clusterBackup:
  enabled: false

  image:
    name: public.ecr.aws/zero-downtime/kubezero-admin
    # tag: v1.22.8

  # -- s3:https://s3.amazonaws.com/${CFN[ConfigBucket]}/k8s/${CLUSTERNAME}/clusterBackup
  repository: ""
  # -- /etc/cloudbender/clusterBackup.passphrase
  password: ""

  extraEnv: []

forseti:
  enabled: false

  image:
    name: public.ecr.aws/zero-downtime/forseti
    tag: v0.1.2

  aws:
    region: ""
    # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti"
    iamRoleArn: ""

sealed-secrets:
  enabled: false

  # ensure kubeseal default values match
  fullnameOverride: sealed-secrets-controller

  # Disable auto keyrotation for now
  keyrenewperiod: "0"

  resources:
    requests:
      cpu: 10m
      memory: 24Mi
    limits:
      memory: 128Mi

  metrics:
    serviceMonitor:
      enabled: false

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule

aws-eks-asg-rolling-update-handler:
  enabled: false
  image:
    repository: twinproduction/aws-eks-asg-rolling-update-handler
    tag: v1.8.4

  environmentVars:
    - name: CLUSTER_NAME
      value: ""
    - name: AWS_REGION
      value: us-west-2
    - name: EXECUTION_INTERVAL
      value: "60"
    - name: METRICS
      value: "true"
    - name: EAGER_CORDONING
      value: "true"
    # Only disable if all services have PDBs across AZs
    - name: SLOW_MODE
      value: "true"
    - name: AWS_ROLE_ARN
      value: ""
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"

  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    seccompProfile:
      type: RuntimeDefault

  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
     drop:
       - ALL

  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      memory: 128Mi

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

aws-node-termination-handler:
  enabled: false

  fullnameOverride: "aws-node-termination-handler"

  # -- "zdt:kubezero:nth:${ClusterName}"
  managedTag: "zdt:kubezero:nth:${ClusterName}"

  useProviderId: true
  enableSqsTerminationDraining: true
  # otherwise pds fails trying to reach IMDS
  enableSpotInterruptionDraining: false
  enableProbesServer: true
  deleteLocalData: true
  ignoreDaemonSets: true
  taintNode: true
  emitKubernetesEvents: true

  # -- https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/${ClusterName}_Nth
  queueURL: ""

  metadataTries: 0
  extraEnv:
  # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.awsNth"
  - name: AWS_ROLE_ARN
    value: ""
  - name: AWS_WEB_IDENTITY_TOKEN_FILE
    value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
  - name: AWS_STS_REGIONAL_ENDPOINTS
    value: "regional"

  enablePrometheusServer: false
  podMonitor:
    create: false

  jsonLogging: true
  logFormatVersion: 2

  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  rbac:
    pspEnabled: false

fuseDevicePlugin:
  enabled: false
  image:
    name: public.ecr.aws/zero-downtime/fuse-device-plugin
    tag: v1.2.0

neuron-helm-chart:
  enabled: false

  npd:
    enabled: false

  devicePlugin:
    tolerations:
      - key: CriticalAddonsOnly
        operator: Exists
      - key: aws.amazon.com/neuron
        operator: Exists
        effect: NoSchedule
      - key: kubezero-workergroup
        effect: NoSchedule
        operator: Exists

    volumeMounts:
      - name: device-plugin
        mountPath: /var/lib/kubelet/device-plugins
      - name: infa-map
        mountPath: /run
    volumes:
      - name: device-plugin
        hostPath:
          path: /var/lib/kubelet/device-plugins
      - name: infa-map
        hostPath:
          path: /run

nvidia-device-plugin:
  enabled: false

  cdi:
    nvidiaHookPath: /usr/bin
  deviceDiscoveryStrategy: nvml
  runtimeClassName: nvidia

  tolerations:
  - key: nvidia.com/gpu
    operator: Exists
    effect: NoSchedule
  - key: kubezero-workergroup
    effect: NoSchedule
    operator: Exists

cluster-autoscaler:
  enabled: false

  image:
    repository: registry.k8s.io/autoscaling/cluster-autoscaler
    tag: v1.30.2

  autoDiscovery:
    clusterName: ""
  awsRegion: "us-west-2"

  serviceMonitor:
    enabled: false
    interval: 30s

  prometheusRule:
    enabled: false
    interval: "30"

  # Disable pdb for now
  podDisruptionBudget: false

  extraArgs:
    scan-interval: 30s
    skip-nodes-with-local-storage: false
    balance-similar-node-groups: true
    ignore-daemonsets-utilization: true
    ignore-taint: "node.cilium.io/agent-not-ready"
    # Disable for non-clustered control-plane
    # leader-elect: false

  #securityContext:
  #  runAsNonRoot: true

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule

  # On AWS enable Projected Service Accounts to assume IAM role
  #extraEnv:
  # AWS_ROLE_ARN: <IamArn>
  # AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
  # AWS_STS_REGIONAL_ENDPOINTS: "regional"

  #extraVolumes:
  #- name: aws-token
  #  projected:
  #    sources:
  #    - serviceAccountToken:
  #        path: token
  #        expirationSeconds: 86400
  #        audience: "sts.amazonaws.com"

  #extraVolumeMounts:
  #- name: aws-token
  #  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  #  readOnly: true

external-dns:
  enabled: false

  interval: 3m
  triggerLoopOnEvent: true

  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  #logLevel: debug
  sources:
    - service
  #- istio-gateway

  provider: inmemory


py-kube-downscaler:
  enabled: false

  tolerations:
  - key: node-role.kubernetes.io/control-plane
    effect: NoSchedule
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  resources:
    limits:
      cpu: null
      memory: 256Mi
    requests:
      cpu: 20m
      memory: 48Mi

  # By default no NOT scale down KubeZero modules
  excludedNamespaces:
  - kube-system
  - operators
  - monitoring
  - logging
  - telemetry
  - istio-system
  - istio-ingress
  - cert-manager
  - argocd