# Helm values: each top-level key configures one component; every component
# ships disabled (`enabled: false`) and is switched on per cluster.
# Secret-bearing keys (passphrases, role ARNs, queue URLs) are left empty here
# and are expected to be filled in from the referenced CloudFormation / file sources.

clusterBackup:
  enabled: false

  image:
    name: public.ecr.aws/zero-downtime/kubezero-admin
    # tag: v1.22.8

  # -- s3:https://s3.amazonaws.com/${CFN[ConfigBucket]}/k8s/${CLUSTERNAME}/clusterBackup
  repository: ""
  # -- /etc/cloudbender/clusterBackup.passphrase
  # Passphrase is read from the file above at deploy time; keep it out of this values file.
  password: ""

  extraEnv: []

forseti:
  enabled: false

  image:
    name: public.ecr.aws/zero-downtime/forseti
    tag: v0.1.2

  aws:
    region: ""
    # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.kubezeroForseti"
    iamRoleArn: ""

sealed-secrets:
  enabled: false

  # Ensure kubeseal default values match the controller name.
  fullnameOverride: sealed-secrets-controller

  # Disable automatic key rotation for now ("0" = never renew the sealing key).
  keyrenewperiod: "0"

  resources:
    requests:
      cpu: 10m
      memory: 24Mi
    limits:
      memory: 128Mi

  metrics:
    serviceMonitor:
      enabled: false

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

aws-eks-asg-rolling-update-handler:
  enabled: false

  image:
    tag: v1.7.0

  # All values are strings: the consumer reads them as container env vars.
  environmentVars:
    - name: CLUSTER_NAME
      value: ""
    - name: AWS_REGION
      value: "us-west-2"
    - name: EXECUTION_INTERVAL
      value: "60"
    - name: METRICS
      value: "true"
    - name: EAGER_CORDONING
      value: "true"
    # Only disable if all services have PDBs across AZs.
    - name: SLOW_MODE
      value: "true"
    # IRSA-style credentials via a projected service-account token; the role ARN is
    # intentionally empty here.
    - name: AWS_ROLE_ARN
      value: ""
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"

  resources:
    requests:
      cpu: 10m
      memory: 32Mi
    limits:
      memory: 128Mi

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

aws-node-termination-handler:
  enabled: false

  fullnameOverride: "aws-node-termination-handler"

  checkASGTagBeforeDraining: false
  # -- "zdt:kubezero:nth:${ClusterName}"
  managedTag: "zdt:kubezero:nth:${ClusterName}"

  useProviderId: true
  # Queue (SQS) processor mode is the active drain path.
  enableSqsTerminationDraining: true
  # Keep IMDS-based spot draining off: otherwise pods fail trying to reach IMDS.
  enableSpotInterruptionDraining: false

  enableProbesServer: true
  deleteLocalData: true
  ignoreDaemonSets: true
  taintNode: true
  emitKubernetesEvents: true

  # -- https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/${ClusterName}_Nth
  queueURL: ""
  metadataTries: 0

  extraEnv:
    # -- "arn:aws:iam::${AWS::AccountId}:role/${AWS::Region}.${ClusterName}.awsNth"
    - name: AWS_ROLE_ARN
      value: ""
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"

  enablePrometheusServer: false
  podMonitor:
    create: false

  jsonLogging: true
  logFormatVersion: 2

  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  rbac:
    pspEnabled: false

fuseDevicePlugin:
  enabled: false

awsNeuron:
  enabled: false

  image:
    name: public.ecr.aws/neuron/neuron-device-plugin
    # Quoted so no parser ever tries to read the tag as a number.
    tag: "1.9.3.0"

nvidia-device-plugin:
  enabled: false

  tolerations:
    - key: nvidia.com/gpu
      operator: Exists
      effect: NoSchedule
    - key: kubezero-workergroup
      operator: Exists
      effect: NoSchedule

  # Pin the plugin to the GPU instance families listed below.
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: "node.kubernetes.io/instance-type"
                operator: In
                values:
                  - g5.xlarge
                  - g5.2xlarge
                  - g5.4xlarge
                  - g5.8xlarge
                  - g5.12xlarge
                  - g5.16xlarge
                  - g5.24xlarge
                  - g5.48xlarge
                  - g4dn.xlarge
                  - g4dn.2xlarge
                  - g4dn.4xlarge
                  - g4dn.8xlarge
                  - g4dn.12xlarge
                  - g4dn.16xlarge

cluster-autoscaler:
  enabled: false

  image:
    tag: v1.25.1

  autoDiscovery:
    clusterName: ""
  awsRegion: "us-west-2"

  serviceMonitor:
    enabled: false
    interval: 30s

  prometheusRule:
    enabled: false
    interval: "30"

  # Disable the PDB for now.
  podDisruptionBudget: false

  extraArgs:
    scan-interval: 30s
    skip-nodes-with-local-storage: false
    balance-similar-node-groups: true
    ignore-taint: "node.cilium.io/agent-not-ready"

  # securityContext:
  #   runAsNonRoot: true

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

  # On AWS enable projected service-account tokens to assume an IAM role.
  # extraEnv:
  #   AWS_ROLE_ARN:
  #   AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
  #   AWS_STS_REGIONAL_ENDPOINTS: "regional"

  # extraVolumes:
  #   - name: aws-token
  #     projected:
  #       sources:
  #         - serviceAccountToken:
  #             path: token
  #             expirationSeconds: 86400
  #             audience: "sts.amazonaws.com"

  # extraVolumeMounts:
  #   - name: aws-token
  #     mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  #     readOnly: true

external-dns:
  enabled: false

  interval: 3m
  triggerLoopOnEvent: true

  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  # logLevel: debug

  sources:
    - service
    # - istio-gateway

  provider: inmemory

falco-control-plane:
  enabled: false
  fullnameOverride: falco-control-plane

  # -- Disable the drivers since we want to deploy only the k8saudit plugin.
  driver:
    enabled: false

  # -- Disable the collectors, no syscall events to enrich with metadata.
  collectors:
    enabled: false

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  # -- Deploy Falco as a Deployment. One instance of Falco is enough; the number of replicas is configurable.
  controller:
    kind: deployment
    deployment:
      # -- Number of replicas when installing Falco using a deployment. Change it only if you really know what you are doing.
      # For more info check the section on Plugins in the README.md file.
      replicas: 1

  falcoctl:
    artifact:
      install:
        # -- Enable the init container. Installing (or following) plugins is not recommended for security
        # reasons since they are executable objects; only rulesfiles are pulled below.
        enabled: true
      follow:
        # -- Enable the sidecar container. It is not supported for plugins yet; it is used only for rules
        # feeds such as the k8saudit-rules rules.
        enabled: true
    config:
      artifact:
        install:
          # -- Do not resolve the dependencies for artifacts. The default is true, but for our use case we disable it.
          resolveDeps: false
          # -- List of artifacts to be installed by the falcoctl init container.
          # Only rulesfiles: plugins are not recommended for security reasons since they are executable objects.
          # Quoted so the `name:version` reference is never read as a key/value pair.
          refs: ["k8saudit-rules:0.6"]
        follow:
          # -- List of artifacts to be followed by the falcoctl sidecar container.
          # Only rulesfiles: plugins are not recommended for security reasons since they are executable objects.
          refs: ["k8saudit-rules:0.6"]

  services:
    - name: k8saudit-webhook
      ports:
        - port: 9765  # See plugin open_params
          protocol: TCP

  falco:
    rules_file:
      - /etc/falco/k8s_audit_rules.yaml
      - /etc/falco/rules.d

    plugins:
      - name: k8saudit
        library_path: libk8saudit.so
        init_config:
          maxEventBytes: 1048576
          # The audit webhook below listens on plain HTTP; sslCertificate presumably
          # switches the listener to TLS — confirm against the k8saudit plugin docs before relying on it.
          # sslCertificate: /etc/falco/falco.pem
        open_params: "http://:9765/k8s-audit"
      - name: json
        library_path: libjson.so
        init_config: ""

    # Plugins that Falco will load. Note: the same plugins are installed by the falcoctl-artifact-install init container.
    load_plugins: [k8saudit, json]