annotateKubeSystemNameSpace: false

kiam:
  enabled: true
  server:
    # kiam.server.assumeRoleArn --  kiam server IAM role to assume, required as we run the agents next to the servers normally, eg. arn:aws:iam::123456789012:role/kiam-server-role
    assumeRoleArn: ''
    useHostNetwork: true
    sslCertHostPath: /etc/ssl/certs
    tlsSecret: kiam-server-tls
    tlsCerts:
      certFileName: tls.crt
      keyFileName:  tls.key
      caFileName:   ca.crt
    service:
      port: 6444
      targetPort: 6444
    deployment:
      enabled: true
      replicas: 1
    updateStrategy: RollingUpdate
    resources:
     requests:
       memory: "64Mi"
       cpu: "50m"
     limits:
       memory: "128Mi"
       # cpu: "300m"
    tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/master: ""
    priorityClassName: system-cluster-critical
    prometheus:
      servicemonitor:
        enabled: false
        interval: 30s
        labels:
          release: metrics
    log:
      level: info

  agent:
    gatewayTimeoutCreation: "5s"
    updateStrategy: RollingUpdate
    # IP tables set on each node at boot, see CloudBender
    host:
      iptables: false
      interface: "cali+"
    allowRouteRegexp: '^/latest/(meta-data/instance-id|dynamic)'
    sslCertHostPath: /etc/ssl/certs
    tlsSecret: kiam-agent-tls
    tlsCerts:
      certFileName: tls.crt
      keyFileName:  tls.key
      caFileName:   ca.crt
    resources:
     requests:
       memory: "16Mi"
       cpu: "50m"
     limits:
       memory: "64Mi"
       # cpu: "50m"
    tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    priorityClassName: system-node-critical
    prometheus:
      servicemonitor:
        enabled: false
        interval: 30s
        labels:
          release: metrics
    log:
      level: info
  #  extraEnv:
  #  - name: GRPC_GO_LOG_SEVERITY_LEVEL
  #    value: "info"
  #  - name: GRPC_GO_LOG_VERBOSITY_LEVEL
  #    value: "8"