56 lines
1.2 KiB
YAML
56 lines
1.2 KiB
YAML
image:
|
|
repository: registry.c5ai.ch/pieced/pieced-operator
|
|
tag: "0.1.1"
|
|
pullPolicy: IfNotPresent
|
|
|
|
replicaCount: 1
|
|
|
|
# Operator configuration
|
|
config:
|
|
vault:
|
|
# Internal service URL for OpenBao
|
|
address: "http://openbao.openbao.svc:8200"
|
|
# K8s auth role for the operator (must be pre-created in OpenBao)
|
|
role: "pieced-operator"
|
|
authPath: "kubernetes"
|
|
litellm:
|
|
# Internal service URL for LiteLLM
|
|
url: "http://litellm.inference.svc:4000"
|
|
|
|
# Security context — non-root, read-only rootfs, no privileges
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65532
|
|
runAsGroup: 65532
|
|
fsGroup: 65532
|
|
|
|
containerSecurityContext:
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: true
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
|
|
resources:
|
|
requests:
|
|
cpu: 50m
|
|
memory: 128Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 256Mi
|
|
|
|
# Leader election ensures only one instance reconciles
|
|
leaderElection:
|
|
enabled: true
|
|
|
|
# Service account — the operator's identity for RBAC and Vault K8s auth
|
|
serviceAccount:
|
|
name: pieced-operator
|
|
annotations: {}
|
|
|
|
# Network policy — restrict operator egress to only what it needs
|
|
networkPolicy:
|
|
enabled: true
|