# Default values for Camunda Helm chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# The values file follows helm best practices https://helm.sh/docs/chart_best_practices/values/
#
# This means:
#   * Variable names should begin with a lowercase letter, and words should be separated with camelcase.
#   * Every defined property in values.yaml should be documented. The documentation string should begin with the name of the property that it describes, and then give at least a one-sentence description
#
# Furthermore, we try to apply the following pattern: # [VarName] [conjunction] [definition]
#
# VarName:
#
#  * In the documentation, the variable name starts with a capital letter, similar to the Kubernetes resource documentation.
#  * If the variable is part of a subsection/object, we use a JSON path expression (to make it clearer where the variable belongs).
#    The root (chart name) is omitted (e.g. zeebe). This is useful for using --set in helm.
#
# Conjunction:
#   * [defines] for mandatory configuration
#   * [can be used] for optional configuration
#   * [if true] for toggles
#   * [configuration] for section/group of variables


##########################################
 #####
#     # #       ####  #####    ##   #
#       #      #    # #    #  #  #  #
#  #### #      #    # #####  #    # #
#     # #      #    # #    # ###### #
#     # #      #    # #    # #    # #
 #####  ######  ####  #####  #    # ######
##########################################

# Global configuration for variables which can be accessed by all sub charts
## @section Global parameters
## @extra global
global:
  ## Secrets configuration.
  ## @extra global.secrets configuration for auto-generated secrets which is only used during the installation.
  secrets:
    ## @param global.secrets.autoGenerated if true, a secret object will be generated with auto-generated passwords. This secret object is NOT managed with corresponding releases and is NOT part of Helm deployment/upgrade! It's generated once, and if it's deleted, you will lose the secrets.
    autoGenerated: false
    ## @param global.secrets.name defines the name of the secret object that has the auto-generated passwords.
    name: "camunda-credentials-autogen"
    ## @param global.secrets.annotations [object] defines the secret object annotations that utilize Helm hooks to keep that object out of the Helm deployment.
    # 'pre-install' makes the secret a Helm hook resource and 'keep' tells Helm not to
    # delete it, so the object stays in the namespace after an uninstall. Cleanup and
    # rotation of these credentials are therefore manual steps.
    annotations:
      helm.sh/hook: 'pre-install'
      helm.sh/resource-policy: 'keep'

  ## License configuration.
  ## @extra global.license
  license:
    ## @param global.license.key if set, it will be exposed as "CAMUNDA_LICENSE_KEY" in the apps.
    # NOTE(review): a key written here sits in plain text in this values file (and in
    # whatever stores it); existingSecret/existingSecretKey below reference a Secret
    # object instead.
    key:
    ## @param global.license.existingSecret you can provide an existing secret name for Camunda license secret.
    existingSecret:
    ## @param global.license.existingSecretKey you can provide the key within the existing secret object for Camunda license key.
    existingSecretKey:

  ## @extra global.compatibility Compatibility adaptations for Kubernetes platforms
  compatibility:
    ## Compatibility adaptations for OpenShift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      # With 'disabled' the securityContext sections are left as the chart defines them.
      adaptSecurityContext: disabled

  ## @extra global.config Config used in various places.
  config:
    ## @param global.config.requestBodySize defines the applications' request body size, which is used for file uploads.
    # Keep in step with the proxy-body-size annotation under global.ingress.annotations.
    requestBodySize: 10MB

  ## Multitenancy configuration.
  ## @extra global.multitenancy
  multitenancy:
    ## @param global.multitenancy.enabled if true, then enable multitenancy in all applicable components.
    enabled: false

  ## @param global.createReleaseInfo Create config that will be used in Camunda Console.
  createReleaseInfo: true

  ## @skip global.testDeprecationFlags
  testDeprecationFlags:
    ## @skip global.testDeprecationFlags.existingSecretsMustBeSet give error or warning when existingSecret is not set
    # NOTE(review): with "warning", a component whose existingSecret is left empty is
    # reported but not rejected; the description implies "error" is the stricter
    # setting — confirm against the chart templates.
    existingSecretsMustBeSet: "warning"

  ## @param global.annotations Annotations can be used to define common annotations, which should be applied to all deployments
  annotations: {}
  labels:
    ## @param global.labels.app Name of the application
    app: camunda-platform
  # Image configuration to be used in each sub chart
  # https://hub.docker.com/u/camunda
  image:
    ## @param global.image.registry Can be used to set container image registry.
    # NOTE(review): images are pulled from this registry path instead of the Docker Hub
    # location linked above; presumably an internal mirror. Whatever it serves under a
    # given repository/tag is what runs, so confirm how the mirror is populated.
    registry: repo.gbpiweb.loc/public-images
    ## @param global.image.tag defines the tag / version which should be used in the most of the apps.
    tag:
    ## @param global.image.pullPolicy defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
    # IfNotPresent: a node that already holds an image under a tag does not pull it
    # again, so a tag that is re-pushed in the registry is not picked up on that node.
    pullPolicy: IfNotPresent
    ## @param global.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # The referenced Secret has to exist in the namespace the release is installed into.
    pullSecrets:
      - name: repo-gbpiweb-loc
  ## Ingress configuration to configure the ingress resource
  ## @extra global.ingress
  ingress:
    ## @param global.ingress.enabled if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX.
    # NOTE(review): disabled here, while `host` below and the URLs under
    # global.identity.auth use the same hostname; presumably the host is exposed by a
    # separately managed ingress — confirm.
    enabled: false
    ## @param global.ingress.className Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param global.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      # NOTE(review): ssl-redirect 'false' turns off the controller's HTTP-to-HTTPS
      # redirect. Together with tls.enabled: false below, requests to this host
      # (login flows included) are served over plain HTTP.
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
      # The proxy-body-size should be the same size as global.config.requestBodySize.
      nginx.ingress.kubernetes.io/proxy-body-size: "10m"
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## @param global.ingress.host If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: "camunda-tst.api.desenv.gbpiweb.loc"
    ## @param global.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @extra global.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param global.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param global.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      # NOTE(review): "mycert" looks like a placeholder; when TLS is switched on, point
      # this at the Secret that actually holds the certificate for `host`.
      secretName: "mycert"

  # Elasticsearch configuration which is shared between the sub charts
  ## @extra global.elasticsearch
  ## @param global.elasticsearch.enabled if true, enables elasticsearch for all components
  ## @param global.elasticsearch.external if true, tries to connect to an external elasticsearch
  ## @extra global.elasticsearch.tls
  ## @param global.elasticsearch.tls.enabled enable tls for external elasticsearch
  ## @param global.elasticsearch.tls.existingSecret provide an already existing tls secret for connecting to external elasticsearch
  ## @extra global.elasticsearch.auth
  ## @param global.elasticsearch.auth.username the username for external elasticsearch
  ## @param global.elasticsearch.auth.password the password for external elasticsearch
  ## @param global.elasticsearch.auth.existingSecret you can provide an existing secret for the external elasticsearch password
  ## @param global.elasticsearch.auth.existingSecretKey you can provide an existing secret key for the external elasticsearch password
  elasticsearch:
    enabled: true
    external: false
    tls:
      enabled: false
      existingSecret:
    # NOTE(review): a password written under auth.password is stored in plain text in
    # this values file; existingSecret/existingSecretKey reference a Secret object
    # instead. Both are empty here, and the descriptions above tie them to an
    # external Elasticsearch (external is false).
    auth:
      username:
      password:
      existingSecret:
      existingSecretKey: "password"
    ## @param global.elasticsearch.disableExporter DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled
    disableExporter: false
    ## @extra global.elasticsearch.url Configuration to configure elasticsearch url
    ## @param global.elasticsearch.url.protocol defines the elasticsearch access protocol.
    ## @param global.elasticsearch.url.host Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace
    ## @param global.elasticsearch.url.port Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed
    # NOTE(review): protocol http with tls.enabled false and no auth means components
    # talk to Elasticsearch unencrypted and unauthenticated. The host is the in-release
    # service name, so reachability of port 9200 is what limits access — confirm that
    # it is restricted (for example by a NetworkPolicy).
    url:
      protocol: http
      host: "{{ .Release.Name }}-elasticsearch"
      port: 9200
    ## @param global.elasticsearch.clusterName Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch
    clusterName: "elasticsearch"
    ## @param global.elasticsearch.prefix Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes
    prefix: zeebe-record
  # Opensearch configuration which is shared between the sub charts
  ## @extra global.opensearch
  ## @param global.opensearch.enabled enabled external opensearch
  ## @param global.opensearch.aws.enabled Enabling AWS IRSA
  ## @extra global.opensearch.tls
  ## @param global.opensearch.tls.enabled enable tls for external opensearch
  ## @param global.opensearch.tls.existingSecret provide an already existing tls secret for connecting to external opensearch
  ## @extra global.opensearch.auth
  ## @param global.opensearch.auth.username the username for external opensearch
  ## @param global.opensearch.auth.password the password for external opensearch
  ## @param global.opensearch.auth.existingSecret you can provide an existing secret for the external opensearch password
  ## @param global.opensearch.auth.existingSecretKey you can provide an existing secret key for the external opensearch password
  # OpenSearch is disabled in this file; the values below only matter once
  # global.opensearch.enabled is switched to true.
  opensearch:
    enabled: false
    aws:
      enabled: false
    tls:
      enabled: false
      existingSecret:
    # NOTE(review): as with Elasticsearch, a password set inline is stored in plain
    # text in the values file; existingSecret/existingSecretKey reference a Secret.
    auth:
      username:
      password:
      existingSecret:
      existingSecretKey: "password"
    ## @extra global.opensearch.url Configuration to configure opensearch url
    ## @param global.opensearch.url.protocol defines the external opensearch access protocol
    ## @param global.opensearch.url.host defines the external opensearch host, ideally the service name inside the namespace
    ## @param global.opensearch.url.port defines the external opensearch port, under which opensearch can be accessed
    url:
      protocol: https
      host:
      port: 443
  ## @param global.zeebeClusterName ZeebeClusterName defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name.
  # The value is a template string; it is quoted so YAML reads it as a plain string
  # and leaves the {{ ... }} expression for the chart to render.
  zeebeClusterName: "{{ .Release.Name }}-zeebe"

  # Identity configuration to configure identity specifics on global level, which can be accessed by other sub-charts
  identity:
    service:
      ## @param global.identity.service.url
      url:
    keycloak:
      # global.identity.keycloak.internal if true, it will configure an extra service with type "ExternalName".
      ## @param global.identity.keycloak.internal It's useful for using an existing Keycloak in another namespace and accessing it through the combined Ingress.
      internal: false
      ## @param global.identity.keycloak.url can be used in combination with "identityKeycloak.enabled: false" to use your own Keycloak instead of the one that comes with the Camunda Helm chart.
      url: {}
        # Example to produce the following URL "https://keycloak.prod.svc.cluster.local:8443":
        # url:
        #   protocol: "https"
        #   host: "keycloak.prod.svc.cluster.local"
        #   port: "8443"
      #  defines the endpoint of Keycloak which varies between Keycloak versions.
      ## @param global.identity.keycloak.contextPath In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'.
      contextPath: "/auth"
      ## @param global.identity.keycloak.realm defines Keycloak realm path used for Camunda.
      realm: "/realms/camunda-platform"
      ## @param global.identity.keycloak.auth same as "identityKeycloak.auth" but it's used for existing Keycloak.
      # The commented keys below take the admin password from an existing Secret object
      # (existingSecret/existingSecretKey); no inline password field is listed here.
      auth: {}
        # identity.keycloak.auth.adminUser can be used to configure admin user to access existing Keycloak.
        # adminUser: ""
        # identity.keycloak.auth.existingSecret can be used to configure existing Secret object which has admin password
        # to access existing Keycloak.
        # existingSecret: ""
        # identity.keycloak.auth.existingSecretKey can be used to configure the key inside existing Secret object
        # which has admin password to access existing Keycloak.
        # existingSecretKey: "admin-password"

    ## @extra global.identity.auth configuration, to configure identity authentication setup
    auth:
      ## @param global.identity.auth.enabled if true, enables the identity authentication otherwise basic-auth will be used on all services.
      enabled: true

      ## @param global.identity.auth.issuer defines the issuer name, which is used by the services to validate the JWT tokens.
      issuer: ""
      ## @param global.identity.auth.issuerBackendUrl defines the issuer backend URL, which is used by the services to validate the JWT tokens in a container to container context.
      issuerBackendUrl: ""
      ## @param global.identity.auth.tokenUrl defines the token URL, which is used by the services to request JWT tokens.
      tokenUrl: ""
      ## @param global.identity.auth.jwksUrl defines the JWKS URL, which is used by the services to validate the JWT tokens.
      jwksUrl: ""
      ## @param global.identity.auth.type defines the type of authentication which should be used. Defaults to Keycloak
      type: "KEYCLOAK"

      #  defines the token issuer (Keycloak) URL, where the services can request JWT tokens.
      # Should be publicly accessible, per default we assume a port-forward to Keycloak (18080) is created before login.
      ## @param global.identity.auth.publicIssuerUrl Can be overwritten if ingress is in use and an external IP is available.
      # NOTE(review): the value below overrides the port-forward default and uses the
      # global.ingress.host name with the http scheme, so logins and the tokens issued
      # at this URL cross the network unencrypted. Move it to https once TLS is
      # available on that host; services presumably compare this URL with the token
      # issuer, so scheme and host have to change everywhere together — confirm.
      publicIssuerUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/auth/realms/camunda-platform"

      ## @extra global.identity.auth.connectors configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts
      connectors:
        ## @param global.identity.auth.connectors.clientId defines the client id, which is used by Connectors in authentication flows.
        clientId: connectors
        ## @param global.identity.auth.connectors.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # Empty here, so per the description above a random client secret is generated.
        existingSecret:
        ## @param global.identity.auth.connectors.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: connectors-secret

      ## @extra global.identity.auth.identity configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts
      identity:
        ## @param global.identity.auth.identity.clientId defines the client id, which is used by Identity in authentication flows.
        clientId: camunda-identity
        ## @param global.identity.auth.identity.audience defines the audience, which is used by Identity.
        audience: camunda-identity-resource-server
        ## @param global.identity.auth.identity.existingSecret can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated.
        existingSecret:
        ## @param global.identity.auth.identity.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: identity-secret
        ## @param global.identity.auth.identity.redirectUrl defines the redirect URL, which is used by the auth platform to access Identity.
        # Should be publicly accessible, the default value works if a port-forward to Identity is created to 8085.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): this is still the localhost port-forward default, while the
        # other components' redirectUrl values in this file use the
        # camunda-tst.api.desenv.gbpiweb.loc host — confirm this is intended.
        redirectUrl: "http://localhost:8085"
        ## @param global.identity.auth.identity.initialClaimName defines the initial claim name, which is used by Identity to configure initial mapping rules,
        # defaults to "oid".
        initialClaimName: "oid"
        ## @param global.identity.auth.identity.initialClaimValue defines the initial claim value, which is used by Identity to configure initial mapping rules.
        initialClaimValue:

      ## @extra global.identity.auth.operate configuration to configure Operate authentication specifics on global level, which can be accessed by other sub-charts
      operate:
        ## @param global.identity.auth.operate.clientId defines the client id, which is used by Operate in authentication flows.
        clientId: operate
        ## @param global.identity.auth.operate.audience defines the audience, which is used by Operate.
        audience: operate-api
        ## @param global.identity.auth.operate.existingSecret can be used to reference an existing secret. If not set, a random secret is generated.
        existingSecret:
        ## @param global.identity.auth.operate.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: operate-secret
        ## @param global.identity.auth.operate.redirectUrl defines the redirect URL, which is used by Keycloak to access Operate.
        # Should be publicly accessible, the default value works if a port-forward to Operate is created to 8081.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): overridden with the ingress host over plain http; the login
        # redirect back to Operate is unencrypted until this becomes https.
        redirectUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/operate"

      ## @extra global.identity.auth.tasklist configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts
      tasklist:
        ## @param global.identity.auth.tasklist.clientId defines the client id, which is used by Tasklist in authentication flows.
        clientId: tasklist
        ## @param global.identity.auth.tasklist.audience defines the audience, which is used by Tasklist.
        audience: tasklist-api
        ## @param global.identity.auth.tasklist.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        existingSecret:
        ## @param global.identity.auth.tasklist.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: tasklist-secret
        ## @param global.identity.auth.tasklist.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.
        # Should be publicly accessible, the default value works if a port-forward to Tasklist is created to 8082.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): overridden with the ingress host over plain http; the login
        # redirect back to Tasklist is unencrypted until this becomes https.
        redirectUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/tasklist"

      ## @extra global.identity.auth.optimize configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts
      optimize:
        ## @param global.identity.auth.optimize.clientId defines the client id, which is used by Optimize in authentication flows.
        clientId: optimize
        ## @param global.identity.auth.optimize.audience defines the audience, which is used by Optimize.
        audience: optimize-api
        ## @param global.identity.auth.optimize.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        existingSecret:
        ## @param global.identity.auth.optimize.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: optimize-secret
        ## @param global.identity.auth.optimize.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Optimize.
        # Should be publicly accessible, the default value works if a port-forward to Optimize is created to 8083.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): overridden with the ingress host over plain http; the login
        # redirect back to Optimize is unencrypted until this becomes https.
        redirectUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/optimize"

      ## @extra global.identity.auth.webModeler configuration to configure WebModeler authentication specifics on global level, which can be accessed by other sub-charts
      webModeler:
        ## @param global.identity.auth.webModeler.clientId defines the client id, which is used by WebModeler in authentication flows.
        clientId: web-modeler
        ## @param global.identity.auth.webModeler.clientApiAudience defines the audience which is used by WebModeler's client API.
        clientApiAudience: web-modeler-api
        ## @param global.identity.auth.webModeler.publicApiAudience defines the audience which is used by WebModeler's public API.
        publicApiAudience: web-modeler-public-api
        ## @param global.identity.auth.webModeler.redirectUrl defines the root URL which is used by Keycloak to access WebModeler.
        # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8084.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): overridden with the ingress host over plain http; the login
        # redirect back to WebModeler is unencrypted until this becomes https.
        redirectUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/modeler"

      ## @extra global.identity.auth.console configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
      console:
        ## @param global.identity.auth.console.clientId defines the client id, which is used by Console in authentication flows.
        clientId: console
        ## @param global.identity.auth.console.audience defines the audience which is used by Console's client API.
        audience: console-api
        ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
        # NOTE(review): "https://well-known-uri" looks like a placeholder rather than a
        # resolvable address — confirm whether Console reads it in this setup.
        wellKnown: https://well-known-uri
        ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        existingSecret:
        ## @param global.identity.auth.console.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: console-secret
        ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access Console.
        # Should be publicly accessible, the default value works if a port-forward to Console is created to 8080.
        # Can be overwritten if ingress is in use and an external IP is available.
        # NOTE(review): overridden with the ingress host over plain http; the login
        # redirect back to Console is unencrypted until this becomes https.
        redirectUrl: "http://camunda-tst.api.desenv.gbpiweb.loc/console"

      ## @extra global.identity.auth.zeebe configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts
      zeebe:
        ## @param global.identity.auth.zeebe.clientId defines the client id, which is used by Zeebe in authentication flows.
        clientId: zeebe
        ## @param global.identity.auth.zeebe.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # Empty here, so per the description above a random client secret is generated.
        existingSecret:
        ## @param global.identity.auth.zeebe.existingSecretKey defines the key within the existing secret object.
        existingSecretKey: zeebe-secret
        ## @param global.identity.auth.zeebe.audience defines the audience, which is used by Zeebe.
        audience: zeebe-api
        ## @param global.identity.auth.zeebe.tokenScope defines the token scope, which is used by Zeebe.
        tokenScope:

  # Multiregion options for Zeebe
  #
  ## WARNING: Customers must develop and test the operational procedure described below in non-production environments based on the framework steps
  # outlined by Camunda before applying them in production setups.
  # Before advancing to production go-live, validating these procedures with Camunda is strongly recommended.
  # Customers are solely responsible for detecting any regional failures and implementing the necessary operational procedure described.
  #
  # The values below describe a single-region installation (one region, id 0, normal mode).
  multiregion:
    ## @skip global.multiregion.regions number of regions that this Camunda Platform instance is stretched across
    regions: 1
    ## @skip global.multiregion.regionId unique id of the region. MUST start at 0 for the computation to work correctly. With 2 regions, you would have region 0 and 1.
    regionId: 0
    ## @skip global.multiregion.installationType mode of installation for multi-region disaster recovery: normal, failOver, failBack
    installationType: normal

  ## Document Store Configuration
  ## @extra global.documentStore These parameters are used to configure the document storage backend across all Camunda components.
  documentStore:
    ## @param global.documentStore.activeStoreId The default document store to use. Valid values: inmemory, aws, and gcp
    # The value must match one of the values of the storeId for the document store types shown below.
    # NOTE(review): the storeId values below are upper-case ("INMEMORY", "AWS", "GCP")
    # while this value is lower-case — confirm the match is case-insensitive.
    activeStoreId: "inmemory"
    type:
      # Disabled here. When enabled, credentials come from the Secret named in
      # existingSecret, read through the two key names given below; no credential
      # value is written in this file.
      aws:
        ## @param global.documentStore.type.aws.enabled Enable AWS document store configuration.
        enabled: false
        ## @param global.documentStore.type.aws.storeId Custom prefix for AWS. Default will generate env vars containing 'storeId' such as DOCUMENT_STORE_AWS_CLASS.
        storeId: "AWS"
        ## @param global.documentStore.type.aws.region AWS region for the S3 bucket. (example: us-east-1)
        region: ""
        ## @param global.documentStore.type.aws.bucket Name of the AWS S3 bucket.
        bucket: "your-aws-bucket"
        ## @param global.documentStore.type.aws.bucketPath [string, nullable] (Optional) Path/prefix within the S3 bucket.
        # bucketPath: ""
        ## @param global.documentStore.type.aws.bucketTtl [int, nullable] (Optional) Time-to-live for documents in the S3 bucket (number in days).
        # bucketTtl: 0
        ## @param global.documentStore.type.aws.class Fully qualified class name for the AWS document store provider.
        class: "io.camunda.document.store.aws.AwsDocumentStoreProvider"
        ## @param global.documentStore.type.aws.existingSecret Reference to an existing Kubernetes secret containing AWS credentials.
        existingSecret: "aws-credentials"
        ## @param global.documentStore.type.aws.accessKeyIdKey Key within the AWS credentials secret for AWS_ACCESS_KEY_ID.
        accessKeyIdKey: "awsAccessKeyId"
        ## @param global.documentStore.type.aws.secretAccessKeyKey Key within the AWS credentials secret for AWS_SECRET_ACCESS_KEY.
        secretAccessKeyKey: "awsSecretAccessKey"
      # Disabled here. When enabled, the service-account JSON is taken from the Secret
      # named in existingSecret and mounted as a file under mountPath.
      gcp:
        ## @param global.documentStore.type.gcp.enabled Enable GCP document store configuration.
        enabled: false
        ## @param global.documentStore.type.gcp.storeId Custom prefix for GCP. Default will generate env vars containing 'storeId' such as DOCUMENT_STORE_GCP_CLASS.
        storeId: "GCP"
        ## @param global.documentStore.type.gcp.bucket Name of the GCP bucket.
        bucket: "your-gcp-bucket"
        ## @param global.documentStore.type.gcp.class Fully qualified class name for the GCP document store provider.
        class: "io.camunda.document.store.gcp.GcpDocumentStoreProvider"
        ## @param global.documentStore.type.gcp.existingSecret Reference to an existing Kubernetes secret containing GCP credentials.
        existingSecret: "gcp-credentials"
        ## @param global.documentStore.type.gcp.credentialsKey Key in the GCP credentials secret that contains the service-account JSON.
        credentialsKey: "service-account.json"
        ## @param global.documentStore.type.gcp.mountPath Mount path for the GCP credentials secret.
        mountPath: "/var/secrets/gcp"
        ## @param global.documentStore.type.gcp.fileName The file name for the GCP credentials JSON.
        fileName: "service-account.json"
      # The only store enabled in this file, and the one activeStoreId selects.
      # NOTE(review): presumably documents held in memory do not survive a pod
      # restart — confirm before relying on it beyond test environments.
      inmemory:
        ## @param global.documentStore.type.inmemory.enabled Enable in-memory document store configuration.
        enabled: true
        ## @param global.documentStore.type.inmemory.storeId Custom prefix for in-memory. Default will generate env vars containing 'storeId' such as DOCUMENT_STORE_INMEMORY_CLASS.
        storeId: "INMEMORY"
        ## @param global.documentStore.type.inmemory.class Fully qualified class name for the in-memory document store provider.
        class: "io.camunda.document.store.inmemory.InMemoryDocumentStoreProvider"

  ## @param global.extraManifests Array of extra objects to deploy with the release.
  # Each entry is a complete manifest given as a block string (see the example).
  # Entries are deployed together with the release, so review them like any other
  # manifest applied to the cluster.
  # Example:
  # extraManifests:
  #   - |
  #     apiVersion: v1
  #     kind: ConfigMap
  #     metadata:
  #       name: example-cm
  #     data:
  #       test: test
  extraManifests: []

#################################################
 #####
#     #  ####  #    #  ####   ####  #      ######
#       #    # ##   # #      #    # #      #
#       #    # # #  #  ####  #    # #      #####
#       #    # #  # #      # #    # #      #
#     # #    # #   ## #    # #    # #      #
 #####   ####  #    #  ####   ####  ###### ######
#################################################

## @section Console Parameters
## @extra console configuration for the Console.
console:
  ## @param console.enabled if true, the Console deployment and its related resources are deployed via a helm release
  enabled: true

  ## @param console.configuration Configuration passed directly to Console as YAML file. More details on [Console official documentation](https://docs.camunda.io/docs/self-managed/console-deployment/configuration/)
  configuration: ""
  ## @param console.overrideConfiguration When populated, it will override the configuration passed to Console, either auto-generated configuration or passed via `console.configuration`
  overrideConfiguration: ""

  ## console.image configuration to configure the Console image specifics
  # https://hub.docker.com/r/camunda/console/tags
  image:
    ## @param console.image.registry can be used to set container image registry.
    # Same registry path as global.image.registry; the image is pulled from there
    # rather than from the Docker Hub page linked above.
    registry: repo.gbpiweb.loc/public-images
    ## @param console.image.repository defines which image repository to use
    repository: camunda/console
    ## @param console.image.tag can be used to set the Docker image tag for the Console image (overwrites global.image.tag)
    # NOTE(review): pinned to an explicit version tag. A tag can be re-pushed in a
    # registry, so what this resolves to depends on how the mirror above is maintained.
    tag: 8.7.0
    ## @param console.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # The referenced Secret has to exist in the namespace the release is installed into.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param console.sidecars can be used to attach extra containers to the console deployment
  # Empty here. Containers listed here run in the same pod as Console.
  sidecars: []

  ## @param console.replicas Number of Console replicas
  replicas: 1

  ## console.tls Configure the Console TLS options
  tls:
    ## @param console.tls.enabled Enable TLS traffic for console
    # NOTE(review): disabled, so Console itself serves plain HTTP; the ingress TLS
    # settings in this file are disabled as well, leaving no encrypted hop configured
    # here.
    enabled: false
    ## @param console.tls.existingSecret The name of the existing secret that contains the TLS certificates. Each key of the secret corresponds to a certificate filename, and each value of a key corresponds to the content of the certificate file.
    existingSecret: ""
    ## @param console.tls.certKeyFilename Certificate Key filename
    certKeyFilename: ""
  ## console.keycloak configuration to configure Keycloak authentication settings.
  keycloak:
    ## @param console.keycloak.realm Specifies the Keycloak realm used for authentication.
    # Same realm name that appears in global.identity.keycloak.realm
    # ("/realms/camunda-platform"); keep the two in step.
    realm: "camunda-platform"

  ## @param console.contextPath can be used to make Console web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/console"

  ## @param console.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []

  ## @param console.podAnnotations can be used to define extra Console pod annotations
  podAnnotations: {}
  ## @param console.podLabels can be used to define extra Console pod labels
  podLabels: {}

  ## @param console.logging configuration for the Console logging. This template will be directly included in the Operate configuration YAML file
  logging: {}

  ## console.service configuration to configure the Console service.
  service:
    ## @param console.service.annotations can be used to define annotations, which will be applied to the Console service
    annotations: {}
    ## @param console.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param console.service.port defines the port number where the web application will be available
    port: 80
    ## @param console.service.serverName defines the port name where the web application will be available
    serverName: http
    ## @param console.service.managementPort defines the management port used to access metrics and app status
    managementPort: 9100

  ## console.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param console.resources.requests.memory
  ## @param console.resources.limits.cpu
  ## @param console.resources.limits.memory
  ## @param console.resources.requests.cpu
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param console.env can be used to set extra environment variables in each app container
  env: []
  ## @param console.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @param console.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param console.extraVolumes can be used to define extra volumes for the Console pods, useful for TLS and self-signed certificates
  extraVolumes: []
  ## @param console.extraVolumeMounts can be used to mount extra volumes for the Console pods, useful for TLS and self-signed certificates
  extraVolumeMounts: []

  ## console.startupProbe configuration
  startupProbe:
    ## @param console.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param console.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.startupProbe.probePath defines the startup probe route used on the app
    probePath: /health/readiness
    ## @param console.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param console.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param console.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## console.readinessProbe configuration
  readinessProbe:
    ## @param console.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param console.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /health/readiness
    ## @param console.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param console.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param console.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## console.livenessProbe configuration
  livenessProbe:
    ## @param console.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param console.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /health/liveness
    ## @param console.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param console.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param console.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## console.metrics configuration
  metrics:
    ## @param console.metrics.prometheus Prometheus metrics endpoint
    prometheus: /prometheus

  ## console.serviceAccount configuration for the service account where the Console pods are assigned to
  serviceAccount:
    ## @param console.serviceAccount.enabled if true, enables the Console service account
    enabled: true
    ## @param console.serviceAccount.name can be used to set the name of the Console service account
    name: ""
    ## @param console.serviceAccount.annotations can be used to set the annotations of the Console service account
    annotations: {}
    ## @param console.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # Kept false so no Kubernetes API token is mounted by default; turn it on only when
    # something in the pod actually needs to call the API server.
    automountServiceAccountToken: false

  # console.ingress configuration for the dedicated Console ingress resource (deprecated, see
  # the note on console.ingress.enabled).
  ingress:
    ## @param console.ingress.enabled if true, an ingress resource is deployed with the Console deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param console.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    # NOTE(review): ssl-redirect 'false' below turns off ingress-nginx's HTTP-to-HTTPS redirect
    # for this Ingress, and console.ingress.tls.enabled is also false. Enabling the ingress with
    # these defaults would therefore expose Console over plain HTTP; set both deliberately
    # before exposing it outside a trusted network.
    ## @param console.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip console.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip console.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip console.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param console.ingress.path defines the path which is associated with the Console service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param console.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param console.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified, the rule applies to all HTTP traffic; if specified, the rule applies only to that host.
    # An empty host therefore matches every hostname that reaches the controller.
    host: ""
    ## console.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param console.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param console.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-console

  ## @extra console.podSecurityContext defines the security options the Console pod should be run with
  podSecurityContext:
    ## @param console.podSecurityContext.runAsNonRoot run as non root
    runAsNonRoot: true
    ## @param console.podSecurityContext.fsGroup
    # Group ID applied to mounted volumes; matches containerSecurityContext.runAsUser (1001).
    fsGroup: 1001
    ## @extra console.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param console.podSecurityContext.seccompProfile.type
      # RuntimeDefault applies the container runtime's default seccomp filter.
      type: RuntimeDefault

  # ContainerSecurityContext defines the security options the Console container should be run with
  # NOTE(review): this block does not drop any Linux capabilities. The Kubernetes "restricted"
  # Pod Security Standard additionally expects capabilities.drop to include ALL — confirm
  # whether the chart template or a site override adds it.
  containerSecurityContext:
    ## @param console.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param console.containerSecurityContext.privileged
    privileged: false
    ## @param console.containerSecurityContext.readOnlyRootFilesystem
    # With a read-only root filesystem, anything the application writes needs a mounted volume.
    readOnlyRootFilesystem: true
    ## @param console.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param console.containerSecurityContext.runAsUser
    runAsUser: 1001
    ## @extra console.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param console.containerSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @param console.nodeSelector can be used to define on which nodes the Console pods should run
  nodeSelector: {}
  ## @param console.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param console.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  ## @param console.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param console.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

###################################
#######
     #  ###### ###### #####  ######
    #   #      #      #    # #
   #    #####  #####  #####  #####
  #     #      #      #    # #
 #      #      #      #    # #
####### ###### ###### #####  ######
###################################
## @section Zeebe Parameters
## @extra zeebe configuration for the Zeebe sub chart. Contains configuration for the Zeebe broker and related resources.
zeebe:
  ## @param zeebe.enabled if true, all zeebe related resources are deployed via the helm release
  enabled: true

  ## @param zeebe.debug if true, extra info is printed.
  debug: false

  ## @extra zeebe.image configuration to configure the zeebe image specifics
  # NOTE(review): the broker image is selected by tag only (no digest in this section), so its
  # integrity rests on the registry below serving the expected content for that tag — confirm
  # tag immutability or signature checks on the registry/cluster side.
  image:
    ## @param zeebe.image.registry can be used to set container image registry.
    registry: repo.gbpiweb.loc/public-images
    ## @param zeebe.image.repository defines which image repository to use
    repository: camunda/zeebe
    ## @param zeebe.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: 8.7.0
    ## @param zeebe.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Only the Secret name is given here; the Secret itself is not defined in this section.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param zeebe.sidecars can be used to attach extra containers to the zeebe deployment
  sidecars: []

  ## @param zeebe.clusterSize defines the amount of brokers (=replicas), which are deployed via helm
  clusterSize: "3"
  ## @param zeebe.partitionCount defines how many zeebe partitions are set up in the cluster
  partitionCount: "3"
  ## @param zeebe.replicationFactor defines how each partition is replicated, the value defines the number of nodes
  replicationFactor: "3"
  ## @extra zeebe.env can be used to set extra environment variables in each zeebe broker container
  env:
    ## @param zeebe.env[0].name
    ## @param zeebe.env[0].value
    ## @param zeebe.env[1].name
    ## @param zeebe.env[1].value
    ## @param zeebe.env[2].name
    ## @param zeebe.env[2].value
    - name: ZEEBE_BROKER_DATA_SNAPSHOTPERIOD
      value: "5m"
    - name: ZEEBE_BROKER_DATA_DISK_FREESPACE_REPLICATION
      value: "2GB"
    - name: ZEEBE_BROKER_DATA_DISK_FREESPACE_PROCESSING
      value: "3GB"
  ## @param zeebe.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @extra zeebe.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param zeebe.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. see https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    # 0754 = owner rwx, group r-x, others r--. The bare leading-zero form relies on the consuming
    # parser reading it as octal (decimal 492); it must stay unquoted, because a quoted value
    # would be a string rather than an integer.
    # NOTE(review): the execute bits are only needed if the mounted ConfigMap carries a script;
    # if it holds configuration files only, a narrower mode would do — confirm against the template.
    defaultMode: 0754
  ## @param zeebe.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  ## @param zeebe.logLevel defines the log level which is used by the zeebe brokers
  logLevel: info
  ## @param zeebe.log4j2 can be used to overwrite the log4j2 configuration of the zeebe brokers
  log4j2: ''
  ## @param zeebe.javaOpts can be used to set java options for the zeebe brokers
  # On OutOfMemoryError the JVM writes a heap dump and then exits; the dump and the JVM error
  # file both go to /usr/local/zeebe/data.
  # NOTE(review): a heap dump is a copy of process memory and can contain credentials and
  # workflow data. The target path is presumably the broker data volume, so dumps would persist
  # with it — confirm who can read that volume and its backups, and how dumps are cleaned up.
  javaOpts: >-
    -XX:+HeapDumpOnOutOfMemoryError
    -XX:HeapDumpPath=/usr/local/zeebe/data
    -XX:ErrorFile=/usr/local/zeebe/data/zeebe_error%p.log
    -XX:+ExitOnOutOfMemoryError

  ## @extra zeebe.service configuration for the broker service
  service:
    ## @param zeebe.service.annotations can be used to define annotations, which will be applied to the Zeebe service
    annotations: {}
    ## @param zeebe.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param zeebe.service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
    ## @param zeebe.service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
    ## @param zeebe.service.commandPort defines the port of the command api endpoint, where the broker commands are sent to
    commandPort: 26501
    ## @param zeebe.service.commandName defines the name of the command api endpoint, where the broker commands are sent to
    commandName: "command"
    ## @param zeebe.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    ## @param zeebe.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"
    ## @param zeebe.service.extraPorts can be used to expose any other ports which are required. Can be useful for exporters
    extraPorts: []
      # - name: hazelcast
      #   protocol: TCP
      #   port: 5701
      #   targetPort: 5701

  ## @extra global.zeebe.ServiceAccount configuration for the service account where the broker pods are assigned to
  serviceAccount:
    ## @param zeebe.serviceAccount.enabled if true, enables the broker service account
    enabled: true
    ## @param zeebe.serviceAccount.name can be used to set the name of the broker service account
    name: ""
    ## @param zeebe.serviceAccount.annotations can be used to set the annotations of the broker service account
    annotations: {}
    ## @param zeebe.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    automountServiceAccountToken: false

  ## @param zeebe.cpuThreadCount defines how many threads can be used for the processing on each broker pod
  cpuThreadCount: "3"
  ## @param zeebe.ioThreadCount defines how many threads can be used for the exporting on each broker pod
  ioThreadCount: "3"
  ## @extra zeebe.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @extra zeebe.resources.requests
  ## @param zeebe.resources.requests.cpu
  ## @param zeebe.resources.requests.memory
  ## @param zeebe.resources.limits.cpu
  ## @param zeebe.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param zeebe.persistenceType defines the type of persistence which is used by Zeebe. Possible values are: disk, local and memory.
  #   disk  - means a persistence volume claim is configured and used
  #   local - means the data is stored into the container, no volumeMount nor volume nor claim is configured
  #   memory   - means zeebe uses a tmpfs for the data persistence, be aware that this takes the limits into account
  persistenceType: disk
  ## @param zeebe.pvcSize defines the persistent volume claim size, which is used by each broker pod https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims
  pvcSize: "32Gi"
  ## @param zeebe.pvcAccessModes can be used to configure the persistent volume claim access mode https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
  pvcAccessModes: ["ReadWriteOnce"]
  ## @param zeebe.pvcStorageClassName can be used to set the storage class name which should be used by the persistent volume claim.
  # It is recommended to use a storage class, which is backed with a SSD. Set to "-" to disable use of default storage class.
  pvcStorageClassName: ''
  ## @param zeebe.pvcAnnotations can be used to specify custom annotations for Zeebe's persistent volume claims, enhancing storage configuration flexibility.
  pvcAnnotations: {}
  ## @param zeebe.pvcSelector can be used to specify a label selector for Zeebe's persistent volume claims for further filtering of the set of persistent volumes to select.
  # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector
  pvcSelector: {}
  ## @param zeebe.extraVolumes can be used to define extra volumes for the broker pods, useful for additional exporters
  extraVolumes: []
  ## @param zeebe.extraVolumeMounts can be used to mount extra volumes for the broker pods, useful for additional exporters
  extraVolumeMounts: []
  ## @param zeebe.extraInitContainers (Deprecated - use `initContainers` instead) ExtraInitContainers can be used to set up extra init containers for the broker pods, useful for additional exporters
  extraInitContainers: []
  ## @param zeebe.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []

  ## @param zeebe.podAnnotations can be used to define extra broker pod annotations
  podAnnotations: {}
  ## @param zeebe.podLabels can be used to define extra broker pod labels
  podLabels: {}
  ## @extra zeebe.podDisruptionBudget configuration to configure a pod disruption budget for the broker pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
    ## @param zeebe.podDisruptionBudget.enabled if true a pod disruption budget is defined for the brokers
    enabled: false
    ## @param zeebe.podDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable:
    ## @param zeebe.podDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable: 1

  ## @extra zeebe.podSecurityContext defines the security options the Zeebe broker pod should be run with
  podSecurityContext:
    ## @param zeebe.podSecurityContext.runAsNonRoot run as non root
    runAsNonRoot: true
    ## @param zeebe.podSecurityContext.fsGroup
    fsGroup: 1001
    ## @extra zeebe.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param zeebe.podSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @extra zeebe.containerSecurityContext defines the security options the Zeebe broker container should be run with
  # NOTE(review): no capabilities.drop entry appears in this block; the Kubernetes "restricted"
  # Pod Security Standard expects ALL capabilities to be dropped — confirm whether the template
  # or an override supplies it.
  containerSecurityContext:
    ## @param zeebe.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param zeebe.containerSecurityContext.privileged
    privileged: false
    ## @param zeebe.containerSecurityContext.readOnlyRootFilesystem
    # The root filesystem is read-only, so broker writes have to land on mounted volumes.
    readOnlyRootFilesystem: true
    ## @param zeebe.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param zeebe.containerSecurityContext.runAsUser
    runAsUser: 1001
    ## @extra zeebe.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param zeebe.containerSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @extra zeebe.startupProbe configuration
  startupProbe:
    ## @param zeebe.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param zeebe.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param zeebe.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/startup
    ## @param zeebe.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebe.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebe.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebe.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe.readinessProbe configuration
  readinessProbe:
    ## @param zeebe.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param zeebe.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param zeebe.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param zeebe.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebe.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebe.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebe.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe.livenessProbe configuration
  livenessProbe:
    ## @param zeebe.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param zeebe.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param zeebe.livenessProbe.probePath defines the liveness probe route used on the app. The path is intended to be the same as the readinessProbe. Refer to this issue for more details: https://github.com/camunda/camunda-platform-helm/issues/1849
    probePath: /actuator/health/readiness
    ## @param zeebe.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebe.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param zeebe.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param zeebe.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param zeebe.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param zeebe.nodeSelector can be used to define on which nodes the broker pods should run
  nodeSelector: {}
  ## @param zeebe.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @extra global.zeebe.Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the Zeebe pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the Zeebe pod labels
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-broker
          topologyKey: "kubernetes.io/hostname"

  ## @param zeebe.priorityClassName can be used to define the broker pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  retention:
    ## @param zeebe.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param zeebe.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d
    ## @param zeebe.retention.policyName defines the name of the created and applied ILM policy.
    policyName: zeebe-record-retention-policy

  ## @param zeebe.configuration if specified, contents will be used as the application.yaml
  configuration: ""
  ## @param zeebe.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
  extraConfiguration: {}
  ## @param zeebe.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param zeebe.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

# Zeebe.
 ####    ##   ##### ###### #    #   ##   #   #
#    #  #  #    #   #      #    #  #  #   # #
#      #    #   #   #####  #    # #    #   #
#  ### ######   #   #      # ## # ######   #
#    # #    #   #   #      ##  ## #    #   #
 ####  #    #   #   ###### #    # #    #   #
## @section ZeebeGateway Parameters
## @extra Gateway configuration to define properties related to the standalone gateway
zeebeGateway:
  ## @param zeebeGateway.replicas defines how many standalone gateways are deployed
  replicas: 2
  ## @extra zeebeGateway.image configuration to configure the ZeebeGateway image specifics
  # NOTE(review): as written, the gateway image is identified by a tag without a digest, so the
  # deployed content follows whatever the registry below returns for that tag — confirm the
  # registry enforces immutable tags or that image signatures are verified at admission.
  image:
    ## @param zeebeGateway.image.registry can be used to set container image registry.
    registry: repo.gbpiweb.loc/public-images
    ## @param zeebeGateway.image.repository defines which image repository to use
    repository: camunda/zeebe
    ## @param zeebeGateway.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: 8.7.0
    ## @param zeebeGateway.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Only the Secret name is given here; the Secret itself is not defined in this section.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param zeebeGateway.sidecars can be used to attach extra containers to the ZeebeGateway deployment
  sidecars: []

  ## @param zeebeGateway.podAnnotations can be used to define extra gateway pod annotations
  podAnnotations: {}
  ## @param zeebeGateway.podLabels can be used to define extra gateway pod labels
  podLabels: {}

  ## @param zeebeGateway.logLevel defines the log level which is used by the gateway
  logLevel: info
  ## @param zeebeGateway.log4j2 can be used to overwrite the log4j2 configuration of the gateway
  log4j2: ''
  ## @param zeebeGateway.javaOpts can be used to set java options for the ZeebeGateway
  javaOpts: >-
    -XX:+ExitOnOutOfMemoryError

  ## @param zeebeGateway.env can be used to set extra environment variables in each gateway container
  env: []
  ## @param zeebeGateway.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @extra zeebeGateway.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param zeebeGateway.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    # 0744 = owner rwx, group r--, others r--. The bare leading-zero form relies on the consuming
    # parser reading it as octal (decimal 484); keep it unquoted so it stays an integer.
    # NOTE(review): the owner execute bit is only needed if the mounted ConfigMap carries a
    # script — confirm against the template before narrowing or widening this mode.
    defaultMode: 0744
  ## @param zeebeGateway.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  ## @extra zeebeGateway.podDisruptionBudget configuration to configure a pod disruption budget for the gateway pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
    ## @param zeebeGateway.podDisruptionBudget.enabled if true a pod disruption budget is defined for the gateways
    enabled: false
    ## @param zeebeGateway.podDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable: 1
    ## @param zeebeGateway.podDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable:

  ## @extra zeebeGateway.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param zeebeGateway.resources.requests.cpu
  ## @param zeebeGateway.resources.requests.memory
  ## @param zeebeGateway.resources.limits.cpu
  ## @param zeebeGateway.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param zeebeGateway.priorityClassName can be used to define the gateway pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  ## @extra zeebeGateway.podSecurityContext defines the security options the gateway pod should be run with
  # Field meanings below are those of the Kubernetes PodSecurityContext; the template that
  # consumes this map is not part of this file.
  podSecurityContext:
    ## @param zeebeGateway.podSecurityContext.runAsNonRoot if true, containers of the pod that would run as UID 0 are refused at start
    runAsNonRoot: true
    ## @param zeebeGateway.podSecurityContext.fsGroup defines the supplemental group ID applied to the pod's processes and to volumes that support ownership management
    fsGroup: 1001
    ## @extra zeebeGateway.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param zeebeGateway.podSecurityContext.seccompProfile.type defines the seccomp profile; RuntimeDefault selects the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra zeebeGateway.containerSecurityContext defines the security options the gateway container should be run with
  # Field meanings below are those of the Kubernetes container SecurityContext.
  # NOTE(review): no `capabilities` key is set here. The "restricted" Pod Security Standard also
  # expects capabilities.drop: [ALL]; confirm whether the template adds it or whether it should be
  # added to these defaults.
  containerSecurityContext:
    ## @param zeebeGateway.containerSecurityContext.allowPrivilegeEscalation if false, the container process cannot gain more privileges than its parent process
    allowPrivilegeEscalation: false
    ## @param zeebeGateway.containerSecurityContext.privileged if false, the container does not run in privileged mode
    privileged: false
    ## @param zeebeGateway.containerSecurityContext.readOnlyRootFilesystem if true, the container root filesystem is mounted read-only, so writable paths must come from volumes
    readOnlyRootFilesystem: true
    ## @param zeebeGateway.containerSecurityContext.runAsNonRoot if true, the container is refused at start when it would run as UID 0
    runAsNonRoot: true
    ## @param zeebeGateway.containerSecurityContext.runAsUser defines the UID the container entrypoint runs as
    runAsUser: 1001
    ## @extra zeebeGateway.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param zeebeGateway.containerSecurityContext.seccompProfile.type defines the seccomp profile; RuntimeDefault selects the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra zeebeGateway.startupProbe configuration
  startupProbe:
    ## @param zeebeGateway.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param zeebeGateway.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param zeebeGateway.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/startup
    ## @param zeebeGateway.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebeGateway.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebeGateway.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebeGateway.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebeGateway.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebeGateway.readinessProbe configuration
  readinessProbe:
    ## @param zeebeGateway.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param zeebeGateway.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param zeebeGateway.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param zeebeGateway.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebeGateway.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebeGateway.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebeGateway.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebeGateway.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebeGateway.livenessProbe configuration
  livenessProbe:
    ## @param zeebeGateway.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param zeebeGateway.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param zeebeGateway.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param zeebeGateway.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebeGateway.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebeGateway.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param zeebeGateway.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param zeebeGateway.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param zeebeGateway.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param zeebeGateway.nodeSelector can be used to define on which nodes the gateway pods should run
  nodeSelector: {}
  ## @param zeebeGateway.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @extra zeebeGateway.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the ZeebeGateway pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the ZeebeGateway pod labels
  ## @skip zeebeGateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key
  ## @skip zeebeGateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator
  ## @skip zeebeGateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values
  ## @skip zeebeGateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-gateway
          topologyKey: "kubernetes.io/hostname"

  ## @param zeebeGateway.extraVolumeMounts can be used to mount extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumeMounts: []
  ## @param zeebeGateway.extraVolumes can be used to define extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumes: []
  ## @param zeebeGateway.extraInitContainers (Deprecated - use `initContainers` instead) can be used to set up extra init containers for the gateway pods, useful for adding interceptors
  extraInitContainers: []
  ## @param zeebeGateway.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []

  ## @extra zeebeGateway.service configuration for the gateway service
  service:
    ## @param zeebeGateway.service.annotations can be used to define annotations, which will be applied to the zeebe-gateway service
    annotations: {}
    ## @param zeebeGateway.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    # ClusterIP keeps every port below reachable only from inside the cluster network.
    type: ClusterIP
    ## @param zeebeGateway.service.loadBalancerIP defines public ip of the load balancer if the type is LoadBalancer
    loadBalancerIP: ""
    ## @param zeebeGateway.service.loadBalancerSourceRanges defines list of allowed source ip address ranges if the type is LoadBalancer
    # With the ClusterIP type above this list is unused. If the type is switched to LoadBalancer,
    # an empty list places no source restriction on the service, so set explicit CIDR ranges then.
    # NOTE(review): whether the template exposes all four ports (http, gRPC, REST, internal) on a
    # LoadBalancer service is not visible here — confirm before publishing the service.
    loadBalancerSourceRanges: []
    ## @param zeebeGateway.service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
    ## @param zeebeGateway.service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
    ## @param zeebeGateway.service.grpcPort defines the port of the gateway gRPC endpoint, where client commands (grpc) are sent to
    grpcPort: 26500
    ## @param zeebeGateway.service.grpcName defines the name of the gateway gRPC endpoint, where client commands (grpc) are sent to
    grpcName: "gateway"
    ## @param zeebeGateway.service.restPort defines the REST port of the gateway REST endpoint, where client commands (REST) are sent to
    restPort: 8080
    ## @param zeebeGateway.service.restName defines the name of the gateway REST endpoint, where client commands (REST) are sent to
    restName: "rest"
    ## @param zeebeGateway.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    ## @param zeebeGateway.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"

  ## @extra zeebeGateway.serviceAccount configuration for the service account where the gateway pods are assigned to
  serviceAccount:
    ## @param zeebeGateway.serviceAccount.enabled if true, enables the gateway service account
    enabled: true
    ## @param zeebeGateway.serviceAccount.name can be used to set the name of the gateway service account
    name: ""
    ## @param zeebeGateway.serviceAccount.annotations can be used to set the annotations of the gateway service account
    annotations: {}
    ## @param zeebeGateway.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # false keeps the Kubernetes API token out of the container filesystem, so a compromised
    # gateway process has no ready-made API credential. Set it to true only if a component in the
    # pod has to call the Kubernetes API.
    automountServiceAccountToken: false

  # Ingress configuration for the gateway's gRPC and REST endpoints; both are disabled below.
  # NOTE(review): grpc and rest declare the same className, host and path "/". If both are enabled
  # the two rules overlap on one host/path — confirm how the controller resolves that, or give each
  # endpoint its own host.
  ingress:
    grpc:
      ## @param zeebeGateway.ingress.grpc.enabled if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.
      enabled: false
      ## @param zeebeGateway.ingress.grpc.className defines the class or configuration of ingress which should be used by the controller
      className: nginx
      ## @param zeebeGateway.ingress.grpc.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
      ## @skip zeebeGateway.ingress.grpc.annotations.ingress.kubernetes.io/rewrite-target
      ## @skip zeebeGateway.ingress.grpc.annotations.nginx.ingress.kubernetes.io/ssl-redirect
      ## @skip zeebeGateway.ingress.grpc.annotations.nginx.ingress.kubernetes.io/backend-protocol
      ## @skip zeebeGateway.ingress.grpc.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
      # NOTE(review): ssl-redirect is 'false' and tls.enabled below is false, so as written this
      # ingress would accept client commands over plain HTTP. Enable tls and remove the ssl-redirect
      # override before exposing the gateway beyond a trusted network.
      annotations:
        ingress.kubernetes.io/rewrite-target: '/'
        nginx.ingress.kubernetes.io/ssl-redirect: 'false'
        nginx.ingress.kubernetes.io/backend-protocol: 'GRPC'
        nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      ## @param zeebeGateway.ingress.grpc.path defines the path which is associated with the Zeebe gateway's gRPC service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
      path: /
      ## @param zeebeGateway.ingress.grpc.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
      pathType: Prefix
      ## @param zeebeGateway.ingress.grpc.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
      # If not specified the rule applies to all inbound gRPC traffic, if specified the rule applies to that host.
      # NOTE(review): this is an environment-specific hostname in a file whose header describes it
      # as chart defaults — confirm it belongs here rather than in a per-environment override.
      host: "zeebe.camunda-tst.api.desenv.gbpiweb.loc"
      ## @extra zeebeGateway.ingress.grpc.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param zeebeGateway.ingress.grpc.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
        enabled: false
        ## @param zeebeGateway.ingress.grpc.tls.secretName defines the secret name which contains the TLS private key and certificate
        secretName: camunda-platform-zeebe-gateway-grpc
    rest:
      ## @param zeebeGateway.ingress.rest.enabled if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.
      enabled: false
      ## @param zeebeGateway.ingress.rest.className defines the class or configuration of ingress which should be used by the controller
      className: nginx
      ## @param zeebeGateway.ingress.rest.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
      ## @skip zeebeGateway.ingress.rest.annotations.ingress.kubernetes.io/rewrite-target
      ## @skip zeebeGateway.ingress.rest.annotations.nginx.ingress.kubernetes.io/ssl-redirect
      ## @skip zeebeGateway.ingress.rest.annotations.nginx.ingress.kubernetes.io/backend-protocol
      ## @skip zeebeGateway.ingress.rest.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
      ## @skip zeebeGateway.ingress.rest.annotations.nginx.ingress.kubernetes.io/proxy-buffering
      # NOTE(review): ssl-redirect is 'false' and tls.enabled below is false, so as written this
      # ingress would serve the REST API over plain HTTP. Enable tls and remove the ssl-redirect
      # override before exposing the gateway beyond a trusted network.
      annotations:
        ingress.kubernetes.io/rewrite-target: '/'
        nginx.ingress.kubernetes.io/ssl-redirect: 'false'
        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
        nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
        nginx.ingress.kubernetes.io/proxy-buffering: 'on'
      ## @param zeebeGateway.ingress.rest.path defines the path which is associated with the Zeebe gateway's REST service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
      path: /
      ## @param zeebeGateway.ingress.rest.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
      pathType: Prefix
      ## @param zeebeGateway.ingress.rest.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
      # If not specified the rule applies to all inbound REST (HTTP) traffic, if specified the rule applies to that host.
      # NOTE(review): this is an environment-specific hostname in a file whose header describes it
      # as chart defaults — confirm it belongs here rather than in a per-environment override.
      host: "zeebe.camunda-tst.api.desenv.gbpiweb.loc"
      ## @extra zeebeGateway.ingress.rest.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param zeebeGateway.ingress.rest.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
        enabled: false
        ## @param zeebeGateway.ingress.rest.tls.secretName defines the secret name which contains the TLS private key and certificate
        secretName: camunda-platform-zeebe-gateway-rest

  # contextPath: "/zeebe"
  ## @param zeebeGateway.contextPath can be used to make Zeebe web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: ""

  ## @param zeebeGateway.configuration if specified, contents will be used as the application.yaml
  configuration: ""
  ## @param zeebeGateway.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
  extraConfiguration: {}
  ## @param zeebeGateway.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param zeebeGateway.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

################################################
 #####
#     # #####  ###### #####    ##   ##### ######
#     # #    # #      #    #  #  #    #   #
#     # #    # #####  #    # #    #   #   #####
#     # #####  #      #####  ######   #   #
#     # #      #      #   #  #    #   #   #
 #####  #      ###### #    # #    #   #   ######
################################################
## @section Operate Parameters
## @extra operate configuration for the Operate sub chart.
operate:
  ## @param operate.enabled if true, the Operate deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra operate.image configuration to configure the Operate image specifics
  image:
    ## @param operate.image.registry can be used to set container image registry.
    # NOTE(review): this is a site-specific registry path, not a public default; anyone reusing
    # this file has to override it, and the pull secret below has to exist in the release namespace.
    registry: repo.gbpiweb.loc/public-images
    ## @param operate.image.repository defines which image repository to use
    repository: camunda/operate
    ## @param operate.image.tag can be set to overwrite the global tag, which should be used in that chart
    # The image is referenced by tag only. A tag can be re-pointed in the registry, so where pulls
    # must be reproducible and verifiable, pin the image by digest as well (if the chart templates
    # support a digest value — not visible in this file).
    tag: 8.7.0
    ## @param operate.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @extra operate.migration configuration for Operate migration
  migration:
    ## @param operate.migration.enabled if true, run Operate migration script as an init container
    enabled: true
    ## @param operate.migration.env can be used to set environment variables for Operate migration init container
    env: []

    ## @extra operate.migration.resources configuration to set request and limit configuration for the migration container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param operate.migration.resources.requests.cpu
    ## @param operate.migration.resources.requests.memory
    ## @param operate.migration.resources.limits.cpu
    ## @param operate.migration.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: 500m
        memory: 1Gi

  ## @param operate.sidecars can be used to attach extra containers to the operate deployment
  sidecars: []
  ## @param operate.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []
  # contextPath: "/operate"
  ## @param operate.contextPath can be used to make Operate web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/operate"

  ## @param operate.podAnnotations can be used to define extra Operate pod annotations
  podAnnotations: {}
  ## @param operate.podLabels can be used to define extra Operate pod labels
  podLabels: {}

  ## @extra operate.logging configuration for the Operate logging. This template will be directly included in the Operate configuration YAML file
  ## @param operate.logging.level.ROOT
  ## @param operate.logging.level.io.camunda.operate
  logging:
    level:
      ROOT: INFO
      io.camunda.operate: INFO

  ## @extra operate.service configuration to configure the Operate service.
  service:
    ## @param operate.service.annotations can be used to define annotations, which will be applied to the Operate service
    annotations: {}
    ## @param operate.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param operate.service.port defines the port of the service, where the Operate web application will be available
    port: 80
    ## @param operate.service.managementPort defines the management port of the service
    managementPort: 9600
    ## @param operate.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    ## @param operate.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"

  ## @extra operate.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param operate.resources.requests.cpu
  ## @param operate.resources.requests.memory
  ## @param operate.resources.limits.cpu
  ## @param operate.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param operate.env can be used to set extra environment variables in each Operate container
  env: []
  ## @param operate.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @extra operate.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param operate.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    # NOTE(review): the unquoted leading zero relies on the parser reading 0744 as octal
    # (decimal 484, rwxr--r--); a strict YAML 1.2 parser would read decimal 744, which is outside
    # the 0-511 range stated above — confirm the rendering toolchain.
    # NOTE(review): 0744 sets the owner execute bit and makes the mounted files readable by every
    # user in the container. If nothing in this config map is executed, a read-only mode such as
    # 0444 or 0440 is tighter — verify against the templates before changing.
    defaultMode: 0744
  ## @param operate.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param operate.extraVolumes can be used to define extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param operate.extraVolumeMounts can be used to mount extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  ## @extra operate.serviceAccount configuration for the service account where the Operate pods are assigned to
  serviceAccount:
    ## @param operate.serviceAccount.enabled if true, enables the Operate service account
    enabled: true
    ## @param operate.serviceAccount.name can be used to set the name of the Operate service account
    name: ""
    ## @param operate.serviceAccount.annotations can be used to set the annotations of the Operate service account
    annotations: {}
    ## @param operate.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    automountServiceAccountToken: false

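  # Separate ingress for Operate. Disabled below and, per the enabled description, deprecated in
  # favour of global.ingress.
  ingress:
    ## @param operate.ingress.enabled if true, an ingress resource is deployed with the Operate deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param operate.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param operate.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip operate.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip operate.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip operate.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    ## @skip operate.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffering
    # NOTE(review): ssl-redirect is 'false' and tls.enabled below is false, so as written this
    # ingress would serve the Operate web application, including its login, over plain HTTP.
    # Enable tls and remove the ssl-redirect override before exposing it beyond a trusted network.
    annotations:
      # Annotation values must be strings. A bare empty value parses as null, so the value is
      # written out explicitly, matching the zeebeGateway ingress blocks in this file.
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param operate.ingress.path defines the path which is associated with the Operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param operate.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param operate.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rule applies to all inbound http traffic, if specified the rule applies to that host.
    # NOTE(review): this is an environment-specific hostname in a file whose header describes it
    # as chart defaults — confirm it belongs here rather than in a per-environment override.
    host: "camunda-tst.api.desenv.gbpiweb.loc"
    ## @extra operate.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param operate.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param operate.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      # Empty by default; a secret name has to be supplied when tls.enabled is switched on.
      secretName: ""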

  ## @extra operate.podSecurityContext defines the security options the Operate pod should be run with
  # Field meanings below are those of the Kubernetes PodSecurityContext; the template that
  # consumes this map is not part of this file.
  podSecurityContext:
    ## @param operate.podSecurityContext.runAsNonRoot if true, containers of the pod that would run as UID 0 are refused at start
    runAsNonRoot: true
    ## @param operate.podSecurityContext.fsGroup defines the supplemental group ID applied to the pod's processes and to volumes that support ownership management
    fsGroup: 1001
    ## @extra operate.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param operate.podSecurityContext.seccompProfile.type defines the seccomp profile; RuntimeDefault selects the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra operate.containerSecurityContext defines the security options the Operate container should be run with
  # Field meanings below are those of the Kubernetes container SecurityContext.
  # NOTE(review): no `capabilities` key is set here. The "restricted" Pod Security Standard also
  # expects capabilities.drop: [ALL]; confirm whether the template adds it or whether it should be
  # added to these defaults.
  containerSecurityContext:
    ## @param operate.containerSecurityContext.allowPrivilegeEscalation if false, the container process cannot gain more privileges than its parent process
    allowPrivilegeEscalation: false
    ## @param operate.containerSecurityContext.privileged if false, the container does not run in privileged mode
    privileged: false
    ## @param operate.containerSecurityContext.readOnlyRootFilesystem if true, the container root filesystem is mounted read-only, so writable paths must come from volumes
    readOnlyRootFilesystem: true
    ## @param operate.containerSecurityContext.runAsNonRoot if true, the container is refused at start when it would run as UID 0
    runAsNonRoot: true
    ## @param operate.containerSecurityContext.runAsUser defines the UID the container entrypoint runs as
    runAsUser: 1001
    ## @extra operate.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param operate.containerSecurityContext.seccompProfile.type defines the seccomp profile; RuntimeDefault selects the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra operate.startupProbe configuration
  startupProbe:
    ## @param operate.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param operate.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param operate.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param operate.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param operate.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param operate.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra operate.readinessProbe configuration
  readinessProbe:
    ## @param operate.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param operate.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param operate.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param operate.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param operate.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param operate.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra operate.livenessProbe configuration
  livenessProbe:
    ## @param operate.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param operate.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param operate.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param operate.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param operate.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param operate.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param operate.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param operate.nodeSelector can be used to define on which nodes the Operate pods should run
  nodeSelector: {}
  ## @param operate.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param operate.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # Retention can be used to define the data retention in Elasticsearch (ILM).
  retention:
    ## @param operate.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param operate.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d

  ## @param operate.configuration if specified, contents will be used as the application.yaml
  configuration: ""
  ## @param operate.extraConfiguration if specified, contents will be used for any extra configuration files such as the log4j2.xml
  extraConfiguration: {}
  ## @param operate.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param operate.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

##################################################
#######
   #      ##    ####  #    # #      #  ####  #####
   #     #  #  #      #   #  #      # #        #
   #    #    #  ####  ####   #      #  ####    #
   #    ######      # #  #   #      #      #   #
   #    #    # #    # #   #  #      # #    #   #
   #    #    #  ####  #    # ###### #  ####    #
##################################################
## @section Tasklist Parameters
# Tasklist configuration for the tasklist sub chart.
tasklist:
  ## @param tasklist.enabled if true, the tasklist deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra tasklist.image configuration to configure the tasklist image specifics
  image:
    ## @param tasklist.image.registry can be used to set container image registry.
    # NOTE(review): this is a site-specific registry path, not a public default; anyone reusing
    # this file has to override it, and the pull secret below has to exist in the release namespace.
    registry: repo.gbpiweb.loc/public-images
    ## @param tasklist.image.repository defines which image repository to use
    repository: camunda/tasklist
    ## @param tasklist.image.tag can be set to overwrite the global tag, which should be used in that chart
    # The image is referenced by tag only. A tag can be re-pointed in the registry, so where pulls
    # must be reproducible and verifiable, pin the image by digest as well (if the chart templates
    # support a digest value — not visible in this file).
    tag: 8.7.0
    ## @param tasklist.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param tasklist.sidecars can be used to attach extra containers to the tasklist deployment
  sidecars: []
  ## @param tasklist.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []
  # contextPath: "/tasklist"
  ## @param tasklist.contextPath can be used to make Tasklist web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/tasklist"

  ## @param tasklist.env can be used to set extra environment variables on each Tasklist container
  env: []
  ## @param tasklist.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @param tasklist.podAnnotations can be used to define extra Tasklist pod annotations
  podAnnotations: {}
  ## @param tasklist.podLabels can be used to define extra tasklist pod labels
  podLabels: {}

  ## @extra tasklist.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param tasklist.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    # The leading zero makes this an octal literal for YAML 1.1 parsers (0744 = decimal 484: owner rwx, group r, other r).
    # A YAML 1.2 core-schema parser reads the same text as decimal 744, which is outside the documented 0-511 range,
    # so check any tooling that re-parses this file.
    # NOTE(review): if the mounted files are only configuration read by the container user, a mode without the
    # execute bit and without world-read would be enough; confirm nothing mounted from this config map is executed.
    defaultMode: 0744
  ## @param tasklist.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @extra tasklist.service configuration to configure the tasklist service.
  service:
    ## @param tasklist.service.annotations can be used to define annotations, which will be applied to the Tasklist service
    annotations: {}
    ## @param tasklist.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param tasklist.service.port defines the port of the service, where the tasklist web application will be available
    port: 80
    ## @param tasklist.service.managementPort defines the management port of the service
    managementPort: 9600
    ## @param tasklist.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    ## @param tasklist.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"

  ## @extra tasklist.identity configures app user management.
  identity:
    userAccessRestrictions:
      ## @param tasklist.identity.userAccessRestrictions.enabled if true, enables the identity user access restrictions
      enabled: true

  ## @param tasklist.extraVolumes can be used to define extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param tasklist.extraVolumeMounts can be used to mount extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  ## @extra tasklist.serviceAccount configuration for the service account where the Tasklist pods are assigned to
  serviceAccount:
    ## @param tasklist.serviceAccount.enabled if true, enables the Tasklist service account
    enabled: true
    ## @param tasklist.serviceAccount.name can be used to set the name of the Tasklist service account
    # NOTE(review): how an empty name is resolved (generated name or namespace default) is decided in the chart templates, not here.
    name: ""
    ## @param tasklist.serviceAccount.annotations can be used to set the annotations of the Tasklist service account
    annotations: {}
    ## @param tasklist.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # false keeps the Kubernetes API token out of the pod filesystem; switch it on only if a container in the pod
    # has to call the Kubernetes API, and then bind the account to the narrowest role that works.
    automountServiceAccountToken: false

  ## @extra tasklist.podSecurityContext defines the security options the Tasklist pod should be run with
  podSecurityContext:
    ## @param tasklist.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param tasklist.podSecurityContext.fsGroup
    fsGroup: 1001
    ## @extra tasklist.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param tasklist.podSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @extra tasklist.containerSecurityContext defines the security options the Tasklist container should be run with
  # NOTE(review): no Linux capabilities are dropped in this block. The Kubernetes "restricted" Pod Security Standard
  # additionally expects capabilities.drop to contain ALL; confirm the chart template passes extra keys through
  # before adding it here.
  containerSecurityContext:
    ## @param tasklist.containerSecurityContext.allowPrivilegeEscalation if false, the container process cannot gain more privileges than its parent process
    allowPrivilegeEscalation: false
    ## @param tasklist.containerSecurityContext.privileged if false, the container does not run in privileged mode
    privileged: false
    ## @param tasklist.containerSecurityContext.readOnlyRootFilesystem if true, the container root filesystem is mounted read-only
    # Writable paths then have to come from mounted volumes (see extraVolumes / extraVolumeMounts).
    readOnlyRootFilesystem: true
    ## @param tasklist.containerSecurityContext.runAsNonRoot if true, the container is refused at start when it would run as UID 0
    runAsNonRoot: true
    ## @param tasklist.containerSecurityContext.runAsUser defines the UID the container process runs as
    # NOTE(review): 1001 presumably matches the user the image is built for; verify against the image.
    runAsUser: 1001
    ## @extra tasklist.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param tasklist.containerSecurityContext.seccompProfile.type defines the seccomp profile type; RuntimeDefault applies the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra tasklist.startupProbe configuration
  startupProbe:
    ## @param tasklist.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param tasklist.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param tasklist.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param tasklist.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param tasklist.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param tasklist.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 5

  ## @extra tasklist.readinessProbe configuration
  readinessProbe:
    ## @param tasklist.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param tasklist.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param tasklist.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param tasklist.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param tasklist.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param tasklist.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 5

  ## @extra tasklist.livenessProbe configuration
  livenessProbe:
    ## @param tasklist.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param tasklist.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param tasklist.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param tasklist.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param tasklist.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param tasklist.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 5

  ## Metrics configuration
  metrics:
    ## @param tasklist.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param tasklist.nodeSelector can be used to define on which nodes the Tasklist pods should run
  nodeSelector: {}
  ## @param tasklist.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param tasklist.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra tasklist.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param tasklist.resources.requests.cpu
  ## @param tasklist.resources.requests.memory
  ## @param tasklist.resources.limits.cpu
  ## @param tasklist.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  # Separate ingress for Tasklist. It is disabled here, and the description of `enabled` marks it as deprecated
  # in favour of global.ingress.
  # NOTE(review): with the values below, enabling this ingress configures no certificate for the host
  # (tls.enabled is false) and does not redirect HTTP to HTTPS (ssl-redirect is 'false'). Tasklist is a
  # user-facing web application, so set tls.enabled, tls.secretName and the ssl-redirect annotation together
  # before switching `enabled` on.
  ingress:
    ## @param tasklist.ingress.enabled if true, an ingress resource is deployed with the tasklist deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param tasklist.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param tasklist.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip tasklist.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip tasklist.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip tasklist.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Annotation values must be strings, which is why 'false' and 'on' are quoted below.
    annotations:
      # NOTE(review): this key has no value, which YAML parses as null rather than as a string; confirm the
      # intended rewrite target and write it explicitly as a quoted string, or remove the key.
      ingress.kubernetes.io/rewrite-target: 
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param tasklist.ingress.path defines the path which is associated with the Tasklist service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param tasklist.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param tasklist.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified, the rule applies to all inbound HTTP traffic; if specified, the rule applies to that host only.
    host: "camunda-tst.api.desenv.gbpiweb.loc"
    # TLS settings for the ingress resource.
    tls:
      ## @param tasklist.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param tasklist.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: ""

  # Retention can be used to configure how long data is kept in Elasticsearch, through an ILM policy.
  retention:
    ## @param tasklist.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param tasklist.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d

  ## @param tasklist.configuration if specified, contents will be used as the application.yaml
  configuration: ""
  ## @param tasklist.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
  extraConfiguration: {}
  ## @param tasklist.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param tasklist.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

#############################################
 #####
#     # #####  ##### # #    # # ###### ######
#     # #    #   #   # ##  ## #     #  #
#     # #    #   #   # # ## # #    #   #####
#     # #####    #   # #    # #   #    #
#     # #        #   # #    # #  #     #
 #####  #        #   # #    # # ###### ######
#############################################
## @section Optimize Parameters
# Optimize configuration for the Optimize sub chart.
optimize:
  ## @param optimize.enabled if true, the Optimize deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra optimize.image configuration to configure the Optimize image specifics
  # https://hub.docker.com/r/camunda/optimize/tags
  # Registry, repository and tag together select the Optimize container image.
  image:
    ## @param optimize.image.registry can be used to set container image registry
    # presumably an internal mirror of the public image; verify how images are synced and checked before they land there
    registry: repo.gbpiweb.loc/public-images
    ## @param optimize.image.repository defines which image repository to use
    repository: camunda/optimize
    ## @param optimize.image.tag can be set to overwrite the global tag, which should be used in that chart
    # A tag is a mutable reference: the registry may serve different content under the same tag over time.
    # NOTE(review): confirm whether the chart templates accept an image digest and, if so, pin one for reproducible rollouts.
    tag: 8.7.0
    ## @param optimize.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Referenced by name only; the Secret itself is not created here and has to exist in the namespace of the release.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @extra optimize.migration configuration for Optimize migration
  migration:
    ## @param optimize.migration.enabled if true, run Optimize migration script as an init container
    enabled: true
    ## @param optimize.migration.env can be used to set environment variables for Optimize migration init container
    env: []

    ## @extra optimize.migration.resources configuration to set request and limit configuration for the migration container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param optimize.migration.resources.requests.cpu
    ## @param optimize.migration.resources.requests.memory
    ## @param optimize.migration.resources.limits.cpu
    ## @param optimize.migration.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: 500m
        memory: 1Gi

  ## @param optimize.sidecars can be used to attach extra containers to the optimize deployment
  sidecars: []

  # contextPath: "/optimize"
  ## @param optimize.contextPath can be used to make Optimize web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/optimize"

  ## @extra optimize.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param optimize.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    # The leading zero makes this an octal literal for YAML 1.1 parsers (0754 = decimal 492: owner rwx, group r-x, other r).
    # A YAML 1.2 core-schema parser reads the same text as decimal 754, which is outside the documented 0-511 range,
    # so check any tooling that re-parses this file.
    # NOTE(review): this mode differs from the 0744 used for tasklist.configMap in this file; confirm the group
    # execute bit is needed, and whether world-read is required at all for files read by the container user.
    defaultMode: 0754

  ## @param optimize.podAnnotations can be used to define extra Optimize pod annotations
  podAnnotations: {}
  ## @param optimize.podLabels can be used to define extra Optimize pod labels
  podLabels: {}

  ## @param optimize.partitionCount defines how many Zeebe partitions are set up in the cluster and which should be imported by Optimize
  partitionCount: "3"
  ## @param optimize.env can be used to set extra environment variables in each Optimize container
  env: []
  ## @param optimize.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @param optimize.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param optimize.extraVolumes can be used to define extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param optimize.extraVolumeMounts can be used to mount extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumeMounts: []
  ## @param optimize.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []
  ## @extra optimize.serviceAccount configuration for the service account where the Optimize pods are assigned to
  serviceAccount:
    ## @param optimize.serviceAccount.enabled if true, enables the Optimize service account
    enabled: true
    ## @param optimize.serviceAccount.name can be used to set the name of the Optimize service account
    # NOTE(review): how an empty name is resolved (generated name or namespace default) is decided in the chart templates, not here.
    name: ""
    ## @param optimize.serviceAccount.annotations can be used to set the annotations of the Optimize service account
    annotations: {}
    ## @param optimize.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # false keeps the Kubernetes API token out of the pod filesystem; switch it on only if a container in the pod
    # has to call the Kubernetes API, and then bind the account to the narrowest role that works.
    automountServiceAccountToken: false

  ## @extra optimize.service configuration to configure the Optimize service.
  service:
    ## @param optimize.service.annotations can be used to define annotations, which will be applied to the Optimize service
    annotations: {}
    ## @param optimize.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param optimize.service.port defines the port of the service, where the Optimize web application will be available
    port: 80
    ## @param optimize.service.managementPort defines the port where actuator will be available. Also required to reach backup API
    managementPort: 8092

  ## @extra optimize.podSecurityContext defines the security options the Optimize pod should be run with
  podSecurityContext:
    ## @param optimize.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param optimize.podSecurityContext.fsGroup
    fsGroup: 1001
    ## @extra optimize.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param optimize.podSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @extra optimize.containerSecurityContext defines the security options the Optimize container should be run with
  # NOTE(review): no Linux capabilities are dropped in this block. The Kubernetes "restricted" Pod Security Standard
  # additionally expects capabilities.drop to contain ALL; confirm the chart template passes extra keys through
  # before adding it here.
  containerSecurityContext:
    ## @param optimize.containerSecurityContext.allowPrivilegeEscalation if false, the container process cannot gain more privileges than its parent process
    allowPrivilegeEscalation: false
    ## @param optimize.containerSecurityContext.privileged if false, the container does not run in privileged mode
    privileged: false
    ## @param optimize.containerSecurityContext.readOnlyRootFilesystem if true, the container root filesystem is mounted read-only
    # Writable paths then have to come from mounted volumes (see extraVolumes / extraVolumeMounts).
    readOnlyRootFilesystem: true
    ## @param optimize.containerSecurityContext.runAsNonRoot if true, the container is refused at start when it would run as UID 0
    runAsNonRoot: true
    ## @param optimize.containerSecurityContext.runAsUser defines the UID the container process runs as
    # NOTE(review): 1001 presumably matches the user the image is built for; verify against the image.
    runAsUser: 1001
    ## @extra optimize.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param optimize.containerSecurityContext.seccompProfile.type defines the seccomp profile type; RuntimeDefault applies the container runtime's default syscall filter
      type: RuntimeDefault

  ## @extra optimize.startupProbe configuration
  startupProbe:
    ## @param optimize.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param optimize.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param optimize.startupProbe.probePath defines the startup probe route used on the app
    probePath: /api/readyz
    ## @param optimize.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra optimize.readinessProbe configuration
  readinessProbe:
    ## @param optimize.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param optimize.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param optimize.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /api/readyz
    ## @param optimize.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra optimize.livenessProbe configuration
  livenessProbe:
    ## @param optimize.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param optimize.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param optimize.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /api/readyz
    ## @param optimize.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param optimize.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param optimize.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param optimize.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @param optimize.nodeSelector can be used to define on which nodes the Optimize pods should run
  nodeSelector: {}
  ## @param optimize.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param optimize.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra optimize.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param optimize.resources.requests.cpu
  ## @param optimize.resources.requests.memory
  ## @param optimize.resources.limits.cpu
  ## @param optimize.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  # Separate ingress for Optimize. It is disabled here, and the description of `enabled` marks it as deprecated
  # in favour of global.ingress.
  # NOTE(review): with the values below, enabling this ingress configures no certificate for the host
  # (tls.enabled is false) and does not redirect HTTP to HTTPS (ssl-redirect is 'false'). Optimize is a
  # user-facing web application, so set tls.enabled, tls.secretName and the ssl-redirect annotation together
  # before switching `enabled` on.
  ingress:
    ## @param optimize.ingress.enabled if true, an ingress resource is deployed with the Optimize deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param optimize.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param optimize.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip optimize.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Annotation values must be strings, which is why 'false' and 'on' are quoted below.
    annotations:
      # NOTE(review): this key has no value, which YAML parses as null rather than as a string; confirm the
      # intended rewrite target and write it explicitly as a quoted string, or remove the key.
      ingress.kubernetes.io/rewrite-target: 
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param optimize.ingress.path defines the path which is associated with the Optimize service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param optimize.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param optimize.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified, the rule applies to all inbound HTTP traffic; if specified, the rule applies to that host only.
    host: "camunda-tst.api.desenv.gbpiweb.loc"
    ## @extra optimize.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param optimize.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param optimize.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: ""

  ## @param optimize.configuration if specified, contents will be used as the environment-config.yaml
  configuration: ""
  ## @param optimize.extraConfiguration if specified, contents will be used for any extra configuration files such as environment-logback.xml
  extraConfiguration: {}
  ## @param optimize.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param optimize.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

#########################################################################################################
###### #    # ######  ####  #    # ##### #  ####  #    #       # #####  ###### #    # ##### # ##### #   #
#       #  #  #      #    # #    #   #   # #    # ##   #       # #    # #      ##   #   #   #   #    # #
#####    ##   #####  #      #    #   #   # #    # # #  # ##### # #    # #####  # #  #   #   #   #     #
#        ##   #      #      #    #   #   # #    # #  # #       # #    # #      #  # #   #   #   #     #
#       #  #  #      #    # #    #   #   # #    # #   ##       # #    # #      #   ##   #   #   #     #
###### #    # ######  ####   ####    #   #  ####  #    #       # #####  ###### #    #   #   #   #     #
#########################################################################################################
## @skip executionIdentity Parameters
## @skip executionIdentity configuration for executionIdentity.
executionIdentity:
  ## @skip executionIdentity.enabled if true, the executionIdentity deployment and its related resources are deployed via a helm release
  enabled: false

  ## @skip executionIdentity.configuration Configuration passed directly to executionIdentity as YAML file. More details on [executionIdentity official documentations](https://docs.camunda.io/docs/self-managed/executionIdentity-deployment/configuration/)
  configuration: ""

  ## executionIdentity.image configuration to configure the executionIdentity image specifics
  # The component is switched off above (executionIdentity.enabled is false), so these values only take
  # effect once it is enabled.
  image:
    ## @skip executionIdentity.image.registry can be used to set container image registry.
    registry: repo.gbpiweb.loc/public-images
    ## @skip executionIdentity.image.repository defines which image repository to use
    repository: camunda/camunda
    # NOTE(review): SNAPSHOT is a moving tag, so the content that runs depends on when the image was last pulled
    # and cannot be tied to a reviewed build; replace it with a release tag before enabling the component.
    # The renovate hint below names camunda/executionIdentity while `repository` is camunda/camunda; confirm which
    # image is intended.
    ## @skip executionIdentity.image.tag can be used to set the Docker image tag for the executionIdentity image (overwrites global.image.tag)
    # renovate: datasource=docker depName=camunda/executionIdentity lookupName=registry.camunda.cloud/executionIdentity/executionIdentity-sm
    tag: SNAPSHOT
    ## @skip executionIdentity.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Referenced by name only; the Secret itself is not created here and has to exist in the namespace of the release.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @skip executionIdentity.sidecars can be used to attach extra containers to the executionIdentity deployment
  sidecars: []

  ## @skip executionIdentity.replicas Number of executionIdentity replicas
  replicas: 1

  ## executionIdentity.keycloak configuration to configure Keycloak authentication settings.
  keycloak:
    ## @skip executionIdentity.keycloak.realm Specifies the Keycloak realm used for authentication.
    realm: "camunda-platform"

  ## @skip executionIdentity.contextPath can be used to make executionIdentity web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: ""

  ## @skip executionIdentity.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []

  ## @skip executionIdentity.podAnnotations can be used to define extra executionIdentity pod annotations
  podAnnotations: {}
  ## @skip executionIdentity.podLabels can be used to define extra executionIdentity pod labels
  podLabels: {}

  ## @skip executionIdentity.logging configuration for the executionIdentity logging. This template will be directly included in the Operate configuration YAML file
  logging: {}

  ## executionIdentity.service configuration to configure the executionIdentity service.
  service:
    ## @skip executionIdentity.service.annotations can be used to define annotations, which will be applied to the executionIdentity service
    annotations: {}
    ## @skip executionIdentity.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @skip executionIdentity.service.port defines the port number where the web application will be available
    port: 80
    ## @skip executionIdentity.service.serverName defines the port name where the web application will be available
    serverName: http
    ## @skip executionIdentity.service.managementPort defines the management port used to access metrics and app status
    managementPort: 9600

  ## executionIdentity.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @skip executionIdentity.resources.requests.memory
  ## @skip executionIdentity.resources.limits.cpu
  ## @skip executionIdentity.resources.limits.memory
  ## @skip executionIdentity.resources.requests.cpu
  # Requests are what the scheduler reserves for the container; limits are the ceiling it is held to, which keeps a runaway or abused instance from starving other workloads on the node.
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @skip executionIdentity.env can be used to set extra environment variables in each app container
  # Values written here are stored in plain text in this file; reference credentials from a Secret instead (valueFrom.secretKeyRef on an entry, or envFrom below).
  env: []
  ## @skip executionIdentity.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @skip executionIdentity.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @skip executionIdentity.extraVolumes can be used to define extra volumes for the executionIdentity pods, useful for TLS and self-signed certificates
  extraVolumes: []
  ## @skip executionIdentity.extraVolumeMounts can be used to mount extra volumes for the executionIdentity pods, useful for TLS and self-signed certificates
  # containerSecurityContext.readOnlyRootFilesystem is true for this component, so any path the application has to write to needs a volume mounted here.
  extraVolumeMounts: []

  ## executionIdentity.startupProbe configuration
  startupProbe:
    ## @skip executionIdentity.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @skip executionIdentity.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    # HTTP means the kubelet probes the container without TLS; use HTTPS if the application itself serves TLS on the probed port.
    scheme: HTTP
    ## @skip executionIdentity.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health
    ## @skip executionIdentity.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @skip executionIdentity.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @skip executionIdentity.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @skip executionIdentity.startupProbe.failureThreshold defines after how many consecutive failures the probe is considered failed; for a startup probe Kubernetes then restarts the container
    failureThreshold: 5
    ## @skip executionIdentity.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## executionIdentity.readinessProbe configuration
  readinessProbe:
    ## @skip executionIdentity.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @skip executionIdentity.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    # HTTP means the kubelet probes the container without TLS; use HTTPS if the application itself serves TLS on the probed port.
    scheme: HTTP
    ## @skip executionIdentity.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health
    ## @skip executionIdentity.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @skip executionIdentity.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @skip executionIdentity.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @skip executionIdentity.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @skip executionIdentity.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## executionIdentity.livenessProbe configuration
  livenessProbe:
    ## @skip executionIdentity.livenessProbe.enabled if true, the liveness probe is enabled in app container
    # With the liveness probe off, Kubernetes does not restart a container that is running but no longer answering; only readiness (above) takes it out of service.
    enabled: false
    ## @skip executionIdentity.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @skip executionIdentity.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health
    ## @skip executionIdentity.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @skip executionIdentity.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @skip executionIdentity.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @skip executionIdentity.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @skip executionIdentity.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## executionIdentity.metrics configuration
  metrics:
    ## @skip executionIdentity.metrics.prometheus Prometheus metrics endpoint
    # NOTE(review): presumably served on service.managementPort rather than the web port; metrics can reveal internal details, so confirm this path is not routed through the Ingress.
    prometheus: /prometheus

  ## executionIdentity.serviceAccount configuration for the service account where the executionIdentity pods are assigned to
  serviceAccount:
    ## @skip executionIdentity.serviceAccount.enabled if true, enables the executionIdentity service account
    enabled: true
    ## @skip executionIdentity.serviceAccount.name can be used to set the name of the executionIdentity service account
    name: ""
    ## @skip executionIdentity.serviceAccount.annotations can be used to set the annotations of the Operate service account
    # NOTE(review): "Operate" above looks carried over from the Operate section; this key sits under executionIdentity.serviceAccount.
    annotations: {}
    ## @skip executionIdentity.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # false keeps the Kubernetes API token out of the pod, so a compromised container has no credential for the cluster API. Turn it on only if the workload really calls the API.
    automountServiceAccountToken: false

  ## executionIdentity.ingress configuration for a dedicated ingress resource in front of the executionIdentity service
  ingress:
    ## @skip executionIdentity.ingress.enabled if true, an ingress resource is deployed with the executionIdentity deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @skip executionIdentity.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @skip executionIdentity.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip executionIdentity.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip executionIdentity.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip executionIdentity.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Security: ssl-redirect 'false' tells the nginx controller not to redirect plain HTTP to HTTPS. Together with tls.enabled false below, enabling this ingress as-is would serve an authentication component over clear text; set tls.enabled and ssl-redirect 'true' before exposing it.
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @skip executionIdentity.ingress.path defines the path which is associated with the executionIdentity service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @skip executionIdentity.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @skip executionIdentity.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rule applies to all http traffic, if specified the rule applies to that host.
    host: ""
    ## executionIdentity.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @skip executionIdentity.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host needs to be defined.
      enabled: false
      ## @skip executionIdentity.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-execution-identity

  ## @skip executionIdentity.podSecurityContext defines the security options the executionIdentity broker pod should be run with
  # NOTE(review): "broker" looks carried over from another component's section; these options apply to the executionIdentity pod.
  podSecurityContext:
    ## @skip executionIdentity.podSecurityContext.runAsNonRoot run as non root
    # The kubelet refuses to start a container whose image would run as UID 0.
    runAsNonRoot: true
    ## @skip executionIdentity.podSecurityContext.fsGroup
    # Supplementary group applied to mounted volumes so the non-root user can access them.
    fsGroup: 1001
    ## @skip executionIdentity.podSecurityContext.seccompProfile
    seccompProfile:
      ## @skip executionIdentity.podSecurityContext.seccompProfile.type
      # RuntimeDefault applies the container runtime's default syscall filter instead of running unconfined.
      type: RuntimeDefault

  # ContainerSecurityContext defines the security options the executionIdentity broker container should be run with
  # NOTE(review): "broker" looks carried over from another component's section; these options apply to the executionIdentity container.
  # Loosening any value below widens what a compromised application process can do, so keep overrides to the minimum a deployment needs.
  containerSecurityContext:
    ## @skip executionIdentity.containerSecurityContext.allowPrivilegeEscalation
    # false prevents the process from gaining more privileges than its parent (for example through setuid binaries).
    allowPrivilegeEscalation: false
    ## @skip executionIdentity.containerSecurityContext.privileged
    privileged: false
    ## @skip executionIdentity.containerSecurityContext.readOnlyRootFilesystem
    # true makes the image filesystem immutable at runtime; writable paths have to come from mounted volumes.
    readOnlyRootFilesystem: true
    ## @skip executionIdentity.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @skip executionIdentity.containerSecurityContext.runAsUser
    runAsUser: 1001
    ## @skip executionIdentity.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @skip executionIdentity.containerSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @skip executionIdentity.nodeSelector can be used to define on which nodes the executionIdentity pods should run
  nodeSelector: {}
  ## @skip executionIdentity.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @skip executionIdentity.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  ## @skip executionIdentity.dnsPolicy can be used to set the pod DNS policy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @skip executionIdentity.dnsConfig can be used to set the pod DNS configuration https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

############################################
###
 #  #####  ###### #    # ##### # ##### #   #
 #  #    # #      ##   #   #   #   #    # #
 #  #    # #####  # #  #   #   #   #     #
 #  #    # #      #  # #   #   #   #     #
 #  #    # #      #   ##   #   #   #     #
### #####  ###### #    #   #   #   #     #
############################################
## @section Identity Parameters
# Identity configuration for the identity sub chart.
identity:
  ## @param identity.enabled if true, the identity deployment and its related resources are deployed via a helm release
  #
  # Note: If using Keycloak, Identity is required by Optimize and WebModeler.
  #       If you need neither Optimize nor WebModeler, make sure to disable both the Identity authentication and the applications by setting:
  #         global.identity.auth.enabled=false
  #         optimize.enabled=false
  #         webModeler.enabled=false
  enabled: true

  ## @param identity.fullnameOverride can be used to override the full name of the Identity resources
  fullnameOverride: ""
  ## @param identity.nameOverride can be used to partly override the name of the Identity resources (names will still be prefixed with the release name)
  nameOverride: ""

  ## @extra identity.firstUser configuration to configure properties of the first Identity user, which can be used to access all
  # web applications
  # Security: username and password below are the well-known demo/demo pair, and this account can access all web applications.
  # Outside a throwaway environment, supply the password through existingSecret / existingSecretKey and keep no real password in this file, which is usually committed to version control.
  firstUser:
    ## @param identity.firstUser.enabled if true, Identity will seed the first user in Keycloak.
    enabled: true
    ## @param identity.firstUser.username defines the username of the first user, needed to log in into the web applications
    username: demo
    ## @param identity.firstUser.password defines the password of the first user, needed to log in into the web applications
    password: demo
    ## @param identity.firstUser.email defines the email address of the first user; a valid email address is required to use WebModeler
    email: demo@example.org
    ## @param identity.firstUser.firstName defines the first name of the first user; a name is required to use WebModeler
    firstName: Demo
    ## @param identity.firstUser.lastName defines the last name of the first user; a name is required to use WebModeler
    lastName: User
    ## @param identity.firstUser.existingSecret can be used to use an own existing secret for Identity first user.
    # NOTE(review): presumably takes precedence over password above when set - confirm against the chart templates.
    existingSecret: ""
    ## @param identity.firstUser.existingSecretKey defines the key within the existing secret object.
    existingSecretKey: "identity-firstuser-password"

  ## @extra identity.image configuration to configure the identity image specifics
  image:
    ## @param identity.image.registry can be used to set container image registry.
    # Points at an internal mirror rather than a public registry; the integrity of what runs here depends on how that mirror is populated.
    registry: repo.gbpiweb.loc/public-images
    ## @param identity.image.repository defines which image repository to use
    repository: camunda/identity
    ## @param identity.image.tag can be set to overwrite the global tag, which should be used in that chart
    # NOTE(review): a tag can be re-pointed to different content in the registry; if the chart version in use allows pinning by digest, prefer that - confirm.
    tag: 8.7.0
    ## @param identity.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Only the Secret's name is referenced; the registry credential itself lives in the cluster and must exist in the release namespace.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param identity.sidecars can be used to attach extra containers to the identity deployment
  # Sidecars share the pod's network namespace and mounted volumes with Identity, so they deserve the same scrutiny as the main image.
  sidecars: []
  ## @param identity.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []
  ## @param identity.fullURL can be used when Ingress is configured (for both multi and single domain setup).
  # The scheme is https, so whatever fronts this host has to terminate TLS. NOTE(review): identity.ingress below has tls disabled, so TLS presumably comes from the global ingress - confirm.
  fullURL: "https://camunda-tst.api.desenv.gbpiweb.loc/identity"

  # Note: Identity cannot be accessed over HTTP if a "contextPath" is configured.
  #       Which means that Identity cannot be configured in combined Ingress without HTTPS.
  #       To use Identity over HTTP, set up a separate Ingress using "identity.ingress" and don't set "contextPath".
  # contextPath is set below, so this deployment falls under the HTTPS-only case described above.
  ## @param identity.contextPath can be used to make the Identity web application work on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/identity"

  ## @param identity.podAnnotations can be used to define extra Identity pod annotations
  podAnnotations: {}
  ## @param identity.podLabels can be used to define extra Identity pod labels
  podLabels: {}

  ## @extra identity.service configuration to configure the identity service.
  service:
    ## @param identity.service.annotations can be used to define annotations, which will be applied to the identity service
    annotations: {}
    ## @param identity.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    # ClusterIP keeps the service reachable only from inside the cluster; external access then has to come through an Ingress or a similar front end.
    type: ClusterIP
    ## @param identity.service.port defines the port of the service on which the identity application will be available
    port: 80
    ## @param identity.service.metricsPort defines the port of the service on which the identity metrics will be available
    # NOTE(review): metrics rarely need end-user access; presumably this port should stay off any Ingress and be limited to the monitoring stack by NetworkPolicy - confirm.
    metricsPort: 82
    ## @param identity.service.metricsName defines the name of the service on which the identity metrics will be available
    metricsName: metrics

  ## @extra identity.podSecurityContext defines the security options the Identity pod should be run with
  podSecurityContext:
    ## @param identity.podSecurityContext.runAsNonRoot
    # The kubelet refuses to start a container whose image would run as UID 0.
    runAsNonRoot: true
    ## @param identity.podSecurityContext.fsGroup
    # Supplementary group applied to mounted volumes so the non-root user can access them.
    fsGroup: 1001
    ## @extra identity.podSecurityContext.seccompProfile
    seccompProfile:
      ## @param identity.podSecurityContext.seccompProfile.type
      # RuntimeDefault applies the container runtime's default syscall filter instead of running unconfined.
      type: RuntimeDefault

  ## @extra identity.containerSecurityContext defines the security options the Identity container should be run with
  # Loosening any value below widens what a compromised Identity process can do, so keep overrides to the minimum a deployment needs.
  containerSecurityContext:
    ## @param identity.containerSecurityContext.allowPrivilegeEscalation
    # false prevents the process from gaining more privileges than its parent (for example through setuid binaries).
    allowPrivilegeEscalation: false
    ## @param identity.containerSecurityContext.privileged
    privileged: false
    ## @param identity.containerSecurityContext.readOnlyRootFilesystem
    # true makes the image filesystem immutable at runtime; writable paths have to come from mounted volumes (see extraVolumes / extraVolumeMounts).
    readOnlyRootFilesystem: true
    ## @param identity.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param identity.containerSecurityContext.runAsUser
    runAsUser: 1001
    ## @extra identity.containerSecurityContext.seccompProfile
    seccompProfile:
      ## @param identity.containerSecurityContext.seccompProfile.type
      type: RuntimeDefault

  ## @extra identity.startupProbe configuration
  startupProbe:
    ## @param identity.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param identity.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    # HTTP means the kubelet probes the container without TLS; use HTTPS if the application itself serves TLS on the probed port.
    scheme: HTTP
    ## @param identity.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health
    ## @param identity.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param identity.startupProbe.failureThreshold defines after how many consecutive failures the probe is considered failed; for a startup probe Kubernetes then restarts the container
    failureThreshold: 5
    ## @param identity.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## @extra identity.readinessProbe configuration
  readinessProbe:
    ## @param identity.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param identity.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    # HTTP means the kubelet probes the container without TLS; use HTTPS if the application itself serves TLS on the probed port.
    scheme: HTTP
    ## @param identity.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health
    ## @param identity.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param identity.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param identity.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## @extra identity.livenessProbe configuration
  livenessProbe:
    ## @param identity.livenessProbe.enabled if true, the liveness probe is enabled in app container
    # With the liveness probe off, Kubernetes does not restart a container that is running but no longer answering; only readiness (above) takes it out of service.
    enabled: false
    ## @param identity.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param identity.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health
    ## @param identity.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param identity.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param identity.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param identity.metrics.prometheus Prometheus metrics endpoint
    # NOTE(review): presumably served on service.metricsPort; metrics can reveal internal details, so confirm this path is not routed through the Ingress.
    prometheus: /actuator/prometheus

  ## @param identity.nodeSelector can be used to define on which nodes the Identity pods should run
  nodeSelector: {}
  ## @param identity.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param identity.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra identity.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param identity.resources.requests.memory
  ## @param identity.resources.limits.cpu
  ## @param identity.resources.requests.cpu
  ## @param identity.resources.limits.memory
  # Requests are what the scheduler reserves for the container; limits are the ceiling it is held to, which keeps a runaway or abused instance from starving other workloads on the node.
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param identity.env can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details.
  # Values written here are stored in plain text in this file; reference credentials from a Secret instead (valueFrom.secretKeyRef on an entry, or envFrom below).
  env: []
  ## @param identity.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @param identity.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param identity.extraVolumes can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param identity.extraVolumeMounts can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates
  # containerSecurityContext.readOnlyRootFilesystem is true for Identity, so any path the application has to write to needs a volume mounted here.
  extraVolumeMounts: []

  ## @extra identity.serviceAccount configuration for the service account where the identity pods are assigned to
  serviceAccount:
    ## @param identity.serviceAccount.enabled if true, enables the identity service account
    enabled: true
    ## @param identity.serviceAccount.name can be used to set the name of the identity service account
    name: ""
    ## @param identity.serviceAccount.annotations can be used to set the annotations of the identity service account
    annotations: {}
    ## @param identity.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # NOTE(review): true mounts a Kubernetes API token into every Identity pod, whereas executionIdentity.serviceAccount in this file sets false. A mounted token is a credential a compromised container can use against the cluster API; confirm Identity actually needs it, and set false if not.
    automountServiceAccountToken: true

  ## identity.ingress configuration for a dedicated ingress resource in front of the identity service
  ingress:
    ## @param identity.ingress.enabled if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param identity.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param identity.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip identity.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip identity.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip identity.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Security: ssl-redirect 'false' tells the nginx controller not to redirect plain HTTP to HTTPS. Together with tls.enabled false below, enabling this ingress as-is would carry logins and tokens over clear text; set tls.enabled and ssl-redirect 'true' before exposing it.
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param identity.ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # NOTE(review): "operate" above looks carried over from the Operate section; this key sits under identity.ingress.
    path: /
    ## @param identity.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param identity.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rule applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra identity.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param identity.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host needs to be defined.
      enabled: false
      ## @param identity.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-identity

  ## External PostgreSQL configuration
  ## All of these values are only used when postgresql.enabled is set to false
  ## @param identity.externalDatabase.enabled
  ## @param identity.externalDatabase.host Database host
  ## @param identity.externalDatabase.port Database port number
  ## @param identity.externalDatabase.username Non-root username
  ## @param identity.externalDatabase.password Password for the non-root username
  ## @param identity.externalDatabase.database The database name
  ## @param identity.externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
  ## @param identity.externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
  ##
  # The keys below have no value, which YAML parses as null rather than as an empty string.
  # Security: a password written here is stored in plain text in this file; prefer existingSecret with existingSecretPasswordKey so the credential stays in a Kubernetes Secret.
  externalDatabase:
    enabled: false
    host:
    port:
    username:
    database:
    password:
    existingSecret:
    existingSecretPasswordKey:

  ## @param identity.configuration if specified, contents will be used as the application.yaml
  # NOTE(review): presumably replaces the generated application.yaml wholesale; if so, any credentials placed in it are stored in plain text in this file - confirm how the chart renders it.
  configuration: ""
  ## @param identity.extraConfiguration if specified, contents will be used for any extra configuration files such as the log4j2.xml
  extraConfiguration: {}
  ## @param identity.dnsPolicy can be used to set the pod DNS policy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param identity.dnsConfig can be used to set the pod DNS configuration https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

  # NOTE(review): this file also has a top-level identityKeycloak section for the Keycloak dependency chart; confirm which of the two the chart version in use actually reads, so these settings are not silently ignored.
  keycloak: # see: https://github.com/bitnami/charts/tree/master/bitnami/keycloak#parameters
    ingress: # see: https://www.keycloak.org/server/reverseproxy
      enabled: false
      ingressClassName: nginx
      hostname: "camunda-tst.api.desenv.gbpiweb.loc"
    extraEnvVars: # see: https://github.com/bitnami/bitnami-docker-keycloak#configuration
      # Makes Keycloak trust the forwarding headers set by the reverse proxy. That is only safe when every request reaches Keycloak through that proxy; a client that can reach the pod or service directly could otherwise supply those headers itself.
      - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
        value: "true"
      # Pins the externally visible Keycloak URL to the HTTPS address behind the ingress.
      - name: KEYCLOAK_EXTRA_ARGS
        value: "-Dkeycloak.frontendUrl=https://camunda-tst.api.desenv.gbpiweb.loc/auth"

# Identity.
#####   ####   ####  #####  ####  #####  ######  ####   ####  #
#    # #    # #        #   #    # #    # #      #      #    # #
#    # #    #  ####    #   #      #    # #####   ####  #    # #
#####  #    #      #   #   #  ### #####  #           # #  # # #
#      #    # #    #   #   #    # #   #  #      #    # #   #  #
#       ####   ####    #    ####  #    # ######  ####   ### # ######
## @section Identity - PostgreSQL Parameters
## @extra identityPostgresql configuration for the PostgreSQL dependency chart used by Identity. For more details, check [Bitnami package for PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters) documentation.
identityPostgresql:
  ## @param identityPostgresql.enabled Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy.
  ##
  enabled: false
  ## @extra identityPostgresql.global.compatibility Compatibility adaptations for Kubernetes platforms
  global:
    ## Compatibility adaptations for Kubernetes platforms
    ##
    compatibility:
      ## Compatibility adaptations for Openshift
      ##
      openshift:
        ## @param identityPostgresql.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
        ##
        # The value is a template expression held as a string. NOTE(review): presumably evaluated by the chart so this subchart follows the global setting, falling back to "disabled" - confirm.
        adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}"
  # https://hub.docker.com/r/bitnami/postgresql/tags
  ## @param identityPostgresql.image.repository PostgreSQL repo
  ## @param identityPostgresql.image.tag PostgreSQL image tag
  ##
  # NOTE(review): no registry is set here, unlike identity.image; confirm where this image is pulled from and that the source is one you trust.
  image:
    repository: bitnami/postgresql
    tag: 15.10.0-debian-12-r2
  ## @param identityPostgresql.nameOverride the name used for Identity PostgreSQL.
  ##
  nameOverride: identity-postgresql
  auth:
    ## @param identityPostgresql.auth.username Non-root username
    ##
    username: identity
    ## @param identityPostgresql.auth.database The database name
    ##
    database: identity
    ## @param identityPostgresql.auth.password Password for the non-root username
    ##
    # Left empty (null). Security: a password written here is stored in plain text in this file; prefer existingSecret below.
    password:
    ## @param identityPostgresql.auth.existingSecret Name of an existing secret resource containing the database credentials
    ##
    existingSecret:
    secretKeys:
      ## @param identityPostgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
      adminPasswordKey: "postgres-password"
      ## @param identityPostgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
      userPasswordKey: "password"

# Identity.
#    # ###### #   #  ####  #       ####    ##   #    #
#   #  #       # #  #    # #      #    #  #  #  #   #
####   #####    #   #      #      #    # #    # ####
#  #   #        #   #      #      #    # ###### #  #
#   #  #        #   #    # #      #    # #    # #   #
#    # ######   #    ####  ######  ####  #    # #    #
## @section Identity - Keycloak Parameters
## @extra identityKeycloak configuration, for the Keycloak dependency chart which is used by Identity. For more details, check [Bitnami package for Keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak#parameters) documentation.
identityKeycloak:
  ## @param identityKeycloak.enabled Enable Identity Keycloak Helm chart. It is used in conjunction with "global.identity.keycloak" to use your own Keycloak instead of the one that comes with the Camunda Helm chart
  enabled: true
  ## @extra identityKeycloak.global.compatibility Compatibility adaptations for Kubernetes platforms
  global:
    ## Compatibility adaptations for Kubernetes platforms
    ##
    compatibility:
      ## Compatibility adaptations for Openshift
      ##
      openshift:
        ## @param identityKeycloak.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
        ##
        adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}"
    security:
      ## @param identityKeycloak.global.security.allowInsecureImages Allows the use of the Camunda build Keycloak image (including the Identity login theme)
      # Security: true presumably switches off the dependency chart's check that rejects images other than its own defaults (confirm against the Bitnami chart documentation). With the check off, what runs is decided entirely by identityKeycloak.image, so pull it only from a registry you control and keep the version pinned.
      allowInsecureImages: true
  ## @param identityKeycloak.nameOverride the name used for Keycloak.
  nameOverride: "keycloak"

  ## @extra identityKeycloak.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param identityKeycloak.resources.requests.cpu
  ## @param identityKeycloak.resources.requests.memory
  ## @param identityKeycloak.resources.limits.cpu
  ## @param identityKeycloak.resources.limits.memory
  # Requests are what the scheduler reserves for the container; limits are the ceiling it is held to, which keeps a runaway or abused instance from starving other workloads on the node.
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @extra identityKeycloak.image configuration.
  # https://hub.docker.com/r/bitnami/keycloak/tags
  image:
    # NOTE(review): the tags link above this block is for bitnami/keycloak, while the repository set here is
    # camunda/keycloak - check the tag against the repository that is actually pulled.
    ## @param identityKeycloak.image.repository image repo
    repository: camunda/keycloak
    ## @param identityKeycloak.image.tag image tag
    # A tag is a mutable reference. Bitnami charts generally also accept "image.digest", which overrides
    # the tag when set, for deployments that need an immutable image reference - confirm for the chart version in use.
    tag: 26.1.4

  ## @extra identityKeycloak.postgresql configuration.
  postgresql:
    # https://hub.docker.com/r/bitnami/postgresql/tags
    image:
      ## @param identityKeycloak.postgresql.image.repository image repo
      repository: bitnami/postgresql
      ## @param identityKeycloak.postgresql.image.tag image tag
      tag: 15.10.0-debian-12-r2
    auth:
      ## @param identityKeycloak.postgresql.auth.existingSecret defines the existing secret resource containing the database credentials
      existingSecret: ""
      secretKeys:
        ## @param identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
        adminPasswordKey: "postgres-password"
        ## @param identityKeycloak.postgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
        userPasswordKey: "password"
    primary:
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.enabled
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.privileged
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.allowPrivilegeEscalation
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.runAsNonRoot
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.runAsUser
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.capabilities.drop
      ## @param identityKeycloak.postgresql.primary.containerSecurityContext.seccompProfile.type
      containerSecurityContext:
        enabled: true
        privileged: false
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 1001
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
      ## @param identityKeycloak.postgresql.primary.podSecurityContext.enabled
      ## @param identityKeycloak.postgresql.primary.podSecurityContext.runAsNonRoot
      ## @param identityKeycloak.postgresql.primary.podSecurityContext.fsGroup
      podSecurityContext:
        enabled: true
        runAsNonRoot: true
        fsGroup: 1001
  # Keycloak.proxy defines the proxy mode, which depends on where TLS is terminated in your environment.
  # Docs: https://www.keycloak.org/server/reverseproxy
  # "edge" means TLS ends at the reverse proxy and the proxy talks plain HTTP to Keycloak, so Keycloak
  # relies on the forwarding headers set by that proxy. Keep Keycloak reachable only through the proxy
  # (the service type further down is ClusterIP) so clients cannot supply those headers themselves.
  ## @param identityKeycloak.proxy keycloak proxy
  proxy: edge

  ## @extra identityKeycloak.tls can be used to enable TLS encryption. Required for HTTPS traffic.
  tls:
    ## @param identityKeycloak.tls.enabled enabling tls
    # With this off, traffic between the proxy and the Keycloak pod is unencrypted inside the cluster.
    enabled: false

  # NOTE: Since Helm v3 (latest checked 3.10.x) doesn't merge lists with custom values files, then you will need to
  # add this to your own values file if you override any of "extraVolumes", "initContainers", or "extraVolumeMounts".
  ## @skip identityKeycloak.extraVolumes [object] Extra volumes for keycloak
  ## @skip identityKeycloak.extraVolumes[0].name
  ## @skip identityKeycloak.extraVolumes[0].emptyDir
  ## @skip identityKeycloak.extraVolumes[1].name
  ## @skip identityKeycloak.extraVolumes[1].emptyDir
  extraVolumes:
  - name: data-tmp
    emptyDir: {}
  ## @param identityKeycloak.extraVolumeMounts[0].name
  ## @param identityKeycloak.extraVolumeMounts[0].mountPath
  extraVolumeMounts:
  - name: data-tmp
    mountPath: /opt/bitnami/keycloak/data/tmp

  ## @param identityKeycloak.containerSecurityContext.privileged
  ## @param identityKeycloak.containerSecurityContext.readOnlyRootFilesystem
  ## @param identityKeycloak.containerSecurityContext.allowPrivilegeEscalation
  ## @param identityKeycloak.containerSecurityContext.runAsNonRoot
  ## @param identityKeycloak.containerSecurityContext.runAsUser
  ## @param identityKeycloak.containerSecurityContext.capabilities.drop
  ## @param identityKeycloak.containerSecurityContext.seccompProfile.type
  containerSecurityContext:
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1001
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: RuntimeDefault
  ## @param identityKeycloak.podSecurityContext.runAsNonRoot
  ## @param identityKeycloak.podSecurityContext.fsGroup
  podSecurityContext:
    runAsNonRoot: true
    fsGroup: 1001
  ## @param identityKeycloak.httpRelativePath defines the context for Keycloak. This config is valid for Keycloak v19.x.x only
  # where in Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's configurable.
  # NOTE: This should be the same as ".Values.global.identity.keycloak.contextPath" plus a trailing slash,
  # but it cannot be referenced directly because of a bug in Helm (tested with Helm v3.9.3).
  # NOTE: In Keycloak v23, accessing this path without the trailing slash will return "Internal Server Error".
  httpRelativePath: /auth/
  ## @extra identityKeycloak.extraEnvVars
  ## @param identityKeycloak.extraEnvVars[0].name
  ## @param identityKeycloak.extraEnvVars[0].value
  extraEnvVars:
  # KEYCLOAK_PROXY_ADDRESS_FORWARDING can be used with Ingress that has SSL Termination. It will be "true" if the TLS
  # in global Ingress is enabled, but it could be overwritten with separate Ingress setup.
  # NOTE(review): when this resolves to "true", Keycloak presumably takes the client address and scheme from
  # the proxy's forwarding headers - confirm that the Ingress sets (and overwrites) those headers itself
  # rather than passing through whatever a client sends.
  - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
    value: "{{ .Values.global.ingress.tls.enabled }}"

  # Keycloak is exposed through the global Ingress when the Ingress under "global.ingress" is enabled. However, it's possible to set up Keycloak on a separate Ingress if needed.
  # For more details: https://github.com/bitnami/charts/tree/main/bitnami/keycloak#configure-ingress
  ingress:
    ## @param identityKeycloak.ingress.enabled can be used enable ingress record generation for Keycloak.
    enabled: false
    ## @param identityKeycloak.ingress.tls can be used to enable TLS configuration for the host defined at ingress.hostname parameter.
    tls: false
    ## @param identityKeycloak.ingress.extraTls configuration for additional hostnames to be covered with this ingress record.
    extraTls: []
    ## @param identityKeycloak.ingress.annotations [object] configures annotations to be applied to the ingress record.
    annotations:
    ## @skip identityKeycloak.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param identityKeycloak.ingress.pathType defines Ingress path type.
    pathType: Prefix

  ## @extra identityKeycloak.service configuration, to configure the service which is deployed along with keycloak
  service:
    ## @param identityKeycloak.service.type can be set to change the service type.
    # We use clusterIP for keycloak service, since per default LoadBalancer is used, which is not supported on all cloud providers.
    # This might prevent scheduling of the service.
    type: ClusterIP
  ## Keycloak authentication parameters
  ## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
  ##
  ## @extra identityKeycloak.auth uses the secrets generated by keycloak, to access keycloak.
  auth:
    ## @param identityKeycloak.auth.adminUser defines the keycloak administrator user
    adminUser: admin
    ## @param identityKeycloak.auth.existingSecret can be used to reuse an existing secret containing authentication information.
    # See https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ for more details.
    # No admin password is set in this file. NOTE(review): with an empty existingSecret the password
    # presumably comes from a chart-generated secret (see "global.secrets" at the top of this file) - confirm
    # which secret is used and who can read it.
    existingSecret: ""
    ## @param identityKeycloak.auth.passwordSecretKey defines the key within the existing secret object.
    passwordSecretKey: "admin-password"


#######################################################################
#     #               #     #
#  #  # ###### #####  ##   ##  ####  #####  ###### #      ###### #####
#  #  # #      #    # # # # # #    # #    # #      #      #      #    #
#  #  # #####  #####  #  #  # #    # #    # #####  #      #####  #    #
#  #  # #      #    # #     # #    # #    # #      #      #      #####
#  #  # #      #    # #     # #    # #    # #      #      #      #   #
 ## ##  ###### #####  #     #  ####  #####  ###### ###### ###### #    #
#######################################################################
## @section WebModeler Parameters
# WebModeler configuration of the WebModeler deployment
webModeler:
  ## @param webModeler.enabled if true, the WebModeler deployment and its related resources are deployed via a helm release
  enabled: true

  ## @param webModeler.fullnameOverride can be used to override the full name of the WebModeler resources
  fullnameOverride: ""
  ## @param webModeler.nameOverride can be used to partly override the name of the WebModeler resources (names will still be prefixed with the release name)
  nameOverride: ""

  ## @extra webModeler.image configuration of the WebModeler Docker images
  image:
    ## @param webModeler.image.registry can be used to set the Docker registry for the WebModeler images (overwrites global.image.registry)
    registry: repo.gbpiweb.loc/public-images
    ## @param webModeler.image.tag can be used to set the Docker image tag for the WebModeler images (overwrites global.image.tag)
    # renovate: datasource=docker depName=camunda/web-modeler-restapi
    tag: 8.7.0
    ## @param webModeler.image.pullSecrets can be used to configure image pull secrets, see https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets:
      - name: repo-gbpiweb-loc

  # Note: The WebSocket application will be exposed on the configured path suffixed with "-ws", e.g. "/modeler-ws"
  # contextPath: "/modeler"
  ## @param webModeler.contextPath can be used to make WebModeler available on a custom sub-path. This is mainly used to run the Camunda web applications under a single domain.
  contextPath: "/modeler"

  # WebModeler.
  ######                         #    ######  ###
  #     # ######  ####  #####   # #   #     #  #
  #     # #      #        #    #   #  #     #  #
  ######  #####   ####    #   #     # ######   #
  #   #   #           #   #   ####### #        #
  #    #  #      #    #   #   #     # #        #
  #     # ######  ####    #   #     # #       ###
  ## @section WebModeler - RestAPI Parameters
  ## @extra webModeler.restapi configuration of the WebModeler restapi component
  restapi:
    ## @extra webModeler.restapi.image configuration of the restapi Docker image
    image:
      ## @param webModeler.restapi.image.repository defines which image repository to use for the restapi Docker image
      repository: camunda/web-modeler-restapi

    ## @param webModeler.restapi.sidecars can be used to attach extra containers to the restapi deployment
    sidecars: []
    ## @param webModeler.restapi.initContainers can be used to set up extra init containers for the application Pod
    initContainers: []

    ## @extra webModeler.restapi.externalDatabase can be used to configure a connection to an external database; will only be applied if the postgresql dependency chart is disabled (with `postgresql.enabled=false`)
    # Note: Currently, the only supported database system is PostgreSQL.
    externalDatabase:
      ## @param webModeler.restapi.externalDatabase.url defines the JDBC url of the database instance
      # NOTE(review): no TLS toggle is defined in this block, so encryption to the database presumably has to be
      # requested through the JDBC URL parameters - confirm.
      url: ""
      ## @param webModeler.restapi.externalDatabase.user defines the database user
      user: ""
      ## @param webModeler.restapi.externalDatabase.password can be used to provide the database user's password; ignored if `webModeler.restapi.externalDatabase.existingSecret` is set
      # A password given here is kept in plain text in the values file and in the Helm release data;
      # referencing an existing secret below avoids that.
      password: ""
      ## @param webModeler.restapi.externalDatabase.existingSecret can be used to provide the name of an existing secret resource containing the database password
      # NOTE(review): left without a value (null), whereas the Keycloak sections of this file use "" for
      # the same purpose - confirm the templates treat both as "not set".
      existingSecret: 
      ## @param webModeler.restapi.externalDatabase.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the database password
      existingSecretPasswordKey: "database-password"

    ## @extra webModeler.restapi.mail configuration for emails sent by WebModeler
    mail:
      ## @param webModeler.restapi.mail.smtpHost defines the host name of the SMTP server to be used by WebModeler
      smtpHost: ""
      ## @param webModeler.restapi.mail.smtpPort defines the port number of the SMTP server
      smtpPort: 587
      ## @param webModeler.restapi.mail.smtpUser can be used to provide a user for the SMTP server
      smtpUser: ""
      ## @param webModeler.restapi.mail.smtpPassword can be used to provide a password for the SMTP server; ignored if `webModeler.restapi.mail.existingSecret` is set
      # A password given here is kept in plain text in the values file and in the Helm release data;
      # referencing an existing secret below avoids that.
      smtpPassword: ""
      ## @param webModeler.restapi.mail.smtpTlsEnabled if true, enforces TLS encryption for SMTP connections (using STARTTLS)
      # Keep this enabled whenever SMTP credentials are configured, so they are not sent over an unencrypted connection.
      smtpTlsEnabled: true
      ## @param webModeler.restapi.mail.existingSecret can be used to provide the name of an existing secret resource containing the SMTP password
      # NOTE(review): left without a value (null), whereas the Keycloak sections of this file use "" for
      # the same purpose - confirm the templates treat both as "not set".
      existingSecret:
      ## @param webModeler.restapi.mail.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the SMTP password
      existingSecretPasswordKey: "smtppassword"
      ## @param webModeler.restapi.mail.fromAddress defines the email address that will be displayed as the sender of emails sent by WebModeler
      # NOTE: This value is mandatory.
      fromAddress: "modeler@bancobpi.pt"
      ## @param webModeler.restapi.mail.fromName defines the name that will be displayed as the sender of emails sent by WebModeler
      fromName: "camunda8"

    ## @param webModeler.restapi.clusters can be used to configure Camunda 8 clusters that will be available in Web Modeler (will override default cluster configuration that is used if `zeebe.enabled=true`)
    clusters: []
    #  - id: "default-cluster"
    #    name: "Default cluster"
    #    version: "8.7.0"
    #    authentication: "BEARER_TOKEN"
    #    url:
    #      zeebe:
    #        grpc: "grpc://camunda-platform-zeebe-gateway:26500"
    #        rest: "http://camunda-platform-zeebe-gateway:8080"
    #      operate: "http://camunda-platform-operate:80"
    #      tasklist: "http://camunda-platform-tasklist:80"
    #    # only required for authentication type CLIENT_CREDENTIALS
    #    oauth:
    #      url: https://auth.example.com/token    # required (URL of the token endpoint)
    #      scope: "custom-scope"                  # optional (default is empty)
    #      audience:
    #        zeebe: "custom-zeebe-audience"       # optional (default is "zeebe-api")
    #        operate: "custom-operate-audience"   # optional (default is "operate-api")
    #        tasklist: "custom-tasklist-audience" # optional (default is "tasklist-api")

    ## @param webModeler.restapi.podAnnotations can be used to define extra restapi pod annotations
    podAnnotations: {}
    ## @param webModeler.restapi.podLabels can be used to define extra restapi pod labels
    podLabels: {}

    ## @param webModeler.restapi.env can be used to set extra environment variables in each restapi container
    env: []
    ## @param webModeler.restapi.envFrom list of environment variables to import from configMapRef and secretRef
    envFrom: []
    ## @param webModeler.restapi.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.restapi.extraVolumes can be used to define extra volumes for the restapi pods, useful for TLS and self-signed certificates
    extraVolumes: []
    ## @param webModeler.restapi.extraVolumeMounts can be used to mount extra volumes for the restapi pods, useful for TLS and self-signed certificates
    extraVolumeMounts: []

    ## @extra webModeler.restapi.podSecurityContext can be used to define the security options the restapi pod should be run with
    podSecurityContext:
      ## @param webModeler.restapi.podSecurityContext.runAsNonRoot
      ## @param webModeler.restapi.podSecurityContext.fsGroup
      runAsNonRoot: true
      fsGroup: 1001
      ## @extra webModeler.restapi.podSecurityContext.seccompProfile
      seccompProfile:
      ## @param webModeler.restapi.podSecurityContext.seccompProfile.type
        type: RuntimeDefault
    ## @extra webModeler.restapi.containerSecurityContext can be used to define the security options the restapi container should be run with
    ## @param webModeler.restapi.containerSecurityContext.privileged
    ## @param webModeler.restapi.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.restapi.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.restapi.containerSecurityContext.runAsNonRoot
    ## @param webModeler.restapi.containerSecurityContext.runAsUser
    containerSecurityContext:
      # NOTE(review): unlike identityKeycloak.containerSecurityContext in this file, no capabilities are dropped
      # here; adding `capabilities.drop: ["ALL"]` would match it, provided the chart template and the image
      # allow it - confirm.
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
      ## @extra webModeler.restapi.containerSecurityContext.seccompProfile
      seccompProfile:
        ## @param webModeler.restapi.containerSecurityContext.seccompProfile.type
        type: RuntimeDefault

    ## @extra webModeler.restapi.startupProbe configuration of the restapi startup probe
    startupProbe:
      ## @param webModeler.restapi.startupProbe.enabled if true, the startup probe will be enabled for the restapi container
      enabled: false
      ## @param webModeler.restapi.startupProbe.scheme defines the scheme (HTTP or HTTPS) the startup probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.startupProbe.probePath defines the HTTP endpoint used for the startup probe
      probePath: /health/liveness
      ## @param webModeler.restapi.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.restapi.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.restapi.readinessProbe configuration of the restapi readiness probe
    readinessProbe:
      ## @param webModeler.restapi.readinessProbe.enabled if true, the readiness probe will be enabled for the restapi container
      enabled: true
      ## @param webModeler.restapi.readinessProbe.scheme defines the scheme (HTTP or HTTPS) the readiness probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.readinessProbe.probePath defines the HTTP endpoint used for the readiness probe
      probePath: /health/readiness
      ## @param webModeler.restapi.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.restapi.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.restapi.livenessProbe configuration of the restapi liveness probe
    livenessProbe:
      ## @param webModeler.restapi.livenessProbe.enabled if true, the liveness probe will be enabled for the restapi container
      enabled: false
      ## @param webModeler.restapi.livenessProbe.scheme defines the scheme (HTTP or HTTPS) the liveness probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.livenessProbe.probePath defines the HTTP endpoint used for the liveness probe
      probePath: /health/liveness
      ## @param webModeler.restapi.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.restapi.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## Metrics configuration
    metrics:
      ## @param webModeler.restapi.metrics.prometheus Prometheus metrics endpoint
      prometheus: /metrics

    ## @param webModeler.restapi.nodeSelector can be used to select the nodes the restapi pods should run on
    nodeSelector: {}
    ## @param webModeler.restapi.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.restapi.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.restapi.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.restapi.resources.requests.cpu
    ## @param webModeler.restapi.resources.requests.memory
    ## @param webModeler.restapi.resources.limits.cpu
    ## @param webModeler.restapi.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 512Mi
      limits:
        cpu: 500m
        memory: 1Gi

    ## @extra webModeler.restapi.service configuration of the WebModeler restapi service
    service:
      ## @param webModeler.restapi.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}
      ## @param webModeler.restapi.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.restapi.service.port defines the default port of the service
      port: 80
      ## @param webModeler.restapi.service.managementPort defines the management port of the service
      managementPort: 8091

    ## @param webModeler.restapi.configuration if specified, contents will be used as the application.yaml
    configuration: ""
    ## @param webModeler.restapi.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
    extraConfiguration: {}
    ## @param webModeler.restapi.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
    dnsPolicy: ""
    ## @param webModeler.restapi.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
    dnsConfig: { }

  # WebModeler.
  #    # ###### #####    ##   #####  #####
  #    # #      #    #  #  #  #    # #    #
  #    # #####  #####  #    # #    # #    #
  # ## # #      #    # ###### #####  #####
  ##  ## #      #    # #    # #      #
  #    # ###### #####  #    # #      #
  ## @section WebModeler - WebApp Parameters
  ## @extra webModeler.webapp configuration of the WebModeler webapp component
  webapp:
    ## @extra webModeler.webapp.image configuration of the webapp Docker image
    image:
      ## @param webModeler.webapp.image.repository defines which image repository to use for the webapp Docker image
      repository: camunda/web-modeler-webapp

    ## @param webModeler.webapp.sidecars can be used to attach extra containers to the modeler webapp deployment
    sidecars: []
    ## @param webModeler.webapp.initContainers can be used to set up extra init containers for the application Pod
    initContainers: []

    ## @param webModeler.webapp.podAnnotations can be used to define extra webapp pod annotations
    podAnnotations: {}
    ## @param webModeler.webapp.podLabels can be used to define extra webapp pod labels
    podLabels: {}

    ## @param webModeler.webapp.env can be used to set extra environment variables in each webapp container
    env: []
    ## @param webModeler.webapp.envFrom list of environment variables to import from configMapRef and secretRef
    envFrom: []
    ## @param webModeler.webapp.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.webapp.extraVolumes can be used to define extra volumes for the webapp pods, useful for TLS and self-signed certificates
    extraVolumes: []
    ## @param webModeler.webapp.extraVolumeMounts can be used to mount extra volumes for the webapp pods, useful for TLS and self-signed certificates
    extraVolumeMounts: []

    ## @extra webModeler.webapp.podSecurityContext can be used to define the security options the webapp pod should be run with
    ## @param webModeler.webapp.podSecurityContext.runAsNonRoot
    ## @param webModeler.webapp.podSecurityContext.fsGroup
    podSecurityContext:
      runAsNonRoot: true
      fsGroup: 1001
      ## @extra webModeler.webapp.podSecurityContext.seccompProfile
      seccompProfile:
        ## @param webModeler.webapp.podSecurityContext.seccompProfile.type
        type: RuntimeDefault
    ## @extra webModeler.webapp.containerSecurityContext can be used to define the security options the webapp container should be run with
    ## @param webModeler.webapp.containerSecurityContext.privileged
    ## @param webModeler.webapp.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.webapp.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.webapp.containerSecurityContext.runAsNonRoot
    ## @param webModeler.webapp.containerSecurityContext.runAsUser
    containerSecurityContext:
      # NOTE(review): unlike identityKeycloak.containerSecurityContext in this file, no capabilities are dropped
      # here; adding `capabilities.drop: ["ALL"]` would match it, provided the chart template and the image
      # allow it - confirm.
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
      ## @extra webModeler.webapp.containerSecurityContext.seccompProfile
      seccompProfile:
        ## @param webModeler.webapp.containerSecurityContext.seccompProfile.type
        type: RuntimeDefault

    ## @extra webModeler.webapp.startupProbe configuration of the webapp startup probe
    startupProbe:
      ## @param webModeler.webapp.startupProbe.enabled if true, the startup probe will be enabled for the webapp container
      enabled: false
      ## @param webModeler.webapp.startupProbe.scheme defines the scheme (HTTP or HTTPS) the startup probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.startupProbe.probePath defines the HTTP endpoint used for the startup probe
      probePath: /health/liveness
      ## @param webModeler.webapp.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.webapp.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.webapp.readinessProbe configuration of the webapp readiness probe
    readinessProbe:
      ## @param webModeler.webapp.readinessProbe.enabled if true, the readiness probe will be enabled for the webapp container
      enabled: true
      ## @param webModeler.webapp.readinessProbe.scheme defines the scheme (HTTP or HTTPS) the readiness probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.readinessProbe.probePath defines the HTTP endpoint used for the readiness probe
      probePath: /health/readiness
      ## @param webModeler.webapp.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.webapp.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.webapp.livenessProbe configuration of the webapp liveness probe
    livenessProbe:
      ## @param webModeler.webapp.livenessProbe.enabled if true, the liveness probe will be enabled for the webapp container
      enabled: false
      ## @param webModeler.webapp.livenessProbe.scheme defines the scheme (HTTP or HTTPS) the liveness probe uses when calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.livenessProbe.probePath defines the HTTP endpoint used for the liveness probe
      probePath: /health/liveness
      ## @param webModeler.webapp.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.webapp.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## Metrics configuration
    metrics:
      ## @param webModeler.webapp.metrics.prometheus Prometheus metrics endpoint
      prometheus: /metrics

    ## @param webModeler.webapp.nodeSelector can be used to select the nodes the webapp pods should run on
    nodeSelector: {}
    ## @param webModeler.webapp.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.webapp.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.webapp.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.webapp.resources.requests.cpu
    ## @param webModeler.webapp.resources.requests.memory
    ## @param webModeler.webapp.resources.limits.cpu
    ## @param webModeler.webapp.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 500m
        memory: 512Mi

    ## @extra webModeler.webapp.service configuration of the WebModeler webapp service
    service:
      ## @param webModeler.webapp.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}
      ## @param webModeler.webapp.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.webapp.service.port defines the port of the service
      port: 80
      ## @param webModeler.webapp.service.managementPort defines the management port of the service
      managementPort: 8071

    ## @param webModeler.webapp.configuration if specified, contents will be used as the application.yaml
    configuration: ""
    ## @param webModeler.webapp.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
    extraConfiguration: {}
    ## @param webModeler.webapp.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
    dnsPolicy: ""
    ## @param webModeler.webapp.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
    dnsConfig: {}

  # WebModeler.
  #    # ###### #####   ####   ####   ####  #    # ###### #####  ####
  #    # #      #    # #      #    # #    # #   #  #        #   #
  #    # #####  #####   ####  #    # #      ####   #####    #    ####
  # ## # #      #    #      # #    # #      #  #   #        #        #
  ##  ## #      #    # #    # #    # #    # #   #  #        #   #    #
  #    # ###### #####   ####   ####   ####  #    # ######   #    ####
  ## @section WebModeler - WebSockets Parameters
  ## @extra webModeler.websockets configuration of the WebModeler websockets component
  websockets:
    enabled: false

    ## @extra webModeler.websockets.image configuration of the websockets Docker image
    image:
      ## @param webModeler.websockets.image.repository defines which image repository to use for the websockets Docker image
      repository: camunda/web-modeler-websockets

    ## @param webModeler.websockets.sidecars can be used to attach extra containers to the modeler websockets deployment
    sidecars: []
    ## @param webModeler.websockets.initContainers can be used to set up extra init containers for the application Pod
    initContainers: []

    ## @param webModeler.websockets.publicHost can be used to define the host on which the WebSockets server can be reached from the WebModeler client in the browser.
    # The default value assumes that a port-forwarding to the websockets service has been created.
    # Note: The host will only be used if the Ingress resource for WebModeler is disabled.
    publicHost: localhost
    ## @param webModeler.websockets.publicPort can be used to define the port number on which the WebSockets server can be reached from the WebModeler client in the browser.
    # The default value assumes that a port-forwarding to the websockets service on port 8085 has been created.
    # Note: The port will only be used if the Ingress resource for WebModeler is disabled.
    publicPort: 8085

    ## @param webModeler.websockets.podAnnotations can be used to define extra websockets pod annotations
    podAnnotations: {}
    ## @param webModeler.websockets.podLabels can be used to define extra websockets pod labels
    podLabels: {}

    ## @param webModeler.websockets.env can be used to set extra environment variables in each websockets container
    env: []
    ## @param webModeler.websockets.envFrom list of environment variables to import from configMapRef and secretRef
    envFrom: []
    ## @param webModeler.websockets.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.websockets.extraVolumes can be used to define extra volumes for the websockets pod; useful for logging to a file
    extraVolumes: []
    ## @param webModeler.websockets.extraVolumeMounts can be used to mount extra volumes for the websockets pod; useful for logging to a file
    extraVolumeMounts: []

    ## @extra webModeler.websockets.podSecurityContext can be used to define the security options the websockets pod should be run with
    ## @param webModeler.websockets.podSecurityContext.runAsNonRoot
    ## @param webModeler.websockets.podSecurityContext.fsGroup
    podSecurityContext:
      runAsNonRoot: true
      fsGroup: 1001
      ## @extra webModeler.websockets.podSecurityContext.seccompProfile
      seccompProfile:
        ## @param webModeler.websockets.podSecurityContext.seccompProfile.type
        type: RuntimeDefault
    ## @extra webModeler.websockets.containerSecurityContext can be used to define the security options the websockets container should be run with
    ## @param webModeler.websockets.containerSecurityContext.privileged
    ## @param webModeler.websockets.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.websockets.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.websockets.containerSecurityContext.runAsNonRoot
    ## @param webModeler.websockets.containerSecurityContext.runAsUser
    # The defaults are restrictive: no privilege escalation, not privileged,
    # read-only root filesystem, and a fixed non-root UID (1001).
    # With readOnlyRootFilesystem: true, every path the container writes to must
    # be backed by a volume (see extraVolumes / extraVolumeMounts above).
    # NOTE(review): no Linux capabilities are dropped here, whereas
    # postgresql.primary.containerSecurityContext in this file sets
    # capabilities.drop: ["ALL"]. Consider the same for this container; confirm
    # the image runs without capabilities and that the deployment template
    # passes the extra key through.
    containerSecurityContext:
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
      ## @extra webModeler.websockets.containerSecurityContext.seccompProfile
      seccompProfile:
        ## @param webModeler.websockets.containerSecurityContext.seccompProfile.type
        # RuntimeDefault applies the container runtime's default seccomp filter.
        type: RuntimeDefault

    ## @extra webModeler.websockets.startupProbe configuration of the websockets startup probe
    startupProbe:
      ## @param webModeler.websockets.startupProbe.enabled if true, the startup probe will be enabled for the websockets container
      enabled: false
      ## @param webModeler.websockets.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.websockets.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.websockets.readinessProbe configuration of the websockets readiness probe
    readinessProbe:
      ## @param webModeler.websockets.readinessProbe.enabled if true, the readiness probe will be enabled for the websockets container
      enabled: true
      ## @param webModeler.websockets.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.websockets.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.websockets.livenessProbe configuration of the websockets liveness probe
    livenessProbe:
      ## @param webModeler.websockets.livenessProbe.enabled if true, the liveness probe will be enabled for the websockets container
      enabled: false
      ## @param webModeler.websockets.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.websockets.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @param webModeler.websockets.nodeSelector can be used to select the nodes the websockets pods should run on
    nodeSelector: {}
    ## @param webModeler.websockets.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.websockets.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.websockets.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.websockets.resources.requests.cpu
    ## @param webModeler.websockets.resources.requests.memory
    ## @param webModeler.websockets.resources.limits.cpu
    ## @param webModeler.websockets.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 200m
        memory: 128Mi

    ## @extra webModeler.websockets.service configuration of the WebModeler websockets service
    service:
      ## @param webModeler.websockets.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}
      ## @param webModeler.websockets.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.websockets.service.port defines the port of the service
      port: 80
    ## @param webModeler.websockets.configuration if specified, contents will be used as the application.yaml
    configuration: ""
    ## @param webModeler.websockets.extraConfiguration if specified, contents will be used for any extra configuration files such as log4j2.xml
    extraConfiguration: {}
    ## @param webModeler.websockets.dnsPolicy https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
    dnsPolicy: ""
    ## @param webModeler.websockets.dnsConfig https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
    dnsConfig: {}

  ## @extra webModeler.serviceAccount configuration for the service account the WebModeler pods are assigned to
  serviceAccount:
    ## @param webModeler.serviceAccount.enabled if true, enables the WebModeler service account
    enabled: true
    ## @param webModeler.serviceAccount.name can be used to set the name of the WebModeler service account
    # Empty by default; how the name is derived when empty is decided by the
    # chart templates, which are not shown in this file.
    name: ""
    ## @param webModeler.serviceAccount.annotations can be used to set the annotations of the WebModeler service account
    annotations: {}
    ## @param webModeler.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    # Default false: the pods do not receive a Kubernetes API token through this
    # setting. Leave it off unless a workload really has to call the API server,
    # and then bind the service account to a narrowly scoped Role.
    automountServiceAccountToken: false

  # Dedicated Ingress for WebModeler (webapp and websockets hosts). Disabled by
  # default; the description of webModeler.ingress.enabled below marks this
  # separated ingress as deprecated in favour of global.ingress.
  ingress:
    ## @param webModeler.ingress.enabled if true, an Ingress resource will be deployed with the WebModeler deployment. Only useful if an Ingress controller like NGINX is available. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param webModeler.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param webModeler.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip webModeler.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip webModeler.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip webModeler.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Annotation values are quoted on purpose: annotations must be strings, and
    # unquoted false / on would be parsed as booleans by YAML 1.1 loaders.
    # NOTE(review): ssl-redirect is 'false' and both tls.enabled flags below
    # default to false, so with these defaults the Ingress serves WebModeler
    # over plain HTTP. When TLS is enabled, set ssl-redirect to 'true' as well
    # so that clients are not left on HTTP.
    # NOTE(review): proxy-buffering is set below but has no matching @skip line
    # above, unlike the other three annotations.
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @extra webModeler.ingress.webapp configuration of the webapp ingress
    webapp:
      ## @param webModeler.ingress.webapp.host defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name on which the WebModeler web application will be available
      # Note: The value must be different from ingress.websockets.host
      host: ""
      ## @param webModeler.ingress.webapp.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
      pathType: Prefix
      ## @extra webModeler.ingress.webapp.tls configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param webModeler.ingress.webapp.tls.enabled if true, TLS will be configured on the ingress resource
        enabled: false
        ## @param webModeler.ingress.webapp.tls.secretName defines the secret name which contains the TLS private key and certificate
        # Presumably the Secret has to exist already (or be issued by a
        # certificate controller); nothing in this file creates it — verify.
        secretName: camunda-platform-webmodeler-webapp
    ## @extra webModeler.ingress.websockets configuration of the websockets ingress
    websockets:
      ## @param webModeler.ingress.websockets.host defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name the WebModeler client in the browser will use to connect to the WebSockets server
      # Note: The value must be different from ingress.webapp.host
      host: ""
      ## @param webModeler.ingress.websockets.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
      pathType: Prefix
      ## @extra webModeler.ingress.websockets.tls configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param webModeler.ingress.websockets.tls.enabled if true, TLS will be configured on the ingress resource
        # Keep this in step with webapp.tls.enabled: a page loaded over HTTPS
        # cannot open an unencrypted ws:// connection in current browsers.
        enabled: false
        ## @param webModeler.ingress.websockets.tls.secretName defines the secret name which contains the TLS private key and certificate
        secretName: camunda-platform-webmodeler-websockets

# WebModeler.
#####   ####   ####  #####  ####  #####  ######  ####   ####  #
#    # #    # #        #   #    # #    # #      #      #    # #
#    # #    #  ####    #   #      #    # #####   ####  #    # #
#####  #    #      #   #   #  ### #####  #           # #  # # #
#      #    # #    #   #   #    # #   #  #      #    # #   #  #
#       ####   ####    #    ####  #    # ######  ####   ### # ######
## @section WebModeler - PostgreSQL Parameters
## @extra postgresql configuration for the postgresql dependency chart used by WebModeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details.
postgresql:
  ## @param postgresql.enabled if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart
  # Note: If WebModeler is enabled, and WebModeler Postgresql is disabled, the external database configuration must be set under "webModeler.restapi.externalDatabase".
  enabled: true
  ## @extra postgresql.global.compatibility Compatibility adaptations for Kubernetes platforms
  global:
    ## Compatibility adaptations for Kubernetes platforms
    ##
    compatibility:
      ## Compatibility adaptations for Openshift
      ##
      openshift:
        ## @param postgresql.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
        ##
        # The value is a Go template expression: the parent chart's
        # global.compatibility.openshift.adaptSecurityContext, falling back to "disabled".
        # NOTE(review): Helm does not template values files on its own, so this
        # only takes effect if a template renders the value through tpl — verify.
        adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}"
  ## @param postgresql.nameOverride defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters
  # Note: Don't use "postgresql" which is already used for Keycloak's database.
  nameOverride: pgsmodel
  # https://hub.docker.com/r/bitnami/postgresql/tags
  ## @param postgresql.image.repository PostgreSQL repo
  ## @param postgresql.image.tag PostgreSQL image tag
  # NOTE(review): a tag is a mutable reference; the registry can serve different
  # content under the same tag later. Where reproducible deployments matter,
  # pin the image by digest as well (the Bitnami chart documents image.digest;
  # confirm the dependency version in use supports it).
  image:
    repository: bitnami/postgresql
    tag: 14.17.0-debian-12-r9
  ## @extra postgresql.auth configuration of the database authentication
  auth:
    ## @param postgresql.auth.username defines the name of the database user to be created for WebModeler
    username: web-modeler
    ## @param postgresql.auth.password can be used to provide the database user's password; a random password will be generated if left empty / ignored if `postgresql.auth.existingSecret` is set
    # A password written here ends up in plain text in the values file and in the
    # stored Helm release data. Prefer leaving it empty or using existingSecret.
    password: ""
    ## @param postgresql.auth.database defines the name of the database to be created for WebModeler
    database: web-modeler
    ## @param postgresql.auth.existingSecret can be used to provide the name of an existing secret resource containing the database password
    existingSecret: ""
    # Key names looked up inside existingSecret; the Secret must carry both keys.
    secretKeys:
      ## @param postgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
      adminPasswordKey: "postgres-password"
      ## @param postgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
      userPasswordKey: "password"

  ## @param postgresql.primary.containerSecurityContext.enabled
  ## @param postgresql.primary.containerSecurityContext.allowPrivilegeEscalation
  ## @param postgresql.primary.containerSecurityContext.privileged
  ## @param postgresql.primary.containerSecurityContext.readOnlyRootFilesystem
  ## @param postgresql.primary.containerSecurityContext.runAsNonRoot
  ## @param postgresql.primary.containerSecurityContext.runAsUser
  ## @param postgresql.primary.containerSecurityContext.capabilities.drop
  ## @param postgresql.primary.containerSecurityContext.seccompProfile.type
  # Hardened defaults for the database container: non-root UID 1001, read-only
  # root filesystem, no privilege escalation, all capabilities dropped, and the
  # runtime's default seccomp profile.
  primary:
    containerSecurityContext:
      enabled: true
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1001
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    ## @param postgresql.primary.podSecurityContext.enabled
    ## @param postgresql.primary.podSecurityContext.runAsNonRoot
    ## @param postgresql.primary.podSecurityContext.fsGroup
    # fsGroup matches runAsUser above (1001).
    podSecurityContext:
      enabled: true
      runAsNonRoot: true
      fsGroup: 1001

#####################################################################
 #####
#     #  ####  #    # #    # ######  ####  #####  ####  #####   ####
#       #    # ##   # ##   # #      #    #   #   #    # #    # #
#       #    # # #  # # #  # #####  #        #   #    # #    #  ####
#       #    # #  # # #  # # #      #        #   #    # #####       #
#     # #    # #   ## #   ## #      #    #   #   #    # #   #  #    #
 #####   ####  #    # #    # ######  ####    #    ####  #    #  ####
#####################################################################
## @section Connectors Parameters
## @extra connectors configuration for the Connectors.
connectors:
  ## @param connectors.enabled if true, the Connectors deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra connectors.inbound Switch for inbound mode (e.g., for webhook or polling)
  inbound:
    ## @param connectors.inbound.mode acceptable values: disabled, credentials, or oauth
    # Default is oauth. Per the description of auth.existingSecret below,
    # credentials mode authenticates with an Operate password read from a
    # Secret, i.e. a long-lived password that has to be rotated by hand.
    mode: oauth
    ## @extra connectors.inbound.auth configuration of the credentials authentication.
    auth:
      ## @param connectors.inbound.auth.existingSecret can be used to configure Secret name that contains Operate password (if inbound mode is credentials)
      # Empty by default; only relevant when mode is credentials.
      existingSecret: ""
      ## @param connectors.inbound.auth.existingSecretKey defines the key within the existing secret object.
      existingSecretKey: "connectors-secret"

  ## @extra connectors.image configuration to configure the Connectors image specifics
  # https://hub.docker.com/r/camunda/connectors-bundle/tags
  image:
    ## @param connectors.image.registry can be used to set container image registry.
    # This file points at a private registry path rather than Docker Hub, so the
    # image that runs is whatever that registry serves under the repository and
    # tag below.
    registry: repo.gbpiweb.loc/public-images
    ## @param connectors.image.repository defines which image repository to use
    repository: camunda/connectors-bundle
    ## @param connectors.image.tag can be set to overwrite the global tag, which should be used in that chart
    # NOTE(review): a tag is a mutable reference. If the chart version in use
    # supports digest pinning, pin the digest too so a re-pushed tag cannot
    # change what is deployed — verify against the chart templates.
    tag: 8.7.0
    ## @param connectors.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Only the Secret's name is referenced here; the registry credentials live in
    # the Secret itself, which must exist in the namespace the pods run in.
    pullSecrets:
      - name: repo-gbpiweb-loc

  ## @param connectors.sidecars can be used to attach extra containers to the connectors deployment
  sidecars: []
  ## @param connectors.initContainers can be used to set up extra init containers for the application Pod
  initContainers: []

  ## @param connectors.replicas number of Connectors replicas
  replicas: 1

  # contextPath: "/connectors"
  ## @param connectors.contextPath can be used to make Connectors web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: ""

  ## @param connectors.podAnnotations can be used to define extra Connectors pod annotations
  podAnnotations: {}
  ## @param connectors.podLabels can be used to define extra Connectors pod labels
  podLabels: {}

  ## @extra connectors.logging configuration for the Connectors logging. This template will be directly included in the Connectors configuration YAML file
  ## @param connectors.logging.level.io.camunda.connector
  logging:
    level:
      io.camunda.connector: ERROR

  ## @extra connectors.service configuration to configure the Connectors service.
  service:
    ## @param connectors.service.annotations can be used to define annotations, which will be applied to the Connectors service
    annotations: {}
    ## @param connectors.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param connectors.service.serverPort defines the port number where the Connector web application will be available
    serverPort: 8080
    ## @param connectors.service.serverName defines the port name where the Connector web application will be available
    serverName: http

  ## @extra connectors.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param connectors.resources.requests.cpu
  ## @param connectors.resources.requests.memory
  ## @param connectors.resources.limits.cpu
  ## @param connectors.resources.limits.memory
  resources:
    requests:
      cpu: 100m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi

  ## @param connectors.env can be used to set extra environment variables in each Connector container
  env: []
  ## @param connectors.envFrom list of environment variables to import from configMapRef and secretRef
  envFrom: []
  ## @param connectors.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param connectors.extraVolumes can be used to define extra volumes for the Connectors pods, useful for TLS and self-signed certificates
  extraVolumes: []
  ## @param connectors.extraVolumeMounts can be used to mount extra volumes for the Connectors pods, useful for TLS and self-signed certificates
  extraVolumeMounts: []

  ## @extra connectors.startupProbe configuration
  startupProbe:
    ## @param connectors.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param connectors.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param connectors.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param connectors.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param connectors.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra connectors.readinessProbe configuration
  readinessProbe:
    ## @param connectors.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param connectors.readinessProbe.scheme defines the readiness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param connectors.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param connectors.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param connectors.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra connectors.livenessProbe configuration
  livenessProbe:
    ## @param connectors.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param connectors.livenessProbe.scheme defines the liveness probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param connectors.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param connectors.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param connectors.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## Metrics configuration
  metrics:
    ## @param connectors.metrics.prometheus Prometheus metrics endpoint
    prometheus: /actuator/prometheus

  ## @extra connectors.serviceAccount configuration for the service account where the Connectors pods are assigned to
  serviceAccount:
    ## @param connectors.serviceAccount.enabled if true, enables the Connectors service account
    enabled: true
    ## @param connectors.serviceAccount.name can be used to set the name of the Connectors service account
    name: ""
    ## @param connectors.serviceAccount.annotations can be used to set the annotations of the Connectors service account
    annotations: {}
    ## @param connectors.serviceAccount.automountServiceAccountToken can be used to control whether the service account token should be automatically mounted
    automountServiceAccountToken: false

  # Dedicated Ingress for Connectors. Disabled by default; the description of
  # connectors.ingress.enabled below marks this separated ingress as deprecated
  # in favour of global.ingress.
  ingress:
    ## @param connectors.ingress.enabled if true, an ingress resource is deployed with the Connectors deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.
    enabled: false
    ## @param connectors.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param connectors.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip connectors.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip connectors.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip connectors.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    # Annotation values are quoted on purpose: annotations must be strings, and
    # unquoted false / on would be parsed as booleans by YAML 1.1 loaders.
    # NOTE(review): ssl-redirect is 'false' and tls.enabled below defaults to
    # false, so with these defaults the Ingress serves Connectors (including
    # inbound webhook traffic) over plain HTTP. When TLS is enabled, set
    # ssl-redirect to 'true' as well.
    annotations:
      ingress.kubernetes.io/rewrite-target: '/'
      nginx.ingress.kubernetes.io/ssl-redirect: 'false'
      nginx.ingress.kubernetes.io/proxy-buffer-size: '128k'
      nginx.ingress.kubernetes.io/proxy-buffering: 'on'
    ## @param connectors.ingress.path defines the path which is associated with the Connectors service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param connectors.ingress.pathType can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types
    pathType: Prefix
    ## @param connectors.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    # An empty host therefore matches every host name reaching the controller;
    # set an explicit host when the Ingress is enabled.
    host: ""
    ## @extra connectors.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param connectors.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param connectors.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      # Presumably the Secret has to exist already (or be issued by a
      # certificate controller); nothing in this file creates it — verify.
      secretName: camunda-platform-connectors

  ## @extra connectors.podSecurityContext defines the security options the Connectors pod should be run with
  podSecurityContext:
    ## @param connectors.podSecurityContext.runAsNonRoot if true, the containers of the pod are required to run as a non-root user
    runAsNonRoot: true
    ## @param connectors.podSecurityContext.fsGroup defines the group ID which is applied to the volumes mounted into the pod
    fsGroup: 1001
    ## @extra connectors.podSecurityContext.seccompProfile defines the seccomp profile which is applied to the containers of the pod
    seccompProfile:
      ## @param connectors.podSecurityContext.seccompProfile.type defines the seccomp profile type; RuntimeDefault selects the default profile of the container runtime
      type: RuntimeDefault

  ## @extra connectors.containerSecurityContext defines the security options the Connectors container should be run with
  ## @param connectors.containerSecurityContext.privileged if true, the container runs in privileged mode
  ## @param connectors.containerSecurityContext.readOnlyRootFilesystem if true, the root filesystem of the container is mounted read-only
  ## @param connectors.containerSecurityContext.allowPrivilegeEscalation if true, a process can gain more privileges than its parent process
  ## @param connectors.containerSecurityContext.runAsNonRoot if true, the container is required to run as a non-root user
  ## @param connectors.containerSecurityContext.runAsUser defines the user ID which the container process runs as
  # The defaults below form a hardened baseline: non-root user, no privilege escalation, not privileged,
  # read-only root filesystem. With a read-only root filesystem, every path the application writes to
  # has to be backed by a mounted volume.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    runAsUser: 1001
    ## @extra connectors.containerSecurityContext.seccompProfile defines the seccomp profile which is applied to the container
    seccompProfile:
      ## @param connectors.containerSecurityContext.seccompProfile.type defines the seccomp profile type; RuntimeDefault selects the default profile of the container runtime
      type: RuntimeDefault

  ## @param connectors.nodeSelector can be used to define on which nodes the Connectors pods should run
  nodeSelector: {}
  ## @param connectors.tolerations can be used to define pod tolerations https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param connectors.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  ## @param connectors.configuration if specified, contents will be used as the application.yaml
  # NOTE(review): presumably rendered into a ConfigMap by the chart templates (not visible here) - confirm, and keep credentials out of this value.
  configuration: ""
  ## @param connectors.extraConfiguration if specified, contents will be used for any extra configuration files such as the log4j2.xml
  extraConfiguration: {}
  ## @param connectors.dnsPolicy can be used to set the DNS policy of the Connectors pods https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ""
  ## @param connectors.dnsConfig can be used to set the DNS configuration of the Connectors pods https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}

#####################################################################################
#######
#       #        ##    ####  ##### #  ####   ####  ######   ##   #####   ####  #    #
#       #       #  #  #        #   # #    # #      #       #  #  #    # #    # #    #
#####   #      #    #  ####    #   # #       ####  #####  #    # #    # #      ######
#       #      ######      #   #   # #           # #      ###### #####  #      #    #
#       #      #    # #    #   #   # #    # #    # #      #    # #   #  #    # #    #
####### ###### #    #  ####    #   #  ####   ####  ###### #    # #    #  ####  #    #
#####################################################################################

## @section Elasticsearch Parameters

## @extra elasticsearch
elasticsearch:
  ## @param elasticsearch.enabled
  enabled: true
  ## @extra elasticsearch.global.compatibility Compatibility adaptations for Kubernetes platforms
  global:
    ## Compatibility adaptations for Kubernetes platforms
    ##
    compatibility:
      ## Compatibility adaptations for Openshift
      ##
      openshift:
        ## @param elasticsearch.global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
        ##
        # The value is a template string which takes over global.compatibility.openshift.adaptSecurityContext
        # and falls back to "disabled" when that is not set.
        adaptSecurityContext: "{{ .Values.global.compatibility.openshift.adaptSecurityContext | default \"disabled\" }}"
  # https://hub.docker.com/r/bitnami/elasticsearch/tags
  # The image is referenced by tag only. A tag can be re-pointed in the registry, so pin the image
  # by digest where reproducible and verifiable deployments are required.
  image:
    ## @param elasticsearch.image.repository
    repository: bitnami/elasticsearch
    ## @param elasticsearch.image.tag
    tag: 8.17.4
  ## @param elasticsearch.extraConfig Append extra configuration to the elasticsearch node configuration
  extraConfig: |
    # Disable deprecation warnings - https://github.com/camunda/camunda/issues/26285
    logger.org.elasticsearch.deprecation: "OFF"
  master:
    ## @param elasticsearch.master.replicaCount defines number of master-eligible replicas to deploy
    replicaCount: 3
    ## @param elasticsearch.master.podAntiAffinityPreset defines Pod anti-affinity preset. Ignored if master.affinity is set
    podAntiAffinityPreset: hard
    containerSecurityContext:
      ## @param elasticsearch.master.containerSecurityContext.readOnlyRootFilesystem
      readOnlyRootFilesystem: true
    ## @param elasticsearch.master.masterOnly
    masterOnly: false
    ## @param elasticsearch.master.heapSize
    heapSize: 1024m
    persistence:
      ## @param elasticsearch.master.persistence.size
      size: 64Gi
    resources:
      requests:
        ## @param elasticsearch.master.resources.requests.cpu cpu request
        cpu: '1'
        ## @param elasticsearch.master.resources.requests.memory request
        memory: 1Gi
      limits:
        ## @param elasticsearch.master.resources.limits.cpu cpu limit
        cpu: '1'
        ## @param elasticsearch.master.resources.limits.memory memory limit
        memory: 2Gi
    # ELASTICSEARCH_ENABLE_REST_TLS "false" turns off TLS on the Elasticsearch REST (HTTP) API, so clients
    # talk to Elasticsearch over unencrypted HTTP. Keep the service reachable only from the workloads that
    # need it (for example with a NetworkPolicy), or enable REST TLS and provide certificates where this
    # traffic has to be encrypted.
    extraEnvVars:
    ## @param elasticsearch.master.extraEnvVars[0].name env
    - name: ELASTICSEARCH_ENABLE_REST_TLS
      ## @param elasticsearch.master.extraEnvVars[0].value env value
      value: "false"
  # NOTE(review): in the Bitnami Elasticsearch chart the sysctl image presumably runs as a privileged init
  # container which adjusts kernel settings on the node - confirm against the sub chart, and disable it
  # where the nodes are pre-configured or privileged containers are not permitted.
  sysctlImage:
    ## @param elasticsearch.sysctlImage.enabled
    enabled: true
  data:
    ## @param elasticsearch.data.replicaCount
    replicaCount: 0
  coordinating:
    ## @param elasticsearch.coordinating.replicaCount
    replicaCount: 0
  ingest:
    ## @param elasticsearch.ingest.enabled
    enabled: false


#####################################################################
######
#     # #####   ####  #    # ###### ##### #    # ###### #    #  ####
#     # #    # #    # ##  ## #        #   #    # #      #    # #
######  #    # #    # # ## # #####    #   ###### #####  #    #  ####
#       #####  #    # #    # #        #   #    # #      #    #      #
#       #   #  #    # #    # #        #   #    # #      #    # #    #
#       #    #  ####  #    # ######   #   #    # ######  ####   ####
#####################################################################

## @section Prometheus Parameters

## @extra prometheusServiceMonitor configuration to configure a prometheus service monitor
prometheusServiceMonitor:
  ## @param prometheusServiceMonitor.enabled if true then a service monitor will be deployed, which allows an installed prometheus controller to scrape metrics from the deployed pods
  enabled: false
  ## @extra prometheusServiceMonitor.labels can be set to configure extra labels, which will be added to the servicemonitor and can be used on the prometheus controller for selecting the servicemonitors
  labels:
    ## @param prometheusServiceMonitor.labels.release defines the release label which is added to the servicemonitor
    release: metrics
  ## @param prometheusServiceMonitor.scrapeInterval can be set to configure the interval at which metrics should be scraped
  # Should be *less* than 60s if the provided grafana dashboard is used, which can be found here https://github.com/camunda/camunda/tree/main/monitor/grafana,
  # otherwise it isn't able to show any metrics that are aggregated over 1 min.
  scrapeInterval: 10s
