-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathvalues.yaml
187 lines (163 loc) · 6.53 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# Default values for cortex.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: thehiveproject/cortex
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# Cortex's entrypoint script has to run as root because it chowns
# some stuff while starting up. This could perhaps be changed for
# the better in the case of Kubernetes by using an InitContainer,
# but at this writing that hasn't happened yet. In any case, the
# serving process does not run as root.
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 9001
ingress:
enabled: true
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: cortex.example.com
paths: []
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
# If no elasticsearch method is enabled, local indexing will be used;
# see localIndexStorage below.
elasticsearch:
# Elasticsearch set up outside this chart using Elastic Cloud on
# Kubernetes (ECK)
eck:
# If true, names of resources (e.g. secrets, services) used will
# all be formed using the name below, unless you override them.
enabled: false
# Specify the name of the Elasticsearch custom resource, which
# must have been successfully created before using this chart.
name: ""
# Elasticsearch set up outside this chart, with less
# assumptions. You will need to set more values; read on below.
external:
# Set this to true if you have an Elasticsearch server or cluster
# that was not set up with ECK. You'll need to set other
# elasticsearch.* values.
enabled: false
# If ECK is used, you don't need to mess with the rest of these.
# -----------------------------------------------------------------
#
# Username to use when connecting to Elasticsearch.
username: elastic
# The name of an opaque secret, whose data is a mapping (dictionary,
# object) with the username as key and the password as value. If ECK
# is enabled, the default is the secret created by ECK. If ECK is
# not enabled, this must be set.
userSecret: ""
# Where to reach the Elasticsearch cluster. Probably
# "https://something:9200". If ECK is enabled, the default is the
# service created by ECK.
url: ""
# If true, this chart expects to tell Cortex a CA cert to trust when
# connecting to Elasticsearch. If ECK is enabled, this has to be set
# to true. If ECK is not enabled and this is set to true, you need
# to provide a CA certificate using the caCertSecret or caCert
# values.
tls: true
# The name of a Kubernetes Secret object containing a CA cert to
# trust when connecting to Elasticsearch using HTTPS. The secret
# should contain a mapping with a key, named by
# `caCertSecretMappingKey`, whose value is the PEM-encoded cert. If
# ECK is enabled, the default is the appropriate secret created by
# ECK. If ECK is not enabled, and this is not set, a Secret will be
# created using the `caCert` value below. N.B. despite the
# juxtaposition of the words `caCert` and `Secret`, the private key
# of the certificate authority is far from what we are talking about
# here.
caCertSecret: ""
# The name of the key inside the caCertSecret, whose value is the
# PEM-encoded cert. N.B. despite the juxtaposition of the words
# `caCert` and `Secret`, the private key of the certificate
# authority is far from what we are talking about here.
caCertSecretMappingKey: "ca.crt"
# A PEM-encoded certification authority certificate to trust when
# connecting to Elasticsearch. Used to construct a Secret in cases
# where ECK is not enabled, `tls` is enabled, and `caCertSecret` is
# not set.
caCert: ""
# Cortex sends inputs to analyzers and receives reports back via a
# persistent volume it shares with the jobs. These are the parameters
# for that filesystem. It's created with the ReadWriteMany access
# mode, which tells the cluster that both the Cortex pod and the
# analyzer/responder job pod will need to be able both to read and
# write this volume. Far fewer storage drivers support this mode than
# ReadWriteOnce, but at least one should support you. You may have to
# manually create the PersistentVolume that backs this claim.
jobIOStorage:
pvc:
enabled: true
storageClass: default
size: 10Gi
# Secrets containing CA certs to trust when Cortex makes outgoing TLS
# connections. Each Secret named here should contain a key "ca.crt"
# whose value is the PEM-encoded CA certificate.
trustRootCertsInSecrets: []
# CA certs to trust when Cortex makes outgoing TLS connections. This
# chart will create Secrets containing the certs. Each item should be
# the text of a single PEM-encoded certificate.
trustRootCerts: []
analyzerURLs:
- "https://download.thehive-project.org/analyzers.json"
responderURLs:
- "https://download.thehive-project.org/responders.json"
# Provide extra pieces of Cortex configuration in this map. Keys will
# be used as filenames; values as the contents of the respective
# files. An include directive for each file given here will be written
# in the main configuration file. The file contents will be stored in
# a secret, so it is OK to put secrets like API keys in here. In
# particular, connections to Cortex instances should be configured
# here as extras.
extraCortexConfigurations: {}