
#############################################
 #####
#     # #####  ##### # #    # # ###### ######
#     # #    #   #   # ##  ## #     #  #
#     # #    #   #   # # ## # #    #   #####
#     # #####    #   # #    # #   #    #
#     # #        #   # #    # #  #     #
 #####  #        #   # #    # # ###### ######
#############################################
## @section Optimize Parameters
# Optimize configuration for the Optimize sub chart.
optimize:
  ## @param optimize.enabled if true, the Optimize deployment and its related resources are deployed via a helm release
  enabled: true
  
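  # Listener ports and keystore path for the Optimize container.
  # NOTE(review): these keys follow the layout of Optimize's own configuration
  # (container.ports / container.keystore). Whether a chart template reads them
  # is not visible in this file; the same settings are also passed through
  # optimize.env. Confirm against the templates.
  container:
    ports:
      # No plain-HTTP port is given; the empty value is written as an explicit
      # null so it cannot be mistaken for a forgotten setting.
      http: null
      https: 8443
    keystore:
      # NOTE(review): this points at truststore.jks, while server.ssl.key-store
      # in optimize.env points at keystore.jks. A trust store built only from
      # CA certificates holds no private key - confirm which file is intended.
      location: "/optimize/var/run/secrets/java.io/keystores/truststore.jks"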

  ## @extra optimize.image configuration to configure the Optimize image specifics
  # https://hub.docker.com/r/camunda/optimize/tags
  image:
    ## @param optimize.image.registry can be used to set container image registry
    # The image is pulled through an internal registry path (presumably a
    # mirror of Docker Hub, judging by the "/dockerhub" suffix - confirm).
    registry: "i-ckdregistry.pro.be.xpi.net.intra/dockerhub"
    ## @param optimize.image.repository defines which image repository to use
    repository: camunda/optimize
    # NOTE(review): a tag can be re-pointed in the registry; pinning the image
    # by digest would make the deployed content immutable. Whether this chart
    # exposes a digest field is not visible here.
    ## @param optimize.image.tag can be set to overwrite the global tag, which should be used in that chart
    # renovate: datasource=docker depName=camunda/optimize
    tag: 8.4.0
    ## @param optimize.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Empty list: no pull secret is configured in these values.
    pullSecrets: []

  ## @extra optimize.migration configuration for Optimize migration
  migration:
    ## @param optimize.migration.enabled if true, run Optimize migration script as an init container
    enabled: false
    ## @param optimize.migration.env can be used to set environment variables for Optimize migration init container
    env: []

  ## @param optimize.sidecars can be used to attach extra containers to the optimize deployment
  sidecars: []

  # contextPath: "/optimize"
  ## @param optimize.contextPath can be used to make the Optimize web application work on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/optimize"

  ## @param optimize.podAnnotations can be used to define extra Optimize pod annotations
  podAnnotations: {}
  ## @param optimize.podLabels can be used to define extra Optimize pod labels
  podLabels: {}

  ## @param optimize.partitionCount defines how many Zeebe partitions are set up in the cluster and which should be imported by Optimize
  partitionCount: "3"
  ## @param optimize.env can be used to set extra environment variables in each Optimize container
  # TLS is switched on for the web server (port 8443) and the management
  # server (port 9443); key and trust stores are read from the keystore volume
  # that the init containers fill.
  # NOTE(review): every store password below is the literal "changeit", kept in
  # plain text in this values file and therefore readable in the rendered pod
  # spec. The trust store holds only certificates, but keystore.jks is built by
  # the pem-to-keystore init container from the service's TLS private key, so
  # its password should come from a Secret rather than from this file. Whether
  # the chart passes valueFrom entries through unchanged is not visible here.
  # NOTE(review): the same settings are repeated as environment variables and
  # as -D options in OPTIMIZE_JAVA_OPTS and JDK_JAVA_OPTIONS; which source wins
  # is not visible here, so keep the copies in sync when changing a value.
  env: 
    #- name: keyfile
    #  value: /var/run/secrets/openshift.io/services_serving_certs/tls.key
    #- name: crtfile
    #  value: /var/run/secrets/openshift.io/services_serving_certs/tls.crt
    #- name: keystore_pkcs12
    #  value: /var/run/secrets/java.io/keystores/keystore.pkcs12
    #- name: keystore_jks
    #  value: /var/run/secrets/java.io/keystores/keystore.jks
    #- name: password
    #  value: changeit
    - name: "CAMUNDA_OPTIMIZE_CONTAINER_PORTS_HTTPS"
      value: "8443"
    - name: "MANAGEMENT_SERVER_PORT"
      value: "9443"
    # NOTE(review): the container keystore location is set to truststore.jks,
    # not keystore.jks - confirm this is intended.
    - name: CONTAINER_KEYSTORE_LOCATION
      value: "/optimize/var/run/secrets/java.io/keystores/truststore.jks"
    # Plain-text password, see the note at the top of this list.
    - name: CONTAINER_KEYSTORE_PASSWORD
      value: "changeit"
    #- name: CAMUNDA_OPTIMIZE_CONTAINER_PORTS_HTTP
    #  value: "8080"
    - name: server.ssl.enabled
      value: "true"
    - name: "server.ssl.trust-store"
      value: "/optimize/var/run/secrets/java.io/keystores/truststore.jks"
    - name: "server.ssl.trust-store-password"
      value: "changeit"
    - name: "server.ssl.trust-store-type"
      value: "JKS"
    - name: "keystore_jks"
      value: "/optimize/var/run/secrets/java.io/keystores/keystore.jks"
    - name: "server.ssl.key-store"
      value: "/optimize/var/run/secrets/java.io/keystores/keystore.jks"
    # Protects the store that contains the TLS private key; plain text here.
    - name: "server.ssl.key-store-password"
      value: "changeit"
    # Heap is fixed at 1024m and metaspace at 256m.
    - name: OPTIMIZE_JAVA_OPTS
      value: "-Dserver.ssl.enabled=true  -Dserver.port=8443 -Dmanagement.server.port=9443 -Xms1024m -Xmx1024m -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=256m"
    # NOTE(review): the trust store password is passed as a -D option, so it is
    # part of the JVM command line as well as of the pod spec.
    - name: "JDK_JAVA_OPTIONS"
      value: "-Dserver.ssl.enabled=true  -Dserver.port=8443 -Dmanagement.server.port=9443 -Djavax.net.ssl.trustStore=/optimize/var/run/secrets/java.io/keystores/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
    # Environment-specific public URL; has to match the route of the target cluster.
    - name: "CAMUNDA_OPTIMIZE_IDENTITY_BASE_URL"
      value: "https://camunda-platform-optimize-public-x0.apps.ckd.int.be.xpi.net.intra/optimize"
  ## @param optimize.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param optimize.extraVolumes can be used to define extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumes: 
    # Scratch volume shared by the init containers (which write the keystores)
    # and the Optimize container (which reads them).
    # NOTE(review): the generated keystore contains the TLS private key; an
    # emptyDir with "medium: Memory" would keep it off the node's disk.
    - name: keystore-volume
      emptyDir: {}
    # Serving certificate and key; the secret name matches the
    # serving-cert-secret-name annotation under optimize.service.
    - name: service-camunda-optimize-certs
      secret:
          secretName: "service-camunda-optimize-certs"
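  ## @param optimize.extraVolumeMounts can be used to mount extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumeMounts:
    # Keystores generated by the init containers; the application only reads them.
    - name: keystore-volume
      mountPath: /optimize/var/run/secrets/java.io/keystores
      readOnly: true
    # Serving certificate and private key. Nothing needs to write to a secret
    # volume, so the mount is declared read-only.
    # NOTE(review): the server settings in optimize.env reference keystore.jks,
    # not the PEM files; if the application container never reads tls.key
    # directly, this mount can be dropped from it - confirm.
    - name: service-camunda-optimize-certs
      mountPath: /optimize/var/run/secrets/openshift.io/services_serving_certs
      readOnly: true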
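  ## @param optimize.initContainers can be used to set up extra init containers for the optimize pods, useful for additional exporters
  # Two init containers prepare the Java keystores in the shared
  # keystore-volume before Optimize starts:
  #   pem-to-truststore  copies the JDK cacerts and adds the service CA bundle
  #   pem-to-keystore    converts the serving certificate and key to PKCS#12 and JKS
  # NOTE(review): both images use the tag "11", which can be re-pointed in the
  # registry; pinning by digest would make the init images immutable.
  # NOTE(review): the store password is the literal "changeit" and is expanded
  # onto the keytool/openssl command lines. The first script also uses it as
  # -srcstorepass for the JDK cacerts, so source and destination passwords have
  # to be split into separate variables before the generated stores can take
  # their password from a Secret.
  initContainers:
    - name: pem-to-truststore
      image: i-ckdregistry.pro.be.xpi.net.intra/baseimages/copenjdk11:11
      env:
        - name: ca_bundle
          value: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
        - name: truststore_jks
          value: /optimize/var/run/secrets/java.io/keystores/truststore.jks
        - name: password
          value: changeit
      command: ['/bin/bash']
      # NOTE(review): a shell for loop returns the status of its last command,
      # so a failed import of an earlier certificate does not fail the container.
      args: ['-c', "cd /tmp && keytool -importkeystore -srckeystore $JAVA_HOME/lib/security/cacerts -srcstoretype JKS -destkeystore $truststore_jks -storepass $password -srcstorepass $password && csplit -z -f crt- $ca_bundle '/-----BEGIN CERTIFICATE-----/' '{*}' && for file in crt-*; do keytool -import -noprompt -keystore $truststore_jks -file $file -storepass $password -alias service-$file; done"]
      # Same restrictions as pem-to-keystore, which runs the same image. The
      # root filesystem stays writable because the script works in /tmp.
      securityContext:
        privileged: false
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      volumeMounts:
        - name: keystore-volume
          mountPath: /optimize/var/run/secrets/java.io/keystores
    - name: pem-to-keystore
      image: i-ckdregistry.pro.be.xpi.net.intra/baseimages/copenjdk11:11
      #image: i-ckdregistry.pro.be.xpi.net.intra/cb-consorsbank/copenjdk11:11-cubi7_7
      imagePullPolicy: "Always"
      env:
        - name: keyfile
          value: /optimize/var/run/secrets/openshift.io/services_serving_certs/tls.key
        - name: crtfile
          value: /optimize/var/run/secrets/openshift.io/services_serving_certs/tls.crt
        - name: keystore_pkcs12
          value: /optimize/var/run/secrets/java.io/keystores/keystore.pkcs12
        - name: keystore_jks
          value: /optimize/var/run/secrets/java.io/keystores/keystore.jks
        - name: password
          value: changeit
      command: ['/bin/bash']
      # NOTE(review): keystore.pkcs12 holds the private key and is left in the
      # shared volume with mode 644. No active setting in this file references
      # it after the conversion; if nothing reads it, delete it at the end of
      # the script or restrict its mode - confirm before changing.
      args: ['-c', "openssl pkcs12 -export -inkey $keyfile -in $crtfile -out $keystore_pkcs12 -password pass:$password && keytool -importkeystore -noprompt -srckeystore $keystore_pkcs12 -srcstoretype pkcs12 -destkeystore $keystore_jks -storepass $password -srcstorepass $password && chmod 644 /optimize/var/run/secrets/java.io/keystores/keystore.pkcs12"]
      securityContext:
        privileged: false
        readOnlyRootFilesystem: false
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      volumeMounts:
        - name: "keystore-volume"
          mountPath: /optimize/var/run/secrets/java.io/keystores
        # The script only reads tls.key and tls.crt from this mount.
        - name: "service-camunda-optimize-certs"
          mountPath: /optimize/var/run/secrets/openshift.io/services_serving_certs
          readOnly: true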
  ## @extra optimize.serviceAccount configuration for the service account where the Optimize pods are assigned to
  # NOTE(review): the pem-to-truststore init container reads service-ca.crt
  # from /var/run/secrets/kubernetes.io/serviceaccount, so the service account
  # volume has to stay mounted in the pod. Keep that in mind before disabling
  # token automounting for this account.
  serviceAccount:
    ## @param optimize.serviceAccount.enabled if true, enables the Optimize service account
    enabled: true
    ## @param optimize.serviceAccount.name can be used to set the name of the Optimize service account
    # Empty string: no explicit name is chosen in these values.
    name: ""
    ## @param optimize.serviceAccount.annotations can be used to set the annotations of the Optimize service account
    annotations: {}

  ## @extra optimize.service configuration to configure the Optimize service.
  service:
    ## @param optimize.service.annotations can be used to define annotations, which will be applied to the Optimize service
    # Names the secret that receives the service serving certificate; the same
    # secret is mounted through optimize.extraVolumes.
    # NOTE(review): this is the "alpha" form of the annotation; newer OpenShift
    # releases document service.beta.openshift.io/serving-cert-secret-name.
    # Check which form the target cluster version expects before switching.
    annotations: 
        service.alpha.openshift.io/serving-cert-secret-name: "service-camunda-optimize-certs"
    ## @param optimize.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param optimize.service.port defines the port of the service, where the Optimize web application will be available
    # Matches the HTTPS server port set in optimize.env.
    port: 8443
    ## @param optimize.service.managementPort defines the port where actuator will be available. Also required to reach backup API
    # NOTE(review): actuator and the backup API are reachable on this port by
    # anything that can reach the service; restricting it (for example with a
    # NetworkPolicy) is not part of this file - confirm it is handled elsewhere.
    managementPort: 9443

  ## @extra optimize.podSecurityContext defines the security options the Optimize pod should be run with
  podSecurityContext:
    ## @param optimize.podSecurityContext.runAsNonRoot
    # Containers of the pod are refused if they would run as UID 0.
    runAsNonRoot: true
    ## @param optimize.podSecurityContext.fsGroup
    # Left unset in these values.
    # NOTE(review): presumably so that the platform assigns the group - confirm.
    fsGroup: null

  ## @extra optimize.containerSecurityContext defines the security options the Optimize container should be run with
  # NOTE(review): no capabilities or seccompProfile are set here. Dropping all
  # capabilities and using the RuntimeDefault seccomp profile would tighten the
  # container further, provided the chart passes this map through unchanged -
  # confirm against the templates.
  containerSecurityContext:
    ## @param optimize.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param optimize.containerSecurityContext.privileged
    privileged: false
    ## @param optimize.containerSecurityContext.readOnlyRootFilesystem
    # NOTE(review): the root filesystem is writable. Switching this to true
    # needs writable volumes for every path the application writes to, which
    # is not visible here.
    readOnlyRootFilesystem: false
    ## @param optimize.containerSecurityContext.runAsUser
    # Left unset in these values.
    runAsUser: null

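  ## @extra optimize.startupProbe configuration
  # NOTE(review): the probe is disabled, so startup is not gated on it.
  startupProbe:
    ## @param optimize.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param optimize.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    # HTTPS, like the readiness and liveness probes: optimize.env enables TLS
    # on the server, so a plain-HTTP probe would fail once the probe is enabled.
    scheme: HTTPS
    ## @param optimize.startupProbe.probePath defines the startup probe route used on the app
    probePath: /api/readyz
    ## @param optimize.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1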

  ## @extra optimize.readinessProbe configuration
  # NOTE(review): the probe is disabled, so the pod is considered ready without
  # this check.
  readinessProbe:
    ## @param optimize.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: false
    ## @param optimize.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    # HTTPS because optimize.env enables TLS on the server.
    scheme: HTTPS
    ## @param optimize.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /api/readyz
    ## @param optimize.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra optimize.livenessProbe configuration
  # NOTE(review): the probe is disabled, so a hung container is not restarted
  # by this check.
  livenessProbe:
    ## @param optimize.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param optimize.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    # HTTPS because optimize.env enables TLS on the server.
    scheme: HTTPS
    ## @param optimize.livenessProbe.probePath defines the liveness probe route used on the app
    # Same route as the readiness probe.
    probePath: /api/readyz
    ## @param optimize.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param optimize.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param optimize.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param optimize.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param optimize.nodeSelector can be used to define on which nodes the Optimize pods should run
  nodeSelector: {}
  ## @param optimize.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param optimize.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra optimize.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param optimize.resources.requests.cpu
  ## @param optimize.resources.requests.memory
  ## @param optimize.resources.limits.cpu
  ## @param optimize.resources.limits.memory
  # NOTE(review): OPTIMIZE_JAVA_OPTS in optimize.env fixes the heap at 1024m
  # and metaspace at 256m, so the JVM alone can exceed the 1Gi memory request;
  # the 2Gi limit leaves room for it. Keep the two settings aligned.
  resources:
    requests:
      cpu: 600m
      memory: 1Gi
    limits:
      cpu: 2000m
      memory: 2Gi

  # Ingress for the Optimize web application; disabled in these values.
  # NOTE(review): if it is enabled as written, TLS is off and ssl-redirect is
  # "false", so clients would reach the ingress over plain HTTP. The backend
  # serves HTTPS on 8443 (see optimize.env), which an nginx ingress normally
  # has to be told through a backend-protocol annotation - confirm both before
  # enabling.
  ingress:
    ## @param optimize.ingress.enabled if true, an ingress resource is deployed with the Optimize deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param optimize.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param optimize.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip optimize.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param optimize.ingress.path defines the path which is associated with the Optimize service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param optimize.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified, the rule applies to all inbound HTTP traffic; if specified, the rule applies to that host only.
    host: ""
    ## @extra optimize.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param optimize.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled, optimize.ingress.host needs to be defined.
      enabled: false
      ## @param optimize.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-optimize

 ## PostgreSQL chart configuration
postgresql:
   ## @param postgresql.enabled Enable PostgreSQL Helm chart. Required for Multi-Tenancy.
   ##
   # NOTE(review): only "enabled" is set in this part of the file; credentials,
   # persistence and network exposure come from values not visible here.
   # Confirm the database password is supplied from a Secret and not from a
   # chart default.
   enabled: true
   
