Parameters

The parent key for all of the following parameters is emergency_credentials_controller.

`namespace`

type	string
default	`appuio-emergency-credentials-controller`

The namespace in which to deploy this component.

`namespaceMetadata`

type	dict
default	`annotations: openshift.io/node-selector: "node-role.kubernetes.io/infra=" labels: openshift.io/cluster-monitoring: "true"`

Metadata to be added to the namespace.

`images`

type	dictionary

The images to use for this component.

`manifests_version`

type	string
default	`${emergency_credentials_controller:images:emergency_credentials_controller:tag}`

The Git reference to the controller deployment manifests. The default is the tag of the controller image.

emergency_accounts

type

dict

default

{}

example

emergency_accounts:
  example:
    spec:
      validityDuration: 720h
      minValidityDurationLeft: 168h
      tokenStores:
        - name: secret
          type: secret
      _tokenStores:
        ext-s3:
          type: s3
          s3Store:
            encryption:
              encrypt: true
              pgpKeys: [omitted]
            s3:
              endpoint: zrh.example.io
              bucket: emergency-credentials
              accessKeyId: nJxvJLuryTpxBVt16La4xEM5ZfAB5fIVPGEPdDrR
              secretAccessKey: Z9rQrB2QHLEcmCVBqGi8EnKlKUfUcQ6PrfXnjenH
            objectNameTemplate: "em-{{ .Context.ClusterId | sha256sum }}"
            objectNameTemplateContext:
              ClusterId: ${cluster:name}
  no-binding:
    _create_binding: false
    spec:
      validityDuration: 720h

This parameter is used to configure the EmergencyAccount objects. The dictionary key is used as the name of the EmergencyAccount object. The value is the configuration of the EmergencyAccount object.

The value has an additional key _create_binding which is used to control whether a ClusterRoleBinding to the ClusterRole defined in cluster_admin_role should be created. The default is true.

The _tokenStores keys is a helper to hierarchically configure the tokenStores key. It’s a dictionary where the key is the name of the tokenStore and the value is the configuration of the tokenStore. The resulting configurations are appended to the tokenStores key.

See github.com/appuio/emergency-credentials-controller for the manifest definition.

`cluster_admin_role`

type	string
default	`cluster-admin`

The name of the ClusterRole to bind the EmergencyAccount ServiceAccount to.

`alerts`

type

dict

example

BadThingsHappening:
  enabled: true
  rule:
    annotations:
      description: Bad things have been happening on {{$labels.node}} for more than 10 minutes.
      message: Bad things have been happening on {{$labels.node}} for more than 10 minutes.
      runbook_url: https://hub.syn.tools/emergency-credentials-controller/runbooks/BadThingsHappening.html
    expr: |
      bad_thing_happening == 1
    for: 10m
    labels:
      severity: warning

alerts defines the alerts to be installed. The dictionary key is used as the name of the alert.

`alerts.<name>.enabled`

type

bool

Defines whether to install the alert.

`alerts.<name>.rule`

type

dict

Holds the configuration of the alert rule.

See Prometheus Alerting Rules for details.