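# Default values for nsx-ncp-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Layout notes:
# - The `ncp` section mirrors NCP's own configuration sections (vc, coe,
#   default, nsx, ha, k8s). Entries written as `#key: value` are disabled
#   and show the documented default for that option.
# - Sections whose value is `{}` (nsx, ha) must have the `{}` removed before
#   any of their commented options is enabled; a flow `{}` followed by block
#   keys is a YAML syntax error.

image:
  repository: vmware/nsx-container-plugin-operator
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

ncp:
  # Docker image for NSX NCP Container Plugin
  # NOTE: a mutable tag such as `:latest` cannot be pinned or audited; use a
  # specific version tag (or a digest) for production deployments.
  image: "nsx-ncp-ubuntu:latest"

  vc:
    # IpAddress or Hostname of VC
    vc_endpoint: ""
    # The SSO domain associated with the deployment
    sso_domain: "vsphere.local"
    # VC API server HTTPS port.
    https_port: 443

  coe:
    # Container orchestrator adaptor to plug in.
    adaptor: kubernetes
    # Specify cluster for adaptor.
    cluster: k8scluster
    # Log level for NCP modules (controllers, services, etc.). Ignored if debug
    # is True
    # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
    #loglevel: <None>
    # Log level for NSX API client operations. Ignored if debug is True
    # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
    #nsxlib_loglevel: <None>
    # Enable SNAT for all projects in this cluster. Modification of topologies
    # for existing Namespaces is not supported if this option is reset.
    #enable_snat: True
    # Option to enable profiling
    #profiling: False
    # The interval of reporting performance metrics (0 means disabled)
    #metrics_interval: 0
    # Name of log file for outputting metrics only (if not defined, use default
    # logging facility)
    #metrics_log_file: <None>
    # The type of container host node
    # Choices: HOSTVM BAREMETAL CLOUD WCP_WORKER
    #node_type: HOSTVM
    # The time in seconds for NCP/nsx_node_agent to recover the connection to
    # NSX manager/container orchestrator adaptor/Hyperbus before exiting. If
    # the value is 0, NCP/nsx_node_agent won't exit automatically when the
    # connection check fails
    #connect_retry_timeout: 0
    # Enable system health status report for SHA
    #enable_sha: True

  default:
    # If set to true, the logging level will be set to DEBUG instead of the
    # default INFO level.
    # Written as the canonical lowercase boolean so every YAML 1.1/1.2 loader
    # reads it as a bool rather than a string.
    debug: false
    # If set to true, log output to standard error.
    #use_stderr: True
    # Destination to send api log to. STDOUT or STDERR for console output. FILE
    # to write log to file configured in "api_log_file". NONE to disable api
    # log.
    # Choices: STDOUT STDERR FILE NONE
    #api_log_output: NONE
    # Name of log file to send API access log to.
    #api_log_file: ncp_api_log.txt
    # Interval in seconds to log api calls to the output configured in
    # api_log_output
    #api_log_interval: 60
    # When api_log_output is not NONE, this option determines if api calls
    # should be collected per NSX cluster or individual NSX manager.
    # Choices: API_LOG_PER_ENDPOINT API_LOG_PER_CLUSTER
    #api_log_mode: API_LOG_PER_ENDPOINT
    # If set to true, use syslog for logging.
    #use_syslog: False
    # The base directory used for relative log_file paths.
    #log_dir: <None>
    # Name of log file to send logging output to.
    #log_file: <None>
    # max MB for each compressed file. Defaults to 100 MB.
    #log_rotation_file_max_mb: 100
    # max MB for each compressed file for API logs. Defaults to 10 MB.
    #api_log_rotation_file_max_mb: 10
    # Total number of compressed backup files to store. Defaults to 5.
    #log_rotation_backup_count: 5
    # Total number of compressed backup files to store API logs. Defaults to 5.
    #api_log_rotation_backup_count: 5
    # Log level for the root logger. If debug=True, the default root logger
    # level will be DEBUG regardless of the value of this option. If this
    # option is unset, the default root logger level will be either DEBUG or
    # INFO according to the debug option value
    # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
    #loglevel: <None>

  # `{}` is the value of this key. To enable any of the options below, replace
  # the `{}` with the uncommented keys at this indentation.
  nsx: {}
    # Set NSX API adaptor to NSX Policy API adaptor. If unset, NSX adaptor will
    # be set to the NSX Manager based adaptor. If unset or False, the NSX
    # resource ID in other options can be resource name or UUID
    #policy_nsxapi: False
    # Path to NSX client certificate file. If specified, the nsx_api_user and
    # nsx_api_password options will be ignored. Must be specified along with
    # nsx_api_private_key_file option
    #nsx_api_cert_file: <None>
    # Path to NSX client private key file. If specified, the nsx_api_user and
    # nsx_api_password options will be ignored. Must be specified along with
    # nsx_api_cert_file option
    #nsx_api_private_key_file: <None>
    # IP address of one or more NSX managers separated by commas. The IP
    # address should be of the form:
    # [<scheme>://]<ip_address>[:<port>]
    # If scheme is not provided https is used. If port is not provided port 80
    # is used for http and port 443 for https.
    #nsx_api_managers: []
    # If True, skip fatal errors when no endpoint in the NSX management cluster
    # is available to serve a request, and retry the request instead
    #cluster_unavailable_retry: False
    # Maximum number of times to retry API requests upon stale revision errors.
    #retries: 10
    # Specify one or a list of CA bundle files to use in verifying the NSX
    # Manager server certificate. This option is ignored if "insecure" is set
    # to True. If "insecure" is set to False and "ca_file" is unset, the
    # "thumbprint" will be used. If "thumbprint" is unset, the system root CAs
    # will be used to verify the server certificate.
    #ca_file: []
    # Specify one or a list of thumbprint strings to use in verifying the NSX
    # Manager server certificate. This option is ignored if "insecure" is set
    # to True or "ca_file" is defined.
    #thumbprint: []
    # If true, the NSX Manager server certificate is not verified. If false the
    # CA bundle specified via "ca_file" will be used or if unset the
    # "thumbprint" will be used. If "thumbprint" is unset, the default system
    # root CAs will be used.
    # Keep this False outside of lab use: with True, NCP has no way to tell a
    # genuine NSX Manager from an interposed endpoint, so prefer ca_file or
    # thumbprint for certificates the system roots cannot validate.
    #insecure: False
    # The time in seconds before aborting a HTTP connection to a NSX manager.
    #http_timeout: 10
    # The time in seconds before aborting a HTTP read response from a NSX
    # manager.
    #http_read_timeout: 180
    # Maximum number of times to retry a HTTP connection.
    #http_retries: 3
    # Maximum concurrent connections to all NSX managers. If multiple NSX
    # managers are configured, connections will be spread evenly across all
    # managers, rounded down to the nearest integer. Each NSX manager will have
    # at least 1 connection. This value should be a multiple of
    # [nsx_v3]nsx_api_managers length.
    #concurrent_connections: 10
    # The amount of time in seconds to wait before ensuring connectivity to the
    # NSX manager if no manager connection has been used.
    #conn_idle_timeout: 10
    # Number of times a HTTP redirect should be followed.
    #redirects: 2
    # Subnet prefix of IP block.
    #subnet_prefix: 24
    # Subnet prefix for v6 IP blocks
    #v6_subnet_prefix: 64
    # Indicates whether distributed firewall DENY rules are logged.
    #log_dropped_traffic: False
    # Indicates whether distributed firewall rules are logged. Option 'ALL'
    # will enable logging for all DFW rules (both DENY and ALLOW), and option
    # 'DENY' will enable logging only for DENY rules. Remove this config if no
    # logging is desired. When IPv6 is enabled this setting will not apply to
    # rules for allowing ND traffic.
    # Choices: ALL DENY <None>
    #log_firewall_traffic: <None>
    # Option to use native load balancer or not
    #use_native_loadbalancer: True
    # Option to auto scale layer 4 load balancer or not. If set to True, NCP
    # will create additional LB when necessary upon K8s Service of type LB
    # creation/update.
    #l4_lb_auto_scaling: True
    # Option to use native load balancer or not when ingress class annotation
    # is missing. Only effective if use_native_loadbalancer is set to true
    #default_ingress_class_nsx: True
    # Path to the default certificate file for HTTPS load balancing. Must be
    # specified along with lb_priv_key_path option
    #lb_default_cert_path: <None>
    # Path to the private key file for default certificate for HTTPS load
    # balancing. Must be specified along with lb_default_cert_path option
    #lb_priv_key_path: <None>
    # Option to set load balancing algorithm in load balancer pool object.
    # Choices: ROUND_ROBIN LEAST_CONNECTION IP_HASH WEIGHTED_ROUND_ROBIN
    #pool_algorithm: ROUND_ROBIN
    # Option to set load balancer service size. MEDIUM Edge VM (4 vCPU, 8GB)
    # only supports SMALL LB. LARGE Edge VM (8 vCPU, 16GB) only supports MEDIUM
    # and SMALL LB. Bare Metal Edge (IvyBridge, 2 socket, 128GB) supports
    # LARGE, MEDIUM and SMALL LB
    # Choices: SMALL MEDIUM LARGE
    #service_size: SMALL
    # Option to set load balancer persistence option. If cookie is selected,
    # cookie persistence will be offered. If source_ip is selected, source IP
    # persistence will be offered for ingress traffic through L7 load balancer
    # Choices: <None> cookie source_ip
    #l7_persistence: <None>
    # An integer for LoadBalancer side timeout value in seconds on layer 7
    # persistence profile, if the profile exists.
    #l7_persistence_timeout: 10800
    # Option to set load balancer persistence option. If source_ip is selected,
    # source IP persistence will be offered for ingress traffic through L4 load
    # balancer
    # Choices: <None> source_ip
    #l4_persistence: <None>
    # Option to set distributed load balancer source ip persistence option,
    # only available when use_native_dlb: True
    # Choices: <None> source_ip
    #dlb_l4_persistence: <None>
    # Resource ID of the container ip blocks that will be used for creating
    # subnets. If name, it must be unique. If policy_nsxapi is enabled, it also
    # supports automatically creating the IP blocks. The definition is a comma
    # separated list: CIDR,CIDR,... Mixing different formats (e.g. UUID,CIDR)
    # is not supported.
    #container_ip_blocks: []
    # Resource ID of the container ip blocks that will be used for creating
    # subnets for no-SNAT projects. If specified, no-SNAT projects will use
    # these ip blocks ONLY. Otherwise they will use container_ip_blocks
    #no_snat_ip_blocks: []
    # Resource ID of the external ip pools that will be used for allocating IP
    # addresses which will be used for translating container IPs via SNAT
    # rules. If policy_nsxapi is enabled, it also supports automatically
    # creating the ip pools. The definition is a comma separated list:
    # CIDR,IP_1-IP_2,... Mixing different formats (e.g. UUID, CIDR&IP_Range) is
    # not supported.
    #external_ip_pools: []
    # Resource ID of the top-tier router for the container cluster network,
    # which could be either tier0 or tier1. If policy_nsxapi is enabled, should
    # be ID of a tier0/tier1 gateway.
    #top_tier_router: <None>
    # Option to use single-tier router for the container cluster network
    #single_tier_topology: False
    # Option to use single-tier router for the container cluster network. Each
    # namespace will have dedicated tier-1 router created. Namespaces with
    # "sr_shared_res: true" annotation will share t1 and lbs.
    #single_tier_sr_topology: False
    # Resource ID of the external ip pools that will be used only for
    # allocating IP addresses for Ingress controller and LB service. If
    # policy_nsxapi is enabled, it also supports automatically creating the ip
    # pools. The definition is a comma separated list: CIDR,IP_1-IP_2,...
    # Mixing different formats (e.g. UUID, CIDR&IP_Range) is not supported.
    #external_ip_pools_lb: []
    # Resource ID of the NSX overlay transport zone that will be used for
    # creating logical switches for container networking. It must refer to an
    # already existing resource on NSX and every transport node where VMs
    # hosting containers are deployed must be enabled on this transport zone
    #overlay_tz: <None>
    # Name of the enforcement point used to look up overlay transport zones and
    # edge cluster paths, e.g. vmc-enforcementpoint, default, etc.
    #enforcement_point: default
    # Resource ID of the lb service that can be attached by virtual servers
    #lb_service: <None>
    # Resource ID of the IPSet containing the IPs of all the virtual servers
    #lb_vs_ip_set: <None>
    # Enable X_forward_for for ingress. Available values are INSERT or REPLACE.
    # When this config is set, if x_forwarded_for is missing, LB will add
    # x_forwarded_for in the request header with value client ip. When
    # x_forwarded_for is present and its set to REPLACE, LB will replace
    # x_forwarded_for in the header to client_ip. When x_forwarded_for is
    # present and its set to INSERT, LB will append client_ip to
    # x_forwarded_for in the header. If not wanting to use x_forwarded_for,
    # remove this config
    # Choices: <None> INSERT REPLACE
    #x_forwarded_for: <None>
    # Resource ID of the firewall section that will be used to create firewall
    # sections below this mark section
    #top_firewall_section_marker: <None>
    # Resource ID of the firewall section that will be used to create firewall
    # sections above this mark section
    #bottom_firewall_section_marker: <None>
    # Replication mode of container logical switch, set SOURCE for cloud as it
    # only supports head replication mode
    # Choices: MTEP SOURCE
    #ls_replication_mode: MTEP
    # The resource which NCP will search tag 'node_name' on, to get parent VIF
    # or transport node uuid for container LSP API context field. For HOSTVM
    # mode, it will search tag on LSP. For BM mode, it will search tag on LSP
    # then search TN. For CLOUD mode, it will search tag on VM. For WCP_WORKER
    # mode, it will search TN by hostname.
    # Choices: tag_on_lsp tag_on_tn tag_on_vm hostname_on_tn
    #search_node_tag_on: tag_on_lsp
    # Determines which kind of information to be used as VIF app_id. Defaults
    # to pod_resource_key. In WCP mode, pod_uid is used.
    # Choices: pod_resource_key pod_uid
    #vif_app_id_type: pod_resource_key
    # If this value is not empty, NCP will append it to nameserver list
    #dns_servers: []
    # Set this to True to enable NCP to report errors through NSXError CRD.
    #enable_nsx_err_crd: False
    # Maximum number of virtual servers allowed to create in cluster for
    # LoadBalancer type of services.
    #max_allowed_virtual_servers: 9223372036854775807
    # Edge cluster ID needed when creating Tier1 router for loadbalancer
    # service. Information could be retrieved from Tier0 router
    #edge_cluster: <None>
    # Inventory feature switch
    #enable_inventory: True
    # For internal container network CIDR, NCP adds redistribution deny rule to
    # stop T0 router advertise subnets to external network outside of T0
    # router. If BGP or route redistribution is disabled, or
    # T1_CONNECTED/TIER1_SEGMENT option is not selected, NCP would not add the
    # deny rule. If users enable BGP and route redistribution, or select
    # T1_CONNECTED/TIER1_SEGMENT option after NCP starts, user needs to restart
    # NCP to let NCP set deny rule. If there is already a route map attached,
    # NCP will create IP prefix list on the existing route map. Otherwise NCP
    # will create a new route map and attach it. This option could be used only
    # in SNAT mode and when policy_nsxapi: True.
    #configure_t0_redistribution: False
    # Health check interval for nsx lb monitor profile
    #lb_hc_profile_interval: 5
    # Health check timeout for nsx lb monitor profile
    #lb_hc_profile_timeout: 15
    # Health check failed count for nsx lb monitor profile. Pool member failed
    # for this amount will be marked as down.
    #lb_hc_profile_fall_count: 3
    # Health check rise count for nsx lb monitor profile. Pool members
    # previously marked down will be brought up, if succeed in the health check
    # for this amount of time.
    #lb_hc_profile_rise_count: 3
    # Maximum size of the buffer used to store HTTP request headers for L7
    # virtual servers in cluster. A request with header larger than this value
    # will be processed as best effort whereas a request with header below this
    # value is guaranteed to be processed.
    #lb_http_request_header_size: 1024
    # Maximum size of the buffer used to store HTTP response headers for all L7
    # virtual servers in cluster. A response with header larger than this value
    # will be dropped.
    #lb_http_response_header_size: 4096
    # Maximum server idle time in seconds for L7 virtual servers in cluster. If
    # backend server does not send any packet within this time, the connection
    # is closed.
    #lb_http_response_timeout: 60
    # Determines the behavior when a Tier-1 instance restarts after a failure.
    # If set to PREEMPTIVE, the preferred node will take over, even if it
    # causes another failure. If set to NON_PREEMPTIVE, then the instance that
    # restarted will remain secondary. Applicable to Tier-1 across cluster that
    # was created by NCP and has edge cluster configured.
    # Choices: PREEMPTIVE NON_PREEMPTIVE
    #failover_mode: NON_PREEMPTIVE
    # Set this to ENABLE to enable NCP enforced pool member limit for all load
    # balancer servers in cluster. Set this to CRD_LB_ONLY will only enforce
    # the limit for load balancer servers created using lb CRD. Set this to
    # DISABLE to turn off all limit checks. This option requires
    # relax_scale_validation set to True, l4_lb_auto_scaling set to False, and
    # works on Policy API only. When not disabled, NCP will enforce a pool
    # member limit on LBS to prevent one LBS from using up all resources on
    # edge nodes.
    # Choices: DISABLE ENABLE CRD_LB_ONLY
    #ncp_enforced_pool_member_limit: DISABLE
    # Maximum number of pool member allowed for each small load balancer
    # service. Requires ncp_enforced_pool_member_limit set to ENABLE or
    # CRD_LB_ONLY to take effect.
    #members_per_small_lbs: 2000
    # Maximum number of pool member allowed for each medium load balancer
    # service. Requires ncp_enforced_pool_member_limit set to ENABLE or
    # CRD_LB_ONLY to take effect.
    #members_per_medium_lbs: 2000
    # Interval in seconds to clean empty segments.
    #segment_gc_interval: 600
    # Determines the mode NCP limits rate when sending API calls to NSX.
    # Choices: NO_LIMIT SLIDING_WINDOW ADAPTIVE_AIMD
    #api_rate_limit_mode: ADAPTIVE_AIMD
    # When nsx_v3.api_rate_limit_mode is not set to NO_LIMIT, determines the
    # maximum number of API calls sent per manager ip per second. Should be a
    # positive integer.
    #max_api_rate: 40
    # Resource ID of the client SSL profile which will be used by Loadbalancer
    # while participating in TLS handshake with the client
    #client_ssl_profile: <None>
    # Enable security policy notification. If this option is enabled, NCP will
    # configure container network after NSX creates logical port and finishes
    # security policy synchronization
    #wait_for_security_policy_sync: False
    # Set this to True to enable rule tag as cluster name in DFW logs for k8s.
    # When IPv6 is enabled, the tag will not be applied to rules created by NCP
    # for allowing ND traffic.
    #enable_rule_tag: True
    # Set this to enable logging for snat rule, supported choices are: None,
    # Basic and Extended. none for no logging, basic for logging for
    # namespace snat rules, extended for logging for snat rules for
    # all namespaces and services
    # Choices: none basic extended
    #snat_rule_logging: none
    # Log properties of virtual server for ingress/route. It maps to two
    # parameters access_log_enabled and log_significant_event_only of virtual
    # server. It decides whether to log and what events to record by virtual
    # server.
    # Choices: none all significant
    #vs_access_log: none
    # The time in seconds before a released IP can be reallocated. This value
    # is used to determine if a previously exhausted logical switch can be used
    # again for creating a new logical port
    #ip_reallocation_time: 60
    # Specify a custom cookie name for NSX default LB when l7_persistence type
    # is set to cookie. It has no effect if l7_persistence is not set.
    #cookie_name: <None>

  # `{}` is the value of this key. To enable any of the options below, replace
  # the `{}` with the uncommented keys at this indentation.
  ha: {}
    # Time duration in seconds of mastership timeout. NCP instance will remain
    # master for this duration after elected. Note that the heartbeat period
    # plus the update timeout must not be greater than this period. This is
    # done to ensure that the master instance will either confirm liveness or
    # fail before the timeout.
    #master_timeout: 18
    # Time in seconds between heartbeats for elected leader. Once an NCP
    # instance is elected master, it will periodically confirm liveness based
    # on this value.
    #heartbeat_period: 6
    # Timeout duration in seconds for update to election resource. The default
    # value is calculated by subtracting heartbeat period from master timeout.
    # If the update request does not complete before the timeout it will be
    # aborted. Used for master heartbeats to ensure that the update finishes or
    # is aborted before the master timeout occurs.
    #update_timeout: <None>

  k8s:
    # Kubernetes API server IP address.
    #apiserver_host_ip: <None>
    # Kubernetes API server port.
    #apiserver_host_port: <None>
    # Full path of the Token file to use for authenticating with the k8s API
    # server.
    client_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
    # Full path of the client certificate file to use for authenticating with
    # the k8s API server. It must be specified together with
    # "client_private_key_file".
    #client_cert_file: <None>
    # Full path of the client private key file to use for authenticating with
    # the k8s API server. It must be specified together with
    # "client_cert_file".
    #client_private_key_file: <None>
    # Specify a CA bundle file to use in verifying the k8s API server
    # certificate.
    ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    # Specify whether ingress controllers are expected to be deployed in
    # hostnetwork mode or as regular pods externally accessed via NAT
    # Choices: hostnetwork nat
    #ingress_mode: hostnetwork
    # Log level for the kubernetes adaptor. Ignored if debug is True
    # Choices: NOTSET DEBUG INFO WARNING ERROR CRITICAL
    #loglevel: <None>
    # The default HTTP ingress port for non-NSX ingress controllers in NAT
    # mode.
    #http_ingress_port: 80
    # The default HTTPS ingress port for non-NSX ingress controllers in NAT
    # mode.
    #https_ingress_port: 443
    # Specifying whether the TCP connections between the LoadBalancer service
    # and backend could be reused by multiple client requests.
    #lb_connection_multiplexing_enabled: False
    # Specifying the maximum number of multiplexing connections.
    #lb_connection_multiplexing_number: 6
    # Specify thread pool size to process resource events
    #resource_watcher_thread_pool_size: 1
    # User specified IP address for HTTP and HTTPS ingresses
    #http_and_https_ingress_ip: <None>
    # Set this option to configure the ability to allow a virtual IP that is
    # not in the range of external_ip_pools_lb specified in spec.loadBalancerIP
    # of K8s service of type LoadBalancer to be realized in NSX. When the value
    # is relaxed, any IP specified in spec.loadBalancerIP can be allowed. When
    # the value is strict, only IP within the range of external_ip_pools_lb
    # will be allowed.
    # Choices: relaxed strict
    #lb_ip_allocation: relaxed
    # Set this to True to enable NCP to create tier1 router, first segment and
    # default SNAT IP for VirtualNetwork CRD, and then create segment port for
    # VM through VirtualNetworkInterface CRD.
    #enable_vnet_crd: False
    # Set this to True to enable NCP to create LoadBalancer on a Tier-1 for
    # LoadBalancer CRD. This option does not support LB autoscaling.
    #enable_lb_crd: False
    # Set this to True to enable NCP to create LbMonitor CR for NSX LBS
    #enable_lb_monitor_crd: False
    # Set this to True to enable NCP to manage network resources and resource
    # quotas per Namespace. This option only works under WCP T1 per Supervisor
    # Namespace networking topology
    #enable_nsnetwork_crd: False
    # Option to set the type of baseline cluster policy. ALLOW_CLUSTER creates
    # an explicit baseline policy to allow any pod to communicate any other pod
    # within the cluster. ALLOW_NAMESPACE creates an explicit baseline policy
    # to allow pods within the same namespace to communicate with each other.
    # By default, no baseline rule will be created and the cluster will assume
    # the default behavior as specified by the backend. Modification is not
    # supported after the value is set.
    # Choices: <None> allow_cluster allow_namespace
    #baseline_policy_type: <None>
    # Maximum number of endpoints allowed to create for a service.
    #max_allowed_endpoints: 1000
    # Set this to True to enable NCP reporting NSX backend error to k8s object
    # using k8s event
    #enable_ncp_event: False
    # Set this to True to enable multus to create multiple interfaces for one
    # pod. Requires policy_nsxapi set to True to take effect. If passthrough
    # interface is used as additional interface, user should deploy the network
    # device plugin to provide device allocation information for NCP. Pod
    # annotations with prefix "k8s.v1.cni.cncf.io" cannot be modified once pod
    # is realized. User defined IP will not be allocated from the Segment
    # IPPool. The "gateway" in NetworkAttachmentDefinition is not used to
    # configure secondary interfaces, as the default gateway of Pod is
    # configured by the primary CNI on the main network interface. User must
    # define IP and/or MAC if no "ipam" is configured. Only available if node
    # type is HOSTVM and not to be leveraged in conjunction with 3rd party CNI
    # plugin
    #enable_multus: True
    # Interval of polling loadbalancer statistics. Default to 60 seconds.
    # NOTE(review): the disabled example below says 600 while the text says
    # 60 — confirm the real default before enabling.
    #lb_statistic_monitor_interval: 600
    # Option to enable polling virtual server statistics.
    #enable_lb_vs_statistics_monitor: False
    # This option is for toggling process of network CRD. It should be set to
    # False when the network status setting is done by OCP4 NetworkOperator
    #process_oc_network: True
    # nsx-node-agent will add iptables rules for K8s pod which has hostPort,
    # client packets to hostPort will be SNATed to node IP. We leverage portmap
    # plugin to add iptables DNAT rules for hostPort ingress traffic. This
    # hostPort feature is only supported on K8s Linux node.
    #enable_hostport_snat: False
    # If this option is True, nsx-ncp-bootstrap pod will install portmap plugin
    # from nsx-ncp image, nsx-ncp-cleanup pod will remove portmap plugin.
    #use_ncp_portmap: False

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: "nsx-ncp-operator"

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

# The commented settings below are the usual container hardening baseline
# (drop all capabilities, read-only root filesystem, non-root UID). Enable
# them where the operator image supports running that way.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

nodeSelector: {}

# Newer Kubernetes releases taint control-plane nodes with
# node-role.kubernetes.io/control-plane instead of .../master; add a matching
# toleration here if the operator must be schedulable on those nodes.
tolerations:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
  - effect: NoSchedule
    key: node.kubernetes.io/not-ready
  - effect: NoSchedule
    key: node.kubernetes.io/network-unavailable

affinity: {}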