deployment-scripts/helm-charts/deepfence-console/values.yaml

# Default values for deepfence-console.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

nameOverride: ""
fullnameOverride: ""

# priorityClassName for pods
priorityClassName: ""

# Add labels to all the deployed resources
commonLabels: {}

global:
  imageRepoPrefix: "quay.io"
  # imageRepoPrefix: "docker.io"
  # this image tag is used everywhere for console services
  # to override set tag at service level
  imageTag: 2.5.1
  storageClass: ""
  # used in service name generation
  # <service>.<namespace>.svc.<cluster_domain>
  cluster_domain: "cluster.local"

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/deepfence-ecr-role"
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

imagePullSecret:
  # Specifies whether a image pull secret should be created
  create: false
  registry: "quay.io"
  # registry: "https://index.docker.io/v1/"
  username: ""
  password: ""
  # The name of the imagePullSecret to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

proxy:
  # Configure proxy server
  enabled: false
  # Example: http://my.internal.server:port
  http_proxy: ""
  https_proxy: ""
  # Domains or ip addresses to add in no_proxy env variable, comma-separated string
  additional_no_proxy: ""

kafka:
  # Specifies whether a kafka cluster should be created
  create: true
  # if create false provide name of the existing secret
  # secret format refer templates/console-secrets/kafka.yaml
  secretName: ""
  # if create true then below values are used to create kafka cluster
  replicaCount: 1 # recommended 3 for high availability kafka
  image:
    repository: deepfenceio/deepfence_kafka_broker_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  config:
    # required, recommended to generate new UUID using kafka-storage tool
    STORAGE_UUID: hNQ55qppT5GGybF52ZGlOQ
  storageClass: ""
  volumeSize: 50G
  resources:
    limits:
      cpu: 4000m
      memory: 8192Mi
    requests:
      cpu: 500m
      memory: 1024Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

postgres:
  # Specifies whether a postgres database instance should be created
  create: true
  # if create false provide name of the existing secret
  # secret format refer templates/deepfence-console-secrets/postgres.yaml
  secretName: ""
  # if create true then below values are used to create postgres database instance
  secrets:
    # set the below to change the default credentials
    # POSTGRES_PASSWORD: ""
    # POSTGRES_USER: ""
  config:
    POSTGRES_DB: users
  image:
    repository: deepfenceio/deepfence_postgres_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  storageClass: ""
  volumeSize: 50G
  resources:
    limits:
      cpu: 2000m
      memory: 2048Mi
    requests:
      cpu: 200m
      memory: 512Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

redis:
  # Specifies whether a postgres database instance should be created
  create: true
  # if create false provide name of the existing secret
  # secret format refer templates/console-secrets/redis.yaml
  secretName: ""
  # if create true then below values are used to create postgres database instance
  image:
    repository: deepfenceio/deepfence_redis_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  storageClass: ""
  volumeSize: 30G
  resources:
    limits:
      cpu: 3000m
      memory: 6144Mi
    requests:
      cpu: 100m
      memory: 128Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

fileserver:
  # Specifies whether a file server instance should be created
  # set this to false if using S3
  create: true
  # if create false provide name of the existing secret.
  # Secret format refer templates/deepfence-console-secrets/s3.yaml or templates/deepfence-console-secrets/fileserver.yaml
  secretName: ""

  # Set this if external file server is used and create=false
  fileServerHost: ""
  fileServerPort: ""

  # if create true then below values are used to create postgres database instance
  # set the below to change the default credentials
  # secrets:
  #   FILE_SERVER_ROOT_USER: ""
  #   FILE_SERVER_ROOT_PASSWORD: ""
  image:
    repository: deepfenceio/deepfence_file_server_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  storageClass: ""
  volumeSize: 100G
  resources:
    limits:
      cpu: 2000m
      memory: 4096Mi
    requests:
      cpu: 100m
      memory: 128Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

# these values are used if fileserver.create=false
aws_s3_buckets:
  # Specifies whether secret should be created
  create: false
  # if create false provide name of the existing secret.
  # Secret format refer templates/deepfence-console-secrets/s3.yaml
  secretName: ""
  # public bucket with read permisons on objects for hosting vulnerability database
  # S3 bucket permissions {"Version":"2012-10-17","Statement":[{"Sid":"database","Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":["arn:aws:s3:::<bucket-name>/database/*","arn:aws:s3:::<bucket-name>/database"]}]}
  vulnerability_db_bucket: ""
  # private bucket to host reports, sbom, etc.
  data_bucket: ""
  # aws credentials to access buckets
  access_key_id: ""
  secret_access_key: ""
  # region where the buckets are hosted ex: ap-south-1
  region: ""

neo4j:
  # Specifies whether a neo4j database instance should be created
  create: true
  ## use below setting to put Neo4j in maintainance mode
  ## disables health checks & stops neo4j
  offlineMaintenanceModeEnabled: false
  # if create false provide name of the existing secret
  # secret format refer templates/console-secrets/neo4j.yaml
  secretName: ""
  # if create true then below values are used to create neo4j database instance
  secrets:
    # set the below to change the default credentials
    # format should be username/password
    # NEO4J_AUTH: ""
    # To enable periodic backup of neo4j database to S3, please set the values below
    # AWS_ACCESS_KEY: ""
    # AWS_SECRET_KEY: ""
    # DF_REMOTE_BACKUP_ROOT: "" # S3 bucket name
  config:
    NEO4J_server_memory_pagecache_size: 2600m
    NEO4J_db_tx__log_rotation_retention__policy: "3 files"
    NEO4J_PLUGINS: '["apoc"]'
  image:
    repository: deepfenceio/deepfence_neo4j_ce
    pullPolicy: Always
    # tag: 2.5.1
  storageClass: ""
  volumeSize: 100G
  resources:
    limits:
      cpu: 4000m
      memory: 16Gi
    requests:
      cpu: 1000m
      memory: 2048Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

# DO NOT USE
# Use deepfence-router helm chart to configure the service and ingress
# ingress for console
ingress:
  enabled: false
  ## name of the ingress class for ingress provider installed on the cluster, cannot be empty
  ## Example: nginx
  class: nginx
  ## host example: threat.example.com
  host: ""
  ## annotations to customize ingress
  annotations:
    ## nginx ingress annotations
    ## https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 200m

    ## aws alb annotations
    ## aws load balancer controller needs to be installed on the cluster for these annotations to work
    ## documentation aws load balancer controller https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/
    # alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    # alb.ingress.kubernetes.io/backend-protocol: HTTPS
    ## arn of the certificate available on aws certificate manager
    # alb.ingress.kubernetes.io/certificate-arn: ""
    # alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
    # alb.ingress.kubernetes.io/scheme: internet-facing
    # alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true,stickiness.lb_cookie.duration_seconds=3600
    # alb.ingress.kubernetes.io/target-type: ip

    ## add an annotation indicating the issuer to use by cert-manager.
    # cert-manager.io/cluster-issuer: nameOfClusterIssuer
  
  tls: []
  #  - secretName: threat-mapper-tls
  #    hosts:
  #      - threat.example.com

router:
  replicaCount: 1
  image:
    repository: deepfenceio/deepfence_router_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  forceHttpsRedirect: true
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  service:
    ## useful if deepfence-router chart is not installed
    create: false
    # useful for configuring loadbalancer options on supported clouds
    annotations: {}
    ## service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
    type: ClusterIP # set service type to cluster ip and enable ingress if available
    httpsPort: 443
    httpPort: 80
  resources:
    limits:
      cpu: 3000m
      memory: 4096Mi
    requests:
      cpu: 100m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}
  # Use custom ssl certificate for Deepfence UI
  # custom certificates can be configured using two options
  # existing secret or base64 encoded cert and key string
  # provide one off the two options to configure custom certificates
  tls:
    # provide secret name which contains tls cert and key
    # reference: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
    # make sure to create secret in the same namespace as that of the console
    secretName: ""
    # embed given cert and key as secret and mount to router pod
    # provide certificate and key in below example format
    # cert: |-
    #   -----BEGIN CERTIFICATE-----
    #   MIIFCTCCAvGgAwIBAgIUNshy8GFTjfUR7inZ1JCcN+tDuh4wDQYJKoZIhvcNAQEL
    #   .....
    #   BMepE4d9+TQFcPQ/OKSlP8FB2nPKZJdM+JlXDFWqeKvbdYS4QErRLd33qUmq
    #   -----END CERTIFICATE-----
    # key: |-
    #   -----BEGIN PRIVATE KEY-----
    #   MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDECeUraonCz/89
    #   .....
    #   bHEvWp7ugCTFhurM+lla0d+ElDO2
    #   -----END PRIVATE KEY-----
    cert: ""
    key: ""

server:
  replicaCount: 1
  image:
    repository: deepfenceio/deepfence_server_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  service:
    type: ClusterIP
    port: 8080
    internalPort: 8081
  resources:
    limits:
      cpu: 3000m
      memory: 4096Mi
    requests:
      cpu: 250m
      memory: 256Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

worker:
  replicaCount: 1
  image:
    repository: deepfenceio/deepfence_worker_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  service:
    type: ClusterIP
    port: 8080
  resources:
    limits:
      cpu: 2000m
      memory: 8Gi
    requests:
      cpu: 500m
      memory: 1Gi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}
  ephemeralVolume:
    # Create ephemeral volume and mount it at /tmp
    create: false
    # Storage class
    # AWS: gp3, GCP: standard
    storageClass: ""
    volumeSize: 200G

ingester:
  replicaCount: 1
  image:
    repository: deepfenceio/deepfence_worker_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  service:
    type: ClusterIP
    port: 8080
  resources:
    limits:
      cpu: 2000m
      memory: 4096Mi
    requests:
      cpu: 100m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

scheduler:
  image:
    repository: deepfenceio/deepfence_worker_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  service:
    type: ClusterIP
    port: 8080
  resources:
    limits:
      cpu: 1000m
      memory: 1024Mi
    requests:
      cpu: 100m
      memory: 128Mi
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

ui:
  replicaCount: 1
  image:
    repository: deepfenceio/deepfence_ui_ce
    pullPolicy: Always
    # Overrides the image tag whose default is .global.imageTag
    # tag: 2.5.1
  service:
    type: ClusterIP
    port: 8081
  resources:
    limits:
      cpu: 1000m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 3
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
  podAnnotations: {}
  podSecurityContext: {}
  securityContext: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}
  podLabels: {}

console_agents:
  enabled: true
  cluster_name: "tm-console"
  enableGraphReport: true
  userDefinedTags: ""
  instanceIdSuffix: "N"
  mountContainerRuntimeSocket:
    dockerSock: false
    # Change if socket path is not the following
    dockerSockPath: "/var/run/docker.sock"
    containerdSock: true
    # Change if socket path is not the following
    containerdSockPath: "/run/containerd/containerd.sock"
    crioSock: false
    # Change if socket path is not the following
    crioSockPath: "/var/run/crio/crio.sock"
    podmanSock: false
    # Change if socket path is not the following
    podmanSockPath: "/run/podman/podman.sock"
  agent:
    image:
      repository: deepfenceio/deepfence_agent_ce
      pullPolicy: Always
      # Overrides the image tag whose default is .global.imageTag
      # tag: 2.5.1
    resources:
      requests:
        cpu: 150m
        memory: 512Mi
      limits:
        cpu: 1500m
        memory: 2048Mi
    podAnnotations: {}
    podSecurityContext: {}
    securityContext: {}
    nodeSelector: { "kubernetes.io/os": "linux" }
    tolerations:
      - operator: "Exists"
        effect: "NoSchedule"
      - operator: "Exists"
        effect: "NoExecute"
    affinity: {}
    podLabels: {}
  cluster_agent:
    image:
      repository: deepfenceio/deepfence_cluster_agent_ce
      pullPolicy: Always
      # Overrides the image tag whose default is .global.imageTag
      # tag: 2.5.1
    resources:
      requests:
        cpu: 25m
        memory: 80Mi
      limits:
        cpu: 1500m
        memory: 1536Mi
    podAnnotations: {}
    podSecurityContext: {}
    securityContext: {}
    nodeSelector: { "kubernetes.io/os": "linux" }
    tolerations:
      - operator: "Exists"
        effect: "NoSchedule"
      - operator: "Exists"
        effect: "NoExecute"
    affinity: {}
    podLabels: {}