# Copyright 2017 AT&T Intellectual Property.  All other rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# namespace: "kube-system"

labels:
  node_selector_key: ucp-control-plane
  node_selector_value: enabled

dependencies:
  static:
    tiller_deploy:

images:
  tags:
    tiller: gcr.io/kubernetes-helm/tiller:v2.16.9
  pull_policy: "IfNotPresent"
  local_registry:
    # NOTE(portdirect): this tiller chart does not support image pulling
    active: false
    exclude:
      - tiller

deployment:
  # NOTE: Current replica is hard-coded to 1. This is a placeholder variable
  # for future usage. Updates will be made to the chart when we know that
  # tiller is stable with multiple instances.
  replicas: 1
  # The amount of revision tiller is willing to support. 0 means that there is
  # no limit.
  tiller_history: 0

conf:
  tiller:
    verbosity: 5
    storage: null
    # Only postgres is supported so far
    sql_dialect: postgres
    sql_connection: null
    trace: false
    # Note: Defaulting to the (default) kubernetes grace period, as anything
    # greater than that will have no effect.
    prestop_sleep: 30
    # To have Tiller bind to all interfaces, allowing direct connections from
    # the Helm client to pod_ip:port, set 'listen_on_any: true'.
    # The default setting 'listen_on_any: false' binds Tiller to 127.0.0.1.
    # Helm clients with Kubernetes API access dynamically set up a portforward
    # into the pod, which works with the default setting.
    listen_on_any: false
    port: 44134
    probe_port: 44135

pod:
  mandatory_access_control:
    type: apparmor
    tiller:
      tiller: runtime/default
  security_context:
    tiller:
      pod:
        runAsUser: 65534
      container:
        tiller:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
  probes:
    tiller:
      tiller:
        readiness:
          enabled: true
          params:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
        liveness:
          enabled: true
          params:
            failureThreshold: 3
            initialDelaySeconds: 1
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
  resources:
    enabled: false
    tiller:
      limits:
        memory: "128Mi"
        cpu: "100m"
      requests:
        memory: "128Mi"
        cpu: "100m"
  mounts:
    tiller:
      tiller:
        volumes:
          - name: kubernetes-client-cache
            emptyDir: {}
        volumeMounts:
          - name: kubernetes-client-cache
            # Should be the `$HOME/.kube` of the `runAsUser` above
            # as this is where tiller's kubernetes client roots its cache dir.
            mountPath: /tmp/.kube
network_policy:
  tiller:
    ingress:
      - {}
    egress:
      - {}

manifests:
  deployment_tiller: true
  service_tiller_deploy: true
  network_policy: false