drupal/values.yaml

# Subchart with few functionality that is reused for our other charts
silta-release:
  # Enable downscaler by default.
  downscaler:
    enabled: true
    # Allows to modify How long should This release be active until downscaled. Value examples: 10y, 4w, 1h
    # releaseMinAge: '1w'
    releaseMinAge: ''

# Main domain of the cluster.
# Subdomains of this domain will be created automatically for each environment.
clusterDomain: "silta.wdr.io"

# An optional human-readable label for the project, defaults to the repository name.
# This name is mainly used to create nice subdomains for each environment.
projectName: ""

# An optional human-readable label for the environment, defaults to the release name.
# We typically pass the branch name when we build dedicated environments per branch.
# This name is mainly used to create nice subdomains for each environment.
environmentName: ""

# Configure image pull secrets for the containers. This is not needed on GKE.
# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []

# Custom imagePullSecret for the containers. Base64 encoded. This will create a secret and append it to the imagePullSecrets. 
imagePullSecret: ""

# The app label added to our Kubernetes resources.
app: drupal

# Path to the web root folder.
# If you change this, make sure to check for any other references to "/app/web" or "web/" in your project.
# See https://github.com/wunderio/silta/blob/master/docs/changing_the_webroot.md
webRoot: /app/web

# How many instances of the Drupal pod should be in our Kubernetes deployment.
# A single pod (the default value) is good for development environments to minimise resource usage.
# Multiple pods make sense for high availability.
replicas: 1

# Enable autoscaling using HorizontalPodAutoscaler
# see: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale-walkthrough/
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 3
  metrics:
  - type: Resource
    resource:
      name: cpu
      targetAverageUtilization: 80
  - type: Resource
    resource:
      name: memory
      targetAverageUtilization: 80

# Domain names that will be mapped to this deployment.
# Example of exposing 2 additional domains for this deployment, each with its own certificate.
# exposeDomains:
#   example:
#     hostname: example.com
#   example2:
#     hostname: example1.com
#     # Reference to a key under `ingress`
#     ingress: gce
#     ssl:
#       enabled: true
#       issuer: letsencrypt-staging
#   example_www:
#     hostname: www.example.com
#   example_no_https:
#    hostname: insecure.example.com
#      ssl:
#        enabled: false
exposeDomains: {}

exposeDomainsDefaults:
  ingress: default
  ssl:
    enabled: true
    issuer: letsencrypt

ingress:
  default:
    type: traefik
    tls: true
    redirect-https: true
    extraAnnotations:
      traefik.ingress.kubernetes.io/rate-limit: |
        extractorfunc: client.ip
        rateset:
          default:
            period: 1s
            average: 32
            burst: 90
      nginx.ingress.kubernetes.io/limit-rps: "60"
      nginx.ingress.kubernetes.io/limit-rpm: "300"
      nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"
      nginx.ingress.kubernetes.io/limit-connections: "100"
  gce:
    type: gce
    # The name of the reserved static IP address.
    # It is best to first reserve the IP address and then add it here.
    # staticIpAddressName: null
    # Custom ingress annotations
    # extraAnnotations:
    #   networking.gke.io/suppress-firewall-xpn-error: "true"

# Infrastructure related settings.
cluster:
  type: gke
  vpcNative: false

# backendConfig customisations for Drupal service
backendConfig:
  securityPolicy:
    name: "silta-ingress"

# Timezone to be used by the services that support it.
# List of timezones: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List (use the TZ identifier column)
# The default timezone for most container images is UTC.
timezone: ""

# Add prefixes to the generated per-branch domains, to be used for projects that need to respond
# on multiple domains, for example using Drupal's domain module, or using different domains for different languages.
# domainPrefixes: ['en', 'fi']
domainPrefixes: []

# Domains by default are created following pattern branch.repository.cluster
# By enabling single subdomain it will be converted to branch-repository.cluster
singleSubdomain: false

# Settings for default site provided by this deployment
ssl:
  # Enable HTTPS for this deployment
  enabled:  true
  # Possible issuers: letsencrypt-staging, letsencrypt, selfsigned, custom
  issuer: letsencrypt
  # Only when certificate type is custom
  # ca: ""
  # key: ""
  # crt: ""

# These variables are build-specific and should be passed via the --set parameter.
nginx:
  image: 'you need to pass in a value for nginx.image to your helm chart'

  # Requires "X-Proxy-Auth" header from upstream when value is non-empty string.
  x_proxy_auth: ""

  # Possible Values: debug, info, notice, warn, error, crit, alert, or emerg.
  loglevel: error

  # The Kubernetes resources for the nginx container.
  # These values are optimised for development environments.
  resources:
    requests:
      cpu: 1m
      memory: 10Mi
    limits:
      cpu: 500m
      memory: 244Mi

  # Set of values to enable and use http basic authentication
  # It is implemented only for very basic protection (like web crawlers)
  basicauth:
    enabled: true

    # Define username and password
    credentials:
      username: silta
      password: demo

  # Header containing real IP address
  real_ip_header: X-Forwarded-For

  # Expose drupal cache tag headers
  expose_cache_headers: false

  # Trust X-Forwarded-For from these hosts for getting external IP
  realipfrom:
    gke-internal: 10.0.0.0/8
    gce-health-check-1: 130.211.0.0/22
    gce-health-check-2: 35.191.0.0/16

  # Define the internal network access.
  # These are used below to allow internal access to certain files
  # from trusted locations while not allowing access from the public internet.
  # These addreses are also excluded from basicauth.
  # Note that the key is only used for documentation purposes.
  noauthips:
    gke-internal: 10.0.0.0/8
    gce-health-check-1: 130.211.0.0/22
    gce-health-check-2: 35.191.0.0/16

  # Security headers
  security_headers:
    # X-Frame-Options: 'SAMEORIGIN'
    # X-Content-Type-Options: 'nosniff'
    X-XSS-Protection: '"1; mode=block"'
    Referrer-Policy: '"no-referrer, strict-origin-when-cross-origin" always'

  # includeSubdomains should be used whenever possible, but before enabling it needs to be made sure there are no subdomains not using https:
  hsts_include_subdomains: ""
  #hsts_include_subdomains: " includeSubDomains;"
  #content_security_policy: "upgrade-insecure-requests; default-src https: data: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self'; base-uri 'self'; object-src 'self'; connect-src wss: https:"

  # Gzip compression level
  comp_level: 6

  # Retry file lookup in 5 seconds (filesystem sync workaround)
  # retry404s:
  #   delay: 5
  #   paths:
  #     - "^/sites/[^/]+/files/(?:css|js)/"

  # Nginx status pages will be available at /nginx_status and /nginx_vts,
  # accessible from nginx.noauthips and localhost.
  status_page:
    enabled: true

  # Allow load-balancer to pod session affinity for consecutive requests. Does not work with varnish enabled.
  sessionAffinity: false

  # Extra configuration block in server context.
  serverExtraConfig: |

  # Extra configuration block in location context.
  locationExtraConfig: |

  # Extra configuration to pass to nginx as a file
  extraConfig: |

  # Toggle open_files_cache.
  # Naming follows https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache directive
  open_file_cache:
    enabled: true
    max: 6000
    inactive: 120s

# Configuration for everything that runs in php containers.
php:
  # The docker image to be used. This is typically passed by your CI system using the --set parameter.
  image: 'you need to pass in a value for drupal.image to your helm chart'

  # The Kubernetes resources for the php containers.
  # These values are optimised for development environments.
  resources:
    requests:
      cpu: 5m
      memory: 122Mi
    limits:
      memory: 488Mi

  fpm:
    # Custom php-fpm settings block. May override parameters previously defined.
    # This will be put under [www] process pool.
    extraConfig: |

    # PHP-FPM status page will be available at /php_status, accessible
    # from nginx.noauthips and localhost.
    status_page:
      enabled: true

  cronJobDefaults:
    # resources:
    #   requests:
    #     cpu: 500m
    #     memory: 488Mi
    #   limits:
    #     memory: 488Mi
    # nodeSelector:
    #   cloud.google.com/gke-nodepool: static-ip

  # Cron tasks, each of which will be run into a dedicated temporary pod.
  cron:
    drupal:
      # ~ gets replaced with a random digit between 0 and 9 to prevent having all cron jobs at once.
      schedule: '~ * * * *'
      # When overriding this value, make sure to include the `drush cron` command.
      command: |
        if [[ "$(drush status --fields=bootstrap)" = *'Successful'* ]] ; then
          drush cron;
        fi

    # Add custom php.ini file overrides for the cronjob.
    # Use the same syntax as in php.ini file
    # Example:
    # php_ini: |
        # [PHP]
        # memory_limit=128M

    # php_ini: |

      # Set a nodeSelector specifically for cron jobs.
      nodeSelector: {}

      # Specify a how many attempts should be made before considering a cron job as failed.
      backoffLimit: 1

      # Set resources specifically for cron jobs. If not set, they will be
      # inherited from php.resources.
      resources:
        requests:
          cpu: 500m
          memory: 488Mi
        limits:
          memory: 488Mi

  # Post-installation hook.
  # This is run every time a new environment is created.
  postinstall:
    # Specify any particular commands to be executed after an environment is installed.
    # If referenced data is enabled, it gets imported before this step.
    command: ""
    resources:
      requests:
        cpu: 500m
        memory: 488Mi
      limits:
        memory: 488Mi

  # Post-upgrade hook.
  # This is run every time a new environment is upgraded.
  postupgrade:
    command: |
      # Cache rebuild needs to be done before anything else, since if for
      # example service files have changed, Drupal might not be able to
      # bootstrap, not even for the `drush status` command below.
      if [[ $DRUPAL_CORE_VERSION -eq 7 ]] ; then
        drush cache-clear all || true
      else
        drush eval "drupal_flush_all_caches();" || true
      fi
      if [[ "$(drush status --fields=bootstrap)" = *'Successful'* ]] ; then
        drush updatedb -y
        if [[ $DRUPAL_CORE_VERSION -gt 7 && -f $DRUPAL_CONFIG_PATH/core.extension.yml ]]; then
          drush config-import -y
          drush cache-rebuild
        fi
      fi
    # Extra commands to run after previous 'command' block.
    # This removes the user step of copying the whole 'command' block and adding their own custom logic.
    afterCommand: |


  # Pass additional environment variables to all php containers as key-value pairs.
  env: {}

  # The hashsalt can be provided if you need to import an existing database and preserve the ability for
  # users to log in. If not provided, a random value will be used.
  hashsalt: "template-hash-salt"

  # Set whether Drupal errors are displayed.
  # This is a useful override for development environments.
  errorLevel: "verbose"

  # PHP settings
  php_ini:
    upload_max_filesize: 60M
    post_max_size: 60M
    memory_limit: 256M
    max_execution_time: 60
    # Custom php settings block. May override parameters previously defined.
    # Note: include correct php ini section, i.e. "[PHP]" or "[Date]".
    extraConfig: |

  # Define the location of the Drupal config files relative to the composer root.
  # This variable is exposed as $DRUPAL_CONFIG_PATH in the container.
  drupalConfigPath: "config/sync"

  # Define Drupal version to be able to use different settings.php and do other core specific tasks.
  # This variable is exposed as $DRUPAL_CORE_VERSION in the container.
  drupalCoreVersion: "8"

  # Set a restriction on where the php pod are provisioned.
  # This can be used for example to get a static IP for egress traffic.
  nodeSelector: {}

# Configuration for everything that runs in shell container.
shell:
  enabled: true

  # The docker image to be used. This is typically passed by your CI system using the --set parameter.
  image: 'you need to pass in a value for shell.image to your helm chart'
  # Values for the SSH gitAuth.
  gitAuth:
    # Project's git repository URL
    repositoryUrl: 'you need to pass in a value for shell.gitAuth.repositoryUrl to your helm chart'
    outsideCollaborators: true
    keyserver:
      enabled: true
      # Defaults to https://keys.[clusterDomain]/api/1/git-ssh-keys
      url: ''
      username: ''
      password: ''
  # Static ssh keys
  # Note: cluster administrator support required for duplicating keys in jumphost.
  authorizedKeys: []

  # Specifications for the volume where host keys are mounted.
  mount:
    storageClassName: silta-shared
    csiDriverName: csi-rclone
    storage: 1M

  # Extend resources defined under php.resources.
  resources:
    requests:
      cpu: 5m
      memory: 64Mi

  # Set a restriction on where the shell pod are provisioned.
  # This can be used for example to get a static IP for egress traffic.
  nodeSelector: {}

# Configure the dynamically mounted volumes
mounts:
  public-files:
    enabled: true
    storage: 1G
    # Assumes that webRoot is set to the default value "/app/web".
    mountPath: /app/web/sites/default/files
    storageClassName: silta-shared
    csiDriverName: csi-rclone
  private-files:
    enabled: false
    storage: 1G
    mountPath: /app/private
    storageClassName: silta-shared
    csiDriverName: csi-rclone

# Configure reference data that will be used when creating new environments.
referenceData:
  enabled: true

  # The name of the environment from which reference data will be copied.
  referenceEnvironment: 'master'

  # When to automatically update the reference data.
  schedule: '~ 3 * * *'

  # Update the reference data after deployments on the reference environment.
  updateAfterDeployment: true

  # Matching folders will not be included in reference data.
  ignoreFolders:
    - css
    - js
    - styles
    - languages
    - php

  # Files larger than this will not be included in reference data.
  maxFileSize: '5M'

  storage: 1G
  storageClassName: silta-shared
  csiDriverName: csi-rclone

  # Skips mounting the volume outside of the reference environment, only used programmatically.
  skipMount: false

  # Resources for the reference data cron job.
  resources:
    requests:
      cpu: 1000m
      memory: 488Mi
    limits:
      memory: 488Mi

# Release sync configuration. Storage is used for data synchronization and process is handled by the Silta HUB.
silta-hub:
  sync:
    storage: 10G

# Parameters for sanitizing reference data with github.com/Smile-SA/gdpr-dump
# Uses formatters from fakerphp.github.io/formatters
gdprDump:
  tables:
    cache:
      truncate: true
    cache_*:
      truncate: true
    sessions:
      truncate: true
    watchdog:
      truncate: true
    commerce_payment_method*:
      truncate: true
    users_field_data:
      converters:
        mail:
          converter: 'randomizeEmail'
          unique: true
        init:
          converter: 'fromContext'
          parameters:
            key: 'processed_data.mail'
        name:
          converter: 'faker'
          parameters:
            formatter: 'name'
        pass:
          converter: 'randomizeText'
    commerce_order:
      converters:
        mail:
          converter: 'randomizeEmail'
          unique: true
        ip_address:
          converter: 'faker'
          parameters:
            formatter: 'ipv4'
    commerce_store_field_data:
      converters:
        mail:
          converter: 'randomizeEmail'
          unique: true

backup:
  # Whether backups should be taken for the current environment.
  enabled: false

  # Cron schedule when backups should be taken, this is expected to take place daily.
  # ~ gets replaced with a random digit between 0 and 9 to prevent having all cron jobs at once.
  schedule: '~ 2 * * *'

  # How many daily backups to preserve.
  retention: 14

  storage: 10G
  storageClassName: silta-shared
  csiDriverName: csi-rclone

  # These tables will have their content ignored from the backups.
  ignoreTableContent: '(cache|cache_.*)'

  #  Do not backup files
  #skipFiles: true

  # Resources for the backup cron job.
  resources:
    requests:
      cpu: 1000m
      memory: 488Mi

# Override the default values of the MariaDB subchart.
# These settings are optimised for development environments.
# see: https://github.com/bitnami/charts/blob/91fcd1eb5d00c33cc74e24502a85ce656ac1e963/bitnami/mariadb/values.yaml
mariadb:
  enabled: true
  image:
    # https://hub.docker.com/r/bitnami/mariadb/tags
    tag: 10.6-debian-12
  replication:
    enabled: false
  db:
    name: drupal
    user: drupal
  master:
    persistence:
      # Database storage disk space allocation
      # Request assistance from ops team after changing this on existing deployment.
      size: 1G
    resources:
      requests:
        cpu: 25m
        memory: 366Mi
      limits:
        memory: 488Mi
    extraInitContainers: |
      - name: dbinfo
        image: busybox:stable
        command: ["/bin/sh", "-c"]
        args:
          - df -h /bitnami/mariadb
        volumeMounts:
          - mountPath: /bitnami/mariadb
            name: data
    affinity:
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - weight: 100
          preference:
            matchExpressions:
            - key: cloud.google.com/gke-nodepool
              operator: NotIn
              values:
              - static-ip
  enableServiceLinks: false

varnish:
  # See https://github.com/wunderio/silta/blob/master/docs/silta-examples.md#using-varnish
  # to configure varnish for Your site correctly.
  enabled: false
  resources:
    requests:
      cpu: 25m
      memory: 32Mi
  image: wunderio/silta-varnish
  imageTag: 6-v1
  # https://varnish-cache.org/docs/6.6/users-guide/storage-backends.html
  storageBackend: 'file,/var/lib/varnish/varnish_storage.bin,512M'
  # https://varnish-cache.org/docs/6.6/reference/varnishd.html#list-of-parameters
  extraParams: ""
  # Inject custom code into vcl_recv subroutine.
  vcl_recv_extra: ""
  # Html code for status 500 page.
  status_500_html: ""
  # Additional cookie based rules
  vcl_extra_cookies: ""
  # Do not cache files larger than 3 megabytes (use integers).
  cache_skip_size: 3
  # https://varnish-cache.org/docs/6.6/reference/vcl.html#backends-and-health-probes
  backend_config: |
    .max_connections = 300;
    .probe = {
      .url       = "/robots.txt";
      .interval  = 5s;
      .timeout   = 5s;
      .window    = 5;
      .threshold = 3;
    }
    .first_byte_timeout     = 300s;
    .connect_timeout        = 10s;
    .between_bytes_timeout  = 10s;

# https://github.com/elastic/helm-charts/blob/2fd64d0af65f14df7aa01da591919460dabac4b3/elasticsearch/values.yaml
elasticsearch:
  enabled: false

  # The elasticsearch version to use.
  # It's a good idea to tag this in your silta.yml
  imageTag: 6.8.22

  replicas: 1
  minimumMasterNodes: 1
  maxUnavailable: 0
  clusterHealthCheckParams: 'wait_for_status=yellow&timeout=1s'

  # Note: "roles" definition is ignored for 6.x images due to subchart compatability reasons.

  # Drupal integration module still requires non-ssl connection
  # related param: elasticsearch.extraEnvs[xpack.security.enabled]
  createCert: false
  protocol: http
  extraEnvs:
    - name: xpack.security.enabled
      value: "false"

  # Disable service links that cause a slow startup.
  enableServiceLinks: false

  # This value should be slightly less than 50% of the requested memory.
  esJavaOpts: -Xmx220m -Xms220m
  xpack:
    enabled: false
  volumeClaimTemplate:
    resources:
      requests:
        storage: 1Gi
  resources:
    requests:
      cpu: 200m
      memory: 640Mi
    limits:
      memory: 1Gi

  nodeAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 100
      preference:
        matchExpressions:
        - key: cloud.google.com/gke-nodepool
          operator: NotIn
          values:
          - static-ip

# Memcache service overrides
# see: https://github.com/bitnami/charts/blob/master/bitnami/memcached/values.yaml
memcached:
  enabled: false
  replicaCount: 1
  resources:
    requests:
      cpu: 10m
      memory: 128Mi
    limits:
      memory: 128Mi
  arguments:
    - /run.sh
    # MaxMemoryLimit, this should be less than the resources.limits.memory, or memcached will crash.
    - -m 118
    # MaxItemSize
    - -I 4M

# https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml
redis:
  enabled: false
  architecture: standalone
  auth:
    # mandatory value
    password: ""
  replica:
    # replicaCount: 1
    autoscaling:
      enabled: false
  master:
    resources:
      limits:
        cpu: 250m
        memory: 512Mi
      requests:
        cpu: 50m
        memory: 256Mi

# Mailhog service overrides
# see: https://github.com/codecentric/helm-charts/blob/master/charts/mailhog/values.yaml
mailhog:
  enabled: false
  image:
    # Set image repository to "mailhog/mailhog" to reenable logging.
    repository: wunderio/silta-mailhog
    # Set image tag to "" to reenable logging.
    tag: v1
  resources:
    requests:
      cpu: 1m
      memory: 10M

# Email via SMTP. Configuration is passed to containers as environment variables (SMTP_ADDRESS, SMTP_PORT, ..)
# see: https://github.com/wunderio/silta/blob/master/docs/silta-examples.md#sending-e-mail
smtp:
  enabled: false
  # address: smtp.example.com:25
  # username: ""
  # password: ""

# Solr.
solr:
  enabled: false
  # Available image tags: https://hub.docker.com/r/geerlingguy/solr/tags
  image: wunderio/silta-solr
  imageTag: 8-v1

  # Solr 4.x and 5.x does not support "-force" argument (optional override)
  command: ["/opt/solr/bin/solr"]
  commandArgs: ["start", "-p", "8983", "-f", "-force", "-m", "256m", "-a", "-Dlog4j2.formatMsgNoLookups=true"]

  # Path in php container containing solr conf files (schema, solrconfig, stopwords, etc.).
  # Solr init container will contents of this folder to actual solr container.
  # Note: Configuration folder is not synced with shell container, drupal image rebuild required to update!
  confLocation: /app/silta/solr/conf
  coreName: search

  readinessProbeUrl: /solr/admin/info/system

  # Kubernetes resource assignments.
  resources:
    requests:
      cpu: 250m
      memory: 488Mi
    limits:
      cpu: 500m
      memory: 732Mi

  persistence:
    data:
      size: 1Gi
      # storageClassName: standard
      # Provide driver name if using CSI driver backed storage class (optional).
      # csiDriverName: csi-driver-name
      accessModes:
        - ReadWriteOnce

# ClamAV daemon for virus scanning.
clamav:
  enabled: false
  # Available image tags: https://hub.docker.com/r/clamav/clamav/
  image: clamav/clamav
  imageTag: stable
  freshclamExtraConfig: ""
  resources:
    requests:
      cpu: 1
      memory: 2Gi
    limits:
      cpu: 1500m
      memory: 3Gi
db:
  # Available options: mariadb, pxc-db
  primary: mariadb

# Percona XtraDB Cluster
# see: https://github.com/percona/percona-helm-charts/blob/4ec113774f41a31167c2f9efd4c93f3d387e7f04/charts/pxc-db/values.yaml
pxc-db:
  enabled: false
  allowUnsafeConfigurations: false
  pxc:
    size: 3
    expose:
      enabled: false
    disableTLS: true
    resources:
      requests:
        cpu: 250m
        memory: 488Mi
      limits:
        cpu: 1000m
        memory: 977Mi
    # User defined MySQL options according to MySQL configuration file syntax
    configuration: |
      [mysqld]
      # Required for db import / reference data / backups
      # https://forums.percona.com/t/import-mysql-dump-to-pxc/6104
      # https://www.percona.com/doc/percona-xtradb-cluster/8.0/features/pxc-strict-mode.html
      pxc_strict_mode=PERMISSIVE
    persistence:
      enabled: true
      size: 8Gi
  proxysql:
    enabled: true
    resources:
      requests:
        cpu: 100m
        memory: 122Mi
      limits:
        cpu: 500m
        memory: 244Mi
  logcollector:
    enabled: false
  backup:
    enabled: false
    # schedule: []
  secrets:
    passwords:
      root: drupal
      pmmserver: drupal
      xtrabackup: drupal
      monitor: drupal
      clustercheck: drupal
      proxyadmin: drupal
      operator: drupal
      replication: drupal

# Fastly Signal Sciences support
# https://docs.fastly.com/signalsciences/
signalsciences:
  enabled: false
  accesskeyid: ""
  secretaccesskey: ""
  image: signalsciences/sigsci-agent
  imageTag: latest
  # sidecar container resources
  resources:
    requests:
      cpu: 20m
      memory: 40Mi
    limits:
      cpu: 200m
      memory: 300Mi

# Logging configurations for services that support them.
# BETA feature, currently only supported by drupal-cron.
logging:
  # Currently supported formats are "default" and "json".
  format: default

# Obfuscate parts of the full domain name.
# Available values for maskSubdomains are:
# - releaseName (scrambles release name subdomain, e.g., xxx.project.silta.tld)
# - projectName (scrambles project name subdomain, e.g., release.yyy.silta.tld)
# - both (obfuscates both, e.g., zzz.silta.tld)
# maskSubdomains: both