# -- Global values global: # -- Set additional global labels labels: {} # -- Set additional global annotations annotations: {} # -- Set a global namespace # TODO: Currently some objects do not support this namespace: "" diagnosticMode: enabled: false fallbackDefaults: # -- Define a storageClassName that will be used for all PVCs # Can be overruled per PVC storageClass: # -- Default probe type probeType: http # -- Default Service Protocol serviceProtocol: tcp # -- Default Service Type serviceType: ClusterIP # -- Default persistence type persistenceType: pvc # -- Default Retain PVC pvcRetain: false # -- Default PVC Size pvcSize: 100Gi # -- Default VCT Size vctSize: 100Gi # -- Default PVC Access Modes accessModes: - ReadWriteOnce # -- Default VCT Access Modes vctAccessModes: - ReadWriteOnce # -- Default probe timeouts probeTimeouts: liveness: initialDelaySeconds: 12 periodSeconds: 15 timeoutSeconds: 5 failureThreshold: 5 successThreshold: 1 readiness: initialDelaySeconds: 10 periodSeconds: 12 timeoutSeconds: 5 failureThreshold: 4 successThreshold: 2 startup: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 3 failureThreshold: 60 successThreshold: 1 # -- Define a postgresql version for CNPG # will be used for all CNPG objects # Can be overruled per CNPG objects # -- Define a topologyKey for default topologySpreadConstraints # Will be used when defaultSpread: true topologyKey: kubernetes.io/hostname cnpg: pgVersion: 16 skipEmptyWalArchiveCheck: true traefik: commonMiddlewares: - name: tc-basic-secure-headers # -- Minimum nodePort value minNodePort: 9000 # -- Enable to stop most pods and containers including cnpg # does not include stand-alone pods stopAll: false # -- Explicitly set a namespace for this chart only namespace: "" image: repository: ghcr.io/traefik/whoami pullPolicy: IfNotPresent tag: v1.11.0@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab chartContext: appUrl: "" podCIDR: "" svcCIDR: "" # -- Security Context securityContext: # -- Container security context for all containers # Can be overruled per container container: runAsUser: 568 runAsGroup: 568 readOnlyRootFilesystem: true allowPrivilegeEscalation: false privileged: false seccompProfile: type: RuntimeDefault capabilities: add: [] drop: - ALL # When set to false, it will automatically # add CHOWN, SETUID, SETGID, FOWNER, DAC_OVERRIDE # capabilities ONLY when container runs as ROOT disableS6Caps: false # -- PUID for all containers # Can be overruled per container PUID: 568 # -- UMASK for all containers # Can be overruled per container UMASK: "0022" # -- Pod security context for all pods # Can be overruled per pod pod: fsGroup: 568 fsGroupChangePolicy: OnRootMismatch supplementalGroups: [] sysctls: [] # -- Resources # Can be overruled per container resources: limits: cpu: 1000m memory: 1500Mi requests: cpu: 100m memory: 250Mi containerOptions: NVIDIA_CAPS: - all # -- Options for all pods # Can be overruled per pod podOptions: enableServiceLinks: false hostNetwork: false hostPID: false hostIPC: false # If this key exists, takes precedence over the automated calculation # hostUsers: false shareProcessNamespace: false affinity: {} dnsPolicy: ClusterFirst dnsConfig: options: - name: ndots value: "1" hostAliases: [] nodeSelector: kubernetes.io/arch: "amd64" # -- Used to enforce a good spread for Deployments and StatefulSets by default defaultSpread: true defaultAffinity: true topologySpreadConstraints: [] tolerations: [] schedulerName: "" priorityClassName: "" runtimeClassName: "" automountServiceAccountToken: false terminationGracePeriodSeconds: 60 # -- (docs/workload/README.md) workload: main: enabled: true primary: true type: Deployment dbWait: true podSpec: containers: main: enabled: true primary: true imageSelector: image probes: liveness: enabled: true type: "{{ .Values.service.main.ports.main.protocol }}" port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}" readiness: enabled: true type: "{{ .Values.service.main.ports.main.protocol }}" port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}" startup: enabled: true type: "{{ .Values.service.main.ports.main.protocol }}" port: "{{ $.Values.service.main.ports.main.targetPort | default .Values.service.main.ports.main.port }}" # -- Timezone used everywhere applicable TZ: UTC # -- Diagnostic Mode diagnosticMode: enabled: false # -- Vertical pod autoscaler vpa: main: enabled: false targetSelector: [] # updatePolicy: # updateMode: auto resourcePolicy: containerPolicies: - containerName: "*" minAllowed: cpu: 50m memory: 50Mi maxAllowed: cpu: 8000m memory: 20Gi controlledResources: ["cpu", "memory"] # -- Horizontal pod autoscaler hpa: main: enabled: false targetSelector: [] # minReplicas: 1 # maxReplicas: 3 # metrics: # Optional, list of metric specs # - type: Resource # Can be Resource, Pods, Object, External, or ContainerResource # resource: # name: cpu # target: # type: Utilization # Or Value / AverageValue # averageUtilization: 50 # - type: Resource # resource: # name: memory # target: # type: AverageValue # averageValue: 500Mi # behavior: # Optional: controls scaling behavior # scaleUp: # stabilizationWindowSeconds: 0 # policies: # - type: Percent # value: 100 # periodSeconds: 15 # scaleDown: # stabilizationWindowSeconds: 300 # policies: # - type: Pods # value: 4 # periodSeconds: 60 # -- (docs/service/README.md) service: main: ## Integration stuff # integration: # metallb: # enabled: false ## Optional to set shared key manually, otherwise set to namespace # sharedKey: "" # # cilium: # enabled: false ## Optional to set shared key manually, otherwise ignored (namespace sharing) # sharedKey: "" # # traefik: # enabled: false enabled: true primary: true ports: main: enabled: true primary: true protocol: http credentials: {} # mys3: # type: s3 # url: "" # path: "" # bucket: "" # accessKey: "" # secretKey: "" # ## Is used in cases where things are encrypted by a backup utility # encrKey: "" ingressMiddlewares: traefik: tc-basic-secure-headers: enabled: false type: headers data: accessControlAllowMethods: - GET - OPTIONS - HEAD - PUT accessControlMaxAge: 100 stsSeconds: 63072000 forceSTSHeader: true contentTypeNosniff: true browserXssFilter: true referrerPolicy: same-origin customRequestHeaders: X-Forwarded-Proto: "https" # basic-auth: # enabled: true # type: basicAuth # data: # # middleware specific data ie # users: # - username: user1 # password: password1 # some-other-middleware: # enabled: true # type: someOtherMiddleware # data: # # middleware specific data ie # someOtherMiddlewareData: someOtherMiddlewareData # -- (docs/persistence/README.md) persistence: shared: enabled: true type: emptyDir mountPath: /shared targetSelectAll: true varlogs: enabled: true type: emptyDir mountPath: /var/logs medium: Memory targetSelectAll: true varrun: enabled: true type: emptyDir mountPath: /var/run medium: Memory targetSelectAll: true tmp: enabled: true type: emptyDir mountPath: /tmp medium: Memory targetSelectAll: true devshm: enabled: true type: emptyDir mountPath: /dev/shm medium: Memory targetSelectAll: true # backupexample: # ## the default backup path, is the credential path suffixed by the releasename, volsync and both the pvc and volsync names # enabled: true # type: pvc # mountPath: /backedup # targetSelectAll: true # volsync: # - name: mybackup # ## TODO: other options # type: restic # credentials: mys3 # dest: # enabled: true # src: # enabled: true # iscsi: # enabled: true # type: iscsi # mountPath: /dev/shm # iscsi: # targetPortal: 10.0.2.15:3260 # portals: ['10.0.2.16:3260', '10.0.2.17:3260'] #optional # iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz # lun: 0 # fsType: ext4 #Optional # iscsiInterface: default #Optional # initiatorName: iqn.1994-05.com.redhat:node1 #Optional # authSession: # username: "someusername" # password: "somepassword" # usernameInitiator: "someusernameInitiator" # passwordInitiator: "somepasswordInitiator" # authDiscovery: # username: "someusername" # password: "somepassword" # usernameInitiator: "someusernameInitiator" # passwordInitiator: "somepasswordInitiator" # vct: # enabled: true # type: vct # mountPath: /shared # dynamic-pvc: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # dynamic-pvc-dataSource: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # dataSource: # kind: "PersistentVolumeClaim" # name: "existingPVC" # existing-claim: # enabled: true # type: pvc # existingClaim: "someclaim" # mountPath: /shared # targetSelectAll: true # existingpv-pvc: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # volumeName: "somePV" # static-nfs-pvc: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # static: # mode: nfs # server: "/someserver" # share: "someshare" # static-smb-pvc: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # static: # mode: smb # server: "/someserver" # share: "someshare" # domain: "somedomain" # user: "someuser" # password: "somepass" # static-custom-pvc: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # static: # mode: custom # provisioner: "some.provisioner" # driver: "somedriver" # # Custom CSI definition here # csi: {} # example-volumesnapshot: # enabled: true # type: pvc # mountPath: /shared # targetSelectAll: true # volumeSnapshots: # - name: "mysnapshot" # volumeSnapshotClassName: "mysnapshotclass" (optional) volumeSnapshotClass: {} volumeSnapshots: {} # volumeSnapshots: # mysnapshot: # volumeSnapshotClassName: "mycustomsnapshot" (optional) # source: # # pick one # persistentVolumeClaimName: "mypvcname" (does not get altered) # volumeSnapshotContentName: "mysnapshotname" # -- (docs/imagePullSecrets.md) imagePullSecret: {} # -- (docs/configmap.md) configmap: {} # -- (docs/secret.md) secret: {} # -- (docs/serviceAccount.md) serviceAccount: {} # -- (docs/rbac.md) rbac: {} # NOTES.txt notes: header: | # Thank you for installing {{ .Chart.Name }} by TrueCharts. # custom: "{{ toYaml $.Values }}" custom: | {{- if .Values.chartContext.appUrl }} ## Connecting externally You can use this Chart by opening the following links in your browser: - {{ toYaml .Values.chartContext.appUrl }} {{- end }} {{ if .Chart.Dependencies }} ## Dependencies for {{ .Chart.Name }} {{- range .Chart.Dependencies }} - Chart: {{ .Repository }}/{{ .Name }} Version: {{ .Version }} {{- end }} {{- end }} {{- if .Values.chartContext.internalUrls }} ## Connecting Internally You can reach this chart inside your cluster, using the following service URLS: {{- range $url := .Values.chartContext.internalUrls -}} - {{ $url }} {{- end }} {{- end }} ## Sources for {{ .Chart.Name }} {{- range .Chart.Sources }} - {{ . }} {{- end -}} {{- $link := .Chart.Annotations.docs -}} {{- if not $link -}} {{- $link = .Chart.Home -}} {{- end }} See more for **{{ $.Chart.Name }}** at ({{ $link }}) footer: | ## Documentation Please check out the TrueCharts documentation on: https://truecharts.org OpenSource can only exist with your help, please consider supporting TrueCharts: https://truecharts.org/sponsor warnings: [] #### ## ## TrueCharts Specific Root Objects ## #### gluetunImage: repository: tccr.io/tccr/gluetun tag: v3.40.0@sha256:a8189e29155e0f8142be1500ae068a92b189b1b25abbba036321e74d6389bf2b pullPolicy: IfNotPresent netshootImage: repository: tccr.io/tccr/netshoot tag: v0.14.0@sha256:28ede4317d22391e7d89a15eb78dc2afc3587ece02c76c983dde7239a0e43679 pullPolicy: IfNotPresent tailscaleImage: repository: tccr.io/tccr/tailscale tag: v1.86.2@sha256:7694928c789a246fe2fb58e10dd604f66b18b4ef961409095b689f7762523ed1 pullPolicy: IfNotPresent codeserverImage: repository: tccr.io/tccr/code-server tag: v4.103.1@sha256:b754400a938e74eaaf07fa6fb9b64a24a4e6c5d88c94f914748b202f1fb57ce6 pullPolicy: IfNotPresent alpineImage: repository: tccr.io/tccr/alpine tag: v3.22.1 pullPolicy: IfNotPresent scratchImage: repository: tccr.io/tccr/scratch tag: latest@sha256:4aef9dbf99ea2a8857ed4ce9d9bf79d330b79044884c7374e392445d122ec746 pullPolicy: IfNotPresent kubectlImage: repository: tccr.io/tccr/kubectl tag: latest@sha256:b16dca4e8ec1c9128a8b7712ebd3713f69d3dd24d622799a482e7ce3929a702b pullPolicy: IfNotPresent wgetImage: repository: tccr.io/tccr/wget tag: v1.0.0@sha256:961566b0149f766abfaa82326aad9c3089e3311eca5d4910ff2d4faf70ddbb10 pullPolicy: IfNotPresent yqImage: pullPolicy: IfNotPresent repository: docker.io/mikefarah/yq tag: 4.47.1@sha256:b9285dd3b0bea3c34d0c54415dd48d767dabd9644d489bd6e253660847b58419 postgresClientImage: repository: tccr.io/tccr/db-wait-postgres tag: v1.1.0@sha256:182687540102534aeb28fce4d124274e81a849a43556214977c378ae2a580b35 pullPolicy: IfNotPresent mariadbClientImage: repository: tccr.io/tccr/db-wait-mariadb tag: v1.1.0@sha256:bd60b6087bacaf5e697243f764065ea5d04da1af703b2009be3752c1aede6d32 pullPolicy: IfNotPresent redisClientImage: repository: tccr.io/tccr/db-wait-redis tag: v1.1.0@sha256:14c792c5d2faf5b5c7f8325e387700d70571bf930d321de81483aa704c198e40 pullPolicy: IfNotPresent mongodbClientImage: repository: tccr.io/tccr/db-wait-mongodb tag: v1.2.0@sha256:fe22e616bd3facd3d2e959cfaae9795a8503c8fb6bb90487a14dfd14cbd3ffe3 pullPolicy: IfNotPresent postgres15Image: repository: ghcr.io/cloudnative-pg/postgresql tag: "15.13" pullPolicy: IfNotPresent postgres16Image: repository: ghcr.io/cloudnative-pg/postgresql tag: "16.9" pullPolicy: IfNotPresent postgresPostgis15Image: repository: ghcr.io/cloudnative-pg/postgis tag: "15-3.4" pullPolicy: IfNotPresent postgresPostgis16Image: repository: ghcr.io/cloudnative-pg/postgis tag: "16-3.4" pullPolicy: IfNotPresent postgresVectors15Image: repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs tag: "15.7-v0.2.1" pullPolicy: IfNotPresent postgresVectors16Image: repository: ghcr.io/tensorchord/cloudnative-pgvecto.rs tag: "16.3-v0.2.1" pullPolicy: IfNotPresent # -- OpenVPN specific configuration # @default -- See below openvpnImage: # -- Specify the openvpn client image repository: tccr.io/tccr/openvpn-client # -- Specify the openvpn client image tag tag: latest@sha256:9bfdf50791d6e51056e31c03f73c9db329b2b72e7746155cfdc63e0c8b49b55a # -- Specify the openvpn client image pull policy pullPolicy: IfNotPresent # -- WireGuard specific configuration # @default -- See below wireguardImage: # -- Specify the WireGuard image repository: tccr.io/tccr/wireguard # -- Specify the WireGuard image tag tag: v1.0.20210914@sha256:683b8b74d64ebd07f9955147539834c2a4b60fee51d2a36fa76b9aba689601bf # -- Specify the WireGuard image pull policy pullPolicy: IfNotPresent # -- Configure the ingresses for the chart here. # Additional ingresses can be added by adding a dictionary key similar to the 'main' ingress. # @default -- See below ingress: main: # -- Enables or disables the ingress enabled: false # -- Make this the primary ingress (used in probes, notes, etc...). # If there is more than 1 ingress, make sure that only 1 ingress is marked as primary. primary: true # -- Ensure this ingress is always enabled. required: false # expandObjectName: false # -- Provide additional labels which may be required. labels: {} # -- Provide additional annotations which may be required. annotations: {} # -- Set the ingressClass that is used for this ingress. # Requires Kubernetes >=1.19 ingressClassName: "" # Defaults to primary service and primary port # targetSelector: # # service: port # main: main ## Configure the hosts for the ingress hosts: [] # - # -- Host address. Helm template can be passed. # host: chart-example.local # ## Configure the paths for the host # paths: # - # -- Path. Helm template can be passed. # path: / # # -- Ignored if not kubeVersion >= 1.14-0 # pathType: Prefix # # -- Overrides the service reference for this path, by default the selector is honored # overrideService: # # -- Overrides the service name reference for this path # name: # # -- Overrides the service port reference for this path # port: # -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template. # Gets ignored when clusterIssuer is filled tls: [] # - secretName: chart-example-tls # certificateIssuer: "" # hosts: # - chart-example.local integrations: certManager: enabled: false certificateIssuer: "" traefik: enabled: false # Default to websecure entrypoints: - websecure # Ensures tls annotation is set forceTLS: true middlewares: [] # - name: my-middleware # # Optional, by default will try to # # "lookup" the namespace based on the name # namespace: "" nginx: enabled: false themepark: enabled: false css: "" ipWhitelist: [] auth: # empty to disable, options: "authentik" or "authelia" type: "" # Internal Domain name + port to reach the auth provider, excluding http(s) internalHost: "" # External (ingress) Domain name to reach the auth provider, excluding http(s) externalHost: "" # Optional: override default response headers responseHeaders: [] homepage: enabled: false # Default: chart name name: "" # Default: chart description description: "" # Default: no group group: "" # Default: chart icon icon: "" widget: # Default: chartname type: "" # Default to ingress host 0 url: "" custom: # somesetting: some value customkv: # - key: some key # value: some value certificate: {} # main: # enabled: false # certificateIssuer: someissuer # hosts: # - somehost # # Optional # certificateSecretTemplate: # labels: {} # annotations: {} # -- BETA: Configure the gateway routes for the chart here. # Additional routes can be added by adding a dictionary key similar to the 'main' route. # Please be aware that this is an early beta of this feature, TrueCharts does not guarantee this actually works. # Being BETA this can/will change in the future without notice, please do not use unless you want to take that risk # [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2) # @default -- See below route: main: # -- Enables or disables the route enabled: false # -- Set the route kind # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute kind: HTTPRoute # -- Provide additional annotations which may be required. annotations: {} # -- Provide additional labels which may be required. labels: {} # -- Configure the resource the route attaches to. parentRefs: - group: gateway.networking.k8s.io kind: Gateway name: namespace: sectionName: # -- Host addresses hostnames: [] # -- Configure rules for routing. Defaults to the primary service. rules: - backendRefs: - group: "" kind: Service name: namespace: port: weight: 1 ## Configure conditions used for matching incoming requests. Only for HTTPRoutes matches: - path: type: PathPrefix value: / podDisruptionBudget: main: enabled: false # -- Custom Selector Labels # customLabels: # customKey: customValue # maxUnavailable: 1 # minAvailable: 1 targetSelector: main webhook: validating: enabled: false type: validating webhooks: [] mutating: enabled: false type: mutating webhooks: [] priorityClass: {} # priorityClass: # example: # provisioner: some.provisioner.io # enabled: true # value: 1000000 # preemptionPolicy: PreemptLowerPriority # globalDefault: false # description: "some description" # # -- create storageClasses on demand storageClass: {} # storageClass: # example: # provisioner: some.provisioner.io # enabled: true # isDefaultClass: false # parameters: {} # reclaimPolicy: retain # allowVolumeExpansion: true # volumeBindingMode: Immediate # mountOptions: [] metrics: main: enabled: false primary: true # options: servicemonitor, podmonitor type: "servicemonitor" # defaults to selectorLabels selector: {} endpoints: - port: main interval: 5s scrapeTimeout: 5s path: / honorLabels: false prometheusRule: enabled: false groups: {} # somegroup: # # list of rules # rules: [] # # list to support adding rules via the SCALE GUI without overwrithing the rules # additionalrules: [] # List to support adding groups using the SCALE GUI additionalgroups: # - name: "somegroup" # # list of rules # rules: [] # # list to support adding rules via the SCALE GUI without overwrithing the rules # additionalrules: [] # -- The common chart supports several add-ons. These can be configured under this key. # @default -- See below addons: gluetun: enabled: false targetSelector: - main secret: # vpn-conf: # basePath: /gluetun/wireguard # data: # # Effective path /gluetun/wireguard/wg0.conf # wg0.conf: | # some conf # wg1.conf: | # some conf # scripts: # basePath: /gluetun/scripts # defaultMode: "0777" # data: # # Effective path /gluetun/scripts/up.sh # up.sh: | # some conf container: enabled: true imageSelector: gluetunImage probes: liveness: enabled: false readiness: enabled: false startup: enabled: false resources: excludeExtra: true securityContext: runAsUser: 0 runAsNonRoot: false readOnlyRootFilesystem: false runAsGroup: 568 capabilities: add: - NET_ADMIN - NET_RAW - MKNOD env: DOT: "off" DNS_KEEP_NAMESERVER: "on" FIREWALL: "off" FIREWALL_OUTBOUND_SUBNETS: "" FIREWALL_INPUT_PORTS: "" # -- Tailscale specific configuration # @default -- See below # See more info for the configuration # https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh tailscale: enabled: false targetSelector: - main # -- you can directly specify the config file here config: "" container: enabled: true imageSelector: "tailscaleImage" probes: liveness: enabled: false readiness: enabled: false startup: enabled: false command: - /usr/local/bin/containerboot resources: excludeExtra: true env: # Set KUBE_SECRET to empty string to force tailscale # to use the filesystem for state tracking. # With secret for state tracking you can't always # know if the app that uses this sidecard will # use a custom ServiceAccount and will lead to falure. TS_KUBE_SECRET: "" TS_SOCKET: /var/run/tailscale/tailscaled.sock TS_STATE_DIR: /var/lib/tailscale/state TS_USERSPACE: true TS_AUTH_ONCE: true TS_ACCEPT_DNS: false TS_AUTH_KEY: "" TS_TAILSCALED_EXTRA_ARGS: "" TS_EXTRA_ARGS: "" TS_SOCKS5_SERVER: "" TS_DEST_IP: "" TS_ROUTES: "" TS_OUTBOUND_HTTP_PROXY_LISTEN: "" securityContext: capabilities: add: - NET_ADMIN - NET_RAW # -- Auth key to connect to the VPN Service authkey: "" # As a sidecar, it should only need to run in userspace userspace: true auth_once: true accept_dns: false routes: "" dest_ip: "" sock5_server: "" extra_args: "" daemon_extra_args: "" outbound_http_proxy_listen: "" # -- Annotations for tailscale sidecar annotations: {} # -- The common library supports adding a code-server add-on to access files. It can be configured under this key. # @default -- See values.yaml codeserver: enabled: false # -- Enable running a code-server container in the pod container: enabled: true probes: liveness: enabled: true port: 12321 path: "/" readiness: enabled: true port: 12321 path: "/" startup: enabled: true port: 12321 path: "/" imageSelector: "codeserverImage" resources: excludeExtra: true securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false readOnlyRootFilesystem: false args: - "--port" - "12321" - "/" - --auth - none # - --user-data-dir # - "/config/.vscode" # -- Select a workload to add the addon to targetSelector: - "main" service: # -- Enable a service for the code-server add-on. enabled: true type: ClusterIP # Specify the default port information ports: codeserver: enabled: true primary: true protocol: http port: 12321 targetPort: 12321 ingress: # -- Enable an ingress for the code-server add-on. enabled: false annotations: {} # kubernetes.io/ingress.class: nginx labels: {} hosts: - host: code.chart-example.local paths: - path: / # Ignored if not kubeVersion >= 1.14-0 pathType: Prefix tls: [] netshoot: # -- Enable running a netshoot container in the pod enabled: false container: enabled: true command: - /bin/sh - -c - sleep infinity probes: liveness: enabled: false readiness: enabled: false startup: enabled: false imageSelector: "netshootImage" resources: excludeExtra: true securityContext: runAsUser: 0 runAsGroup: 0 runAsNonRoot: false readOnlyRootFilesystem: false capabilities: add: - NET_ADMIN - NET_RAW dependencies: ########################################################################## # This section contains some pre-config for frequently used dependencies # ########################################################################## cnpg: main: enabled: false primary: true # -- Puts the cnpg cluster in hibernation mode hibernate: false # Additional Labels and annotations for all cnpg objects labels: {} annotations: {} # Type of the CNPG database. Available types: # * `postgres` # * `postgis` # * `timescaledb` # * `vectors` type: postgres # Version of Postgresql to use, changes cluster naming scheme # * `15` # * `16` pgVersion: 16 # Cluster mode of operation. Available modes: # * `standalone` - default mode. Creates new or updates an existing CNPG cluster. # * `replica` - Creates a replica cluster from an existing CNPG cluster. # TODO # * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup. mode: standalone # Database details database: "app" user: "app" password: "PLACEHOLDERPASSWORD" # Database cluster configuration cluster: # Additional Labels and annotations for cnpg cluster labels: {} annotations: {} # Number of instances instances: 2 # set to true on single-node clusters to allow PVCs to be kept on instance restart singleNode: false ## set to configure the skipEmptyWalArchiveCheck annotation # skipEmptyWalArchiveCheck: true # # -- storage size for the data pvc's # # Follows the same spec as .Values.Persistence type=PVC # storage: # size: "256Gi" # # -- storage size for the wal pvc's # # Follows the same spec as .Values.Persistence type=PVC # walStorage: # size: "256Gi" # -- Gets scaled to 0 if hibernation is true ## See .Values.resources for more info # resources: # Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been # successfully updated. It can be switchover (default) or in-place (restart). primaryUpdateMethod: switchover # Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been # successfully updated: it can be automated (unsupervised - default) or manual (supervised) # Example of rolling update strategy: # - unsupervised: automated update of the primary once all # replicas have been upgraded (default) # - supervised: requires manual supervision to perform # the switchover of the primary # -- change to supervised to disable unsupervised updates primaryUpdateStrategy: unsupervised # The instances' log level, one of the following values: error, warning, info (default), debug, trace logLevel: info # The configuration for the CA and related certificates # See: https://cloudnative-pg.io/documentation/current/api_reference/#CertificatesConfiguration certificates: # When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. # If the secret is not present, the operator will automatically create one. # When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, # and then blank the password of the postgres user by setting it to NULL. # enableSuperuserAccess: true # Configuration of the PostgreSQL server # See: https://cloudnative-pg.io/documentation/current/api_reference/#PostgresConfiguration postgresql: # BootstrapInitDB is the configuration of the bootstrap process when initdb is used # See: https://cloudnative-pg.io/documentation/current/bootstrap/ # See: https://cloudnative-pg.io/documentation/current/api_reference/#bootstrapinitdb initdb: {} # postInitSQL: # - CREATE EXTENSION IF NOT EXISTS vector; # postInitApplicationSQL: # - CREATE EXTENSION IF NOT EXISTS someextension; # -- set to enable prometheus metrics monitoring: enablePodMonitor: false disableDefaultQueries: false customQueries: [] # - name: "pg_cache_hit_ratio" # expandObjectName: true # key: "custom-key" (defaults to "custom-queries") # query: "SELECT current_database() as datname, sum(heap_blks_hit) / (sum(heap_blks_hit) + sum(heap_blks_read)) as ratio FROM pg_statio_user_tables;" # metrics: # - datname: # usage: "LABEL" # description: "Name of the database database" # - ratio: # usage: GAUGE # description: "Cache hit ratio" # Recovery settings if the chosen mode is `recovery`. recovery: ## # Backup Recovery Method # Available recovery methods: # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. # * `object_store` - Recovers a CNPG cluster from a barman object store (PITR supported). # * `pg_basebackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to # migrate databases to CloudNativePG, even from outside Kubernetes. # TODO method: object_store ## set a revision to append to the serverName to ensure restore and backup dont target the same thing # revision: 1 # override serverName in recovery obkect servername: "" ## Point in time recovery target. Specify one of the following: pitrTarget: # Time in RFC3339 format time: "" # Name of the backup to recover from. Required if method is `backup`. backupName: "" # Object Store Recovery Method clusterName: "" # Overrides the provider specific default path. Defaults to: # S3: s3:// # Azure: https://..core.windows.net/ # Google: gs:// destinationPath: "" # Database cluster backup configuration backups: # You need to configure backups manually, so backups are disabled by default. enabled: false encryption: enabled: false ## set a revision to append to the serverName to ensure restore and backup dont target the same thing # revision: 1 # override serverName in recovery obkect servername: "" # Overrides the provider specific default path. Defaults to: # S3: s3:// # Azure: https://..core.windows.net/ # Google: gs:// destinationPath: "" # default: primary, other option prefer-standby target: "" # name of credentials in .Values.Credentials credentials: "" scheduledBackups: - name: daily-backup schedule: "0 0 0 * * *" backupOwnerReference: self immediate: true suspend: false retentionPolicy: "30d" # - Manual list of backups manualBackups: [] # - name: today # labels: {} # annotations: {} # - name: beforeUpgrade # labels: {} # annotations: {} # Database cluster PgBouncer configuration pooler: enabled: false # -- enable to create extra pgbouncer for readonly access createRO: false poolMode: session # -- Gets scaled to 0 if hibernation is true instances: 2 # parameters: # max_client_conn: "1000" # default_pool_size: "25" labels: {} annotations: {} # -- contains credentials and urls output by generator creds: {} # -- Redis dependency configuration # @default -- See below redis: enabled: false includeCommon: false password: "PLACEHOLDERPASSWORD" # -- can be used to make an easy accessible note which URLS to use to access the DB. creds: {} secret: credentials: enabled: false # -- mariadb dependency configuration # @default -- See below mariadb: enabled: false includeCommon: false password: "PLACEHOLDERPASSWORD" rootPassword: "PLACEHOLDERROOTPASSWORD" # -- can be used to make an easy accessable note which URLS to use to access the DB. creds: {} # -- mongodb dependency configuration # @default -- See below mongodb: enabled: false includeCommon: false password: "PLACEHOLDERPASSWORD" rootPassword: "PLACEHOLDERROOTPASSWORD" # -- can be used to make an easy accessable note which URLS to use to access the DB. creds: {} # -- clickhouse dependency configuration # @default -- See below clickhouse: enabled: false includeCommon: false password: "PLACEHOLDERPASSWORD" # -- can be used to make an easy accessable note which URLS to use to access the DB. creds: {} # -- solr dependency configuration # @default -- See below solr: enabled: false includeCommon: false password: "PLACEHOLDERPASSWORD" solrCores: 1 solrEnableAuthentication: "no" # -- can be used to make an easy accessable note which URLS to use to access the DB. creds: {} # -- List of extra objects to deploy with the release extraTpl: []