Parameters

The parent key for all of the following parameters is control_api.

namespace

type

string

default

appuio-control-api

The namespace in which to deploy this component.

images

type

dictionary

default

See class/defaults.yml

Dictionary containing the container images used by this component.

odoo8.countries

type

dictionary

default

See See class/defaults.yml

example
odoo8:
  countries:
    Switzerland:
      code: CH
      id: 44
    Liechtenstein:
      code: LI
      id: 129

Dictionary containing allowed countries and their Odoo 8 configuration.

The key is the name of the country as it should be displayed in the UI. The value is a dictionary containing the id and code of the country in Odoo 8.

odoo8.countries.*.id

type

integer

The ID of the country in Odoo 8. Check the Odoo 8 database for the correct value. An export of the country IDs defined in the VSHN Odoo is available here.

odoo8.countries.*.code

type

string

The ISO 3166-1 alpha-2 code of the country. Check the Odoo 8 database for the correct value. An export is available here.

apiserver.extraArgs

type

list(string)

default

[]

A list of extra command line arguments for the control-api API server deployment.

apiserver.extraEnv

type

list

default

{}

example
extraEnv:
  ODOO_PASSWORD:
    secretKeyRef:
      name: odoo-user
      key: password
  DEBUG: "true"

Additional environment that should be passed to the API server. If a dict is given valueFrom: is assumed.

apiserver.apiservice

type

dict

This key is applied directly as an APIService object. The APIService object instructs the Kubernetes API server to delegate requests to the aggregate API server.

apiserver.resources

type

dict

default

{}

Custom resource requests and limits to use for the API server container. The contents of this parameter are merged over the default requests defined in the upstream API server manifest.

apiserver.tls

This key configures encryption of internal traffic from the Kubernetes API server to the aggregate API sever.

You have the option to provide a custom TLS key and certificate.

apiserver.tls.certSecretName

type

string

default

control-api-tls

If this field is set to null, the aggregate API server will generate its own certificates. In that case the connection is still encrypted, but you need to disable TLS verification by setting insecureSkipTLSVerify to true in the APIService.

apiserver.tls.serverCert

type

string

default

""

apiserver.tls.serverKey

type

string

default

"?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/apiserver-key}"

zones

type

dict

default

{}

This key deploys static APPUiO Zone definitions and manages ServiceAccounts for the agent on the zones.

Each subkey of zones results in the resource’s metadata.name and contains an object that’s an appuio.io/v1/Zone spec verbatim. The subkeys are also used to create a ServiceAccount adn RBAC for the agent on the zones in the form of ${subkey}-cloud-agent.

Example 1. Zone configuration
parameters:
  control_api:
    zones:
      example-zone-1:
        data:
          displayName: Example Zone 1
          features:
            kubernetesVersion: ${dynamic_facts:kubernetesVersion:major}.${dynamic_facts:kubernetesVersion:minor}
            sdnPlugin: OVN-Kubernetes
          urls:
            console: https://console.example.zone
            kubernetesAPI: https://api.example.zone:6443
          cname: cname.example.zone
          defaultAppDomain: apps.example.zone
          gatewayIPs:
          - 100.100.100.100
          cloudProvider:
            name: example
            zones:
              - zone1
            region: region1

zone_agent_service_accounts

type

list(string)

default

[]

Allows adding additional ServiceAccounts for zones that should not be shown in the portal.

The list is appended to keys(zones). Entries can be removed by prefixing them with ~.

usage_profiles

type

dict

default

{}

example
usage_profiles:
  example:
    spec:
      namespaceCount: 25
      resources:
        deny-egress-tcp-25:
          apiVersion: networking.k8s.io/v1
          kind: NetworkPolicy
          metadata:
            annotations:
              description: Deny egress traffic to all hosts on ports 25
          spec:
            egress:
            - ports:
              - port: 25
                protocol: TCP
              to:
              - ipBlock:
                  cidr: 0.0.0.0/0
            podSelector: {}
            policyTypes:
            - Egress

Deploys UsageProfile definitions to the control-api.

Each subkey of usage_profiles results in the resource’s metadata.name and contains an object that’s an appuio.io/v1/UsageProfile spec verbatim.

Usage profiles are used to define resource limits and quotas for organizations. You can read more about usage profiles in the documentation.

cluster_admin_impersonation.oidc_administrator_role

type

string

default

admin

The name of the OpenID Connect role to allow administrator impersonation.

username_prefix

type

string

default

appuio#

The prefix used for OIDC users in the Kubernetes API server.

controller.extraArgs

type

list(string)

default

[]

A list of extra command line arguments for the control-api controller deployment.

controller.extraEnv

type

list

default

{}

example
extraEnv:
  DEBUG: "true"

Additional environment that should be passed to the controller. If a dict is given valueFrom: is assumed.

controller.resources

type

dict

default

{}

Custom resource requests and limits to use for the controller container. The contents of this parameter are merged over the default requests defined in the upstream controller manifest.

controller.webhookTls

This key configures encryption of traffic to the controller’s admission webhook server. The Kubernetes API server only communicates with admission webhooks over HTTPS. Therefore, the component requires that both controller.webhookTls.certificate and controller.webhookTls.key are configured.

controller.webhookTls.certSecretName

type

string

default

webhook-service-tls

The name of the secret containing the TLS certificate and key for the controller’s webhook server.

controller.webhookTls.caCertificate

type

string

default

""

The CA certificate used to sign the webhook service certificate. If left empty, the component assumes that the provided certificate can be verified using the cluster’s default CA bundle.

If you deploy a self-signed certificate, set this parameter to ${control_api:controller:webhookTls:certificate}.

controller.webhookTls.certificate

type

string

default

""

The certificate to use for the controller’s admission webhook server. Users must provide this parameter, since Kubernetes doesn’t support admission webhooks which aren’t secured with TLS.

controller.webhookTls.key

type

string

default

?{vaultkv:${cluster:tenant}/${cluster:name}/${_instance}/webhook-key}

The private key to use for the controller’s admission webhook server.

idp_adapter.enabled

type

boolean

default

false

Controls if the IDP Adapter should be deployed.

idp_adapter.args

type

list

default

[]

Arguments that should be passed to the IDP Adapter.

idp_adapter.env

type

list

default

{}

example
idp_adapter:
  env:
    KEYCLOAK_PASSWORD:
      secretKeyRef:
        name: keycloak-user
        key: password
    DEBUG: "true"

Additional environment that should be passed to the IDP Adapter. If a dict is given valueFrom: is assumed.

idp_adapter.resources

type

dict

default

See class/defaults.yml

Resource requests and limits to apply to the IDP Adapter container.

secrets

type

dictionary

default

{}

example
secrets:
  keycloak-user:
    stringData:
      username: keycloak-user
      password: keycloak-password

A key-value map defining multiple Secret for referencing in secrets. Each entry will generate a Secret with the key as its name.

cleanupJob.enabled

type

boolean

default

false

Controls whether a cronjob for cleaning up stale inflight records should be created.

cleanupJob.schedule

type

string

default

45 0 * * *

Cron schedule for the cleanup cron job.

cleanupJob.extraArgs

type

list(string)

default

[]

A list of extra command line arguments for the cleanup container.

cleanupJob.extraEnv

type

list

default

{}

example
extraEnv:
  ODOO_PASSWORD:
    secretKeyRef:
      name: odoo-user
      key: password
  DEBUG: "true"

Additional environment that should be passed to the cleanup container. If a dict is given valueFrom: is assumed.

cleanupJob.nodeSelector

type

dictionary

default
nodeSelector:
  node-role.kubernetes.io/infra: ''

Node selector to apply to the cleanup job.

cleanupJob.jobHistoryLimit.failed

type

integer

default

2

How many failed jobs to keep at most.

cleanupJob.jobHistoryLimit.successful

type

integer

default

2

How many successful jobs to keep at most.