# General configuration

In this section we go over the generic configuration properties. These properties are defined in the config.yml.

NOTE: Further configurable properties of the config.yml can be found at the end of this chapter.

# System domain

  system_domain: demo.kube-plus.cloud
  • The system_domain property is required for the kube+ system components. All your apps and the system components themselves will run under a subdomain of it, e.g. grafana.demo.kube-plus.cloud.

In order to be able to use these domains, you need to set up the DNS accordingly. This is described in the DNS chapter.

# Auth

In this section we define the basic Keycloak and Pomerium configuration. Keycloak is an open-source identity and access management (IAM) solution. All installed system components will be integrated with Keycloak. Pomerium is an identity-aware reverse proxy that can automatically secure internal apps via OAuth2; it is integrated with Keycloak and listens on *.system_domain (every subdomain of the system domain).

  auth:
    client:
      secret: my-secret
    user:
      password: my-password
      email: user@domain-example
    admin:
      password: my-admin-password
      email: user@domain-example
    pomerium:
      cookie_secret: my-cookie-secret
      shared_secret: my-shared-secret
    additional_system_components:
    - name: my-dummy-app
      hostname: dummy-app
      endpoint: http://my-app.dummy.svc.cluster.local:8080
  • The auth.client.secret property is required and can be any random string you want (e.g. use uuidgen to generate one).
  • The auth.user.password property is required and can be randomly chosen. It's the password for the initial Keycloak user "kube-plus".
  • The auth.admin.password property is required and can be randomly chosen. It's the password for the Keycloak user "admin".
  • The auth.pomerium.cookie_secret property is required and can be randomly chosen. It's the cookie secret for the Pomerium reverse proxy.
  • The auth.pomerium.shared_secret property is required and can be randomly chosen. It's the shared secret for the Pomerium reverse proxy.
  • The auth.additional_system_components property is optional. It's for configuring any additional apps/components that you want Pomerium to reverse-proxy for you. hostname will be the subdomain of the system_domain under which the app will be reachable, in this example dummy-app.demo.kube-plus.cloud. endpoint is the cluster-local address to which Pomerium should proxy the traffic.

# ArgoCD

ArgoCD is a declarative, GitOps continuous delivery tool for Kubernetes. Within kube+ it is an optional component. Set the argocd.enabled property to false if you don't want to install this component; the default value is true.

  argocd:
    # enabled: true
    server:
      secret_key: my-secret
  • The argocd.server.secret_key property is required if ArgoCD is enabled. It can be any random string you want (e.g. you can use uuidgen to generate a key). This is an ArgoCD-internal secret and will not be visible to or used by users.

# Harbor

Harbor is an open source registry and is an optional component within kube+. Set the harbor.enabled property to false if you don't want to install this component; the default value is true.

  harbor:
    # enabled: true
    password: my-password
    csrf_key: dummy-dummy-dummy-dummy-dummy---
    secret: dummy-dummy-----
    secret_key: dummy-dummy-----
    disk_size:
      registry: 50Gi
  • The harbor.password property is required if harbor is enabled. It's the harbor admin password; choose a new one here.
  • The harbor.csrf_key property is required if harbor is enabled. It needs to be 32 characters.
  • The harbor.secret property is required if harbor is enabled. It needs to be 16 characters.
  • The harbor.secret_key property is required if harbor is enabled. It needs to be 16 characters.
  • The harbor.disk_size.registry property is optional. With that property you can change the disk size of the registry, the default value is 50Gi. You can remove these two lines entirely if you don't want to change the default.

# Let's Encrypt

Let's Encrypt provides the certificate issuance for cert-manager. This component is optional within kube+. Set the lets_encrypt.enabled property to false if you don't want to install this component; the default value is true.

  lets_encrypt:
    # enabled: true
    issuer: prod
  • The lets_encrypt.issuer property is optional. The default value is prod. It can be either prod or staging. It is only relevant if lets_encrypt is enabled.

NOTE: Override the lets_encrypt.issuer property to staging in non-production environments to avoid rate limits.

# Dashboard

Within kube+ the Dashboard is an optional component. Set the dashboard.enabled property to false if you don't want to install this component; the default value is true.

  # dashboard:
    # enabled: true
  • Set the dashboard.enabled property to false if you don't want to install this component.

# Prometheus

Prometheus is a standard component within kube+. You can instruct Prometheus to automatically scrape everything it finds on-cluster. Otherwise it would only scrape ServiceMonitors and PodMonitors. This option is optional; the default value is true.

  # prometheus:
    # scrape_everything: true
  • Set the prometheus.scrape_everything property to false if you want Prometheus to only scrape ServiceMonitors and PodMonitors.

# kpack

Kpack is a Kubernetes-native container build service that allows you to build container images from your application source code. Within kube+ kpack is an optional component. Set the kpack.enabled property to false if you don't want to install this component; the default value is true.

NOTE: kpack only works with Internet access!

  kpack:
    # enabled: true
    registry:
      # use_harbor: true
      # hostname: my.ecr.amazonaws.com
      # username: dummy-dummy
      # password: dummy-dummy
      # builder_path: kpack/builder
      # image_test_path: kpack/test_images
  • The kpack.registry.use_harbor property is optional. The default value is true. Set the value to false only if you want to use a different registry to store kpack-produced images.
  • The kpack.registry.hostname property is only required if kpack.registry.use_harbor is set to false.
  • The kpack.registry.username property is only required if kpack.registry.use_harbor is set to false.
  • The kpack.registry.password property is only required if kpack.registry.use_harbor is set to false.
  • The kpack.registry.builder_path property is only required if kpack.registry.use_harbor is set to false. It's the image storage path for kpack builder components.
  • The kpack.registry.image_test_path property is only required if kpack.registry.use_harbor is set to false. It's the image storage path for kpack test images.

# Knative

Knative is a Kubernetes-based platform to easily deploy and manage modern container workloads. Within kube+ knative is an optional component. Set the knative.enabled property to false if you don't want to install this component; the default value is true.

  # knative:
    # enabled: true
  • The knative.enabled property is optional. The default value is true. Set it to false if you don't want to use this component.

# Velero

Velero is an open source backup and restore tool. Within kube+ velero is an optional component. Set the velero.enabled property to false if you don't want to install this component; the default value is true.

  velero:
    # enabled: true
    bucket: my-bucket
    prefix: my-prefix
    # scheduled_backup:
    #   enabled: true
    #   default_volumes_to_restic: false
    #   schedule: "15 5 * * *"

NOTE: Never change these backup storage location values after installation, otherwise this will break velero and it needs a fresh install!

  • The velero.bucket property is only required if velero is enabled. Define the bucket where velero will store your backups.
  • The velero.prefix property is only required if velero is enabled. Define the prefix as folder/path for your velero backups.
  • The velero.scheduled_backup.enabled property is optional. The default value is true. It will schedule a backup of the whole Kubernetes cluster. Set it to false if you don't want a backup to be scheduled.
  • The velero.scheduled_backup.default_volumes_to_restic property is optional. It is used when velero.scheduled_backup.enabled is set to true. The default value is false, which means that the backup will be performed using volume snapshots. Set it to true if you want to use Restic instead.
  • The velero.scheduled_backup.schedule property is optional. It is used when velero.scheduled_backup.enabled is set to true. It configures when the scheduled backup will run. The default value is 15 5 * * *.

NOTE: If you install velero, you also have to configure the platform.s3 property in the Platform section below.

# Metrics

In this section of the config.yml you define whether kube+ installs a metrics server or whether your Kubernetes distribution already ships one. The default value is true. Set it to false if you don't want to use this component.

  # metrics_server:
    # enabled: true
  • The metrics_server.enabled property is optional. The default value is true. Set it to false if you don't want to use this component.

# Sealed Secrets

In this section of the config.yml you define whether kube+ installs the sealed secrets component. The default value is true. Set it to false if you don't want to use this component.

  # sealed_secrets:
    # enabled: true
  • The sealed_secrets.enabled property is optional. The default value is true. Set it to false if you don't want to use this component.

# Platform

In the platform section of the config.yml you define the platform specific properties.

NOTE: kube+ runs on any kubernetes matching the minimum requirements described in the prerequisites section Requirements.

  platform:
    kubernetes: eks
    s3: compatible
    resources:
      remove_limits: false
      remove_requests: false
  • The platform.kubernetes property is optional. The default value is eks. It can be either eks, aks, pks, kind or any other string. The first four have implications on other property requirements.
  • The platform.s3 property is only required if velero is enabled. The default value is s3. It can be either s3, azure or compatible. This property has implications on other properties.
  • The platform.resources.remove_limits property is optional. The default value is false. Change the value of this property to true if you don't want to have any resource limits for pods/containers.
  • The platform.resources.remove_requests property is optional. The default value is false. Change the value of this property to true if you don't want to have any resource requests for pods/containers.

If you use the platform.s3: "compatible" mode, you need to define the following properties in your config.yml.

  s3_compatible:
    access_key: s3-access-key
    secret_key: s3-secret-key
    url: s3-url
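As an added example (not code from the kube+ project or this page), the following Python encodes the rules from the Auth, ArgoCD, Harbor, Let's Encrypt, kpack, Velero and Platform sections, plus the internet.enabled air-gap rule from the additional properties, as a checker over an already parsed config.yml. It assumes the config has been loaded into a plain dict (e.g. with a YAML loader); the function names and messages are my own.

```python
"""Added checker for a parsed kube+ config.yml (rules taken from this chapter)."""
from typing import Any

def get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'harbor.csrf_key'; return default if any key is absent."""
    node: Any = cfg
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def validate_config(cfg: dict) -> list[str]:
    """Return the rule violations found; an empty list means the config passes."""
    def on(component: str) -> bool:  # an omitted optional component defaults to enabled: true
        return bool(get(cfg, f"{component}.enabled", True))

    # (condition, dotted path, exact length or None): the path is required when condition holds
    rules = [(True, "system_domain", None), (True, "auth.client.secret", None),
             (True, "auth.user.password", None), (True, "auth.admin.password", None),
             (True, "auth.pomerium.cookie_secret", None),
             (True, "auth.pomerium.shared_secret", None),
             (on("argocd"), "argocd.server.secret_key", None),
             (on("harbor"), "harbor.password", None), (on("harbor"), "harbor.csrf_key", 32),
             (on("harbor"), "harbor.secret", 16), (on("harbor"), "harbor.secret_key", 16),
             (on("velero"), "velero.bucket", None), (on("velero"), "velero.prefix", None)]
    # kpack needs its own registry credentials only when it does not push images to Harbor
    if on("kpack") and not get(cfg, "kpack.registry.use_harbor", True):
        rules += [(True, f"kpack.registry.{k}", None)
                  for k in ("hostname", "username", "password", "builder_path", "image_test_path")]
    # platform.s3 only matters for velero; "compatible" additionally needs the s3_compatible block
    s3 = get(cfg, "platform.s3", "s3")
    if on("velero") and s3 == "compatible":
        rules += [(True, f"s3_compatible.{k}", None) for k in ("access_key", "secret_key", "url")]
    problems = []
    for condition, path, length in rules:
        value = get(cfg, path)
        if condition and not value:
            problems.append(f"{path} is required")
        elif condition and length and len(str(value)) != length:
            problems.append(f"{path} must be exactly {length} characters")
    if on("velero") and s3 not in ("s3", "azure", "compatible"):
        problems.append("platform.s3 must be s3, azure or compatible")
    if on("lets_encrypt") and get(cfg, "lets_encrypt.issuer", "prod") not in ("prod", "staging"):
        problems.append("lets_encrypt.issuer must be prod or staging")
    if not get(cfg, "internet.enabled", True):  # air-gapped: no Let's Encrypt and no kpack
        problems += [f"{c} must be disabled when internet.enabled is false"
                     for c in ("lets_encrypt", "kpack") if on(c)]
    return problems
```

Run it before `kube+` consumes the file; the Harbor length checks in particular catch the common mistake of pasting a uuidgen output (36 characters) where a 32- or 16-character key is expected.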

# AWS

# Azure

# Exoscale

# Swisscom

# Additional config.yml properties

The properties listed below can be configured in config.yml and default to the following values.

# Module Registry

The module_registry defines the registry from which the kube+ images are fetched. It defaults to cnbb-docker-local.bin.swisscom.com, with the appropriate credentials and permissions already set.

  module_registry:
    host: cnbb-docker-local.bin.swisscom.com
    username: SA-PF100-kubepluspub
    password: <<redacted>>

# System Registry

With the system_registry you can define and use a private registry instead. See also Relocate images.

  system_registry:
    host: ""
    path: kube-plus
    username: ""
    password: ""

# Misc Configs

Further defaults and additional settings that can be overridden in config.yml:

  # general admin email address (e.g. for issuing certs). See the email of the individual users under the auth: stanza.
  admin_email: applicationcloud.platform@swisscom.com

  # internet: true or false. In an air-gapped setup (false) you have to disable Let's Encrypt and provide your own certificates.
  internet:
    enabled: true

  # certificates issuer: self-signed (default) or customer-provided.
  # For customer-provided see also: [Certificates]
  certificates:
    issuer: self-signed
    customer_provided:
      tls_crt: ""
      tls_key: ""
      ca_crt: ""

  # argoworkflow will be disabled if argocd is set to false.
  argoworkflow:
    enabled: true

  # component flavor: small, medium, large
  flavor_type: small

  # replica count of the individual components. The value "" takes the default setting.
  sizing:
    replicas:
      cert_manager: ""
      cert_manager_cainjector: ""
      cert_manager_webhook: ""
      contour_external: ""
      contour_internal: ""
      harbor_core: ""
      harbor_jobservice: ""
      harbor_portal: ""
      harbor_registry: ""
      knative_serving_autoscaler: ""
      knative_serving_net_contour_controller: ""
      kpack_controller: ""
      kpack_webhook: ""
      dashboard: ""
      dashboard_metrics_scraper: ""
      pomerium: ""
Last Updated: 1/12/2023, 4:35:55 PM