opensearch

Helm chart

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @section OpenSearch cluster Parameters

## @param clusterName OpenSearch cluster name
##
clusterName: open
## @param containerPorts.restAPI OpenSearch REST API port
## @param containerPorts.transport OpenSearch Transport port
##
containerPorts:
  restAPI: 9200
  transport: 9300
## @param plugins Comma, semi-colon or space separated list of plugins to install at initialization
##
plugins: ""
## @param snapshotRepoPath File System snapshot repository path
##
snapshotRepoPath: ""
## @param config Override opensearch configuration
##
config: {}
## @param extraConfig Append extra configuration to the opensearch node configuration
## Use this instead of `config` to add more configuration
## See below example:
## extraConfig:
##   node:
##     store:
##       allow_mmap: false
## ref: https://www.open.co/guide/en/opensearch/reference/current/settings.html
##
extraConfig: {}
## @param extraHosts A list of external hosts which are part of this cluster
## Example Use Case: When you have a cluster with nodes spanned across multiple K8s or namespaces
## extraHosts:
##   - datacenter2-opensearch-master-hl.namespace2.svc
##   - datacenter2-opensearch-data-hl.namespace2.svc
extraHosts: []
## @param extraVolumes A list of volumes to be added to the pod
## Example Use Case: mount ssl certificates when opensearch has tls enabled
## extraVolumes:
##   - name: es-certs
##     secret:
##       defaultMode: 420
##       secretName: es-certs
extraVolumes: []
## @param extraVolumeMounts A list of volume mounts to be added to the pod
## extraVolumeMounts:
##   - name: es-certs
##     mountPath: /certs
##     readOnly: true
extraVolumeMounts: []
## @param initScripts Dictionary of init scripts. Evaluated as a template.
## Specify dictionary of scripts to be run at first boot
## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
## For example:
## initScripts:
##   my_init_script.sh: |
##     #!/bin/sh
##     echo "Do something."
initScripts: {}
## @param initScriptsCM ConfigMap with the init scripts. Evaluated as a template.
## Note: This will override initScripts
##
initScriptsCM: ""
## @param initScriptsSecret Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time that contain sensitive data. Evaluated as a template.
##
initScriptsSecret: ""
## @param extraEnvVars Array containing extra env vars to be added to all pods (evaluated as a template)
## For example:
## extraEnvVars:
##   - name: MY_ENV_VAR
##     value: env_var_value
##
extraEnvVars: []
## @param extraEnvVarsCM ConfigMap containing extra env vars to be added to all pods (evaluated as a template)
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret containing extra env vars to be added to all pods (evaluated as a template)
##
extraEnvVarsSecret: ""
## @param sidecars Add additional sidecar containers to all opensearch node pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to all opensearch node pod(s)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     command: ['sh', '-c', 'echo "hello world"']
##
initContainers: []
## @param useIstioLabels Use this variable to add Istio labels to all pods
##
useIstioLabels: true
## Iamguarded OpenSearch image
## @param image.registry [default: REGISTRY_NAME] OpenSearch image registry
## @param image.repository [default: REPOSITORY_NAME/opensearch] OpenSearch image repository
## @skip image.tag OpenSearch image tag (immutable tags are recommended)
## @param image.digest OpenSearch image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy OpenSearch image pull policy
## @param image.pullSecrets OpenSearch image pull secrets
## @param image.debug Enable OpenSearch image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/opensearch-iamguarded
  tag: 3.5.0
  digest: ""
  ## Specify a imagePullPolicy
  ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## X-Pack security parameters
## Note: TLS configuration is required in order to configure password authentication
##
security:
  ## @param security.enabled Enable X-Pack Security settings
  ##
  enabled: false
  ## @param security.adminPassword Password for 'admin' user
  ##
  adminPassword: ""
  ## @param security.logstashPassword Password for Logstash
  ##
  logstashPassword: ""
  ## @param security.existingSecret Name of the existing secret containing the OpenSearch password and
  ##
  existingSecret: ""
  ## FIPS mode
  ## @param security.fipsMode Configure opensearch with FIPS 140 compliant mode
  ## Ref: https://www.open.co/guide/en/opensearch/reference/current/fips-140-compliance.html
  ##
  fipsMode: false
  ## TLS configuration
  ##
  tls:
    ## @section OpenSearch admin parameters
    ## @param security.tls.admin.existingSecret Existing secret containing the certificates for admin
    ## @param security.tls.admin.certKey Key containing the crt for admin certificate (defaults to admin.crt)
    ## @param security.tls.admin.keyKey Key containing the key for admin certificate (defaults to admin.key)
    ##
    admin:
      existingSecret: ""
      certKey: ""
      keyKey: ""
    ## @param security.tls.restEncryption Enable SSL/TLS encryption for OpenSearch REST API.
    ##
    restEncryption: false
    ## @param security.tls.autoGenerated Create self-signed TLS certificates.
    ## NOTE: If autoGenerated certs are enabled and a new node type is enabled using helm upgrade, make sure you remove previously existing OpenSearch TLS secrets.
    ## Otherwise, the new node certs won't match the existing certs.
    ##
    autoGenerated: true
    ## @param security.tls.verificationMode Verification mode for SSL communications.
    ## Supported values: full, certificate, none.
    ## Ref: https://www.open.co/guide/en/opensearch/reference/current/security-settings.html
    ##
    verificationMode: "full"
    ## TLS configuration for master nodes
    ##
    master:
      ## @param security.tls.master.existingSecret Existing secret containing the certificates for the master nodes
      ## @param security.tls.master.certKey Key containing the crt for master nodes certificate (defaults to tls.crt)
      ## @param security.tls.master.keyKey Key containing the key for master nodes certificate (defaults to tls.key)
      ## @param security.tls.master.caKey Key containing the ca for master nodes certificate (defaults to ca.crt)
      ##
      existingSecret: ""
      certKey: ""
      keyKey: ""
      caKey: ""
    ## TLS configuration for data nodes
    ##
    data:
      ## @param security.tls.data.existingSecret Existing secret containing the certificates for the data nodes
      ## @param security.tls.data.certKey Key containing the crt for data nodes certificate (defaults to tls.crt)
      ## @param security.tls.data.keyKey Key containing the key for data nodes certificate (defaults to tls.key)
      ## @param security.tls.data.caKey Key containing the ca for data nodes certificate (defaults to ca.crt)
      ##
      existingSecret: ""
      certKey: ""
      keyKey: ""
      caKey: ""
    ## TLS configuration for ingest nodes
    ##
    ingest:
      ## @param security.tls.ingest.existingSecret Existing secret containing the certificates for the ingest nodes
      ## @param security.tls.ingest.certKey Key containing the crt for ingest nodes certificate (defaults to tls.crt)
      ## @param security.tls.ingest.keyKey Key containing the key for ingest nodes certificate (defaults to tls.key)
      ## @param security.tls.ingest.caKey Key containing the ca for ingest nodes certificate (defaults to ca.crt)
      ##
      existingSecret: ""
      certKey: ""
      keyKey: ""
      caKey: ""
    ## TLS configuration for coordinating nodes
    ##
    coordinating:
      ## @param security.tls.coordinating.existingSecret Existing secret containing the certificates for the coordinating nodes
      ## @param security.tls.coordinating.certKey Key containing the crt for coordinating nodes certificate (defaults to tls.crt)
      ## @param security.tls.coordinating.keyKey Key containing the key for coordinating nodes certificate (defaults to tls.key)
      ## @param security.tls.coordinating.caKey Key containing the ca for coordinating nodes certificate (defaults to ca.crt)
      ##
      existingSecret: ""
      certKey: ""
      keyKey: ""
      caKey: ""
    ## @param security.tls.keystoreFilename Name of the keystore file
    ##
    keystoreFilename: opensearch.keystore.jks
    ## @param security.tls.truststoreFilename Name of the truststore
    ##
    truststoreFilename: opensearch.truststore.jks
    ## @param security.tls.usePemCerts Use this variable if your secrets contain PEM certificates instead of JKS/PKCS12
    ## Ignored when using autoGenerated certs.
    ##
    usePemCerts: false
    ## @param security.tls.passwordsSecret Existing secret containing the Keystore and Truststore passwords, or key password if PEM certs are used
    ##
    passwordsSecret: ""
    ## @param security.tls.keystorePassword Password to access the JKS/PKCS12 keystore or PEM key when they are password-protected.
    ## Ignored if security.tls.passwordsSecret is provided.
    ##
    keystorePassword: ""
    ## @param security.tls.truststorePassword Password to access the JKS/PKCS12 truststore when they are password-protected.
    ## Ignored if security.tls.passwordsSecret is provided.
    ##
    truststorePassword: ""
    ## @param security.tls.keyPassword Password to access the PEM key when they are password-protected.
    ## Ignored if security.tls.passwordsSecret is provided.
    ##
    keyPassword: ""
    ## @param security.tls.secretKeystoreKey Name of the secret key containing the Keystore password
    ##
    secretKeystoreKey: ""
    ## @param security.tls.secretTruststoreKey Name of the secret key containing the Truststore password
    ##
    secretTruststoreKey: ""
    ## @param security.tls.secretKey Name of the secret key containing the PEM key password
    ##
    secretKey: ""
    ## @param security.tls.nodesDN A comma separated list of DN for nodes
    ## e.g. nodesDN: "O=Example CA,C=SE,UID=c-5ca04c9328c8208704310f7c2ed16414"
    ##
    ##
    nodesDN: ""
    ## @param security.tls.adminDN A comma separated list of DN for admins
    ## Note that this parameter has lower priority than extraConfig.plugins.security.authcz.admin_dn and will be overridden if both parameters are set.
    ##
    ## Also, due to specifics of the config bootstrap script implementation, spaces will be treated as separators.
    ## For example, "CN=admin,O=Some Organisation,L=SomeCity,C=SomeCountry" will become:
    ##   admin_dn:
    ##     - CN=admin,O=Some
    ##     - Organisation,L=SomeCity,C=SomeCountry
    ##
    ## To avoid this, consider using extraConfig.plugins.security.authcz.admin_dn instead.
    ##
    ##
    adminDN: "CN=admin;CN=admin"
## @section Traffic Exposure Parameters

## OpenSearch service parameters
##
service:
  ## @param service.type OpenSearch service type
  ##
  type: ClusterIP
  ## @param service.ports.restAPI OpenSearch service REST API port
  ## @param service.ports.transport OpenSearch service transport port
  ##
  ports:
    restAPI: 9200
    transport: 9300
  ## Node ports to expose
  ## @param service.nodePorts.restAPI Node port for REST API
  ## @param service.nodePorts.transport Node port for REST API
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    restAPI: ""
    transport: ""
  ## @param service.clusterIP OpenSearch service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP OpenSearch service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges OpenSearch service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy OpenSearch service external traffic policy
  ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for OpenSearch service
  ##
  annotations: {}
  ## @param service.extraPorts Extra ports to expose in OpenSearch service (normally used with the `sidecars` value)
  ##
  extraPorts: []
  ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
  ## If "ClientIP", consecutive client requests will be directed to the same Pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
## OpenSearch ingress parameters
## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for OpenSearch
  ##
  enabled: false
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record
  ##
  hostname: opensearch.local
  ## @param ingress.path Default path for the ingress record
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
  ##
  path: /
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: opensearch.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ## - hosts:
  ##     - opensearch.local
  ##   secretName: opensearch.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: opensearch.local-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ## - host: example.local
  ##   http:
  ##     path: /
  ##     backend:
  ##       service:
  ##         name: example-svc
  ##         port:
  ##           name: http
  ##
  extraRules: []
531
## @section Master-eligible nodes parameters
532
master:
533
## @param master.masterOnly Deploy the OpenSearch master-eligible nodes as master-only nodes. Recommended for high-demand deployments.
534
## If you are
535
masterOnly: true
536
## @param master.replicaCount Number of master-eligible replicas to deploy
537
##
538
replicaCount: 2
539
## @param master.extraRoles Append extra roles to the node role
540
##
541
extraRoles: []
542
## Pod Disruption Budget configuration
543
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
544
## @param master.pdb.create Enable/disable a Pod Disruption Budget creation
545
## @param master.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
546
## @param master.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `master.pdb.minAvailable` and `master.pdb.maxUnavailable` are empty.
547
##
548
pdb:
549
create: true
550
minAvailable: ""
551
maxUnavailable: ""
552
## @param master.nameOverride String to partially override opensearch.master.fullname
553
##
554
nameOverride: ""
555
## @param master.fullnameOverride String to fully override opensearch.master.fullname
556
##
557
fullnameOverride: ""
558
## @param master.servicenameOverride String to fully override opensearch.master.servicename
559
## DEPRECATED: Use master.service.headless.nameOverride instead
560
##
561
servicenameOverride: ""
562
## @param master.annotations [object] Annotations for the master statefulset
563
##
564
annotations: {}
565
## @param master.updateStrategy.type Master-eligible nodes statefulset strategy type
566
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
567
##
568
updateStrategy:
569
type: RollingUpdate
570
## OpenSearch resource requests and limits
571
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
572
## We usually recommend not to specify default resources and to leave this as a conscious
573
## choice for the user. This also increases chances charts run on environments with little
574
## resources, such as Minikube. If you do want to specify resources, uncomment the following
575
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
576
## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
577
##
578
resourcesPreset: "medium"
579
## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
580
## Example:
581
## resources:
582
## requests:
583
## cpu: 2
584
## memory: 512Mi
585
## limits:
586
## cpu: 3
587
## memory: 1024Mi
588
##
589
resources: {}
590
## @param master.heapSize OpenSearch master-eligible node heap size.
591
## Note: The recommended heapSize is half of the container's memory.
592
## If omitted, it will be automatically set.
593
## Example:
594
## heapSize: 128m
595
##
596
heapSize: 512m
597
## Configure Pods Security Context
598
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
599
## @param master.podSecurityContext.enabled Enabled master-eligible pods' Security Context
600
## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
601
## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface
602
## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups
603
## @param master.podSecurityContext.fsGroup Set master-eligible pod's Security Context fsGroup
604
##
605
podSecurityContext:
606
enabled: true
607
fsGroupChangePolicy: Always
608
sysctls: []
609
supplementalGroups: []
610
fsGroup: 1001
611
## Configure Container Security Context
612
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
613
## @param master.containerSecurityContext.enabled Enabled containers' Security Context
614
## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
615
## @param master.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
616
## @param master.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
617
## @param master.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
618
## @param master.containerSecurityContext.privileged Set container's Security Context privileged
619
## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
620
## @param master.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
621
## @param master.containerSecurityContext.capabilities.drop List of capabilities to be dropped
622
## @param master.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
623
##
624
containerSecurityContext:
625
enabled: true
626
seLinuxOptions: {}
627
runAsUser: 1001
628
runAsGroup: 1001
629
runAsNonRoot: true
630
privileged: false
631
readOnlyRootFilesystem: true
632
allowPrivilegeEscalation: false
633
capabilities:
634
drop: ["ALL"]
635
seccompProfile:
636
type: "RuntimeDefault"
637
## @param master.automountServiceAccountToken Mount Service Account token in pod
638
##
639
automountServiceAccountToken: false
640
## @param master.hostAliases master-eligible pods host aliases
641
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
642
##
643
hostAliases: []
644
## @param master.podLabels Extra labels for master-eligible pods
645
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
646
##
647
podLabels: {}
648
## @param master.podAnnotations Annotations for master-eligible pods
649
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
650
##
651
podAnnotations: {}
652
## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
653
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
654
##
655
podAffinityPreset: ""
656
## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
657
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
658
##
659
podAntiAffinityPreset: ""
660
## Node master.affinity preset
661
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
662
##
663
nodeAffinityPreset:
664
## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
665
##
666
type: ""
667
## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set
668
##
669
key: ""
670
## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set
671
## E.g.
672
## values:
673
## - e2e-az1
674
## - e2e-az2
675
##
676
values: []
677
## @param master.affinity Affinity for master-eligible pods assignment
678
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
679
## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set
680
##
681
affinity: {}
682
## @param master.nodeSelector Node labels for master-eligible pods assignment
683
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
684
##
685
nodeSelector: {}
686
## @param master.tolerations Tolerations for master-eligible pods assignment
687
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
688
##
689
tolerations: []
690
## @param master.priorityClassName master-eligible pods' priorityClassName
691
##
692
priorityClassName: ""
693
## @param master.schedulerName Name of the k8s scheduler (other than default) for master-eligible pods
694
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
695
##
696
schedulerName: ""
697
## @param master.terminationGracePeriodSeconds In seconds, time the given to the OpenSearch Master pod needs to terminate gracefully
698
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
699
##
700
terminationGracePeriodSeconds: ""
701
## @param master.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
702
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
703
##
704
topologySpreadConstraints: []
705
## @param master.podManagementPolicy podManagementPolicy to manage scaling operation of OpenSearch master pods
706
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
707
##
708
podManagementPolicy: "Parallel"
709
  ## Configure extra options for OpenSearch master-eligible containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param master.startupProbe.enabled Enable/disable the startup probe (master nodes pod)
  ## @param master.startupProbe.initialDelaySeconds Delay before startup probe is initiated (master nodes pod)
  ## @param master.startupProbe.periodSeconds How often to perform the probe (master nodes pod)
  ## @param master.startupProbe.timeoutSeconds When the probe times out (master nodes pod)
  ## @param master.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (master nodes pod)
  ## @param master.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param master.livenessProbe.enabled Enable/disable the liveness probe (master-eligible nodes pod)
  ## @param master.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated (master-eligible nodes pod)
  ## @param master.livenessProbe.periodSeconds How often to perform the probe (master-eligible nodes pod)
  ## @param master.livenessProbe.timeoutSeconds When the probe times out (master-eligible nodes pod)
  ## @param master.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (master-eligible nodes pod)
  ## @param master.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 180
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param master.readinessProbe.enabled Enable/disable the readiness probe (master-eligible nodes pod)
  ## @param master.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated (master-eligible nodes pod)
  ## @param master.readinessProbe.periodSeconds How often to perform the probe (master-eligible nodes pod)
  ## @param master.readinessProbe.timeoutSeconds When the probe times out (master-eligible nodes pod)
  ## @param master.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (master-eligible nodes pod)
  ## @param master.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param master.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param master.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param master.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param master.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param master.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param master.lifecycleHooks for the master-eligible container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param master.extraEnvVars Array with extra environment variables to add to master-eligible nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for master-eligible nodes
  ##
  extraEnvVarsCM: ""
  ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for master-eligible nodes
  ##
  extraEnvVarsSecret: ""
  ## @param master.extraVolumes Optionally specify extra list of additional volumes for the master-eligible pod(s)
  ##
  extraVolumes: []
  ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the master-eligible container(s)
  ##
  extraVolumeMounts: []
  ## @param master.sidecars Add additional sidecar containers to the master-eligible pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param master.initContainers Add additional init containers to the master-eligible pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param master.persistence.enabled Enable persistence using a `PersistentVolumeClaim`
    ##
    enabled: true
    ## @param master.persistence.storageClass Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param master.persistence.existingClaim Existing Persistent Volume Claim
    ## then accept the value as an existing Persistent Volume Claim to which
    ## the container should be bound
    ##
    existingClaim: ""
    ## @param master.persistence.existingVolume Existing Persistent Volume for use as volume match label selector to the `volumeClaimTemplate`. Ignored when `master.persistence.selector` is set.
    ##
    existingVolume: ""
    ## @param master.persistence.selector Configure custom selector for existing Persistent Volume. Overwrites `master.persistence.existingVolume`
    ## selector:
    ##   matchLabels:
    ##     volume:
    ##
    selector: {}
    ## @param master.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param master.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param master.persistence.size Persistent Volume Size
    ##
    size: 8Gi
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param master.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param master.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param master.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: false
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param master.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param master.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports OpenSearch is
    ## listening on. When true, OpenSearch will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param master.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param master.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param master.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param master.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param master.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  autoscaling:
    vpa:
      ## @param master.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param master.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param master.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param master.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param master.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param master.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param master.autoscaling.hpa.enabled Enable HPA for master-eligible nodes
      ##
      enabled: false
      ## @param master.autoscaling.hpa.minReplicas Minimum number of master-eligible node replicas
      ##
      minReplicas: 3
      ## @param master.autoscaling.hpa.maxReplicas Maximum number of master-eligible node replicas
      ##
      maxReplicas: 11
      ## @param master.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param master.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## Master-eligible service parameters
  ##
  service:
    ## Headless service properties
    ##
    headless:
      ## @param master.service.headless.annotations Annotations for the Master-eligible headless service.
      ##
      annotations: {}
      ## @param master.service.headless.nameOverride String to fully override opensearch.master.servicename
      ##
      nameOverride: ""
      ## @param master.service.headless.trafficDistribution String Traffic distribution for the master headless service
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
      ##
      trafficDistribution: "PreferClose"
  ## Metrics configuration for master-eligible node
  ##
  metrics:
    ## @param master.metrics.enabled Enable master-eligible node metrics
    ##
    enabled: false
    service:
      ## @param master.metrics.service.ports.metrics master-eligible node metrics service port
      ##
      ports:
        metrics: 80
      ## @param master.metrics.service.clusterIP master-eligible node metrics service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
    ## master-eligible node metrics service monitor configuration
    ##
    serviceMonitor:
      ## @param master.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
      ##
      enabled: false
      ## @param master.metrics.serviceMonitor.namespace Namespace which Prometheus is running in
      ## e.g:
      ## namespace: monitoring
      ##
      namespace: ""
      ## @param master.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param master.metrics.serviceMonitor.interval Interval at which metrics should be scraped
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ##
      interval: 30s
      ## @param master.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ##
      scrapeTimeout: 10s
      ## @param master.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
      ##
      relabelings: []
      ## @param master.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
      ##
      metricRelabelings: []
      ## @param master.metrics.serviceMonitor.selector ServiceMonitor selector labels
      ##
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
      ## @param master.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Rules for PrometheusRule object if enabled
    ##
    ## E.g.
    ## @param master.metrics.rules.enabled Enable rendering of extra rules for PrometheusRule object
    ## @param master.metrics.rules.spec Rules to render into the PrometheusRule object
    ## @param master.metrics.rules.selector Selector for the PrometheusRule object
    ## @param master.metrics.rules.namespace Namespace where to create the PrometheusRule object
    ## @param master.metrics.rules.additionalLabels Additional labels to add to the PrometheusRule object
    ##
    rules:
      enabled: false
      ## E.g
      ## - alert: ArgoAppMissing
      ##   expr: |
      ##     absent(argocd_app_info)
      ##   for: 15m
      ##   labels:
      ##     severity: critical
      ##   annotations:
      ##     summary: "[ArgoCD] No reported applications"
      ##     description: >
      ##       ArgoCD has not reported any applications data for the past 15 minutes which
      ##       means that it must be down or not functioning properly.  This needs to be
      ##       resolved for this cloud to continue to maintain state.
      ## - alert: ArgoAppNotSynced
      ##   expr: |
      ##     argocd_app_info{sync_status!="Synced"} == 1
      ##   for: 12h
      ##   labels:
      ##     severity: warning
      ##   annotations:
      ##     summary: "[{{`{{ $labels.name }}`}}] Application not synchronized"
      ##     description: >
      ##       The application [{{`{{ $labels.name }}`}}] has not been synchronized for over
      ##       12 hours which means that the state of this cloud has drifted away from the
      ##       state inside Git.
      ##
      spec: []
      ## E.g
      ## selector:
      ##   prometheus: kube-prometheus
      ##
      selector: {}
      namespace: monitoring
      additionalLabels: {}
## @section Data-only nodes parameters
data:
  ## @param data.replicaCount Number of data-only replicas to deploy
  ##
  replicaCount: 2
  ## @param data.extraRoles Append extra roles to the node role
  ##
  extraRoles: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param data.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param data.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param data.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `data.pdb.minAvailable` and `data.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param data.nameOverride String to partially override opensearch.data.fullname
  ##
  nameOverride: ""
  ## @param data.fullnameOverride String to fully override opensearch.data.fullname
  ##
  fullnameOverride: ""
  ## @param data.servicenameOverride String to fully override opensearch.data.servicename
  ## DEPRECATED: Use data.service.headless.nameOverride instead
  ##
  servicenameOverride: ""
  ## @param data.annotations [object] Annotations for the data statefulset
  ##
  annotations: {}
  ## @param data.updateStrategy.type Data-only nodes statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## OpenSearch resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param data.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if data.resources is set (data.resources is recommended for production).
  ##
  resourcesPreset: "medium"
  ## @param data.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param data.heapSize OpenSearch data node heap size.
  ## Note: The recommended heapSize is half of the container's memory.
  ## If omitted, it will be automatically set.
  ## Example:
  ##   heapSize: 128m
  ##
  heapSize: 1024m
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param data.podSecurityContext.enabled Enabled data pods' Security Context
  ## @param data.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param data.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param data.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param data.podSecurityContext.fsGroup Set data pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param data.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param data.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param data.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param data.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param data.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param data.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param data.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param data.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param data.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param data.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param data.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param data.hostAliases data pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param data.podLabels Extra labels for data pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param data.podAnnotations Annotations for data pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param data.podAffinityPreset Pod affinity preset. Ignored if `data.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param data.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `data.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: ""
  ## Node data.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param data.nodeAffinityPreset.type Node affinity preset type. Ignored if `data.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param data.nodeAffinityPreset.key Node label key to match. Ignored if `data.affinity` is set
    ##
    key: ""
    ## @param data.nodeAffinityPreset.values Node label values to match. Ignored if `data.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param data.affinity Affinity for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `data.podAffinityPreset`, `data.podAntiAffinityPreset`, and `data.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param data.nodeSelector Node labels for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param data.tolerations Tolerations for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param data.priorityClassName data pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param data.schedulerName Name of the k8s scheduler (other than default) for data pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param data.terminationGracePeriodSeconds Time in seconds given to the OpenSearch data pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param data.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param data.podManagementPolicy podManagementPolicy to manage scaling operation of OpenSearch data pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: "Parallel"
  ## Configure extra options for OpenSearch data containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param data.startupProbe.enabled Enable/disable the startup probe (data nodes pod)
  ## @param data.startupProbe.initialDelaySeconds Delay before startup probe is initiated (data nodes pod)
  ## @param data.startupProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param data.startupProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param data.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param data.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param data.livenessProbe.enabled Enable/disable the liveness probe (data nodes pod)
  ## @param data.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated (data nodes pod)
  ## @param data.livenessProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param data.livenessProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param data.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param data.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 180
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param data.readinessProbe.enabled Enable/disable the readiness probe (data nodes pod)
  ## @param data.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated (data nodes pod)
  ## @param data.readinessProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param data.readinessProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param data.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param data.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param data.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param data.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param data.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param data.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param data.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param data.lifecycleHooks for the data container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param data.extraEnvVars Array with extra environment variables to add to data nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param data.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for data nodes
  ##
  extraEnvVarsCM: ""
  ## @param data.extraEnvVarsSecret Name of existing Secret containing extra env vars for data nodes
  ##
  extraEnvVarsSecret: ""
  ## @param data.extraVolumes Optionally specify extra list of additional volumes for the data pod(s)
  ##
  extraVolumes: []
  ## @param data.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the data container(s)
  ##
  extraVolumeMounts: []
  ## @param data.sidecars Add additional sidecar containers to the data pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param data.initContainers Add additional init containers to the data pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param data.persistence.enabled Enable persistence using a `PersistentVolumeClaim`
    ##
    enabled: true
    ## @param data.persistence.storageClass Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param data.persistence.existingClaim Existing Persistent Volume Claim
    ## then accept the value as an existing Persistent Volume Claim to which
    ## the container should be bound
    ##
    existingClaim: ""
    ## @param data.persistence.existingVolume Existing Persistent Volume for use as volume match label selector to the `volumeClaimTemplate`. Ignored when `data.persistence.selector` is set.
    ##
    existingVolume: ""
    ## @param data.persistence.selector Configure custom selector for existing Persistent Volume. Overwrites `data.persistence.existingVolume`
    ## selector:
    ##   matchLabels:
    ##     volume:
    ##
    selector: {}
    ## @param data.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param data.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param data.persistence.size Persistent Volume Size
    ##
    size: 8Gi
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param data.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param data.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param data.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param data.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: false
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param data.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param data.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports OpenSearch is
    ## listening on. When true, OpenSearch will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param data.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param data.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param data.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param data.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param data.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  autoscaling:
    vpa:
      ## @param data.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param data.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param data.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param data.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param data.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param data.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param data.autoscaling.hpa.enabled Enable HPA for OpenSearch data nodes
      ##
      enabled: false
      ## @param data.autoscaling.hpa.minReplicas Minimum number of OpenSearch data node replicas
      ##
      minReplicas: 3
      ## @param data.autoscaling.hpa.maxReplicas Maximum number of OpenSearch data node replicas
      ##
      maxReplicas: 11
      ## @param data.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param data.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## Data service parameters
  ##
  service:
    ## Headless service properties
    ##
    headless:
      ## @param data.service.headless.annotations Annotations for the data headless service.
      ##
      annotations: {}
      ## @param data.service.headless.nameOverride String to fully override opensearch.data.servicename
      ##
      nameOverride: ""
      ## @param data.service.headless.trafficDistribution String Traffic distribution for the data headless service
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
      ##
      trafficDistribution: "PreferClose"
  ## Metrics configuration for data node
  ##
  metrics:
    ## @param data.metrics.enabled Enable data node metrics
    ##
    enabled: false
    service:
      ## @param data.metrics.service.ports.metrics data node metrics service port
      ##
      ports:
        metrics: 80
      ## @param data.metrics.service.clusterIP data node metrics service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
    ## data node metrics service monitor configuration
    ##
    serviceMonitor:
      ## @param data.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
      ##
      enabled: false
      ## @param data.metrics.serviceMonitor.namespace Namespace which Prometheus is running in
      ## e.g:
      ## namespace: monitoring
      ##
      namespace: ""
      ## @param data.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param data.metrics.serviceMonitor.interval Interval at which metrics should be scraped
      ## ref: https://github.com/coreos/prometheus-operator/blob/data/Documentation/api.md#endpoint
      ##
      interval: 30s
      ## @param data.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/data/Documentation/api.md#endpoint
      ##
      scrapeTimeout: 10s
      ## @param data.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
      ## ref: https://github.com/coreos/prometheus-operator/blob/data/Documentation/api.md#relabelconfig
      ##
      relabelings: []
      ## @param data.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
      ## ref: https://github.com/coreos/prometheus-operator/blob/data/Documentation/api.md#relabelconfig
      ##
      metricRelabelings: []
      ## @param data.metrics.serviceMonitor.selector ServiceMonitor selector labels
      ##
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
      ## @param data.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Rules for PrometheusRule object if enabled
    ##
    ## E.g.
    ## @param data.metrics.rules.enabled Enable render extra rules for PrometheusRule object
    ## @param data.metrics.rules.spec Rules to render into the PrometheusRule object
    ## @param data.metrics.rules.selector Selector for the PrometheusRule object
    ## @param data.metrics.rules.namespace Namespace where to create the PrometheusRule object
    ## @param data.metrics.rules.additionalLabels Additional labels to add to the PrometheusRule object
    ##
    rules:
      enabled: false
      ## E.g
      ## - alert: ArgoAppMissing
      ##   expr: |
      ##     absent(argocd_app_info)
      ##   for: 15m
      ##   labels:
      ##     severity: critical
      ##   annotations:
      ##     summary: "[ArgoCD] No reported applications"
      ##     description: >
      ##       ArgoCD has not reported any applications data for the past 15 minutes which
      ##       means that it must be down or not functioning properly. This needs to be
      ##       resolved for this cloud to continue to maintain state.
      ## - alert: ArgoAppNotSynced
      ##   expr: |
      ##     argocd_app_info{sync_status!="Synced"} == 1
      ##   for: 12h
      ##   labels:
      ##     severity: warning
      ##   annotations:
      ##     summary: "[{{`{{ $labels.name }}`}}] Application not synchronized"
      ##     description: >
      ##       The application [{{`{{ $labels.name }}`}}] has not been synchronized for over
      ##       12 hours which means that the state of this cloud has drifted away from the
      ##       state inside Git.
      ##
      spec: []
      ## E.g
      ## selector:
      ##   prometheus: kube-prometheus
      ##
      selector: {}
      namespace: monitoring
      additionalLabels: {}
## @section Coordinating-only nodes parameters
coordinating:
  ## @param coordinating.replicaCount Number of coordinating-only replicas to deploy
  ##
  replicaCount: 2
  ## @param coordinating.extraRoles Append extra roles to the node role
  ## NOTE: In OpenSearch, all nodes act as coordinators, coordinating-only nodes do not have any other role by default.
  ##
  extraRoles: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param coordinating.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param coordinating.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param coordinating.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `coordinating.pdb.minAvailable` and `coordinating.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param coordinating.nameOverride String to partially override opensearch.coordinating.fullname
  ##
  nameOverride: ""
  ## @param coordinating.fullnameOverride String to fully override opensearch.coordinating.fullname
  ##
  fullnameOverride: ""
  ## @param coordinating.servicenameOverride String to fully override opensearch.coordinating.servicename
  ## DEPRECATED: Use coordinating.service.headless.nameOverride instead
  ##
  servicenameOverride: ""
  ## @param coordinating.annotations [object] Annotations for the coordinating-only statefulset
  ##
  annotations: {}
  ## @param coordinating.updateStrategy.type Coordinating-only nodes statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## OpenSearch resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param coordinating.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if coordinating.resources is set (coordinating.resources is recommended for production).
  ##
  resourcesPreset: "medium"
  ## @param coordinating.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param coordinating.heapSize OpenSearch coordinating node heap size.
  ## Note: The recommended heapSize is half of the container's memory.
  ## If omitted, it will be automatically set.
  ## Example:
  ##   heapSize: 128m
  ##
  heapSize: 512m
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param coordinating.podSecurityContext.enabled Enabled coordinating-only pods' Security Context
  ## @param coordinating.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param coordinating.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param coordinating.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param coordinating.podSecurityContext.fsGroup Set coordinating-only pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param coordinating.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param coordinating.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param coordinating.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param coordinating.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param coordinating.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param coordinating.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param coordinating.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param coordinating.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param coordinating.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param coordinating.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param coordinating.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param coordinating.hostAliases coordinating-only pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param coordinating.podLabels Extra labels for coordinating-only pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param coordinating.podAnnotations Annotations for coordinating-only pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param coordinating.podAffinityPreset Pod affinity preset. Ignored if `coordinating.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param coordinating.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `coordinating.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param coordinating.nodeAffinityPreset.type Node affinity preset type. Ignored if `coordinating.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param coordinating.nodeAffinityPreset.key Node label key to match. Ignored if `coordinating.affinity` is set
    ##
    key: ""
    ## @param coordinating.nodeAffinityPreset.values Node label values to match. Ignored if `coordinating.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param coordinating.affinity Affinity for coordinating-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `coordinating.podAffinityPreset`, `coordinating.podAntiAffinityPreset`, and `coordinating.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param coordinating.nodeSelector Node labels for coordinating-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param coordinating.tolerations Tolerations for coordinating-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param coordinating.priorityClassName coordinating-only pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param coordinating.schedulerName Name of the k8s scheduler (other than default) for coordinating-only pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param coordinating.terminationGracePeriodSeconds Time in seconds given to the OpenSearch coordinating pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param coordinating.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param coordinating.podManagementPolicy podManagementPolicy to manage scaling operation of OpenSearch coordinating pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: "Parallel"
  ## Configure extra options for OpenSearch coordinating-only containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param coordinating.startupProbe.enabled Enable/disable the startup probe (coordinating-only nodes pod)
  ## @param coordinating.startupProbe.initialDelaySeconds Delay before startup probe is initiated (coordinating-only nodes pod)
  ## @param coordinating.startupProbe.periodSeconds How often to perform the probe (coordinating-only nodes pod)
  ## @param coordinating.startupProbe.timeoutSeconds When the probe times out (coordinating-only nodes pod)
  ## @param coordinating.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (coordinating-only nodes pod)
  ## @param coordinating.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param coordinating.livenessProbe.enabled Enable/disable the liveness probe (coordinating-only nodes pod)
  ## @param coordinating.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated (coordinating-only nodes pod)
  ## @param coordinating.livenessProbe.periodSeconds How often to perform the probe (coordinating-only nodes pod)
  ## @param coordinating.livenessProbe.timeoutSeconds When the probe times out (coordinating-only nodes pod)
  ## @param coordinating.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (coordinating-only nodes pod)
  ## @param coordinating.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 180
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param coordinating.readinessProbe.enabled Enable/disable the readiness probe (coordinating-only nodes pod)
  ## @param coordinating.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated (coordinating-only nodes pod)
  ## @param coordinating.readinessProbe.periodSeconds How often to perform the probe (coordinating-only nodes pod)
  ## @param coordinating.readinessProbe.timeoutSeconds When the probe times out (coordinating-only nodes pod)
  ## @param coordinating.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (coordinating-only nodes pod)
  ## @param coordinating.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param coordinating.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param coordinating.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param coordinating.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param coordinating.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param coordinating.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param coordinating.lifecycleHooks for the coordinating-only container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param coordinating.extraEnvVars Array with extra environment variables to add to coordinating-only nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param coordinating.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for coordinating-only nodes
  ##
  extraEnvVarsCM: ""
  ## @param coordinating.extraEnvVarsSecret Name of existing Secret containing extra env vars for coordinating-only nodes
  ##
  extraEnvVarsSecret: ""
  ## @param coordinating.extraVolumes Optionally specify extra list of additional volumes for the coordinating-only pod(s)
  ##
  extraVolumes: []
  ## @param coordinating.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the coordinating-only container(s)
  ##
  extraVolumeMounts: []
  ## @param coordinating.sidecars Add additional sidecar containers to the coordinating-only pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param coordinating.initContainers Add additional init containers to the coordinating-only pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param coordinating.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param coordinating.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param coordinating.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param coordinating.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: false
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param coordinating.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param coordinating.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports OpenSearch is
    ## listening on. When true, OpenSearch will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param coordinating.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param coordinating.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param coordinating.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param coordinating.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param coordinating.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  autoscaling:
    vpa:
      ## @param coordinating.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param coordinating.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param coordinating.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param coordinating.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param coordinating.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param coordinating.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param coordinating.autoscaling.hpa.enabled Enable HPA for OpenSearch coordinating-only nodes
      ##
      enabled: false
      ## @param coordinating.autoscaling.hpa.minReplicas Minimum number of OpenSearch coordinating-only node replicas
      ##
      minReplicas: 3
      ## @param coordinating.autoscaling.hpa.maxReplicas Maximum number of OpenSearch coordinating-only node replicas
      ##
      maxReplicas: 11
      ## @param coordinating.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param coordinating.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## Coordinating-only service parameters
  ##
  service:
    ## Headless service properties
    ##
    headless:
      ## @param coordinating.service.headless.annotations Annotations for the coordinating-only headless service.
      ##
      annotations: {}
      ## @param coordinating.service.headless.nameOverride String to fully override opensearch.coordinating.servicename
      ##
      nameOverride: ""
      ## @param coordinating.service.headless.trafficDistribution String Traffic distribution for the coordinating headless service
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
      ##
      trafficDistribution: "PreferClose"
  ## Metrics configuration for coordinating node
  ##
  metrics:
    ## @param coordinating.metrics.enabled Enable coordinating node metrics
    ##
    enabled: false
    service:
      ## @param coordinating.metrics.service.ports.metrics coordinating node metrics service port
      ##
      ports:
        metrics: 80
      ## @param coordinating.metrics.service.clusterIP coordinating node metrics service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
    ## coordinating node metrics service monitor configuration
    ##
    serviceMonitor:
      ## @param coordinating.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
      ##
      enabled: false
      ## @param coordinating.metrics.serviceMonitor.namespace Namespace which Prometheus is running in
      ## e.g:
      ## namespace: monitoring
      ##
      namespace: ""
      ## @param coordinating.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param coordinating.metrics.serviceMonitor.interval Interval at which metrics should be scraped
      ## ref: https://github.com/coreos/prometheus-operator/blob/coordinating/Documentation/api.md#endpoint
      ##
      interval: 30s
      ## @param coordinating.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/coordinating/Documentation/api.md#endpoint
      ##
      scrapeTimeout: 10s
      ## @param coordinating.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
      ## ref: https://github.com/coreos/prometheus-operator/blob/coordinating/Documentation/api.md#relabelconfig
      ##
      relabelings: []
      ## @param coordinating.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
      ## ref: https://github.com/coreos/prometheus-operator/blob/coordinating/Documentation/api.md#relabelconfig
      ##
      metricRelabelings: []
      ## @param coordinating.metrics.serviceMonitor.selector ServiceMonitor selector labels
      ##
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
      ## @param coordinating.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Rules for PrometheusRule object if enabled
    ##
    ## E.g.
    ## @param coordinating.metrics.rules.enabled Enable render extra rules for PrometheusRule object
    ## @param coordinating.metrics.rules.spec Rules to render into the PrometheusRule object
    ## @param coordinating.metrics.rules.selector Selector for the PrometheusRule object
    ## @param coordinating.metrics.rules.namespace Namespace where to create the PrometheusRule object
    ## @param coordinating.metrics.rules.additionalLabels Additional labels to add to the PrometheusRule object
    ##
    rules:
      enabled: false
      ## E.g
      ## - alert: ArgoAppMissing
      ##   expr: |
      ##     absent(argocd_app_info)
      ##   for: 15m
      ##   labels:
      ##     severity: critical
      ##   annotations:
      ##     summary: "[ArgoCD] No reported applications"
      ##     description: >
      ##       ArgoCD has not reported any applications data for the past 15 minutes which
      ##       means that it must be down or not functioning properly. This needs to be
      ##       resolved for this cloud to continue to maintain state.
      ## - alert: ArgoAppNotSynced
      ##   expr: |
      ##     argocd_app_info{sync_status!="Synced"} == 1
      ##   for: 12h
      ##   labels:
      ##     severity: warning
      ##   annotations:
      ##     summary: "[{{`{{ $labels.name }}`}}] Application not synchronized"
      ##     description: >
      ##       The application [{{`{{ $labels.name }}`}}] has not been synchronized for over
      ##       12 hours which means that the state of this cloud has drifted away from the
      ##       state inside Git.
      ##
      spec: []
      ## E.g
      ## selector:
      ##   prometheus: kube-prometheus
      ##
      selector: {}
      namespace: monitoring
      additionalLabels: {}
## @section Ingest-only nodes parameters
ingest:
  ## @param ingest.enabled Enable ingest nodes
  ##
  enabled: true
  ## @param ingest.replicaCount Number of ingest-only replicas to deploy
  ##
  replicaCount: 2
  ## @param ingest.extraRoles Append extra roles to the node role
  ##
  extraRoles: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param ingest.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param ingest.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param ingest.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `ingest.pdb.minAvailable` and `ingest.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param ingest.nameOverride String to partially override opensearch.ingest.fullname
  ##
  nameOverride: ""
  ## @param ingest.fullnameOverride String to fully override opensearch.ingest.fullname
  ##
  fullnameOverride: ""
  ## @param ingest.servicenameOverride String to fully override opensearch.ingest.servicename
  ## DEPRECATED: Use ingest.service.headless.nameOverride instead
  ##
  servicenameOverride: ""
  ## @param ingest.annotations [object] Annotations for the ingest statefulset
  ##
  annotations: {}
  ## @param ingest.updateStrategy.type Ingest-only nodes statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## OpenSearch resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param ingest.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if ingest.resources is set (ingest.resources is recommended for production).
  ##
  resourcesPreset: "medium"
  ## @param ingest.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param ingest.heapSize OpenSearch ingest-only node heap size.
  ## Note: The recommended heapSize is half of the container's memory.
  ## If omitted, it will be automatically set.
  ## Example:
  ##   heapSize: 128m
  ##
  heapSize: 512m
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param ingest.podSecurityContext.enabled Enabled ingest-only pods' Security Context
  ## @param ingest.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param ingest.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param ingest.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param ingest.podSecurityContext.fsGroup Set ingest-only pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param ingest.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param ingest.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param ingest.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param ingest.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param ingest.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param ingest.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param ingest.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param ingest.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param ingest.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param ingest.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param ingest.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param ingest.hostAliases ingest-only pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param ingest.podLabels Extra labels for ingest-only pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param ingest.podAnnotations Annotations for ingest-only pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param ingest.podAffinityPreset Pod affinity preset. Ignored if `ingest.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param ingest.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `ingest.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: ""
  ## Node ingest.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param ingest.nodeAffinityPreset.type Node affinity preset type. Ignored if `ingest.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param ingest.nodeAffinityPreset.key Node label key to match. Ignored if `ingest.affinity` is set
    ##
    key: ""
    ## @param ingest.nodeAffinityPreset.values Node label values to match. Ignored if `ingest.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param ingest.affinity Affinity for ingest-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `ingest.podAffinityPreset`, `ingest.podAntiAffinityPreset`, and `ingest.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param ingest.nodeSelector Node labels for ingest-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param ingest.tolerations Tolerations for ingest-only pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param ingest.priorityClassName ingest-only pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param ingest.schedulerName Name of the k8s scheduler (other than default) for ingest-only pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param ingest.terminationGracePeriodSeconds Time in seconds given to the OpenSearch ingest pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param ingest.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param ingest.podManagementPolicy podManagementPolicy to manage scaling operation of OpenSearch ingest pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: "Parallel"
  ## Configure extra options for OpenSearch ingest-only containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param ingest.startupProbe.enabled Enable/disable the startup probe (ingest-only nodes pod)
  ## @param ingest.startupProbe.initialDelaySeconds Delay before startup probe is initiated (ingest-only nodes pod)
  ## @param ingest.startupProbe.periodSeconds How often to perform the probe (ingest-only nodes pod)
  ## @param ingest.startupProbe.timeoutSeconds When the probe times out (ingest-only nodes pod)
  ## @param ingest.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (ingest-only nodes pod)
  ## @param ingest.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param ingest.livenessProbe.enabled Enable/disable the liveness probe (ingest-only nodes pod)
  ## @param ingest.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated (ingest-only nodes pod)
  ## @param ingest.livenessProbe.periodSeconds How often to perform the probe (ingest-only nodes pod)
  ## @param ingest.livenessProbe.timeoutSeconds When the probe times out (ingest-only nodes pod)
  ## @param ingest.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (ingest-only nodes pod)
  ## @param ingest.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 180
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param ingest.readinessProbe.enabled Enable/disable the readiness probe (ingest-only nodes pod)
  ## @param ingest.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated (ingest-only nodes pod)
  ## @param ingest.readinessProbe.periodSeconds How often to perform the probe (ingest-only nodes pod)
  ## @param ingest.readinessProbe.timeoutSeconds When the probe times out (ingest-only nodes pod)
  ## @param ingest.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (ingest-only nodes pod)
  ## @param ingest.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 90
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param ingest.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param ingest.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param ingest.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param ingest.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param ingest.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param ingest.lifecycleHooks for the ingest-only container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param ingest.extraEnvVars Array with extra environment variables to add to ingest-only nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param ingest.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for ingest-only nodes
  ##
  extraEnvVarsCM: ""
  ## @param ingest.extraEnvVarsSecret Name of existing Secret containing extra env vars for ingest-only nodes
  ##
  extraEnvVarsSecret: ""
  ## @param ingest.extraVolumes Optionally specify extra list of additional volumes for the ingest-only pod(s)
  ##
  extraVolumes: []
  ## @param ingest.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the ingest-only container(s)
  ##
  extraVolumeMounts: []
  ## @param ingest.sidecars Add additional sidecar containers to the ingest-only pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param ingest.initContainers Add additional init containers to the ingest-only pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param ingest.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param ingest.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param ingest.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param ingest.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: false
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param ingest.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param ingest.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports OpenSearch is
    ## listening on. When true, OpenSearch will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param ingest.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param ingest.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param ingest.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param ingest.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param ingest.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  autoscaling:
    vpa:
      ## @param ingest.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param ingest.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param ingest.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param ingest.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param ingest.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param ingest.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param ingest.autoscaling.hpa.enabled Enable HPA for OpenSearch ingest-only nodes
      ##
      enabled: false
      ## @param ingest.autoscaling.hpa.minReplicas Minimum number of OpenSearch ingest-only replicas
      ##
      minReplicas: 3
      ## @param ingest.autoscaling.hpa.maxReplicas Maximum number of OpenSearch ingest-only replicas
      ##
      maxReplicas: 11
      ## @param ingest.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param ingest.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## OpenSearch Ingest-only Service
  ## Recommended for heavy ingestion, improves performance by sending ingest traffic directly into the ingest nodes.
  ## NOTE: Ingest nodes will only accept index requests with an associated pipeline, any other request won't be rerouted.
  ##
  service:
    ## @param ingest.service.enabled Enable Ingest-only service
    ##
    enabled: false
    ## @param ingest.service.type OpenSearch ingest-only service type
    ##
    type: ClusterIP
    ## @param ingest.service.ports.restAPI OpenSearch service REST API port
    ## @param ingest.service.ports.transport OpenSearch service transport port
    ##
    ports:
      restAPI: 9200
      transport: 9300
    ## Node ports to expose
    ## @param ingest.service.nodePorts.restAPI Node port for REST API
    ## @param ingest.service.nodePorts.transport Node port for transport
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      restAPI: ""
      transport: ""
    ## @param ingest.service.clusterIP OpenSearch ingest-only service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param ingest.service.loadBalancerIP OpenSearch ingest-only service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param ingest.service.loadBalancerSourceRanges OpenSearch ingest-only service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param ingest.service.externalTrafficPolicy OpenSearch ingest-only service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param ingest.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param ingest.service.annotations Additional custom annotations for OpenSearch ingest-only service
    ##
    annotations: {}
    ## @param ingest.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param ingest.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## Headless service properties
    ##
    headless:
      ## @param ingest.service.headless.annotations Annotations for the ingest headless service.
      ##
      annotations: {}
      ## @param ingest.service.headless.nameOverride String to fully override opensearch.ingest.servicename
      ##
      nameOverride: ""
      ## @param ingest.service.headless.trafficDistribution String Traffic distribution for the ingest headless service
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
      ##
      trafficDistribution: "PreferClose"
  ## OpenSearch Ingest-only ingress parameters
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param ingest.ingress.enabled Enable ingress record generation for OpenSearch
    ##
    enabled: false
    ## @param ingest.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param ingest.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param ingest.ingress.hostname Default host for the ingress record
    ##
    hostname: opensearch-ingest.local
    ## @param ingest.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param ingest.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param ingest.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
    ##
    tls: false
    ## @param ingest.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param ingest.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param ingest.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: opensearch.local
    ##     path: /
    ##
    extraHosts: []
    ## @param ingest.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param ingest.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - opensearch.local
    ##   secretName: opensearch.local-tls
    ##
    extraTls: []
    ## @param ingest.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: opensearch.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param ingest.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## Metrics configuration for ingest node
  ##
  metrics:
    ## @param ingest.metrics.enabled Enable ingest node metrics
    ##
    enabled: false
    service:
      ## @param ingest.metrics.service.ports.metrics ingest node metrics service port
      ##
      ports:
        metrics: 80
      ## @param ingest.metrics.service.clusterIP ingest node metrics service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
    ## ingest node metrics service monitor configuration
    ##
    serviceMonitor:
      ## @param ingest.metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
      ##
      enabled: false
      ## @param ingest.metrics.serviceMonitor.namespace Namespace which Prometheus is running in
      ## e.g:
      ## namespace: monitoring
      ##
      namespace: ""
      ## @param ingest.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param ingest.metrics.serviceMonitor.interval Interval at which metrics should be scraped
      ## ref: https://github.com/coreos/prometheus-operator/blob/ingest/Documentation/api.md#endpoint
      ##
      interval: 30s
      ## @param ingest.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/ingest/Documentation/api.md#endpoint
      ##
      scrapeTimeout: 10s
      ## @param ingest.metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
      ## ref: https://github.com/coreos/prometheus-operator/blob/ingest/Documentation/api.md#relabelconfig
      ##
      relabelings: []
      ## @param ingest.metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
      ## ref: https://github.com/coreos/prometheus-operator/blob/ingest/Documentation/api.md#relabelconfig
      ##
      metricRelabelings: []
      ## @param ingest.metrics.serviceMonitor.selector ServiceMonitor selector labels
      ##
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
      ## @param ingest.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Rules for PrometheusRule object if enabled
    ##
    ## E.g.
    ## @param ingest.metrics.rules.enabled Enable rendering of extra rules for PrometheusRule object
    ## @param ingest.metrics.rules.spec Rules to render into the PrometheusRule object
    ## @param ingest.metrics.rules.selector Selector for the PrometheusRule object
    ## @param ingest.metrics.rules.namespace Namespace where to create the PrometheusRule object
    ## @param ingest.metrics.rules.additionalLabels Additional labels to add to the PrometheusRule object
    ##
    rules:
      enabled: false
      ## E.g
      ## - alert: ArgoAppMissing
      ##   expr: |
      ##     absent(argocd_app_info)
      ##   for: 15m
      ##   labels:
      ##     severity: critical
      ##   annotations:
      ##     summary: "[ArgoCD] No reported applications"
      ##     description: >
      ##       ArgoCD has not reported any applications data for the past 15 minutes which
      ##       means that it must be down or not functioning properly. This needs to be
      ##       resolved for this cloud to continue to maintain state.
      ## - alert: ArgoAppNotSynced
      ##   expr: |
      ##     argocd_app_info{sync_status!="Synced"} == 1
      ##   for: 12h
      ##   labels:
      ##     severity: warning
      ##   annotations:
      ##     summary: "[{{`{{ $labels.name }}`}}] Application not synchronized"
      ##     description: >
      ##       The application [{{`{{ $labels.name }}`}} has not been synchronized for over
      ##       12 hours which means that the state of this cloud has drifted away from the
      ##       state inside Git.
      ##
      spec: []
      ## E.g
      ## selector:
      ##   prometheus: kube-prometheus
      ##
      selector: {}
      namespace: monitoring
      additionalLabels: {}
## @section Init Container Parameters
2764
2765
## 'volumePermissions' init container parameters
2766
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
2767
## based on the *podSecurityContext/*containerSecurityContext parameters
2768
##
2769
volumePermissions:
2770
## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsUser` values do not work)
2771
##
2772
enabled: false
2773
## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
2774
## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name
2775
## @skip volumePermissions.image.tag Init container volume-permissions image tag
2776
## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
2777
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
2778
## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
2779
##
2780
image:
2781
registry: cgr.dev
2782
repository: chainguard-private/os-shell-iamguarded
2783
tag: 1.0.0
2784
digest: ""
2785
pullPolicy: IfNotPresent
2786
## Optionally specify an array of imagePullSecrets.
2787
## Secrets must be manually created in the namespace.
2788
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
2789
## e.g:
2790
## pullSecrets:
2791
## - myRegistryKeySecretName
2792
##
2793
pullSecrets: []
2794
## Init container' resource requests and limits
2795
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
2796
## We usually recommend not to specify default resources and to leave this as a conscious
2797
## choice for the user. This also increases chances charts run on environments with little
2798
## resources, such as Minikube. If you do want to specify resources, uncomment the following
2799
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
2800
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
2801
##
2802
resourcesPreset: "nano"
2803
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
2804
## Example:
2805
## resources:
2806
## requests:
2807
## cpu: 2
2808
## memory: 512Mi
2809
## limits:
2810
## cpu: 3
2811
## memory: 1024Mi
2812
##
2813
resources: {}
## Kernel settings modifier image
##
sysctlImage:
  ## @param sysctlImage.enabled Enable kernel settings modifier image
  ##
  enabled: true
  ## @param sysctlImage.registry [default: REGISTRY_NAME] Kernel settings modifier image registry
  ## @param sysctlImage.repository [default: REPOSITORY_NAME/os-shell] Kernel settings modifier image repository
  ## @skip sysctlImage.tag Kernel settings modifier image tag
  ## @param sysctlImage.digest Kernel settings modifier image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param sysctlImage.pullPolicy Kernel settings modifier image pull policy
  ## @param sysctlImage.pullSecrets Kernel settings modifier image pull secrets
  ##
  registry: cgr.dev
  repository: chainguard-private/os-shell-iamguarded
  tag: 1.0.0
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Init container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param sysctlImage.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if sysctlImage.resources is set (sysctlImage.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param sysctlImage.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
## @section OpenSearch Dashboards Parameters
dashboards:
  ## @param dashboards.enabled Enables OpenSearch Dashboards deployment
  ##
  enabled: false
  ## Iamguarded OpenSearch Dashboards image
  ## @param dashboards.image.registry [default: REGISTRY_NAME] OpenSearch Dashboards image registry
  ## @param dashboards.image.repository [default: REPOSITORY_NAME/opensearch-dashboards] OpenSearch Dashboards image repository
  ## @skip dashboards.image.tag OpenSearch Dashboards image tag (immutable tags are recommended)
  ## @param dashboards.image.digest OpenSearch Dashboards image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param dashboards.image.pullPolicy OpenSearch Dashboards image pull policy
  ## @param dashboards.image.pullSecrets OpenSearch Dashboards image pull secrets
  ## @param dashboards.image.debug Enable OpenSearch Dashboards image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## OpenSearch Dashboards service parameters
  ##
  service:
    ## @param dashboards.service.type OpenSearch Dashboards service type
    ##
    type: ClusterIP
    ## @param dashboards.service.ports.http OpenSearch Dashboards service web UI port
    ##
    ports:
      http: 5601
    ## Node ports to expose
    ## @param dashboards.service.nodePorts.http Node port for web UI
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
    ## @param dashboards.service.clusterIP OpenSearch Dashboards service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param dashboards.service.loadBalancerIP OpenSearch Dashboards service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param dashboards.service.loadBalancerSourceRanges OpenSearch Dashboards service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param dashboards.service.externalTrafficPolicy OpenSearch Dashboards service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param dashboards.service.annotations Additional custom annotations for OpenSearch Dashboards service
    ##
    annotations: {}
    ## @param dashboards.service.extraPorts Extra ports to expose in OpenSearch Dashboards service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param dashboards.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param dashboards.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param dashboards.service.nameOverride String to fully override opensearch.dashboards.servicename
    ##
    nameOverride: ""
  ## OpenSearch Dashboards ingress parameters
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param dashboards.ingress.enabled Enable ingress record generation for OpenSearch Dashboards
    ##
    enabled: false
    ## @param dashboards.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param dashboards.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param dashboards.ingress.hostname Default host for the ingress record
    ##
    hostname: opensearch-dashboards.local
    ## @param dashboards.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param dashboards.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param dashboards.ingress.tls Enable TLS configuration for the host defined at `dashboards.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
    ##
    tls: false
    ## @param dashboards.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param dashboards.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param dashboards.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: opensearch-dashboards.local
    ##     path: /
    ##
    extraHosts: []
    ## @param dashboards.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param dashboards.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - opensearch-dashboards.local
    ##   secretName: opensearch-dashboards.local-tls
    ##
    extraTls: []
    ## @param dashboards.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set, and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set, and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: opensearch-dashboards.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param dashboards.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @param dashboards.containerPorts.http OpenSearch Dashboards HTTP port
  ##
  containerPorts:
    http: 5601
  ## @param dashboards.password Password for OpenSearch Dashboards
  ##
  password: ""
  ## @param dashboards.replicaCount Number of data-only replicas to deploy
  ##
  replicaCount: 1
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param dashboards.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param dashboards.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param dashboards.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `dashboards.pdb.minAvailable` and `dashboards.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param dashboards.nameOverride String to partially override opensearch.dashboards.fullname
  ##
  nameOverride: ""
  ## @param dashboards.fullnameOverride String to fully override opensearch.dashboards.fullname
  ##
  fullnameOverride: ""
  ## @param dashboards.servicenameOverride String to fully override opensearch.dashboards.servicename
  ## DEPRECATED: Use dashboards.service.nameOverride instead
  ##
  servicenameOverride: ""
  ## @param dashboards.updateStrategy.type Data-only nodes statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## OpenSearch resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param dashboards.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dashboards.resources is set (dashboards.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param dashboards.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param dashboards.heapSize OpenSearch data node heap size.
  ## Note: The recommended heapSize is half of the container's memory.
  ## If omitted, it will be automatically set.
  ## Example:
  ##   heapSize: 128m
  ##
  heapSize: 1024m
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param dashboards.podSecurityContext.enabled Enabled data pods' Security Context
  ## @param dashboards.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param dashboards.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param dashboards.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param dashboards.podSecurityContext.fsGroup Set dashboards pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param dashboards.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param dashboards.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param dashboards.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param dashboards.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param dashboards.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param dashboards.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param dashboards.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param dashboards.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param dashboards.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param dashboards.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param dashboards.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param dashboards.hostAliases data pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param dashboards.podLabels Extra labels for data pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param dashboards.podAnnotations Annotations for data pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param dashboards.podAffinityPreset Pod affinity preset. Ignored if `dashboards.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param dashboards.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `dashboards.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: ""
  ## Node dashboards.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param dashboards.nodeAffinityPreset.type Node affinity preset type. Ignored if `dashboards.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param dashboards.nodeAffinityPreset.key Node label key to match. Ignored if `dashboards.affinity` is set
    ##
    key: ""
    ## @param dashboards.nodeAffinityPreset.values Node label values to match. Ignored if `dashboards.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param dashboards.affinity Affinity for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `dashboards.podAffinityPreset`, `dashboards.podAntiAffinityPreset`, and `dashboards.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param dashboards.nodeSelector Node labels for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param dashboards.tolerations Tolerations for data pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param dashboards.priorityClassName data pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param dashboards.schedulerName Name of the k8s scheduler (other than default) for data pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param dashboards.terminationGracePeriodSeconds Time, in seconds, given to the OpenSearch data pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param dashboards.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## Configure extra options for OpenSearch data containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param dashboards.startupProbe.enabled Enable/disable the startup probe (data nodes pod)
  ## @param dashboards.startupProbe.initialDelaySeconds Delay before startup probe is initiated (data nodes pod)
  ## @param dashboards.startupProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param dashboards.startupProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param dashboards.startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param dashboards.startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param dashboards.livenessProbe.enabled Enable/disable the liveness probe (data nodes pod)
  ## @param dashboards.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated (data nodes pod)
  ## @param dashboards.livenessProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param dashboards.livenessProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param dashboards.livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param dashboards.livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 180
    periodSeconds: 20
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 8
  ## @param dashboards.readinessProbe.enabled Enable/disable the readiness probe (data nodes pod)
  ## @param dashboards.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated (data nodes pod)
  ## @param dashboards.readinessProbe.periodSeconds How often to perform the probe (data nodes pod)
  ## @param dashboards.readinessProbe.timeoutSeconds When the probe times out (data nodes pod)
  ## @param dashboards.readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed (data nodes pod)
  ## @param dashboards.readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param dashboards.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## @param dashboards.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## @param dashboards.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param dashboards.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param dashboards.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param dashboards.lifecycleHooks for the data container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param dashboards.extraEnvVars Array with extra environment variables to add to data nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param dashboards.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for data nodes
  ##
  extraEnvVarsCM: ""
  ## @param dashboards.extraEnvVarsSecret Name of existing Secret containing extra env vars for data nodes
  ##
  extraEnvVarsSecret: ""
  ## @param dashboards.extraVolumes Optionally specify extra list of additional volumes for the data pod(s)
  ##
  extraVolumes: []
  ## @param dashboards.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the data container(s)
  ##
  extraVolumeMounts: []
  ## @param dashboards.sidecars Add additional sidecar containers to the data pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param dashboards.initContainers Add additional init containers to the data pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Pods Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param dashboards.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param dashboards.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param dashboards.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param dashboards.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: false
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param dashboards.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param dashboards.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports OpenSearch is
    ## listening on. When true, OpenSearch will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param dashboards.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param dashboards.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param dashboards.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param dashboards.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param dashboards.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  autoscaling:
    vpa:
      ## @param dashboards.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param dashboards.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param dashboards.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param dashboards.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param dashboards.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param dashboards.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param dashboards.autoscaling.hpa.enabled Enable HPA for APISIX Data Plane
      ##
      enabled: false
      ## @param dashboards.autoscaling.hpa.minReplicas Minimum number of APISIX Data Plane replicas
      ##
      minReplicas: 3
      ## @param dashboards.autoscaling.hpa.maxReplicas Maximum number of APISIX Data Plane replicas
      ##
      maxReplicas: 11
      ## @param dashboards.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param dashboards.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## TLS configuration
  ##
  tls:
    ## @param dashboards.tls.enabled Enable TLS for OpenSearch Dashboards webserver
    ##
    enabled: false
    ## @param dashboards.tls.existingSecret Existing secret containing the certificates for OpenSearch Dashboards webserver
    ##
    existingSecret: ""
    ## @param dashboards.tls.autoGenerated Create self-signed TLS certificates.
    ## NOTE: If autoGenerated certs are enabled and a new node type is enabled using helm upgrade, make sure you remove previously existing TLS secrets.
    ## Otherwise, the new node certs won't match the existing certs.
    ##
    autoGenerated: true
3445
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param dashboards.persistence.enabled Enable persistence using Persistent Volume Claims
    ##
    enabled: false
    ## @param dashboards.persistence.mountPath Path to mount the volume at.
    ##
    mountPath: /iamguarded/opensearch-dashboards
    ## @param dashboards.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
    ##
    subPath: ""
    ## @param dashboards.persistence.storageClass Storage class of backing PVC
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param dashboards.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param dashboards.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param dashboards.persistence.size Size of data volume
    ##
    size: 8Gi
    ## @param dashboards.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
    ## @param dashboards.persistence.selector Selector to match an existing Persistent Volume for OpenSearch data PVC
    ## If set, the PVC can't have a PV dynamically provisioned for it
    ## E.g.
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param dashboards.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
## @section OpenSearch Snapshots Parameters
snapshots:
  ## @param snapshots.enabled Enable automatic setup of repositories and snapshot policies
  ##
  enabled: false
  ## @param snapshots.command Override default container command (useful when using custom images)
  ##
  command: []
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param snapshots.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param snapshots.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param snapshots.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param snapshots.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param snapshots.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param snapshots.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param snapshots.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param snapshots.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param snapshots.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param snapshots.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param snapshots.fullnameOverride String to fully override opensearch.snapshots.fullname
  ##
  fullnameOverride: ""
  ## Iamguarded OpenSearch Snapshots image
  ## @param snapshots.image.registry [default: REGISTRY_NAME] OpenSearch Snapshots image registry
  ## @param snapshots.image.repository [default: REPOSITORY_NAME/os-shell] OpenSearch Snapshots image repository
  ## @skip snapshots.image.tag OpenSearch Snapshots image tag (immutable tags are recommended)
  ## @param snapshots.image.digest OpenSearch Snapshots image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param snapshots.image.pullPolicy OpenSearch Snapshots image pull policy
  ## @param snapshots.image.pullSecrets OpenSearch Snapshots image pull secrets
  ## @param snapshots.image.debug Enable OpenSearch Snapshots image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## Specify an imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Enable debug mode
    ##
    debug: false
  ## @param snapshots.nameOverride String to partially override common.names.fullname
  ##
  nameOverride: ""
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param snapshots.persistence.enabled Enable persistence using Persistent Volume Claims
    ##
    enabled: false
    ## @param snapshots.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteMany
    ## @param snapshots.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param snapshots.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
    ## @param snapshots.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
    ## @param snapshots.persistence.labels Extra labels for the Persistent Volume Claim
    ##
    labels: {}
    ## @param snapshots.persistence.selector Selector to match an existing Persistent Volume for OpenSearch data PVC
    ## If set, the PVC can't have a PV dynamically provisioned for it
    ## E.g.
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param snapshots.persistence.size Size of data volume
    ##
    size: 8Gi
    ## @param snapshots.persistence.storageClass Storage class of backing PVC
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param snapshots.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
    ##
    subPath: ""
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param snapshots.podSecurityContext.enabled Enabled data pods' Security Context
  ## @param snapshots.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param snapshots.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param snapshots.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param snapshots.podSecurityContext.fsGroup Set snapshots pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param snapshots.policies [default: SNAPSHOT_POLICY_API_BODY] Each object represents a snapshot policy in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
  ## NOTE: The field `snapshot_config.repository` in each policy must match a repo name in `snapshots.repositories`.
  ##
  policies:
    default:
      creation:
        schedule:
          cron:
            expression: "0 20 * * *"
            timezone: UTC
      deletion:
        condition:
          max_age: 7d
          min_count: 1
        schedule:
          cron:
            expression: 0 20 * * *
            timezone: UTC
      description: Default snapshot policy
      enabled: true
      snapshot_config:
        repository: default
  ## @param snapshots.repositories [default: SNAPSHOT_REPO_API_BODY] Each object represents a snapshot repository in YAML form, which will be converted to JSON and then passed as the HTTP body data to the OpenSearch REST API.
  ## NOTE: The field `settings.location` in each repo must match the snapshot repo path configured in `snapshotRepoPath`, if its `type` is `fs`.
  ##
  repositories:
    default:
      settings:
        location: /snapshots
      type: fs
  ## OpenSearch resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param snapshots.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if snapshots.resources is set (snapshots.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param snapshots.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 100m
  ##     memory: 10Mi
  ##   limits:
  ##     cpu: 200m
  ##     memory: 20Mi
  ##
  resources: {}
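The two NOTE comments on `snapshots.policies` and `snapshots.repositories` describe cross-references that nothing in the values file itself enforces. The following pre-deploy lint is an added example, not part of the chart: the function name, the `BROKEN` override and the `/snapshots` value passed for `snapshotRepoPath` are constructed for illustration, and treating a trailing slash as equivalent is an assumption.

```python
import posixpath

def lint_snapshots(snapshots, snapshot_repo_path):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    repos = snapshots.get("repositories") or {}
    policies = snapshots.get("policies") or {}
    # Assumption: "/snapshots/" and "/snapshots" name the same directory.
    want = posixpath.normpath(snapshot_repo_path)

    # NOTE 1: an fs repository's settings.location must match snapshotRepoPath.
    for name, repo in sorted(repos.items()):
        if repo.get("type") != "fs":
            continue  # the path constraint applies only to type fs
        location = (repo.get("settings") or {}).get("location")
        if not location or posixpath.normpath(location) != want:
            problems.append(f"repository {name!r}: location {location!r} != {want!r}")

    # NOTE 2: each policy's snapshot_config.repository must name a repository.
    for name, policy in sorted(policies.items()):
        target = (policy.get("snapshot_config") or {}).get("repository")
        if target not in repos:
            problems.append(f"policy {name!r}: unknown repository {target!r}")
    return problems

# Chart defaults from this page, reduced to the fields the lint reads.
DEFAULTS = {
    "policies": {"default": {"snapshot_config": {"repository": "default"}}},
    "repositories": {"default": {"type": "fs", "settings": {"location": "/snapshots"}}},
}

# Constructed override: the default repository was renamed without updating
# the policy, and the fs location no longer matches the repo path.
BROKEN = {
    "policies": {
        "default": {"snapshot_config": {"repository": "default"}},
        "weekly": {"snapshot_config": {"repository": "offsite"}},
    },
    "repositories": {
        "nightly": {"type": "fs", "settings": {"location": "/backups"}},
        "offsite": {"type": "s3", "settings": {"bucket": "example-bucket"}},
    },
}

if __name__ == "__main__":
    for label, values in (("defaults", DEFAULTS), ("broken", BROKEN)):
        print(label, lint_snapshots(values, "/snapshots") or "ok")
```

Run it against the merged values (chart defaults plus overrides) before `helm upgrade`, passing the `snapshotRepoPath` actually in effect for the release.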