# Parameters

The parent key for all of the following parameters is `appuio_cloud`.

## `namespace`

 type string default `appuio-cloud`

The namespace in which to deploy this component.

## `namespaceLabels`

 type dict default

```yaml
network-policies.syn.tools/no-defaults: 'true'
network-policies.syn.tools/purge-defaults: 'true'
```

The labels of the namespace in which this component is deployed.

## `namespaceAnnotations`

 type dict default `{}`

The annotations of the namespace in which this component is deployed.

## `images`

 type dict default See `class/defaults.yml`

This parameter allows selecting the Docker images to use. Each image is specified using keys `registry`, `repository` and `tag`. This structure allows easily injecting a registry mirror, if required.

## `monitoring.enabled`

 type boolean default `true`

Controls whether a `ServiceMonitor` object is created to scrape the APPUiO Cloud Agent metrics.

## `agent.replicas`

 type int default 3

With how many replicas the APPUiO Cloud Agent should run.

## `agent.resources`

 type dict default

```yaml
limits:
  memory: 1Gi
```

Resource requests and limits for the APPUiO Cloud Agent deployment.

The contents of this parameter are merged over the default resource requests and limits of the Agent’s base configuration.

## `agent.resourceRatio.memoryPerCore`

 type string default `4Gi`

The "fair-use" ratio of requested memory to requested CPU. If a namespace requests less than `4Gi` of memory per requested CPU core, the APPUiO Cloud Agent warns the user that they exceed the "fair-use" limit and may incur additional costs.
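The fair-use check described above, as an added example (illustrative Python, not the Agent's own code). The pod data is constructed, and the quantity parser is a simplified one that handles the usual suffixes but not exponent notation:

```python
# Added example: fair-use memory-per-core check, modelled on the description
# above. Illustrative Python, not the APPUiO Cloud Agent's Go code.
MEM_UNITS = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
             "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}

def parse_cpu_millicores(q):
    """'500m' -> 500, '2' -> 2000 (simplified Kubernetes quantity parsing)."""
    q = str(q).strip()
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def parse_memory_bytes(q):
    """'4Gi' -> 4294967296, '1G' -> 1000000000, '512' -> 512 bytes."""
    q = str(q).strip()
    for unit in sorted(MEM_UNITS, key=len, reverse=True):  # try 'Gi' before 'G'
        if q.endswith(unit):
            return int(float(q[:-len(unit)]) * MEM_UNITS[unit])
    return int(float(q))

def memory_per_core(pods):
    """Sum the container requests of all pods and return bytes of memory per
    full requested core, or None when nothing requests CPU (no ratio to check)."""
    cpu_m = sum(parse_cpu_millicores(c.get("requests", {}).get("cpu", "0"))
                for p in pods for c in p["containers"])
    mem = sum(parse_memory_bytes(c.get("requests", {}).get("memory", "0"))
              for p in pods for c in p["containers"])
    return None if cpu_m == 0 else mem * 1000 // cpu_m

def exceeds_fair_use(pods, memory_per_core_limit="4Gi"):
    """True when the namespace requests less memory per core than the fair-use
    ratio, i.e. the situation in which the Agent warns the user."""
    ratio = memory_per_core(pods)
    return ratio is not None and ratio < parse_memory_bytes(memory_per_core_limit)

# Constructed sample: a CPU-heavy namespace (2Gi per core) and a balanced one
# that sits exactly on the 4Gi-per-core boundary.
CPU_HEAVY = [{"containers": [{"requests": {"cpu": "2", "memory": "4Gi"}}]}]
BALANCED = [{"containers": [{"requests": {"cpu": "500m", "memory": "2Gi"}},
                            {"requests": {"cpu": "250m", "memory": "1Gi"}}]}]

if __name__ == "__main__":
    for name, pods in (("cpu-heavy", CPU_HEAVY), ("balanced", BALANCED)):
        print(name, memory_per_core(pods), exceeds_fair_use(pods))
```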

## `agent.webhook.tls`

This key configures encryption of traffic to the controller’s admission webhook server. The Kubernetes API server only communicates with admission webhooks over HTTPS. Therefore, the component requires that both `agent.webhook.tls.certificate` and `agent.webhook.tls.key` are configured.

### `agent.webhook.tls.certSecretName`

 type string default `webhook-service-tls`

The name of the secret containing the TLS certificate and key for the agent’s webhook server.

### `agent.webhook.tls.caCertificate`

 type string default `""`

The CA certificate used to sign the webhook service certificate. If left empty, the component assumes that the provided certificate can be verified using the cluster’s default CA bundle.

If you deploy a self-signed certificate, set this parameter to `${appuio_cloud:agent:webhook:tls:certificate}`.

### `agent.webhook.tls.certificate`

 type string default `""`

The certificate to use for the agent’s admission webhook server. Users must provide this parameter, since Kubernetes doesn’t support admission webhooks which aren’t secured with TLS.

### `agent.webhook.tls.key`

 type string default `?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/webhook-key}`

The private key to use for the agent’s admission webhook server.

## `agent.webhook.namespaceSelector`

 type dict

The `namespaceSelector` that’s applied to every webhook installed by the APPUiO Cloud Agent. The `namespaceSelector` decides whether to run the webhook on a request for a namespaced resource (or a `Namespace` object), based on whether the namespace’s labels match the selector. If the object itself is a namespace, the matching is performed on `object.metadata.labels`. If the object is a cluster-scoped resource other than a `Namespace`, the `namespaceSelector` has no effect.

See the upstream documentation on these selectors.

## `agent.config`

 type dict default See `class/defaults.yml`

This parameter allows configuring the APPUiO Cloud Agent. See the Agent repository for an overview of the available configuration options.

### `agent.config._subjects`

 type dict default `${appuio_cloud:bypassNamespaceRestrictions:subjects}` example

```yaml
_subjects:
  argocd:
    kind: ServiceAccount
    name: argocd-application-controller
    namespace: argocd
  admin:
    kind: User
    name: admin
  admins:
    kind: Group
    name: admins
```

A special key to map between the Kyverno way of specifying subjects and the APPUiO Cloud Agent way. The key is omitted from the final configuration.

## `clusterRoles`

 type dict example

```yaml
clusterRoles:
  namespace-owner:
    rules:
      - apiGroups: ['']
        resources: [namespaces]
        verbs:
          - get
          - watch
          - edit
          - patch
          - delete
```

The `clusterRoles` parameter can be used to create a list of arbitrary `ClusterRoles`. The key is used as the name of the `ClusterRole` and the value is transformed into the `ClusterRole` resource.

## `reservedNamespaces`

 type dict example

```yaml
reservedNamespaces:
  monitoring: ['monitoring-*', 'test-monitoring-*']
  logging: logging
```

Creating and editing namespaces matching any of the entries is disallowed. The list must consist of entries like `custom: ['custom-', 'test-custom-']` or `custom: 'custom-*'`.

## `allowedNamespaceLabels`

 type dict example

```yaml
allowedNamespaceLabels:
  kubernetesGenerated:
    - kubernetes.io/metadata.name
  custom: custom.io/*
```

Creating and editing namespace labels is disallowed except for labels explicitly approved using this parameter. The list must consist of entries like `custom: ['custom-', 'test-custom-']` or `custom: 'custom-*'`.

## `allowedNamespaceAnnotations`

 type dict example

```yaml
allowedNamespaceAnnotations:
  kubernetesGenerated:
    - kubectl.kubernetes.io/last-applied-configuration
  custom: custom.io/*
```

Creating and editing namespace annotations is disallowed except for annotations explicitly approved using this parameter. The list must consist of entries like `custom: ['custom-', 'test-custom-']` or `custom: 'custom-*'`.

## `bypassNamespaceRestrictions.roles`

 type dict example

```yaml
roles:
  my-admin: ['my-admin', 'test-admin']
  special-role: special-role
```

`Roles` in the same namespace excluded from all namespace policies. Must consist of entries like `my-admin: ['my-admin', 'test-admin']` or `my-admin: 'my-admin'`.

## `bypassNamespaceRestrictions.clusterRoles`

 type dict example

```yaml
clusterRoles:
  my-admin: ['my-admin', 'test-admin']
  special-role: special-role
```

`ClusterRoles` excluded from all namespace policies. Must consist of entries like `my-admin: ['my-admin', 'test-admin']` or `my-admin: 'my-admin'`.

## `bypassNamespaceRestrictions.subjects`

 type dict example

```yaml
subjects:
  argocd:
    kind: ServiceAccount
    name: argocd-application-controller
    namespace: syn-argocd
```

`ServiceAccount`, `User` or `Group` (chosen by `kind:`) excluded from all namespace policies.

## `generatedResourceQuota`

 type dict

A key-value map defining `ResourceQuota` objects. Each entry will generate a `ResourceQuota` with the key as its name.

### `generatedResourceQuota[name].synchronize`

 type bool default `true`

Whether the created `ResourceQuota` is kept in sync. If set to `false` the created `ResourceQuota` can be modified.

 There is a bug in `kyverno` up until `v1.4.2`. The bug has been fixed, but as of writing this the fix hasn’t been released. The bug will cause the `ResourceQuota` to be updated if the `Namespace` or `ClusterPolicy` changes, even if `synchronize` has been disabled.

### `generatedResourceQuota[name].spec`

 type dict default See `class/defaults.yml`

The desired contents of field `spec` of the `ResourceQuota` that should be generated. The component doesn’t validate the contents of this field. See the Kubernetes Resource Quota documentation for supported configurations.

 You can override these default quotas on a namespace level, by setting an annotation `resourcequota.appuio.io/.` on the namespace.
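The override lookup that this section and the paragraphs below describe, as an added example (illustrative Python, not the component's Kyverno policy). It assumes that storage-class quota keys contain `.storageclass.storage.k8s.io/`, and the sample annotations are constructed:

```python
# Added example: resolving per-namespace ResourceQuota overrides from the
# `resourcequota.appuio.io/...` annotations. Not the component's Kyverno policy.
import json

ANNOTATION_PREFIX = "resourcequota.appuio.io/"
STORAGECLASS_MARKER = ".storageclass.storage.k8s.io/"  # assumption about quota keys
ANNOTATION_NAME_MAX = 63  # Kubernetes: name part of an annotation key <= 63 chars

def plain_override_key(quota_name, resource):
    """Annotation key for a regular resource: '/' in the resource becomes '_'."""
    return f"{ANNOTATION_PREFIX}{quota_name}.{resource.replace('/', '_')}"

def annotation_key_valid(key):
    """Length rule only: the part after the '/' is limited to 63 characters."""
    return len(key.split("/", 1)[1]) <= ANNOTATION_NAME_MAX

def storageclass_overrides(quota_name, annotations):
    """Parse the '.storageclasses' annotation, which must hold one JSON object."""
    raw = annotations.get(f"{ANNOTATION_PREFIX}{quota_name}.storageclasses")
    if raw is None:
        return {}
    parsed = json.loads(raw)
    if not isinstance(parsed, dict):
        raise ValueError(".storageclasses annotation must be a single JSON object")
    return parsed

def apply_overrides(quota_name, hard, annotations):
    """Return `hard` with overrides applied. Storage-class keys are only
    overridable through the JSON object, never through a plain annotation."""
    sc_overrides = storageclass_overrides(quota_name, annotations)
    result = dict(hard)
    for resource in hard:
        if STORAGECLASS_MARKER in resource:
            if resource in sc_overrides:
                result[resource] = str(sc_overrides[resource])
        else:
            override = annotations.get(plain_override_key(quota_name, resource))
            if override is not None:
                result[resource] = override
    return result

# Constructed sample namespace annotations (not real cluster data).
NS_ANNOTATIONS = {
    "resourcequota.appuio.io/organization-compute.limits.cpu": "1337",
    "resourcequota.appuio.io/organization-objects.openshift.io_imagestreams": "40",
    "resourcequota.appuio.io/organization-storage.storageclasses":
        '{"gold.storageclass.storage.k8s.io/requests.storage": "50Gi"}',
}
```

The length check shows why the storage-class quotas need the JSON annotation: the plain key for a storage-class resource is longer than Kubernetes accepts.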
For example `resourcequota.appuio.io/organization-compute.limits.cpu: "1337"` will increase the limit of used vCPUs to `1337`. For resources containing a forward slash, you will need to substitute it with an underscore. For example: `resourcequota.appuio.io/organization-objects.openshift.io_imagestreams: "40"`.

The exception is that for customizing storage class quotas you need to set annotation `resourcequota.appuio.io/.storageclasses`. This is because the regular annotations for storageclass-specific resources are generally too long to be accepted as annotation keys by Kubernetes. The value of the `resourcequota.appuio.io/.storageclasses` annotation is parsed as JSON by Kyverno. The policy expects that the parsed JSON is a single object. For quota keys of the resource quota `` which match the prefix `.storageclass.storage.k8s.io` the policy checks that JSON object instead of a plain annotation for overrides.

## `generatedLimitRange`

 type dict

This parameter defines a `LimitRange` object.

### `generatedLimitRange.name`

 type string default `organization`

The `metadata.name` of the `LimitRange` that gets generated in the new `Namespace` created by the user.

### `generatedLimitRange.synchronize`

 type bool default `true`

Whether the created `LimitRange` is kept in sync. If set to `false` the created `LimitRange` can be modified.

 There is a bug in `kyverno` up until `v1.4.2`. The bug has been fixed, but as of writing this the fix hasn’t been released. The bug will cause the `LimitRange` to be updated if the `Namespace` or `ClusterPolicy` changes, even if `synchronize` has been disabled.

### `generatedLimitRange.limits`

 type dict example

```yaml
limits:
  "Container":
    max:
      memory: "4G"
    min:
      memory: "4Mi"
  "PersistentVolumeClaim":
    max:
      storage: 2Gi
    min:
      storage: 1Gi
```

A key-value map defining limits for different `Types`. The example above will reject any PVC smaller than `1Gi` or larger than `2Gi`. It will also reject any container requesting more than `4G` of memory or less than `4Mi`. Consult the official Kubernetes documentation on how to configure these `limits`.

## `disallowDockerBuildStrategy`

 type boolean default `true`

Creating build strategies using Docker is disallowed.

## `maxNamespaceQuota`

 type int default 25

Set the number of namespaces an organization can create.

 It’s recommended that this quota is applied per zone. For example, with a quota of `25` in Zone A and a quota of `10` in Zone B, any organization can have 25 namespaces in Zone A, but only 10 namespaces in Zone B.

## `namespaceQuotaOverrides`

 type dict

Override `maxNamespaceQuota` for a specific organization.

```yaml
namespaceQuotaOverrides:
  exampleCompany: 50 # (1)
```

1. The organization `exampleCompany` can now have 50 namespaces.

 You can also set an override that’s lower than the default quota. It’s recommended that this override is applied per zone.

## `projectTemplate`

Configuration options for the OpenShift default project template.

### `projectTemplate.enabled`

 type boolean default `false`

This parameter controls whether the component deploys and enables a custom default project template.

### `projectTemplate.objects`

 type dict default

```yaml
project:
  apiVersion: project.openshift.io/v1
  kind: Project
  metadata:
    annotations:
      openshift.io/description: '\${PROJECT_DESCRIPTION}'
      openshift.io/display-name: '\${PROJECT_DISPLAYNAME}'
      openshift.io/requester: '\${PROJECT_REQUESTING_USER}'
    name: '\${PROJECT_NAME}'
```

The contents of this dict are used to populate field `objects` of the OpenShift template object. The keys in the dict are ignored, but can be used in the configuration hierarchy to change existing template objects. Setting a key to value `null` removes the object from the resulting template. To avoid Commodore trying to interpret template parameters, escape them with `\${PARAM}` as shown in the default value.

Any parameters used in the template objects must be defined in component parameter `projectTemplate.parameters`.

 OpenShift requires that the default template contains at least one object of type `Project`.

### `projectTemplate.parameters`

 type dict default

```yaml
PROJECT_NAME: {}
PROJECT_DISPLAYNAME: {}
PROJECT_DESCRIPTION: {}
PROJECT_ADMIN_USER: {}
PROJECT_REQUESTING_USER: {}
```

The contents of this dict are used to populate field `parameters` of the OpenShift template object.

The field `parameters` in the template object is a list of objects, see the OpenShift documentation. The component transforms the entries of this component parameter into objects by using the key as field `name` of the resulting object and merging it with the provided value. Users can remove parameters by setting value `null`.

## `runOnceActiveDeadlineSeconds`

Configuration for the cluster policy which ensures that `.spec.activeDeadlineSeconds` is set for all "runonce" pods. "Runonce" pods are pods which have `.spec.restartPolicy` set to `OnFailure` or `Never`.

### `runOnceActiveDeadlineSeconds.defaultActiveDeadlineSeconds`

 type int default `1800`

This parameter gives the default value for `.spec.activeDeadlineSeconds` which is added to "runonce" pods which don’t have the field set already.

### `runOnceActiveDeadlineSeconds.overrideAnnotationKey`

 type string default `appuio.io/active-deadline-seconds-override`

The key of the namespace annotation which users can use to override the global default value for `.spec.activeDeadlineSeconds`.

### `runOnceActiveDeadlineSeconds.podMatchExpressions`

 type dict default `{}` example

```yaml
podMatchExpressions:
  # Don't set activeDeadlineSeconds for pods which have
  # label `acme.cert-manager.io/http01-solver`
  acme.cert-manager.io/http01-solver:
    operator: DoesNotExist
```

The entries of the dict are expected to be of form `labelKey: <partial matchExpression>`. Each entry is transformed to a Kubernetes `matchExpression` entry by taking the key as value for field `key` of the resulting match expression.

See the `matchExpressions` section in the Kubernetes LabelSelector documentation for supported fields in a `matchExpressions` element.

The field `activeDeadlineSeconds` will only be set for pods which match the provided expressions.

Generally, we recommend adjusting the value for `activeDeadlineSeconds` by annotating namespaces as documented above or by setting `activeDeadlineSeconds` in the Pod spec, but in some cases it may be necessary to exclude pods from the policy.
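The decision logic of the runonce policy described in this section, written out as an added example (illustrative Python, not the component's Kyverno `ClusterPolicy`). The config mirrors the documented defaults and the `podMatchExpressions` example; the pods are constructed:

```python
# Added example: what the runonce activeDeadlineSeconds policy would do for a
# given pod. Illustrative Python, not the component's Kyverno ClusterPolicy.
RUNONCE_POLICIES = ("OnFailure", "Never")

def to_match_expressions(pod_match_expressions):
    """Turn `{labelKey: partial}` into Kubernetes LabelSelector matchExpressions."""
    return [{"key": key, **partial} for key, partial in pod_match_expressions.items()]

def expression_matches(expr, labels):
    """Evaluate one matchExpression against a pod's labels."""
    op, key, values = expr["operator"], expr["key"], expr.get("values", [])
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    raise ValueError(f"unsupported operator {op!r}")

def deadline_to_set(pod, namespace_annotations, config):
    """Return the activeDeadlineSeconds the policy sets, or None if it leaves the pod alone."""
    spec = pod.get("spec", {})
    if spec.get("restartPolicy") not in RUNONCE_POLICIES:
        return None  # not a "runonce" pod
    if "activeDeadlineSeconds" in spec:
        return None  # the user already set the field
    labels = pod.get("metadata", {}).get("labels", {})
    exprs = to_match_expressions(config.get("podMatchExpressions", {}))
    if not all(expression_matches(e, labels) for e in exprs):
        return None  # excluded by podMatchExpressions
    override = namespace_annotations.get(config["overrideAnnotationKey"])
    return int(override) if override is not None else config["defaultActiveDeadlineSeconds"]

# Constructed config (documented defaults plus the example above) and sample pods.
CONFIG = {
    "defaultActiveDeadlineSeconds": 1800,
    "overrideAnnotationKey": "appuio.io/active-deadline-seconds-override",
    "podMatchExpressions": {"acme.cert-manager.io/http01-solver": {"operator": "DoesNotExist"}},
}
JOB_POD = {"metadata": {"labels": {"app": "backup"}}, "spec": {"restartPolicy": "Never"}}
SOLVER_POD = {"metadata": {"labels": {"acme.cert-manager.io/http01-solver": "true"}},
              "spec": {"restartPolicy": "Never"}}
WEB_POD = {"metadata": {"labels": {}}, "spec": {"restartPolicy": "Always"}}
```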