apiVersion: v1
kind: Namespace
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "10"
    openshift.io/description: ""
    openshift.io/display-name: ""
  labels:
    kubernetes.io/metadata.name: stackrox
  name: stackrox
spec:
  finalizers:
  - kubernetes
---
apiVersion: v1
kind: Secret
metadata:
  # The secret needs to be created before the creation of the "Central" Custom Resource.
  # Otherwise, a race condition is possible and the installation of the Central might get stuck.
  annotations:
    argocd.argoproj.io/sync-wave: "10"
  name: central-admin
  namespace: stackrox
type: Opaque
data:
  password: {{ include "acs-admin-password" . | b64enc | quote }}
---
apiVersion: platform.stackrox.io/v1alpha1
kind: Central
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "15"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: stackrox-central-services
  namespace: stackrox
spec:
  central:
    exposure:
      loadBalancer:
        enabled: false
        port: 443
      nodePort:
        enabled: false
      route:
        enabled: true
    adminPasswordSecret:
      name: central-admin
    db:
      isEnabled: Default
      persistence:
        persistentVolumeClaim:
          claimName: central-db
    persistence:
      persistentVolumeClaim:
        claimName: stackrox-db
  egress:
    connectivityPolicy: Online
  scanner:
    analyzer:
      scaling:
        autoScaling: Disabled
        replicas: 3
    scannerComponent: Enabled
  # Listen on pain HTTP so that we can expose the central through a Route
  customize:
    envVars:
      - name: ROX_PLAINTEXT_ENDPOINTS
        value: http@8080
---
apiVersion: platform.stackrox.io/v1alpha1
kind: SecuredCluster
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "30"
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: stackrox-secured-cluster-services
  namespace: stackrox
spec:
  auditLogs:
    collection: Auto
  admissionControl:
    listenOnUpdates: true
    bypass: BreakGlassAnnotation
    contactImageScanners: ScanIfMissing
    listenOnCreates: true
    timeoutSeconds: 20
    listenOnEvents: true
  scanner:
    analyzer:
      scaling:
        autoScaling: Enabled
        maxReplicas: 5
        minReplicas: 2
        replicas: 3
    scannerComponent: AutoSense
  perNode:
    collector:
      collection: EBPF
      imageFlavor: Regular
    taintToleration: TolerateTaints
  clusterName: local-cluster
---
apiVersion: console.openshift.io/v1
kind: ConsoleLink
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: "20"
  name: rhacs-menu
spec:
  applicationMenu:
    imageURL: >-
      /static/assets/redhat.svg
    section: RHACS Section
  href: 'https://central.{{ .Values.openshiftDnsZone }}/'
  location: ApplicationMenu
  text: Red Hat Advanced Cluster Security