79 lines
2.1 KiB
YAML
79 lines
2.1 KiB
YAML
image:
|
|
repository: registry.c5ai.ch/pieced/pieced-operator
|
|
tag: "0.1.40"
|
|
pullPolicy: IfNotPresent
|
|
|
|
imagePullSecrets:
|
|
- name: registry-creds
|
|
|
|
replicaCount: 1
|
|
|
|
# Operator configuration
|
|
config:
|
|
vault:
|
|
# Internal service URL for OpenBao
|
|
address: "http://openbao.openbao.svc:8200"
|
|
# K8s auth role for the operator (must be pre-created in OpenBao)
|
|
role: "pieced-operator"
|
|
authPath: "kubernetes"
|
|
litellm:
|
|
# Internal service URL for LiteLLM
|
|
url: "http://litellm.inference.svc:4000"
|
|
|
|
# Security context — non-root, read-only rootfs, no privileges
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65532
|
|
runAsGroup: 65532
|
|
fsGroup: 65532
|
|
|
|
containerSecurityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 256Mi
|
|
|
|
# Leader election ensures only one instance reconciles
|
|
leaderElection:
|
|
enabled: true
|
|
|
|
# Service account — the operator's identity for RBAC and Vault K8s auth
|
|
serviceAccount:
|
|
name: pieced-operator
|
|
annotations: {}
|
|
|
|
# Network policy — restrict operator egress to only what it needs
|
|
networkPolicy:
|
|
enabled: true
|
|
|
|
# OpenClaw image default (Feature: per-tenant version overrides).
|
|
#
|
|
# Materialised as the `pieced-openclaw-config` ConfigMap, which the
|
|
# operator reads on every reconcile. Per-tenant overrides set via the
|
|
# portal (PiecedTenant.spec.openClawImage.tag) take precedence over
|
|
# this default for the affected tenants.
|
|
#
|
|
# We support tag-only (not digest) by design — a single image-selector
|
|
# field avoids SSA field-ownership ambiguity when switching values,
|
|
# and the downstream OpenClaw operator handles a tag-only image spec
|
|
# unambiguously. For reproducibility-critical deployments, pin by
|
|
# using an immutable release tag.
|
|
#
|
|
# Empty defaultTag falls back to the operator's built-in version.
|
|
# Admins can edit this value at runtime via the portal admin UI;
|
|
# the resulting ConfigMap edits trigger reconciles for every tenant
|
|
# that doesn't have its own override.
|
|
openClaw:
|
|
defaultTag: "2026.4.22"
|