controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator

tag: v0.1.16 # x-release-please-version

resources:

limits:

cpu: 500m

memory: 512Mi

requests:

cpu: 10m

memory: 64Mi

sinkWebhookTimeout: 30s

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

# Optional environment variable configuration

env: []

# - name: HTTP_PROXY

# value: http://192.168.1.100:8080

# - name: HTTPS_PROXY

# value: http://192.168.1.100:8080

# - name: NO_PROXY

# value: foo.bar.com,127.0.0.1

# Optional proxy configuration. If enabled, the secret containing your proxy CA certificate

# will be mounted in the manager container and configured via an init container.

proxy:

enabled: false

# The image used by the init container. Must include the update-ca-certificates command.

image: quay.io/validator-labs/validator-certs-init:1.0.0

# The name of a secret containing a proxy CA certificate.

secretName: proxy-cert

# If false (using an existing secret), the key whose value is the CA certificate must end with '.crt'.

createSecret: false

# Raw CA certificate, required if createSecret is true

caCert: |

-----BEGIN CERTIFICATE-----

<your certificate content here>

-----END CERTIFICATE-----

# Optional sink configuration

sink: {}

# type: alertmanager

# secretName: alertmanager-sink-secret

# endpoint: "https://alertmanager.alertmanager.svc.cluster.local:9093"

# insecureSkipVerify: "false"

# caCert: "" # (TLS CA certificate, optional)

# username: "" # (HTTP basic auth, optional)

# password: "" # (HTTP basic auth, optional)

# OR

# type: slack

# secretName: slack-sink-secret

# apiToken: ""

# channelId: ""

# By default, a secret will be created. Leave the above fields blank and specify 'createSecret: false' to use an existing secret.

# WARNING: the existing secret must match the format used in sink-secret.yaml

# createSecret: true

cleanup:

image: gcr.io/spectro-images-public/release/spectro-cleanup:1.2.0

grpcServerEnabled: true

hostname: validator-cleanup-service

port: 3006

pluginSecrets:

# If installing the AWS plugin, the below config is required unless one of the following applies:

# - The target cluster already contains a secret with the correct format and you've specified its name below.

# If specifying your own secret, refer to chart/validator/templates/plugin-secret-aws.yaml for

# an example of the expected format and ensure that it exists in the same namespace as the Helm release.

# - You're deploying to a K8s cluster in AWS and relying on an node instance IAM role

# - You're deploying to a K8s cluster in AWS and relying on IMDSv2, plus you've specified auth.serviceAccountName

#

aws: {} # Don't forget to delete these curly braces if you're specifying credentials here!

# secretName: aws-creds # ensure this matches the AWS plugin values below

#

# Any valid combination of AWS credential environment variables, per the options defined in:

# https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#environment-variables.

# env:

# AWS_ACCESS_KEY_ID: ""

# AWS_SECRET_ACCESS_KEY: ""

# AWS_SESSION_TOKEN: ""

# If installing the Azure plugin, the below config is required unless one of the following applies:

# - The target cluster already contains a secret with the correct format and you've specified its name below.

# If specifying your own secret, refer to chart/validator/templates/plugin-secret-azure.yaml for

# an example of the expected format and ensure that it exists in the same namespace as the Helm release.

# - You're deploying to a K8s cluster in AKS and relying on WorkloadIdentityCredentials, plus you've specified auth.serviceAccountName

#

azure: {} # Don't forget to delete these curly braces if you're specifying credentials here!

# secretName: azure-creds # ensure this matches the Azure plugin values below

#

# Any valid combination of Azure credential environment variables, per the options defined in:

# https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.

# env:

# AZURE_CLIENT_ID: ""

# AZURE_TENANT_ID: ""

# AZURE_CLIENT_SECRET: ""

# AZURE_CLIENT_CERTIFICATE_PATH: ""

# AZURE_CLIENT_CERTIFICATE_PASSWORD: ""

# AZURE_USERNAME: ""

# AZURE_PASSWORD: ""

# If installing the MAAS plugin, the below config is required unless the following applies:

# - The target cluster already contains a secret with the correct format and you've specified its name below.

# If specifying your own secret, refer to chart/validator/templates/plugin-secret-maas.yaml for

# an example of the expected format and ensure that it exists in the same namespace as the Helm release.

#

maas: {} # Don't forget to delete these curly braces if you're specifying credentials here!

# secretName: maas-creds # ensure this matches the MAAS plugin values below

# apiToken: ""

# tokenKey: MAAS_API_KEY

network:

# If installing the Network plugin, auth config is required unless the following applies:

# - The target cluster already contains secret(s) with the correct format for all HTTPFile rules whose

# hosts require HTTP basic authentication.

# If specifying your own secret(s), refer to chart/validator/templates/plugin-secret-network-auth.yaml for

# an example of the expected format and ensure they exist in the same namespace as the Helm release.

#

auth: [] # Don't forget to delete these square brackets if you're specifying credentials here!

# Basic auth example:

# - secretName: http-host-1 # ensure this matches authSecretRef.name in the HTTPFile rule

# username: username

# password: pa$$w0rd

oci:

# If installing the OCI plugin and validating against private registries, the below config is required unless the following applies:

# - The target cluster already contains secret(s) with the correct format for all private registries.

# If specifying your own secret(s), refer to chart/validator/templates/plugin-secret-oci-auth.yaml for

# an example of the expected format and ensure that they exist in the same namespace as the Helm release.

#

auth: [] # Don't forget to delete these square brackets if you're specifying credentials here!

# Basic auth example:

# - secretName: registry-creds # ensure this matches auth.secretName in the OciRegistryRule

# env:

# username: username

# password: pa$$w0rd

#

# ECR example:

# - secretName: ecr-registry-creds # ensure this matches the credentials secretName in the OciRegistryRule

# env:

# AWS_ACCESS_KEY_ID: ""

# AWS_SECRET_ACCESS_KEY: ""

# AWS_SESSION_TOKEN: ""

# If installing the OCI plugin and enabling signature verification of artifacts, the below config is required unless the following applies:

# - The target cluster already contains secret(s) with the correct format for all public keys used for signing artifacts.

# If specifying your own secret, refer to chart/validator/templates/plugin-secret-oci-pubkey.yaml for

# an example of the expected format and ensure that it exists in the same namespace as the Helm release.

#

pubKeys: [] # Don't forget to delete these square brackets if you're specifying public keys here!

# - secretName: cosign-public-keys # ensure this matches signatureVerification.secretName in the OciRegistryRule

# key1.pub: | # multiple public keys can be added to your secret, ensure each key name ends in .pub

# -----BEGIN PUBLIC KEY-----

# <your public key here>

# -----END PUBLIC KEY-----

# If installing the vSphere plugin, the below config is required unless the following applies:

# - The target cluster already contains a secret with the correct format and you've specified its name below.

# If specifying your own secret, refer to chart/validator/templates/plugin-secret-vsphere.yaml for

# an example of the expected format and ensure that it exists in the same namespace as the Helm release.

#

vSphere: {} # Don't forget to delete these curly braces if you're specifying credentials here!

# secretName: vsphere-creds # ensure this matches the vSphere plugin values below

# username: ""

# password: ""

# vcenterServer: ""

# insecureSkipVerify: ""

helmConfig:

registry: "https://validator-labs.github.io"

# Validation plugin charts

plugins:

- chart:

name: validator-plugin-azure

repository: validator-plugin-azure

version: v0.0.26

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-azure

tag: v0.0.26

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

# Optionally specify a volumeMount to mount a volume containing a private key

# to leverage Azure Service principal with certificate authentication.

volumeMounts: []

replicas: 1

serviceAccount:

annotations: {}

# Optionally specify a volume containing a private key to leverage Azure Service

# principal with certificate authentication.

volumes: []

# Optionally specify additional labels to use for the controller-manager Pods.

podLabels: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

auth:

# Override the service account used by Azure validator (optional, could be used for WorkloadIdentityCredentials on AKS)

# WARNING: the chosen service account must include all RBAC privileges found in templates/manager-rbac.yaml

serviceAccountName: ""

# Optionally specify the Azure environment to use. Defaults to "AzureCloud" for public Azure cloud.

# Other acceptable values are "AzureUSGovernment" and "AzureChinaCloud".

azureEnvironment: "AzureCloud"

- chart:

name: validator-plugin-oci

repository: validator-plugin-oci

version: v0.3.5

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-oci

tag: v0.3.5

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

- chart:

name: validator-plugin-kubescape

repository: validator-plugin-kubescape

version: v0.0.6

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-kubescape

tag: v0.0.6

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

# Optionally specify a volumeMount to mount a volume containing a private key

# to leverage Azure Service principal with certificate authentication.

volumeMounts: []

replicas: 1

serviceAccount:

annotations: {}

# Optionally specify a volume containing a private key to leverage Azure Service

# principal with certificate authentication.

volumes: []

# Optionally specify additional labels to use for the controller-manager Pods.

podLabels: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

- chart:

name: validator-plugin-aws

repository: validator-plugin-aws

version: v0.1.12

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-aws

tag: v0.1.12

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

auth:

# Override the service account used by AWS validator (optional, could be used for IAM roles for Service Accounts)

# WARNING: the chosen service account must have the same RBAC privileges as seen in templates/manager-rbac.yaml

serviceAccountName: ""

- chart:

name: validator-plugin-network

repository: validator-plugin-network

version: v0.1.2

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: true

capabilities:

add:

- NET_RAW

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-network

tag: v0.1.2

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

- chart:

name: validator-plugin-maas

repository: validator-plugin-maas

version: v0.0.13

values: |-

controllerManager:

manager:

args:

- --metrics-bind-address=:8443

- --health-probe-bind-address=:8081

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-maas

tag: v0.0.13

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP

- chart:

name: validator-plugin-vsphere

repository: validator-plugin-vsphere

version: v0.1.6

values: |-

controllerManager:

manager:

args:

- --health-probe-bind-address=:8081

- --metrics-bind-address=:8443

- --leader-elect

containerSecurityContext:

allowPrivilegeEscalation: false

capabilities:

drop:

- ALL

image:

repository: quay.io/validator-labs/validator-plugin-vsphere

tag: v0.1.6

resources:

limits:

cpu: 500m

memory: 128Mi

requests:

cpu: 10m

memory: 64Mi

replicas: 1

serviceAccount:

annotations: {}

kubernetesClusterDomain: cluster.local

metricsService:

ports:

- name: https

port: 8443

protocol: TCP

targetPort: 8443

type: ClusterIP