cluster-service/deploy/values.yaml (103 lines of code) (raw):
# Core service settings: service account, debug/profiling cap, runtime mode,
# cluster expiration policy, image coordinates, logging and replica count.
# service account name
serviceAccountName: clusters-service
# TODO: This parameter isn't currently used, but kept to avoid failures in the
# execution of saasherder. It will be removed once the version of the service
# that doesn't use it is deployed to all environments.
debugPort: ""
# Maximum allowed duration for /debug/pprof/ profiling requests, e.g. "30s" or "5m". "0" means no limit.
# Keep this finite: with "0" a profiling request is not time-bounded.
# NOTE(review): how /debug/pprof/ is exposed is not visible in this file; confirm it is not reachable by untrusted clients.
debugMaxDuration: "5m"
# Sets the runtime configuration mode for CS.
runtimeMode: "aro-hcp"
# Default expiration time assigned to any newly created cluster (e.g. 45m or 72h). 0 means no expiration.
defaultExpiration: "0"
# Maximum expiration duration possible for any newly created cluster (e.g. 72h means the expiration date cannot be greater than 72h). 0 means no maximum expiration value possible.
maximumExpiration: "0"
# Duration since cluster creation after which the first notification for stale cluster should be sent.
firstStaleClusterNotification: "24h" # 1 day
# Duration since cluster creation after which the second notification for stale cluster should be sent.
secondStaleClusterNotification: "600h" # 25 days
# Duration after which a stale cluster can be cleaned up.
staleClusterAutocleanupWindow: "720h" # 30 days
# Image Registry
imageRegistry: ""
# Image Repository
imageRepository: ""
# Image Digest
# Empty by default, so each deployment has to supply it.
# NOTE(review): presumably the image is referenced by this digest rather than by a mutable tag; confirm in the templates.
imageDigest: ""
# log verbosity level
# NOTE(review): the default is "debug"; confirm production overrides it and that debug output never contains tokens or credentials.
logLevel: "debug"
# Number of replicas of the service to run.
replicas: 1
# Authentication and gateway endpoints. The localhost / 127.0.0.1 values look
# like placeholders that each environment overrides; TODO confirm.
# Location of the JSON web key set used to verify tokens.
# The default is plain http. The key set decides which tokens are accepted, so
# a real deployment should fetch it over https from the trusted issuer.
jwksUrl: "http://localhost"
# Location of the service that issues JSON web tokens.
# Same caveat as jwksUrl: use an https URL outside local testing.
tokenUrl: "http://localhost"
# Disable TLS certificate verification on authentication.
# This is a quoted string, not a YAML boolean. Leave it at "false" outside
# local testing: with verification disabled the identity of the authentication
# endpoints is not checked.
insecure: "false"
# The URL of the gateway.
gatewayUrl: "http://127.0.0.1:9090"
# Level of access that an app can request to a resource.
# Keep this to the minimum set of scopes the service needs.
clientScopes: "openid"
# Environment, Backplane, provisioning limits, migration, batch processing,
# DNS base domain and OpenShift image registry settings.
# Environment associated with this instance.
environment: ""
# The URL of the Backplane API which is exposed via an endpoint and is dynamically consumed by the Backplane CLI.
# Backplane CLI expects a URL with the following format https://api.<OCM environment>.backplane.<domain>
# The <domain> part is specific to each deployment environment. The <OCM environment> part is optional.
# Note: this is defaulted to empty string and should be overridden in fedramp app-interface.
# This being an empty string, CS will send an empty string back via the /environment endpoint,
# thus making the Backplane CLI fall back to checking whether the backplane user has the environment variable BACKPLANE_URL set and using it instead.
backplaneURL: ""
# Provision shard limit of managed clusters.
provisionShardClusterLimit: "500"
# If not empty clears the dirty flag and forces the given migration version.
# Leave empty in normal operation: a non-empty value overrides the dirty-flag
# safeguard, so it should only be set deliberately for a single recovery.
forceMigration: ""
# If set to true, a cluster error will trigger a report.
clusterErrorReport: "false"
# Period between executions of day-1 machine pool migration worker. Useful time units are "m" or "h".
machinePoolMigrationWorkerPeriod: "1h"
# The name of the DNS base domain for creating user defined domains.
# Note: this is defaulted to a commercial value. This should be overridden in fedramp app-interface.
userDefinedDnsBaseDomain: "i1.devshift.org"
# Signals batch processes step to run in dry run.
# The default is "true" (dry run).
# NOTE(review): presumably nothing is modified until this is set to "false"; confirm in the service.
batchProcessesDryRun: "true"
# Date identification of each batch process expected to be run. Comma separated sequence.
batchProcesses: ""
# The URL of the Azure Container Registry where the OpenShift images are stored.
ocpAcrURL: ""
# The resource ID of the Azure Container Registry where the OpenShift images are stored.
ocpAcrResourceId: ""
# Container resource requests and limits for the service.
#
# These limits are based on the metrics collected in the production environment
# over the last year. In particular the following Prometheus queries were used
# to obtain the values:
#
# - For the memory request:
#
#   max(
#     quantile_over_time(
#       0.5,
#       container_memory_usage_bytes{
#         cluster="app-sre",
#         namespace="uhc-production",
#         pod_name=~"^clusters-service-.*$",
#         container_name="service"
#       }
#       [1w]
#     )
#   )
#
# The result was exactly 88322048. Added a margin of 25% and rounded up to a
# multiple of 50 MiB which results in 150 MiB.
#
# - For the memory limit:
#
#   max(
#     max_over_time(
#       container_memory_usage_bytes{
#         cluster="app-sre",
#         namespace="uhc-production",
#         pod_name=~"^clusters-service-.*$",
#         container_name="service"
#       }
#       [1w]
#     )
#   )
#
# The result was exactly 131502080. Added a margin of 25% and rounded up to a
# multiple of 50 MiB which results in 200 MiB.
#
# - For the CPU request:
#
#   max(
#     quantile_over_time(
#       0.5,
#       pod_name:container_cpu_usage:sum{
#         cluster="app-sre",
#         namespace="uhc-production",
#         pod_name=~"^clusters-service-.*$"
#       }
#       [1w]
#     )
#   )
#
# The result was exactly 0.03117216095926307. Added a margin of 25% and rounded
# up to a multiple of 0.05 cores, which results in 0.05 cores.
#
# - For the CPU limit:
#
#   max(
#     max_over_time(
#       pod_name:container_cpu_usage:sum{
#         cluster="app-sre",
#         namespace="uhc-production",
#         pod_name=~"^clusters-service-.*$"
#       }
#       [1w]
#     )
#   )
#
# The result was exactly 0.2380057350296368. Added a margin of 25% and rounded
# up to a multiple of 0.05 cores, which results in 0.3 cores.
#
# NOTE(review): the requests below match the derivation above (150 MiB and
# 0.05 cores), but the limits do not: the derivation gives 200 MiB and
# 0.3 cores, while the configured limits are "1Gi" and "1". The derivation
# text appears to be stale for the limits; confirm which values are intended.
# Memory request.
memoryRequest: "150Mi"
# Memory limit.
memoryLimit: "1Gi"
# CPU request.
cpuRequest: "50m"
# CPU limit.
cpuLimit: "1"
# Azure identity, Key Vault, database connection security and OIDC issuer
# settings. Most values are empty here and have to be supplied per deployment.
# Client ID for the CS managed identity.
azureCsMiClientId: ""
# Azure region the CS instance is running in.
region: "westus3"
# The client id of the first party application identity.
azureFirstPartyApplicationClientId: ""
# The name of the Key Vault containing keys, secrets and certificates used to support services running on the service cluster.
serviceKeyVaultName: ""
# The Tenant ID of service cluster.
tenantId: ""
# The name of the secret that contains the first party application certificate bundle.
# This is the name of the secret only; the certificate material itself is not stored in this file.
fpaCertName: ""
# If set to true the connection to the database is performed without TLS.
# Quoted string, not a YAML boolean. Keep it at "false" wherever the database
# is reached over a network: without TLS the credentials and query data
# travel unencrypted.
databaseDisableTLS: "false"
# Authentication method to use when connecting to the database. Accepted values are 'az-entra', 'postgres'
databaseAuthMethod: "az-entra"
# URL of the storage account blob service, e.g. https://<storage-account>.blob.core.windows.net/
oidcIssuerBlobServiceUrl: ""
# OIDC base issuer URL, e.g. https://<storage-account>.z1.web.core.windows.net/
oidcIssuerBaseUrl: ""
# The client id of the service principal that represents the ARM Helper Identity.
azureArmHelperIdentityClientId: ""
# The name of the secret that contains the ARM Helper Identity certificate bundle.
azureArmHelperIdentityCertName: ""
# NOTE(review): the "mock" identities below are presumably meant for
# development environments only; confirm that production leaves them empty.
# The principal id of the service principal that represents the mock first party application identity.
azureArmHelperMockFpaPrincipalId: ""
# The name of the secret that contains the mock managed identities certificate bundle.
azureMiMockServicePrincipalCertName: ""
# The client id of the mock managed identities service principal.
azureMiMockServicePrincipalClientId: ""
# The principal id of the mock managed identities service principal.
azureMiMockServicePrincipalPrincipalId: ""
# Details for a provisioning shard
# NOTE(review): in this listing the child keys sit at column 0. They are
# presumably indented under `shard:` in the real file; confirm, because at
# column 0 they would parse as top-level keys and `shard` itself would be null.
# Where the shard mapping ends is also not visible in this listing.
shard:
consumerName: ""
zoneResourceId: ""
# Key Vault URLs; empty here, so they have to be supplied per deployment.
cxSecretsKeyVaultUrl: ""
cxMiKeyVaultUrl: ""
maestroRestUrl: ""
# NOTE(review): the key is spelled "Grp" (presumably gRPC); renaming it would
# break whatever reads it, so it is kept as is.
maestroGrpUrl: ""
# OCM client credentials and PostgreSQL connection settings.
#
# The credential values in this block ("foo", "bar" and the database password)
# are committed defaults and therefore publicly known. Treat them as
# placeholders for the in-cluster database used when deployLocalDatabase is
# true; any shared or production environment must override them from a
# secret store rather than from a values file.
# ocm client id
clientId: "foo"
# ocm secret
clientSecret: "bar"
# If true an in cluster database will be deployed.
# NOTE(review): the default is true, together with the default password below;
# confirm that non-development environments set this to false.
deployLocalDatabase: true
# The name of the K8s secret where CS DB connection information is placed
databaseK8sSecretName: "ocm-cs-db"
# The hostname of the postgres server/service. It can be a K8s service name
databaseHost: "ocm-cs-db"
# Username for PostgreSQL user that will be used for accessing the database.
databaseUser: "ocm"
# Password for the PostgreSQL connection user.
# Committed default; never reuse it for a database that holds real data.
databasePassword: "TheBlurstOfTimes"
# Name of the PostgreSQL database accessed.
databaseName: "ocm-cs-db"
# Host port
databasePort: "5432"
# The name of the managed identities data plane audience resource.
# NOTE(review): "https://dummy.org" looks like a placeholder; confirm every
# deployment overrides it with the real audience.
managedIdentitiesDataPlaneAudienceResource: "https://dummy.org"
# The Azure Operator Managed Identities.
# One entry per operator, each with the name and id of a role. All are empty
# here and have to be supplied per deployment.
# NOTE(review): presumably these are the Azure role definitions bound to each
# operator's managed identity; confirm in the templates, and keep each role
# scoped to what that operator needs.
# NOTE(review): in this listing every key sits at column 0. The operator keys
# are presumably nested under `azureOperatorsMI:` and each roleName/roleId
# pair under its operator; confirm, because at column 0 the repeated
# roleName/roleId keys would be duplicate top-level keys.
azureOperatorsMI:
clusterApiAzure:
roleName: ''
roleId: ''
controlPlane:
roleName: ''
roleId: ''
cloudControllerManager:
roleName: ''
roleId: ''
ingress:
roleName: ''
roleId: ''
diskCsiDriver:
roleName: ''
roleId: ''
fileCsiDriver:
roleName: ''
roleId: ''
imageRegistry:
roleName: ''
roleId: ''
cloudNetworkConfig:
roleName: ''
roleId: ''
kms:
roleName: ''
roleId: ''
# Pull binding configuration for ACR Pull Operator
# NOTE(review): in this listing the child keys sit at column 0. They are
# presumably nested under `pullBinding:` (and address/exporter under
# `tracing:`) in the real file; confirm against the original indentation.
pullBinding:
# Registry and scope the binding applies to; empty here.
# NOTE(review): presumably scope limits which repositories can be pulled;
# confirm, and keep it as narrow as the workload allows.
registry: ""
scope: ""
# Client and tenant id of the workload identity used for the pull binding.
workloadIdentityClientId: ""
workloadIdentityTenantId: ""
# Tracing settings; both values are empty by default.
# NOTE(review): presumably tracing is disabled while these are empty; confirm.
tracing:
address: ""
exporter: ""