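## =============================================================================
## Full Values — NICo Bare Metal Manager
## =============================================================================
## Comprehensive example showing all configurable values with documentation.
## Copy and modify this file for your environment.
## See PREREQUISITES.md for required Secrets, ConfigMaps, and operators.
##
## Install with: helm install nico ./helm -n nico-system --create-namespace -f values-full.yaml
## =============================================================================

global:
  ## Container image for NICo core services (REQUIRED)
  ## Tag is pinned to a release; do not switch it to a mutable tag such as :latest.
  image:
    repository: "your-registry.example.com/nico-core"
    tag: "v2025.12.30"
    pullPolicy: IfNotPresent

  ## Image pull secrets for private registries
  imagePullSecrets:
    - name: my-registry-secret

  ## cert-manager Certificate defaults for all services
  certificate:
    duration: 720h0m0s
    renewBefore: 360h0m0s
    privateKey:
      algorithm: ECDSA
      size: 384
    issuerRef:
      kind: ClusterIssuer
      name: vault-nico-issuer
      group: cert-manager.io

  ## SPIFFE trust domain for mTLS between services.
  ## Must agree with `spiffe_trust_domain` in the nico-bmc-proxy config below.
  spiffe:
    trustDomain: nico.local

  ## Common labels applied to all resources
  labels:
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: site-controller

## ---------------------------------------------------------------------------
## nico-api — Core API server
## ---------------------------------------------------------------------------
nico-api:
  enabled: true
  replicas: 1
  resources:
    limits:
      cpu: 3
      memory: 32Gi
    requests:
      cpu: 1500m
      memory: 8Gi

  ## Boot-artifact init containers — volume mount at /forge-boot-artifacts/blobs/internal
  ## is auto-injected by the template.
  ## NOTE(review): `:latest` is a mutable tag, so the boot material copied in
  ## here can change between pod restarts with no change to these values. Pin
  ## an immutable tag or a digest (`image@sha256:<digest>`) in production so
  ## the artifacts later served over PXE are reproducible and auditable. This
  ## list is duplicated under nico-pxe.bootArtifacts — keep the two in sync.
  bootArtifactContainers:
    - name: boot-artifacts-x86-64
      image: "your-registry.example.com/boot-artifacts-x86_64:latest"
      command: ["sh", "-c", "cp -r /x86_64 /forge-boot-artifacts/blobs/internal"]
    - name: boot-artifacts-aarch64
      image: "your-registry.example.com/boot-artifacts-aarch64:latest"
      command: ["sh", "-c", "cp -r /aarch64 /apt /forge-boot-artifacts/blobs/internal"]
    - name: machine-validation-config
      image: "your-registry.example.com/machine-validation-config:latest"
      command: ["sh", "-c", "cp -r /machine-validation /forge-boot-artifacts/blobs/internal"]

  ## Plain environment variables (values are quoted so they stay strings)
  env:
    VAULT_PKI_ROLE_NAME: "nico-cluster"
    RUST_BACKTRACE: "full"
    RUST_LIB_BACKTRACE: "0"

  ## OAuth2/SSO authentication — configure via extraEnv
  ## These are not built into the chart to keep it auth-provider agnostic.
  ## The client secret is read from a Kubernetes Secret via secretKeyRef —
  ## never inline it as a `value:` here. NICO_WEB_ALLOWED_ACCESS_GROUPS is
  ## presumably the group allow-list that gates UI access; keep it to the
  ## groups that actually need it.
  extraEnv:
    - name: NICO_WEB_AUTH_TYPE
      value: "oauth2"
    - name: NICO_WEB_OAUTH2_AUTH_ENDPOINT
      value: "https://login.example.com/oauth2/v2.0/authorize"
    - name: NICO_WEB_OAUTH2_TOKEN_ENDPOINT
      value: "https://login.example.com/oauth2/v2.0/token"
    - name: NICO_WEB_OAUTH2_CLIENT_ID
      value: "your-oauth2-client-id"
    - name: NICO_WEB_OAUTH2_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: azure-sso-nico-web-client-secret
          key: client_secret
    - name: NICO_WEB_ALLOWED_ACCESS_GROUPS
      value: "nico-admins,nico-operators"

  ## NICo Web UI hostname
  hostname: "nico.example.com"

  ## Site-specific config overrides (TOML fragment passed through verbatim)
  siteConfig:
    enabled: true
    nicoApiSiteConfig: |
      dhcp_servers=["nico-dhcp.nico-system.svc.cluster.local:67"]
      route_servers=[]

  ## Create Vault and DB ConfigMaps from values (alternative to external ConfigMaps).
  ## Only non-secret connection metadata belongs here; credentials come from Secrets.
  vaultClusterInfo:
    VAULT_SERVICE: "https://vault.example.com"
    NICO_VAULT_MOUNT: "secrets"
    NICO_VAULT_PKI_MOUNT: "nicoca"
  databaseConfig:
    DB_HOST: "postgresql.nico-system.svc.cluster.local"
    DB_PORT: "5432"
    DB_NAME: "nico"

  ## External LoadBalancer (for MetalLB or similar).
  ## externalTrafficPolicy: Local preserves the client source IP for logging/audit.
  externalService:
    enabled: true
    type: LoadBalancer
    externalTrafficPolicy: Local
    annotations:
      metallb.universe.tf/loadBalancerIPs: "10.0.0.10"

  serviceMonitor:
    enabled: true
    interval: 30s
    scrapeTimeout: 25s

## ---------------------------------------------------------------------------
## nico-dhcp — DHCP server
## ---------------------------------------------------------------------------
nico-dhcp:
  enabled: true
  replicas: 1

  ## kea-dhcp4 configuration — structured shape (chart assembles JSON).
  ## See helm/charts/nico-dhcp/values.yaml for every supported field and
  ## the matching kea JSON key. For full per-site override (multiple
  ## hooks, custom logger destinations, advanced lease backends), set
  ## `config.keaConfigJsonRaw` to a complete kea_config.json string
  ## instead — the structured `kea:` block is then ignored.
  config:
    enabled: true
    kea:
      ## libdhcp hook parameters — these are the IPs the DHCP server
      ## advertises to PXE clients (DPUs / bare-metal hosts).
      ## CRITICAL: replace each placeholder with a real IP the client
      ## can reach (typically MetalLB LoadBalancer IPs of nico-dns /
      ## site NTP / nico-pxe). Leaving 127.0.0.1 breaks DPU pre-ingestion.
      ## In this example file the values line up with the LB IPs assigned
      ## below (nico-dns pod-0 = 10.0.0.20, nico-pxe = 10.0.0.40); keep them
      ## consistent when you change either side.
      hookParameters:
        nameservers: "10.0.0.20"  # EXAMPLE — replace with nico-dns LB IP
        ntpServer: "10.0.0.30"  # EXAMPLE — replace with site NTP IP(s), comma-separated for multi
        provisioningServer: "10.0.0.40"  # EXAMPLE — replace with nico-pxe LB IP
        # nicoApiUrl: ""  # leave empty to derive https://<apiServiceName>.<ns>.svc.cluster.local:1079
        # nicoMetricsEndpoint: "[::]:1089"  # chart default

      ## Subnets the DHCP server serves leases on.
      ## Keep the lease pool disjoint from the static LoadBalancer IPs used
      ## elsewhere in this file (10.0.0.10–10.0.0.40) to avoid address clashes.
      subnet4:
        - subnet: "10.0.0.0/24"
          pools:
            - "10.0.0.100-10.0.0.200"

      ## All other kea-dhcp4 fields below default to sensible values and
      ## can usually be omitted. Shown here for completeness.
      # interfacesConfig:
      #   interfaces: ["eth0"]
      #   dhcpSocketType: udp
      # leaseDatabase:
      #   type: memfile
      #   lfcInterval: 3600
      # matchClientId: false
      # authoritative: true
      # renewTimer: 900
      # rebindTimer: 1800
      # validLifetime: 3600
      # declineProbationPeriod: 900
      # hookLibraryPath: /usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp.so
      # additionalHooksLibraries: []
      # loggers:
      #   - name: kea-dhcp4
      #     severity: INFO
      #   - name: kea-dhcp4.hooks
      #     severity: INFO
      #   - name: kea-dhcp4.nico-rust
      #     severity: INFO

  externalService:
    enabled: true
    type: LoadBalancer
    annotations:
      metallb.universe.tf/loadBalancerIPs: "10.0.0.11"

## ---------------------------------------------------------------------------
## nico-dns — Authoritative DNS
## ---------------------------------------------------------------------------
nico-dns:
  enabled: true
  replicas: 2
  ## One LoadBalancer IP per pod; the list length should match `replicas`.
  externalService:
    enabled: true
    type: LoadBalancer
    perPodAnnotations:
      - metallb.universe.tf/loadBalancerIPs: "10.0.0.20"  # pod-0
      - metallb.universe.tf/loadBalancerIPs: "10.0.0.21"  # pod-1

## ---------------------------------------------------------------------------
## nico-dsx-exchange-consumer — DSX Exchange consumer
## ---------------------------------------------------------------------------
nico-dsx-exchange-consumer:
  enabled: true
  replicas: 1
  serviceMonitor:
    enabled: true
    interval: 30s
    scrapeTimeout: 25s

## ---------------------------------------------------------------------------
## nico-hardware-health — Hardware health metrics
## ---------------------------------------------------------------------------
nico-hardware-health:
  enabled: true
  replicas: 1
  serviceMonitor:
    enabled: true
    interval: 30s
    scrapeTimeout: 25s
  ## Optional: scrape /telemetry for per-endpoint sensor gauges (high cardinality).
  telemetryServiceMonitor:
    enabled: false
    interval: 30s
    scrapeTimeout: 25s

## ---------------------------------------------------------------------------
## nico-pxe — PXE boot server
## ---------------------------------------------------------------------------
nico-pxe:
  enabled: true
  replicas: 1
  bootArtifacts:
    servePath: /forge-boot-artifacts
    ## Same init containers as nico-api.bootArtifactContainers; the same
    ## NOTE(review) applies — `:latest` is mutable, pin a tag or digest in
    ## production since these files are what PXE clients boot from.
    bootArtifactContainers:
      - name: boot-artifacts-x86-64
        image: "your-registry.example.com/boot-artifacts-x86_64:latest"
        command: ["sh", "-c", "cp -r /x86_64 /forge-boot-artifacts/blobs/internal"]
      - name: boot-artifacts-aarch64
        image: "your-registry.example.com/boot-artifacts-aarch64:latest"
        command: ["sh", "-c", "cp -r /aarch64 /apt /forge-boot-artifacts/blobs/internal"]
      - name: machine-validation-config
        image: "your-registry.example.com/machine-validation-config:latest"
        command: ["sh", "-c", "cp -r /machine-validation /forge-boot-artifacts/blobs/internal"]
  externalService:
    enabled: true
    type: LoadBalancer
    externalTrafficPolicy: Local
    annotations:
      metallb.universe.tf/loadBalancerIPs: "10.0.0.40"

## ---------------------------------------------------------------------------
## nico-ssh-console-rs — SSH console proxy
## ---------------------------------------------------------------------------
nico-ssh-console-rs:
  enabled: true
  replicas: 1
  ## OpenTelemetry Collector Contrib sidecar for shipping console logs to Loki.
  ## Requires a Loki instance at http://loki.loki.svc.cluster.local:3100.
  ## If Loki is not deployed, set enabled: false to skip the sidecar.
  ## Console logs can contain whatever operators type into a session — treat
  ## the Loki tenant that receives them as sensitive.
  lokiLogCollector:
    enabled: true
    image:
      repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector-contrib
      tag: "0.81.0"
  externalService:
    enabled: true
    type: LoadBalancer
    annotations:
      metallb.universe.tf/loadBalancerIPs: "10.0.0.13"

## ---------------------------------------------------------------------------
## unbound — Recursive DNS resolver
## ---------------------------------------------------------------------------
unbound:
  enabled: true
  image:
    repository: "your-registry.example.com/unbound"
    tag: "1.21.1"
    pullPolicy: IfNotPresent
  exporterImage:
    repository: "your-registry.example.com/unbound-exporter"
    tag: "0.4.6"
    pullPolicy: IfNotPresent

  ## Configure upstream DNS forwarders (unbound.conf syntax, passed verbatim).
  ## NOTE(review): these are plain, unencrypted forwards to public resolvers.
  ## Sites with an egress policy or an internal resolver should point these
  ## at the site resolvers instead.
  localConfig:
    forwarders.conf: |
      forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
        forward-addr: 1.1.1.1

## ---------------------------------------------------------------------------
## nico-bmc-proxy: Authenticating BMC redfish proxy
## ---------------------------------------------------------------------------
nico-bmc-proxy:
  enabled: true
  replicas: 2

  ## Per-site proxy config (TOML, passed verbatim). `allowed_principals` is
  ## presumably the allow-list of SPIFFE service identities that may call the
  ## proxy, and `spiffe_trust_domain` must match global.spiffe.trustDomain.
  ## NOTE(review): `/default/sa/` in spiffe_service_base_paths looks like it
  ## admits identities rooted in the `default` namespace's service-account
  ## path — confirm that is intended before deploying to a real site.
  configFiles:
    enabled: true
    nicoBmcProxyConfig: |
      listen = "[::]:1079"
      metrics_endpoint = "[::]:1080"
      database_url = "postgres://replaced-by-env-var"
      allowed_principals = ["spiffe-service-id/nico-api", "spiffe-service-id/nv-dps"]
      [tls]
      identity_pemfile_path = "/var/run/secrets/spiffe.io/tls.crt"
      identity_keyfile_path = "/var/run/secrets/spiffe.io/tls.key"
      root_cafile_path = "/var/run/secrets/spiffe.io/ca.crt"
      admin_root_cafile_path = "/etc/nico/nico-bmc-proxy/site/admin_root_cert_pem"
      [auth.trust]
      spiffe_trust_domain = "nico.local"
      spiffe_service_base_paths = [
        "/nico-system/sa/",
        "/default/sa/",
      ]
      spiffe_machine_base_path = "/nico-system/machine/"
      additional_issuer_cns = []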