|
# - secretRef:
|
|
# name: special-secret
|
|
|
|
## @param daemonSet.fail2banExporter.image.registry Image registry, eg. `docker.io`.
|
|
## @param daemonSet.fail2banExporter.image.repository Image repository, eg. `library/busybox`.
|
|
## @param daemonSet.fail2banExporter.image.tag Custom image tag, eg. `0.1.0`. Defaults to `appVersion`.
|
|
## @param daemonSet.fail2banExporter.image.pullPolicy Image pull policy.
|
|
image:
|
|
registry: git.cryptic.systems
|
|
repository: volker.raschek/prometheus-fail2ban-exporter
|
|
tag: ""
|
|
pullPolicy: IfNotPresent
|
|
|
|
## @param daemonSet.fail2banExporter.resources CPU and memory resources of the pod.
|
|
resources: {}
|
|
# limits:
|
|
# cpu:
|
|
# ephemeral-storage:
|
|
# memory:
|
|
# requests:
|
|
# cpu:
|
|
# ephemeral-storage:
|
|
# memory:
|
|
|
|
## @param daemonSet.fail2banExporter.securityContext Security context of the container of the daemonSet.
|
|
securityContext: {}
|
|
# capabilities:
|
|
# add:
|
|
# - NET_RAW
|
|
# drop:
|
|
# - ALL
|
|
# privileged: false
|
|
# readOnlyRootFilesystem: true
|
|
# runAsNonRoot: true
|
|
# runAsUser: 1000
|
|
|
|
## @param daemonSet.fail2banExporter.volumeMounts Additional volume mounts.
|
|
## @skip daemonSet.fail2banExporter.volumeMounts Skip individual volume mounts configuration.
|
|
volumeMounts:
|
|
- name: socket
|
|
mountPath: /var/run/fail2ban
|
|
|
|
## @param daemonSet.nodeSelector NodeSelector of the fail2ban-exporter daemonSet.
|
|
nodeSelector: {}
|
|
|
|
## @param daemonSet.priorityClassName PriorityClassName of the fail2ban-exporter daemonSet.
|
|
priorityClassName: ""
|
|
|
|
## @param daemonSet.restartPolicy Restart policy of the fail2ban-exporter daemonSet.
|
|
restartPolicy: ""
|
|
|
|
## @param daemonSet.securityContext Security context of the fail2ban-exporter daemonSet.
|
|
securityContext: {}
|
|
# fsGroup: 2000
|
|
|
|
## @param daemonSet.updateStrategy.rollingUpdate.maxSurge The maximum number of pods that can be scheduled above the desired number of pods during a rolling update.
|
|
## @param daemonSet.updateStrategy.rollingUpdate.maxUnavailable The maximum number of pods that can be unavailable during a rolling update.
|
|
## @param daemonSet.updateStrategy.type Strategy type - `OnDelete` or `RollingUpdate`.
|
|
updateStrategy:
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
type: "RollingUpdate"
|
|
|
|
## @param daemonSet.terminationGracePeriodSeconds How long to wait until forcefully kill the pod.
|
|
terminationGracePeriodSeconds: 60
|
|
|
|
## @param daemonSet.tolerations Tolerations of the fail2ban-exporter daemonSet.
|
|
tolerations: []
|
|
# - key: database/type
|
|
# operator: Equal
|
|
# value: fail2ban
|
|
# effect: NoSchedule
|
|
|
|
## @param daemonSet.topologySpreadConstraints TopologySpreadConstraints of the fail2ban-exporter daemonSet.
|
|
topologySpreadConstraints: []
|
|
# - topologyKey: kubernetes.io/hostname
|
|
# whenUnsatisfiable: DoNotSchedule
|
|
# labelSelector:
|
|
# matchLabels:
|
|
# app.kubernetes.io/instance: prometheus-fail2ban-exporter
|
|
|
|
## @param daemonSet.volumes Additional volumes to mount into the pods of the prometheus-exporter daemonset.
|
|
## @skip daemonSet.volumes Skip individual volumes configuration.
|
|
volumes:
|
|
- name: socket
|
|
hostPath:
|
|
path: /var/run/fail2ban
|
|
type: Directory
|
|
# - name: my-configmap-volume
|
|
# config:
|
|
# name: my-configmap
|
|
# - name: my-secret-volume
|
|
# secret:
|
|
# secretName: my-secret
|
|
|
|
## @section Grafana
|
|
## @param grafana.enabled Enable integration into Grafana. Require the Prometheus operator daemonSet.
|
|
grafana:
|
|
enabled: false
|
|
|
|
## @param grafana.dashboardDiscoveryLabels Labels that Grafana uses to discover resources. The labels may vary depending on the Grafana daemonSet.
|
|
## @skip grafana.dashboardDiscoveryLabels Skip individual configuration.
|
|
dashboardDiscoveryLabels:
|
|
grafana_dashboard: "1"
|
|
|
|
dashboards:
|
|
## @param grafana.dashboards.fail2banExporter.enabled Enable deployment of Grafana dashboard `fail2banExporter`.
|
|
## @param grafana.dashboards.fail2banExporter.annotations Additional configmap annotations.
|
|
## @param grafana.dashboards.fail2banExporter.labels Additional configmap labels.
|
|
fail2banExporter:
|
|
enabled: true
|
|
annotations: {}
|
|
labels: {}
|
|
|
|
## @section Ingress
|
|
ingress:
|
|
## @param ingress.enabled Enable creation of an ingress resource. Requires, that the http service is also enabled.
|
|
## @param ingress.className Ingress class.
|
|
## @param ingress.annotations Additional ingress annotations.
|
|
## @param ingress.labels Additional ingress labels.
|
|
enabled: false
|
|
className: "nginx"
|
|
annotations: {}
|
|
labels: {}
|
|
|
|
## @param ingress.hosts Ingress specific configuration. Specification only required when another ingress controller is used instead of `t1k.
|
|
## @skip ingress.hosts Skip individual host configuration.
|
|
hosts: []
|
|
# - host: fail2ban-exporter.example.local
|
|
# paths:
|
|
# - path: /
|
|
# pathType: Prefix
|
|
|
|
## @param ingress.tls Ingress TLS settings. Specification only required when another ingress controller is used instead of `t1k``.
|
|
## @skip ingress.tls Skip individual TLS configuration.
|
|
tls: []
|
|
# - secretName: fail2ban-exporter-http-tls
|
|
# hosts:
|
|
# - fail2ban-exporter.example.local
|
|
|
|
## @section Pod disruption
|
|
## @param podDisruptionBudget Pod disruption budget.
|
|
podDisruptionBudget: {}
|
|
# maxUnavailable: 1
|
|
# minAvailable: 1
|
|
|
|
## @section Network
|
|
## @param networkPolicies Deploy network policies based on the used container network interface (CNI) implementation - like calico or weave.
|
|
networkPolicies: {}
|
|
|
|
## @section Prometheus
|
|
prometheus:
|
|
## @param prometheus.metrics.enabled Enable of scraping metrics by Prometheus.
|
|
metrics:
|
|
enabled: true
|
|
|
|
## @param prometheus.metrics.podMonitor.enabled Enable creation of a podMonitor. Excludes the existence of a serviceMonitor resource.
|
|
## @param prometheus.metrics.podMonitor.annotations Additional podMonitor annotations.
|
|
## @param prometheus.metrics.podMonitor.enableHttp2 Enable HTTP2.
|
|
## @param prometheus.metrics.podMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
|
|
## @param prometheus.metrics.podMonitor.honorLabels Honor labels.
|
|
## @param prometheus.metrics.podMonitor.labels Additional podMonitor labels.
|
|
## @param prometheus.metrics.podMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
|
|
## @param prometheus.metrics.podMonitor.path HTTP path for scraping Prometheus metrics.
|
|
## @param prometheus.metrics.podMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
|
|
## @param prometheus.metrics.podMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
|
|
## @param prometheus.metrics.podMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
|
|
## @param prometheus.metrics.podMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
|
|
## @skip prometheus.metrics.podMonitor.tlsConfig Skip individual TLS configuration.
|
|
podMonitor:
|
|
enabled: false
|
|
annotations: {}
|
|
enableHttp2: true
|
|
followRedirects: false
|
|
honorLabels: false
|
|
labels: {}
|
|
interval: "60s"
|
|
path: "/metrics"
|
|
relabelings: []
|
|
scrapeTimeout: "30s"
|
|
scheme: "http"
|
|
tlsConfig: {}
|
|
|
|
## @param prometheus.metrics.serviceMonitor.enabled Enable creation of a serviceMonitor. Excludes the existence of a podMonitor resource.
|
|
## @param prometheus.metrics.serviceMonitor.annotations Additional serviceMonitor annotations.
|
|
## @param prometheus.metrics.serviceMonitor.labels Additional serviceMonitor labels.
|
|
## @param prometheus.metrics.serviceMonitor.enableHttp2 Enable HTTP2.
|
|
## @param prometheus.metrics.serviceMonitor.followRedirects FollowRedirects configures whether scrape requests follow HTTP 3xx redirects.
|
|
## @param prometheus.metrics.serviceMonitor.honorLabels Honor labels.
|
|
## @param prometheus.metrics.serviceMonitor.interval Interval at which metrics should be scraped. If not specified Prometheus' global scrape interval is used.
|
|
## @param prometheus.metrics.serviceMonitor.path HTTP path for scraping Prometheus metrics.
|
|
## @param prometheus.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds relabelings for a few standard Kubernetes fields.
|
|
## @param prometheus.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended. If not specified, global Prometheus scrape timeout is used.
|
|
## @param prometheus.metrics.serviceMonitor.scheme HTTP scheme to use for scraping. For example `http` or `https`.
|
|
## @param prometheus.metrics.serviceMonitor.tlsConfig TLS configuration to use when scraping the metric endpoint by Prometheus.
|
|
## @skip prometheus.metrics.serviceMonitor.tlsConfig Skip individual TLS configuration.
|
|
serviceMonitor:
|
|
enabled: false
|
|
annotations: {}
|
|
labels: {}
|
|
enableHttp2: true
|
|
followRedirects: false
|
|
honorLabels: false
|
|
interval: "60s"
|
|
path: "/metrics"
|
|
relabelings: []
|
|
scrapeTimeout: "30s"
|
|
scheme: "http"
|
|
tlsConfig: {}
|
|
|
|
## @param prometheus.rules Array of Prometheus rules for monitoring the application and triggering alerts.
|
|
## @skip prometheus.rules Skip individual Prometheus rules.
|
|
rules: []
|
|
|
|
## @section Service
|
|
## @param services.http.enabled Enable the service.
|
|
## @param services.http.annotations Additional service annotations.
|
|
## @param services.http.externalIPs External IPs for the service.
|
|
## @param services.http.externalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster external traffic. Furthermore, this enables source IP preservation.
|
|
## @param services.http.internalTrafficPolicy If `service.type` is `NodePort` or `LoadBalancer`, set this to `Local` to tell kube-proxy to only use node local endpoints for cluster internal traffic.
|
|
## @param services.http.ipFamilies IPFamilies is list of IP families (e.g. `IPv4`, `IPv6`) assigned to this service. This field is usually assigned automatically based on cluster configuration and only required for customization.
|
|
## @param services.http.labels Additional service labels.
|
|
## @param services.http.loadBalancerClass LoadBalancerClass is the class of the load balancer implementation this Service belongs to. Requires service from type `LoadBalancer`.
|
|
## @param services.http.loadBalancerIP LoadBalancer will get created with the IP specified in this field. Requires service from type `LoadBalancer`.
|
|
## @param services.http.loadBalancerSourceRanges Source range filter for LoadBalancer. Requires service from type `LoadBalancer`.
|
|
## @param services.http.port Port to forward the traffic to.
|
|
## @param services.http.sessionAffinity Supports `ClientIP` and `None`. Enable client IP based session affinity via `ClientIP`.
|
|
## @param services.http.sessionAffinityConfig Contains the configuration of the session affinity.
|
|
## @param services.http.type Kubernetes service type for the traffic.
|
|
services:
|
|
http:
|
|
enabled: true
|
|
annotations: {}
|
|
externalIPs: []
|
|
externalTrafficPolicy: "Cluster"
|
|
internalTrafficPolicy: "Cluster"
|
|
ipFamilies: []
|
|
labels: {}
|
|
loadBalancerClass: ""
|
|
loadBalancerIP: ""
|
|
loadBalancerSourceRanges: []
|
|
port: 9191
|
|
sessionAffinity: "None"
|
|
sessionAffinityConfig: {}
|
|
type: "ClusterIP"
|
|
|
|
## @section ServiceAccount
|
|
serviceAccount:
|
|
## @param serviceAccount.existing.enabled Use an existing service account instead of creating a new one. Assumes that the user has all the necessary kubernetes API authorizations.
|
|
## @param serviceAccount.existing.serviceAccountName Name of the existing service account.
|
|
existing:
|
|
enabled: false
|
|
serviceAccountName: ""
|
|
|
|
## @param serviceAccount.new.annotations Additional service account annotations.
|
|
## @param serviceAccount.new.labels Additional service account labels.
|
|
## @param serviceAccount.new.automountServiceAccountToken Enable/disable auto mounting of the service account token.
|
|
## @param serviceAccount.new.imagePullSecrets ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this serviceAccount.
|
|
## @param serviceAccount.new.secrets Secrets is the list of secrets allowed to be used by pods running using this ServiceAccount.
|
|
new:
|
|
annotations: {}
|
|
labels: {}
|
|
automountServiceAccountToken: true
|
|
imagePullSecrets: []
|
|
# - name: "my-image-pull-secret"
|
|
secrets: []
|
|
# - name: "my-secret"
|
|
# namespace: "my-namespace"
|
|
# fieldPath: "my-field"
|