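catalog:
  image:
    repository: quay.io/lakekeeper/catalog
    # Pinned to an exact release tag so a redeploy cannot silently pull a
    # different build; bump deliberately and review the changelog.
    tag: v0.9.3
    pullPolicy: IfNotPresent

  replicaCount: 1

  # Environment passed to the catalog container (LAKEKEEPER__* settings).
  # NOTE(review): the OIDC issuer and audience are also declared below under
  # auth.oauth2 — keep the two in sync (or drop whichever the chart ignores)
  # so a later edit cannot leave them pointing at different issuers.
  config:
    LAKEKEEPER__OPENID_PROVIDER_URI: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
    # Tokens are accepted only when their `aud` claim carries this value;
    # a token minted for some other Keycloak client is rejected.
    LAKEKEEPER__OPENID_AUDIENCE: "lakekeeper"
    LAKEKEEPER__UI__OPENID_CLIENT_ID: "lakekeeper"
    LAKEKEEPER__UI__OPENID_SCOPE: "openid profile lakekeeper"

  # Warehouse/storage credentials are stored in the catalog's own Postgres
  # database rather than an external secret manager, so anyone who can read
  # that database (or its backups) can read them.
  # NOTE(review): nothing in this file configures at-rest encryption for those
  # stored secrets — confirm whether the chart/app requires a key for this
  # backend and, if so, supply it from a Kubernetes Secret, never inline here.
  secrets:
    backend: "postgres"

  # Cluster-internal only; external traffic enters through the TLS ingress
  # below, so the catalog is never reachable over plain HTTP from outside.
  service:
    type: ClusterIP
    port: 8080

  # Liveness and readiness both probe /health on the named "http" port;
  # readiness is tighter so an unhealthy pod leaves the Service quickly.
  probes:
    liveness:
      enabled: true
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 30
      periodSeconds: 10
    readiness:
      enabled: true
      httpGet:
        path: /health
        port: http
      initialDelaySeconds: 5
      periodSeconds: 5

  # Resource limits (based on Goldilocks/VPA recommendations, rounded to clean
  # values). Limits bound the damage a misbehaving or compromised process can
  # do to co-tenants on the node.
  resources:
    requests:
      cpu: 50m
      memory: 128Mi
    limits:
      cpu: 100m
      memory: 256Mi

  # Pod-level security context targeting the Pod Security Standards
  # "restricted" profile: non-root UID/GID, default seccomp, and volumes
  # group-owned by 1000.
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    # Only re-own a volume when its root is not already owned by fsGroup;
    # avoids a recursive chown on every start.
    fsGroupChangePolicy: OnRootMismatch
    seccompProfile:
      type: RuntimeDefault

  containerSecurityContext:
    allowPrivilegeEscalation: false
    # Left writable: the restricted profile does not require a read-only
    # root, but setting this to true (with emptyDir mounts for any paths the
    # catalog writes) would shrink the blast radius of a container compromise.
    # TODO(review): test with readOnlyRootFilesystem: true before enabling.
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL

  # Apply database schema migrations as part of the deploy.
  dbMigrations:
    enabled: true

  # Ingress configuration
  ingress:
    enabled: true
    annotations:
      # Legacy annotation kept alongside ingressClassName for Traefik
      # versions that only honour the annotation.
      kubernetes.io/ingress.class: traefik
      # Bind to the TLS entrypoint only, so bearer tokens never travel over a
      # plain-HTTP router.
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    ingressClassName: traefik
    # Quoted: the template engine expands this before YAML parsing, but an
    # unquoted value beginning with "{{" is read as a flow mapping if the file
    # is ever parsed un-rendered (linters, dry-runs).
    host: "{{ .Env.LAKEKEEPER_HOST }}"
    path: ""
    tls:
      enabled: true
      # NOTE(review): nothing in this file creates this Secret — confirm the
      # issuer (cert-manager or otherwise) is in place, or TLS termination
      # will fail or fall back to a default certificate.
      secretName: lakekeeper-tls

  # Authentication: bearer tokens must be issued by this Keycloak realm and
  # carry the "lakekeeper" audience. Must agree with the config.* values above.
  auth:
    oauth2:
      providerUri: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}"
      audience: "lakekeeper"

  # Authorization: "allowall" grants every *authenticated* identity full
  # rights over every warehouse, namespace and table — authentication is the
  # only gate, and any user the realm can log in is an administrator here.
  # Acceptable for a single-team or dev cluster; switch to a policy-based
  # authz backend supported by the chart before onboarding users outside the
  # trusted group.
  authz:
    backend: "allowall"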
# Bundled PostgreSQL subchart is switched off: the catalog talks to the
# externally managed cluster configured under externalDatabase.
postgresql:
  enabled: false
# Connection to the externally managed PostgreSQL cluster.
externalDatabase:
  type: postgres
  database: lakekeeper
  port: 5432
  # Both endpoints currently target the primary's read-write service.
  # NOTE(review): if the cluster exposes a read-only replica service, host_read
  # could use it to keep reads off the primary — but only once replicas exist,
  # or reads fail when that service has no endpoints.
  host_read: postgres-cluster-rw.postgres
  host_write: postgres-cluster-rw.postgres
  # Credentials come from a pre-existing Kubernetes Secret, never inline here.
  # `user` is the plain fallback; presumably the Secret's "username" key wins
  # when both are set — confirm against the chart template.
  user: lakekeeper
  userSecret: lakekeeper-database-secret
  userSecretKey: username
  passwordSecret: lakekeeper-database-secret
  passwordSecretKey: password
  # NOTE(review): no TLS/sslmode is configured here — confirm the chart or the
  # application enforces an encrypted connection to Postgres, otherwise the
  # password and every stored warehouse secret cross the cluster network in
  # the clear.