Parameters

The parent key for all of the following parameters is lieutenant.

namespace

type

string
default

lieutenant

The namespace in which to deploy this component.

images

type

dictionary

Dictionary containing the container images used by this component.

operator.common_labels

type

dict
default: 
app.kubernetes.io/name: 'lieutenant-operator'
app.kubernetes.io/part-of: 'project-syn'

Common labels to add to each resource of the Lieutenant Operator. Will be used as a label selector for pods.

operator.default_deletion_policy

type

string
default

Archive

Sets what deletion policy for external resources (Git, Vault) should be used by default. One of Archive, Delete, Retain.

operator.deletion_protection

type

bool
default

false

Defines whether the annotation to protect for accidental deletion should be set by default.

operator.default_global_git_repo

type

string
default

``

URL of the default global configuration Git repository. The value of this parameter will be used as the default value for .spec.globalGitRepoURL on new tenant objects.

operator.env

type

dict
default

{}
example 
env:
  LIEUTENANT_CREATE_SERVICEACCOUNT_TOKEN_SECRET: true

Additional environment variables that should be passed to the Lieutenant operator. If a dict is given as the value, the component will render it as valueFrom:.

Environment variables configured in this parameter have precedence over environment variables generated from other component parameters.

operator.lieutenant_api_url

type

string
default

${lieutenant:api:ingress:host}

Make the Lieutenant Operator aware of where the API is publicly reachable. By default, the API ingress hostname is used, with a https:// prefix.

operator.vault.enabled

type

bool
default

true

Whether to enable the Lieutenant Operator Vault integration. If set to true, operator.vault.addr and operator.vault.path must be set to point to a valid Vault instance and a valid KV secret engine of that Vault instance.

operator.vault.addr

type

string
default

vault.todo

Address to the Vault instance.

operator.vault.auth_path

type

string
default

kubernetes

The mount path of the Vault authentication method to use.

operator.vault.path

type

string
default

kv

The mount path of the KV secret engine to be used.

api.common_labels

type

dict
default: 
app.kubernetes.io/name: 'lieutenant-api'
app.kubernetes.io/part-of: 'project-syn'

Common labels to add to each resource of the Lieutenant API. Will be used as a label selector for pods.

api.default_githost

type

string
default

``

The githost to be used by default for new tenants.

api.env

type

list
default

{}
example 
env:
  OIDC_DISCOVERY_URL:
    secretKeyRef:
      name: oidc-config
      key: discovery
  OIDC_CLIENT_ID: lieutenant

Additional environment that should be passed to the Lieutenant API. If a dict is given valueFrom: is assumed.

api.ingress.host

type

string
default

lieutenant.todo

Defines the FQDN of the API ingress, should be overwritten on the cluster level.

api.ingress.annotations

type

dict
default

{}

The annotations added to the created ingress Needs to be set according to the deployed ingress controller.

annotations:
  cert-manager.io/cluster-issuer: letsencrypt-production
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/cors-allow-credentials: 'true'
  nginx.ingress.kubernetes.io/cors-allow-methods: GET, POST, DELETE
  nginx.ingress.kubernetes.io/cors-allow-origin: http://localhost:8080
  nginx.ingress.kubernetes.io/enable-cors: 'true'

api.ingress.tls

type

bool
default

true

Whether to enable TLS for the ingress. This requires either to set the correct cert-manager annotations or to add the certificate manually to the secret lieutenant-api-cert.

api.lieutenant_instance

type

string
default

${lieutenant:namespace}

Sets the env variable LIEUTENANT_INSTANCE to the value specified here. By default the value is set to the name of the namespace.

api.create_user_serviceaccount_secrets

type

bool
default

true

This parameter controls whether the component creates a ServiceAccount token secret for each user with kind: ServiceAccount listed in parameter api.users.

This parameter should always be set to true on Kubernetes 1.24+, because Kubernetes 1.24 and newer don’t automatically create a ServiceAccount token secret anymore.

api.users

type

list
default: 
users:
  - kind: ServiceAccount
    name: lieutenant-api-user

A list of users that have permission to access the API These entries translate to Kubernetes subjects and can reference a Group, User, or ServiceAccount. For entries with type ServiceAccount the component will create the corresponding service account object.

tenant_rbac

type

dict
default

{}

Role based access control to the created tenant (or cluster) resources. Lieutenant creates a Role for each tenant and cluster using the tenant or cluster ID as the role name.

The component will create a RoleBinding named custom-<key> for each entry in the parameter. The roleRef for each RoleBinding will use the key in the parameter as the role name. We prefix the RoleBinding name with custom-, because Lieutenant already manages RoleBindings which use the tenant and cluster IDs as names.

tenant_rbac:
  t-foo-324
    - name: 'sa-bar'
      kind: 'ServiceAccount'
    - name: 'u-bar-1'
      kind: 'User'
  t-foo-1
    - name: 'g-buzz'
      kind: 'Group'
    - name: 'u-bar-1'
      kind: 'User'
  c-bar-546:
    - name: 'u-bar-1'
      kind: 'User'

The example configuration above will create

  • a RoleBinding custom-t-foo-324 which grants user u-bar-1 and service account sa-bar read access to all clusters owned by tenant t-foo-324.

  • a RoleBinding custom-t-foo-1 which grants group g-buzz and user u-bar-1 read access to all clusters owned by tenant t-foo-1.

  • a RoleBinding custom-c-bar-546 which grants user u-bar-1 read access to cluster c-bar-546.

This can usually only be configured after the initial setup of Lieutenant.

githosts

type

dict
default

{}

A list of GitLab instances Lieutenant will be able to connect to for repository creation.

A GitLab token with api scope need to be accessible through Vault. See the setup githost how-to for further details.

githosts:
  gitlab-vshn:
    endpoint: https://git.vshn.net/
    token: '?{vaultkv:${cluster:tenant}/${cluster:name}/lieutenant/githosts/gitlab-vshn/token}'
    host_keys: |
      git.vshn.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnE1dMkh+3uHWck+cTvQqeNUW0lj1uVcIC9JX2Tg6gmkKCYA73+o+I7vo4g6nPtSOAfITvYdHJLzwE9GwlSFsXHMR9q0ErWl2wC+w6FawLMz9//5XqiBi2qq/8WnWp3ecY16jDoGRW4eymT+USFHKJVi696XBy3WE/0BBapPZ58WPqkKN6A27qkIK6FehI80f+zN4ZqikdwWuCFs35fsimcmLnWqWPm8zbOkgCiB+ov4O/xmRNHwJWCk/qzU6X/M9YtMXzAa5mjwDvcHSAizFD3a3Fv68G1VsmRZ0THLrRKM/WOxrWNZoimSNgyjTzoCwiKeckvL5+hpNcNSW+eBPt
      git.vshn.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO9EkPcVdsz/oVTI2VJkBlq8Mv/dg3rhcbgzAEKyiwUG

auth_delegation

type

dict
default

{}

A list of subjects that will be allowed to review cluster tokens. The component will create a ClusterRoleBinding that assigns the system:auth-delegator ClusterRole to the given subjects.

This can be used to enable one or more subjects to authenticate to an externally running vault instance. The example below will allow any service account in the lieutenant namespace to authenticate to vault.

auth_delegation:
  lieutenant-sa:
    apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
    namespace: lieutenant

Any listed subject will be able to create SubjectAccessReviews, which means they will be able to deduce all RBAC rules on the cluster.

tenant_template

type

dict
default

null

This parameter allows users to deploy a TenantTemplate object called default. If the parameter is null, the TenantTemplate object won’t be created. The contents of the parameter are used for field spec of the object without any processing or validation.

See TenantSpec for supported fields.