@brooksphilip
Last active October 30, 2025 06:08
# NOTE(review): indentation was stripped from this copy of the values file; restore the nesting
# against the Big Bang values schema before applying it.
domain: svc.cluster.local
# -- List of registry credentials used to pull images
# username/password/email are intentionally empty here; supply the real values from a secret
# store or an untracked overrides file rather than committing them.
# NOTE(review): only registry1.dso.mil is listed, while most images below are pulled from
# harbor.mylab.lol — confirm pull credentials for that registry are provided elsewhere.
registryCredentials:
registry: registry1.dso.mil
username: ""
password: ""
email: ""
# Kyverno package: every component image is redirected to harbor.mylab.lol/chainguard-private/*.
# All tags below are mutable (latest / latest-dev) and several are combined with pullPolicy: Always,
# so the image behind the admission controller can change on any pod restart. Pinning each image to
# a digest (where the chart accepts one) makes the deployed policy engine reproducible and auditable.
kyverno:
enabled: true
values:
upstream:
crds:
install: true
groups:
image:
registry: harbor.mylab.lol
defaultRegistry: harbor.mylab.lol
repository: chainguard-private/kyverno-cli
tag: latest
migration:
enabled: true
image:
defaultRegistry: harbor.mylab.lol
repository: chainguard-private/kyverno-cli
tag: latest
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno
tag: latest
pullPolicy: Always
test:
sleep: 20
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest
# Admission controller: init container (kyvernopre) and main container images.
admissionController:
initContainer:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyvernopre
tag: latest
pullPolicy: Always
container:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno
tag: latest
pullPolicy: Always
backgroundController:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-background-controller
tag: latest
pullPolicy: Always
cleanupController:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-cleanup-controller
tag: latest
pullPolicy: Always
reportsController:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-reports-controller
tag: latest
pullPolicy: Always
# Cleanup jobs all run the same kubectl image with the latest-dev tag.
# NOTE(review): Chainguard -dev variants typically include a shell and package manager; confirm
# these jobs need that, since it widens what is available inside the job containers.
cleanupJobs:
admissionReports:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
clusterAdmissionReports:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
ephemeralReports:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
updateRequests:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
clusterEphemeralReports:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
webhooksCleanup:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
policyReportsCleanup:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
# Kyverno policy reporter: sets both a global image registry and the reporter image itself.
# NOTE(review): a second `kyvernoReporter:` stanza appears near the end of this file. If both sit
# at the same nesting level they are duplicate keys; most YAML parsers silently keep only the last
# one, so the `global` settings here would be dropped. Merge the two stanzas.
kyvernoReporter:
enabled: true
values:
global:
image:
registry: harbor.mylab.lol
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-policy-reporter
tag: latest
# BigBang Values - Kyverno Policies Wait Job Image Fix
# A kustomize post-renderer swaps the Iron Bank kubectl image for the Chainguard one after the
# chart is rendered; the policy overrides below then exempt the wait job from image mutation.
kyvernoPolicies:
enabled: true
postRenderers:
- kustomize:
images:
- name: registry1.dso.mil/ironbank/opensource/kubernetes/kubectl
newName: harbor.mylab.lol/chainguard-private/kubectl
newTag: latest-dev
values:
# This is a Helm hook and may need to be rewritten.
# The wait job is disabled here, yet an image is still set for it.
# NOTE(review): `kind: ClusterRole` — it is not clear from this file which chart key consumes
# this value; confirm against the chart's values before relying on it.
waitJob:
enabled: false
kind: ClusterRole
image: harbor.mylab.lol/chainguard-private/kubectl:latest-dev
policies:
# CRITICAL: Exclude wait job from image mutations
# The exclusion is a name glob scoped to the kyverno namespace: any Job or Pod there whose name
# contains "wait-job" skips both mutation policies. Keep create rights in that namespace narrow.
update-image-registry:
exclude:
any:
- resources:
kinds:
- Job
- Pod
namespaces:
- kyverno
names:
- "*wait-job*"
update-image-pull-policy:
exclude:
any:
- resources:
kinds:
- Job
- Pod
namespaces:
- kyverno
names:
- "*wait-job*"
# Registry allow-list. validationFailureAction: Audit only reports violations; images from
# other registries are still admitted. Move to Enforce once the reports are clean.
# NOTE(review): the first allow entry has no trailing slash, unlike the other two. If the chart
# matches entries as prefixes, a host such as harbor.mylab.lol.<other-domain> would also match;
# confirm and consider `harbor.mylab.lol/`.
# NOTE(review): `docker.io/` allows every public Docker Hub repository — narrow it to the
# specific org/repo prefixes actually needed.
restrict-image-registries:
enabled: true
validationFailureAction: Audit
parameters:
allow:
- harbor.mylab.lol
- registry1.dso.mil/
- docker.io/
# NOTE(review): second validationFailureAction — presumably the chart-wide default rather than
# a duplicate of the per-policy key above; verify once indentation is restored.
validationFailureAction: Audit
# Monitoring stack (Alertmanager, Grafana, kube-state-metrics, node exporter, Prometheus operator,
# Prometheus): all images redirected to harbor.mylab.lol/chainguard-private/* with mutable tags.
# Two styles are used for the image reference: split registry/repository keys, and a full
# registry path inside `repository` (sidecar, downloadDashboardsImage). Each must match what the
# respective subchart expects, otherwise the override is ignored or the registry is doubled.
monitoring:
values:
alertmanager:
alertmanagerSpec:
image:
registry: harbor.mylab.lol
repository: chainguard-private/grafana-alertmanager
tag: latest
grafana:
image:
registry: harbor.mylab.lol
repository: chainguard-private/grafana
tag: latest
sidecar:
image:
repository: harbor.mylab.lol/chainguard-private/k8s-sidecar
tag: latest
downloadDashboardsImage:
repository: harbor.mylab.lol/chainguard-private/curl
tag: latest-dev
kube-state-metrics:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kube-state-metrics
tag: latest
prometheus-node-exporter:
version: 1.7.0 # NOTE: Workaround for chart's semver check
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-node-exporter
tag: latest
prometheusOperator:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-operator
tag: latest
prometheusConfigReloader:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-config-reloader
tag: latest
thanosImage:
registry: harbor.mylab.lol
repository: chainguard-private/thanos
tag: latest
kubectlImage:
registry: harbor.mylab.lol
repository: chainguard-private/kubectl
tag: latest-dev
# Admission webhook certificate generation uses the kube-webhook-certgen image.
admissionWebhooks:
enabled: true
patch:
image:
registry: harbor.mylab.lol
repository: chainguard-private/kube-webhook-certgen
tag: latest
# NOTE: Use the "bigbang" utility image due to the chart's hardcoded `securityContext`
# (the cleanupProxy override below is therefore left commented out)
# cleanupProxy:
# image:
# registry: harbor.mylab.lol
# repository: chainguard-private/curl
# tag: latest-dev
prometheus:
prometheusSpec:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus
tag: latest
# Tempo: main image overridden; tempo-query is disabled but still carries an image override.
# NOTE(review): tempoQuery uses the `chainguard/` project while every other image in this file uses
# `chainguard-private/` — confirm that path exists in Harbor before enabling tempoQuery.
tempo:
values:
tempo:
repository: harbor.mylab.lol/chainguard-private/tempo
tag: latest
tempoQuery:
enabled: false
repository: harbor.mylab.lol/chainguard/tempo-query
tag: latest
# Grafana package: global registry plus Chainguard images for Grafana, curl and the sidecar.
# The `upstream` image still points at the Iron Bank grafana-plugins image on registry1.dso.mil
# and sets no tag here, so it depends on the chart's default tag and on registry1 pull credentials.
grafana:
values:
global:
imageRegistry: harbor.mylab.lol
image:
repository: chainguard-private/grafana
tag: latest
downloadDashboardsImage:
repository: chainguard-private/curl
tag: latest-dev
upstream:
image:
registry: registry1.dso.mil
repository: ironbank/big-bang/grafana/grafana-plugins
sidecar:
image:
registry: harbor.mylab.lol
repository: chainguard-private/k8s-sidecar
tag: latest
# Loki in monolith mode with the bundled MinIO disabled; Loki, the nginx gateway and the sidecar
# are pulled from harbor.mylab.lol/chainguard-private/* with the mutable `latest` tag.
loki:
strategy: "monolith"
values:
minio:
enabled: false
loki:
image:
registry: harbor.mylab.lol
repository: chainguard-private/loki
tag: latest
gateway:
image:
registry: harbor.mylab.lol
repository: chainguard-private/nginx
tag: latest
sidecar:
image:
registry: harbor.mylab.lol
repository: chainguard-private/k8s-sidecar
tag: latest
# Commented-out promtail override; an active promtail stanza with the same images follows the
# metricsServer settings later in this file.
# promtail:
# values:
# image:
# registry: harbor.mylab.lol
# repository: chainguard-private/promtail
# tag: latest
# sidecar:
# configReloader:
# image:
# registry: harbor.mylab.lol
# repository: chainguard-private/configmap-reload
# tag: latest
# Add-on packages: metrics-server image override, followed by the promtail image and its
# config-reloader sidecar.
# NOTE(review): with indentation lost it cannot be told from this copy whether `promtail` (and the
# stanzas after it) belong under `addons:` or at the top level — verify against the Big Bang schema.
addons:
metricsServer:
values:
image:
repository: harbor.mylab.lol/chainguard-private/metrics-server
tag: latest
promtail:
values:
image:
registry: harbor.mylab.lol
repository: chainguard-private/promtail
tag: latest
sidecar:
configReloader:
image:
registry: harbor.mylab.lol
repository: chainguard-private/configmap-reload
tag: latest
# NOTE: Chainguard has all of the Neuvector images except for the scanner
# We do not distribute the neuvector-scanner image due to potential legal issues
# with distributing an up-to-date vulnerability database embedded in the image
# Consequently the scanner below uses `neuvector/scanner` rather than a chainguard-private image;
# it is the one NeuVector component here that is not a Chainguard build.
neuvector:
enabled: true
values:
upstream:
registry: harbor.mylab.lol
cve:
adapter:
image:
repository: chainguard-private/neuvector-registry-adapter
tag: latest
updater:
enabled: true
image:
registry: harbor.mylab.lol
repository: chainguard-private/neuvector-updater
tag: latest
# NOTE(review): presumably resolved through the `registry` key above, i.e. Harbor must mirror or
# proxy neuvector/scanner — confirm, and confirm restrict-image-registries allows the result.
scanner:
enabled: true
image:
repository: neuvector/scanner
imagePullPolicy: Always
tag: "6"
# enforcer, manager and controller set no tag here and so rely on the chart's default tag.
enforcer:
enabled: true
image:
repository: chainguard-private/neuvector-enforcer
manager:
enabled: true
image:
repository: chainguard-private/neuvector-manager
controller:
# If false, controller will not be installed
enabled: true
image:
repository: chainguard-private/neuvector-controller
monitor:
registry: harbor.mylab.lol
exporter:
image:
repository: chainguard-private/neuvector-prometheus-exporter
# NOTE(review): unquoted `1` parses as an integer, unlike the quoted "6" used for the scanner;
# quote it ("1") so the tag is always handled as a string.
tag: 1
# Istio: CNI and gateway disabled, CRDs and istiod enabled. Images are given as full references
# (registry/repository:tag in one string) and all use the mutable `latest` tag; the sidecar proxy
# is injected into workloads mesh-wide, so pinning it to a digest is worth prioritising.
istioCNI:
enabled: false
istioCRDs:
enabled: true
istiod:
enabled: true
values:
upstream:
pilot:
image: harbor.mylab.lol/chainguard-private/istio-pilot:latest
global:
proxy:
image: harbor.mylab.lol/chainguard-private/istio-proxy:latest
# proxy_init reuses the istio-proxy image.
proxy_init:
image: harbor.mylab.lol/chainguard-private/istio-proxy:latest
istioGateway:
enabled: false
values:
upstream:
image: harbor.mylab.lol/chainguard-private/istio-proxy:latest
#broken
# Alloy package. The operator image is rewritten by a kustomize post-renderer (two source names
# map to the same Chainguard image), and the collector images are set per sub-component below.
# Pulls use the `private-registry` image pull secret; usage reporting is turned off.
alloy:
enabled: true
# PostRenderer only for operator deployment itself
postRenderers:
- kustomize:
images:
- name: registry1.dso.mil/ironbank/opensource/grafana/alloy-operator
newName: harbor.mylab.lol/chainguard-private/grafana-alloy-operator
newTag: latest
- name: harbor.mylab.lol/ironbank/opensource/grafana/alloy-operator
newName: harbor.mylab.lol/chainguard-private/grafana-alloy-operator
newTag: latest
values:
global:
image:
registry: harbor.mylab.lol
imageRegistry: harbor.mylab.lol
# The secret named here must already exist in the namespace(s) where Alloy pods run.
imagePullSecrets:
- name: private-registry
upstream:
cluster:
name: bigbang
alloy-operator:
image:
registry: harbor.mylab.lol
repository: chainguard-private/grafana-alloy-operator
tag: latest
configReloader:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-config-reloader
tag: latest
alloy:
enableReporting: false
# ============================================================
# ALLOY LOGS - CORRECTED STRUCTURE
# ============================================================
# Only the logs collector is enabled; metrics and receiver below are disabled.
alloy-logs:
enabled: true
alloy:
registry: harbor.mylab.lol
repository: chainguard-private/grafana-alloy
tag: latest
configReloader:
image: # ← ADD THIS "image" wrapper
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-config-reloader
tag: latest
# ============================================================
# ALLOY METRICS (if needed)
# ============================================================
alloy-metrics:
enabled: false
alloy:
registry: harbor.mylab.lol
repository: chainguard-private/grafana-alloy
tag: latest
configReloader:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-config-reloader
tag: latest
# ============================================================
# ALLOY RECEIVER (if needed)
# ============================================================
alloy-receiver:
enabled: false
alloy:
registry: harbor.mylab.lol
repository: chainguard-private/grafana-alloy
tag: latest
configReloader:
image:
registry: harbor.mylab.lol
repository: chainguard-private/prometheus-config-reloader
tag: latest
integrations:
alloy:
enableReporting: false
# Additional components to override remaining Iron Bank images
# (bbctl override is left commented out)
# bbctl:
# enabled: true
# values:
# image:
# registry: harbor.mylab.lol
# repository: chainguard-private/bbctl
# tag: latest
# NOTE(review): `kyvernoReporter:` is also defined earlier in this file. If both stanzas are at the
# same nesting level this is a duplicate key; most parsers keep only this later one and silently
# drop the earlier `values.global` settings. Merge them into a single stanza.
kyvernoReporter:
enabled: true
values:
upstream:
# Main policy reporter image
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-policy-reporter
tag: latest
# Kyverno plugin
plugin:
kyverno:
enabled: true
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-policy-reporter-plugin-kyverno
tag: latest
# UI
# The reporter UI exposes policy-violation data; restrict who can reach it.
ui:
enabled: true
image:
registry: harbor.mylab.lol
repository: chainguard-private/kyverno-policy-reporter-ui
tag: latest
kiali:
enabled: false