deployment:
  initImage: <INIT_IMAGE_URL>
  serverImage: <CONTROLLER_IMAGE_URL>
  pullPolicy: Always
  resources:
    limits:
      cpu: 1.0
      memory: 512Mi
    requests:
      cpu: 1.0
      memory: 512Mi
  replicas: 1
  readiness:
    httpGet:
      path: /healthz
      scheme: HTTP
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10
  liveness:
    httpGet:
      path: /healthz
      scheme: HTTP
      port: 8080
    initialDelaySeconds: 10
    periodSeconds: 10
  securityContext:  
    allowPrivilegeEscalation: false  
    runAsUser: 1000  
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    capabilities:
      drop: ["ALL"]  
    seccompProfile:
      type: "RuntimeDefault"

labels:
  billing: lob-cc
  env: dev
  owner: jimmy

service:
  ports:
    http: 80
    https: 443

server:
  address:
  log:
    encoding: console
    level: debug
  ports:
    http: 8080
    https: 8443
  tls:
    secrets:
      crtFile: "/certs/tls.crt"
      keyFile: "/certs/tls.key"
      cabundle: 
      crt:
      key:
  enableNetworkPolicies: true
  endpoints:
    metrics: "/metrics"
    health: "/healthz"
    validation: &validateUrl "/validate"

serviceAccount:
  name: notary-admission
  create: false
  awsRoleArn: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>"

notation:
  mode: binary 
  debug:
    enabled: false
    flag: "--debug"
  paths:
    binaryDir: "./verify/bin"
    binarySrc: "./notation"  # changes to this require changes in the image
    binaryDst: "./verify/bin/notation"
    plugins:
      signerPluginDir: "/verify/notation/plugins/com.amazonaws.signer.notation.plugin"
      signerPluginFile: "notation-com.amazonaws.signer.notation.plugin"
    homeDirectory: "/verify/notation"
    xdgHomeValue: "/verify"
    xdgHomeVariable: "XDG_CONFIG_HOME"
  commands:
    version: version
    login: login
    verify: verify
    list: list
  trust:
    policy:
      name: aws-signer-tp
      file: "trustpolicy.json"
      aws:
        signer:
          profileArns: ["arn:aws:signer:<AWS_REGION>:<AWS_ACCOUNT_ID>:/signing-profiles/notary_admission"]
          debugEnabled: false
          endpoint: 
    store:
      name: aws-signer-ts
      signingAuthorities: ["signingAuthority:aws-signer-ts"]
      rootCert: "/signer/aws-signer-notation-root.cert"

prometheus:
  name: notary_admission
  start: 0
  width: 5
  count: 20
  scrape: true

ecr:
  auth:
    apiOverride:
      endpoint:
      partition:
      region: 
    credentialCache:
      enabled: true
      preAuthRegistries: ["<AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com","<AWS_ACCOUNT_ID>.dkr.ecr.<AWS_REGION>.amazonaws.com"]
      cacheRefreshInterval: 300
      cacheTimeoutInterval: 600
  ignoreRegistries: ["public.ecr.aws","gcr.io","k8s.gcr.io","registry.k8s.io"]

admission:
  failurePolicy: Fail
  endpointUrl: *validateUrl
  operations: ["CREATE","UPDATE"]
  resources: ["deployments","pods"]
  apiVersions: ["v1"]
  reviewVersions: ["v1"]