Files
truecharts/charts/library/common/values.yaml
T
Kjeld Schouten 784a5fcfde feat(common): add nginx ingress integration (#34469)
**Description**
As discussed we wanted to make setting-up nginx easier for users,
primarily themepark and auth/
This provides an integration to do so.

⚒️ Fixes  #33988

**⚙️ Type of change**

- [x] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code
- [ ] 📜 Documentation Changes

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [ ] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made changes to the documentation
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning
- [ ] I made sure the title starts with `feat(chart-name):`,
`fix(chart-name):`, `chore(chart-name):`, `docs(chart-name):` or
`fix(docs):`

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what is this all
about and
the status of this PR with a quick glance._

---------

Signed-off-by: Kjeld Schouten <info@kjeldschouten.nl>
Co-authored-by: Stavros Kois <s.kois@outlook.com>
2025-04-21 19:03:46 +02:00

1309 lines
36 KiB
YAML

# -- Global values
global:
# -- Set additional global labels
labels: {}
# -- Set additional global annotations
annotations: {}
# -- Set a global namespace
# TODO: Currently some objects do not support this
namespace: ""
diagnosticMode:
enabled: false
fallbackDefaults:
# -- Define a storageClassName that will be used for all PVCs
# Can be overruled per PVC
storageClass:
# -- Default probe type
probeType: http
# -- Default Service Protocol
serviceProtocol: tcp
# -- Default Service Type
serviceType: ClusterIP
# -- Default persistence type
persistenceType: pvc
# -- Default Retain PVC
pvcRetain: false
# -- Default PVC Size
pvcSize: 100Gi
# -- Default VCT Size
vctSize: 100Gi
# -- Default PVC Access Modes
accessModes:
- ReadWriteOnce
# -- Default VCT Access Modes
vctAccessModes:
- ReadWriteOnce
# -- Default probe timeouts
probeTimeouts:
liveness:
initialDelaySeconds: 12
periodSeconds: 15
timeoutSeconds: 5
failureThreshold: 5
successThreshold: 1
readiness:
initialDelaySeconds: 10
periodSeconds: 12
timeoutSeconds: 5
failureThreshold: 4
successThreshold: 2
startup:
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 60
successThreshold: 1
# -- Define a postgresql version for CNPG
# will be used for all CNPG objects
# Can be overruled per CNPG objects
# -- Define a topologyKey for default topologySpreadConstraints
# Will be used when defaultSpread: true
topologyKey: kubernetes.io/hostname
cnpg:
pgVersion: 16
skipEmptyWalArchiveCheck: true
traefik:
commonMiddlewares:
- name: tc-basic-secure-headers
# -- Minimum nodePort value
minNodePort: 9000
# -- Enable to stop most pods and containers including cnpg
# does not include stand-alone pods
stopAll: false
# -- Explicitly set a namespace for this chart only
namespace: ""
image:
repository: ghcr.io/traefik/whoami
pullPolicy: IfNotPresent
tag: v1.11.0@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab
chartContext:
appUrl: ""
podCIDR: ""
svcCIDR: ""
# -- Security Context
securityContext:
# -- Container security context for all containers
# Can be overruled per container
container:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: false
seccompProfile:
type: RuntimeDefault
capabilities:
add: []
drop:
- ALL
# When set to false, it will automatically
# add CHOWN, SETUID, SETGID, FOWNER, DAC_OVERRIDE
# capabilities ONLY when container runs as ROOT
disableS6Caps: false
# -- PUID for all containers
# Can be overruled per container
PUID: 568
# -- UMASK for all containers
# Can be overruled per container
UMASK: "0022"
# -- Pod security context for all pods
# Can be overruled per pod
pod:
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
supplementalGroups: []
sysctls: []
# -- Resources
# Can be overruled per container
resources:
limits:
cpu: 1000m
memory: 1500Mi
requests:
cpu: 100m
memory: 250Mi
containerOptions:
NVIDIA_CAPS:
- all
# -- Options for all pods
# Can be overruled per pod
podOptions:
enableServiceLinks: false
hostNetwork: false
hostPID: false
hostIPC: false
# If this key exists, takes precedence over the automated calculation
# hostUsers: false
shareProcessNamespace: false
dnsPolicy: ClusterFirst
dnsConfig:
options:
- name: ndots
value: "1"
hostAliases: []
nodeSelector:
kubernetes.io/arch: "amd64"
# -- Used to enforce a good spread for Deployments and StatefulSets by default
defaultSpread: true
topologySpreadConstraints: []
tolerations: []
schedulerName: ""
priorityClassName: ""
runtimeClassName: ""
automountServiceAccountToken: false
terminationGracePeriodSeconds: 60
# -- (docs/workload/README.md)
workload:
main:
enabled: true
primary: true
type: Deployment
dbWait: true
podSpec:
containers:
main:
enabled: true
primary: true
imageSelector: image
probes:
liveness:
enabled: true
type: "{{ .Values.service.main.ports.main.protocol }}"
port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}"
readiness:
enabled: true
type: "{{ .Values.service.main.ports.main.protocol }}"
port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}"
startup:
enabled: true
type: "{{ .Values.service.main.ports.main.protocol }}"
port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}"
# -- Timezone used everywhere applicable
TZ: UTC
# -- Diagnostic Mode
diagnosticMode:
enabled: false
# -- (docs/service/README.md)
service:
main:
## Integration stuff
# integration:
# metallb:
# enabled: false
## Optional to set shared key manually, otherwise set to namespace
# sharedKey: ""
#
# cilium:
# enabled: false
## Optional to set shared key manually, otherwise ignored (namespace sharing)
# sharedKey: ""
#
# traefik:
# enabled: false
enabled: true
primary: true
ports:
main:
enabled: true
primary: true
protocol: http
credentials:
{}
# mys3:
# type: s3
# url: ""
# path: ""
# bucket: ""
# accessKey: ""
# secretKey: ""
# ## Is used in cases where things are encrypted by a backup utility
# encrKey: ""
ingressMiddlewares:
traefik:
tc-basic-secure-headers:
enabled: false
type: headers
data:
accessControlAllowMethods:
- GET
- OPTIONS
- HEAD
- PUT
accessControlMaxAge: 100
stsSeconds: 63072000
forceSTSHeader: true
contentTypeNosniff: true
browserXssFilter: true
referrerPolicy: same-origin
customRequestHeaders:
X-Forwarded-Proto: "https"
# basic-auth:
# enabled: true
# type: basicAuth
# data:
# # middleware specific data ie
# users:
# - username: user1
# password: password1
# some-other-middleware:
# enabled: true
# type: someOtherMiddleware
# data:
# # middleware specific data ie
# someOtherMiddlewareData: someOtherMiddlewareData
# -- (docs/persistence/README.md)
persistence:
shared:
enabled: true
type: emptyDir
mountPath: /shared
targetSelectAll: true
varlogs:
enabled: true
type: emptyDir
mountPath: /var/logs
medium: Memory
targetSelectAll: true
varrun:
enabled: true
type: emptyDir
mountPath: /var/run
medium: Memory
targetSelectAll: true
tmp:
enabled: true
type: emptyDir
mountPath: /tmp
medium: Memory
targetSelectAll: true
devshm:
enabled: true
type: emptyDir
mountPath: /dev/shm
medium: Memory
targetSelectAll: true
# backupexample:
# ## the default backup path, is the credential path suffixed by the releasename, volsync and both the pvc and volsync names
# enabled: true
# type: pvc
# mountPath: /backedup
# targetSelectAll: true
# volsync:
# - name: mybackup
# ## TODO: other options
# type: restic
# credentials: mys3
# dest:
# enabled: true
# src:
# enabled: true
# iscsi:
# enabled: true
# type: iscsi
# mountPath: /dev/shm
# iscsi:
# targetPortal: 10.0.2.15:3260
# portals: ['10.0.2.16:3260', '10.0.2.17:3260'] #optional
# iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
# lun: 0
# fsType: ext4 #Optional
# iscsiInterface: default #Optional
# initiatorName: iqn.1994-05.com.redhat:node1 #Optional
# authSession:
# username: "someusername"
# password: "somepassword"
# usernameInitiator: "someusernameInitiator"
# passwordInitiator: "somepasswordInitiator"
# authDiscovery:
# username: "someusername"
# password: "somepassword"
# usernameInitiator: "someusernameInitiator"
# passwordInitiator: "somepasswordInitiator"
# vct:
# enabled: true
# type: vct
# mountPath: /shared
# dynamic-pvc:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# dynamic-pvc-dataSource:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# dataSource:
# kind: "PersistentVolumeClaim"
# name: "existingPVC"
# existing-claim:
# enabled: true
# type: pvc
# existingClaim: "someclaim"
# mountPath: /shared
# targetSelectAll: true
# existingpv-pvc:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# volumeName: "somePV"
# static-nfs-pvc:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# static:
# mode: nfs
# server: "/someserver"
# share: "someshare"
# static-smb-pvc:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# static:
# mode: smb
# server: "/someserver"
# share: "someshare"
# domain: "somedomain"
# user: "someuser"
# password: "somepass"
# static-custom-pvc:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# static:
# mode: custom
# provisioner: "some.provisioner"
# driver: "somedriver"
# # Custom CSI definition here
# csi: {}
# example-volumesnapshot:
# enabled: true
# type: pvc
# mountPath: /shared
# targetSelectAll: true
# volumeSnapshots:
# - name: "mysnapshot"
# volumeSnapshotClassName: "mysnapshotclass" (optional)
volumeSnapshotClass: {}
volumeSnapshots: {}
# volumeSnapshots:
# mysnapshot:
# volumeSnapshotClassName: "mycustomsnapshot" (optional)
# source:
# # pick one
# persistentVolumeClaimName: "mypvcname" (does not get altered)
# volumeSnapshotContentName: "mysnapshotname"
# -- (docs/imagePullSecrets.md)
imagePullSecret: {}
# -- (docs/configmap.md)
configmap: {}
# -- (docs/secret.md)
secret: {}
# -- (docs/serviceAccount.md)
serviceAccount: {}
# -- (docs/rbac.md)
rbac: {}
# NOTES.txt
notes:
header: |
# Thank you for installing {{ .Chart.Name }} by TrueCharts.
# custom: "{{ toYaml $.Values }}"
custom: |
{{- if .Values.chartContext.appUrl }}
## Connecting externally
You can use this Chart by opening the following links in your browser:
- {{ toYaml .Values.chartContext.appUrl }}
{{- end }}
{{ if .Chart.Dependencies }}
## Dependencies for {{ .Chart.Name }}
{{- range .Chart.Dependencies }}
- Chart: {{ .Repository }}/{{ .Name }}
Version: {{ .Version }}
{{- end }}
{{- end }}
{{- if .Values.chartContext.internalUrls }}
## Connecting Internally
You can reach this chart inside your cluster, using the following service URLS:
{{- range $url := .Values.chartContext.internalUrls -}}
- {{ $url }}
{{- end }}
{{- end }}
## Sources for {{ .Chart.Name }}
{{- range .Chart.Sources }}
- {{ . }}
{{- end -}}
{{- $link := .Chart.Annotations.docs -}}
{{- if not $link -}}
{{- $link = .Chart.Home -}}
{{- end }}
See more for **{{ $.Chart.Name }}** at ({{ $link }})
footer: |
## Documentation
Please check out the TrueCharts documentation on:
https://truecharts.org
OpenSource can only exist with your help, please consider supporting TrueCharts:
https://truecharts.org/sponsor
warnings: []
####
##
## TrueCharts Specific Root Objects
##
####
gluetunImage:
repository: tccr.io/tccr/gluetun
tag: v3.40.0@sha256:f5d434869d03fe3c91f832915ecabf7cb65c330732c5ba39ac03feb5e917f552
pullPolicy: IfNotPresent
netshootImage:
repository: tccr.io/tccr/netshoot
tag: v0.13.0@sha256:d1e6942d828ce14180e5de6136caa9ba2d89fcd25bfe3d3aaf9851ec73366879
pullPolicy: IfNotPresent
tailscaleImage:
repository: tccr.io/tccr/tailscale
tag: v1.82.0@sha256:d1750edcac72b5854177d1747c257d2b404af67ca8cc4815e01555fc3e7b2385
pullPolicy: IfNotPresent
codeserverImage:
repository: tccr.io/tccr/code-server
tag: v4.99.3@sha256:9f37dfc2c12bf87ae6540e1b2630cb4ea6957d31df23c9d0d546227aa74021a5
pullPolicy: IfNotPresent
alpineImage:
repository: tccr.io/tccr/alpine
tag: v3.21.3
pullPolicy: IfNotPresent
scratchImage:
repository: tccr.io/tccr/scratch
tag: latest@sha256:4aef9dbf99ea2a8857ed4ce9d9bf79d330b79044884c7374e392445d122ec746
pullPolicy: IfNotPresent
kubectlImage:
repository: tccr.io/tccr/kubectl
tag: latest@sha256:945f44d44720e6ca42969817c903e8643c6e34b9dafd90b338710dd104530588
pullPolicy: IfNotPresent
wgetImage:
repository: tccr.io/tccr/wget
tag: v1.0.0@sha256:2c26ff54ed4bed9e4f1a97132119ba22f75710655d08c400bcef15dc08f9e0d1
pullPolicy: IfNotPresent
yqImage:
pullPolicy: IfNotPresent
repository: docker.io/mikefarah/yq
tag: 4.45.1@sha256:2c100efaca06e95ffe452cfe9bfc0048b493f0f3a072d5fe06f828c638d9462b
postgresClientImage:
repository: tccr.io/tccr/db-wait-postgres
tag: v1.1.0@sha256:c85c459d3ca854d705b4aa8663a77752e62c8d33aa43d6a5e4455523f7eb53bd
pullPolicy: IfNotPresent
mariadbClientImage:
repository: tccr.io/tccr/db-wait-mariadb
tag: v1.1.0@sha256:513e3d11ea19317f2d6b146329eaa05f76e24322734d81effb98a5fccea6ed0c
pullPolicy: IfNotPresent
redisClientImage:
repository: tccr.io/tccr/db-wait-redis
tag: v1.1.0@sha256:910ade9977376cef26e6ee3b03939d74e295bb980e3c62ec8174bdd0b12af9af
pullPolicy: IfNotPresent
mongodbClientImage:
repository: tccr.io/tccr/db-wait-mongodb
tag: v1.2.0@sha256:faee7b78290e6cadab8c27b55884a6bf7805fc32e4ae22cf94452cf87949fb2a
pullPolicy: IfNotPresent
postgres15Image:
repository: ghcr.io/cloudnative-pg/postgresql
tag: "15.12"
pullPolicy: IfNotPresent
postgres16Image:
repository: ghcr.io/cloudnative-pg/postgresql
tag: "16.8"
pullPolicy: IfNotPresent
postgresPostgis15Image:
repository: ghcr.io/cloudnative-pg/postgis
tag: "15-3.4"
pullPolicy: IfNotPresent
postgresPostgis16Image:
repository: ghcr.io/cloudnative-pg/postgis
tag: "16-3.4"
pullPolicy: IfNotPresent
postgresVectors15Image:
repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs
tag: "15.7-v0.2.1"
pullPolicy: IfNotPresent
postgresVectors16Image:
repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs
tag: "16.3-v0.2.1"
pullPolicy: IfNotPresent
# -- OpenVPN specific configuration
# @default -- See below
openvpnImage:
# -- Specify the openvpn client image
repository: tccr.io/tccr/openvpn-client
# -- Specify the openvpn client image tag
tag: latest@sha256:9bfdf50791d6e51056e31c03f73c9db329b2b72e7746155cfdc63e0c8b49b55a
# -- Specify the openvpn client image pull policy
pullPolicy: IfNotPresent
# -- WireGuard specific configuration
# @default -- See below
wireguardImage:
# -- Specify the WireGuard image
repository: tccr.io/tccr/wireguard
# -- Specify the WireGuard image tag
tag: v1.0.20210914@sha256:683b8b74d64ebd07f9955147539834c2a4b60fee51d2a36fa76b9aba689601bf
# -- Specify the WireGuard image pull policy
pullPolicy: IfNotPresent
# -- Configure the ingresses for the chart here.
# Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress.
# @default -- See below
ingress:
main:
# -- Enables or disables the ingress
enabled: false
# -- Make this the primary ingress (used in probes, notes, etc...).
# If there is more than 1 ingress, make sure that only 1 ingress is marked as primary.
primary: true
# -- Ensure this ingress is always enabled.
required: false
# expandObjectName: false
# -- Provide additional labels which may be required.
labels: {}
# -- Provide additional annotations which may be required.
annotations: {}
# -- Set the ingressClass that is used for this ingress.
# Requires Kubernetes >=1.19
ingressClassName: ""
# Defaults to primary service and primary port
# targetSelector:
# # service: port
# main: main
## Configure the hosts for the ingress
hosts: []
# - # -- Host address. Helm template can be passed.
# host: chart-example.local
# ## Configure the paths for the host
# paths:
# - # -- Path. Helm template can be passed.
# path: /
# # -- Ignored if not kubeVersion >= 1.14-0
# pathType: Prefix
# # -- Overrides the service reference for this path, by default the selector is honored
# overrideService:
# # -- Overrides the service name reference for this path
# name:
# # -- Overrides the service port reference for this path
# port:
# -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template.
# Gets ignored when clusterIssuer is filled
tls: []
# - secretName: chart-example-tls
# certificateIssuer: ""
# hosts:
# - chart-example.local
integrations:
certManager:
enabled: false
certificateIssuer: ""
traefik:
enabled: false
# Default to websecure
entrypoints:
- websecure
# Ensures tls annotation is set
forceTLS: true
middlewares: []
# - name: my-middleware
# # Optional, by default will try to
# # "lookup" the namespace based on the name
# namespace: ""
nginx:
enabled: false
themepark:
enabled: false
css: ""
ipWhitelist: []
auth:
# empty to disable, options: "authentik" or "authelia"
type: ""
# Internal Domain name + port to reach the auth provider, excluding http(s)
internalHost: ""
# External (ingress) Domain name to reach the auth provider, excluding http(s)
externalHost: ""
# Optional: override default response headers
responseHeaders: []
homepage:
enabled: false
# Default: chart name
name: ""
# Default: chart description
description: ""
# Default: no group
group: ""
# Default: chart icon
icon: ""
widget:
# Default: chartname
type: ""
# Default to ingress host 0
url: ""
custom:
# somesetting: some value
customkv:
# - key: some key
# value: some value
certificate: {}
# main:
# enabled: false
# certificateIssuer: someissuer
# hosts:
# - somehost
# # Optional
# certificateSecretTemplate:
# labels: {}
# annotations: {}
# -- BETA: Configure the gateway routes for the chart here.
# Additional routes can be added by adding a dictionary key similar to the 'main' route.
# Please be aware that this is an early beta of this feature, TrueCharts does not guarantee this actually works.
# Being BETA this can/will change in the future without notice, please do not use unless you want to take that risk
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
# @default -- See below
route:
main:
# -- Enables or disables the route
enabled: false
# -- Set the route kind
# Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
kind: HTTPRoute
# -- Provide additional annotations which may be required.
annotations: {}
# -- Provide additional labels which may be required.
labels: {}
# -- Configure the resource the route attaches to.
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name:
namespace:
sectionName:
# -- Host addresses
hostnames: []
# -- Configure rules for routing. Defaults to the primary service.
rules:
- backendRefs:
- group: ""
kind: Service
name:
namespace:
port:
weight: 1
## Configure conditions used for matching incoming requests. Only for HTTPRoutes
matches:
- path:
type: PathPrefix
value: /
podDisruptionBudget:
main:
enabled: false
# -- Custom Selector Labels
# customLabels:
# customKey: customValue
# maxUnavailable: 1
# minAvailable: 1
targetSelector: main
webhook:
validating:
enabled: false
type: validating
webhooks: []
mutating:
enabled: false
type: mutating
webhooks: []
priorityClass: {}
# priorityClass:
# example:
# provisioner: some.provisioner.io
# enabled: true
# value: 1000000
# preemptionPolicy: PreemptLowerPriority
# globalDefault: false
# description: "some description"
# # -- create storageClasses on demand
storageClass: {}
# storageClass:
# example:
# provisioner: some.provisioner.io
# enabled: true
# isDefaultClass: false
# parameters: {}
# reclaimPolicy: retain
# allowVolumeExpansion: true
# volumeBindingMode: Immediate
# mountOptions: []
metrics:
main:
enabled: false
primary: true
# options: servicemonitor, podmonitor
type: "servicemonitor"
# defaults to selectorLabels
selector: {}
endpoints:
- port: main
interval: 5s
scrapeTimeout: 5s
path: /
honorLabels: false
prometheusRule:
enabled: false
groups: {}
# somegroup:
# # list of rules
# rules: []
# # list to support adding rules via the SCALE GUI without overwrithing the rules
# additionalrules: []
# List to support adding groups using the SCALE GUI
additionalgroups:
# - name: "somegroup"
# # list of rules
# rules: []
# # list to support adding rules via the SCALE GUI without overwrithing the rules
# additionalrules: []
# -- The common chart supports several add-ons. These can be configured under this key.
# @default -- See below
addons:
gluetun:
enabled: false
targetSelector:
- main
secret:
# vpn-conf:
# basePath: /gluetun/wireguard
# data:
# # Effective path /gluetun/wireguard/wg0.conf
# wg0.conf: |
# some conf
# wg1.conf: |
# some conf
# scripts:
# basePath: /gluetun/scripts
# defaultMode: "0777"
# data:
# # Effective path /gluetun/scripts/up.sh
# up.sh: |
# some conf
container:
enabled: true
imageSelector: gluetunImage
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
resources:
excludeExtra: true
securityContext:
runAsUser: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
runAsGroup: 568
capabilities:
add:
- NET_ADMIN
- NET_RAW
- MKNOD
env:
DOT: "off"
DNS_KEEP_NAMESERVER: "on"
FIREWALL: "off"
FIREWALL_OUTBOUND_SUBNETS: ""
FIREWALL_INPUT_PORTS: ""
# -- Tailscale specific configuration
# @default -- See below
# See more info for the configuration
# https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
tailscale:
enabled: false
targetSelector:
- main
# -- you can directly specify the config file here
config: ""
container:
enabled: true
imageSelector: "tailscaleImage"
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
command:
- /usr/local/bin/containerboot
resources:
excludeExtra: true
env:
# Set KUBE_SECRET to empty string to force tailscale
# to use the filesystem for state tracking.
# With secret for state tracking you can't always
# know if the app that uses this sidecard will
# use a custom ServiceAccount and will lead to falure.
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale/state
TS_USERSPACE: true
TS_AUTH_ONCE: true
TS_ACCEPT_DNS: false
TS_AUTH_KEY: ""
TS_TAILSCALED_EXTRA_ARGS: ""
TS_EXTRA_ARGS: ""
TS_SOCKS5_SERVER: ""
TS_DEST_IP: ""
TS_ROUTES: ""
TS_OUTBOUND_HTTP_PROXY_LISTEN: ""
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
# -- Auth key to connect to the VPN Service
authkey: ""
# As a sidecar, it should only need to run in userspace
userspace: true
auth_once: true
accept_dns: false
routes: ""
dest_ip: ""
sock5_server: ""
extra_args: ""
daemon_extra_args: ""
outbound_http_proxy_listen: ""
# -- Annotations for tailscale sidecar
annotations: {}
# -- The common library supports adding a code-server add-on to access files. It can be configured under this key.
# @default -- See values.yaml
codeserver:
enabled: false
# -- Enable running a code-server container in the pod
container:
enabled: true
probes:
liveness:
enabled: true
port: 12321
path: "/"
readiness:
enabled: true
port: 12321
path: "/"
startup:
enabled: true
port: 12321
path: "/"
imageSelector: "codeserverImage"
resources:
excludeExtra: true
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
args:
- "--port"
- "12321"
- "/"
- --auth
- none
# - --user-data-dir
# - "/config/.vscode"
# -- Select a workload to add the addon to
targetSelector:
- "main"
service:
# -- Enable a service for the code-server add-on.
enabled: true
type: ClusterIP
# Specify the default port information
ports:
codeserver:
enabled: true
primary: true
protocol: http
port: 12321
targetPort: 12321
ingress:
# -- Enable an ingress for the code-server add-on.
enabled: false
annotations: {}
# kubernetes.io/ingress.class: nginx
labels: {}
hosts:
- host: code.chart-example.local
paths:
- path: /
# Ignored if not kubeVersion >= 1.14-0
pathType: Prefix
tls: []
netshoot:
# -- Enable running a netshoot container in the pod
enabled: false
container:
enabled: true
command:
- /bin/sh
- -c
- sleep infinity
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
imageSelector: "netshootImage"
resources:
excludeExtra: true
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
dependencies:
##########################################################################
# This section contains some pre-config for frequently used dependencies #
##########################################################################
cnpg:
main:
enabled: false
primary: true
# -- Puts the cnpg cluster in hibernation mode
hibernate: false
# Additional Labels and annotations for all cnpg objects
labels: {}
annotations: {}
# Type of the CNPG database. Available types:
# * `postgres`
# * `postgis`
# * `timescaledb`
# * `vectors`
type: postgres
# Version of Postgresql to use, changes cluster naming scheme
# * `15`
# * `16`
pgVersion: 16
# Cluster mode of operation. Available modes:
# * `standalone` - default mode. Creates new or updates an existing CNPG cluster.
# * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO
# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup.
mode: standalone
# Database details
database: "app"
user: "app"
password: "PLACEHOLDERPASSWORD"
# Database cluster configuration
cluster:
# Additional Labels and annotations for cnpg cluster
labels: {}
annotations: {}
# Number of instances
instances: 2
# set to true on single-node clusters to allow PVCs to be kept on instance restart
singleNode: false
## set to configure the skipEmptyWalArchiveCheck annotation
# skipEmptyWalArchiveCheck: true
# # -- storage size for the data pvc's
# # Follows the same spec as .Values.Persistence type=PVC
# storage:
# size: "256Gi"
# # -- storage size for the wal pvc's
# # Follows the same spec as .Values.Persistence type=PVC
# walStorage:
# size: "256Gi"
# -- Gets scaled to 0 if hibernation is true
## See .Values.resources for more info
# resources:
# Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
# successfully updated. It can be switchover (default) or in-place (restart).
primaryUpdateMethod: switchover
# Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
# successfully updated: it can be automated (unsupervised - default) or manual (supervised)
# Example of rolling update strategy:
# - unsupervised: automated update of the primary once all
# replicas have been upgraded (default)
# - supervised: requires manual supervision to perform
# the switchover of the primary
# -- change to supervised to disable unsupervised updates
primaryUpdateStrategy: unsupervised
# The instances' log level, one of the following values: error, warning, info (default), debug, trace
logLevel: info
# The configuration for the CA and related certificates
# See: https://cloudnative-pg.io/documentation/current/api_reference/#CertificatesConfiguration
certificates:
# When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password.
# If the secret is not present, the operator will automatically create one.
# When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created,
# and then blank the password of the postgres user by setting it to NULL.
# enableSuperuserAccess: true
# Configuration of the PostgreSQL server
# See: https://cloudnative-pg.io/documentation/current/api_reference/#PostgresConfiguration
postgresql:
# BootstrapInitDB is the configuration of the bootstrap process when initdb is used
# See: https://cloudnative-pg.io/documentation/current/bootstrap/
# See: https://cloudnative-pg.io/documentation/current/api_reference/#bootstrapinitdb
initdb: {}
# postInitSQL:
# - CREATE EXTENSION IF NOT EXISTS vector;
# postInitApplicationSQL:
# - CREATE EXTENSION IF NOT EXISTS someextension;
# -- set to enable prometheus metrics
monitoring:
enablePodMonitor: false
disableDefaultQueries: false
customQueries: []
# - name: "pg_cache_hit_ratio"
# expandObjectName: true
# key: "custom-key" (defaults to "custom-queries")
# query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;"
# metrics:
# - datname:
# usage: "LABEL"
# description: "Name of the database database"
# - ratio:
# usage: GAUGE
# description: "Cache hit ratio"
# Recovery settings if the chosen mode is `recovery`.
recovery:
##
# Backup Recovery Method
# Available recovery methods:
# * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
# * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported).
# * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
# migrate databases to CloudNativePG, even from outside Kubernetes. # TODO
method: object_store
## set a revision to append to the serverName to ensure restore and backup dont target the same thing
# revision: 1
# override serverName in recovery obkect
servername: ""
## Point in time recovery target. Specify one of the following:
pitrTarget:
# Time in RFC3339 format
time: ""
# Name of the backup to recover from. Required if method is `backup`.
backupName: ""
# Object Store Recovery Method
clusterName: ""
# Overrides the provider specific default path. Defaults to:
# S3: s3://<bucket><path>
# Azure: https://<storageAccount>.<serviceName>.core.windows.net/<clusterName><path>
# Google: gs://<bucket><path>
destinationPath: ""
# Database cluster backup configuration
backups:
# You need to configure backups manually, so backups are disabled by default.
enabled: false
encryption:
enabled: false
## set a revision to append to the serverName to ensure restore and backup dont target the same thing
# revision: 1
# override serverName in recovery obkect
servername: ""
# Overrides the provider specific default path. Defaults to:
# S3: s3://<bucket><path>
# Azure: https://<storageAccount>.<serviceName>.core.windows.net/<clusterName><path>
# Google: gs://<bucket><path>
destinationPath: ""
# default: primary, other option prefer-standby
target: ""
# name of credentials in .Values.Credentials
credentials: ""
scheduledBackups:
- name: daily-backup
schedule: "0 0 0 * * *"
backupOwnerReference: self
immediate: true
suspend: false
retentionPolicy: "30d"
# - Manual list of backups
manualBackups: []
# - name: today
# labels: {}
# annotations: {}
# - name: beforeUpgrade
# labels: {}
# annotations: {}
# Database cluster PgBouncer configuration
pooler:
enabled: false
# -- enable to create extra pgbouncer for readonly access
createRO: false
poolMode: session
# -- Gets scaled to 0 if hibernation is true
instances: 2
# parameters:
# max_client_conn: "1000"
# default_pool_size: "25"
labels: {}
annotations: {}
# -- contains credentials and urls output by generator
creds: {}
# -- Redis dependency configuration
# @default -- See below
redis:
enabled: false
includeCommon: false
password: "PLACEHOLDERPASSWORD"
# -- can be used to make an easy accessible note which URLS to use to access the DB.
creds: {}
secret:
credentials:
enabled: false
# -- mariadb dependency configuration
# @default -- See below
mariadb:
enabled: false
includeCommon: false
password: "PLACEHOLDERPASSWORD"
rootPassword: "PLACEHOLDERROOTPASSWORD"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
creds: {}
# -- mongodb dependency configuration
# @default -- See below
mongodb:
enabled: false
includeCommon: false
password: "PLACEHOLDERPASSWORD"
rootPassword: "PLACEHOLDERROOTPASSWORD"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
creds: {}
# -- clickhouse dependency configuration
# @default -- See below
clickhouse:
enabled: false
includeCommon: false
password: "PLACEHOLDERPASSWORD"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
creds: {}
# -- solr dependency configuration
# @default -- See below
solr:
enabled: false
includeCommon: false
password: "PLACEHOLDERPASSWORD"
solrCores: 1
solrEnableAuthentication: "no"
# -- can be used to make an easy accessable note which URLS to use to access the DB.
creds: {}
# -- List of extra objects to deploy with the release
extraTpl: []