Parameters

The parent key for all of the following parameters is patch_operator.

`namespace`

type	string
default	`syn-patch-operator`

The namespace in which to deploy this component.

`patch_serviceaccount`

This parameter allows users to customize the default service account which is managed by the component for any patches created through the component library.

`patch_serviceaccount.name`

type	string
default	`patch-sa`

The name of the service account.

`patch_serviceaccount.cluster_role`

type	dict
default	`cluster-admin`

The name of the cluster role to grant the ServiceAccount.

`external_certificates`

type	dict
default	`{}`

This parameter allows users to configure their own externally generated certificates for the patch-operator’s webhook and metrics endpoints. Supported keys are tls.key, tls.crt and ca.crt. The component will generate secrets with type kubernetes.io/tls and the provided keys. If key ca.crt is missing, the component assumes that tls.crt is a self-signed certificate.

The certificate must be provided directly in the hierarchy, rather than as a secret reference.

When field tls.crt or ca.crt are provided as secret references, the component will generate invalid admission webhook configurations if the certificates are provided as PEM-encoded. To get valid admission webhook configs with secret references, the certificates would have to be base64-encoded PEM-encoded certificates. However, by base64-encoding the certificates in Vault, we’d get an invalid certificate secret, since we always emit the secrets with the certificate values in field stringData.

`charts`

type	dict
default	See `class/defaults.yml`

The Helm charts used by the component.

`helm_values`

type	dict
default	`enableCertManager: true`

The Helm values to use to render the patch-operator helm chart.

We enable cert-manager integration for the admission webhook serving certificates by default.

If you install the component on a cluster which doesn’t have cert-manager installed, please disable this value and ensure webhook serving certificates are made available through parameter external_certificates.

`monitoring_enabled`

type	bool
default	`true`

On OpenShift 4, the component sets label openshift.io/cluster-monitoring=true on the namespace, so that the patch operator ServiceMonitor object is picked up by the OpenShift 4 cluster monitoring stack. The component generates a PrometheusRule object with alerts as defined in alerts.

`alerts`

type

dict

defaults

See class/defaults.yml

example

BadThingsHappening:
  enabled: true
  rule:
    annotations:
      description: Bad things have been happening on {{$labels.node}} for more than 10 minutes.
      message: Bad things have been happening on {{$labels.node}} for more than 10 minutes.
      runbook_url: https://hub.syn.tools/patch-operator/runbooks/BadThingsHappening.html
    expr: |
      bad_thing_happening == 1
    for: 10m
    labels:
      severity: warning

alerts defines the alerts to be installed. The dictionary key is used as the name of the alert. Note that alerts is ignored if monitoring_enabled is set to false.

`alerts.<name>.enabled`

type

bool

Defines whether to install the alert.

`alerts.<name>.rule`

type

dict

Holds the configuration of the alert rule.

See Prometheus Alerting Rules for details.