rabbitmq

Helm chart
Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section RabbitMQ Image parameters
## Iamguarded RabbitMQ image version
## @param image.registry [default: REGISTRY_NAME] RabbitMQ image registry
## @param image.repository [default: REPOSITORY_NAME/rabbitmq] RabbitMQ image repository
## @skip image.tag RabbitMQ image tag (immutable tags are recommended)
## @param image.digest RabbitMQ image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy RabbitMQ image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Set to true if you would like to see extra information on logs
##
image:
  registry: cgr.dev
  repository: chainguard-private/rabbitmq-iamguarded
  tag: 4.2.4
  digest: ""
  ## set to true if you would like to see extra information on logs
  ## It turns on BASH and/or NAMI debugging in the image
  ##
  debug: false
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
## @section Common parameters
##

## @param nameOverride String to partially override rabbitmq.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override rabbitmq.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param servicenameOverride String to partially override headless service name
##
servicenameOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param serviceBindings.enabled Create secret for service binding (Experimental)
## Ref: https://servicebinding.io/service-provider/
##
serviceBindings:
  enabled: false
## @param enableServiceLinks Whether information about services should be injected into pod's environment variable
## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace.
## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
##
enableServiceLinks: true
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: true
## @param hostAliases Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param dnsPolicy DNS Policy for pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsPolicy: ClusterFirst
##
dnsPolicy: ""
## @param dnsConfig DNS Configuration pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsConfig:
##   options:
##     - name: ndots
##       value: "4"
##
dnsConfig: {}
## RabbitMQ Authentication parameters
##
auth:
  ## @param auth.username RabbitMQ application username
  ##
  username: user
  ## @param auth.password RabbitMQ application password
  ##
  password: ""
  ## @param auth.securePassword Whether to set the RabbitMQ password securely. This is incompatible with loading external RabbitMQ definitions and 'true' when not setting the auth.password parameter.
  ##
  securePassword: true
  ## @param auth.updatePassword Update RabbitMQ password on secret change
  ##
  updatePassword: false
  ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
  ## e.g:
  ## existingPasswordSecret: name-of-existing-secret
  ##
  existingPasswordSecret: ""
  ## @param auth.existingSecretPasswordKey [default: rabbitmq-password] Password key to be retrieved from existing secret
  ## NOTE: ignored unless `auth.existingSecret` parameter is set
  ##
  existingSecretPasswordKey: ""
  ## @param auth.enableLoopbackUser If enabled, the user `auth.username` can only connect from localhost
  ##
  enableLoopbackUser: false
  ## @param auth.erlangCookie Erlang cookie to determine whether different nodes are allowed to communicate with each other
  ##
  erlangCookie: ""
  ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
  ## e.g:
  ## existingErlangSecret: name-of-existing-secret
  ##
  existingErlangSecret: ""
  ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
  ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
  ##
  existingSecretErlangKey: ""
  ## Enable encryption to rabbitmq
  ## ref: https://www.rabbitmq.com/ssl.html
  ## @param auth.tls.enabled Enable TLS support on RabbitMQ
  ## @param auth.tls.autoGenerated Generate automatically self-signed TLS certificates
  ## @param auth.tls.failIfNoPeerCert When set to true, TLS connection will be rejected if client fails to provide a certificate
  ## @param auth.tls.sslOptionsVerify Should [peer verification](https://www.rabbitmq.com/ssl.html#peer-verification) be enabled?
  ## @param auth.tls.sslOptionsPassword.enabled Enable usage of password for private Key
  ## @param auth.tls.sslOptionsPassword.existingSecret Name of existing Secret containing the sslOptionsPassword
  ## @param auth.tls.sslOptionsPassword.key Enable Key referring to sslOptionsPassword in Secret specified in auth.tls.sslOptionsPassword.existingSecret
  ## @param auth.tls.sslOptionsPassword.password Use this string as Password. If set, auth.tls.sslOptionsPassword.existingSecret and auth.tls.sslOptionsPassword.key are ignored
  ## @param auth.tls.caCertificate Certificate Authority (CA) bundle content
  ## @param auth.tls.serverCertificate Server certificate content
  ## @param auth.tls.serverKey Server private key content
  ## @param auth.tls.existingSecret Existing secret with certificate content to RabbitMQ credentials
  ## @param auth.tls.existingSecretFullChain Whether or not the existing secret contains the full chain in the certificate (`tls.crt`). Will be used in place of `ca.cert` if `true`.
  ## @param auth.tls.overrideCaCertificate Existing secret with certificate content to be mounted instead of the `ca.crt` coming from caCertificate or existingSecret/existingSecretFullChain.
  ##
  tls:
    enabled: false
    autoGenerated: false
    failIfNoPeerCert: true
    sslOptionsVerify: verify_peer
    sslOptionsPassword:
      enabled: false
      existingSecret: ""
      key: ""
      password: ""
    caCertificate: ""
    serverCertificate: ""
    serverKey: ""
    existingSecret: ""
    existingSecretFullChain: false
    overrideCaCertificate: ""
## @param logs Path of the RabbitMQ server's Erlang log file. Value for the `RABBITMQ_LOGS` environment variable
## ref: https://www.rabbitmq.com/logging.html#log-file-location
##
logs: "-"
## @param ulimitNofiles RabbitMQ Max File Descriptors
## ref: https://www.rabbitmq.com/install-debian.html#kernel-resource-limits
##
ulimitNofiles: "65535"
## RabbitMQ maximum available scheduler threads and online scheduler threads. By default it will create a thread per CPU detected, with the following parameters you can tune it manually.
## ref: https://hamidreza-s.github.io/erlang/scheduling/real-time/preemptive/migration/2016/02/09/erlang-scheduler-details.html#scheduler-threads
## @param maxAvailableSchedulers RabbitMQ maximum available scheduler threads
## @param onlineSchedulers RabbitMQ online scheduler threads
##
maxAvailableSchedulers: ""
onlineSchedulers: ""
## The memory threshold under which RabbitMQ will stop reading from client network sockets, in order to avoid being killed by the OS
## ref: https://www.rabbitmq.com/alarms.html
## ref: https://www.rabbitmq.com/memory.html#threshold
##
memoryHighWatermark:
  ## @param memoryHighWatermark.enabled Enable configuring Memory high watermark on RabbitMQ
  ##
  enabled: false
  ## @param memoryHighWatermark.type Memory high watermark type. Either `absolute` or `relative`
  ##
  type: "relative"
  ## Memory high watermark value.
  ## @param memoryHighWatermark.value Memory high watermark value
  ## The default value of 0.4 stands for 40% of available RAM
  ## Note: the memory relative limit is applied to the resourcesPreset memory limit or the resource.limits.memory to calculate the memory threshold
  ## You can also use an absolute value, e.g.: 256Mi
  ##
  value: 0.4
## @param plugins List of default plugins to enable (should only be altered to remove defaults; for additional plugins use `extraPlugins`)
##
plugins: "rabbitmq_management rabbitmq_peer_discovery_k8s"
## @param queue_leader_locator Changes the queue_leader_locator setting in the rabbitmq config file
##
queue_leader_locator: balanced
## @param queue_master_locator DEPRECATED. Use queue_leader_locator instead
##
queue_master_locator: ""
## @param communityPlugins List of Community plugins (URLs) to be downloaded during container initialization
## Combine it with extraPlugins to also enable them.
##
communityPlugins: ""
## @param extraPlugins Extra plugins to enable (single string containing a space-separated list)
## Use this instead of `plugins` to add new plugins
##
extraPlugins: "rabbitmq_auth_backend_ldap"
## Clustering settings
##
clustering:
  ## @param clustering.enabled Enable RabbitMQ clustering
  ##
  enabled: true
  ## @param clustering.name RabbitMQ cluster name
  ## If not set, a name is generated using the common.names.fullname template
  ##
  name: ""
  ## @param clustering.addressType Switch clustering mode. Either `ip` or `hostname`
  ##
  addressType: hostname
  ## @param clustering.rebalance Rebalance master for queues in cluster when new replica is created
  ## ref: https://www.rabbitmq.com/rabbitmq-queues.8.html#rebalance
  ##
  rebalance: false
  ## @param clustering.forceBoot Force boot of an unexpectedly shut down cluster (in an unexpected order).
  ## forceBoot executes 'rabbitmqctl force_boot' to force boot a cluster that was shut down unexpectedly in an unknown order
  ## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot
  ##
  forceBoot: false
  ## @param clustering.partitionHandling Switch Partition Handling Strategy. Either `autoheal` or `pause_minority` or `pause_if_all_down` or `ignore`
  ## ref: https://www.rabbitmq.com/partitions.html#automatic-handling
  ##
  partitionHandling: autoheal
## Loading a RabbitMQ definitions file to configure RabbitMQ
##
loadDefinition:
  ## @param loadDefinition.enabled Enable loading a RabbitMQ definitions file to configure RabbitMQ
  ##
  enabled: false
  ## @param loadDefinition.file Name of the definitions file
  ##
  file: "/app/load_definition.json"
  ## @param loadDefinition.existingSecret Existing secret with the load definitions file
  ## Can be templated if needed, e.g:
  ## existingSecret: "{{ .Release.Name }}-load-definition"
  ##
  existingSecret: ""
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param lifecycleHooks Overwrite lifecycle for the RabbitMQ container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal.
## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data.
##
terminationGracePeriodSeconds: 120
## @param extraEnvVars Extra environment variables to add to RabbitMQ pods
## E.g:
## extraEnvVars:
##   - name: FOO
##     value: BAR
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data)
##
extraEnvVarsSecret: ""
## Container Ports
## @param containerPorts.amqp
## @param containerPorts.amqpTls
## @param containerPorts.dist
## @param containerPorts.manager
## @param containerPorts.epmd
## @param containerPorts.metrics
##
containerPorts:
  amqp: 5672
  amqpTls: 5671
  dist: 25672
  manager: 15672
  epmd: 4369
  metrics: 9419
## Host Ports
## @param hostPorts.amqp
## @param hostPorts.amqpTls
## @param hostPorts.manager
## @param hostPorts.metrics
##
hostPorts:
  amqp: ""
  amqpTls: ""
  manager: ""
  metrics: ""
## @param initScripts Dictionary of init scripts. Evaluated as a template.
## Specify dictionary of scripts to be run at first boot
## Alternatively, you can put your scripts under the files/docker-entrypoint-initdb.d directory
## For example:
## initScripts:
##   my_init_script.sh: |
##     #!/bin/sh
##     echo "Do something."
##
initScripts: {}
## @param initScriptsCM ConfigMap with the init scripts. Evaluated as a template.
## Note: This will override initScripts
##
initScriptsCM: ""
## @param initScriptsSecret Secret containing `/docker-entrypoint-initdb.d` scripts to be executed at initialization time that contain sensitive data. Evaluated as a template.
##
initScriptsSecret: ""
## @param extraContainerPorts Extra ports to be included in container spec, primarily informational
## E.g:
## extraContainerPorts:
##   - name: new_port_name
##     containerPort: 1234
##
extraContainerPorts: []
## @param configuration [string] RabbitMQ Configuration file content: required cluster configuration
## Do not override unless you know what you are doing.
## To add more configuration, use `extraConfiguration` or `advancedConfiguration` instead
##

## RabbitMQ tcp_listen_options parameters
## See : https://www.rabbitmq.com/networking.html for additional information
##
tcpListenOptions:
  ## @param tcpListenOptions.enabled Enable TCP listen options of RabbitMQ
  ##
  enabled: true
  ## @param tcpListenOptions.backlog Maximum size of the unaccepted TCP connections queue
  ##
  backlog: 128
  ## @param tcpListenOptions.nodelay When set to true, deactivates Nagle's algorithm. Default is true. Highly recommended for most users.
  ##
  nodelay: true
  ## tcpListenOptions.linger
  ##
  linger:
    ## @param tcpListenOptions.linger.lingerOn Enable Server socket lingering
    ##
    lingerOn: true
    ## @param tcpListenOptions.linger.timeout Server Socket lingering timeout
    ##
    timeout: 0
  ## @param tcpListenOptions.keepalive When set to true, enables TCP keepalives
  ##
  keepalive: false
configuration: |-
  ## Username and password
  default_user = {{ .Values.auth.username }}
  {{- if and (not .Values.auth.securePassword) .Values.auth.password }}
  default_pass = {{ .Values.auth.password }}
  {{- end }}
  {{- if .Values.clustering.enabled }}
  ## Clustering
  ##
  cluster_name = {{ default (include "common.names.fullname" .) .Values.clustering.name }}
  cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
  cluster_formation.k8s.host = kubernetes.default
  cluster_formation.k8s.address_type = {{ .Values.clustering.addressType }}
  {{- $svcName := printf "%s-%s" (include "common.names.fullname" .) (default "headless" .Values.servicenameOverride) }}
  cluster_formation.k8s.service_name = {{ $svcName }}
  cluster_formation.k8s.hostname_suffix = .{{ $svcName }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
  cluster_formation.node_cleanup.interval = 10
  cluster_formation.node_cleanup.only_log_warning = true
  cluster_partition_handling = {{ .Values.clustering.partitionHandling }}
  {{- end }}
  {{ if and .Values.clustering.enabled .Values.loadDefinition.enabled }}
  cluster_formation.target_cluster_size_hint = {{ .Values.replicaCount }}
  {{ end }}
  {{- if .Values.loadDefinition.enabled }}
  load_definitions = {{ .Values.loadDefinition.file }}
  {{- end }}
  # queue leader locator
  queue_leader_locator = {{ include "rabbitmq.queueLocator" . }}
  # enable loopback user
  {{- if not (empty .Values.auth.username) }}
  {{- $sanitizedUsername := regexQuoteMeta .Values.auth.username }}
  loopback_users.{{ $sanitizedUsername }} = {{ .Values.auth.enableLoopbackUser }}
  {{- else}}
  loopback_users.guest = {{ .Values.auth.enableLoopbackUser }}
  {{- end }}
  {{ template "rabbitmq.extraConfiguration" . }}
  {{- if .Values.auth.tls.enabled }}
  ssl_options.verify = {{ .Values.auth.tls.sslOptionsVerify }}
  listeners.ssl.default = {{ .Values.service.ports.amqpTls }}
  ssl_options.fail_if_no_peer_cert = {{ .Values.auth.tls.failIfNoPeerCert }}
  ssl_options.cacertfile = /opt/iamguarded/rabbitmq/certs/ca_certificate.pem
  ssl_options.certfile = /opt/iamguarded/rabbitmq/certs/server_certificate.pem
  ssl_options.keyfile = /opt/iamguarded/rabbitmq/certs/server_key.pem
  {{- if .Values.auth.tls.sslOptionsPassword.enabled }}
  ssl_options.password = {{ include "common.secrets.passwords.manage" (dict "secret" .Values.auth.tls.sslOptionsPassword.existingSecret "key" .Values.auth.tls.sslOptionsPassword.key "providedValues" (list "auth.tls.sslOptionsPassword.password") "skipB64enc" true "failOnNew" false "context" $) }}
  {{- end }}
  {{- end }}
  {{- if .Values.ldap.enabled }}
  auth_backends.1.authn = ldap
  auth_backends.1.authz = {{ ternary "ldap" "internal" .Values.ldap.authorisationEnabled }}
  auth_backends.2 = internal
  {{- $host := list }}
  {{- $port := ternary 636 389 .Values.ldap.tls.enabled }}
  {{- if .Values.ldap.uri }}
  {{- $hostPort := get (urlParse .Values.ldap.uri) "host" }}
  {{- $host = list (index (splitList ":" $hostPort) 0) -}}
  {{- if (contains ":" $hostPort) }}
  {{- $port = index (splitList ":" $hostPort) 1 -}}
  {{- end }}
  {{- end }}
  {{- range $index, $server := concat $host .Values.ldap.servers }}
  auth_ldap.servers.{{ add $index 1 }} = {{ $server }}
  {{- end }}
  auth_ldap.port = {{ coalesce .Values.ldap.port $port }}
  {{- if or .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
  auth_ldap.user_dn_pattern = {{ coalesce .Values.ldap.user_dn_pattern .Values.ldap.userDnPattern }}
  {{- end }}
  {{- if .Values.ldap.basedn }}
  auth_ldap.dn_lookup_base = {{ .Values.ldap.basedn }}
  {{- end }}
  {{- if .Values.ldap.uidField }}
  auth_ldap.dn_lookup_attribute = {{ .Values.ldap.uidField }}
  {{- end }}
  {{- if .Values.ldap.binddn }}
  auth_ldap.dn_lookup_bind.user_dn = {{ .Values.ldap.binddn }}
  auth_ldap.dn_lookup_bind.password = {{ required "'ldap.bindpw' is required when 'ldap.binddn' is defined" .Values.ldap.bindpw }}
  {{- end }}
  {{- if .Values.ldap.tls.enabled }}
  auth_ldap.use_ssl = {{ not .Values.ldap.tls.startTls }}
  auth_ldap.use_starttls = {{ .Values.ldap.tls.startTls }}
  {{- if .Values.ldap.tls.CAFilename }}
  auth_ldap.ssl_options.cacertfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.CAFilename }}
  {{- end }}
  {{- if .Values.ldap.tls.certFilename }}
  auth_ldap.ssl_options.certfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ .Values.ldap.tls.certFilename }}
  auth_ldap.ssl_options.keyfile = {{ .Values.ldap.tls.certificatesMountPath }}/{{ required "'ldap.tls.certKeyFilename' is required when 'ldap.tls.certFilename' is defined" .Values.ldap.tls.certKeyFilename }}
  {{- end }}
  {{- if .Values.ldap.tls.skipVerify }}
  auth_ldap.ssl_options.verify = verify_none
  auth_ldap.ssl_options.fail_if_no_peer_cert = false
  {{- else if .Values.ldap.tls.verify }}
  auth_ldap.ssl_options.verify = {{ .Values.ldap.tls.verify }}
  {{- end }}
  {{- end }}
  {{- end }}
  ## Prometheus metrics
  ##
  prometheus.tcp.port = {{ .Values.containerPorts.metrics }}
  {{- if .Values.memoryHighWatermark.enabled }}
  ## Memory Threshold
  ##
  {{- if (dig "limits" "memory" "" .Values.resources) }}
  total_memory_available_override_value = {{ include "rabbitmq.toBytes" (dig "limits" "memory" "" .Values.resources) }}
  {{- end }}
  {{- if (eq .Values.memoryHighWatermark.type "absolute") }}
  vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ include "rabbitmq.toBytes" .Values.memoryHighWatermark.value }}
  {{- else if (eq .Values.memoryHighWatermark.type "relative") }}
  vm_memory_high_watermark.{{ .Values.memoryHighWatermark.type }} = {{ .Values.memoryHighWatermark.value }}
  {{- end }}
  {{- end }}
  {{- if .Values.tcpListenOptions.enabled }}
  ## TCP Listen Options
  ##
  tcp_listen_options.backlog = {{ .Values.tcpListenOptions.backlog }}
  tcp_listen_options.nodelay = {{ .Values.tcpListenOptions.nodelay }}
  tcp_listen_options.linger.on = {{ .Values.tcpListenOptions.linger.lingerOn }}
  tcp_listen_options.linger.timeout = {{ .Values.tcpListenOptions.linger.timeout }}
  tcp_listen_options.keepalive = {{ .Values.tcpListenOptions.keepalive }}
  {{- end }}
## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
## Must contain the key "rabbitmq.conf"
## Takes precedence over `configuration`, so do not use both simultaneously
## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
##
configurationExistingSecret: ""
## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
## Use this instead of `configuration` to add more configuration
## Do not use simultaneously with `extraConfigurationExistingSecret`
##
extraConfiguration: |-
  #default_vhost = {{ .Release.Namespace }}-vhost
  #disk_free_limit.absolute = 50MB
## @param extraConfigurationExistingSecret Existing secret with the extra configuration to append to `configuration`.
## Must contain the key "extraConfiguration"
## Takes precedence over `extraConfiguration`, so do not use both simultaneously
##
extraConfigurationExistingSecret: ""
## @param advancedConfiguration Configuration file content: advanced configuration
## Use this as additional configuration in classic config format (Erlang term configuration format)
##
## LDAP authorisation example:
## advancedConfiguration: |-
##   [{rabbitmq_auth_backend_ldap,[
##     {tag_queries, [{administrator, {constant, true}},
##                    {management, {constant, true}}]}
##   ]}].
##
## If both, advancedConfiguration and advancedConfigurationExistingSecret are set, then advancedConfiguration
## will be used instead of the secret.
#
advancedConfiguration: ""
## @param advancedConfigurationExistingSecret Existing secret with the advanced configuration file (must contain a key `advanced.config`).
## Use this as additional configuration in classic config format (Erlang term configuration format) as in advancedConfiguration
## Do not use in combination with advancedConfiguration, will be ignored
##
advancedConfigurationExistingSecret: ""
## This subsystem was introduced in RabbitMQ 3.8.0 to allow rolling upgrades of cluster members without shutting down the entire cluster.
## Feature flags are a mechanism that controls what features are considered to be enabled or available on all cluster nodes. If a feature flag is enabled, so is its associated feature (or behavior). If not then all nodes in the cluster will disable the feature (behavior).
## e.g, drop_unroutable_metric,empty_basic_get_metric,implicit_default_bindings,maintenance_mode_status,quorum_queue,virtual_host_metadata
## @param featureFlags that controls what features are considered to be enabled or available on all cluster nodes.
##
featureFlags: ""
## LDAP configuration
##
ldap:
  ## @param ldap.enabled Enable LDAP support
  ##
  enabled: false
  ## @param ldap.uri LDAP connection string.
  ##
  uri: ""
  ## @param ldap.servers List of LDAP servers hostnames. This is valid only if ldap.uri is not set
  ##
  servers: []
  ## @param ldap.port LDAP servers port. This is valid only if ldap.uri is not set
  ##
  port: ""
  ## DEPRECATED ldap.user_dn_pattern will be removed in the future, please use userDnPattern instead
  ## Pattern used to translate the provided username into a value to be used for the LDAP bind
  ## @param ldap.userDnPattern Pattern used to translate the provided username into a value to be used for the LDAP bind.
  ## ref: https://www.rabbitmq.com/ldap.html#usernames-and-dns
  ##
  userDnPattern: ""
  ## @param ldap.binddn DN of the account used to search in the LDAP server.
  ##
  binddn: ""
  ## @param ldap.bindpw Password for binddn account.
  ##
  bindpw: ""
  ## @param ldap.basedn Base DN path where binddn account will search for the users.
  ##
  basedn: ""
  ## @param ldap.uidField Field used to match with the user name (uid, samAccountName, cn, etc). It matches with 'dn_lookup_attribute' in RabbitMQ configuration
  ## ref: https://www.rabbitmq.com/ldap.html#usernames-and-dns
  ##
  uidField: ""
  ## @param ldap.authorisationEnabled Enable LDAP authorisation. Please set 'advancedConfiguration' with tag, topic, resources and vhost mappings
  ## ref: https://www.rabbitmq.com/ldap.html#authorisation
  ##
  authorisationEnabled: false
  ## @param ldap.tls.enabled Enabled TLS configuration.
  ## @param ldap.tls.startTls Use STARTTLS instead of LDAPS.
  ## @param ldap.tls.skipVerify Skip any SSL verification (hostnames or certificates)
  ## @param ldap.tls.verify Verify connection. Valid values are 'verify_peer' or 'verify_none'
  ## @param ldap.tls.certificatesMountPath Where LDAP certificates are mounted.
  ## @param ldap.tls.certificatesSecret Secret with LDAP certificates.
  ## @param ldap.tls.CAFilename CA certificate filename. Should match with the CA entry key in the ldap.tls.certificatesSecret.
  ## @param ldap.tls.certFilename Client certificate filename to authenticate against the LDAP server. Should match with the certificate entry key in the ldap.tls.certificatesSecret.
  ## @param ldap.tls.certKeyFilename Client Key filename to authenticate against the LDAP server. Should match with the certificate entry key in the ldap.tls.certificatesSecret.
  ##
  tls:
    enabled: false
    startTls: false
    skipVerify: false
    verify: "verify_peer"
    certificatesMountPath: /opt/iamguarded/rabbitmq/ldap/certs
    certificatesSecret: ""
    CAFilename: ""
    certFilename: ""
    certKeyFilename: ""
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts
## Examples:
## extraVolumeMounts:
##   - name: extras
##     mountPath: /usr/share/extras
##     readOnly: true
##
extraVolumeMounts: []
## @param extraVolumes Optionally specify extra list of additional volumes.
## Example:
## extraVolumes:
##   - name: extras
##     emptyDir: {}
##
extraVolumes: []
## @param extraSecrets Optionally specify extra secrets to be created by the chart.
## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded.
## Example:
## extraSecrets:
##   load-definition:
##     load_definition.json: |
##       {
##         ...
##       }
##
extraSecrets: {}
## @param extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with <release-name> prepended.
##
extraSecretsPrependReleaseName: false
## @section Statefulset parameters
##

## @param replicaCount Number of RabbitMQ replicas to deploy
##
replicaCount: 1
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## RabbitMQ nodes should be initialized one by one when building the cluster for the first time.
## Therefore, the default value of podManagementPolicy is 'OrderedReady'.
## Once a RabbitMQ node participates in the cluster, at reboot it waits for a response from another
## RabbitMQ node in the same cluster, except for the last RabbitMQ node of that cluster.
## If the cluster exits gracefully, you do not need to change the podManagementPolicy
## because the first RabbitMQ node of the statefulset will always be the last of the cluster.
## However, if the last RabbitMQ node of the cluster is not the first RabbitMQ node due to a failure,
## you must change podManagementPolicy to 'Parallel'.
## ref: https://www.rabbitmq.com/clustering.html#restarting
## @param podManagementPolicy Pod management policy
##
podManagementPolicy: OrderedReady
## @param podLabels RabbitMQ Pod labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations RabbitMQ Pod annotations. Evaluated as a template
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param updateStrategy.type Update strategy type for RabbitMQ statefulset
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param statefulsetLabels RabbitMQ statefulset labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
statefulsetLabels: {}
## @param statefulsetAnnotations RabbitMQ statefulset annotations. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
statefulsetAnnotations: {}
## @param priorityClassName Name of the priority class to be used by RabbitMQ pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment. Evaluated as a template
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## RabbitMQ pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable RabbitMQ pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## @param containerSecurityContext.enabled Enable RabbitMQ containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
## @param containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped from the container
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## Example:
##   containerSecurityContext:
##     capabilities:
##       drop: ["NET_RAW"]
##     readOnlyRootFilesystem: true
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## RabbitMQ containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure RabbitMQ containers' extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 120
  timeoutSeconds: 20
  periodSeconds: 30
  failureThreshold: 6
  successThreshold: 1
## Configure RabbitMQ containers' extra options for readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 10
  timeoutSeconds: 20
  periodSeconds: 30
  failureThreshold: 3
  successThreshold: 1
## Configure RabbitMQ containers' extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 10
  timeoutSeconds: 20
  periodSeconds: 30
  failureThreshold: 3
  successThreshold: 1
## @param customLivenessProbe Override default liveness probe
##
customLivenessProbe: {}
## @param customReadinessProbe Override default readiness probe
##
customReadinessProbe: {}
## @param customStartupProbe Define a custom startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
##
customStartupProbe: {}
## @param initContainers Add init containers to the RabbitMQ pod
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add sidecar containers to the RabbitMQ pod
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  ##
  create: true
  ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ##
  minAvailable: ""
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
  ##
  maxUnavailable: ""
## @section RBAC parameters
##

## RabbitMQ pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for RabbitMQ pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created serviceAccount
  ## If not set and create is true, a name is generated using the rabbitmq.fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  annotations: {}
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether RBAC rules should be created
  ## binding RabbitMQ ServiceAccount to a role
  ## that allows RabbitMQ pods querying the K8s API
  ##
  create: true
  ## @param rbac.rules Custom RBAC rules
  ## Example:
  ## rules:
  ##   - apiGroups:
  ##       - ""
  ##     resources:
  ##       - pods
  ##     verbs:
  ##       - get
  ##       - list
  ##
  rules: []
## @section Persistence parameters
##
persistence:
  ## @param persistence.enabled Enable RabbitMQ data persistence using PVC
  ##
  enabled: true
  ## @param persistence.storageClass PVC Storage Class for RabbitMQ data volume
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner. (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: ""
  ## @param persistence.selector Selector to match an existing Persistent Volume
  ## selector:
  ##   matchLabels:
  ##     app: my-app
  ##
  selector: {}
  ## @param persistence.accessModes PVC Access Modes for RabbitMQ data volume
  ##
  accessModes:
    - ReadWriteOnce
  ## @param persistence.existingClaim Provide an existing PersistentVolumeClaim
  ## The value is evaluated as a template
  ## So, for example, the name can depend on .Release or .Chart
  ##
  existingClaim: ""
  ## @param persistence.mountPath The path the volume will be mounted at
  ## Note: useful when using custom RabbitMQ images
  ##
  mountPath: /opt/iamguarded/rabbitmq/.rabbitmq/mnesia
  ## @param persistence.subPath The subdirectory of the volume to mount to
  ## Useful in dev environments and one PV for multiple services
  ##
  subPath: ""
  ## @param persistence.size PVC Storage Request for RabbitMQ data volume
  ## If you change this value, you might have to adjust `rabbitmq.diskFreeLimit` as well
  ##
  size: 8Gi
  ## @param persistence.annotations Persistence annotations. Evaluated as a template
  ## Example:
  ## annotations:
  ##   example.io/disk-volume-type: SSD
  ##
  annotations: {}
  ## @param persistence.labels Persistence labels. Evaluated as a template
  ## Example:
  ## labels:
  ##   app: my-app
  labels: {}
## Persistent Volume Claim Retention Policy
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
##
persistentVolumeClaimRetentionPolicy:
  ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for rabbitmq Statefulset
  ##
  enabled: false
  ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
  ##
  whenScaled: Retain
  ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
  ##
  whenDeleted: Retain
## @section Exposure parameters
##

## Kubernetes service type
##
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.portEnabled Amqp port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`.
  ##
  portEnabled: true
  ## @param service.distPortEnabled Erlang distribution server port
  ##
  distPortEnabled: true
  ## @param service.managerPortEnabled RabbitMQ Manager port
  ##
  managerPortEnabled: true
  ## @param service.epmdPortEnabled RabbitMQ EPMD Discovery service port
  ##
  epmdPortEnabled: true
  ## Service ports
  ## @param service.ports.amqp Amqp service port
  ## @param service.ports.amqpTls Amqp TLS service port
  ## @param service.ports.dist Erlang distribution service port
  ## @param service.ports.manager RabbitMQ Manager service port
  ## @param service.ports.metrics RabbitMQ Prometheus metrics service port
  ## @param service.ports.epmd EPMD Discovery service port
  ##
  ports:
    amqp: 5672
    amqpTls: 5671
    dist: 25672
    manager: 15672
    metrics: 9419
    epmd: 4369
  ## Service ports name
  ## @param service.portNames.amqp Amqp service port name
  ## @param service.portNames.amqpTls Amqp TLS service port name
  ## @param service.portNames.dist Erlang distribution service port name
  ## @param service.portNames.manager RabbitMQ Manager service port name
  ## @param service.portNames.metrics RabbitMQ Prometheus metrics service port name
  ## @param service.portNames.epmd EPMD Discovery service port name
  ##
  portNames:
    amqp: "amqp"
    amqpTls: "amqp-tls"
    dist: "dist"
    manager: "http-stats"
    metrics: "metrics"
    epmd: "epmd"
  ## Node ports to expose
  ## @param service.nodePorts.amqp Node port for Amqp
  ## @param service.nodePorts.amqpTls Node port for Amqp TLS
  ## @param service.nodePorts.dist Node port for Erlang distribution
  ## @param service.nodePorts.manager Node port for RabbitMQ Manager
  ## @param service.nodePorts.epmd Node port for EPMD Discovery
  ## @param service.nodePorts.metrics Node port for RabbitMQ Prometheus metrics
  ##
  nodePorts:
    amqp: ""
    amqpTls: ""
    dist: ""
    manager: ""
    epmd: ""
    metrics: ""
  ## @param service.extraPorts Extra ports to expose in the service
  ## E.g.:
  ## extraPorts:
  ##   - name: new_svc_name
  ##     port: 1234
  ##     targetPort: 1234
  ##
  extraPorts: []
  ## @param service.extraPortsHeadless Extra ports to expose in the headless service
  ## E.g.:
  ## extraPortsHeadless:
  ##   - name: new_svc_name
  ##     port: 1234
  ##     targetPort: 1234
  ##
  extraPortsHeadless: []
  ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
  ##
  allocateLoadBalancerNodePorts: true
  ## @param service.externalIPs Set the ExternalIPs
  ##
  externalIPs: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.loadBalancerClass Set the LoadBalancerClass
  ##
  loadBalancerClass: ""
  ## @param service.loadBalancerIP Set the LoadBalancerIP
  ##
  loadBalancerIP: ""
  ## @param service.clusterIP Kubernetes service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.labels Service labels. Evaluated as a template
  ##
  labels: {}
  ## @param service.annotations Service annotations. Evaluated as a template
  ## Example:
  ## annotations:
  ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
  ##
  annotations: {}
  ## DEPRECATED: service.annotationsHeadless will be removed in a future release, please use service.headless.annotations instead
  ## @param service.annotationsHeadless Headless Service annotations. Evaluated as a template
  ## Example:
  ## annotations:
  ##   external-dns.alpha.kubernetes.io/internal-hostname: rabbitmq.example.com
  ##
  annotationsHeadless: {}
  ## Headless service properties
  ##
  headless:
    ## @param service.headless.annotations Annotations for the headless service.
    ##
    annotations: {}
  ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
  ## If "ClientIP", consecutive client requests will be directed to the same Pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.trafficDistribution Traffic Distribution provides another
  ## way to influence traffic routing within a Kubernetes Service.
  ##
  trafficDistribution: "PreferClose"
## Configure the ingress resource that allows you to access the
## RabbitMQ installation. Set up the URL
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress resource for Management console
  ##
  enabled: false
  ## @param ingress.path Path for the default host. You may need to set this to '/*' in order to use this with ALB ingress controllers.
  ##
  path: /
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: rabbitmq.local
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Set this to true in order to create a TLS secret for this ingress record
  ## using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## e.g:
  ## extraHosts:
  ##   - name: rabbitmq.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
  ## Useful when looking for additional customization, such as using different backend
  ##
  extraRules: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - rabbitmq.local
  ##     secretName: rabbitmq.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: rabbitmq.local-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.existingSecret Name of an existing secret holding your own certificate.
  ##
  existingSecret: ""
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
  ##
  kubeAPIServerPorts: [443, 6443, 8443]
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports the server is listening
  ## on. When true, the server will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
  ##
  addExternalClientAccess: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
  ## e.g:
  ## ingressPodMatchLabels:
  ##   my-client: "true"
  ##
  ingressPodMatchLabels: {}
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## @section Metrics Parameters
##

## Prometheus Metrics
##
metrics:
  ## @param metrics.enabled Enable exposing RabbitMQ metrics to be gathered by Prometheus
  ##
  enabled: false
  ## @param metrics.plugins Plugins to enable Prometheus metrics in RabbitMQ
  ##
  plugins: "rabbitmq_prometheus"
  ## Prometheus pod annotations
  ## @param metrics.podAnnotations [object] Annotations for enabling prometheus to access the metrics endpoint
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "{{ .Values.service.ports.metrics }}"
  ## Prometheus Service Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.namespace Specify the namespace in which the serviceMonitor resource will be created
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.targetLabels Used to keep given service's labels in target
    ## e.g:
    ## - app.kubernetes.io/name
    ##
    targetLabels: {}
    ## @param metrics.serviceMonitor.podTargetLabels Used to keep given pod's labels in target
    ## e.g:
    ## - app.kubernetes.io/name
    ##
    podTargetLabels: {}
    ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
    ##
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
1394
    ## Scrape metrics from the `/metrics` endpoint
    ## ref: https://www.rabbitmq.com/docs/prometheus#default-endpoint
    ##
    default:
      ## @param metrics.serviceMonitor.default.enabled Enable default metrics endpoint (`GET /metrics`) to be scraped by the ServiceMonitor
      ##
      enabled: false
      ## @param metrics.serviceMonitor.default.interval Specify the interval at which metrics should be scraped
      ##
      interval: 30s
      ## @param metrics.serviceMonitor.default.scrapeTimeout Specify the timeout after which the scrape is ended
      ## e.g:
      ##   scrapeTimeout: 30s
      ##
      scrapeTimeout: ""
      ## @param metrics.serviceMonitor.default.relabelings RelabelConfigs to apply to samples before scraping.
      ##
      relabelings: []
      ## @param metrics.serviceMonitor.default.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion.
      ##
      metricRelabelings: []
      ## @param metrics.serviceMonitor.default.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Scrape metrics from the `/metrics/per-object` endpoint
    ## ref: https://www.rabbitmq.com/docs/prometheus#per-object-endpoint
    ##
    perObject:
      ## @param metrics.serviceMonitor.perObject.enabled Enable per-object metrics endpoint (`GET /metrics/per-object`) to be scraped by the ServiceMonitor
      ##
      enabled: false
      ## @param metrics.serviceMonitor.perObject.interval Specify the interval at which metrics should be scraped
      ##
      interval: 30s
      ## @param metrics.serviceMonitor.perObject.scrapeTimeout Specify the timeout after which the scrape is ended
      ## e.g:
      ##   scrapeTimeout: 30s
      ##
      scrapeTimeout: ""
      ## @param metrics.serviceMonitor.perObject.relabelings RelabelConfigs to apply to samples before scraping.
      ##
      relabelings: []
      ## @param metrics.serviceMonitor.perObject.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion.
      ##
      metricRelabelings: []
      ## @param metrics.serviceMonitor.perObject.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## Scrape metrics from the `/metrics/detailed` endpoint
    ## ref: https://www.rabbitmq.com/docs/prometheus#detailed-endpoint
    ##
    detailed:
      ## @param metrics.serviceMonitor.detailed.enabled Enable detailed metrics endpoint (`GET /metrics/detailed`) to be scraped by the ServiceMonitor
      ##
      enabled: false
      ## @param metrics.serviceMonitor.detailed.family List of metric families to get
      ## e.g.
      ## family: ["queue_coarse_metrics", "queue_consumer_count"]
      ##
      family: []
      ## @param metrics.serviceMonitor.detailed.vhost Filter metrics to only show for the specified vhosts
      ##
      vhost: []
      ## @param metrics.serviceMonitor.detailed.interval Specify the interval at which metrics should be scraped
      ##
      interval: 30s
      ## @param metrics.serviceMonitor.detailed.scrapeTimeout Specify the timeout after which the scrape is ended
      ## e.g:
      ##   scrapeTimeout: 30s
      ##
      scrapeTimeout: ""
      ## @param metrics.serviceMonitor.detailed.relabelings RelabelConfigs to apply to samples before scraping.
      ##
      relabelings: []
      ## @param metrics.serviceMonitor.detailed.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion.
      ##
      metricRelabelings: []
      ## @param metrics.serviceMonitor.detailed.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
    ## @param metrics.serviceMonitor.enabled Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    enabled: false
    ## @param metrics.serviceMonitor.interval Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.relabelings Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.path Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    path: ""
    ## @param metrics.serviceMonitor.params Deprecated. Please use `metrics.serviceMonitor.{default/perObject/detailed}` instead.
    ##
    params: {}
  ## Custom PrometheusRule to be defined
  ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator
    ##
    enabled: false
    ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus
    ##
    additionalLabels: {}
    ## @param metrics.prometheusRule.namespace namespace where prometheusRules resource should be created
    ##
    namespace: ""
    ## List of rules, used as template by Helm.
    ## @param metrics.prometheusRule.rules List of rules, used as template by Helm.
    ## These are just example rules inspired by https://awesome-prometheus-alerts.grep.to/rules.html
    ## rules:
    ##   - alert: RabbitmqDown
    ##     expr: rabbitmq_up{service="{{ template "common.names.fullname" . }}"} == 0
    ##     for: 5m
    ##     labels:
    ##       severity: error
    ##     annotations:
    ##       summary: Rabbitmq down (instance {{ "{{ $labels.instance }}" }})
    ##       description: RabbitMQ node down
    ##   - alert: ClusterDown
    ##     expr: |
    ##       sum(rabbitmq_running{service="{{ template "common.names.fullname" . }}"})
    ##       < {{ .Values.replicaCount }}
    ##     for: 5m
    ##     labels:
    ##       severity: error
    ##     annotations:
    ##       summary: Cluster down (instance {{ "{{ $labels.instance }}" }})
    ##       description: |
    ##         Less than {{ .Values.replicaCount }} nodes running in RabbitMQ cluster
    ##         VALUE = {{ "{{ $value }}" }}
    ##   - alert: ClusterPartition
    ##     expr: rabbitmq_partitions{service="{{ template "common.names.fullname" . }}"} > 0
    ##     for: 5m
    ##     labels:
    ##       severity: error
    ##     annotations:
    ##       summary: Cluster partition (instance {{ "{{ $labels.instance }}" }})
    ##       description: |
    ##         Cluster partition
    ##         VALUE = {{ "{{ $value }}" }}
    ##   - alert: OutOfMemory
    ##     expr: |
    ##       rabbitmq_node_mem_used{service="{{ template "common.names.fullname" . }}"}
    ##       / rabbitmq_node_mem_limit{service="{{ template "common.names.fullname" . }}"}
    ##       * 100 > 90
    ##     for: 5m
    ##     labels:
    ##       severity: warning
    ##     annotations:
    ##       summary: Out of memory (instance {{ "{{ $labels.instance }}" }})
    ##       description: |
    ##         Memory available for RabbitMQ is low (< 10%)\n  VALUE = {{ "{{ $value }}" }}
    ##         LABELS: {{ "{{ $labels }}" }}
    ##   - alert: TooManyConnections
    ##     expr: rabbitmq_connectionsTotal{service="{{ template "common.names.fullname" . }}"} > 1000
    ##     for: 5m
    ##     labels:
    ##       severity: warning
    ##     annotations:
    ##       summary: Too many connections (instance {{ "{{ $labels.instance }}" }})
    ##       description: |
    ##         RabbitMQ instance has too many connections (> 1000)
    ##         VALUE = {{ "{{ $value }}" }}\n  LABELS: {{ "{{ $labels }}" }}
    ##
    rules: []
## @section Init Container Parameters
##

## Init Container parameters
## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
## values from the securityContext section of the component
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
  ##
  enabled: false
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
  ## @skip volumePermissions.image.tag Init container volume-permissions image tag
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init Container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container's Security Context
  ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
  ## and not the below volumePermissions.containerSecurityContext.runAsUser
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
  ##
  containerSecurityContext:
    seLinuxOptions: {}
    runAsUser: 0
